Certificate -and Key Management Overview

The Certificate and Key Management component provides authentication -services for Public -Key Cryptography.

Purpose

The main purpose of the Certificate and -Key Management component is to provide validation services according to the -Public Key Infrastructure (PKI) for X.509 Certificates.

The -Certificate and Key Management component provides interfaces for the following:

Storage and retrieval -of certificates
Assignment of trust -status to a certificate on an application-by-application basis
Certificate chain construction -and validation
Verification of trust -of a certificate
Generation of asymmetric -key pairs
Protected storage of -keys
Key import and export
Authenticated execution -of private key operations

Required background

To understand Certificate and -Key Management in detail, you need to have a basic understanding of the following:

Public -Key Cryptography
Certificates
Digital -Signatures

Key concepts and terms

Certificate: A certificate is an electronic document that binds an identity to a -particular public or private key pair. It is commonly used to authenticate -cryptographic public keys.

Certificates are issued by a Certification -Authority (CA). They usually include information such as a label, serial number, -validity period, certificate format (for example, X.509) and algorithm type -(for example, MD2RSA).
Key: A cryptography key is a constant value applied using a cryptographic -algorithm to encrypt text or to decrypt encrypted text.

Keys are classified -as symmetric and asymmetric based on the type of algorithm applied. If the -same key is used for both encryption and decryption, it is symmetric. If different -keys are used for encryption and decryption, they are asymmetric. Asymmetric -keys exist in the form of a public and private key pair, where the public -key is used for encryption and the private key is used for decryption.
Certificate Store: A certificate store is a database or a file that stores and manipulates -certificates.

The certificate store provides the following functionality:

-
Generation, storage -and retrieval certificates

-
Assignment of trust -status to certificates

-
Retrieval of list of -applications trusting a certificate

-
Key Store: A key store is a repository of keys that can be retrieved and used -to accomplish a variety of tasks.

The key store provides the following -functionality:

-
Generation, import and -export of RSA, DSA, and DH key pairs

-
Listing of stored keys

-
Authentication of users

-
Private key operations -for authenticated users

-
Token: A token is a physical instantiation of an object, such as a certificate -or a key, stored in a phone. Each token belongs to a group of tokens called -a token type. For example, an X.509 certificate is a token which belongs to -the X.509 token type.

Architecture

The following diagram shows the basic -architecture of the Certificate and Key Management component. The blocks in -blue are internal to the component.

- -

The various blocks in the basic architecture diagram of the Certificate -and Key Management component are explained as follows:

Client Application: -This is a typical application that accesses the certificates or the keys of -the device through Certificate and Key Management component.

For example, -a web browser that wishes to load a bank's web page to perform a money-transfer -operation (in a secured mode using an https connection) first -checks the device's certificate store for a certificate that trusts the bank's -server and then loads the particular page.
Unified Stores: -The Unified Stores APIs -form the primary access point for client applications to use certificates -or keys stored in the device. The Unified -Certificate Store provides a unified view of all the certificates in -the device while the Unified -Key Store provides a similar view of all the keys in the device.
Generic Certificate -and Key Stores: These are the various certificate and key stores in the -device.
File-Based Store -Implementation: The certificate and key stores use Symbian's file-based -store implementation. Based on the operations to be performed on the -keys and certificates, the file-based implementation updates the physical -certificate and key store files.

APIs

The following table lists the key APIs of -the Certificate and Key Management component. The table lists APIs that perform -the following tasks:

Provide implementation -for certificate and key stores, and for manipulating various types of certificates.
Perform different types -of ASN.1 (Abstract Syntax Notation One) encoding.

- - - -API -Description - - - - -

Unified Store APIs

- - -

CUnifiedCertStore

Provides a common implementation for all certificate stores in the -device.

- - -

CUnifiedKeyStore

Provides a common implementation for all key stores in the device.

- - -

Certificate APIs

- - -

CX500DistinguishedName

Provides implementation for parsing and matching the X.500 distinguished -names.

- - -

CX520AttributeTypeAndValue

Provides implementation for parsing and matching attribute types -and values, as defined by the X.520 standard.

- - -

CX509GeneralName

Provides implementation for manipulation of X.509 certificates.

- - -

CX509CertChain

Provides implementation for X.509 certificate chain validation.

- - -

CX509RSAPublicKey

Provides APIs for encoding and decoding of RSA public keys.

