]> git.saurik.com Git - apple/security.git/blame - keychain/SecItemPriv.h
projects / apple / security.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Security-58286.60.28.tar.gz
[apple/security.git] / keychain / SecItemPriv.h
CommitLineData
b1ab9ed8 1/*
d8f41ccd 2 * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved.
427c49bc 3 *
b1ab9ed8 4 * @APPLE_LICENSE_HEADER_START@
6b200bc3 5 *
b1ab9ed8
A		 6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
6b200bc3 12 *
b1ab9ed8
A		 13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
6b200bc3 20 *
b1ab9ed8
A		 21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24/*!
25 @header SecItemPriv
26 SecItemPriv defines private constants and SPI functions for access to
27 Security items (certificates, identities, keys, and keychain items.)
28*/
29
30#ifndef _SECURITY_SECITEMPRIV_H_
31#define _SECURITY_SECITEMPRIV_H_
32
5c19dc3a 33#include <CoreFoundation/CFDictionary.h>
b1ab9ed8 34#include <CoreFoundation/CFData.h>
427c49bc 35#include <CoreFoundation/CFError.h>
5c19dc3a 36#include <TargetConditionals.h>
6b200bc3 37#include <Security/SecBase.h>
866f8763 38#include <xpc/xpc.h>
5c19dc3a
A		 39
40#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
41#include <Security/SecTask.h>
42#endif
b1ab9ed8 43
427c49bc 44__BEGIN_DECLS
b1ab9ed8
A		 45
46/*!
47 @enum Class Value Constants (Private)
48 @discussion Predefined item class constants used to get or set values in
49 a dictionary. The kSecClass constant is the key and its value is one
50 of the constants defined here.
51 @constant kSecClassAppleSharePassword Specifies AppleShare password items.
52*/
5c19dc3a 53extern const CFStringRef kSecClassAppleSharePassword;
b1ab9ed8
A		 54
55
56/*!
57 @enum Attribute Key Constants (Private)
58 @discussion Predefined item attribute keys used to get or set values in a
59 dictionary. Not all attributes apply to each item class. The table
60 below lists the currently defined attributes for each item class:
61
62 kSecClassGenericPassword item attributes:
63 kSecAttrAccessGroup
64 kSecAttrCreationDate
65 kSecAttrModificationDate
66 kSecAttrDescription
67 kSecAttrComment
68 kSecAttrCreator
69 kSecAttrType
70 kSecAttrScriptCode (private)
71 kSecAttrLabel
72 kSecAttrAlias (private)
73 kSecAttrIsInvisible
74 kSecAttrIsNegative
75 kSecAttrHasCustomIcon (private)
76 kSecAttrProtected (private)
77 kSecAttrAccount
78 kSecAttrService
79 kSecAttrGeneric
5c19dc3a
A		 80 kSecAttrSynchronizable
81 kSecAttrSyncViewHint
b1ab9ed8
A		 82
83 kSecClassInternetPassword item attributes:
84 kSecAttrAccessGroup
85 kSecAttrCreationDate
86 kSecAttrModificationDate
87 kSecAttrDescription
88 kSecAttrComment
89 kSecAttrCreator
90 kSecAttrType
91 kSecAttrScriptCode (private)
92 kSecAttrLabel
93 kSecAttrAlias (private)
94 kSecAttrIsInvisible
95 kSecAttrIsNegative
96 kSecAttrHasCustomIcon (private)
97 kSecAttrProtected (private)
98 kSecAttrAccount
99 kSecAttrSecurityDomain
100 kSecAttrServer
101 kSecAttrProtocol
102 kSecAttrAuthenticationType
103 kSecAttrPort
104 kSecAttrPath
5c19dc3a
A		 105 kSecAttrSynchronizable
106 kSecAttrSyncViewHint
b1ab9ed8
A		 107
108 kSecClassAppleSharePassword item attributes:
109 kSecAttrAccessGroup
110 kSecAttrCreationDate
111 kSecAttrModificationDate
112 kSecAttrDescription
113 kSecAttrComment
114 kSecAttrCreator
115 kSecAttrType
116 kSecAttrScriptCode (private)
117 kSecAttrLabel
118 kSecAttrAlias (private)
119 kSecAttrIsInvisible
120 kSecAttrIsNegative
121 kSecAttrHasCustomIcon (private)
122 kSecAttrProtected (private)
123 kSecAttrAccount
124 kSecAttrVolume
125 kSecAttrAddress
126 kSecAttrAFPServerSignature
5c19dc3a
A		 127 kSecAttrSynchronizable
128 kSecAttrSyncViewHint
b1ab9ed8
A		 129
