System information

A problem where the kinit tool did not do any error checking on the format of the renew parameter has been
corrected. (r. 2816142).
Security Framework
The Security framework exports security APIs for use with Mac OS X.
Added a function to the TP module to enable developers and sysadmins to generate Cert Signing Requests. (r.
2909233).
CSP, TP, CL modules are now thread safe. (r. 2897036).
Added SSLSetCertificate() for server side SSL support. (r. 2886598).
Added expanded per-cert error reporting to TP Policy verification. The evidence chain returned by
CSSM_TP_CertGroupVerify now reports policy-specific error codes. (r. 2878647).
The Keychain database schema was updated to facilitate storage of certificates per the CDSA spec. (r. 2858506).
Added SecureTransport APIs. (r. 2855500).
Fixed a problem where KCAddGenericPassword would return a CDSA error code when a write to the keychain file
failed because of insufficient permissions. Now the OSErr wrPermErr is returned instead. (r. 2775734).
Keychains now support storing public as well as protected items. This is part of allowing certificates to be stored
in keychains. (r. 2304871).
Additional X509 root certificates have been included. (r. 2973839).
The trusted anchor certificates are now stored in a (root write-protected) keychain file. This makes the set of
anchor certs easier to update by system administrators and via Software Update. (r. 2950315).
New tool /usr/bin/certtool added to: (a) Create a key pair and a self-signed root cert, and add them to a keychain.
Used for early debugging of server-side code. (b) Create a key pair and an associated Cert Signing Request (CSR). A
CSR is the means by which one requests a cert authority (CA) such as Verisign to provide a "real" cert which is signed
by a recognized CA. (c) Import a cert obtained from the CA to whom one sent the CSR generated in step (b), add it to a
keychain, and bind the cert with the key pair generated in step (b). This is the "real world" procedure for obtaining
an SSL cert for a server which uses SecureTransport. (r. 2911384).
CSSMOID_SHA1 has been added to oidsalg.h. This is a common industry-standard value but not required by the CDSA
spec. (r. 2901582).
Brought the names of the fields in the cssm_context structure in cssmtype.h up to date with the CDSA 2.0 spec.
This does not affect binary compatibility. (r. 2900877).
Added the constant CSSMERR_DL_INVALID_DL_HANDLE which was missing from cssmerr.h. (r. 2900467).
Added the constant CSSMERR_CSSM_FUNCTION_NOT_IMPLEMENTED which was missing from cssmerr.h. (r.
2900465).
gGuidCssm was declared external in Security/cssmapple.h, but was not actually exported. This symbol is now
exported correctly. (r. 2892955).
Fixed a memory leak when calling KCFindInternetPassword. (r. 2843883).
Added support for smart cards that comply with the JavaCard 2.1 standard. (r. 2824101).
New Security APIs added to simplify use of the underlying Common Data Security Architecture (CDSA). (r.
2887937).
New APIs were added to Security.framework for working with X.509 certificates. (r. 2887929) (r. 2892437).
Added certificate support APIs to Security.framework. (r. 2846641) (r. 2866950).
The list of trusted root certificates is now user modifiable, so that additional roots can be added, or existing roots
marked as not trusted. (r. 2824109).
Checking compliance with the CDSA 2.1 specification by running through the CDSA conformance test suite
developed by UniSoft. (r. 2824077).
Fixed memory leaks when calling KCFindGenericPassword and KCFindAppleSharePassword. (r. 2953620).
Data types in the layered services of Security.framework (such as KCRef) are now true Core Foundation objects.
(r. 2904268).