2 * Copyright (c) 2006-2009,2011-2013 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 The functions provided in SecKey.h implement and manage a particular
27 type of keychain item that represents a key. A key can be stored in a
28 keychain, but a key can also be a transient object.
31 #ifndef _SECURITY_SECKEY_H_
32 #define _SECURITY_SECKEY_H_
34 #include <Security/SecBase.h>
35 #include <CoreFoundation/CFDictionary.h>
36 #include <CoreFoundation/CFData.h>
37 #include <CoreFoundation/CFSet.h>
38 #include <CoreFoundation/CFError.h>
39 #include <sys/types.h>
43 CF_ASSUME_NONNULL_BEGIN
44 CF_IMPLICIT_BRIDGING_ENABLED
46 /* Padding Types (iPhone OS 2.0 and later only). */
47 typedef CF_OPTIONS(uint32_t, SecPadding
)
50 kSecPaddingPKCS1
= 1, // For EC, defaults to a signature in x9.62 DER encoding.
53 /* For SecKeyRawSign/SecKeyRawVerify only,
54 ECDSA signature is raw byte format {r,s}, big endian.
55 First half is r, second half is s */
56 kSecPaddingSigRaw
= 0x4000,
58 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is an MD2
59 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
60 of the underlying RSA operation. */
61 kSecPaddingPKCS1MD2
= 0x8000, /* Unsupported as of iOS 5.0 */
63 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is an MD5
64 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
65 of the underlying RSA operation. */
66 kSecPaddingPKCS1MD5
= 0x8001, /* Unsupported as of iOS 5.0 */
68 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA1
69 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
70 of the underlying RSA operation. */
71 kSecPaddingPKCS1SHA1
= 0x8002,
73 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA224
74 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
75 of the underlying RSA operation. */
76 kSecPaddingPKCS1SHA224
= 0x8003,
78 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA256
79 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
80 of the underlying RSA operation. */
81 kSecPaddingPKCS1SHA256
= 0x8004,
83 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA384
84 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
85 of the underlying RSA operation. */
86 kSecPaddingPKCS1SHA384
= 0x8005,
88 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA512
89 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
90 of the underlying RSA operation. */
91 kSecPaddingPKCS1SHA512
= 0x8006,
96 @function SecKeyGetTypeID
97 @abstract Returns the type identifier of SecKey instances.
98 @result The CFTypeID of SecKey instances.
100 CFTypeID
SecKeyGetTypeID(void)
101 __OSX_AVAILABLE_STARTING(__MAC_10_3
, __IPHONE_2_0
);
104 @enum Dictionary key constants for SecKeyGeneratePair API.
105 @discussion Predefined key constants used to get or set values
107 @constant kSecPrivateKeyAttrs The value for this key is a CFDictionaryRef
108 containing attributes specific for the private key to be generated.
109 @constant kSecPublicKeyAttrs The value for this key is a CFDictionaryRef
110 containing attributes specific for the public key to be generated.
112 extern const CFStringRef kSecPrivateKeyAttrs
113 __OSX_AVAILABLE_STARTING(__MAC_10_8
, __IPHONE_2_0
);
114 extern const CFStringRef kSecPublicKeyAttrs
115 __OSX_AVAILABLE_STARTING(__MAC_10_8
, __IPHONE_2_0
);
118 @function SecKeyGeneratePair
119 @abstract Generate a private/public keypair.
120 @param parameters A dictionary containing one or more key-value pairs.
121 See the discussion sections below for a complete overview of options.
122 @param publicKey On return, a SecKeyRef reference to the public key.
123 @param privateKey On return, a SecKeyRef reference to the private key.
124 @result A result code. See "Security Error Codes" (SecBase.h).
125 @discussion In order to generate a keypair the parameters dictionary must
126 at least contain the following keys:
128 * kSecAttrKeyType with a value being kSecAttrKeyTypeRSA or any other
129 kSecAttrKeyType defined in SecItem.h
130 * kSecAttrKeySizeInBits with a value being a CFNumberRef or CFStringRef
131 containing the requested key size in bits. Example sizes for RSA
132 keys are: 512, 768, 1024, 2048.