130 kSecClassCertificate item attributes:
131 kSecAttrAccessGroup
132 kSecAttrCertificateType
133 kSecAttrCertificateEncoding
134 kSecAttrLabel
135 kSecAttrAlias (private)
136 kSecAttrSubject
137 kSecAttrIssuer
138 kSecAttrSerialNumber
139 kSecAttrSubjectKeyID
140 kSecAttrPublicKeyHash
5c19dc3a
A		 141 kSecAttrSynchronizable
142 kSecAttrSyncViewHint
b1ab9ed8
A		 143
144 kSecClassKey item attributes:
145 kSecAttrAccessGroup
146 kSecAttrKeyClass
147 kSecAttrLabel
148 kSecAttrAlias (private)
149 kSecAttrApplicationLabel
150 kSecAttrIsPermanent
151 kSecAttrIsPrivate (private)
152 kSecAttrIsModifiable (private)
153 kSecAttrApplicationTag
154 kSecAttrKeyCreator (private)
155 kSecAttrKeyType
156 kSecAttrKeySizeInBits
157 kSecAttrEffectiveKeySize
158 kSecAttrStartDate (private)
159 kSecAttrEndDate (private)
160 kSecAttrIsSensitive (private)
161 kSecAttrWasAlwaysSensitive (private)
162 kSecAttrIsExtractable (private)
163 kSecAttrWasNeverExtractable (private)
164 kSecAttrCanEncrypt
165 kSecAttrCanDecrypt
166 kSecAttrCanDerive
167 kSecAttrCanSign
168 kSecAttrCanVerify
169 kSecAttrCanSignRecover (private)
170 kSecAttrCanVerifyRecover (private)
171 kSecAttrCanWrap
172 kSecAttrCanUnwrap
5c19dc3a
A		 173 kSecAttrSynchronizable
174 kSecAttrSyncViewHint
b1ab9ed8
A		 175
176 kSecClassIdentity item attributes:
177 Since an identity is the combination of a private key and a
178 certificate, this class shares attributes of both kSecClassKey and
179 kSecClassCertificate.
180
181 @constant kSecAttrScriptCode Specifies a dictionary key whose value is the
182 item's script code attribute. You use this tag to set or get a value
183 of type CFNumberRef that represents a script code for this item's
184 strings. (Note: use of this attribute is deprecated; string attributes
185 should always be stored in UTF-8 encoding. This is currently private
186 for use by syncing; new code should not ever access this attribute.)
187 @constant kSecAttrAlias Specifies a dictionary key whose value is the
188 item's alias. You use this key to get or set a value of type CFDataRef
189 which represents an alias. For certificate items, the alias is either
190 a single email address, an array of email addresses, or the common
191 name of the certificate if it does not contain any email address.
192 (Items of class kSecClassCertificate have this attribute.)
193 @constant kSecAttrHasCustomIcon Specifies a dictionary key whose value is the
194 item's custom icon attribute. You use this tag to set or get a value
195 of type CFBooleanRef that indicates whether the item should have an
196 application-specific icon. (Note: use of this attribute is deprecated;
197 custom item icons are not supported in Mac OS X. This is currently
198 private for use by syncing; new code should not use this attribute.)
199 @constant kSecAttrVolume Specifies a dictionary key whose value is the
200 item's volume attribute. You use this key to set or get a CFStringRef
201 value that represents an AppleShare volume name. (Items of class
202 kSecClassAppleSharePassword have this attribute.)
203 @constant kSecAttrAddress Specifies a dictionary key whose value is the
204 item's address attribute. You use this key to set or get a CFStringRef
205 value that contains the AppleTalk zone name, or the IP or domain name
206 that represents the server address. (Items of class
207 kSecClassAppleSharePassword have this attribute.)
208 @constant kSecAttrAFPServerSignature Specifies a dictionary key whose value
209 is the item's AFP server signature attribute. You use this key to set
210 or get a CFDataRef value containing 16 bytes that represents the
211 server's signature block. (Items of class kSecClassAppleSharePassword
212 have this attribute.)
