1 /*
2 * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*!
25 @header SecItem
26 SecItem defines CoreFoundation-based constants and functions for
27 access to Security items (certificates, keys, identities, and
28 passwords.)
29 */
30
31 #ifndef _SECURITY_SECITEM_H_
32 #define _SECURITY_SECITEM_H_
33
34 #include <CoreFoundation/CFNumber.h>
35 #include <CoreFoundation/CFArray.h>
36 #include <CoreFoundation/CFDictionary.h>
37
38 #if defined(__cplusplus)
39 extern "C" {
40 #endif
41
42 CF_ASSUME_NONNULL_BEGIN
43 CF_IMPLICIT_BRIDGING_ENABLED
44
45 /*!
46 @enum Class Key Constant
47 @discussion Predefined key constant used to get or set item class values in
48 a dictionary. Its value is one of the constants defined in the Value
49 Constants for kSecClass.
50 @constant kSecClass Specifies a dictionary key whose value is the item's
51 class code. You use this key to get or set a value of type CFTypeRef
52 that contains the item class code.
53 */
54 extern const CFStringRef kSecClass
55 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); /* dictionary key; its value is one of the kSecClass* item class constants */
56
57 /*!
58 @enum Class Value Constants
59 @discussion Predefined item class constants used to get or set values in
60 a dictionary. The kSecClass constant is the key and its value is one
61 of the constants defined here. Note: on Mac OS X 10.6, only items
62 of class kSecClassInternetPassword are supported.
63 @constant kSecClassInternetPassword Specifies Internet password items.
64 @constant kSecClassGenericPassword Specifies generic password items.
65 @constant kSecClassCertificate Specifies certificate items.
66 @constant kSecClassKey Specifies key items.
67 @constant kSecClassIdentity Specifies identity items.
68 */
69 extern const CFStringRef kSecClassInternetPassword
70 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); /* the only item class supported on Mac OS X 10.6 (see the discussion above) */
71 extern const CFStringRef kSecClassGenericPassword
72 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); /* generic password items; OS X 10.7 or later */
73 extern const CFStringRef kSecClassCertificate
74 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); /* certificate items; OS X 10.7 or later */
75 extern const CFStringRef kSecClassKey
76 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); /* key items; OS X 10.7 or later */
77 extern const CFStringRef kSecClassIdentity
78 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); /* identity items (private key plus certificate); OS X 10.7 or later */
79
80 /*!
81 @enum Attribute Key Constants
82 @discussion Predefined item attribute keys used to get or set values in a
83 dictionary. Not all attributes apply to each item class. The table
84 below lists the currently defined attributes for each item class:
85
86 kSecClassGenericPassword item attributes:
87 kSecAttrAccess (OS X only)
88 kSecAttrAccessControl
89 kSecAttrAccessGroup (iOS; also OS X if kSecAttrSynchronizable specified)
90 kSecAttrAccessible (iOS; also OS X if kSecAttrSynchronizable specified)
91 kSecAttrCreationDate
92 kSecAttrModificationDate
93 kSecAttrDescription
94 kSecAttrComment
95 kSecAttrCreator
96 kSecAttrType
97 kSecAttrLabel
98 kSecAttrIsInvisible
99 kSecAttrIsNegative
100 kSecAttrAccount
101 kSecAttrService
102 kSecAttrGeneric
103
104 kSecClassInternetPassword item attributes:
105 kSecAttrAccess (OS X only)
106 kSecAttrAccessGroup (iOS; also OS X if kSecAttrSynchronizable specified)
107 kSecAttrAccessible (iOS; also OS X if kSecAttrSynchronizable specified)
108 kSecAttrCreationDate
109 kSecAttrModificationDate
110 kSecAttrDescription
111 kSecAttrComment
112 kSecAttrCreator
113 kSecAttrType
114 kSecAttrLabel
115 kSecAttrIsInvisible
116 kSecAttrIsNegative
117 kSecAttrAccount
118 kSecAttrSecurityDomain
119 kSecAttrServer
120 kSecAttrProtocol
121 kSecAttrAuthenticationType
122 kSecAttrPort
123 kSecAttrPath
124
125 kSecClassCertificate item attributes:
126 kSecAttrCertificateType
127 kSecAttrCertificateEncoding
128 kSecAttrLabel
129 kSecAttrSubject
130 kSecAttrIssuer
131 kSecAttrSerialNumber
132 kSecAttrSubjectKeyID
133 kSecAttrPublicKeyHash
134
135 kSecClassKey item attributes:
136 kSecAttrAccess (OS X only)
137 kSecAttrAccessGroup (iOS only)
138 kSecAttrAccessible (iOS only)
139 kSecAttrKeyClass
140 kSecAttrLabel
141 kSecAttrApplicationLabel
142 kSecAttrIsPermanent
143 kSecAttrApplicationTag
144 kSecAttrKeyType
145 kSecAttrPRF
146 kSecAttrSalt
147 kSecAttrRounds
148 kSecAttrKeySizeInBits
149 kSecAttrEffectiveKeySize
150 kSecAttrCanEncrypt
151 kSecAttrCanDecrypt
152 kSecAttrCanDerive
153 kSecAttrCanSign
154 kSecAttrCanVerify
155 kSecAttrCanWrap
156 kSecAttrCanUnwrap
157
158 Note that the attributes kSecAttrCan* describe attributes of the
159 key itself at relatively high level. Some of these attributes are
160 mathematical -- for example, a DSA key cannot encrypt. Others are
161 key-level policy issues -- for example, it is good cryptographic
162 hygiene to use an RSA key either for encryption or signing but not
163 both. Compare these to the certificate-level policy values in
164 SecPolicy.h.
165
166 kSecClassIdentity item attributes:
167 Since an identity is the combination of a private key and a
168 certificate, this class shares attributes of both kSecClassKey and
169 kSecClassCertificate.