134 The values below may be set either in the top-level dictionary or in a
135 dictionary that is the value of the kSecPrivateKeyAttrs or
136 kSecPublicKeyAttrs key in the top-level dictionary. Setting these
137 attributes explicitly will override the defaults below. See SecItem.h
138 for detailed information on these attributes including the types of
141 * kSecAttrLabel default NULL
142 * kSecAttrIsPermanent if this key is present and has a Boolean
143 value of true, the key or key pair will be added to the default
145 * kSecAttrTokenID if this key should be generated on specified token. This
146 attribute can contain CFStringRef and can be present only in the top-level
147 parameters dictionary.
148 * kSecAttrApplicationTag default NULL
149 * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits
150 * kSecAttrCanEncrypt default false for private keys, true for public keys
151 * kSecAttrCanDecrypt default true for private keys, false for public keys
152 * kSecAttrCanDerive default true
153 * kSecAttrCanSign default true for private keys, false for public keys
154 * kSecAttrCanVerify default false for private keys, true for public keys
155 * kSecAttrCanWrap default false for private keys, true for public keys
156 * kSecAttrCanUnwrap default true for private keys, false for public keys
159 OSStatus
SecKeyGeneratePair(CFDictionaryRef parameters
, SecKeyRef
* _Nullable CF_RETURNS_RETAINED publicKey
,
160 SecKeyRef
* _Nullable CF_RETURNS_RETAINED privateKey
) __OSX_AVAILABLE_STARTING(__MAC_10_7
, __IPHONE_2_0
);
164 @function SecKeyRawSign
165 @abstract Given a private key and data to sign, generate a digital
167 @param key Private key with which to sign.
168 @param padding See Padding Types above, typically kSecPaddingPKCS1SHA1.
169 @param dataToSign The data to be signed, typically the digest of the
171 @param dataToSignLen Length of dataToSign in bytes.
172 @param sig Pointer to buffer in which the signature will be returned.
173 @param sigLen IN/OUT maximum length of sig buffer on input, actualy
174 length of sig on output.
175 @result A result code. See "Security Error Codes" (SecBase.h).
176 @discussion If the padding argument is kSecPaddingPKCS1, PKCS1 padding
177 will be performed prior to signing. If this argument is kSecPaddingNone,
178 the incoming data will be signed "as is".
180 When PKCS1 padding is performed, the maximum length of data that can
181 be signed is the value returned by SecKeyGetBlockSize() - 11.
183 NOTE: The behavior this function with kSecPaddingNone is undefined if the
184 first byte of dataToSign is zero; there is no way to verify leading zeroes
185 as they are discarded during the calculation.
187 If you want to generate a proper PKCS1 style signature with DER encoding
188 of the digest type - and the dataToSign is a SHA1 digest - use
189 kSecPaddingPKCS1SHA1.
191 OSStatus
SecKeyRawSign(
194 const uint8_t *dataToSign
,
195 size_t dataToSignLen
,
198 __OSX_AVAILABLE_STARTING(__MAC_10_7
, __IPHONE_2_0
);
202 @function SecKeyRawVerify
203 @abstract Given a public key, data which has been signed, and a signature,
204 verify the signature.
205 @param key Public key with which to verify the signature.
206 @param padding See Padding Types above, typically kSecPaddingPKCS1SHA1.
207 @param signedData The data over which sig is being verified, typically
208 the digest of the actual data.
209 @param signedDataLen Length of signedData in bytes.
210 @param sig Pointer to the signature to verify.
211 @param sigLen Length of sig in bytes.
212 @result A result code. See "Security Error Codes" (SecBase.h).
213 @discussion If the padding argument is kSecPaddingPKCS1, PKCS1 padding
214 will be checked during verification. If this argument is kSecPaddingNone,
215 the incoming data will be compared directly to sig.
217 If you are verifying a proper PKCS1-style signature, with DER encoding
218 of the digest type - and the signedData is a SHA1 digest - use
219 kSecPaddingPKCS1SHA1.
