]> git.saurik.com Git - apple/security.git/blame - OSX/libsecurity_keychain/lib/SecKeyPriv.h
projects / apple / security.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Security-57740.20.22.tar.gz
[apple/security.git] / OSX / libsecurity_keychain / lib / SecKeyPriv.h
CommitLineData
b1ab9ed8 1/*
5c19dc3a 2 * Copyright (c) 2002-2009,2011-2015 Apple Inc. All Rights Reserved.
b1ab9ed8
A		 3 *
4 * @APPLE_LICENSE_HEADER_START@
5c19dc3a 5 *
b1ab9ed8
A		 6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
5c19dc3a 12 *
b1ab9ed8
A		 13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
5c19dc3a 20 *
b1ab9ed8
A		 21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * SecKeyPriv.h - SPIs to SecKeyRef objects.
24 */
25
26/*!
27 @header SecKeyPriv
28 The functions provided in SecKeyPriv.h implement and manage a particular
29 type of keychain item that represents a key. A key can be stored in a
30 keychain, but a key can also be a transient object.
31
32 You can use a key as a keychain item in most functions.
33*/
34
35#ifndef _SECURITY_SECKEYPRIV_H_
36#define _SECURITY_SECKEYPRIV_H_
37
38#include <Security/SecKey.h>
39#include <Security/x509defs.h>
40#include <Security/SecAsn1Types.h>
41#include <AvailabilityMacros.h>
fa7225c8 42#include <CoreFoundation/CFRuntime.h>
b1ab9ed8
A		 43
44#if defined(__cplusplus)
45extern "C" {
46#endif
47
427c49bc
A		 48typedef struct SecRSAPublicKeyParams {
49 uint8_t *modulus; /* modulus */
50 CFIndex modulusLength;
51 uint8_t *exponent; /* public exponent */
52 CFIndex exponentLength;
53} SecRSAPublicKeyParams;
54
b1ab9ed8
A		 55typedef uint32_t SecKeyEncoding;
56enum {
57 /* Typically only used for symmetric keys. */
58 kSecKeyEncodingRaw = 0,
59
60 /* RSA keys are DER-encoded according to PKCS1. */
61 kSecKeyEncodingPkcs1 = 1,
62
63 /* RSA keys are DER-encoded according to PKCS1 with Apple Extensions. */
64 kSecKeyEncodingApplePkcs1 = 2,
65
66 /* RSA public key in SecRSAPublicKeyParams format. keyData is a pointer
67 to a SecRSAPublicKeyParams and keyDataLength is
68 sizeof(SecRSAPublicKeyParams). */
69 kSecKeyEncodingRSAPublicParams = 3,
fa7225c8
A		 70
71 /* RSA public key in SecRSAPublicKeyParams format. keyData is a pointer
72 to a SecRSAPublicKeyParams and keyDataLength is
73 sizeof(SecRSAPublicKeyParams). */
74 kSecDERKeyEncoding = 4,
75
76 /* Internal "encodings to send other data" */
77 kSecGenerateKey = 5,
78 kSecExtractPublicFromPrivate = 6,
79
80 /* Encoding came from SecKeyCopyPublicBytes for a public key,
81 or internally from a private key */
82 kSecKeyEncodingBytes = 7,
83
84 /* Handing in a private key from corecrypto directly. */
85 kSecKeyCoreCrypto = 8,
86};
87
88typedef uint32_t SecKeyWrapType;
89enum {
90 /* wrap key in RFC3394 (AESWrap) */
91 kSecKeyWrapRFC3394 = 0,
92
93 /* wrap key in PGP style (support EC keys only right now) */
94 kSecKeyWrapPublicKeyPGP = 1,
95
96};
97
98typedef CF_ENUM(CFIndex, SecKeyOperationMode) {
99 kSecKeyOperationModePerform = 0,
100 kSecKeyOperationModeCheckIfSupported = 1,
b1ab9ed8
A		 101};
102
103typedef OSStatus (*SecKeyInitMethod)(SecKeyRef, const uint8_t *, CFIndex,