213 @constant kSecAttrCRLType (read-only) Specifies a dictionary key whose
214 value is the item's certificate revocation list type. You use this
215 key to get a value of type CFNumberRef that denotes the CRL type (see
216 the CSSM_CRL_TYPE enum in cssmtype.h). (Items of class
217 kSecClassCertificate have this attribute.)
218 @constant kSecAttrCRLEncoding (read-only) Specifies a dictionary key whose
219 value is the item's certificate revocation list encoding. You use
220 this key to get a value of type CFNumberRef that denotes the CRL
221 encoding (see the CSSM_CRL_ENCODING enum in cssmtype.h). (Items of
222 class kSecClassCertificate have this attribute.)
223 @constant kSecAttrKeyCreator Specifies a dictionary key whose value is a
224 CFDataRef containing a CSSM_GUID structure representing the module ID of
225 the CSP that owns this key.
226 @constant kSecAttrIsPrivate Specifies a dictionary key whose value is a
227 CFBooleanRef indicating whether the raw key material of the key in
228 question is private.
229 @constant kSecAttrIsModifiable Specifies a dictionary key whose value is a
230 CFBooleanRef indicating whether any of the attributes of this key are
231 modifiable.
232 @constant kSecAttrStartDate Specifies a dictionary key whose value is a
233 CFDateRef indicating the earliest date on which this key may be used.
234 If kSecAttrStartDate is not present, the restriction does not apply.
235 @constant kSecAttrEndDate Specifies a dictionary key whose value is a
236 CFDateRef indicating the last date on which this key may be used.
237 If kSecAttrEndDate is not present, the restriction does not apply.
238 @constant kSecAttrIsSensitive Specifies a dictionary key whose value
239 is a CFBooleanRef indicating whether the key in question must be wrapped
240 with an algorithm other than CSSM_ALGID_NONE.
241 @constant kSecAttrWasAlwaysSensitive Specifies a dictionary key whose value
242 is a CFBooleanRef indicating that the key in question has always been
243 marked as sensitive.
244 @constant kSecAttrIsExtractable Specifies a dictionary key whose value
245 is a CFBooleanRef indicating whether the key in question may be wrapped.
246 @constant kSecAttrWasNeverExtractable Specifies a dictionary key whose value
247 is a CFBooleanRef indicating that the key in question has never been
248 marked as extractable.
249 @constant kSecAttrCanSignRecover Specifies a dictionary key whole value is a
250 CFBooleanRef indicating whether the key in question can be used to
251 perform sign recovery.
252 @constant kSecAttrCanVerifyRecover Specifies a dictionary key whole value is
253 a CFBooleanRef indicating whether the key in question can be used to
254 perform verify recovery.
427c49bc
A		 255 @constant kSecAttrTombstone Specifies a dictionary key whose value is
256 a CFBooleanRef indicating that the item in question is a tombstone.
5c19dc3a
A		 257 @constant kSecAttrNoLegacy Specifies a dictionary key whose
258 value is a CFBooleanRef indicating that the query must be run on the
259 syncable backend even for non syncable items.
b1ab9ed8 260*/
5c19dc3a
A		 261extern const CFStringRef kSecAttrScriptCode;
262extern const CFStringRef kSecAttrAlias;
263extern const CFStringRef kSecAttrHasCustomIcon;
264extern const CFStringRef kSecAttrVolume;
265extern const CFStringRef kSecAttrAddress;
266extern const CFStringRef kSecAttrAFPServerSignature;
267extern const CFStringRef kSecAttrCRLType;
268extern const CFStringRef kSecAttrCRLEncoding;
269extern const CFStringRef kSecAttrKeyCreator;
270extern const CFStringRef kSecAttrIsPrivate;
271extern const CFStringRef kSecAttrIsModifiable;
272extern const CFStringRef kSecAttrStartDate;
273extern const CFStringRef kSecAttrEndDate;
274extern const CFStringRef kSecAttrIsSensitive;
275extern const CFStringRef kSecAttrWasAlwaysSensitive;
276extern const CFStringRef kSecAttrIsExtractable;
277extern const CFStringRef kSecAttrWasNeverExtractable;
278extern const CFStringRef kSecAttrCanSignRecover;
279extern const CFStringRef kSecAttrCanVerifyRecover;
280extern const CFStringRef kSecAttrTombstone;
281extern const CFStringRef kSecAttrNoLegacy
e3d460c9 282 __OSX_AVAILABLE(10.11) __IOS_AVAILABLE(9.3) __TVOS_AVAILABLE(9.3) __WATCHOS_AVAILABLE(2.3);
5c19dc3a
A		 283extern const CFStringRef kSecAttrSyncViewHint
284 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
6b200bc3
A		 285extern const CFStringRef kSecAttrMultiUser
286 __OSX_AVAILABLE(10.11.5) __IOS_AVAILABLE(9.3) __TVOS_AVAILABLE(9.3) __WATCHOS_AVAILABLE(2.3);
866f8763
A		 287
288/* This will force the syncing system to derive an item's plaintext synchronization id from its primary key.