221 OSStatus
SecKeyRawVerify(
224 const uint8_t *signedData
,
225 size_t signedDataLen
,
228 __OSX_AVAILABLE_STARTING(__MAC_10_7
, __IPHONE_2_0
);
232 @function SecKeyEncrypt
233 @abstract Encrypt a block of plaintext.
234 @param key Public key with which to encrypt the data.
235 @param padding See Padding Types above, typically kSecPaddingPKCS1.
236 @param plainText The data to encrypt.
237 @param plainTextLen Length of plainText in bytes, this must be less
238 or equal to the value returned by SecKeyGetBlockSize().
239 @param cipherText Pointer to the output buffer.
240 @param cipherTextLen On input, specifies how much space is available at
241 cipherText; on return, it is the actual number of cipherText bytes written.
242 @result A result code. See "Security Error Codes" (SecBase.h).
243 @discussion If the padding argument is kSecPaddingPKCS1 or kSecPaddingOAEP,
244 PKCS1 (respectively kSecPaddingOAEP) padding will be performed prior to encryption.
245 If this argument is kSecPaddingNone, the incoming data will be encrypted "as is".
246 kSecPaddingOAEP is the recommended value. Other value are not recommended
247 for security reason (Padding attack or malleability).
249 When PKCS1 padding is performed, the maximum length of data that can
250 be encrypted is the value returned by SecKeyGetBlockSize() - 11.
252 When memory usage is a critical issue, note that the input buffer
253 (plainText) can be the same as the output buffer (cipherText).
255 OSStatus
SecKeyEncrypt(
258 const uint8_t *plainText
,
261 size_t *cipherTextLen
)
262 __OSX_AVAILABLE_STARTING(__MAC_10_7
, __IPHONE_2_0
);
266 @function SecKeyDecrypt
267 @abstract Decrypt a block of ciphertext.
268 @param key Private key with which to decrypt the data.
269 @param padding See Padding Types above, typically kSecPaddingPKCS1.
270 @param cipherText The data to decrypt.
271 @param cipherTextLen Length of cipherText in bytes, this must be less
272 or equal to the value returned by SecKeyGetBlockSize().
273 @param plainText Pointer to the output buffer.
274 @param plainTextLen On input, specifies how much space is available at
275 plainText; on return, it is the actual number of plainText bytes written.
276 @result A result code. See "Security Error Codes" (SecBase.h).
277 @discussion If the padding argument is kSecPaddingPKCS1 or kSecPaddingOAEP,
278 the corresponding padding will be removed after decryption.
279 If this argument is kSecPaddingNone, the decrypted data will be returned "as is".
281 When memory usage is a critical issue, note that the input buffer
282 (plainText) can be the same as the output buffer (cipherText).
284 OSStatus
SecKeyDecrypt(
285 SecKeyRef key
, /* Private key */
286 SecPadding padding
, /* kSecPaddingNone,
289 const uint8_t *cipherText
,
290 size_t cipherTextLen
, /* length of cipherText */
292 size_t *plainTextLen
) /* IN/OUT */
293 __OSX_AVAILABLE_STARTING(__MAC_10_7
, __IPHONE_2_0
);
296 @function SecKeyGetBlockSize
297 @abstract Returns size of the block for specified key, in bytes.
298 @param key The key for which the block length is requested.
299 @result The block length of the key in bytes.
300 @discussion If for example key is an RSA key the value returned by
301 this function is the size of the modulus.
303 size_t SecKeyGetBlockSize(SecKeyRef key
)
304 __OSX_AVAILABLE_STARTING(__MAC_10_7
, __IPHONE_2_0
);
307 @function SecKeyCreateRandomKey
308 @abstract Generates a new public/private key pair.
309 @param parameters A dictionary containing one or more key-value pairs.
310 See the discussion sections below for a complete overview of options.
311 @param error On error, will be populated with an error object describing the failure.
312 See "Security Error Codes" (SecBase.h).
313 @return Newly generated private key. To get associated public key, use SecKeyCopyPublicKey().