104 SecKeyEncoding);
b1ab9ed8 105typedef void (*SecKeyDestroyMethod)(SecKeyRef);
b1ab9ed8
A		 106typedef OSStatus (*SecKeyRawSignMethod)(SecKeyRef key, SecPadding padding,
107 const uint8_t *dataToSign, size_t dataToSignLen,
108 uint8_t *sig, size_t *sigLen);
109typedef OSStatus (*SecKeyRawVerifyMethod)(
110 SecKeyRef key, SecPadding padding, const uint8_t *signedData,
111 size_t signedDataLen, const uint8_t *sig, size_t sigLen);
112typedef OSStatus (*SecKeyEncryptMethod)(SecKeyRef key, SecPadding padding,
113 const uint8_t *plainText, size_t plainTextLen,
114 uint8_t *cipherText, size_t *cipherTextLen);
115typedef OSStatus (*SecKeyDecryptMethod)(SecKeyRef key, SecPadding padding,
116 const uint8_t *cipherText, size_t cipherTextLen,
117 uint8_t *plainText, size_t *plainTextLen);
fa7225c8
A		 118typedef OSStatus (*SecKeyComputeMethod)(SecKeyRef key,
119 const uint8_t *pub_key, size_t pub_key_len,
120 uint8_t *computed_key, size_t *computed_key_len);
b1ab9ed8
A		 121typedef size_t (*SecKeyBlockSizeMethod)(SecKeyRef key);
122typedef CFDictionaryRef (*SecKeyCopyDictionaryMethod)(SecKeyRef key);
fa7225c8
A		 123typedef CFIndex (*SecKeyGetAlgorithmIDMethod)(SecKeyRef key);
124typedef OSStatus (*SecKeyCopyPublicBytesMethod)(SecKeyRef key, CFDataRef *serialization);
125typedef CFDataRef (*SecKeyCopyWrapKeyMethod)(SecKeyRef key, SecKeyWrapType type, CFDataRef unwrappedKey, CFDictionaryRef parameters, CFDictionaryRef *outParam, CFErrorRef *error);
126typedef CFDataRef (*SecKeyCopyUnwrapKeyMethod)(SecKeyRef key, SecKeyWrapType type, CFDataRef wrappedKey, CFDictionaryRef parameters, CFDictionaryRef *outParam, CFErrorRef *error);
127typedef CFStringRef (*SecKeyDescribeMethod)(SecKeyRef key);
128
129typedef CFDataRef (*SecKeyCopyExternalRepresentationMethod)(SecKeyRef key, CFErrorRef *error);
130typedef SecKeyRef (*SecKeyCopyPublicKeyMethod)(SecKeyRef key);
131typedef Boolean (*SecKeyIsEqualMethod)(SecKeyRef key1, SecKeyRef key2);
3a7be6fd
A		 132typedef SecKeyRef (*SecKeyCreateDuplicateMethod)(SecKeyRef key);
133
fa7225c8
A		 134/*!
135 @abstract Performs cryptographic operation with the key.
136 @param key Key to perform the operation on.
137 @param operation Type of operation to be performed.
138 @param algorithm Algorithm identifier for the operation. Determines format of input and output data.
139 @param allAlgorithms Array of algorithms which were traversed until we got to this operation. The last member of this array is always the same as @c algorithm parameter.
140 @param mode Mode in which the operation is performed. Two available modes are checking only if the operation can be performed or actually performing the operation.
141 @param in1 First input parameter for the operation, meaningful only in ModePerform.
142 @param in2 Second input parameter for the operation, meaningful only in ModePerform.
143 @param error Error details when NULL is returned.
144 @return NULL if some failure occured. kCFNull if operation/algorithm/key combination is not supported, otherwise the result of the operation or kCFBooleanTrue in ModeCheckIfSupported.
