can be located on a file system, a database, or a hardware device. Applications access one or more of these wallets to select personas and identities.

The wallet provides location transparency in two ways. First, the wallet can be located on a file system, in a database, or in a hardware device. Second, each credential stored in a wallet can exist as a typed reference rather than as the actual cre-

The Oracle Cryptographic Toolkit wallet interface becomes a wrapper around the wallet-style interface presented by hardware devices. File-based wallets can be treated like a wallet when the format of their credentials is well known. For example, Oracle proprietary, Netscape, and Spyglass file-based wallets can be treated as

In this release, only the default wallet is supported; it is located on a file system. The wallet's location is defined with the oss.source_my_wallet SQLNET.ORA parameter.

Note: The wallet must be created using the osslogin command line tool. Refer to Chapter 3, "Installing and Configuring the Oracle Security Server", in the Oracle Security Server™ Guide.

1.4 Oracle Cryptographic Toolkit Elements
The Oracle Cryptographic Toolkit works with the following basic elements:

- Identity
- Trusted Identity
- Persona
- Wallet

1.4.1 Identity
An identity is the public information for an entity. The identity of an object consists of the binding of a public key and other public information for that entity. Every identity has a type: for example, X.509 v1. Refer to Figure 1-2, "Identity", for an illustration of the structure of an identity.

Overview 1-7
Oracle Cryptographic Toolkit Elements

Figure 1-2 Identity

1.4.2 Trusted Identity
A trusted identity (or trust point) is an identity that is considered trustworthy. This trusted identity is then used to validate other identities. For example, an X.509 type trusted identity is a Certificate Authority.

1.4.3 Persona
A persona contains an identity, the private information for an entity, a list of actions that can be performed (for example, DSS, RSA, or symmetric key encryption), a set of message formats, and a set of trusted identities. Each persona has a type that it inherits from its identity: for example, X.509 v1.
Refer to Figure 1-3, "Persona", for an illustration of a persona.

1-8 Oracle Cryptographic Toolkit Programmer's Guide

Figure 1-3 Persona

1.4.4 Wallet
The Oracle Cryptographic Toolkit also works with one or more repositories called wallets. Wallets are containers that store trusted identities and personas. Refer to Figure 1-4, "Wallet", for an overview of the relationship between these elements.

Figure 1-4 Wallet


1.5 Types of Interfaces
The Oracle Cryptographic Toolkit is accessed using two types of interfaces: the Oracle Call Interface and the PL/SQL Interface.

1.5.1 Oracle Call Interface
Oracle client programs use the Oracle Call Interface to access Oracle Security Server functions. Refer to Chapter 6, "OCI Functions for C", for detailed Oracle Call Interface programming information.

1.5.2 PL/SQL Interface
Oracle server programs use the Oracle PL/SQL interface to access Oracle Security Server functions. Refer to Chapter 7, "PL/SQL Functions", for detailed PL/SQL interface programming information.


This chapter discusses Oracle Cryptographic Toolkit external datatype codes. The following topics are covered:

- Data Types
- Data Structures


2.1 Data Types
Each data type name and its corresponding data type prefix used in the Oracle Cryptographic Toolkit is listed as a subheading below. The table below each subheading lists the possible data type values and their corresponding descriptions.

2.1.1 Name Prefixes
Each data type used in the Oracle Cryptographic Toolkit has a unique prefix. Following is a list of Oracle Cryptographic Toolkit data type names and prefixes.

Table 2-1 Data Types

Data Type Name            Prefix Used
Crypto Engine State       nzttces_
Crypto Engine Functions   nzttcef_
Identity Type             nzttidenttype_
Cipher Types              nzttciphertype_
TDU Formats               nztttdufmt_
Validate State            nzttvalstate_
Unique ID                 nzttid_
Timestamp                 nztttstamp_

2.1.2 Crypto Engine State
Enumerated type listing the current state of the cryptographic engine.
States are:

NZTTCES_CONTINUE   Continue processing input
NZTTCES_END        End processing input
NZTTCES_RESET      Reset processing and skip generating output


2.1.3 Crypto Engine Functions
Enumerated type to show the cryptographic engine categories.
Types are:

NZTTCEF_DETATCHEDSIGNATURE   Signature, detached from content
NZTTCEF_SIGNATURE            Signature, combined with content
NZTTCEF_KEYEDHASH            Keyed hash/checksum
NZTTCEF_HASH                 Hash/checksum
NZTTCEF_RANDOM               Random byte generation
NZTTCEF_LAST                 Used for array size

2.1.4 Identity Type
nzttIdentType Enumerated type to indicate the type of identity.
Types are:


2.1.5 Cipher Types
nzttCipherType Enumerated type listing all possible cryptographic algorithms.
Types are:



2.1.6 TDU Formats
nzttdufmt   Enumerated type listing all possible toolkit data unit (TDU) formats. Depending on the function and cipher used, some may not be available.
Types are:

NZTTDUFMT_ORACLEv1   Oracle v1 format

2.1.7 Validate State
nzttValState   Enumerated type listing states an identity can be in.
States are:

NZTTVALSTATE_NONE   Needs to be validated

2.1.8 Unique ID

nzttID   Unique IDs for personas and identities, represented with 128 bits

2.1.9 Timestamp

nzttTStamp   Timestamp as a 32-bit quantity in UTC


2.2 Data Structures
Following is a list of Oracle Cryptographic Toolkit data structures. Each data structure is listed along with a brief description.

Table 2-2 Data Structures and Descriptions

Name of Data Structure   Description
nzttBufferBlock          An output parameter block used to describe each buffer
nzttWallet               Contains a list of the personas stored in that wallet and private wallet information
nzttPersona              Contains information about a persona
nzttIdentity             Contains information about an identity

2.2.1 nzttBufferBlock
A function uses an output parameter block to describe each buffer when that function needs to fill (and possibly grow) an output buffer. The flags_nzttBufferBlock member tells the function whether the buffer can be grown. The buffer is automatically reallocated when flags_nzttBufferBlock is 0.

The buflen_nzttBufferBlock member is set to the length of the buffer before the function is called and equals the length of the buffer when the function is finished. If buflen_nzttBufferBlock is 0, then the initial pointer stored in buffer_nzttBufferBlock is ignored.

The usedlen_nzttBufferBlock member is set to the length of the object stored in the buffer when the function is finished. If the initial buffer had a non-zero length, then it is possible that the object length is shorter than the buffer length.

The buffer_nzttBufferBlock member is a pointer to the output object. Refer to Table 2-3, "nzttBufferBlock".

Table 2-3 nzttBufferBlock

Type     Name                      Description
uword    flags_nzttBufferBlock     Flags
size_t   buflen_nzttBufferBlock    Total length of buffer
size_t   usedlen_nzttBufferBlock   Length of buffer actually used
ub1 *    buffer_nzttBufferBlock    Pointer to buffer
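The buffer contract above (grow only when flags is 0, ignore the initial pointer when buflen is 0, report the object length in usedlen separately from the buffer length in buflen) is easy to get wrong on the consumer side, where reading buflen bytes instead of usedlen bytes exposes uninitialised memory and truncating into a fixed buffer silently corrupts output. The following C program is an added example, not code from the Oracle Cryptographic Toolkit: it defines a hypothetical struct (bufblock_t) that mirrors the four members of Table 2-3, a fill_block routine that applies the stated rules, and three demonstrations. The struct, the fill_block function, the FILL_* return codes, the local uword/ub1 typedefs and the sample byte strings are all assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the base type names used in Table 2-3. Assumption: defined
 * here for the example only, not taken from Oracle's headers. */
typedef unsigned int  uword;
typedef unsigned char ub1;

/* Hypothetical mirror of the four nzttBufferBlock members (not Oracle's struct). */
typedef struct {
    uword  flags;    /* 0: the callee may grow the buffer; non-zero: fixed size */
    size_t buflen;   /* in: current buffer length; out: buffer length after the call */
    size_t usedlen;  /* out: length of the object actually stored */
    ub1   *buffer;   /* pointer to the output buffer */
} bufblock_t;

#define BUFBLOCK_GROWABLE 0u
#define BUFBLOCK_FIXED    1u

enum { FILL_OK = 0, FILL_TOO_SMALL = -1, FILL_NOMEM = -2 };  /* constructed codes */

/* Store `len` bytes of `obj` into the buffer described by `blk`, following the
 * rules stated for nzttBufferBlock: buflen == 0 means the initial pointer is
 * ignored; flags == 0 permits (re)allocation; a fixed buffer that is too small
 * is an error and is left untouched. A growable buffer must be empty or come
 * from malloc, because it is handed to realloc. */
static int fill_block(bufblock_t *blk, const ub1 *obj, size_t len)
{
    if (blk->buflen == 0)
        blk->buffer = NULL;                  /* stale pointer is ignored */

    if (len > blk->buflen) {
        if (blk->flags != BUFBLOCK_GROWABLE)
            return FILL_TOO_SMALL;           /* never truncate, never overrun */
        ub1 *grown = realloc(blk->buffer, len);
        if (grown == NULL)
            return FILL_NOMEM;
        blk->buffer = grown;
        blk->buflen = len;
    }

    if (len > 0)
        memcpy(blk->buffer, obj, len);
    blk->usedlen = len;                      /* may be shorter than buflen */
    return FILL_OK;
}

/* Constructed sample objects: 26 bytes and 6 bytes including the NUL. */
static const ub1 sample[]       = "constructed-output-object";
static const ub1 short_sample[] = "short";

/* Growable block with buflen 0: the stale pointer is ignored and a buffer of
 * exactly the object's size is allocated. Lengths are reported via out-params. */
static int demo_growable(size_t *buflen_out, size_t *usedlen_out)
{
    ub1 stale[4];
    bufblock_t blk = { BUFBLOCK_GROWABLE, 0, 0, stale };
    int rc = fill_block(&blk, sample, sizeof sample);
    *buflen_out  = blk.buflen;
    *usedlen_out = blk.usedlen;
    free(blk.buffer);
    return rc;
}

/* Fixed 8-byte caller-owned block: the object does not fit, so the call fails
 * and the caller's bytes (pre-filled with 0xAA) are untouched. */
static int demo_fixed_too_small(size_t *usedlen_out, ub1 *first_byte_out)
{
    ub1 storage[8];
    memset(storage, 0xAA, sizeof storage);
    bufblock_t blk = { BUFBLOCK_FIXED, sizeof storage, 0, storage };
    int rc = fill_block(&blk, sample, sizeof sample);
    *usedlen_out    = blk.usedlen;
    *first_byte_out = storage[0];
    return rc;
}

/* Fixed 64-byte block that is large enough: usedlen ends up shorter than
 * buflen, so consumers must read usedlen bytes, not buflen bytes. */
static int demo_fixed_fits(size_t *buflen_out, size_t *usedlen_out)
{
    ub1 storage[64];
    bufblock_t blk = { BUFBLOCK_FIXED, sizeof storage, 0, storage };
    int rc = fill_block(&blk, short_sample, sizeof short_sample);
    *buflen_out  = blk.buflen;
    *usedlen_out = blk.usedlen;
    return rc;
}

int main(void)
{
    size_t bl = 0, ul = 0; ub1 fb = 0; int rc;
    rc = demo_growable(&bl, &ul);
    printf("growable:  rc=%d buflen=%zu usedlen=%zu\n", rc, bl, ul);
    rc = demo_fixed_too_small(&ul, &fb);
    printf("too small: rc=%d usedlen=%zu first byte=0x%02X\n", rc, ul, fb);
    rc = demo_fixed_fits(&bl, &ul);
    printf("fits:      rc=%d buflen=%zu usedlen=%zu\n", rc, bl, ul);
    return 0;
}
```

The design point worth keeping from this example is that a fixed block is never written partially: the callee either fits the whole object or reports FILL_TOO_SMALL and leaves the caller's memory exactly as it was, so the caller can retry with a larger buffer or a growable block without any chance of consuming a truncated object.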


2.2.2 nzttWallet
The wallet structure contains one or more personas. Each of these personas contains its private key, its identity, and trusted third party identities. All identities are qualified with trust, where the qualifier can indicate anything from untrusted to trusted for specific operations. Refer to Table 2-4, "nzttWallet".

Table 2-4 nzttWallet

Type                Name                  Description
size_t              npersona_nzttWallet   Number of personas in the wallet
nzttPersona         list_nzttWallet       List of personas in the wallet
nzttWalletPrivate   private_nzttWallet    Private wallet information

2.2.3 nzttPersona
The persona structure contains information about a persona. Refer to Table 2-5, "nzttPersona".

Table 2-5 nzttPersona

Type                 Name                     Description
nzttIdentity         myidentity_nzttPersona   My identity
size_t               nidents_nzttPersona      Number of trusted identities
nzttIdentity         list_nzttPersona         List of trusted identities
nzttPersonaPrivate   private_nzttPersona      Opaque part of persona

2.2.4 nzttIdentity
The identity structure contains information about an identity. Refer to Table 2-6, "nzttIdentity".

Table 2-6 nzttIdentity

Type                  Name                      Description
size_t                aliaslen_nzttIdentity     Length of alias
text                  alias_nzttIdentity        Alias
size_t                commentlen_nzttIdentity   Length of comment
text                  comment_nzttIdentity      Comment
nzttIdentityPrivate   private_nzttIdentity      Opaque part of identity


This chapter discusses concepts behind the Oracle Cryptographic Toolkit. The following topics are discussed:

- Security Concepts
- Oracle Cryptographic Toolkit Concepts


3.1 Security Concepts
Following is a list of security concepts used in this document. Refer to Section 1.1.1, "Oracle Security Server Features", for an explanation of how these concepts apply to the Oracle Cryptographic Toolkit.

Authentication
The recipient of an authenticated message can be certain of the message's origin (its sender). Authentication reduces the possibility that another person has impersonated the sender of the message.

Authorization
The set of privileges available to an authenticated entity.

Certificate
An entity's public key signed by a trusted identity (certificate authority) in the form of a certificate. This certificate gives assurance that the entity's information is correct and that the public key actually belongs to the entity.

Certificate Authority
An application that creates identities by signing public key certificates and stores them in a database or a repository. The certificate authority signature certifies that the information in the certificate is correct and that the public key actually belongs to the entity.

Confidentiality
A function of cryptography. Confidentiality guarantees that only the intended recipient(s) of a message can view the message (decrypt the ciphertext).

Cryptography
The practice of writing and deciphering messages in a secret code so that they remain secure.

Decryption
The process of converting the contents of an encrypted message (ciphertext) back into its original readable format (plaintext).

Digital Signature
A public key algorithm is used to sign the sender's message with the sender's private key. The digital signature means that the document is authentic, has not been