289 * This might leak primary key information, but will cause syncing devices to discover sync conflicts sooner.
290 * Protected by the kSecEntitlementPrivateCKKSPlaintextFields entitlement.
291 *
292 * Will only be respected during a SecItemAdd.
293 */
294extern const CFStringRef kSecAttrDeriveSyncIDFromItemAttributes
295__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
296extern const CFStringRef kSecAttrPCSPlaintextServiceIdentifier
297 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
298extern const CFStringRef kSecAttrPCSPlaintextPublicKey
299 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
300extern const CFStringRef kSecAttrPCSPlaintextPublicIdentity
301 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
302
303// ObjectID of item stored on the token. Token-type specific BLOB.
304// For kSecAttrTokenIDSecureEnclave and kSecAttrTokenIDAppleKeyStore, ObjectID is libaks's blob representation of encoded key.
fa7225c8 305extern const CFStringRef kSecAttrTokenOID
6b200bc3 306 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
866f8763
A		 307extern const CFStringRef kSecAttrUUID
308 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
309extern const CFStringRef kSecAttrSysBound
310 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
311extern const CFStringRef kSecAttrSHA1
312__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
313
314#define kSecSecAttrSysBoundNot 0
315#define kSecSecAttrSysBoundPreserveDuringRestore 1
6b200bc3 316
fa7225c8 317
866f8763
A		 318extern const CFStringRef kSecAttrKeyTypeECSECPrimeRandomPKA
319 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
320extern const CFStringRef kSecAttrKeyTypeSecureEnclaveAttestation
321 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
322
323// Should not be used, use kSecAttrTokenOID instead.
324extern const CFStringRef kSecAttrSecureEnclaveKeyBlob
325 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
326
fa7225c8
A		 327/*!
328 @enum kSecAttrAccessible Value Constants (Private)
329 @constant kSecAttrAccessibleAlwaysPrivate Private alias for kSecAttrAccessibleAlways,
330 which is going to be deprecated for 3rd party use.
331 @constant kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate for kSecAttrAccessibleAlwaysThisDeviceOnly,
332 which is going to be deprecated for 3rd party use.
333*/
334extern const CFStringRef kSecAttrAccessibleAlwaysPrivate
335;//%%% __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
336extern const CFStringRef kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate
337;//%%% __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
5c19dc3a
A		 338
339/* View Hint Constants */
340
341extern const CFStringRef kSecAttrViewHintPCSMasterKey;
342extern const CFStringRef kSecAttrViewHintPCSiCloudDrive;
343extern const CFStringRef kSecAttrViewHintPCSPhotos;
344extern const CFStringRef kSecAttrViewHintPCSCloudKit;
345extern const CFStringRef kSecAttrViewHintPCSEscrow;
346extern const CFStringRef kSecAttrViewHintPCSFDE;
347extern const CFStringRef kSecAttrViewHintPCSMailDrop;
348extern const CFStringRef kSecAttrViewHintPCSiCloudBackup;
349extern const CFStringRef kSecAttrViewHintPCSNotes;
350extern const CFStringRef kSecAttrViewHintPCSiMessage;
866f8763 351extern const CFStringRef kSecAttrViewHintPCSFeldspar;
fa7225c8 352extern const CFStringRef kSecAttrViewHintPCSSharing;
5c19dc3a
A		 353
354extern const CFStringRef kSecAttrViewHintAppleTV;
355extern const CFStringRef kSecAttrViewHintHomeKit;
fa7225c8
A		 356extern const CFStringRef kSecAttrViewHintContinuityUnlock;
357extern const CFStringRef kSecAttrViewHintAccessoryPairing;
866f8763
A		 358extern const CFStringRef kSecAttrViewHintNanoRegistry;