314 @discussion In order to generate a keypair the parameters dictionary must
315 at least contain the following keys:
317 * kSecAttrKeyType with a value being kSecAttrKeyTypeRSA or any other
318 kSecAttrKeyType defined in SecItem.h
319 * kSecAttrKeySizeInBits with a value being a CFNumberRef or CFStringRef
320 containing the requested key size in bits. Example sizes for RSA
321 keys are: 512, 768, 1024, 2048.
323 The values below may be set either in the top-level dictionary or in a
324 dictionary that is the value of the kSecPrivateKeyAttrs or
325 kSecPublicKeyAttrs key in the top-level dictionary. Setting these
326 attributes explicitly will override the defaults below. See SecItem.h
327 for detailed information on these attributes including the types of
330 * kSecAttrLabel default NULL
331 * kSecAttrIsPermanent if this key is present and has a Boolean value of true,
332 the key or key pair will be added to the default keychain.
333 * kSecAttrTokenID if this key should be generated on specified token. This
334 attribute can contain CFStringRef and can be present only in the top-level
335 parameters dictionary.
336 * kSecAttrApplicationTag default NULL
337 * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits
338 * kSecAttrCanEncrypt default false for private keys, true for public keys
339 * kSecAttrCanDecrypt default true for private keys, false for public keys
340 * kSecAttrCanDerive default true
341 * kSecAttrCanSign default true for private keys, false for public keys
342 * kSecAttrCanVerify default false for private keys, true for public keys
343 * kSecAttrCanWrap default false for private keys, true for public keys
344 * kSecAttrCanUnwrap default true for private keys, false for public keys
346 SecKeyRef _Nullable
SecKeyCreateRandomKey(CFDictionaryRef parameters
, CFErrorRef
*error
)
347 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
350 @function SecKeyCreateWithData
351 @abstract Create a SecKey from a well-defined external representation.
352 @param keyData CFData representing the key. The format of the data depends on the type of key being created.
353 @param attributes Dictionary containing attributes describing the key to be imported. The keys in this dictionary
354 are kSecAttr* constants from SecItem.h. Mandatory attributes are:
357 * kSecAttrKeySizeInBits
358 @param error On error, will be populated with an error object describing the failure.
359 See "Security Error Codes" (SecBase.h).
360 @result A SecKey object representing the key, or NULL on failure.
361 @discussion This function does not add keys to any keychain, but the SecKey object it returns can be added
362 to keychain using the SecItemAdd function.
363 The requested data format depend on the type of key (kSecAttrKeyType) being created:
364 * kSecAttrKeyTypeRSA PKCS#1 format
365 * kSecAttrKeyTypeECSECPrimeRandom SEC1 format (www.secg.org)
367 SecKeyRef _Nullable
SecKeyCreateWithData(CFDataRef keyData
, CFDictionaryRef attributes
, CFErrorRef
*error
)
368 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
371 @function SecKeyCopyExternalRepresentation
372 @abstract Create an external representation for the given key suitable for the key's type.
373 @param key The key to be exported.
374 @param error On error, will be populated with an error object describing the failure.
375 See "Security Error Codes" (SecBase.h).
376 @result A CFData representing the key in a format suitable for that key type.
377 @discussion This function may fail if the key is not exportable (e.g., bound to a smart card or Secure Enclave).
378 The format in which the key will be exported depends on the type of key:
379 * kSecAttrKeyTypeRSA PKCS#1 format
380 * kSecAttrKeyTypeECSECPrimeRandom SEC1 format (www.secg.org)
382 CFDataRef _Nullable
SecKeyCopyExternalRepresentation(SecKeyRef key
, CFErrorRef
*error
)
383 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
386 @function SecKeyCopyAttributes
387 @abstract Retrieve keychain attributes of a key.
388 @param key The key whose attributes are to be retrieved.
389 @result Dictionary containing attributes of the key. The keys that populate this dictionary are defined
390 and discussed in SecItem.h.
391 @discussion The attributes provided by this function are:
399 * kSecAttrKeySizeInBits
401 * kSecAttrApplicationLabel
402 Other values returned in that dictionary are RFU.
404 CFDictionaryRef _Nullable
SecKeyCopyAttributes(SecKeyRef key
)
405 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
408 @function SecKeyCopyPublicKey
409 @abstract Retrieve the public key from a key pair or private key.