- - -

CX509ExtensionBase

Provides APIs for manipulating various X.509 certificate extensions.

- - -

CWTLSCertificate

Provides implementation for construction and manipulation of WTLS (Wireless Transport -Layer Security) certificates.

- - -

CWTLSName

Provides implementation for manipulation of WTLS names.

- - -

CWTLSRSAPublicKey

Provides implementation for manipulation of RSA public keys associated -with WTLS certificates.

- - -

CWTLSCertChain

Provides implementation for validation of WTLS certificate chains.

- - -

ASN.1 Encoding APIs

- - -

CASN1EncBigInt

Encodes Big Integer objects.

- - -

CASN1EncBitString

Encodes bit strings (for example, keys).

- - -

CASN1EncBoolean

Encodes Boolean values.

- - -

CASN1EncEncoding

Encapsulates already encoded information.

- - -

CASN1EncExplicitTag

Wraps other encoding objects and provides them with an explicit -tag.

- - -

CASN1EncGeneralizedTime

Encodes time-related objects.

- - -

CASN1EncInt

Encodes TInt objects.

- - -

CASN1EncNull

Encodes NULL values.

- - -

CASN1EncObjectIdentifier

Encodes object identifiers.

- - -

CASN1EncOctetString

Encodes octet strings.

- - -

CASN1EncPrimitive

All ASN.1 primitive type encoding classes derive from this class.

- - -

CASN1EncPrintableString

Encodes printable strings.

- - -

CASN1EncSequence

Encodes the SEQUENCE and SEQUENCE-OF data types.

- - -

CASN1EncSet

Encodes the SET and SET-OF data types.

- - - -

Typical uses

The Certificate and Key Management -component performs the following tasks:

Validating certificates -in PKIX
Adding certificates
Finding certificates
Managing applicability -and trust settings
Removing certificates
Retrieving certificates
Creating keys
Importing keys
Exporting keys
Retrieving keys
Deleting keys
Signing keys
Retrieving key stores
Setting and retrieving -authentication policies
Setting use and management -policies

See Unified -Certificate Store Tutorial and Unified -Keystore Tutorials for details of these tasks.

-OS Security -Concepts + + + + + +Certificate +and Key Management Overview

The Certificate and Key Management component provides authentication +services for Public +Key Cryptography.

Purpose

The main purpose of the Certificate and +Key Management component is to provide validation services according to the +Public Key Infrastructure (PKI) for X.509 Certificates.

The +Certificate and Key Management component provides interfaces for the following:

Storage and retrieval +of certificates
Assignment of trust +status to a certificate on an application-by-application basis
Certificate chain construction +and validation
Verification of trust +of a certificate
Generation of asymmetric +key pairs
Protected storage of +keys
Key import and export
Authenticated execution +of private key operations

Required background

To understand Certificate and +Key Management in detail, you need to have a basic understanding of the following:

Public +Key Cryptography
Certificates
Digital +Signatures

Key concepts and terms

Certificate: A certificate is an electronic document that binds an identity to a +particular public or private key pair. It is commonly used to authenticate +cryptographic public keys.

Certificates are issued by a Certification +Authority (CA). They usually include information such as a label, serial number, +validity period, certificate format (for example, X.509) and algorithm type +(for example, MD2RSA).
Key: A cryptography key is a constant value applied using a cryptographic +algorithm to encrypt text or to decrypt encrypted text.

Keys are classified +as symmetric and asymmetric based on the type of algorithm applied. If the +same key is used for both encryption and decryption, it is symmetric. If different +keys are used for encryption and decryption, they are asymmetric. Asymmetric +keys exist in the form of a public and private key pair, where the public +key is used for encryption and the private key is used for decryption.
Certificate Store: A certificate store is a database or a file that stores and manipulates +certificates.

The certificate store provides the following functionality:

+
Generation, storage +and retrieval certificates

+
Assignment of trust +status to certificates

+
Retrieval of list of +applications trusting a certificate

+
Key Store: A key store is a repository of keys that can be retrieved and used +to accomplish a variety of tasks.

The key store provides the following +functionality:

+
Generation, import and +export of RSA, DSA, and DH key pairs

+
Listing of stored keys

+
Authentication of users

+
Private key operations +for authenticated users

+
Token: A token is a physical instantiation of an object, such as a certificate +or a key, stored in a phone. Each token belongs to a group of tokens called +a token type. For example, an X.509 certificate is a token which belongs to +the X.509 token type.

