
Apple CDSA Plug-ins

The Mac OS X implementation of CDSA includes five CDSA plug-ins (see Figure 1-2).

This section briefly describes the purpose and function of each of these modules. (See “Glossary” for explanations of any unfamiliar terms.)

In this section:

AppleCSP Module
AppleFileDL Module
AppleCSP/DL Module
AppleX509CL Module
AppleX509TP Module


AppleCSP Module

All secure communications and authentication protocols are based on keys and encryption. The Apple cryptographic service provider (AppleCSP) is a basic plug-in module used by several of the security services for creating cryptographic keys and encrypting or decrypting data. Digital signature operations also use the AppleCSP module to compute the message digests from which signatures are created and verified. A CSP can use any number of algorithms.

AppleFileDL Module

A data storage library (DL) module provides persistent secure storage; that is, storage of encrypted data on disk or another medium that persists when the power is turned off. The CDSA standard allows a DL module to use any sort of database or other data store. Keeping things simple, the AppleFileDL module stores its data in files in the Mac OS X file system. It provides lower-level services used by the AppleCSP/DL plug-in for storing secrets on the keychain, Apple’s database used to store encrypted passwords, private keys, and other secrets.

AppleCSP/DL Module

The AppleCSP/DL plug-in is a multifunction module that combines cryptographic service and data storage functions to implement the Apple keychain, used for storage of passwords, keys, and other secrets. The AppleCSP/DL module calls the AppleFileDL module to perform file I/O, and the Security Server daemon to encrypt and decrypt secrets.

AppleX509CL Module

A certificate library (CL) module performs operations on digital certificates. Digital certificates are used to establish or confirm the identity of an entity such as a website or the sender of a digitally signed message. They do so by using a digital signature to ensure that only the identified entity could have provided the certificate (see “Digital Certificates”). A CL module performs such functions as creating new certificates (in memory), creating certificate revocation lists (that indicate which certificates are no longer valid), verifying the digital signature contained in a certificate, and extracting information from a certificate. CL modules do not store persistent copies of certificates. Rather, a DL module is used for that purpose.

The AppleX509CL plug-in performs these functions for certificates that conform to the X.509 standard promulgated by the International Telecommunication Union (ITU). The X.509 ITU standard is widely used on the Internet and throughout the information technology industry for designing secure applications based on a public key infrastructure (PKI). See “Asymmetric Keys” for more information on public keys.

AppleX509TP Module

A digital certificate has a level of trust associated with it, based on attributes of the certificate. A trust policy is a set of rules that specify the actions that can be taken given a specific level of trust. In other words, the purpose of establishing a level of trust for a certificate is to answer the question “Should I trust this certificate for this action?”

The issuer of a digital certificate adds a digital signature to the certificate to ensure that the certificate has not been altered and to verify the identity of the issuer. In general, a digital signature is verified through the use of another certificate. Consequently, each certificate is typically part of a chain of certificates that ends with a root certificate, which can be verified without recourse to another certificate (see “Digital Certificates”).

Note: The set of root certificates stored and maintained by Mac OS X is in a system keychain at /System/Library/Keychains/X509Anchors. You can browse this keychain in the Keychain Access utility (by using the File > Add Keychain menu item to add it to your list of keychains) to see what it contains and how the certificate chains are constructed.

A trust policy (TP) plug-in performs two main functions: it assembles the chain of certificates needed to verify a given certificate, and it determines the level of trust that can be accorded the certificate.

The AppleX509TP module performs these functions on X.509 certificates, using trust policies established by Apple.
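The two TP functions described above, assembling a chain from a certificate up to a trusted root and then answering “Should I trust this certificate for this action?”, can be seen in this added Go example. It is not Apple’s code and does not call the CDSA API: Go’s crypto/x509 verifier stands in for the TP (chain building, anchor check, usage policy) and CSP (signature verification), and the root, intermediate and server certificates, their names and the anchor set are all constructed here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a certificate carrying only the fields a trust policy examines (subject, CA flag,
// key usage, the "actions" in eku) and has the parent sign it; a nil parent yields a self-signed root.
func issue(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate,
	parentKey ed25519.PrivateKey, eku ...x509.ExtKeyUsage) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku, ExtKeyUsage: eku}
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for this demo certificate
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// trustedFor plays the TP role: assemble a chain from leaf through inters to a member of anchors,
// then check the chain may be used for action. Returns the chain length, or 0 if no trusted chain exists.
func trustedFor(leaf *x509.Certificate, inters, anchors *x509.CertPool, action x509.ExtKeyUsage) int {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: anchors, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{action}})
	if err != nil {
		return 0
	}
	return len(chains[0])
}
// demo builds root -> intermediate -> server leaf (all constructed) and asks three trust questions.
func demo() (serverChain, codeSignChain, noAnchorChain int) {
	root, rootKey := issue("Demo Root", 1, x509.KeyUsageCertSign, nil, nil)
	inter, interKey := issue("Demo Intermediate", 2, x509.KeyUsageCertSign, root, rootKey)
	leaf, _ := issue("www.example.test", 3, x509.KeyUsageDigitalSignature, inter, interKey, x509.ExtKeyUsageServerAuth)
	inters, anchors := x509.NewCertPool(), x509.NewCertPool()
	inters.AddCert(inter)
	anchors.AddCert(root)
	return trustedFor(leaf, inters, anchors, x509.ExtKeyUsageServerAuth), // anchored and issued for this action: 3
		trustedFor(leaf, inters, anchors, x509.ExtKeyUsageCodeSigning), // anchored, but not issued for this action: 0
		trustedFor(leaf, inters, x509.NewCertPool(), x509.ExtKeyUsageServerAuth) // root is not among the anchors: 0
}
```

The third case is the one the X509Anchors keychain decides in practice: a perfectly well-formed chain is still untrusted when its root is not in the anchor set.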





Last updated: 2008-02-08

Copyright © 2007 Apple Inc. All rights reserved.