410 @param key The key from which to retrieve a public key.
411 @result The public key or NULL if public key is not available for specified key.
412 @discussion Fails if key does not contain a public key or no public key can be computed from it.
414 SecKeyRef _Nullable
SecKeyCopyPublicKey(SecKeyRef key
)
415 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
418 @enum SecKeyAlgorithm
419 @abstract Available algorithms for performing cryptographic operations with SecKey object. String representation
420 of constant can be used for logging or debugging purposes, because they contain human readable names of the algorithm.
422 @constant kSecKeyAlgorithmRSASignatureRaw
423 Raw RSA sign/verify operation, size of input data must be the same as value returned by SecKeyGetBlockSize().
425 @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw
426 RSA sign/verify operation, assumes that input data is digest and OID and digest algorithm as specified in PKCS# v1.5.
427 This algorithm is typically not used directly, instead use algorithm with specified digest, like
428 kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256.
430 @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1
431 RSA signature with PKCS#1 padding, input data must be SHA-1 generated digest.
433 @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224
434 RSA signature with PKCS#1 padding, input data must be SHA-224 generated digest.
436 @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256
437 RSA signature with PKCS#1 padding, input data must be SHA-256 generated digest.
439 @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384
440 RSA signature with PKCS#1 padding, input data must be SHA-384 generated digest.
442 @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512
443 RSA signature with PKCS#1 padding, input data must be SHA-512 generated digest.
445 @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1
446 RSA signature with PKCS#1 padding, SHA-1 digest is generated from input data of any size.
448 @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224
449 RSA signature with PKCS#1 padding, SHA-224 digest is generated from input data of any size.
451 @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256
452 RSA signature with PKCS#1 padding, SHA-256 digest is generated from input data of any size.
454 @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384
455 RSA signature with PKCS#1 padding, SHA-384 digest is generated from input data of any size.
457 @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512
458 RSA signature with PKCS#1 padding, SHA-512 digest is generated from input data of any size.
460 @constant kSecKeyAlgorithmECDSASignatureRFC4754
461 ECDSA algorithm, signature is concatenated r and s, big endian, data is message digest.
463 @constant kSecKeyAlgorithmECDSASignatureDigestX962
464 ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest.
466 @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
467 ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA1 algorithm.
469 @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
470 ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA224 algorithm.
472 @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
473 ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA256 algorithm.
475 @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
476 ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA384 algorithm.
478 @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
479 ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA512 algorithm.
481 @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA1
482 ECDSA algorithm, signature is in DER x9.62 encoding, SHA-1 digest is generated from input data of any size.
484 @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA224
485 ECDSA algorithm, signature is in DER x9.62 encoding, SHA-224 digest is generated from input data of any size.
487 @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA256
488 ECDSA algorithm, signature is in DER x9.62 encoding, SHA-256 digest is generated from input data of any size.
490 @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA384
491 ECDSA algorithm, signature is in DER x9.62 encoding, SHA-384 digest is generated from input data of any size.
493 @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA512
494 ECDSA algorithm, signature is in DER x9.62 encoding, SHA-512 digest is generated from input data of any size.
496 @constant kSecKeyAlgorithmRSAEncryptionRaw
497 Raw RSA encryption or decryption, size of data must match RSA key modulus size. Note that direct
498 use of this algorithm without padding is cryptographically very weak, it is important to always introduce
499 some kind of padding. Input data size must be less or equal to the key block size and returned block has always
500 the same size as block size, as returned by SecKeyGetBlockSize().
502 @constant kSecKeyAlgorithmRSAEncryptionPKCS1
503 RSA encryption or decryption, data is padded using PKCS#1 padding scheme. This algorithm should be used only for
504 backward compatibility with existing protocols and data. New implementations should choose cryptographically
505 stronger algorithm instead (see kSecKeyAlgorithmRSAEncryptionOAEP). Input data must be at most
506 "key block size - 11" bytes long and returned block has always the same size as block size, as returned
507 by SecKeyGetBlockSize().
