Certificate, Key, and Trust Services Concepts
Certificate, Key, and Trust Services is a collection of functions and data structures used to authenticate and authorize users and processes using keys and certificates. Because in OS X and iOS certificates and keys are stored on a keychain, many of the functions in this API must be used in conjunction with functions in the Keychain Services API.
This chapter discusses some of the concepts you need to understand in order to use the Certificate, Key, and Trust Services API. Keys and certificates themselves are defined and discussed in Security Overview.
Certificates, Keys, and Identities
A digital certificate is a collection of data used to verify the identity of the holder or sender of the certificate. For example, a certificate contains such information as:
- Certificate issuer
- Certificate holder
- Validity period (the certificate is not valid before or after this period)
- Public key of the owner of the certificate
- Certificate extensions, which contain additional information such as allowable uses for the private key associated with the certificate
- Digital signature from the certification authority, which ensures that the certificate has not been altered and indicates the identity of the issuer
Each certificate is verified through the use of another certificate, creating a chain of certificates that ends with the root certificate. The issuer of a certificate is called a certification authority (CA). The owner of the root certificate is the root certification authority. See Security Overview for more details about the structure and contents of a certificate.
Every public key is half of a public-private key pair. As implied by the names, the public key can be obtained by anyone, but the private key is kept secret by the owner of the key. Data encrypted with the public key can be decrypted only with the corresponding private key, and a signature created with the private key can be verified only with the corresponding public key. In order to both encrypt and decrypt data, therefore, a given user must have both a public key (normally embedded in a certificate) and a private key. The combination of a certificate and its associated private key is known as an identity. Certificate, Key, and Trust Services includes functions to find the certificate or key associated with an identity and to find an identity when given search criteria. The search criteria include the permitted uses for the key.
In OS X and iOS, keys and certificates are stored on a keychain, a database that provides secure (that is, encrypted) storage for private keys and other secrets as well as unencrypted storage for other security-related data. The Certificate, Key, and Trust Services functions that search for keys, certificates, and identities all use the keychain for this purpose. On an OS X system, you can use the Keychain Access utility to see the contents of the keychain and to examine the contents of certificates.
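The following Swift script is an added example, not code from Apple's documentation, that exercises the two ideas above: a key pair whose private half signs and whose public half verifies, and a keychain search for an identity filtered by the permitted use of its key (here, TLS client authentication via kSecMatchPolicy). It assumes the Security framework on macOS or iOS; the optional email-address filter and the message text are placeholders, and the search simply reports nothing if the keychain holds no matching identity.

```swift
import Foundation
import Security

// Generate a key pair in memory (kSecAttrIsPermanent false keeps it out of the keychain).
func makeKeyPair() throws -> (privateKey: SecKey, publicKey: SecKey) {
    let attributes: [CFString: Any] = [
        kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits: 256,
        kSecAttrIsPermanent: false,
    ]
    var error: Unmanaged<CFError>?
    guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    // The public half is derived from the private key; it is the part a certificate would carry.
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(errSecInvalidKeyRef))
    }
    return (privateKey, publicKey)
}

// Sign with the private key, verify with the public key, and show that a
// modified message no longer verifies against the same signature.
func signAndVerify(message: Data, privateKey: SecKey, publicKey: SecKey) throws -> (original: Bool, tampered: Bool) {
    let algorithm: SecKeyAlgorithm = .ecdsaSignatureMessageX962SHA256
    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(privateKey, algorithm, message as CFData, &error) as Data? else {
        throw error!.takeRetainedValue() as Error
    }
    var tampered = message
    tampered.append(0x00)
    let originalOK = SecKeyVerifySignature(publicKey, algorithm, message as CFData, signature as CFData, &error)
    let tamperedOK = SecKeyVerifySignature(publicKey, algorithm, tampered as CFData, signature as CFData, &error)
    return (originalOK, tamperedOK)
}

struct KeychainIdentity {
    let identity: SecIdentity
    let certificate: SecCertificate
    let privateKey: SecKey
}

// Look up an identity whose certificate is usable as a TLS client certificate.
// kSecMatchPolicy is the "permitted uses" search criterion the text mentions.
func findClientIdentity(emailAddress: String? = nil) -> KeychainIdentity? {
    var query: [CFString: Any] = [
        kSecClass: kSecClassIdentity,
        kSecMatchPolicy: SecPolicyCreateSSL(false, nil),   // false = client side of TLS
        kSecReturnRef: true,
        kSecMatchLimit: kSecMatchLimitOne,
    ]
    if let emailAddress = emailAddress {
        query[kSecMatchEmailAddressIfPresent] = emailAddress
    }
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let found = item,
          CFGetTypeID(found) == SecIdentityGetTypeID() else {
        return nil
    }
    let identity = found as! SecIdentity
    // Split the identity into the two halves the text describes.
    var certificate: SecCertificate?
    var privateKey: SecKey?
    guard SecIdentityCopyCertificate(identity, &certificate) == errSecSuccess,
          SecIdentityCopyPrivateKey(identity, &privateKey) == errSecSuccess,
          let cert = certificate, let key = privateKey else {
        return nil
    }
    return KeychainIdentity(identity: identity, certificate: cert, privateKey: key)
}

do {
    let pair = try makeKeyPair()
    let result = try signAndVerify(message: Data("hello, keychain".utf8),   // placeholder message
                                   privateKey: pair.privateKey, publicKey: pair.publicKey)
    print("signature verifies: \(result.original); tampered message verifies: \(result.tampered)")
} catch {
    print("key operation failed: \(error)")
}

if let found = findClientIdentity() {
    let subject = SecCertificateCopySubjectSummary(found.certificate) as String? ?? "<no subject>"
    print("TLS client identity in keychain: \(subject)")
} else {
    print("no TLS client identity in the keychain")
}
```

The search returns the identity as a single reference; SecIdentityCopyCertificate and SecIdentityCopyPrivateKey are how you get back to the certificate and key separately, which is what the text means by finding the certificate or key associated with an identity. Run it as a script with `swift`, or drop it into a command-line target that links Security.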
Certificate, Key, and Trust Services and CDSA
In iOS, the Keychain Services API provides all the functions available to manipulate keychain items.
In OS X, Certificate, Key, and Trust Services and other security APIs are built on the open-source Common Data Security Architecture (CDSA) and its programming interface, the Common Security Services Manager (CSSM).
The Certificate, Key, and Trust Services API provides functions to perform most of the operations needed by applications, including generating key pairs, retrieving the certificate or private key associated with an identity, retrieving root certificates from the system, validating certificates, and evaluating trust. However, the underlying CSSM API provides more capabilities that might be of interest to specialty applications, such as applications designed to administer the security of a computer or network. For this reason, the Certificate, Key, and Trust Services API includes a number of functions that return or create CSSM structures so that you can move freely back and forth between Certificate, Key, and Trust Services and CSSM.
For more information about the CSSM API, see Common Security: CDSA and CSSM, version 2 (with corrigenda) from The Open Group (http://www.opengroup.org/security/cdsa.htm).
Policies and Trust
Certain attributes of a digital certificate (known as certificate extensions) are said to establish a level of trust for a digital certificate. The level of trust for a certificate is used to answer the question “Should I trust this certificate for this action?” A trust policy is a set of rules that specify how to evaluate a certificate to see if it is valid for a specific level of trust.
For example, in OS X the AppleX509TP module implements a trust policy referred to as the S/MIME policy, which specifies how to verify email addresses in addition to basic validation of the certificate. When you set up a trust evaluation in the Certificate, Key, and Trust Services API, you specify which policy to use in evaluating trust. This is how you indicate the use for which you want to verify the certificate’s validity. For example, if you specify the SSL policy, you are in effect asking whether the certificate can be trusted for use in establishing a secure connection over a network.
Some policies have options (see the AppleX509TP Trust Policies appendix in Certificate, Key, and Trust Services Reference). For example, the certificate revocation list policy includes options, which include flags. When the CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT flag is set, a certificate is not valid unless every certificate in the certificate chain has been successfully verified using a certificate revocation list. Option structures for the AppleX509TP trust policies are defined in cssmapple.h. The Certificate, Key, and Trust Services API uses default option values for each policy.
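The following Swift script is an added example, not code from Apple's documentation, that puts the two preceding topics together: validating a certificate chain and evaluating trust (as listed among the API's operations above) and choosing the policy that states what the certificate is being trusted for. It builds a SecTrust from a leaf and an intermediate, pins the evaluation to one explicit root, and evaluates the same chain under a basic X.509 policy, an SSL server policy for a specific hostname, and an SSL policy combined with a revocation policy. The file paths and the hostname are placeholders. The CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT flag above belongs to the CDSA layer, which is deprecated on current macOS; the closest present-day counterpart, used here, is SecPolicyCreateRevocation with kSecRevocationCRLMethod and kSecRevocationRequirePositiveResponse, which requires a positive CRL answer for every certificate in the chain.

```swift
import Foundation
import Security

// Load a DER-encoded certificate from disk. The paths used below are placeholders.
func loadCertificate(atPath path: String) throws -> SecCertificate {
    let der = try Data(contentsOf: URL(fileURLWithPath: path))
    guard let certificate = SecCertificateCreateWithData(nil, der as CFData) else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(errSecUnknownFormat),
                      userInfo: [NSLocalizedDescriptionKey: "\(path) is not a DER certificate"])
    }
    return certificate
}

enum TrustOutcome {
    case trusted(chainLength: Int)
    case rejected(String)
}

// Evaluate a chain (leaf first, intermediates after) under the given policies.
// With explicit anchors the chain must end in one of those roots, not merely in
// any root the system happens to trust.
func evaluate(chain: [SecCertificate], policies: [SecPolicy],
              anchors: [SecCertificate]? = nil) -> TrustOutcome {
    var trust: SecTrust?
    let status = SecTrustCreateWithCertificates(chain as CFArray, policies as CFArray, &trust)
    guard status == errSecSuccess, let trust = trust else {
        return .rejected("SecTrustCreateWithCertificates failed with OSStatus \(status)")
    }
    if let anchors = anchors {
        _ = SecTrustSetAnchorCertificates(trust, anchors as CFArray)
        _ = SecTrustSetAnchorCertificatesOnly(trust, true)
    }
    var error: CFError?
    if SecTrustEvaluateWithError(trust, &error) {
        // The count includes the anchor, so leaf/intermediate/root reports 3.
        // (SecTrustCopyCertificateChain replaces this call on macOS 12 and later.)
        return .trusted(chainLength: SecTrustGetCertificateCount(trust))
    }
    let reason = error.map { CFErrorCopyDescription($0) as String } ?? "no error detail"
    return .rejected(reason)
}

// Policies answer "trusted for what?". The same chain can pass basic X.509
// validation and still fail the SSL policy when the hostname does not match.
let basicX509 = SecPolicyCreateBasicX509()
let sslServer = SecPolicyCreateSSL(true, "www.example.com" as CFString)   // hostname is a placeholder
// Require a positive CRL answer for every certificate in the chain.
guard let strictCRL = SecPolicyCreateRevocation(kSecRevocationCRLMethod | kSecRevocationRequirePositiveResponse) else {
    fatalError("SecPolicyCreateRevocation returned nil")
}

let cases: [(name: String, policies: [SecPolicy])] = [
    ("basic X.509", [basicX509]),
    ("SSL server for www.example.com", [sslServer]),
    ("SSL server plus mandatory CRL check", [sslServer, strictCRL]),
]

do {
    let leaf = try loadCertificate(atPath: "leaf.der")
    let intermediate = try loadCertificate(atPath: "intermediate.der")
    let root = try loadCertificate(atPath: "root.der")
    for c in cases {
        switch evaluate(chain: [leaf, intermediate], policies: c.policies, anchors: [root]) {
        case .trusted(let length):
            print("\(c.name): trusted; chain of \(length) certificates ending in the anchor")
        case .rejected(let reason):
            print("\(c.name): rejected (\(reason))")
        }
    }
} catch {
    print("could not load certificates: \(error)")
}
```

Two details matter in practice. SecTrustSetAnchorCertificatesOnly(true) is what turns the explicit anchor list into a pin; without it the system roots remain acceptable as well. And the revocation policy only bites if the certificates carry CRL distribution points the evaluator can fetch, so expect the third case to be rejected on an offline machine even when the chain is otherwise good, which is exactly the conservative behaviour the require-positive-response option asks for.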