]> git.saurik.com Git - apple/security.git/blame - libsecurity_keychain/lib/SecKey.h
projects / apple / security.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Security-55471.14.8.tar.gz
[apple/security.git] / libsecurity_keychain / lib / SecKey.h
CommitLineData
b1ab9ed8
A		 1/*
2 * Copyright (c) 2002-2010 Apple, Inc. All Rights Reserved.
427c49bc 3 *
b1ab9ed8 4 * @APPLE_LICENSE_HEADER_START@
427c49bc 5 *
b1ab9ed8
A		 6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
427c49bc 12 *
b1ab9ed8
A		 13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
427c49bc 20 *
b1ab9ed8
A		 21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24/*!
25 @header SecKey
26 The functions provided in SecKey.h implement and manage a particular
27 type of keychain item that represents a key. A key can be stored in a
28 keychain, but a key can also be a transient object.
29
30 You can use a key as a keychain item in most functions.
31*/
32
33#ifndef _SECURITY_SECKEY_H_
34#define _SECURITY_SECKEY_H_
35
36#include <dispatch/dispatch.h>
37#include <Security/SecBase.h>
38#include <Security/SecAccess.h>
39#include <Security/cssmtype.h>
40#include <CoreFoundation/CFDictionary.h>
41#include <sys/types.h>
42
43#if defined(__cplusplus)
44extern "C" {
45#endif
46
47/*!
48 @enum KeyItemAttributeConstants
49 @abstract Specifies keychain item attributes for keys.
50 @constant kSecKeyKeyClass type uint32 (CSSM_KEYCLASS), value
51 is one of CSSM_KEYCLASS_PUBLIC_KEY, CSSM_KEYCLASS_PRIVATE_KEY
52 or CSSM_KEYCLASS_SESSION_KEY.
53 @constant kSecKeyPrintName type blob, human readable name of
54 the key. Same as kSecLabelItemAttr for normal keychain items.
55 @constant kSecKeyAlias type blob, currently unused.
56 @constant kSecKeyPermanent type uint32, value is nonzero iff
57 this key is permanent (stored in some keychain). This is always
58 1.
59 @constant kSecKeyPrivate type uint32, value is nonzero iff this
60 key is protected by a user login or a password, or both.
61 @constant kSecKeyModifiable type uint32, value is nonzero iff
62 attributes of this key can be modified.
63 @constant kSecKeyLabel type blob, for private and public keys
64 this contains the hash of the public key. This is used to
427c49bc 65 associate certificates and keys. Its value matches the value
b1ab9ed8
A		 66 of the kSecPublicKeyHashItemAttr of a certificate and it's used
67 to construct an identity from a certificate and a key.
68 For symmetric keys this is whatever the creator of the key
69 passed in during the generate key call.
70 @constant kSecKeyApplicationTag type blob, currently unused.
71 @constant kSecKeyKeyCreator type data, the data points to a
72 CSSM_GUID structure representing the moduleid of the csp owning
73 this key.
427c49bc 74 @constant kSecKeyKeyType type uint32, value is a CSSM_ALGORITHMS
b1ab9ed8
A		 75 representing the algorithm associated with this key.
76 @constant kSecKeyKeySizeInBits type uint32, value is the number
77 of bits in this key.
78 @constant kSecKeyEffectiveKeySize type uint32, value is the
79 effective number of bits in this key. For example a des key
80 has a kSecKeyKeySizeInBits of 64 but a kSecKeyEffectiveKeySize
81 of 56.
82 @constant kSecKeyStartDate type CSSM_DATE. Earliest date from
83 which this key may be used. If the value is all zeros or not
84 present, no restriction applies.
85 @constant kSecKeyEndDate type CSSM_DATE. Latest date at
86 which this key may be used. If the value is all zeros or not
87 present, no restriction applies.
88 @constant kSecKeySensitive type uint32, iff value is nonzero
89 this key cannot be wrapped with CSSM_ALGID_NONE.
90 @constant kSecKeyAlwaysSensitive type uint32, value is nonzero
91 iff this key has always been marked sensitive.
92 @constant kSecKeyExtractable type uint32, value is nonzero iff
93 this key can be wrapped.
94 @constant kSecKeyNeverExtractable type uint32, value is nonzero
95 iff this key was never marked extractable.
96 @constant kSecKeyEncrypt type uint32, value is nonzero iff this
97 key can be used in an encrypt operation.