145 */
146typedef CFTypeRef(*SecKeyCopyOperationResultMethod)(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm, CFArrayRef allAlgorithms, SecKeyOperationMode mode, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error);
147
148#define kSecKeyDescriptorVersion (4)
149
150typedef struct __SecKeyDescriptor {
151 /* Version of this SecKeyDescriptor. Must be kSecKeyDescriptorVersion. */
152 uint32_t version;
b1ab9ed8 153
fa7225c8 154 /* Name of this key class for use by SecKeyShow(). */
b1ab9ed8 155 const char *name;
fa7225c8
A		 156
157 /* If nonzero, SecKeyCreate will allocate this many bytes for the key
158 field in the SecKeyRef it creates. If zero key is NULL and the
159 implementor can choose to dynamically allocate it in the init
160 function and free it in the destroy function. */
161 uint32_t extraBytes;
162
163 /* Called by SecKeyCreate(). */
b1ab9ed8 164 SecKeyInitMethod init;
fa7225c8 165 /* Called by destructor (final CFRelease() or gc if using). */
b1ab9ed8 166 SecKeyDestroyMethod destroy;
fa7225c8 167 /* Called by SecKeyRawSign(). */
b1ab9ed8 168 SecKeyRawSignMethod rawSign;
fa7225c8 169 /* Called by SecKeyRawVerify(). */
b1ab9ed8 170 SecKeyRawVerifyMethod rawVerify;
fa7225c8 171 /* Called by SecKeyEncrypt(). */
b1ab9ed8 172 SecKeyEncryptMethod encrypt;
fa7225c8 173 /* Called by SecKeyDecrypt(). */
b1ab9ed8 174 SecKeyDecryptMethod decrypt;
fa7225c8
A		 175 /* Reserved for future use. */
176 SecKeyComputeMethod compute;
177 /* Called by SecKeyGetBlockSize(). */
b1ab9ed8 178 SecKeyBlockSizeMethod blockSize;
fa7225c8 179 /* Called by SecKeyCopyAttributeDictionary(), which is private. */
b1ab9ed8 180 SecKeyCopyDictionaryMethod copyDictionary;
fa7225c8
A		 181 /* Called by SecKeyDescribeMethod(). */
182 SecKeyDescribeMethod describe;
183#if kSecKeyDescriptorVersion > 0
184 /* Called by SecKeyCopyAttributeDictionary(), which is private. */
185 SecKeyGetAlgorithmIDMethod getAlgorithmID;
186#endif
187#if kSecKeyDescriptorVersion > 1
188 SecKeyCopyPublicBytesMethod copyPublic;
189#endif
190#if kSecKeyDescriptorVersion > 2
191 SecKeyCopyWrapKeyMethod copyWrapKey;
192 SecKeyCopyUnwrapKeyMethod copyUnwrapKey;
193#endif
194#if kSecKeyDescriptorVersion > 3
195 SecKeyCopyExternalRepresentationMethod copyExternalRepresentation;
196 SecKeyCopyPublicKeyMethod copyPublicKey;
197 SecKeyCopyOperationResultMethod copyOperationResult;
198 SecKeyIsEqualMethod isEqual;
3a7be6fd 199 SecKeyCreateDuplicateMethod createDuplicate;
fa7225c8 200#endif
b1ab9ed8
A		 201} SecKeyDescriptor;
202
203/*!
204 @function SecKeyGetAlgorithmID
205 @abstract Returns a pointer to a CSSM_X509_ALGORITHM_IDENTIFIER structure for the given key.
206 @param key A key reference.
207 @param algid On return, a pointer to a CSSM_X509_ALGORITHM_IDENTIFIER structure.
208 @result A result code. See "Security Error Codes" (SecBase.h).
5c19dc3a
A		 209 @discussion Deprecated in OS X 10.8 and later. Continued use is strongly discouraged,
210 since there is a naming conflict with a similar function (also deprecated) on iOS that
211 had different arguments and a different return value. Use SecKeyGetAlgorithmId instead.
b1ab9ed8
A		 212*/
213OSStatus SecKeyGetAlgorithmID(SecKeyRef key, const CSSM_X509_ALGORITHM_IDENTIFIER **algid)
214 DEPRECATED_IN_MAC_OS_X_VERSION_10_8_AND_LATER;
215
216enum {
217 kSecNullAlgorithmID = 0,
218 kSecRSAAlgorithmID = 1,
219 kSecDSAAlgorithmID = 2, /* unsupported, just here for reference. */
220 kSecECDSAAlgorithmID = 3,
221};
222
223/*!
224 @function SecKeyGetAlgorithmId
225 @abstract Returns an enumerated constant value which identifies the algorithm for the given key.
