Managing Keys, Certificates, and Passwords
The keychain provides storage for passwords, encryption keys, certificates, and other small pieces of data. After an app requests access to a keychain, it can store and retrieve sensitive data, confident that untrusted apps cannot access that data without explicit action by the user.
In OS X, the user is prompted for permission when an app tries to read a keychain item that it did not create (more precisely, an item whose access control list does not include that app); if the keychain is locked, the user is first asked for the keychain password to unlock it.
In iOS, an app can access only the keychain items it created itself, or items in a keychain access group it shares with other apps from the same developer. The user is never asked for permission or for a password.
There are two recommended APIs for accessing the keychain: Certificate, Key, and Trust Services, and Keychain Services.
Certificate, Key, and Trust Services
Certificate, Key, and Trust Services is a C API for managing certificates, public and private keys, symmetric keys, and trust policies in iOS and OS X. You can use these services in your app to:
Create certificates and asymmetric keys
Add certificates and keys to keychains, remove them from keychains, and use keys to encrypt and decrypt data
Retrieve information about a certificate, such as the private key associated with it, the owner, and so on
Convert certificates to and from portable representations
Create and manipulate trust policies and evaluate a specific certificate using a specified set of trust policies
Add anchor certificates
In OS X, functions are also available to retrieve anchor certificates and set user-specified settings for trust policies for a given certificate.
In iOS, additional functions are provided to:
Use a private key to generate a digital signature for a block of data
Use a public key to verify a signature
Use a public key to encrypt a block of data
Use a private key to decrypt a block of data
Certificate, Key, and Trust Services operates on certificates that conform to the ITU-T X.509 standard, uses the keychain to store and retrieve certificates and keys, and uses the trust policies provided by Apple.
Because SSL and TLS use certificates to authenticate the peers of a connection, the Secure Transport API includes functions to manage the certificates and root certificates used in a secure connection.
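As an added example (my illustration, not code from the page or from Apple's documentation), the Swift script below exercises the operations listed above using the unified SecKey and SecTrust functions that exist on both macOS (10.12 and later; SecTrustEvaluateWithError needs 10.14) and iOS (10 and later, SecTrustEvaluateWithError from 12): it creates a P-256 key pair, signs a block of data with the private key, verifies the signature with the public key, shows that a tampered message fails verification, and evaluates a DER-encoded certificate against the SSL policy for a host name, optionally against a caller-supplied set of anchors only (pinning). The message is a constructed sample; the certificate file and host name are assumed command-line arguments, and the key pair is deliberately non-permanent so nothing is left in the keychain.

```swift
import Foundation
import Security

enum CryptoError: Error { case unsupported, noPublicKey }

/// Create an in-memory (non-permanent) P-256 key pair. Setting kSecAttrIsPermanent
/// to true would store the private key in the keychain instead.
func makeKeyPair() throws -> (priv: SecKey, pub: SecKey) {
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecPrivateKeyAttrs as String: [kSecAttrIsPermanent as String: false],
    ]
    var err: Unmanaged<CFError>?
    guard let priv = SecKeyCreateRandomKey(attrs as CFDictionary, &err) else {
        throw err!.takeRetainedValue() as Error
    }
    guard let pub = SecKeyCopyPublicKey(priv) else { throw CryptoError.noPublicKey }
    return (priv, pub)
}

// ECDSA over SHA-256: the framework hashes the message itself.
let signingAlg: SecKeyAlgorithm = .ecdsaSignatureMessageX962SHA256

/// Sign `data` with the private key.
func sign(_ data: Data, with priv: SecKey) throws -> Data {
    guard SecKeyIsAlgorithmSupported(priv, .sign, signingAlg) else { throw CryptoError.unsupported }
    var err: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(priv, signingAlg, data as CFData, &err) else {
        throw err!.takeRetainedValue() as Error
    }
    return sig as Data
}

/// Verify `signature` over `data` with the public key. A bad signature or an
/// unsupported algorithm both come back as "not verified" rather than a thrown error.
func verify(_ data: Data, signature: Data, with pub: SecKey) -> Bool {
    var err: Unmanaged<CFError>?
    return SecKeyVerifySignature(pub, signingAlg, data as CFData, signature as CFData, &err)
}

/// Evaluate a DER-encoded leaf certificate against the TLS server policy for `host`.
/// With `anchors` supplied, only those anchors are accepted (pinning); without them
/// the system trust store and Apple's trust policies are used.
func evaluateServerCertificate(leafDER: Data, host: String,
                               anchors: [SecCertificate]? = nil) -> (trusted: Bool, reason: String?) {
    guard let leaf = SecCertificateCreateWithData(nil, leafDER as CFData) else {
        return (false, "input is not a DER-encoded X.509 certificate")
    }
    let policy = SecPolicyCreateSSL(true, host as CFString)   // true: server certificate
    var trust: SecTrust?
    guard SecTrustCreateWithCertificates(leaf, policy, &trust) == errSecSuccess,
          let t = trust else {
        return (false, "could not create trust object")
    }
    if let anchors = anchors {
        SecTrustSetAnchorCertificates(t, anchors as CFArray)
        SecTrustSetAnchorCertificatesOnly(t, true)   // ignore the system roots entirely
    }
    var err: CFError?
    let ok = SecTrustEvaluateWithError(t, &err)
    return (ok, err.map { ($0 as Error).localizedDescription })
}

// Demonstration on a constructed message: the genuine message verifies, a copy with
// one flipped bit does not.
do {
    let (priv, pub) = try makeKeyPair()
    let message = Data("constructed sample message".utf8)
    let sig = try sign(message, with: priv)
    print("original verifies:", verify(message, signature: sig, with: pub))
    var tampered = message
    tampered[0] ^= 0x01
    print("tampered verifies:", verify(tampered, signature: sig, with: pub))
} catch {
    print("key operation failed:", error)
}

// Assumed usage: `swift thisfile.swift server.der example.com` evaluates a certificate
// you exported yourself; a self-signed certificate or a host-name mismatch is rejected
// and the reason is printed.
let args = CommandLine.arguments
if args.count == 3, let der = FileManager.default.contents(atPath: args[1]) {
    let (ok, why) = evaluateServerCertificate(leafDER: der, host: args[2])
    print("trusted:", ok, why ?? "")
}
```

The pinning branch is the one to get right in practice: SecTrustSetAnchorCertificates alone adds your anchors to the system roots, so a certificate chaining to any public CA would still pass; SecTrustSetAnchorCertificatesOnly(t, true) is what restricts trust to your own anchors.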
To display the contents of a certificate in an OS X user interface, you can use the SFCertificateView class in the Security Objective-C API. In addition, the SFCertificateTrustPanel class displays trust decisions and lets the user edit them.
Keychain Services
In OS X and iOS, Keychain Services lets you create keychains, add, delete, and edit keychain items, and, in OS X only, manage collections of keychains. In most cases, a keychain-aware app does no keychain management at all: it calls a few functions to store or retrieve passwords.
By default, iOS backups are stored in cleartext (unless the user turns on encrypted backups), with the exception of passwords and other secrets in the keychain, which remain encrypted in the backup. It is therefore important to store passwords and other credentials used to access secure web sites (session cookies, for example) in the keychain rather than in files. Otherwise, anyone who gains access to the backup data can read them.
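An added example of the few calls a keychain-aware app actually needs (my illustration, not code from the page): it stores a web credential as an internet-password item, updates the secret if the item already exists, reads it back, and deletes it. It uses kSecAttrAccessibleWhenUnlockedThisDeviceOnly, which, besides requiring the device to be unlocked, marks the item as non-migratable, so it is left out of backups altogether instead of relying on the backup's encryption. The server, account and password are constructed sample values. The code targets iOS, where the backup concern above applies; on macOS the accessibility class only takes effect in the data-protection keychain (kSecUseDataProtectionKeychain, 10.15 and later, which requires a code-signed app), not in the file-based keychain.

```swift
import Foundation
import Security

struct KeychainError: Error, CustomStringConvertible {
    let status: OSStatus
    var description: String {
        (SecCopyErrorMessageString(status, nil) as String?) ?? "OSStatus \(status)"
    }
}

/// Attributes that identify one credential: class, server and account.
private func baseQuery(server: String, account: String) -> [String: Any] {
    [
        kSecClass as String: kSecClassInternetPassword,
        kSecAttrServer as String: server,
        kSecAttrAccount as String: account,
    ]
}

/// Add the password, or update it if an item with the same server/account exists.
/// kSecAttrAccessibleWhenUnlockedThisDeviceOnly: readable only while unlocked, and
/// never copied into a backup (even an encrypted one) or migrated to another device.
func storePassword(server: String, account: String, password: String) throws {
    let base = baseQuery(server: server, account: account)
    let secret: [String: Any] = [
        kSecValueData as String: Data(password.utf8),
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    ]
    var status = SecItemAdd(base.merging(secret) { _, new in new } as CFDictionary, nil)
    if status == errSecDuplicateItem {
        // Existing item: replace only the secret; its accessibility class is kept.
        status = SecItemUpdate(base as CFDictionary,
                               [kSecValueData as String: Data(password.utf8)] as CFDictionary)
    }
    guard status == errSecSuccess else { throw KeychainError(status: status) }
}

/// Return the stored password, or nil if there is none. Any other failure is thrown.
func loadPassword(server: String, account: String) throws -> String? {
    var query = baseQuery(server: server, account: account)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess, let data = item as? Data else {
        throw KeychainError(status: status)
    }
    return String(decoding: data, as: UTF8.self)
}

/// Remove the credential; a missing item is not treated as an error.
func deletePassword(server: String, account: String) throws {
    let status = SecItemDelete(baseQuery(server: server, account: account) as CFDictionary)
    guard status == errSecSuccess || status == errSecItemNotFound else {
        throw KeychainError(status: status)
    }
}

// Constructed sample: round-trip a credential, then remove it again.
do {
    try storePassword(server: "example.com", account: "alice",
                      password: "correct horse battery staple")
    print("stored:", try loadPassword(server: "example.com", account: "alice") ?? "<none>")
    try deletePassword(server: "example.com", account: "alice")
    print("after delete:", try loadPassword(server: "example.com", account: "alice") ?? "<none>")
} catch {
    print("keychain error:", error)
}
```

Pick the accessibility class deliberately: the plain kSecAttrAccessibleWhenUnlocked variant is included in encrypted backups and restored to a new device, which is what you want for most credentials; the ThisDeviceOnly variant is for secrets that must not leave the hardware, such as a token bound to this device's identity.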
To get started using Keychain Services, see Keychain Services Programming Guide and Keychain Services Reference.
In OS X, the Keychain Access application provides a user interface to the keychain. See “Keychain Access” in Security Overview for more information about this application.
To Learn More
For more information about using Keychain Services to store and retrieve secrets and certificates, read Keychain Services Programming Guide and Keychain Services Reference.
For more information about Secure Transport, read “Secure Transport.”
For more information about the certificate user interface API, read “Security Objective-C API” in Security Overview.