98 @constant kSecKeyDecrypt type uint32, value is nonzero iff this
99 key can be used in a decrypt operation.
100 @constant kSecKeyDerive type uint32, value is nonzero iff this
101 key can be used in a deriveKey operation.
102 @constant kSecKeySign type uint32, value is nonzero iff this
103 key can be used in a sign operation.
104 @constant kSecKeyVerify type uint32, value is nonzero iff this
105 key can be used in a verify operation.
106 @constant kSecKeySignRecover type uint32.
107 @constant kSecKeyVerifyRecover type uint32.
108 key can unwrap other keys.
427c49bc 109 @constant kSecKeyWrap type uint32, value is nonzero iff this
b1ab9ed8
A		 110 key can wrap other keys.
111 @constant kSecKeyUnwrap type uint32, value is nonzero iff this
112 key can unwrap other keys.
427c49bc 113 @discussion
b1ab9ed8
A		 114 The use of these enumerations has been deprecated. Please
115 use the equivalent items defined in SecItem.h
116 @@@.
117*/
118enum
119{
120 kSecKeyKeyClass = 0,
121 kSecKeyPrintName = 1,
122 kSecKeyAlias = 2,
123 kSecKeyPermanent = 3,
124 kSecKeyPrivate = 4,
125 kSecKeyModifiable = 5,
126 kSecKeyLabel = 6,
127 kSecKeyApplicationTag = 7,
128 kSecKeyKeyCreator = 8,
129 kSecKeyKeyType = 9,
130 kSecKeyKeySizeInBits = 10,
131 kSecKeyEffectiveKeySize = 11,
132 kSecKeyStartDate = 12,
133 kSecKeyEndDate = 13,
134 kSecKeySensitive = 14,
135 kSecKeyAlwaysSensitive = 15,
136 kSecKeyExtractable = 16,
137 kSecKeyNeverExtractable = 17,
138 kSecKeyEncrypt = 18,
139 kSecKeyDecrypt = 19,
140 kSecKeyDerive = 20,
141 kSecKeySign = 21,
142 kSecKeyVerify = 22,
143 kSecKeySignRecover = 23,
144 kSecKeyVerifyRecover = 24,
145 kSecKeyWrap = 25,
146 kSecKeyUnwrap = 26
147};
148
149/*!
150 @typedef SecCredentialType
151 @abstract Determines the type of credential returned by SecKeyGetCredentials.
152*/
153typedef uint32 SecCredentialType;
154
155/*!
156 @enum SecCredentialType
157 @abstract Determines the type of credential returned by SecKeyGetCredentials.
158 @constant kSecCredentialTypeWithUI Operations with this key are allowed to present UI if required.
159 @constant kSecCredentialTypeNoUI Operations with this key are not allowed to present UI, and will fail if UI is required.
160 @constant kSecCredentialTypeDefault The default setting for determining whether to present UI is used. This setting can be changed with a call to SecKeychainSetUserInteractionAllowed.
161*/
162enum
163{
164 kSecCredentialTypeDefault = 0,
165 kSecCredentialTypeWithUI,
166 kSecCredentialTypeNoUI
167};
168
169/*!
170 @typedef SecPadding
171 @abstract Supported padding types.
172*/
173typedef uint32_t SecPadding;
174enum
175{
176 kSecPaddingNone = 0,
177 kSecPaddingPKCS1 = 1,
178
179 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is an MD2
180 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
181 of the underlying RSA operation. */
182 kSecPaddingPKCS1MD2 = 0x8000,
183
184 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is an MD5
185 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
186 of the underlying RSA operation. */
187 kSecPaddingPKCS1MD5 = 0x8001,
188
189 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA1
190 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
191 of the underlying RSA operation. */
192 kSecPaddingPKCS1SHA1 = 0x8002,
193};
194
195/*!
196 @typedef SecKeySizes
197 @abstract Supported key lengths.
198*/
199typedef uint32_t SecKeySizes;
427c49bc 200enum
b1ab9ed8
A		 201{
202 kSecDefaultKeySize = 0,
427c49bc 203
b1ab9ed8
A		 204 // Symmetric Keysizes - default is currently kSecAES128 for AES.
205 kSec3DES192 = 192,
206 kSecAES128 = 128,
207 kSecAES192 = 192,
208 kSecAES256 = 256,
427c49bc 209
b1ab9ed8
A		 210 // Supported ECC Keys for Suite-B from RFC 4492 section 5.1.1.