226 @param key A key reference.
227 @result An algorithm identifier.
228*/
229CFIndex SecKeyGetAlgorithmId(SecKeyRef key)
5c19dc3a 230 __OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_9_0);
b1ab9ed8
A		 231
232/*!
233 @function SecKeyGetStrengthInBits
234 @abstract Returns key strength in bits for the given key.
235 @param key A key reference.
236 @param algid A pointer to a CSSM_X509_ALGORITHM_IDENTIFIER structure, as returned from a call to SecKeyGetAlgorithmID.
237 @param strength On return, the key strength in bits.
238 @result A result code. See "Security Error Codes" (SecBase.h).
239*/
240OSStatus SecKeyGetStrengthInBits(SecKeyRef key, const CSSM_X509_ALGORITHM_IDENTIFIER *algid, unsigned int *strength);
241
242/*!
243 @function SecKeyImportPair
244 @abstract Takes an asymmetric key pair and stores it in the keychain specified by the keychain parameter.
245 @param keychainRef A reference to the keychain in which to store the private and public key items. Specify NULL for the default keychain.
246 @param publicCssmKey A CSSM_KEY which is valid for the CSP returned by SecKeychainGetCSPHandle(). This may be a normal key or reference key.
247 @param privateCssmKey A CSSM_KEY which is valid for the CSP returned by SecKeychainGetCSPHandle(). This may be a normal key or reference key.
248 @param initialAccess A SecAccess object that determines the initial access rights to the private key. The public key is given an any/any acl by default.
249 @param publicKey Optional output pointer to the keychain item reference of the imported public key. The caller must call CFRelease on this value if it is returned.
250 @param privateKey Optional output pointer to the keychain item reference of the imported private key. The caller must call CFRelease on this value if it is returned.
251 @result A result code. See "Security Error Codes" (SecBase.h).
252 @deprecated in 10.5 and later. Use the SecKeychainItemImport function instead; see <Security/SecImportExport.h>
253*/
254OSStatus SecKeyImportPair(
255 SecKeychainRef keychainRef,
256 const CSSM_KEY *publicCssmKey,
257 const CSSM_KEY *privateCssmKey,
258 SecAccessRef initialAccess,
259 SecKeyRef* publicKey,
260 SecKeyRef* privateKey)
261 DEPRECATED_IN_MAC_OS_X_VERSION_10_5_AND_LATER;
262
263/*!
264 @function SecKeyCreate
265 @abstract Create a key reference from the supplied key data.
266 @param allocator CFAllocator to allocate the key data. Pass NULL to use the default allocator.
267 @param keyClass A descriptor for the particular class of key that is being created.
268 @param keyData Data from which to create the key. Specify the format of this data in the encoding parameter.
269 @param keyDataLength Length of the data pointed to by keyData.
270 @param encoding A value of type SecKeyEncoding which describes the format of keyData.
271 @result A key reference.
272 @discussion Warning: this function is NOT intended for use outside the Security stack in its current state. <rdar://3201885>
273 IMPORTANT: on Mac OS X 10.5 and earlier, the SecKeyCreate function had a different parameter list.
274 The current parameter list matches the iPhone OS implementation. Existing clients of this function
275 on Mac OS X (and there should not be any outside the Security stack, per the warning above) must
276 migrate to the replacement function, SecKeyCreateWithCSSMKey.
277*/
278SecKeyRef SecKeyCreate(CFAllocatorRef allocator,
279 const SecKeyDescriptor *keyClass, const uint8_t *keyData,
280 CFIndex keyDataLength, SecKeyEncoding encoding);
281
282/*!
283 @function SecKeyCreateWithCSSMKey
284 @abstract Generate a temporary floating key reference for a CSSM_KEY.
285 @param key A pointer to a CSSM_KEY structure.
286 @param keyRef On return, a key reference.
287 @result A result code. See "Security Error Codes" (SecBase.h).
288 @discussion Warning: this function is NOT intended for use outside the Security stack in its current state. <rdar://3201885>
289*/
290OSStatus SecKeyCreateWithCSSMKey(const CSSM_KEY *key, SecKeyRef* keyRef);
291
b1ab9ed8
A		 292
293/*!
