<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright (c) 2007-2010 Nokia Corporation and/or its subsidiary(-ies) All rights reserved. -->
<!-- This component and the accompanying materials are made available under the terms of the License
"Eclipse Public License v1.0" which accompanies this distribution,
and is available at the URL "http://www.eclipse.org/legal/epl-v10.html". -->
<!-- Initial Contributors:
Nokia Corporation - initial contribution.
Contributors:
-->
<!DOCTYPE concept
  PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
|
<concept id="GUID-AE96F25E-45A2-5C00-9F27-BB3E17C8E6E5" xml:lang="en"><title>Certificate
and Key Management Overview</title><abstract><p>The Certificate and Key Management component provides authentication
services built on <xref href="GUID-FB2CAA46-8EBB-5F76-847C-F3B953C9D31C.dita">Public
Key Cryptography</xref>: storage, validation and trust management for certificates, and protected storage and use of keys.</p></abstract><prolog><metadata><keywords/></metadata></prolog><conbody>
|
<section><title>Purpose</title> <p>The main purpose of the Certificate and
Key Management component is to provide validation services according to the
Public Key Infrastructure (PKI) for <xref href="GUID-C676C4E6-93AF-59E9-886D-74D59F154490.dita">X.509</xref> certificates. </p> <p>The
Certificate and Key Management component provides interfaces for the following: </p> <ul>
<li id="GUID-A3109F52-09A5-5ACD-9844-883EB9E6E37B"><p>Storage and retrieval
of certificates </p> </li>
<li id="GUID-27F48C66-606E-594D-A1E0-8E1B7C048C6B"><p>Assignment of trust
status to a certificate on an application-by-application basis </p> </li>
<li id="GUID-CF4BAB94-8FC1-5375-BDA6-1DA46DF3F68B"><p>Certificate chain construction
and validation </p> </li>
<li id="GUID-C44175FE-15D6-5145-8F73-CAC7F10A506A"><p>Verification of trust
of a certificate </p> </li>
<li id="GUID-EFDD6039-5F57-5F41-B90C-2776B247F659"><p>Generation of asymmetric
key pairs </p> </li>
<li id="GUID-AB119A48-43E3-5C5F-80B6-F1A92E9B6531"><p>Protected storage of
keys </p> </li>
<li id="GUID-14E232E1-73F1-58EE-A435-53B3D46680D4"><p>Key import and export </p> </li>
<li id="GUID-21FCB8AB-8399-50E3-847A-53DF092BBA25"><p>Authenticated execution
of private key operations </p> </li>
</ul> </section>
|
<section><title>Required background</title> <p>To understand Certificate and
Key Management in detail, you need to have a basic understanding of the following: </p> <ul>
<li id="GUID-1A307F21-3BBF-525D-98B1-3AC2035786EC"><p><xref href="GUID-FB2CAA46-8EBB-5F76-847C-F3B953C9D31C.dita">Public
Key Cryptography</xref> </p> </li>
<li id="GUID-0EA3DF92-DFE8-5265-97F6-862D5198E9FF"><p><xref href="GUID-911E9F7E-D0AD-55EC-A3F4-1D427F803780.dita">Certificates</xref> </p> </li>
<li id="GUID-0D2E1131-4C60-56CB-BCDD-432AC5F660F1"><p><xref href="GUID-5C58F7D1-D672-5B6D-AD48-863EC68F7446.dita">Digital
Signatures</xref> </p> </li>
</ul> </section>
|
<section><title>Key concepts and terms</title> <dl>
<dlentry>
<dt>Certificate</dt>
<dd><p>A certificate is an electronic document that binds an identity (the subject)
to a public key. It is used to authenticate public keys: a relying party that trusts
the issuer can accept that the public key in the certificate belongs to the named
subject, and can then verify that subject's signatures or encrypt data for it. </p> <p>Certificates
are issued by a Certification Authority (CA), which signs them with its own private
key. They usually include the subject and issuer names, the subject's public key,
a serial number, a validity period, the certificate format and version (for example,
X.509 v3), the signature algorithm (for example, MD2 with RSA; MD2 and MD5 signatures
are obsolete and should not be accepted on newly issued certificates) and the CA's
signature. A label is assigned to a certificate when it is placed in a certificate
store. </p> </dd>
</dlentry>
<dlentry>
<dt>Key</dt>
<dd><p>A cryptographic key is a value that a cryptographic algorithm combines with
its input: to encrypt plaintext, to decrypt ciphertext, or to create and verify
digital signatures. </p> <p>Keys are classified as symmetric and asymmetric based
on the type of algorithm applied. If the same key is used for both encryption and
decryption, it is symmetric, and every party that holds it must keep it secret. If
different keys are used for encryption and decryption, they are asymmetric. Asymmetric
keys exist in the form of a public and private key pair: anyone may use the public
key to encrypt data or to verify a signature, but only the holder of the private key
can decrypt that data or create the signature. The private key is therefore the value
a key store must protect, and the reason private key operations are authenticated. </p> </dd>
</dlentry>
<dlentry>
<dt>Certificate Store</dt>
<dd><p>A certificate store is a database or a file that stores and manipulates
certificates. </p> <p>The certificate store provides the following functionality: </p> <ul>
<li id="GUID-4FABC2C2-8133-5398-9747-0A247344A52C"><p>Storage and retrieval
of certificates </p> </li>
<li id="GUID-F527AAE6-DCDE-5ECC-AB89-1299DC0800A4"><p>Assignment of trust
status to certificates </p> </li>
<li id="GUID-BA60380A-BAC7-59D4-BD7E-5C28ED24921A"><p>Retrieval of the list of
applications that trust a certificate </p> </li>
</ul> </dd>
</dlentry>
<dlentry>
<dt>Key Store</dt>
<dd><p>A key store is a repository of keys that can be retrieved and used
to accomplish a variety of tasks. </p> <p>The key store provides the following
functionality: </p> <ul>
<li id="GUID-F5BC1B3C-B400-5392-A68C-ACDB84ABACFC"><p>Generation, import and
export of RSA, DSA, and DH key pairs </p> </li>
<li id="GUID-4A5C1491-C922-5C00-94D6-0E9E05310102"><p>Listing of stored keys </p> </li>
<li id="GUID-1F7B3427-3EB7-5411-A30C-0BB749C1EE73"><p>Authentication of users </p> </li>
<li id="GUID-2DB4F4DF-BB77-5B7F-A724-BBAE21D5B4F4"><p>Private key operations
for authenticated users </p> </li>
</ul> </dd>
</dlentry>
<dlentry>
<dt>Token</dt>
<dd><p>A token is a concrete instance of an object such as a certificate
or a key held on the phone. Each token belongs to a group of tokens called
a token type. For example, an X.509 certificate is a token which belongs to
the X.509 token type. </p> </dd>
</dlentry>
</dl> </section>
|
<section><title>Architecture</title> <p>The following diagram shows the basic
architecture of the Certificate and Key Management component. The blocks in
blue are internal to the component. </p> <fig id="GUID-4532D14E-A9FE-595C-8B75-4FA2AE57B8EA">
<image href="GUID-5BB017AA-46AE-5461-9184-98CE7FA898B9_d0e362837_href.jpg" placement="inline"/>
</fig> <p>The various blocks in the basic architecture diagram of the Certificate
and Key Management component are explained as follows: </p> <ul>
<li id="GUID-0FCBBCA0-CD31-51AB-84D1-93994EAC54E2"><p> <b>Client Application</b>:
This is a typical application that accesses the certificates or the keys of
the device through the Certificate and Key Management component. </p> <p>For example,
a web browser that is about to load a bank's web page over a secured <codeph>https</codeph> connection
(say, to perform a money transfer) receives the bank's server certificate, builds
a chain from that certificate up to a root certificate held in the device's certificate
store, checks that every certificate in the chain is within its validity period and
carries a valid signature from its issuer, and checks that the root is marked as
trusted for the browser's application. Only if all of these checks succeed does
it treat the connection as secure and load the page. </p> </li>
<li id="GUID-B649A55C-7446-56D8-85FB-98AB4879B8CE"><p> <b>Unified Stores</b>:
The <xref href="GUID-39B459CD-8210-59B5-95F4-85CE36676735.dita">Unified Stores</xref> APIs
form the primary access point for client applications to use certificates
or keys stored in the device. The <xref href="GUID-0010EB39-8C23-5453-BE96-4EFC520B6F81.dita">Unified
Certificate Store</xref> provides a unified view of all the certificates in
the device while the <xref href="GUID-695FCEB8-EA04-5C1C-A197-648275BA0281.dita">Unified
Key Store</xref> provides a similar view of all the keys in the device. </p> </li>
<li id="GUID-0A28DE19-3E16-5094-9964-32BE1BF50107"><p> <b>Generic Certificate
and Key Stores</b>: These are the various certificate and key stores in the
device. </p> </li>
<li id="GUID-197709E0-7811-55F1-9EA9-7D80389B3D0A"><p> <b>File-Based Store
Implementation</b>: The certificate and key stores use Symbian's <xref href="GUID-C7150120-74C2-5FF1-99F0-0A267393E342.dita">file-based
store implementation</xref>. Based on the operations to be performed on the
keys and certificates, the file-based implementation updates the physical
certificate and key store files. </p> </li>
</ul> </section>
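<section><title>Worked example: chain construction, validation and per-application trust</title> <p>The following is an added example and not code from this documentation or from the Symbian SDK. It models, in plain Python, the sequence the Client Application bullet above describes and the Purpose section promises: build a chain from a leaf certificate to a self-signed root, check validity period and issuer signature on every link, then accept the root only if it is in the certificate store and is trusted for the application that is asking. The certificate fields, the day-number "dates", the application names (<codeph>tls_client</codeph>, <codeph>sw_install</codeph>) and the RSA keys are all constructed for the example; the keys are tiny textbook RSA keys so that signatures can genuinely be verified offline, and are not secure. </p>

```python
"""Added example, not code from the Symbian documentation or SDK: a toy model of
chain construction, chain validation and per-application trust as described in the
Purpose and Architecture sections. Certificates, keys, "dates" (day numbers) and
application names are constructed here; the RSA keys are tiny textbook keys so that
signatures can be verified offline, and are not secure."""
import hashlib
from dataclasses import dataclass
from math import gcd
from typing import Dict, List, Set, Tuple

Key = Tuple[int, int]  # (n, e) for a public key, (n, d) for a private key


def _next_prime(n: int) -> int:
    """Smallest prime >= n by trial division (adequate for the toy sizes used here)."""
    while not (n >= 2 and all(n % i for i in range(2, int(n ** 0.5) + 1))):
        n += 1
    return n


def make_rsa(seed: int) -> Tuple[Key, Key]:
    """Constructed toy RSA key pair derived from 'seed': returns (public, private)."""
    p, q = _next_prime(seed), _next_prime(2 * seed)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: Key
    not_before: int  # day numbers stand in for real dates
    not_after: int
    signature: int = 0

    def tbs_digest_int(self, n: int) -> int:
        """Digest of the to-be-signed fields, reduced mod n (stands in for DER tbsCertificate)."""
        tbs = f"{self.subject}|{self.issuer}|{self.public_key}|{self.not_before}|{self.not_after}"
        return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big") % n


def issue(subject: str, public_key: Key, not_before: int, not_after: int, issuer: str, priv: Key) -> Cert:
    """The issuer signs the certificate with its private key (textbook RSA, toy only)."""
    n, d = priv
    unsigned = Cert(subject, issuer, public_key, not_before, not_after)
    return Cert(subject, issuer, public_key, not_before, not_after, pow(unsigned.tbs_digest_int(n), d, n))


def verify_signature(cert: Cert, issuer_key: Key) -> bool:
    n, e = issuer_key
    return pow(cert.signature, e, n) == cert.tbs_digest_int(n)


def build_chain(leaf: Cert, candidates: List[Cert]) -> List[Cert]:
    """Follow issuer names from the leaf until a self-signed certificate is reached."""
    by_subject = {c.subject: c for c in candidates}  # later entries win
    chain = [leaf]
    while chain[-1].subject != chain[-1].issuer:
        nxt = by_subject.get(chain[-1].issuer)
        if nxt is None or nxt in chain:  # missing issuer, or a loop
            break
        chain.append(nxt)
    return chain


def validate(leaf, supplied, store, trusted_for, app, today) -> Tuple[bool, str]:
    """Chain construction, per-link checks, then the per-application trust decision."""
    # Store copies are listed last so a supplied look-alike cannot shadow a stored root.
    chain = build_chain(leaf, supplied + list(store.values()))
    root = chain[-1]
    if root.subject != root.issuer:
        return False, f"no issuer found for '{root.subject}'"
    for i, cert in enumerate(chain):
        if not cert.not_before <= today <= cert.not_after:
            return False, f"'{cert.subject}' is outside its validity period"
        signer = chain[i + 1].public_key if i + 1 < len(chain) else cert.public_key
        if not verify_signature(cert, signer):
            return False, f"bad signature on '{cert.subject}'"
    if store.get(root.subject) != root:
        return False, f"root '{root.subject}' is not in the certificate store"
    if app not in trusted_for.get(root.subject, set()):
        return False, f"root '{root.subject}' is not trusted for '{app}'"
    return True, "ok"


# Constructed scenario: a genuine chain for the bank, and a rogue CA imitating it.
ROOT_PUB, ROOT_PRIV = make_rsa(1_000_000)
INTER_PUB, INTER_PRIV = make_rsa(3_000_000)
ROGUE_PUB, ROGUE_PRIV = make_rsa(5_000_000)
LEAF_PUB = make_rsa(7_000_000)[0]
ROOT = issue("Example Root CA", ROOT_PUB, 0, 3650, "Example Root CA", ROOT_PRIV)
INTER = issue("Example Issuing CA", INTER_PUB, 100, 1900, "Example Root CA", ROOT_PRIV)
BANK = issue("bank.example", LEAF_PUB, 400, 800, "Example Issuing CA", INTER_PRIV)
ROGUE_ROOT = issue("Rogue CA", ROGUE_PUB, 0, 3650, "Rogue CA", ROGUE_PRIV)
FAKE_BANK = issue("bank.example", LEAF_PUB, 400, 800, "Rogue CA", ROGUE_PRIV)
STORE: Dict[str, Cert] = {ROOT.subject: ROOT}                  # the device's certificate store
TRUSTED_FOR: Dict[str, Set[str]] = {ROOT.subject: {"tls_client"}}  # trust status per application


def demo() -> Dict[str, Tuple[bool, str]]:
    """Four decisions: valid, wrong application, expired leaf, rogue root."""
    return {
        "bank/tls_client": validate(BANK, [INTER], STORE, TRUSTED_FOR, "tls_client", 500),
        "bank/sw_install": validate(BANK, [INTER], STORE, TRUSTED_FOR, "sw_install", 500),
        "bank/expired": validate(BANK, [INTER], STORE, TRUSTED_FOR, "tls_client", 900),
        "fake/tls_client": validate(FAKE_BANK, [ROGUE_ROOT], STORE, TRUSTED_FOR, "tls_client", 500),
    }
```

<p>Two design points carry over to the real component. The stored root is looked up by value, not only by name, and store entries take precedence over certificates supplied by the peer, so a self-signed certificate that merely copies a root's subject name does not pass. And trust is a property of the (root, application) pair: the same bank chain is accepted for <codeph>tls_client</codeph> and rejected for <codeph>sw_install</codeph>, which is exactly the application-by-application trust status the Purpose section lists. </p></section>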
|
<section><title>APIs</title> <p>The following table lists the key APIs of
the Certificate and Key Management component. The table lists APIs that perform
the following tasks: </p> <ul>
<li id="GUID-F6DF549D-F1B7-5662-AC36-50453FB56E02"><p>Provide implementation
for certificate and key stores, and for manipulating various types of certificates. </p> </li>
<li id="GUID-47864D9B-97A7-596F-9638-978E236212DE"><p>Perform different types
of ASN.1 (Abstract Syntax Notation One) encoding. </p> </li>
</ul> <table id="GUID-C78DF93D-7684-52FB-BA00-3A060789E26B">
<tgroup cols="2"><colspec colname="col0"/><colspec colname="col1"/>
<thead>
<row>
<entry>API</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><p> <b>Unified Store APIs</b> </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-AD63C29A-17C3-375C-840F-42A92422300D.dita"><apiname>CUnifiedCertStore</apiname></xref> </p> </entry>
<entry><p>Provides a common implementation for all certificate stores in the
device. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-818689D6-EB99-382E-A435-D9C6C5D464DE.dita"><apiname>CUnifiedKeyStore</apiname></xref> </p> </entry>
<entry><p>Provides a common implementation for all key stores in the device. </p> </entry>
</row>
<row>
<entry><p> <b>Certificate APIs</b> </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-4C645733-8F0C-3AC8-A19E-0AB005F4CE7F.dita"><apiname>CX500DistinguishedName</apiname></xref> </p> </entry>
<entry><p>Provides implementation for parsing and matching <xref href="GUID-C93D021E-D99A-5839-AB54-3D8D7620214A.dita">X.500</xref> distinguished
names. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-21954042-44FA-3376-A4C1-D7DE560144C8.dita"><apiname>CX520AttributeTypeAndValue</apiname></xref> </p> </entry>
<entry><p>Provides implementation for parsing and matching attribute types
and values, as defined by the X.520 standard. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-1309FCDC-229B-36C7-85A9-4540ABC869F9.dita"><apiname>CX509GeneralName</apiname></xref> </p> </entry>
<entry><p>Represents an X.509 <codeph>GeneralName</codeph>, the name form used in certificate
extensions such as Subject Alternative Name and Issuer Alternative Name. </p> </entry>
</row>
|
<row>
<entry><p> <xref href="GUID-A919BE84-8257-3911-9AD1-B1DB736346CE.dita"><apiname>CX509CertChain</apiname></xref> </p> </entry>
<entry><p>Provides implementation for X.509 certificate chain validation. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-A9B59AEF-C278-3E20-A57B-15293F833A71.dita"><apiname>CX509RSAPublicKey</apiname></xref> </p> </entry>
<entry><p>Provides APIs for encoding and decoding of RSA public keys. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-9AD19EB1-44D4-339A-A30A-2B43817DB2CB.dita"><apiname>CX509ExtensionBase</apiname></xref> </p> </entry>
<entry><p>Base class of the classes that decode the values of the various X.509 certificate extensions. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-3E94241B-3B37-3C64-8CFF-7795063160AF.dita"><apiname>CWTLSCertificate</apiname></xref> </p> </entry>
<entry><p>Provides implementation for construction and manipulation of <xref href="GUID-A636C1B3-8AB2-52D7-BB19-4CC93F4BDD97.dita">WTLS</xref> (Wireless Transport
Layer Security) certificates. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-04C4024C-2987-37F9-8D85-ACCB3D4C1293.dita"><apiname>CWTLSName</apiname></xref> </p> </entry>
<entry><p>Provides implementation for manipulation of WTLS names. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-A8600958-D424-366C-A56D-68A77949EA28.dita"><apiname>CWTLSRSAPublicKey</apiname></xref> </p> </entry>
<entry><p>Provides implementation for manipulation of RSA public keys associated
with WTLS certificates. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-56E949D5-EA4F-361C-8523-2965A336B009.dita"><apiname>CWTLSCertChain</apiname></xref> </p> </entry>
<entry><p>Provides implementation for validation of WTLS certificate chains. </p> </entry>
</row>
<row>
<entry><p> <b>ASN.1 Encoding APIs</b> </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-1EBCC3C4-3E57-3424-BB41-E74E8120197E.dita"><apiname>CASN1EncBigInt</apiname></xref> </p> </entry>
<entry><p>Encodes big integer objects (for example, RSA moduli) as ASN.1 INTEGER values. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-6B9883C8-9382-3941-A949-3D8E2B7C7EA5.dita"><apiname>CASN1EncBitString</apiname></xref> </p> </entry>
<entry><p>Encodes bit strings (for example, keys). </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-DE64C76D-D70B-36DC-826C-1662CFBD26D4.dita"><apiname>CASN1EncBoolean</apiname></xref> </p> </entry>
<entry><p>Encodes Boolean values. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-1E9BA30C-729E-3C49-8DB4-5D693EF2C84E.dita"><apiname>CASN1EncEncoding</apiname></xref> </p> </entry>
<entry><p>Encapsulates already encoded information so that it can be nested in other encodings. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-964E6C04-4AE0-3085-AF0A-6580264AEF36.dita"><apiname>CASN1EncExplicitTag</apiname></xref> </p> </entry>
<entry><p>Wraps other encoding objects and provides them with an explicit
tag. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-523EA13D-42F1-31DE-95F2-91AC56C58B62.dita"><apiname>CASN1EncGeneralizedTime</apiname></xref> </p> </entry>
<entry><p>Encodes times as ASN.1 GeneralizedTime values. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-B4839A2D-E3C1-3405-8776-38A3F5D47FD3.dita"><apiname>CASN1EncInt</apiname></xref> </p> </entry>
<entry><p>Encodes <codeph>TInt</codeph> objects. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-1ED494A4-503F-3651-946E-E99771348EF6.dita"><apiname>CASN1EncNull</apiname></xref> </p> </entry>
<entry><p>Encodes NULL values. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-45B0317A-CBB5-369E-877B-C166F9BAE3DF.dita"><apiname>CASN1EncObjectIdentifier</apiname></xref> </p> </entry>
<entry><p>Encodes object identifiers. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-4170E6D8-A1A5-3E84-B12D-D737CEC0A698.dita"><apiname>CASN1EncOctetString</apiname></xref> </p> </entry>
<entry><p>Encodes octet strings. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-1B53FA4B-3D36-38AF-97CE-6BA64E9520F3.dita"><apiname>CASN1EncPrimitive</apiname></xref> </p> </entry>
<entry><p>All ASN.1 primitive type encoding classes derive from this class. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-22AC4FE1-1EB4-341C-9CF8-F153F0346858.dita"><apiname>CASN1EncPrintableString</apiname></xref> </p> </entry>
<entry><p>Encodes printable strings. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-A0846E03-BC80-3549-B59D-A0F2230E9AC9.dita"><apiname>CASN1EncSequence</apiname></xref> </p> </entry>
<entry><p>Encodes the <xref href="http://www.asn1.org/books/Explain.html" scope="external">SEQUENCE</xref> and <xref href="http://www.asn1.org/books/Explain.html" scope="external">SEQUENCE-OF</xref> data types. </p> </entry>
</row>
<row>
<entry><p> <xref href="GUID-98D3BDD5-8136-3C66-8381-73E0A8EE910E.dita"><apiname>CASN1EncSet</apiname></xref> </p> </entry>
<entry><p>Encodes the <xref href="http://www.asn1.org/books/Explain.html" scope="external">SET</xref> and <xref href="http://www.asn1.org/books/Explain.html" scope="external">SET-OF</xref> data types. </p> </entry>
</row>
</tbody>
</tgroup>
</table> </section>
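<section><title>Worked example: DER encoding of the ASN.1 types in the API table</title> <p>The following is an added example, written for this page in Python rather than Symbian C++, and is not the implementation behind the <apiname>CASN1Enc*</apiname> classes. It encodes each ASN.1 type the table lists (INTEGER, BOOLEAN, NULL, OBJECT IDENTIFIER, OCTET STRING, BIT STRING, PrintableString, GeneralizedTime, SEQUENCE, SET OF and an explicit context tag) using the DER rules that X.509 requires, assembles an X.509 <codeph>AlgorithmIdentifier</codeph> for rsaEncryption from them, and includes a strict TLV splitter. The splitter is the check a practitioner wants on the decoding side: the indefinite and non-minimal length forms are legal BER but not DER, and a certificate parser that accepts them lets one signed structure have several byte-level encodings. The function names, the OID constant and the sample values are this example's own. </p>

```python
"""Added example, not Symbian code: a small DER encoder for the ASN.1 types listed
in the API table (INTEGER, BOOLEAN, NULL, OBJECT IDENTIFIER, OCTET STRING, BIT STRING,
PrintableString, GeneralizedTime, SEQUENCE, SET OF, explicit tags), plus a strict TLV
splitter. Function names are this example's own; sample values are constructed."""
from datetime import datetime, timezone
from typing import Iterable, Tuple


def _length(n: int) -> bytes:
    """DER length: short form below 128, otherwise the minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content


def enc_boolean(value: bool) -> bytes:
    return tlv(0x01, b"\xff" if value else b"\x00")  # DER: TRUE is exactly 0xFF


def enc_integer(value: int) -> bytes:
    """Two's complement in the fewest octets (a 0x00/0xFF lead octet only when the sign needs it)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    while len(body) > 1 and ((body[0] == 0x00 and body[1] < 0x80) or
                             (body[0] == 0xFF and body[1] >= 0x80)):
        body = body[1:]
    return tlv(0x02, body)


def enc_null() -> bytes:
    return tlv(0x05, b"")


def enc_oid(dotted: str) -> bytes:
    """Base-128 arcs, high bit set on all but the last octet; the first two arcs share one value."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        octets = [v & 0x7F]
        while v > 0x7F:
            v >>= 7
            octets.append(0x80 | (v & 0x7F))
        out += bytes(reversed(octets))
    return tlv(0x06, bytes(out))


def enc_octet_string(data: bytes) -> bytes:
    return tlv(0x04, data)


def enc_bit_string(data: bytes, unused_bits: int = 0) -> bytes:
    """Leading content octet = number of unused trailing bits (0 for whole-octet data such as keys)."""
    return tlv(0x03, bytes([unused_bits]) + data)


def enc_printable_string(text: str) -> bytes:
    if not set(text) <= set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"):
        raise ValueError("not a PrintableString")
    return tlv(0x13, text.encode("ascii"))


def enc_generalized_time(t: datetime) -> bytes:
    """DER form: YYYYMMDDHHMMSSZ in UTC, no fractional seconds; requires an aware datetime."""
    if t.tzinfo is None:
        raise ValueError("GeneralizedTime needs a timezone-aware datetime")
    return tlv(0x18, t.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode("ascii"))


def enc_sequence(items: Iterable[bytes]) -> bytes:
    return tlv(0x30, b"".join(items))


def enc_set_of(items: Iterable[bytes]) -> bytes:
    """DER SET OF orders elements by their encodings, so equal sets encode identically."""
    return tlv(0x31, b"".join(sorted(items)))


def enc_explicit(tag_number: int, inner: bytes) -> bytes:
    """Context-specific constructed wrapper [tag_number] around an already encoded value."""
    return tlv(0xA0 | tag_number, inner)


def split_tlv(data: bytes) -> Tuple[int, bytes, bytes]:
    """Split one TLV off the front, returning (tag, content, rest). Rejects the BER-only
    length forms (indefinite, non-minimal), which a DER parser must not accept."""
    if len(data) < 2:
        raise ValueError("truncated TLV")
    tag, first, pos = data[0], data[1], 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        count = first & 0x7F
        length, pos = int.from_bytes(data[2:2 + count], "big"), 2 + count
        if len(data) < pos or data[2] == 0 or length < 0x80:
            raise ValueError("non-minimal or truncated length")
    if pos + length > len(data):
        raise ValueError("truncated content")
    return tag, data[pos:pos + length], data[pos + length:]


RSA_ENCRYPTION = "1.2.840.113549.1.1.1"  # rsaEncryption OID (PKCS #1)


def algorithm_identifier(oid: str, parameters: bytes = None) -> bytes:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL };
    rsaEncryption carries an explicit NULL as its parameters (RFC 3279)."""
    return enc_sequence([enc_oid(oid), enc_null() if parameters is None else parameters])
```

<p>Running <codeph>algorithm_identifier(RSA_ENCRYPTION)</codeph> yields the familiar 15-byte prefix of an RSA <codeph>SubjectPublicKeyInfo</codeph> (<codeph>30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00</codeph>). The same primitives compose into the rest of a certificate: the version is <codeph>enc_explicit(0, enc_integer(2))</codeph> for v3, a public key is a BIT STRING wrapping an inner SEQUENCE of two INTEGERs, and the canonical ordering in <codeph>enc_set_of</codeph> is what makes a DER-encoded relative distinguished name compare byte for byte. </p></section>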
|
<section><title>Typical uses</title> <p>The Certificate and Key Management
component performs the following tasks: </p> <ul>
<li id="GUID-1C7ED95B-442D-5D05-8E20-95B0F3E17438"><p>Validating certificates
in PKIX </p> </li>
<li id="GUID-8D85F504-F3AB-545E-8FF1-3F6FCEC0D5E8"><p>Adding certificates </p> </li>
<li id="GUID-AC9BF0B0-1A1B-5995-A443-F4E21123CE56"><p>Finding certificates </p> </li>
<li id="GUID-24C041AA-A7BF-5887-B993-E1EA5BA35B66"><p>Managing applicability
and trust settings </p> </li>
<li id="GUID-1FC9F3D9-69C5-56E1-99F6-31B36644B42D"><p>Removing certificates </p> </li>
<li id="GUID-2923D772-0455-5B9A-BD9E-0CC20678A729"><p>Retrieving certificates </p> </li>
<li id="GUID-B1BEDD53-5309-529F-B29A-C42D62ABCC3E"><p>Creating keys </p> </li>
<li id="GUID-46E25298-08E8-560B-9084-5BD38154FA32"><p>Importing keys </p> </li>
<li id="GUID-6FFE5197-8FA0-5760-A068-544CBAB21798"><p>Exporting keys </p> </li>
<li id="GUID-6B1E12DA-6B0C-58F5-8A31-3BF5D2A9D464"><p>Retrieving keys </p> </li>
<li id="GUID-F13A93BD-B5F5-5FD8-A035-817EFD6A2CF6"><p>Deleting keys </p> </li>
<li id="GUID-3BC3D476-6DE9-5DF2-AC9E-7952C87C38DE"><p>Signing with keys </p> </li>
<li id="GUID-B9D742CE-C2DE-5930-B3E6-4837B7AC1579"><p>Retrieving key stores </p> </li>
<li id="GUID-0B2B267D-F907-5E0D-BE31-DDB4D06F51D8"><p>Setting and retrieving
authentication policies </p> </li>
<li id="GUID-ED651B05-554A-5B02-BDAF-B61282F7DB4D"><p>Setting use and management
policies </p> </li>
</ul> <p>See the <xref href="GUID-B946BDF0-C5D8-57E2-9D05-7BE134AD032E.dita">Unified
Certificate Store Tutorial</xref> and the <xref href="GUID-6C6AED40-D5B3-5613-8F92-FD2CB711AE54.dita">Unified
Keystore Tutorials</xref> for details of these tasks. </p> </section>
</conbody><related-links>
<link href="GUID-6F73ED8C-E259-5717-AB84-0C2933A866DA.dita"><linktext>OS Security
Concepts</linktext></link>
</related-links></concept>