211 // default is currently kSecp256r1
212 kSecp192r1 = 192,
213 kSecp256r1 = 256,
214 kSecp384r1 = 384,
215 kSecp521r1 = 521, // Yes, 521
427c49bc 216
b1ab9ed8
A		 217 // Boundaries for RSA KeySizes - default is currently 2048
218 // RSA keysizes must be multiples of 8
219 kSecRSAMin = 1024,
220 kSecRSAMax = 4096
221};
222
223
224/*!
225 @function SecKeyGetTypeID
226 @abstract Returns the type identifier of SecKey instances.
227 @result The CFTypeID of SecKey instances.
228*/
229CFTypeID SecKeyGetTypeID(void)
230 __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0);
231
232/*!
233 @function SecKeyCreatePair
234 @abstract Creates an asymmetric key pair and stores it in a specified keychain.
235 @param keychainRef A reference to the keychain in which to store the private and public key items. Specify NULL for the default keychain.
236 @param algorithm An algorithm for the key pair. This parameter is ignored if a valid (non-zero) contextHandle is supplied.
237 @param keySizeInBits A key size for the key pair. This parameter is ignored if a valid (non-zero) contextHandle is supplied.
238 @param contextHandle (optional) A CSSM_CC_HANDLE, or 0. If this argument is supplied, the algorithm and keySizeInBits parameters are ignored. If extra parameters are needed to generate a key (some algorithms require this), you should create a context using CSSM_CSP_CreateKeyGenContext, using the CSPHandle obtained by calling SecKeychainGetCSPHandle. Then use CSSM_UpdateContextAttributes to add parameters, and dispose of the context using CSSM_DeleteContext after calling this function.
239 @param publicKeyUsage A bit mask indicating all permitted uses for the new public key. CSSM_KEYUSE bit mask values are defined in cssmtype.h.
240 @param publicKeyAttr A bit mask defining attribute values for the new public key. The bit mask values are equivalent to a CSSM_KEYATTR_FLAGS and are defined in cssmtype.h.
241 @param privateKeyUsage A bit mask indicating all permitted uses for the new private key. CSSM_KEYUSE bit mask values are defined in cssmtype.h.
242 @param privateKeyAttr A bit mask defining attribute values for the new private key. The bit mask values are equivalent to a CSSM_KEYATTR_FLAGS and are defined in cssmtype.h.
243 @param initialAccess (optional) A SecAccess object that determines the initial access rights to the private key. The public key is given "any/any" access rights by default.
244 @param publicKey (optional) On return, the keychain item reference of the generated public key. Use the SecKeyGetCSSMKey function to obtain the CSSM_KEY. The caller must call CFRelease on this value if it is returned. Pass NULL if a reference to this key is not required.
245 @param privateKey (optional) On return, the keychain item reference of the generated private key. Use the SecKeyGetCSSMKey function to obtain the CSSM_KEY. The caller must call CFRelease on this value if it is returned. Pass NULL if a reference to this key is not required.
246 @result A result code. See "Security Error Codes" (SecBase.h).
247 @discussion This API is deprecated for 10.7 Plese use the SecKeyGeneratePair API
248*/
249OSStatus SecKeyCreatePair(
250 SecKeychainRef keychainRef,
251 CSSM_ALGORITHMS algorithm,
252 uint32 keySizeInBits,
253 CSSM_CC_HANDLE contextHandle,
254 CSSM_KEYUSE publicKeyUsage,
255 uint32 publicKeyAttr,
256 CSSM_KEYUSE privateKeyUsage,
257 uint32 privateKeyAttr,
258 SecAccessRef initialAccess,
427c49bc 259 SecKeyRef* publicKey,
b1ab9ed8
A		 260 SecKeyRef* privateKey)
261 DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
262
263/*!
264 @function SecKeyGenerate
265 @abstract Creates a symmetric key and optionally stores it in a specified keychain.
266 @param keychainRef (optional) A reference to the keychain in which to store the generated key. Specify NULL to generate a transient key.
267 @param algorithm An algorithm for the symmetric key. This parameter is ignored if a valid (non-zero) contextHandle is supplied.
268 @param keySizeInBits A key size for the key pair. This parameter is ignored if a valid (non-zero) contextHandle is supplied.