294 @function SecKeyRawSign
295 @abstract Given a private key and data to sign, generate a digital signature.
296 @param key Private key with which to sign.
297 @param padding See Padding Types above, typically kSecPaddingPKCS1SHA1.
298 @param dataToSign The data to be signed, typically the digest of the actual data.
299 @param dataToSignLen Length of dataToSign in bytes.
300 @param sig Pointer to buffer in which the signature will be returned.
301 @param sigLen IN/OUT maximum length of sig buffer on input, actualy length of sig on output.
302 @result A result code. See "Security Error Codes" (SecBase.h).
303 @discussion If the padding argument is kSecPaddingPKCS1, PKCS1 padding
304 will be performed prior to signing. If this argument is kSecPaddingNone,
305 the incoming data will be signed "as is".
306
307 When PKCS1 padding is performed, the maximum length of data that can
308 be signed is the value returned by SecKeyGetBlockSize() - 11.
309
310 NOTE: The behavior this function with kSecPaddingNone is undefined if the
311 first byte of dataToSign is zero; there is no way to verify leading zeroes
312 as they are discarded during the calculation.
313
314 If you want to generate a proper PKCS1 style signature with DER encoding of
315 the digest type - and the dataToSign is a SHA1 digest - use kSecPaddingPKCS1SHA1.
316*/
317OSStatus SecKeyRawSign(
318 SecKeyRef key,
319 SecPadding padding,
320 const uint8_t *dataToSign,
321 size_t dataToSignLen,
322 uint8_t *sig,
323 size_t *sigLen);
324
325
326/*!
327 @function SecKeyRawVerify
328 @abstract Given a public key, data which has been signed, and a signature, verify the signature.
329 @param key Public key with which to verify the signature.
330 @param padding See Padding Types above, typically kSecPaddingPKCS1SHA1.
331 @param signedData The data over which sig is being verified, typically the digest of the actual data.
332 @param signedDataLen Length of signedData in bytes.
333 @param sig Pointer to the signature to verify.
334 @param sigLen Length of sig in bytes.
335 @result A result code. See "Security Error Codes" (SecBase.h).
336 @discussion If the padding argument is kSecPaddingPKCS1, PKCS1 padding
337 will be checked during verification. If this argument is kSecPaddingNone,
338 the incoming data will be compared directly to sig.
339
340 If you are verifying a proper PKCS1-style signature, with DER encoding of the digest
341 type - and the signedData is a SHA1 digest - use kSecPaddingPKCS1SHA1.
342*/
343OSStatus SecKeyRawVerify(
344 SecKeyRef key,
345 SecPadding padding,
346 const uint8_t *signedData,
347 size_t signedDataLen,
348 const uint8_t *sig,
349 size_t sigLen);
350
351
352/*!
353 @function SecKeyEncrypt
354 @abstract Encrypt a block of plaintext.
355 @param key Public key with which to encrypt the data.
356 @param padding See Padding Types above, typically kSecPaddingPKCS1.
357 @param plainText The data to encrypt.
358 @param plainTextLen Length of plainText in bytes, this must be less
359 or equal to the value returned by SecKeyGetBlockSize().
360 @param cipherText Pointer to the output buffer.
361 @param cipherTextLen On input, specifies how much space is available at
362 cipherText; on return, it is the actual number of cipherText bytes written.
363 @result A result code. See "Security Error Codes" (SecBase.h).
364 @discussion If the padding argument is kSecPaddingPKCS1, PKCS1 padding
365 will be performed prior to encryption. If this argument is kSecPaddingNone,
366 the incoming data will be encrypted "as is".
367
368 When PKCS1 padding is performed, the maximum length of data that can
369 be encrypted is the value returned by SecKeyGetBlockSize() - 11.
370
371 When memory usage is a critical issue, note that the input buffer
372 (plainText) can be the same as the output buffer (cipherText).
373*/
374OSStatus SecKeyEncrypt(
375 SecKeyRef key,
376 SecPadding padding,
377 const uint8_t *plainText,
378 size_t plainTextLen,
379 uint8_t *cipherText,
380 size_t *cipherTextLen);
381
382
383/*!