509 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA1
510 RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA1. Input data must be at most
511 "key block size - 42" bytes long and returned block has always the same size as block size, as returned
512 by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM to be able to encrypt and decrypt arbitrary long data.
514 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA224
515 RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA224. Input data must be at most
516 "key block size - 58" bytes long and returned block has always the same size as block size, as returned
517 by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM to be able to encrypt and decrypt arbitrary long data.
519 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA256
520 RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA256. Input data must be at most
521 "key block size - 66" bytes long and returned block has always the same size as block size, as returned
522 by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM to be able to encrypt and decrypt arbitrary long data.
524 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA384
525 RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA384. Input data must be at most
526 "key block size - 98" bytes long and returned block has always the same size as block size, as returned
527 by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM to be able to encrypt and decrypt arbitrary long data.
529 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA512
530 RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA512. Input data must be at most
531 "key block size - 130" bytes long and returned block has always the same size as block size, as returned
532 by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM to be able to encrypt and decrypt arbitrary long data.
534 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM
535 Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
536 mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
537 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
538 as authentication data for AES-GCM encryption.
540 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM
541 Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
542 mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
543 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
544 as authentication data for AES-GCM encryption.
546 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM
547 Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
548 mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
549 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
550 as authentication data for AES-GCM encryption.
552 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM
553 Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
554 mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
555 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
556 as authentication data for AES-GCM encryption.
558 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM
559 Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
560 mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
561 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
562 as authentication data for AES-GCM encryption.
564 @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM
565 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
566 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size
567 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
568 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
569 all-zero 16 byte long IV (initialization vector).
571 @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM
572 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
573 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size
574 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
575 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
576 all-zero 16 byte long IV (initialization vector).
578 @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM
579 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
580 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size
581 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
582 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
583 all-zero 16 byte long IV (initialization vector).
585 @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM
586 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
587 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size
588 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
589 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
590 all-zero 16 byte long IV (initialization vector).
592 @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM
593 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
594 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size
595 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
596 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
597 all-zero 16 byte long IV (initialization vector).
599 @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM
600 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
601 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size
602 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
603 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
604 all-zero 16 byte long IV (initialization vector).
606 @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM
607 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
608 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size
609 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
610 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
611 all-zero 16 byte long IV (initialization vector).
613 @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM
614 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
615 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size
616 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
617 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
618 all-zero 16 byte long IV (initialization vector).
620 @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM
621 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
622 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size
623 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
624 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
625 all-zero 16 byte long IV (initialization vector).
627 @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM
628 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
629 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size
630 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
631 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
632 all-zero 16 byte long IV (initialization vector).
634 @constant kSecKeyAlgorithmECDHKeyExchangeCofactor
635 Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys.
636 This algorithm does not accept any parameters, length of output raw shared secret is given by the length of the key.
638 @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1
639 Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
640 and apply ANSI X9.63 KDF with SHA1 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
641 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
643 @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224
644 Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
645 and apply ANSI X9.63 KDF with SHA224 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
646 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
648 @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256
649 Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
650 and apply ANSI X9.63 KDF with SHA256 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
651 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
653 @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384
654 Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
655 and apply ANSI X9.63 KDF with SHA384 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
656 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
658 @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512
659 Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
660 and apply ANSI X9.63 KDF with SHA512 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
661 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
663 @constant kSecKeyAlgorithmECDHKeyExchangeStandard
664 Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys.
