Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Apple Open-sources Three Cryptographic Libraries

Apple Open-sources Three Cryptographic Libraries

This item in japanese

Apple has announced they have open sourced three major components in their OSes’ security subsystem. Apple’s announcement has spun some controversy due to the restrictive nature of the license used for one of the libraries.

The three open-sourced components are:

  • corecrypto: the fundamental building block of other cryptographic libraries. It provides low level cryptographic primitives that, according to Apple, “should not be used by iOS or OS X apps” directly. corecrypto has been made available to allow developers or other interested parties to verify it implementation and security characteristics. As it will be discussed later, corecrypto is subject to more restrictive licensing terms than the other two libraries.
  • Common Crypto: a library that provides support for common cruyptographic operations such as symmetric encryption, hash-based message authentication, and digests. This library provides iOS and OS X Cryptograhic Services.
  • Security Framework, a framework that provides APIs to manage certificates, key pairs, and trust policies. This framework includes important OS X and iOS services such as Keychain and transport level network security.

An important details in Apple’s announcement is that the lowest-level component, corecrypto is not being actually open-sourced at all, as many remarked publicly. It would seem more correct to think of this in terms of “source disclosure”, since Apple subject downloading corecrypto to an “internal use license agreement” that only grants the right to download and inspect the source code for a period of 90 days from the download while explicitly forbidding redistribution. According to a reddit commenter, the 90 days limit could help grant revocability: in case Apple ever decide to stop offering the download option for `corecrypto`, it would ensue that at most 90 days after their source would go globally unlicensed.

Another reason of concern that has been vented is the impossibility of actually knowing whether the cryptographic libraries and frameworks that are included in actually shipping versions of iOS and OS X have been effectively built from the source code that Apple provides.

Still, Apple hope that the availability of their cryptographic libraries will allow third-party developers to build more advanced security features in their apps.

Rate this Article