269 @param contextHandle (optional) A CSSM_CC_HANDLE, or 0. If this argument is supplied, the algorithm and keySizeInBits parameters are ignored. If extra parameters are needed to generate a key (some algorithms require this), you should create a context using CSSM_CSP_CreateKeyGenContext, using the CSPHandle obtained by calling SecKeychainGetCSPHandle. Then use CSSM_UpdateContextAttributes to add parameters, and dispose of the context using CSSM_DeleteContext after calling this function.
270 @param keyUsage A bit mask indicating all permitted uses for the new key. CSSM_KEYUSE bit mask values are defined in cssmtype.h.
271 @param keyAttr A bit mask defining attribute values for the new key. The bit mask values are equivalent to a CSSM_KEYATTR_FLAGS and are defined in cssmtype.h.
272 @param initialAccess (optional) A SecAccess object that determines the initial access rights for the key. This parameter is ignored if the keychainRef is NULL.
273 @param keyRef On return, a reference to the generated key. Use the SecKeyGetCSSMKey function to obtain the CSSM_KEY. The caller must call CFRelease on this value if it is returned.
274 @result A result code. See "Security Error Codes" (SecBase.h).
275 @discussion This API is deprecated for 10.7. Plese use the SecKeyGenerateSymmetric API
276*/
277OSStatus SecKeyGenerate(
278 SecKeychainRef keychainRef,
279 CSSM_ALGORITHMS algorithm,
280 uint32 keySizeInBits,
281 CSSM_CC_HANDLE contextHandle,
282 CSSM_KEYUSE keyUsage,
283 uint32 keyAttr,
284 SecAccessRef initialAccess,
285 SecKeyRef* keyRef)
286 DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
287
288/*!
289 @function SecKeyGetCSSMKey
290 @abstract Returns a pointer to the CSSM_KEY for the given key item reference.
427c49bc 291 @param key A keychain key item reference. The key item must be of class type kSecPublicKeyItemClass, kSecPrivateKeyItemClass, or kSecSymmetricKeyItemClass.
b1ab9ed8
A		 292 @param cssmKey On return, a pointer to a CSSM_KEY structure for the given key. This pointer remains valid until the key reference is released. The caller should not attempt to modify or free this data.
293 @result A result code. See "Security Error Codes" (SecBase.h).
294 @discussion The CSSM_KEY is valid until the key item reference is released. This API is deprecated in 10.7. Its use should no longer be needed.
295*/
296OSStatus SecKeyGetCSSMKey(SecKeyRef key, const CSSM_KEY **cssmKey)
297 DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;;
298
299/*!
300 @function SecKeyGetCSPHandle
301 @abstract Returns the CSSM_CSP_HANDLE for the given key reference. The handle is valid until the key reference is released.
302 @param keyRef A key reference.
303 @param cspHandle On return, the CSSM_CSP_HANDLE for the given keychain.
304 @result A result code. See "Security Error Codes" (SecBase.h).
305 @discussion This API is deprecated in 10.7. Its use should no longer be needed.
306*/
307OSStatus SecKeyGetCSPHandle(SecKeyRef keyRef, CSSM_CSP_HANDLE *cspHandle)
308 DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
309
310/*!
311 @function SecKeyGetCredentials
312 @abstract For a given key, return a pointer to a CSSM_ACCESS_CREDENTIALS structure which will allow the key to be used.
313 @param keyRef The key for which a credential is requested.
314 @param operation The type of operation to be performed with this key. See "Authorization tag type" for defined operations (cssmtype.h).
315 @param credentialType The type of credential requested.
316 @param outCredentials On return, a pointer to a CSSM_ACCESS_CREDENTIALS structure. This pointer remains valid until the key reference is released. The caller should not attempt to modify or free this data.
317 @result A result code. See "Security Error Codes" (SecBase.h).
318*/
319OSStatus SecKeyGetCredentials(
320 SecKeyRef keyRef,
321 CSSM_ACL_AUTHORIZATION_TAG operation,
322 SecCredentialType credentialType,
323 const CSSM_ACCESS_CREDENTIALS **outCredentials)
324 DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
325
326/*!
327 @function SecKeyGetBlockSize
427c49bc 328 @abstract Decrypt a block of ciphertext.
b1ab9ed8
A		 329 @param key The key for which the block length is requested.
330 @result The block length of the key in bytes.
427c49bc 331 @discussion If for example key is an RSA key the value returned by
b1ab9ed8
A		 332 this function is the size of the modulus.
333 */
334size_t SecKeyGetBlockSize(SecKeyRef key)
335 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
336
337/*!