359extern const CFStringRef kSecAttrViewHintWatchMigration;
360extern const CFStringRef kSecAttrViewHintEngram;
361extern const CFStringRef kSecAttrViewHintManatee;
362extern const CFStringRef kSecAttrViewHintAutoUnlock;
363extern const CFStringRef kSecAttrViewHintHealth;
8a50f688 364extern const CFStringRef kSecAttrViewHintApplePay;
866f8763 365
b1ab9ed8 366
6b200bc3 367#if SEC_OS_IPHONE
e3d460c9
A		 368extern const CFStringRef kSecUseSystemKeychain
369 __TVOS_AVAILABLE(9.2)
370 __WATCHOS_AVAILABLE(3.0)
371 __OSX_AVAILABLE(10.11.4)
372 __IOS_AVAILABLE(9.3);
373
374extern const CFStringRef kSecUseSyncBubbleKeychain
375 __TVOS_AVAILABLE(9.2)
376 __WATCHOS_AVAILABLE(3.0)
377 __OSX_AVAILABLE(10.11.4)
378 __IOS_AVAILABLE(9.3);
6b200bc3 379#endif /* SEC_OS_IPHONE */
e3d460c9 380
b1ab9ed8
A		 381/*!
382 @enum Other Constants (Private)
383 @discussion Predefined constants used to set values in a dictionary.
427c49bc
A		 384 @constant kSecUseTombstones Specifies a dictionary key whose value is a
385 CFBooleanRef if present this overrides the default behaviour for when
386 we make tombstones. The default being we create tombstones for
387 synchronizable items unless we are explicitly deleting or updating a
388 tombstone. Setting this to false when calling SecItemDelete or
389 SecItemUpdate will ensure no tombstones are created. Setting it to
390 true will ensure we create tombstones even when deleting or updating non
391 synchronizable items.
b1ab9ed8
A		 392 @constant kSecUseKeychain Specifies a dictionary key whose value is a
393 keychain reference. You use this key to specify a value of type
394 SecKeychainRef that indicates the keychain to which SecItemAdd
395 will add the provided item(s).
396 @constant kSecUseKeychainList Specifies a dictionary key whose value is
397 either an array of keychains to search (CFArrayRef), or a single
398 keychain (SecKeychainRef). If not provided, the user's default
399 keychain list is searched. kSecUseKeychainList is ignored if an
400 explicit kSecUseItemList is also provided. This key can be used
401 for the SecItemCopyMatching, SecItemUpdate and SecItemDelete calls.
d8f41ccd 402 @constant kSecUseCredentialReference Specifies a CFDataRef containing
5c19dc3a 403 AppleCredentialManager reference handle to be used when authorizing access
d8f41ccd 404 to the item.
641423b6
A		 405 @constant kSecUseCallerName Specifies a dictionary key whose value
406 is a CFStringRef that represents a user-visible string describing
407 the caller name for which the application is attempting to authenticate.
408 The caller must have 'com.apple.private.LocalAuthentication.CallerName'
409 entitlement set to YES to use this feature, otherwise it is ignored.
866f8763
A		 410 @constant kSecUseTokenRawItems If set to true, token-based items (i.e. those
411 which have non-empty kSecAttrTokenID are not going through client-side
412 postprocessing, only raw form stored in the database is listed. This
413 flag is ignored in other operations than SecItemCopyMatching().
b1ab9ed8 414*/
5c19dc3a 415extern const CFStringRef kSecUseTombstones
427c49bc 416 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
5c19dc3a 417extern const CFStringRef kSecUseCredentialReference
d8f41ccd 418 __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
641423b6
A		 419extern const CFStringRef kSecUseCallerName
420 __OSX_AVAILABLE(10.11.4) __IOS_AVAILABLE(9.3) __TVOS_AVAILABLE(9.3) __WATCHOS_AVAILABLE(2.3);
866f8763
A		 421extern const CFStringRef kSecUseTokenRawItems
422 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
423
424extern const CFStringRef kSOSInternalAccessGroup
425 __OSX_AVAILABLE(10.9) __IOS_AVAILABLE(7.0) __TVOS_AVAILABLE(9.3) __WATCHOS_AVAILABLE(2.3);
426
427/*!