Architecture

The following diagram shows the basic +architecture of the Certificate and Key Management component. The blocks in +blue are internal to the component.

+ +

The various blocks in the basic architecture diagram of the Certificate +and Key Management component are explained as follows:

Client Application: +This is a typical application that accesses the certificates or the keys of +the device through Certificate and Key Management component.

For example, +a web browser that wishes to load a bank's web page to perform a money-transfer +operation (in a secured mode using an https connection) first +checks the device's certificate store for a certificate that trusts the bank's +server and then loads the particular page.
Unified Stores: +The Unified Stores APIs +form the primary access point for client applications to use certificates +or keys stored in the device. The Unified +Certificate Store provides a unified view of all the certificates in +the device while the Unified +Key Store provides a similar view of all the keys in the device.
Generic Certificate +and Key Stores: These are the various certificate and key stores in the +device.
File-Based Store +Implementation: The certificate and key stores use Symbian's file-based +store implementation. Based on the operations to be performed on the +keys and certificates, the file-based implementation updates the physical +certificate and key store files.

APIs

The following table lists the key APIs of +the Certificate and Key Management component. The table lists APIs that perform +the following tasks:

Provide implementation +for certificate and key stores, and for manipulating various types of certificates.
Perform different types +of ASN.1 (Abstract Syntax Notation One) encoding.

+ + + +API +Description + + + + +

Unified Store APIs

+ + +

CUnifiedCertStore

Provides a common implementation for all certificate stores in the +device.

+ + +

CUnifiedKeyStore

Provides a common implementation for all key stores in the device.

+ + +

Certificate APIs

+ + +

CX500DistinguishedName

Provides implementation for parsing and matching the X.500 distinguished +names.

+ + +

CX520AttributeTypeAndValue

Provides implementation for parsing and matching attribute types +and values, as defined by the X.520 standard.

+ + +

CX509GeneralName

Provides implementation for manipulation of X.509 certificates.

+ + +

CX509CertChain

Provides implementation for X.509 certificate chain validation.

+ + +

CX509RSAPublicKey

Provides APIs for encoding and decoding of RSA public keys.

+ + +

CX509ExtensionBase

Provides APIs for manipulating various X.509 certificate extensions.

+ + +

CWTLSCertificate

Provides implementation for construction and manipulation of WTLS (Wireless Transport +Layer Security) certificates.

+ + +

CWTLSName

Provides implementation for manipulation of WTLS names.

+ + +

CWTLSRSAPublicKey

Provides implementation for manipulation of RSA public keys associated +with WTLS certificates.

+ + +

CWTLSCertChain

Provides implementation for validation of WTLS certificate chains.

+ + +

ASN.1 Encoding APIs

+ + +

CASN1EncBigInt

Encodes Big Integer objects.

+ + +

CASN1EncBitString

Encodes bit strings (for example, keys).

+ + +

CASN1EncBoolean

Encodes Boolean values.

+ + +

CASN1EncEncoding

Encapsulates already encoded information.

+ + +

CASN1EncExplicitTag

Wraps other encoding objects and provides them with an explicit +tag.

+ + +

CASN1EncGeneralizedTime

Encodes time-related objects.

+ + +

CASN1EncInt

Encodes TInt objects.

+ + +

CASN1EncNull

Encodes NULL values.

+ + +

CASN1EncObjectIdentifier

Encodes object identifiers.

+ + +

CASN1EncOctetString

Encodes octet strings.

+ + +

CASN1EncPrimitive

All ASN.1 primitive type encoding classes derive from this class.

+ + +

CASN1EncPrintableString

Encodes printable strings.

+ + +

CASN1EncSequence

Encodes the SEQUENCE and SEQUENCE-OF data types.

+ + +

CASN1EncSet

Encodes the SET and SET-OF data types.

+ + + +

Typical uses

The Certificate and Key Management +component performs the following tasks:

Validating certificates +in PKIX
Adding certificates
Finding certificates
Managing applicability +and trust settings
Removing certificates
Retrieving certificates
Creating keys
Importing keys
Exporting keys
Retrieving keys
Deleting keys
Signing keys
Retrieving key stores
Setting and retrieving +authentication policies
Setting use and management +policies

See Unified +Certificate Store Tutorial and Unified +Keystore Tutorials for details of these tasks.

+OS Security +Concepts

\ No newline at end of file