338 @function SecKeyGenerateSymmetric
339 @abstract Generates a random symmetric key with the specified length
427c49bc
A		 340 and algorithm type.
341
b1ab9ed8
A		 342 @param parameters A dictionary containing one or more key-value pairs.
343 See the discussion sections below for a complete overview of options.
344 @param error An optional pointer to a CFErrorRef. This value is set
345 if an error occurred. If not NULL, the caller is responsible for
346 releasing the CFErrorRef.
347 @result On return, a SecKeyRef reference to the symmetric key, or
348 NULL if the key could not be created.
427c49bc 349
b1ab9ed8
A		 350 @discussion In order to generate a symmetric key, the parameters dictionary
351 must at least contain the following keys:
427c49bc 352
b1ab9ed8
A		 353 * kSecAttrKeyType with a value of kSecAttrKeyTypeAES or any other
354 kSecAttrKeyType defined in SecItem.h
355 * kSecAttrKeySizeInBits with a value being a CFNumberRef containing
356 the requested key size in bits. Example sizes for AES keys are:
357 128, 192, 256, 512.
427c49bc 358
b1ab9ed8
A		 359 To store the generated symmetric key in a keychain, set these keys:
360 * kSecUseKeychain (value is a SecKeychainRef)
361 * kSecAttrLabel (a user-visible label whose value is a CFStringRef,
362 e.g. "My App's Encryption Key")
363 * kSecAttrApplicationLabel (a label defined by your application, whose
364 value is a CFStringRef and which can be used to find this key in a
365 subsequent call to SecItemCopyMatching, e.g. "ID-1234567890-9876-0151")
427c49bc 366
b1ab9ed8
A		 367 To specify the generated key's access control settings, set this key:
368 * kSecAttrAccess (value is a SecAccessRef)
427c49bc 369
b1ab9ed8
A		 370 The keys below may be optionally set in the parameters dictionary
371 (with a CFBooleanRef value) to override the default usage values:
427c49bc 372
b1ab9ed8
A		 373 * kSecAttrCanEncrypt (defaults to true if not explicitly specified)
374 * kSecAttrCanDecrypt (defaults to true if not explicitly specified)
375 * kSecAttrCanWrap (defaults to true if not explicitly specified)
376 * kSecAttrCanUnwrap (defaults to true if not explicitly specified)
427c49bc 377
b1ab9ed8
A		 378*/
379SecKeyRef SecKeyGenerateSymmetric(CFDictionaryRef parameters, CFErrorRef *error)
427c49bc
A		 380 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
381
b1ab9ed8
A		 382
383/*!
384 @function SecKeyCreateFromData
427c49bc
A		 385 @abstract Creates a symmetric key with the given data and sets the
386 algorithm type specified.
387
b1ab9ed8
A		 388 @param parameters A dictionary containing one or more key-value pairs.
389 See the discussion sections below for a complete overview of options.
390 @result On return, a SecKeyRef reference to the symmetric key.
427c49bc 391
b1ab9ed8
A		 392 @discussion In order to generate a symmetric key the parameters dictionary must
393 at least contain the following keys:
427c49bc 394
b1ab9ed8
A		 395 * kSecAttrKeyType with a value of kSecAttrKeyTypeAES or any other
396 kSecAttrKeyType defined in SecItem.h
427c49bc 397
b1ab9ed8
A		 398 The keys below may be optionally set in the parameters dictionary
399 (with a CFBooleanRef value) to override the default usage values:
427c49bc 400
b1ab9ed8
A		 401 * kSecAttrCanEncrypt (defaults to true if not explicitly specified)
402 * kSecAttrCanDecrypt (defaults to true if not explicitly specified)
403 * kSecAttrCanWrap (defaults to true if not explicitly specified)
404 * kSecAttrCanUnwrap (defaults to true if not explicitly specified)
427c49bc 405
b1ab9ed8
A		 406*/
407SecKeyRef SecKeyCreateFromData(CFDictionaryRef parameters,
408 CFDataRef keyData, CFErrorRef *error)
427c49bc 409 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
b1ab9ed8
A		 410
411
412/*!
413 @function SecKeyGeneratePair
414 @abstract Generate a private/public keypair.
415 @param parameters A dictionary containing one or more key-value pairs.