428 @enum kSecAttrTokenID Value Constants
429 @discussion Predefined item attribute constant used to get or set values
430 in a dictionary. The kSecAttrTokenID constant is the key and its value
431 can be kSecAttrTokenIDSecureEnclave.
432 @constant kSecAttrTokenIDKeyAppleStore Specifies well-known identifier of
433 the token implemented using libaks (AppleKeyStore). This token is identical to
434 kSecAttrTokenIDSecureEnclave for devices which support Secure Enclave and
435 silently falls back to in-kernel emulation for those devices which do not
436 have Secure Enclave support.
437 */
438extern const CFStringRef kSecAttrTokenIDAppleKeyStore
439 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(3.0);
440
441
442extern const CFStringRef kSecNetworkExtensionAccessGroupSuffix;
b1ab9ed8
A		 443
444/*!
445 @function SecItemCopyDisplayNames
446 @abstract Returns an array containing unique display names for each of the
447 certificates, keys, identities, or passwords in the provided items
448 array.
449 @param items An array containing items of type SecKeychainItemRef,
450 SecKeyRef, SecCertificateRef, or SecIdentityRef. All items in the
451 array should be of the same type.
452 @param displayNames On return, an array of CFString references containing
453 unique names for the supplied items. You are responsible for releasing
454 this array reference by calling the CFRelease function.
455 @result A result code. See "Security Error Codes" (SecBase.h).
456 @discussion Use this function to obtain item names which are suitable for
457 display in a menu or list view. The returned names are guaranteed to
458 be unique across the set of provided items.
459*/
460OSStatus SecItemCopyDisplayNames(CFArrayRef items, CFArrayRef *displayNames);
461
462/*!
463 @function SecItemDeleteAll
866f8763 464 @abstract Removes all items from the keychain.
b1ab9ed8
A		 465 @result A result code. See "Security Error Codes" (SecBase.h).
466*/
467OSStatus SecItemDeleteAll(void);
468
866f8763
A		 469/*!
470 @function _SecItemAddAndNotifyOnSync
471 @abstract Adds an item to the keychain, and calls syncCallback when the item has synced
472 @param attributes Attributes dictionary to be passed to SecItemAdd
473 @param result Result reference to be passed to SecItemAdd
474 @param syncCallback Block to be executed after the item has synced or failed to sync
475 @result The result code returned from SecItemAdd
476 */
477OSStatus _SecItemAddAndNotifyOnSync(CFDictionaryRef attributes, CFTypeRef * CF_RETURNS_RETAINED result, void (^syncCallback)(bool didSync, CFErrorRef error));
478
479/*!
480 @function SecItemSetCurrentItemAcrossAllDevices
481 @abstract Sets 'new current item' to be the 'current' item in CloudKit for the given identifier.
482 */
483void SecItemSetCurrentItemAcrossAllDevices(CFStringRef accessGroup,
484 CFStringRef identifier,
485 CFStringRef viewHint,
486 CFDataRef newCurrentItemReference,
487 CFDataRef newCurrentItemHash,
488 CFDataRef oldCurrentItemReference,
489 CFDataRef oldCurrentItemHash,
490 void (^complete)(CFErrorRef error));
491
492/*!
493 @function SecItemFetchCurrentItemAcrossAllDevices
494 @abstract Fetches the locally cached idea of which keychain item is 'current' across this iCloud account
495 for the given access group and identifier.
496 @param accessGroup The accessGroup of your process and the expected current item
497 @param identifier Which 'current' item you're interested in. Freeform, but should match the ID given to
498 SecItemSetCurrentItemAcrossAllDevices.
499 @param viewHint The keychain view hint for your items.
500 @param fetchCloudValue If false, will return the local machine's cached idea of which item is current. If true,
501 performs a CloudKit operation to determine the most up-to-date version.
502 @param complete Called to return values: a persistent ref to the current item, if such an item exists. Otherwise, error.
503 */
504void SecItemFetchCurrentItemAcrossAllDevices(CFStringRef accessGroup,
505 CFStringRef identifier,
506 CFStringRef viewHint,
507 bool fetchCloudValue,
508 void (^complete)(CFDataRef persistentRef, CFErrorRef error));
509
510
511#if __OBJC__
512void _SecItemFetchDigests(NSString *itemClass, NSString *accessGroup, void (^complete)(NSArray *, NSError *));
513#endif
514
6b200bc3 515#if SEC_OS_IPHONE
fa7225c8
A		 516/*!
