Apple Developer Connection
Advanced Search
Member Login Log In | Not a Member? Contact ADC

CDSA and OpenSSL

Overview

The foundation for cryptography and public key infrastructure on Mac OS X is the Common Data Security Architecture (CDSA). This is a layered set of security services and a cryptographic framework for creating security-enabled applications. In addition, Apple has created additional layers built on CDSA to provided simplified interfaces to CDSA for common security-related tasks.

One cryptographic toolkit that is well known in the Unix community is OpenSSL. OpenSSL provides a general purpose cryptography library, as well as support for the Secure Sockets Layer (SSL) and Transport Layer Security (TLS). The functionality and security provided by the CDSA architecture is an improvement over that available through OpenSSL, and Apple is encouraging developers to use CDSA and layered services such as the Web Kit, CFNetwork and Secure Transport for cryptography or SSL.

There are several advantages to using CDSA. It will improve the overall performance of the system by reducing the number of libraries that frameworks link against to do cryptography. In addition, it makes it easier to do export control paperwork. One of the largest user benefits will be in the area of certificate management, including certificates used by SSL. In addition, Apple is actively improving the performance of the algorithms in CDSA.

Using CDSA has the additional benefit of insulating clients from the implementation of the algorithms. Many of the functions in OpenSSL vary algorithm by algorithm, making it difficult for clients to change algorithms. With the modular approach used in CDSA, new cryptographic modules can be written and deployed with no changes to client code. This also holds true for certificates. A client does not necessarily need to know if a given certificate is stored on disk or on a smart card.

Support for Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) is provided through the SecureTransport API set. One major advantage of the SecureTransport APIs is that they are designed so that key material does not have to be supplied as a parameter to the API. SecureTransport calls into CDSA to access keys via reference, which allows us to use keys based on tokens such as smart cards, which do not allow keys to be exported.

One of the unique features of Apple's implementation of CDSA is the use of reference keys. The default Cryptographic Service Provider (CSP) talks to a root process called SecurityServer to perform actions with cryptographic keys. This allows the keys to be maintained in a separate address space from the client application, and also encourages developers to avoid using key material directly. This is essential if external cryptographic devices such as smart cards or hardware signing boxes are to be supported.

If you are running UNIX services or directly porting UNIX code that uses OpenSSL, that technology is available to you through Darwin. However, if you're doing native Mac OS X development and want integration with Mac OS X's security features such as a common key and certificate repository and authentication that can take advantage of smart cards and other security tokens, you should use CFNetwork or Secure Transport. CFNetwork is very well suited for streaming to and from Web and FTP servers, and uses Secure Transport when establishing secure sessions such as when https:// URLs are used. Secure Transport itself is available for code that already operates at the UNIX sockets level to add SSL functionality that is integrated with Mac OS X's native security architecture.

Use of CDSA

Clients who need to do cryptographic operations should use CDSA or the layered services above CDSA. Some common applications are encryption of data or hashing using such algorithms as SHA-1. A wide variety of algorithms are supported in our standard Cryptographic Service Provider (CSP). Some well known clients are the Keychain and the Encrypted Image feature of Disk Copy.

Clients needing SSL functionality should use CFNetwork, or use SecureTransport directly. This will allow Mac users to get the benefits of a common certificate store. These benefits allow users to specify trust once, rather than in each application. In addition, certificates stored on tokens such as smart cards are supported automatically. SecureTransport has support for both client and server for TLS. The certificate APIs will also be used by third party developers of applications such as browsers and mail applications.

Resources

  • Sample code for using SecureTransport and for doing various types of cryptographic operations is available. This code is also available on the latest developer CD.
  • The CDSA Discussion Mailing List is a good resource for asking CDSA questions.
  • The CDSA implementation is available in the open source repository, and so can be used from Darwin code.

Updated: 2004-08-23