416 @result A result code. See "Security Error Codes" (SecBase.h). On success,
417 the result code will be errSecSuccess, and the output parameters will
418 contain the public SecKeyRef and private SecKeyRef. It is the caller's
419 responsibility to CFRelease these key references when finished with them.
427c49bc 420
b1ab9ed8
A		 421 @discussion In order to generate a keypair the parameters dictionary must
422 at least contain the following keys:
427c49bc 423
b1ab9ed8
A		 424 * kSecAttrKeyType with a value of kSecAttrKeyTypeRSA or any other
425 kSecAttrKeyType defined in SecItem.h
426 * kSecAttrKeySizeInBits with a value being a CFNumberRef containing
427 the requested key size in bits. Example sizes for RSA keys are:
428 512, 768, 1024, 2048.
427c49bc 429
b1ab9ed8
A		 430 Setting the following attributes explicitly will override the defaults below.
431 See SecItem.h for detailed information on these attributes including the types
432 of the values.
427c49bc 433
b1ab9ed8
A		 434 * kSecAttrLabel default NULL
435 * kSecUseKeychain default NULL, which specifies the default keychain
436 * kSecAttrApplicationTag default NULL
437 * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits
438 * kSecAttrCanEncrypt default false for private keys, true for public keys
439 * kSecAttrCanDecrypt default true for private keys, false for public keys
440 * kSecAttrCanDerive default true
441 * kSecAttrCanSign default true for private keys, false for public keys
442 * kSecAttrCanVerify default false for private keys, true for public keys
443 * kSecAttrCanWrap default false for private keys, true for public keys
444 * kSecAttrCanUnwrap default true for private keys, false for public keys
427c49bc 445
b1ab9ed8
A		 446*/
447OSStatus SecKeyGeneratePair(CFDictionaryRef parameters,
448 SecKeyRef *publicKey, SecKeyRef *privateKey)
449 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
450
451/*!
452 @typedef SecKeyGeneratePairBlock
453 @abstract Delivers the result from an asynchronous key pair generation.
454 @param publicKey - the public key generated. You must retain publicKey if you wish to use it after your block returns.
455 @param privateKey - the private key generated. You must retain publicKey if you wish to use it after your block returns.
456 @param error - Any errors returned. You must retain error if you wish to use it after your block returns.
457 */
458
459#ifdef __BLOCKS__
460typedef void (^SecKeyGeneratePairBlock)(SecKeyRef publicKey, SecKeyRef privateKey, CFErrorRef error);
461
462
463/*!
464 @function SecKeyGeneratePairAsync
465 @abstract Generate a private/public keypair returning the values in a callback.
466 @param parameters A dictionary containing one or more key-value pairs.
467 @param deliveryQueue A dispatch queue to be used to deliver the results.
468 @param result A callback function to result when the operation has completed.
469 @result On success the function returns NULL.
427c49bc 470
b1ab9ed8
A		 471 @discussion In order to generate a keypair the parameters dictionary must
472 at least contain the following keys:
427c49bc 473
b1ab9ed8
A		 474 * kSecAttrKeyType with a value being kSecAttrKeyTypeRSA or any other
475 kSecAttrKeyType defined in SecItem.h
476 * kSecAttrKeySizeInBits with a value being a CFNumberRef or CFStringRef
477 containing the requested key size in bits. Example sizes for RSA
478 keys are: 512, 768, 1024, 2048.
427c49bc 479
b1ab9ed8
A		 480 The values below may be set either in the top-level dictionary or in a
481 dictionary that is the value of the kSecPrivateKeyAttrs or
482 kSecPublicKeyAttrs key in the top-level dictionary. Setting these
483 attributes explicitly will override the defaults below. See SecItem.h
484 for detailed information on these attributes including the types of
485 the values.
427c49bc 486
b1ab9ed8
A		 487 * kSecAttrLabel default NULL
488 * kSecAttrIsPermanent if this key is present and has a Boolean
489 value of true, the key or key pair will be added to the default
490 keychain.
491 * kSecAttrApplicationTag default NULL
492 * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits
493 * kSecAttrCanEncrypt default false for private keys, true for public keys
494 * kSecAttrCanDecrypt default true for private keys, false for public keys
495 * kSecAttrCanDerive default true
496 * kSecAttrCanSign default true for private keys, false for public keys
497 * kSecAttrCanVerify default false for private keys, true for public keys
498 * kSecAttrCanWrap default false for private keys, true for public keys
499 * kSecAttrCanUnwrap default true for private keys, false for public keys
427c49bc 500
b1ab9ed8
A		 501*/
502void SecKeyGeneratePairAsync(CFDictionaryRef parameters,
503 dispatch_queue_t deliveryQueue, SecKeyGeneratePairBlock result)
427c49bc 504 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
b1ab9ed8
A		 505
506#endif /* __BLOCKS__ */
507
508// Derive, Wrap, and Unwrap
509
510/*!