665 This algorithm does not accept any parameters, length of output raw shared secret is given by the length of the key.
667 @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1
668 Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
669 and apply ANSI X9.63 KDF with SHA1 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
670 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
672 @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224
673 Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
674 and apply ANSI X9.63 KDF with SHA224 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
675 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
677 @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256
678 Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
679 and apply ANSI X9.63 KDF with SHA256 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
680 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
682 @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384
683 Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
684 and apply ANSI X9.63 KDF with SHA384 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
685 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
687 @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512
688 Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
689 and apply ANSI X9.63 KDF with SHA512 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
690 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
693 typedef CFStringRef SecKeyAlgorithm CF_STRING_ENUM
694 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
696 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureRaw
697 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
699 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw
700 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
702 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1
703 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
704 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224
705 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
706 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256
707 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
708 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384
709 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
710 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512
711 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
713 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1
714 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
715 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224
716 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
717 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256
718 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
719 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384
720 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
721 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512
722 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
724 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureRFC4754
725 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
727 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962
728 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
729 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA1
730 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
731 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA224
732 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
733 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA256
734 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
735 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA384
736 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
737 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA512
738 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
740 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA1
741 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
742 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA224
743 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
744 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA256
745 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
746 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA384
747 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
748 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA512
749 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
751 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionRaw
752 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
753 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionPKCS1
754 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
755 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA1
756 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
757 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA224
758 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
759 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA256
760 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
761 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA384
762 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
763 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA512
764 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
766 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM
767 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
768 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM
769 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
770 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM
771 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
772 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM
773 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
774 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM
775 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
777 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM
778 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
779 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM
780 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
781 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM
782 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
783 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM
784 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
785 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM
786 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
788 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM
789 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
790 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM
791 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
792 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM
793 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
794 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM
795 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
796 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM
797 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
799 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandard
800 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
801 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1
802 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
803 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224
804 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
805 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256
806 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
807 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384
808 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
809 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512
810 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
812 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactor
813 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
814 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1
815 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
816 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224
817 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
818 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256
819 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
820 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384
821 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
822 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512
823 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
826 @function SecKeyCreateSignature
827 @abstract Given a private key and data to sign, generate a digital signature.
828 @param key Private key with which to sign.
829 @param algorithm One of SecKeyAlgorithm constants suitable to generate signature with this key.
830 @param dataToSign The data to be signed, typically the digest of the actual data.
831 @param error On error, will be populated with an error object describing the failure.
832 See "Security Error Codes" (SecBase.h).
833 @result The signature over dataToSign represented as a CFData, or NULL on failure.
834 @discussion Computes digital signature using specified key over input data. The operation algorithm
835 further defines the exact format of input data, operation to be performed and output signature.
837 CFDataRef _Nullable
SecKeyCreateSignature(SecKeyRef key
, SecKeyAlgorithm algorithm
, CFDataRef dataToSign
,
839 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
842 @function SecKeyVerifySignature
843 @abstract Given a public key, data which has been signed, and a signature, verify the signature.
844 @param key Public key with which to verify the signature.
845 @param algorithm One of SecKeyAlgorithm constants suitable to verify signature with this key.
846 @param signedData The data over which sig is being verified, typically the digest of the actual data.
847 @param signature The signature to verify.
848 @param error On error, will be populated with an error object describing the failure.
849 See "Security Error Codes" (SecBase.h).
850 @result True if the signature was valid, False otherwise.
851 @discussion Verifies digital signature operation using specified key and signed data. The operation algorithm
852 further defines the exact format of input data, signature and operation to be performed.
854 Boolean
SecKeyVerifySignature(SecKeyRef key
, SecKeyAlgorithm algorithm
, CFDataRef signedData
, CFDataRef signature
, CFErrorRef
*error
)
855 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
858 @function SecKeyCreateEncryptedData
859 @abstract Encrypt a block of plaintext.
860 @param key Public key with which to encrypt the data.
861 @param algorithm One of SecKeyAlgorithm constants suitable to perform encryption with this key.
862 @param plaintext The data to encrypt. The length and format of the data must conform to chosen algorithm,
863 typically be less or equal to the value returned by SecKeyGetBlockSize().
864 @param error On error, will be populated with an error object describing the failure.
865 See "Security Error Codes" (SecBase.h).
866 @result The ciphertext represented as a CFData, or NULL on failure.
867 @discussion Encrypts plaintext data using specified key. The exact type of the operation including the format
868 of input and output data is specified by encryption algorithm.
870 CFDataRef _Nullable
SecKeyCreateEncryptedData(SecKeyRef key
, SecKeyAlgorithm algorithm
, CFDataRef plaintext
, CFErrorRef
*error
)
871 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
874 @function SecKeyCreateDecryptedData
875 @abstract Decrypt a block of ciphertext.
876 @param key Private key with which to decrypt the data.