384 @function SecKeyDecrypt
385 @abstract Decrypt a block of ciphertext.
386 @param key Private key with which to decrypt the data.
387 @param padding See SecPadding types above; typically kSecPaddingPKCS1.
388 @param cipherText The data to decrypt.
389 @param cipherTextLen Length of cipherText in bytes; this must be less
390 or equal to the value returned by SecKeyGetBlockSize().
391 @param plainText Pointer to the output buffer.
392 @param plainTextLen On input, specifies how much space is available at
393 plainText; on return, it is the actual number of plainText bytes written.
394 @result A result code. See "Security Error Codes" (SecBase.h).
395 @discussion If the padding argument is kSecPaddingPKCS1, PKCS1 padding
396 will be removed after decryption. If this argument is kSecPaddingNone,
397 the decrypted data will be returned "as is".
398
399 When memory usage is a critical issue, note that the input buffer
400 (plainText) can be the same as the output buffer (cipherText).
401*/
402OSStatus SecKeyDecrypt(
403 SecKeyRef key, /* Private key */
404 SecPadding padding, /* kSecPaddingNone, kSecPaddingPKCS1, kSecPaddingOAEP */
405 const uint8_t *cipherText,
406 size_t cipherTextLen, /* length of cipherText */
407 uint8_t *plainText,
408 size_t *plainTextLen); /* IN/OUT */
409
410OSStatus SecKeyVerifyDigest(
411 SecKeyRef key, /* Private key */
412 const SecAsn1AlgId *algId, /* algorithm oid/params */
413 const uint8_t *digestData, /* signature over this digest */
414 size_t digestDataLen, /* length of dataToDigest */
415 const uint8_t *sig, /* signature to verify */
416 size_t sigLen); /* length of sig */
417
418OSStatus SecKeySignDigest(
419 SecKeyRef key, /* Private key */
420 const SecAsn1AlgId *algId, /* algorithm oid/params */
421 const uint8_t *digestData, /* signature over this digest */
422 size_t digestDataLen, /* length of digestData */
423 uint8_t *sig, /* signature, RETURNED */
424 size_t *sigLen); /* IN/OUT */
425
426
427/* These are the named curves we support. These values come from RFC 4492
428 section 5.1.1, with the exception of SSL_Curve_None which means
429 "ECDSA not negotiated". */
430typedef enum
431{
432 kSecECCurveNone = -1,
433 kSecECCurveSecp256r1 = 23,
434 kSecECCurveSecp384r1 = 24,
435 kSecECCurveSecp521r1 = 25
436} SecECNamedCurve;
437
438/* Return a named curve enum for ecPrivateKey. */
439SecECNamedCurve SecECKeyGetNamedCurve(SecKeyRef ecPrivateKey);
440CFDataRef SecECKeyCopyPublicBits(SecKeyRef key);
441
442/* Given an RSA public key in encoded form return a SecKeyRef representing
443 that key. Supported encodings are kSecKeyEncodingPkcs1. */
444SecKeyRef SecKeyCreateRSAPublicKey(CFAllocatorRef allocator,
445 const uint8_t *keyData, CFIndex keyDataLength,
446 SecKeyEncoding encoding);
447
448CFDataRef SecKeyCopyModulus(SecKeyRef rsaPublicKey);
449CFDataRef SecKeyCopyExponent(SecKeyRef rsaPublicKey);
450
427c49bc
A		 451/*!
452 @function SecKeyCopyPublicBytes
453 @abstract Gets the bits of a public key
454 @param key Key to retrieve the bits.
455 @param publicBytes An out parameter to receive the public key bits
456 @result Errors if any when retrieving the public key bits..
457 */
458OSStatus SecKeyCopyPublicBytes(SecKeyRef key, CFDataRef* publicBytes);
459
460/*!
461 @function SecKeyCreatePublicFromPrivate
462 @abstract Create a public SecKeyRef from a private SecKeyRef
463 @param privateKey The private SecKeyRef for which you want the public key
464 @result A public SecKeyRef, or NULL if the conversion failed
465 @discussion This is a "best attempt" function, hence the SPI nature. If the public
466 key bits are not in memory, it attempts to load from the keychain. If the public
467 key was not tracked on the keychain, it will fail.