511 @function SecKeyDeriveFromPassword
512 @abstract Derives a symmetric key from a password.
427c49bc 513
b1ab9ed8
A		 514 @param password The password from which the keyis to be derived.
515 @param parameters A dictionary containing one or more key-value pairs.
516 @param error If the call fails this will contain the error code.
427c49bc 517
b1ab9ed8
A		 518 @discussion In order to derive a key the parameters dictionary must contain at least contain the following keys:
519 * kSecAttrSalt - a CFData for the salt value for mixing in the pseudo-random rounds.
520 * kSecAttrPRF - the algorithm to use for the pseudo-random-function.
521 If 0, this defaults to kSecAttrPRFHmacAlgSHA1. Possible values are:
427c49bc 522
b1ab9ed8
A		 523 * kSecAttrPRFHmacAlgSHA1
524 * kSecAttrPRFHmacAlgSHA224
525 * kSecAttrPRFHmacAlgSHA256
526 * kSecAttrPRFHmacAlgSHA384
527 * kSecAttrPRFHmacAlgSHA512
427c49bc 528
b1ab9ed8
A		 529 * kSecAttrRounds - the number of rounds to call the pseudo random function.
530 If 0, a count will be computed to average 1/10 of a second.
531 * kSecAttrKeySizeInBits with a value being a CFNumberRef
532 containing the requested key size in bits. Example sizes for RSA keys are:
533 512, 768, 1024, 2048.
427c49bc 534
b1ab9ed8
A		 535 @result On success a SecKeyRef is returned. On failure this result is NULL and the
536 error parameter contains the reason.
427c49bc 537
b1ab9ed8
A		 538*/
539SecKeyRef SecKeyDeriveFromPassword(CFStringRef password,
540 CFDictionaryRef parameters, CFErrorRef *error)
427c49bc 541 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
b1ab9ed8
A		 542
543/*!
544 @function SecKeyWrapSymmetric
545 @abstract Wraps a symmetric key with a symmetric key.
427c49bc 546
b1ab9ed8
A		 547 @param keyToWrap The key which is to be wrapped.
548 @param wrappingKey The key wrapping key.
549 #param parameters The parameter list to use for wrapping the key.
550 @param error If the call fails this will contain the error code.
427c49bc 551
b1ab9ed8
A		 552 @result On success a CFDataRef is returned. On failure this result is NULL and the
553 error parameter contains the reason.
427c49bc 554
b1ab9ed8
A		 555 @discussion In order to wrap a key the parameters dictionary may contain the following key:
556 * kSecSalt - a CFData for the salt value for the encrypt.
427c49bc 557
b1ab9ed8
A		 558*/
559CFDataRef SecKeyWrapSymmetric(SecKeyRef keyToWrap,
560 SecKeyRef wrappingKey, CFDictionaryRef parameters, CFErrorRef *error)
561 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
562
563/*!
564 @function SecKeyUnwrapSymmetric
565 @abstract Unwrap a wrapped symmetric key.
427c49bc 566
b1ab9ed8
A		 567 @param keyToUnwrap The wrapped key to unwrap.
568 @param unwrappingKey The key unwrapping key.
569 #param parameters The parameter list to use for unwrapping the key.
570 @param error If the call fails this will contain the error code.
427c49bc 571
b1ab9ed8
A		 572 @result On success a SecKeyRef is returned. On failure this result is NULL and the
573 error parameter contains the reason.
427c49bc 574
b1ab9ed8
A		 575 @discussion In order to unwrap a key the parameters dictionary may contain the following key:
576 * kSecSalt - a CFData for the salt value for the decrypt.
427c49bc 577
b1ab9ed8
A		 578*/
579SecKeyRef SecKeyUnwrapSymmetric(CFDataRef *keyToUnwrap,
580 SecKeyRef unwrappingKey, CFDictionaryRef parameters, CFErrorRef *error)
581 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
582
583
584#if defined(__cplusplus)
585}
586#endif
587
588#endif /* !_SECURITY_SECKEY_H_ */
mirror of Security