877 @param algorithm One of SecKeyAlgorithm constants suitable to perform decryption with this key.
878 @param ciphertext The data to decrypt. The length and format of the data must conform to chosen algorithm,
879 typically be less or equal to the value returned by SecKeyGetBlockSize().
880 @param error On error, will be populated with an error object describing the failure.
881 See "Security Error Codes" (SecBase.h).
882 @result The plaintext represented as a CFData, or NULL on failure.
883 @discussion Decrypts ciphertext data using specified key. The exact type of the operation including the format
884 of input and output data is specified by decryption algorithm.
886 CFDataRef _Nullable
SecKeyCreateDecryptedData(SecKeyRef key
, SecKeyAlgorithm algorithm
, CFDataRef ciphertext
, CFErrorRef
*error
)
887 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
890 @enum SecKeyKeyExchangeParameter SecKey Key Exchange parameters
891 @constant kSecKeyKeyExchangeParameterRequestedSize Contains CFNumberRef with requested result size in bytes.
892 @constant kSecKeyKeyExchangeParameterSharedInfo Contains CFDataRef with additional shared info
893 for KDF (key derivation function).
895 typedef CFStringRef SecKeyKeyExchangeParameter CF_STRING_ENUM
896 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
897 extern const SecKeyKeyExchangeParameter kSecKeyKeyExchangeParameterRequestedSize
898 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
899 extern const SecKeyKeyExchangeParameter kSecKeyKeyExchangeParameterSharedInfo
900 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
903 @function SecKeyCopyKeyExchangeResult
904 @abstract Perform Diffie-Hellman style of key exchange operation, optionally with additional key-derivation steps.
905 @param algorithm One of SecKeyAlgorithm constants suitable to perform this operation.
906 @param publicKey Remote party's public key.
907 @param parameters Dictionary with parameters, see SecKeyKeyExchangeParameter constants. Used algorithm
908 determines the set of required and optional parameters to be used.
909 @param error Pointer to an error object on failure.
910 See "Security Error Codes" (SecBase.h).
911 @result Result of key exchange operation as a CFDataRef, or NULL on failure.
913 CFDataRef _Nullable
SecKeyCopyKeyExchangeResult(SecKeyRef privateKey
, SecKeyAlgorithm algorithm
, SecKeyRef publicKey
, CFDictionaryRef parameters
, CFErrorRef
*error
)
914 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
917 @enum SecKeyOperationType
918 @abstract Defines types of cryptographic operations available with SecKey instance.
920 @constant kSecKeyOperationTypeSign
921 Represents SecKeyCreateSignature()
923 @constant kSecKeyOperationTypeVerify
924 Represents SecKeyVerifySignature()
926 @constant kSecKeyOperationTypeEncrypt
927 Represents SecKeyCreateEncryptedData()
929 @constant kSecKeyOperationTypeDecrypt
930 Represents SecKeyCreateDecryptedData()
932 @constant kSecKeyOperationTypeKeyExchange
933 Represents SecKeyCopyKeyExchangeResult()
935 typedef CF_ENUM(CFIndex
, SecKeyOperationType
) {
936 kSecKeyOperationTypeSign
= 0,
937 kSecKeyOperationTypeVerify
= 1,
938 kSecKeyOperationTypeEncrypt
= 2,
939 kSecKeyOperationTypeDecrypt
= 3,
940 kSecKeyOperationTypeKeyExchange
= 4,
941 } __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
944 @function SecKeyIsAlgorithmSupported
945 @abstract Checks whether key supports specified algorithm for specified operation.
946 @param key Key to query
947 @param operation Operation type for which the key is queried
948 @param algorithm Algorithm which is queried
949 @return True if key supports specified algorithm for specified operation, False otherwise.
951 Boolean
SecKeyIsAlgorithmSupported(SecKeyRef key
, SecKeyOperationType operation
, SecKeyAlgorithm algorithm
)
952 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
954 CF_IMPLICIT_BRIDGING_DISABLED
955 CF_ASSUME_NONNULL_END
959 #endif /* !_SECURITY_SECKEY_H_ */