Zilog EZ80F91AZA User Manual
Page 35
UM020107-1211
SSL Configuration
ZTP Network Security SSL Plug-In User Manual
certificate and, therefore, the public key. A field within the certificate indicates which public key algorithm can be used to arrive at a shared secret that will be used to derive the shared symmetric key(s) used to encrypt data exchanged between the parties.
The ZTP Network Security SSL Plug-In supports the following three public key algorithms:
• RSA encryption
• DSA signature
• Diffie-Hellman key agreement
The most popular algorithm used with SSL is RSA encryption, which is the only key exchange algorithm supported by SSLv2. On their own, DSA signatures cannot be used to establish a shared secret, but the DSA algorithm is used to sign Ephemeral Diffie-Hellman parameters, thereby allowing the Diffie-Hellman key agreement algorithm to arrive at a shared secret.
A global array, PkiGen, determines which public key algorithms are available for use by the SSL handshake protocols. This array is located in the pki_conf.c configuration file. The default setting of the PkiGen array is shown in the following code fragment.
PKI_Init PkiGen[SSL_MAX_PKI] =
{
    NullPki_init,
    rsa_init,
    dsa_init,
    dh_init
};
In the above code, note that an entry for each of the three supported PKI algorithms appears below the NullPki_init function pointer. Indeed, each entry in the array is a function pointer that is used to initialize a data structure that the SSL handshake protocols use during key exchange processing. The NullPki algorithm does not perform any useful function, but it must be included in the PkiGen array for proper operation of the SSL protocol.
The ordering of entries in the PkiGen array is not arbitrary, and is determined by the ordinal values of the following macros (see the ez80_pki.h header file); the values of these macros must not be altered.
#define SSL_PKI_ID_RSA 1
#define SSL_PKI_ID_DSA 2
#define SSL_PKI_ID_DH  3
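As an added illustration (not code from the ZTP plug-in), the following C models how handshake code would index PkiGen by these ordinals, with a bounds check before the function pointer is dereferenced, and a start-up self-check that catches a table whose entries were reordered against the macro values. The PKI_Init signature, the PkiRec record, SSL_MAX_PKI being 4 and the bodies of NullPki_init/rsa_init/dsa_init/dh_init are assumptions standing in for the real ones.

```c
/* Added example: models the PkiGen ordering rule from the manual.
 * PKI_Init's signature, PkiRec and SSL_MAX_PKI == 4 are assumptions. */
#include <stddef.h>
#include <string.h>

#define SSL_PKI_ID_RSA 1
#define SSL_PKI_ID_DSA 2
#define SSL_PKI_ID_DH  3
#define SSL_MAX_PKI    4   /* assumed: NullPki slot plus the three algorithms */

/* Assumed shape of the per-algorithm record the handshake code fills in. */
typedef struct { int id; const char *name; } PkiRec;
typedef int (*PKI_Init)(PkiRec *rec);

/* Stand-in initialisers: each records the ordinal it belongs to. */
static int NullPki_init(PkiRec *r) { r->id = 0;              r->name = "null"; return 0; }
static int rsa_init(PkiRec *r)     { r->id = SSL_PKI_ID_RSA; r->name = "RSA";  return 0; }
static int dsa_init(PkiRec *r)     { r->id = SSL_PKI_ID_DSA; r->name = "DSA";  return 0; }
static int dh_init(PkiRec *r)      { r->id = SSL_PKI_ID_DH;  r->name = "DH";   return 0; }

/* Same layout as the pki_conf.c fragment: slot 0 is NullPki. */
PKI_Init PkiGen[SSL_MAX_PKI] = { NullPki_init, rsa_init, dsa_init, dh_init };

/* Handshake-side lookup: reject out-of-range ids, the Null slot and empty
 * slots before dereferencing, so a bad id can never index past the table.
 * Returns the initialiser's result, or -1 on rejection. */
int pki_init_for(PKI_Init *table, int id, PkiRec *out) {
    if (id <= 0 || id >= SSL_MAX_PKI || table[id] == NULL) return -1;
    return table[id](out);
}

/* Start-up self-check: every slot must initialise a record whose id equals
 * its index, which is the ordering rule the manual states. Returns the index
 * of the first misplaced or missing entry, or -1 when the table is consistent. */
int pki_table_check(PKI_Init *table) {
    for (int i = 0; i < SSL_MAX_PKI; i++) {
        PkiRec r;
        memset(&r, 0, sizeof r);
        if (table[i] == NULL || table[i](&r) != 0 || r.id != i) return i;
    }
    return -1;
}
```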