468*/
469SecKeyRef SecKeyCreatePublicFromPrivate(SecKeyRef privateKey);
470
471/*!
472 @function SecKeyCreateFromPublicData
473*/
474SecKeyRef SecKeyCreateFromPublicData(CFAllocatorRef allocator, CFIndex algorithmID, CFDataRef publicBytes);
475
476OSStatus SecKeyRawVerifyOSX(
477 SecKeyRef key,
478 SecPadding padding,
479 const uint8_t *signedData,
480 size_t signedDataLen,
481 const uint8_t *sig,
482 size_t sigLen);
5c19dc3a 483
fa7225c8
A		 484/*!
485 @enum SecKeyAttestationKeyType
486 @abstract Defines types of builtin attestation keys.
487*/
488typedef CF_ENUM(uint32_t, SecKeyAttestationKeyType)
489{
490 kSecKeyAttestationKeyTypeSIK = 0,
491 kSecKeyAttestationKeyTypeGID
492} __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
493
494/*!
495 @function SecKeyCopyAttestationKey
496 @abstract Returns a copy of a builtin attestation key.
497
498 @param keyType Type of the requested builtin key.
499 @param error An optional pointer to a CFErrorRef. This value is set if an error occurred.
500
501 @result On success a SecKeyRef containing the requested key is returned, on failure it returns NULL.
502*/
503SecKeyRef SecKeyCopyAttestationKey(SecKeyAttestationKeyType keyType, CFErrorRef *error)
504__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
505
506/*!
507 @function SecKeyCreateAttestation
508 @abstract Attests a key with another key.
509
510 @param key The attesting key.
511 @param keyToAttest The key which is to be attested.
512 @param error An optional pointer to a CFErrorRef. This value is set if an error occurred.
513
514 @result On success a CFDataRef containing the attestation data is returned, on failure it returns NULL.
515
516 @discussion Key attestation only works for CTK SEP keys, i.e. keys created with kSecAttrTokenID=kSecAttrTokenIDSecureEnclave.
517*/
518CFDataRef SecKeyCreateAttestation(SecKeyRef key, SecKeyRef keyToAttest, CFErrorRef *error)
519__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
520
521/*!
522 @function SecKeySetParameter
523 @abstract Sets unspecified key parameter for the backend.
524
525 @param key Key to set the parameter to.
526 @param name Identifies parameter to be set.
527 @param value New value for the parameter.
528 @param error Error which gathers more information when something went wrong.
529
530 @discussion Serves as channel between SecKey client and backend for passing additional sideband data send from SecKey caller
531 to SecKey implementation backend (currently only CTK-based token backend is supported). Parameter names and types are
532 a contract between SecKey user (application) and backend and are not interpreted by SecKey layer in any way.
533 */
534Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error)
535__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
536
3a7be6fd
A		 537/*!
538 @function SecKeyCreateDuplicate
539 @abstract Creates duplicate fo the key.
540
541 @param key Source key to be duplicated
542
543 @discussion Only memory representation of the key is duplicated, so if the key is backed by keychain, only one instance
544 stays in the keychain. Duplicating key is useful for setting 'temporary' key parameters using SecKeySetParameter.
545 If the key is immutable (i.e. does not support SecKeySetParameter), calling this method is identical to calling CFRetain().
546 */
547SecKeyRef SecKeyCreateDuplicate(SecKeyRef key)
548__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
549
fa7225c8
A		 550/*!
551 Algorithms for converting between bigendian and core-crypto ccunit data representation.
552 */
553extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureRawCCUnit;
554extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionRawCCUnit;
555
556/*!
557 Internal algorithm for RSA-MD5. We do not want to export MD5 in new API, but we need it
558 for implementing legacy interfaces.
559 */
560extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5;
561extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15MD5;
562
563/*!
564 Algorithms for interoperability with libaks smartcard support.
565 */
566extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionAKSSmartCard;
567
b1ab9ed8
A		 568#if defined(__cplusplus)
569}
570#endif
571
572#endif /* !_SECURITY_SECKEYPRIV_H_ */
573
mirror of Security