OSX/sec/Security/SecAccessControl.h

   1 /*
   2  * Copyright (c) 2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 /*!
  25  @header SecAccessControl
  26  SecAccessControl defines access rights for items.
  27  */
  28
  29 #ifndef _SECURITY_SECACCESSCONTROL_H_
  30 #define _SECURITY_SECACCESSCONTROL_H_
  31
  32 #include <Security/SecBase.h>
  33 #include <CoreFoundation/CFError.h>
  34 #include <sys/cdefs.h>
  35
  36 __BEGIN_DECLS
  37
  38 CF_ASSUME_NONNULL_BEGIN
  39 CF_IMPLICIT_BRIDGING_ENABLED
  40
  41 /*!
  42  @function SecAccessControlGetTypeID
  43  @abstract Returns the type identifier of SecAccessControl instances.
  44  @result The CFTypeID of SecAccessControl instances.
  45  */
  46 CFTypeID SecAccessControlGetTypeID(void)
  47 __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
  48
  49 #if RC_HIDE_J79 || RC_HIDE_J80
  50
  51 typedef CF_OPTIONS(CFOptionFlags, SecAccessControlCreateFlags) {
  52     kSecAccessControlUserPresence           = 1 << 0,                                 // User presence policy using Touch ID or Passcode. Touch ID does not have to be available or enrolled. Item is still accessible by Touch ID even if fingers are added or removed.
  53     kSecAccessControlTouchIDAny             CF_ENUM_AVAILABLE(NA, 9_0)    = 1u << 1,   // Constraint: Touch ID (any finger). Touch ID must be available and at least one finger must be enrolled. Item is still accessible by Touch ID even if fingers are added or removed.
  54     kSecAccessControlTouchIDCurrentSet      CF_ENUM_AVAILABLE(NA, 9_0)    = 1u << 3,   // Constraint: Touch ID from the set of currently enrolled fingers. Touch ID must be available and at least one finger must be enrolled. When fingers are added or removed, the item is invalidated.
  55     kSecAccessControlDevicePasscode         CF_ENUM_AVAILABLE(10_11, 9_0) = 1u << 4,   // Constraint: Device passcode
  56     kSecAccessControlOr                     CF_ENUM_AVAILABLE(NA, 9_0)    = 1u << 14,  // Constraint logic operation: when using more than one constraint, at least one of them must be satisfied.
  57     kSecAccessControlAnd                    CF_ENUM_AVAILABLE(NA, 9_0)    = 1u << 15,  // Constraint logic operation: when using more than one constraint, all must be satisfied.
  58     kSecAccessControlPrivateKeyUsage        CF_ENUM_AVAILABLE(NA, 9_0)    = 1u << 30,  // Create access control for private key operations (i.e. sign operation)
  59     kSecAccessControlApplicationPassword    CF_ENUM_AVAILABLE(NA, 9_0)    = 1u << 31,  // Security: Application provided password for data encryption key generation. This is not a constraint but additional item encryption mechanism.
  60 } __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
  61
  62 #else
  63
  64 typedef CF_OPTIONS(CFOptionFlags, SecAccessControlCreateFlags) {
  65     kSecAccessControlUserPresence           = 1 << 0,                                 // User presence policy using Touch ID or Passcode. Touch ID does not have to be available or enrolled. Item is still accessible by Touch ID even if fingers are added or removed.
  66     kSecAccessControlTouchIDAny             CF_ENUM_AVAILABLE(10_12, 9_0) = 1u << 1,   // Constraint: Touch ID (any finger). Touch ID must be available and at least one finger must be enrolled. Item is still accessible by Touch ID even if fingers are added or removed.
  67     kSecAccessControlTouchIDCurrentSet      CF_ENUM_AVAILABLE(10_12, 9_0) = 1u << 3,   // Constraint: Touch ID from the set of currently enrolled fingers. Touch ID must be available and at least one finger must be enrolled. When fingers are added or removed, the item is invalidated.
  68     kSecAccessControlDevicePasscode         CF_ENUM_AVAILABLE(10_11, 9_0) = 1u << 4,   // Constraint: Device passcode
  69     kSecAccessControlOr                     CF_ENUM_AVAILABLE(10_12, 9_0) = 1u << 14,  // Constraint logic operation: when using more than one constraint, at least one of them must be satisfied.
  70     kSecAccessControlAnd                    CF_ENUM_AVAILABLE(10_12, 9_0) = 1u << 15,  // Constraint logic operation: when using more than one constraint, all must be satisfied.
  71     kSecAccessControlPrivateKeyUsage        CF_ENUM_AVAILABLE(10_12, 9_0) = 1u << 30,  // Create access control for private key operations (i.e. sign operation)
  72     kSecAccessControlApplicationPassword    CF_ENUM_AVAILABLE(10_12, 9_0) = 1u << 31,  // Security: Application provided password for data encryption key generation. This is not a constraint but additional item encryption mechanism.
  73 } __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
  74
  75 #endif
  76
  77 /*!
  78  @function SecAccessControlCreateWithFlags
  79  @abstract Creates new access control object based on protection type and additional flags.
  80  @discussion Created access control object should be used as a value for kSecAttrAccessControl attribute in SecItemAdd,
  81  SecItemUpdate or SecKeyGeneratePair functions.  Accessing keychain items or performing operations on keys which are
  82  protected by access control objects can block the execution because of UI which can appear to satisfy the access control
  83  conditions, therefore it is recommended to either move those potentially blocking operations out of the main
  84  application thread or use combination of kSecUseAuthenticationContext and kSecUseAuthenticationUI attributes to control
  85  where the UI interaction can appear.
  86  @param allocator Allocator to be used by this instance.
  87  @param protection Protection class to be used for the item. One of kSecAttrAccessible constants.
  88  @param flags If no flags are set then all operations are allowed.
  89  @param error Additional error information filled in case of failure.
  90  @result Newly created access control object.
  91  */
  92 __nullable
  93 SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef __nullable allocator, CFTypeRef protection,
  94                                                     SecAccessControlCreateFlags flags, CFErrorRef *error)
  95 __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
  96
  97 CF_IMPLICIT_BRIDGING_DISABLED
  98 CF_ASSUME_NONNULL_END
  99
 100 __END_DECLS
 101
 102 #endif // _SECURITY_SECACCESSCONTROL_H_