517 @function SecItemDeleteAllWithAccessGroups
518 @abstract Deletes all items for each class for the given access groups
519 @param accessGroups An array of access groups for the items
520 @result A result code. See "Security Error Codes" (SecBase.h).
521 @discussion Provided for use by MobileInstallation to allow cleanup after uninstall
522 Requires entitlement "com.apple.private.uninstall.deletion"
523 */
524bool SecItemDeleteAllWithAccessGroups(CFArrayRef accessGroups, CFErrorRef *error);
6b200bc3 525#endif /* SEC_OS_IPHONE */
fa7225c8 526
b1ab9ed8
A		 527/*
528 Ensure the escrow keybag has been used to unlock the system keybag before
529 calling either of these APIs.
530 The password argument is optional, passing NULL implies no backup password
531 was set. We're assuming there will always be a backup keybag, except in
532 the OTA case where the loaded OTA backup bag will be used.
533 */
534CFDataRef _SecKeychainCopyBackup(CFDataRef backupKeybag, CFDataRef password);
535CFDataRef _SecKeychainCopyOTABackup(void);
427c49bc 536OSStatus _SecKeychainRestoreBackup(CFDataRef backup, CFDataRef backupKeybag,
b1ab9ed8 537 CFDataRef password);
ecaf5866
A		 538/*
539 EMCS backups are similar to regular backups but we do not want to unlock the keybag
540 */
541CFDataRef _SecKeychainCopyEMCSBackup(CFDataRef backupKeybag);
b1ab9ed8 542
e3d460c9
A		 543bool
544_SecKeychainWriteBackupToFileDescriptor(CFDataRef backupKeybag, CFDataRef password, int fd, CFErrorRef *error);
545
546bool
547_SecKeychainRestoreBackupFromFileDescriptor(int fd, CFDataRef backupKeybag, CFDataRef password, CFErrorRef *error);
548
fa7225c8
A		 549CFStringRef
550_SecKeychainCopyKeybagUUIDFromFileDescriptor(int fd, CFErrorRef *error);
e3d460c9 551
427c49bc
A		 552OSStatus _SecKeychainBackupSyncable(CFDataRef keybag, CFDataRef password, CFDictionaryRef backup_in, CFDictionaryRef *backup_out);
553OSStatus _SecKeychainRestoreSyncable(CFDataRef keybag, CFDataRef password, CFDictionaryRef backup_in);
554
555/* Called by clients to push sync circle and message changes to us.
556 Requires caller to have the kSecEntitlementKeychainSyncUpdates entitlement. */
d8f41ccd 557CFArrayRef _SecKeychainSyncUpdateMessage(CFDictionaryRef updates, CFErrorRef *error);
5c19dc3a 558
e3d460c9 559#if !TARGET_OS_IPHONE
5c19dc3a
A		 560CFDataRef _SecItemGetPersistentReference(CFTypeRef raw_item);
561#endif
562
e3d460c9 563/* Returns an OSStatus value for the given CFErrorRef, returns errSecInternal if the
6b200bc3 564 domain of the provided error is not recognized. Passing NULL returns errSecSuccess (0). */
427c49bc
A		 565OSStatus SecErrorGetOSStatus(CFErrorRef error);
566
d8f41ccd
A		 567bool _SecKeychainRollKeys(bool force, CFErrorRef *error);
568
e3d460c9 569CFDictionaryRef _SecSecuritydCopyWhoAmI(CFErrorRef *error);
866f8763 570XPC_RETURNS_RETAINED xpc_endpoint_t _SecSecuritydCopyCKKSEndpoint(CFErrorRef *error);
ecaf5866 571XPC_RETURNS_RETAINED xpc_endpoint_t _SecSecuritydCopyKeychainControlEndpoint(CFErrorRef* error);
6b200bc3
A		 572
573#if SEC_OS_IPHONE
e3d460c9 574bool _SecSyncBubbleTransfer(CFArrayRef services, uid_t uid, CFErrorRef *error);
6b200bc3
A		 575#else /* SEC_OS_IPHONE */
576bool _SecSyncBubbleTransfer(CFArrayRef services, CFErrorRef *error);
577#endif /* SEC_OS_IPHONE */
578
e3d460c9 579bool _SecSystemKeychainTransfer(CFErrorRef *error);
6b200bc3 580#if SEC_OS_IPHONE
e3d460c9 581bool _SecSyncDeleteUserViews(uid_t uid, CFErrorRef *error);
6b200bc3 582#endif /* SEC_OS_IPHONE */
e3d460c9 583
866f8763
A		 584
585
fa7225c8
A		 586OSStatus SecItemUpdateTokenItems(CFTypeRef tokenID, CFArrayRef tokenItemsAttributes);
587
6b200bc3
A		 588#if SEC_OS_OSX
589CFTypeRef SecItemCreateFromAttributeDictionary_osx(CFDictionaryRef refAttributes);
590#endif
591
592#if SEC_OS_IPHONE
fa7225c8
A		 593/*!
