The OCAP Security File Generator (OCAP SFG) provides a complete solution for generating signed OCAP applications, code images and Code Version Tables.
OCAP SFG provides the following capabilities:
The certificate installer maintains a database of the certificates that are of interest to the application developer. The database can be updated from certificate files and CRLs issued by Certificate Authorities, and from RCMMs issued by the Root Certificate Authority. It maintains an up-to-date list of all certificate locations and statuses, which simplifies certificate file management.
Application developers who do not generate their own certificates can use OCAP SFG to verify certificate chains that are provided by third parties. The verification includes tests for all X509 version 3 certificate extensions that are mandated for receiver checking, including the verification of name constraints.
The verification also includes the ability to check against authenticated versions of the root certificates (rather than those included in the certificate file) and latest versions of certificate revocation lists (CRLs). Certificate files will need to be re-verified on each change of root certificates effected by the delivery of a Root Certificate Management Message (RCMM).
The process of application authentication involves the creation of a series of hash files at each level in the directory structure that contains the application. After all of the hash files are generated, the top-level hash file is then signed and a signature file and certificate file generated.
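The per-directory hash file scheme described above, as an added example (not OCAP SFG code): it assumes a simple text hash-file format with SHA-256 rather than the binary OCAP/MHP hash file layout, and models the signature step by comparing the top-level digest against a trusted value. Changing any file deep in the tree invalidates the top-level digest.

```python
import hashlib, os, tempfile
# Assumed for this illustration: text hash files with SHA-256 (the real OCAP hash file is binary).
HASHFILE = "ocap.hashfile"
def sha256(data):
    return hashlib.sha256(data).hexdigest()

def build_hashfiles(root):
    """Bottom-up: a file entry carries the file's digest, a directory entry the digest
    of the subdirectory's hash file. Returns the top-level digest, the value to sign."""
    lines = []
    for name in sorted(os.listdir(root)):
        if name == HASHFILE:
            continue
        path = os.path.join(root, name)
        if os.path.isdir(path):
            lines.append(f"dir {build_hashfiles(path)} {name}")
        else:
            lines.append(f"file {sha256(open(path, 'rb').read())} {name}")
    content = ("\n".join(lines) + "\n").encode()
    open(os.path.join(root, HASHFILE), "wb").write(content)
    return sha256(content)

def verify_dir(root):
    """Receiver side: recompute every entry and return this directory's hash-file digest,
    or None if anything is missing or modified. Compare the top-level result with the
    digest that the (separately verified) signature covers."""
    hf = os.path.join(root, HASHFILE)
    if not os.path.isfile(hf):
        return None
    content = open(hf, "rb").read()
    for line in content.decode().splitlines():
        kind, digest, name = line.split(" ", 2)
        path = os.path.join(root, name)
        if kind == "dir":
            actual = verify_dir(path)
        else:
            actual = sha256(open(path, "rb").read()) if os.path.isfile(path) else None
        if actual != digest:
            return None
    return sha256(content)

def demo():
    """Constructed tree: build, verify, modify a nested file, verify again."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "lib"))
        open(os.path.join(d, "App.class"), "wb").write(b"main")
        open(os.path.join(d, "lib", "Util.class"), "wb").write(b"util")
        top = build_hashfiles(d)
        before = verify_dir(d) == top
        open(os.path.join(d, "lib", "Util.class"), "wb").write(b"changed")
        return before, verify_dir(d) == top
```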
The permission file provides details of the various secure resources that the application is permitted to access. This file is generated as an XML document and includes any signed credentials that have been provided by other organisations. OCAP SFG creates and installs the permission file and any associated certificate files that authenticate credentials in the requested directory.
Persistent file credentials are used by applications that have been granted access to files created by other applications or organisations. The credential grants appropriate access rights to the file(s) and needs to be generated by the organisation that created the files. The credential is then passed to the application author for inclusion in the permission file.
OCAP SFG creates a permission file extract containing the signed credential and a certificate file. The application author needs to include the extract in the application's permission file and place the certificate file in the same directory.
OCAP SFG allows device manufacturers to encapsulate their code image files and code version tables in a PKCS#7 Signed Data file. The Open Cable Security Specification requires code images to be prepared in this format for delivery to the receiver. The Open Cable Code Download Specification requires the code version table to be prepared in the PKCS#7 Signed Data format for delivery to the receiver.
In addition, OCAP SFG also provides a web service interface
OCAP SFG provides a 'C' language library to support server applications that use Transport Layer Security (TLS). This library includes the ability to select the cipher set defined for use with OCAP clients.
OCAP SFG provides the ability to generate certificate chains used with the server side of the TLS system and to generate the corresponding root certificate file that is broadcast to the client in order to verify the TLS server certificate chain.
These facilities are used by certificate authorities to generate X509 Certificates, Certificate Revocation Lists and Root Certificate Management Messages.
The X509 certificate generator creates new CA or leaf certificates according to the contents of a certificate request file. The certificate's Subject can include all of the Distinguished Name attributes specified as required or recommended by RFC 2459. The mandatory SubjectAlternateName can include rfc822Name (e-mail address), DNS name, URI name and IP addresses. The certificate generator includes the support of NameConstraints containing any of the field and name types allowed in the Subject and SubjectAlternateName attributes.
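The name-constraint checking referred to in the chain verification section and in the certificate generator above, as an added example (not OCAP SFG code) covering the four SubjectAlternateName types the page lists. The constraint syntax is an assumption of this example: DNS constraints are a domain (the domain itself or any subdomain matches), rfc822 constraints a mailbox, a host or a ".domain", URI constraints a host or ".domain" applied to the URI's host part, and IP constraints a CIDR block.

```python
import ipaddress
import urllib.parse

# Added illustration, not OCAP SFG code. Constraint syntax assumed here: DNS
# constraints are a domain (the name itself or any subdomain matches), rfc822
# constraints a mailbox, a host, or a ".domain", URI constraints a host or a
# ".domain" (applied to the URI's host part), IP constraints a CIDR block.

def _dns_match(name, constraint):
    name, constraint = name.lower(), constraint.lower()
    return name == constraint or name.endswith("." + constraint)

def _rfc822_match(name, constraint):
    name, constraint = name.lower(), constraint.lower()
    if "@" in constraint:                  # a particular mailbox
        return name == constraint
    host = name.rpartition("@")[2]
    if constraint.startswith("."):         # any host within the domain
        return host.endswith(constraint)
    return host == constraint              # any mailbox at exactly this host

def _uri_match(name, constraint):
    host = (urllib.parse.urlsplit(name).hostname or "").lower()
    constraint = constraint.lower()
    return host.endswith(constraint) if constraint.startswith(".") else host == constraint

def _ip_match(name, constraint):
    return ipaddress.ip_address(name) in ipaddress.ip_network(constraint, strict=False)

MATCHERS = {"dns": _dns_match, "rfc822": _rfc822_match,
            "uri": _uri_match, "ip": _ip_match}

def names_allowed(names, permitted, excluded):
    """names, permitted, excluded are lists of (type, value). Each name must
    match at least one permitted subtree of its type, if any of that type
    exist, and must match no excluded subtree of its type."""
    for kind, value in names:
        match = MATCHERS[kind]
        allowed = [c for k, c in permitted if k == kind]
        if allowed and not any(match(value, c) for c in allowed):
            return False
        if any(match(value, c) for k, c in excluded if k == kind):
            return False
    return True

def chain_names_allowed(leaf_names, ca_constraints):
    """A leaf's names must satisfy the NameConstraints of every CA above it in
    the chain; ca_constraints is a list of (permitted, excluded) pairs."""
    return all(names_allowed(leaf_names, p, e) for p, e in ca_constraints)
```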
The X509 certificate generator also allows for the creation of self-signed root-certificates and for the generation of public/private key pairs. OCAP SFG provides a certificate authority with the capability to revoke certificates and to generate a signed CRL containing all currently revoked certificates. Empty CRLs can be created when no certificates are currently marked as revoked.
OCAP SFG provides a root certificate authority with the capability to create Root Certificate Management Messages containing new root certificates and lists of root certificates to be removed. The generator also provides the ability for root certificate authorities to add their signature to an RCMM created by another root certificate authority. The generator ensures that each of the signatures applied to the RCMM is unique.
The DVB-MHP PKI Certification Practice Statement requires that certificate subscribers store their private keys on a cryptographic hardware device that is protected by a suitable passphrase and/or other authentication (for example, biometric). OCAP SFG supports a range of such devices at varying costs across a range of computing platforms. For broadcasters and application developers, the most commonly used devices are USB tokens or smart cards that have been assessed for FIPS 140-2 compliance. OCAP SFG addresses these devices through the standard PKCS#11 application program interface, allowing a range of different hardware tokens to be supported.
The PKI Operator can generate key pairs on a range of tokens and securely deliver the token and the corresponding pass phrase to the subscriber. Alternatively, where the token requires a biometric, or where a higher-level security device such as the nCipher nShield is installed in a PCI card form factor, OCAP SFG can generate a key and issue a PKCS#10 formatted certificate request to the PKI Operator.