---

CSSM Services

Although the Mac OS X security APIs provide all the capabilities you are ever likely to need for developing secure applications, nearly all the standard CSSM APIs are also available for your use. This section briefly describes the functions provided by each CSSM service. For details, see Common Security: CDSA and CSSM, version 2 (with corrigenda), from the Open Group (http://www.opengroup.org/security/cdsa.htm).

In this section:

Cryptographic Services
Data Store Services
Certificate Services
Trust Policy Services
Authorization Computation Services

Cryptographic Services

Cryptographic Services in CSSM provides functions to perform the following tasks:

• Encrypting and decrypting text and data

• Creating and verifying digital signatures

• Creating a cryptographic hash (used for message digests and other purposes)

• Generating symmetric and asymmetric pairs of cryptographic keys

• Generating pseudorandom numbers

• Controlling access to the CSP for creation of keys

To see exactly which security protocols and algorithms are supported by Apple’s CSP implementation, see the documentation provided with the Open Source security code, which you can download at http://developer.apple.com/darwin/projects/security/, and the Security Release Notes in the latest Xcode Tools from Apple.

Data Store Services

CSSM Data Store Services provides an API for storing and retrieving data that is independent of the type of storage used. If there is more than one DL module installed, the caller can query Data Store Services to learn the capabilities of each and select which one to use in a particular call. The Apple implementation of Data Store Services supports any standard CDSA DL plug-in module. The AppleFileDL Data Storage Library and AppleCSP/DL Encrypted Data Storage module both implement functions called by Data Store Services.

Certificate Services

Certificate Services as specified by CDSA performs the following functions:

• Verifies the signatures on certificates and certificate revocation lists

• Creates certificates and certificate revocation lists

• Signs certificates and certificate revocation lists

• Extracts values of fields from certificates and certificate revocation lists

• Searches certificate revocation lists for specified certificates

Apple’s implementation of Certificate Services supports all of the CL API functions in the CDSA/CSSM specification.

Trust Policy Services

The Mac OS X implementation of CSSM Trust Policy Services provides functions to verify certificates, to determine what attributes they contain and therefore the level of trust they can be given, and to construct a chain of related certificates. It does not implement other trust policy functions in the CSSM standard. Documentation for the CSSM trust policy functions supported by Apple’s TP implementation can be found with the Open Source security code, which you can download at http://developer.apple.com/darwin/projects/security/.

Authorization Computation Services

Apple’s implementation of CSSM does not include the Authorization Computation Services defined in the CDSA standard. Instead, the Authorization Services API calls the Security Server daemon directly (see Figure 1-2).

---