Certificate, Key, and Trust Services Concepts

Certificate, Key, and Trust Services is a collection of functions and data structures used to authenticate and authorize users and processes using keys and certificates. Because in OS X and iOS, certificates and keys are stored on a keychain, many of the functions in this API must be used in conjunction with functions in the Keychain Services API.

This chapter discusses some of the concepts you need to understand in order to use the Certificate, Key, and Trust Services API. In addition, keys and certificates are defined and discussed in Security Overview.

Certificates, Keys, and Identities

A digital certificate is a collection of data used to verify the identity of the holder or sender of the certificate. For example, a certificate contains such information as:

Each certificate is verified through the use of another certificate, creating a chain of certificates that ends with the root certificate. The issuer of a certificate is called a certification authority (CA). The owner of the root certificate is the root certification authority. See Security Overview for more details about the structure and contents of a certificate.

Every public key is half of a public-private key pair. As implied by the names, the public key can be obtained by anyone, but the private key is kept secret by the owner of the key. Data encrypted with the private key can be decrypted only with the public key, and vice versa. In order to both encrypt and decrypt data, therefore, a given user must have both a public key (normally embedded in a certificate) and a private key. The combination of a certificate and its associated private key is known as an identity. Certificate, Key, and Trust Services includes functions to find the certificate or key associated with an identity and to find an identity when given search criteria. The search criteria include the permitted uses for the key.

In OS X and iOS, keys and certificates are stored on a keychain, a database that provides secure (that is, encrypted) storage for private keys and other secrets as well as unencrypted storage for other security-related data. The Certificate, Key, and Trust Services functions that search for keys, certificates, and identities all use the keychain for this purpose. On an OS X system, you can use the Keychain Access utility to see the contents of the keychain and to examine the contents of certificates.

Certificate, Key, and Trust Services and CDSA

In iOS, the Keychain Services API provides all the functions available to manipulate keychain items.

In OS X, Certificate, Key, and Trust services and other security APIs are built on the open-source Common Data Security Architecture (CDSA) and its programming interface, Common Security Services Manager (CSSM).

The Certificate, Key, and Trust Services API provides functions to perform most of the operations needed by applications, including generating key pairs, retrieving the certificate or private key associated with an identity, retrieving root certificates from the system, validating certificates, and evaluating trust. However, the underlying CSSM API provides more capabilities that might be of interest to specialty applications, such as applications designed to administer the security of a computer or network. For this reason, the Certificate, Key, and Trust Services API includes a number of functions that return or create CSSM structures so that you can move freely back and forth between Certificate, Key, and Trust Services and CSSM.

For more information about the CSSM API, see Common Security: CDSA and CSSM, version 2 (with corrigenda) from The Open Group (http://www.opengroup.org/security/cdsa.htm).

Policies and Trust

Certain attributes of a digital certificate (known as certificate extensions) are said to establish a level of trust for a digital certificate. The level of trust for a certificate is used to answer the question “Should I trust this certificate for this action?” A trust policy is a set of rules that specify how to evaluate a certificate to see if it is valid for a specific level of trust.

For example, in OS X the AppleX509TP module implements a trust policy referred to as the S/MIME policy, which specifies how to verify email addresses in addition to basic validation of the certificate. When you set up a trust evaluation in the Certificate, Key, and Trust Services API, you specify which policy to use in evaluating trust. This is how you indicate the use for which you want to verify the certificate’s validity. For example, if you specify the SSL policy, you are in effect asking whether the certificate can be trusted for use in establishing a secure connection over a network.

Some policies have options (see the “AppleX509TP Trust Policies” appendix in Certificate, Key, and Trust Services Reference). For example, the certificate revocation list policy includes options, which include flags. When the CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT flag is set, a certificate is not valid unless every certificate in the certificate chain has been successfully verified using a certificate revocation list. Option structures for the AppleX509TP trust policies are defined in cssmapple.h. The Certificate, Key, and Trust Services API uses default option values for each policy.