594 * @function SecCopyLastError
595 * @abstract return the last CFErrorRef for this thread
596 * @param status the error code returned from the API call w/o CFErrorRef or 0
597 * @result NULL or a retained CFError of the matching error code
598 *
599 * @discussion There are plenty of API calls in Security.framework that
600 * doesn't return an CFError in case of an error, many of them actually have
601 * a CFErrorRef internally, but throw it away at the last moment.
602 * This might be your chance to get hold of it. The status code pass in is there
603 * to avoid stale copies of CFErrorRef.
6b200bc3 604
fa7225c8
A		 605 * Note, not all interfaces support returning a CFErrorRef on the thread local
606 * storage. This is especially true when going though old CDSA style API.
607 */
608
609CFErrorRef
610SecCopyLastError(OSStatus status)
611 __TVOS_AVAILABLE(10.0)
612 __WATCHOS_AVAILABLE(3.0)
613 __IOS_AVAILABLE(10.0);
614
615
616bool
617SecItemUpdateWithError(CFDictionaryRef inQuery,
618 CFDictionaryRef inAttributesToUpdate,
619 CFErrorRef *error)
620 __TVOS_AVAILABLE(10.0)
621 __WATCHOS_AVAILABLE(3.0)
622 __IOS_AVAILABLE(10.0);
6b200bc3
A		 623#endif // SEC_OS_IPHONE
624
625#if SEC_OS_OSX
626/*!
627 @function SecItemParentCachePurge
866f8763 628 @abstract Clear the cache of parent certificates used in SecItemCopyParentCertificates_osx.
6b200bc3 629 */
ecaf5866 630void SecItemParentCachePurge(void);
6b200bc3 631#endif
fa7225c8
A		 632
633
6b200bc3 634#if SEC_OS_OSX_INCLUDES
fa7225c8 635/*!
866f8763 636 @function SecItemCopyParentCertificates_osx
fa7225c8
A		 637 @abstract Retrieve an array of possible issuing certificates for a given certificate.
638 @param certificate A reference to a certificate whose issuers are being sought.
639 @param context Pass NULL in this parameter to indicate that the default certificate
640 source(s) should be searched. The default is to search all available keychains.
641 Values of context other than NULL are currently ignored.
642 @result An array of zero or more certificates whose normalized subject matches the
643 normalized issuer of the provided certificate. Note that no cryptographic validation
644 of the signature is performed by this function; its purpose is only to provide a list
645 of candidate certificates.
646 */
866f8763 647CFArrayRef SecItemCopyParentCertificates_osx(SecCertificateRef certificate, void *context)
fa7225c8
A		 648__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_NA);
649
650/*!
651 @function SecItemCopyStoredCertificate
652 @abstract Retrieve the first stored instance of a given certificate.
653 @param certificate A reference to a certificate.
654 @param context Pass NULL in this parameter to indicate that the default certificate
655 source(s) should be searched. The default is to search all available keychains.
656 Values of context other than NULL are currently ignored.
657 @result Returns a certificate reference if the given certificate exists in a keychain,
658 or NULL if the certificate cannot be found in any keychain. The caller is responsible
659 for releasing the returned certificate reference when finished with it.
660 */
661SecCertificateRef SecItemCopyStoredCertificate(SecCertificateRef certificate, void *context)
662__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_NA);
6b200bc3 663#endif /* SEC_OS_OSX */
fa7225c8 664
427c49bc 665__END_DECLS
b1ab9ed8
A		 666
667#endif /* !_SECURITY_SECITEMPRIV_H_ */
mirror of Security