170
171 @constant kSecAttrAccessible Specifies a dictionary key whose value
172 indicates when your application needs access to an item's data. You
173 should choose the most restrictive option that meets your application's
174 needs to allow the system to protect that item in the best way possible.
175 See the "kSecAttrAccessible Value Constants" section for a list of
176 values which can be specified.
177 IMPORTANT: This attribute is currently not supported for OS X keychain
178 items, unless the kSecAttrSynchronizable attribute is also present. If
179 both attributes are specified on either OS X or iOS, the value for the
180 kSecAttrAccessible key may only be one whose name does not end with
181 "ThisDeviceOnly", as those cannot sync to another device.
182
183 @constant kSecAttrAccessControl Specifies a dictionary key whose value
184 is a SecAccessControl instance which contains the access control conditions
185 for the item.
186 IMPORTANT: This attribute is mutually exclusive with kSecAttrAccess
187 attribute.
188
189 @constant kSecAttrAccess Specifies a dictionary key whose value
190 is a SecAccessRef describing the access control settings for this item.
191 This key is available on OS X only.
192
193 @constant kSecAttrAccessGroup Specifies a dictionary key whose value is
194 a CFStringRef indicating which access group an item is in. The access
195 groups that a particular application has membership in are determined by
196 two entitlements for that application. The application-identifier
197 entitlement contains the application's single access group, unless
198 there is a keychain-access-groups entitlement present. The latter
199 has as its value a list of access groups; the first item in this list
200 is the default access group. Unless a specific access group is provided
201 as the value of kSecAttrAccessGroup when SecItemAdd is called, new items
202 are created in the application's default access group. Specifying this
203 attribute in SecItemCopyMatching, SecItemUpdate, or SecItemDelete calls
204 limits the search to the specified access group (of which the calling
205 application must be a member to obtain matching results.) To share
206 keychain items between multiple applications, each application must have
207 a common group listed in its keychain-access-groups entitlement, and each
208 must specify this shared access group name as the value for the
209 kSecAttrAccessGroup key in the dictionary passed to SecItem functions.
210
211 @constant kSecAttrSynchronizable Specifies a dictionary key whose value is
212 a CFBooleanRef indicating whether the item in question can be synchronized.
213 To add a new item which can be synced to other devices, or to obtain
214 synchronizable results from a query, supply this key with a value of
215 kCFBooleanTrue. If the key is not supplied, or has a value of
216 kCFBooleanFalse, then no synchronizable items will be added or returned.
217 A predefined value, kSecAttrSynchronizableAny, may be provided instead of
218 kCFBooleanTrue if both synchronizable and non-synchronizable results are
219 desired.
220
221 IMPORTANT: Specifying the kSecAttrSynchronizable key has several caveats:
222
223 - Updating or deleting items using the kSecAttrSynchronizable key will
224 affect all copies of the item, not just the one on your local device.
225 Be sure that it makes sense to use the same password on all devices
226 before deciding to make a password synchronizable.
227 - Only password items can currently be synchronized. Keychain syncing
228 is not supported for certificates or cryptographic keys.
229 - Items stored or obtained using the kSecAttrSynchronizable key cannot
230 specify SecAccessRef-based access control with kSecAttrAccess. If a
231 password is intended to be shared between multiple applications, the
232 kSecAttrAccessGroup key must be specified, and each application
233 using this password must have a 'keychain-access-groups' entitlement
234 with the specified access group value.
235 - Items stored or obtained using the kSecAttrSynchronizable key may
236 not also specify a kSecAttrAccessible value which is incompatible
237 with syncing (namely, those whose names end with "ThisDeviceOnly".)
238 - Items stored or obtained using the kSecAttrSynchronizable key cannot
239 be specified by reference. You must pass kSecReturnAttributes and/or
240 kSecReturnData to retrieve results; kSecReturnRef is currently not
241 supported for synchronizable items.
242 - Persistent references to synchronizable items should be avoided;
243 while they may work locally, they cannot be moved between devices,
244 and may not resolve if the item is modified on some other device.
245 - When specifying a query that uses the kSecAttrSynchronizable key,
246 search keys are limited to the item's class and attributes.
247 The only search constant which may be used is kSecMatchLimit; other
248 constants using the kSecMatch prefix are not supported at this time.
249
250 @constant kSecAttrSynchronizableAny Specifies that both synchronizable and
251 non-synchronizable results should be returned from this query. This may be
252 used as a value for the kSecAttrSynchronizable dictionary key in a call to
253 SecItemCopyMatching, SecItemUpdate, or SecItemDelete.
254
255 @constant kSecAttrCreationDate (read-only) Specifies a dictionary key whose
256 value is the item's creation date. You use this key to get a value
257 of type CFDateRef that represents the date the item was created.
258 @constant kSecAttrModificationDate (read-only) Specifies a dictionary key
259 whose value is the item's modification date. You use this key to get
260 a value of type CFDateRef that represents the last time the item was
261 updated.
262 @constant kSecAttrDescription Specifies a dictionary key whose value is
263 the item's description attribute. You use this key to set or get a
264 value of type CFStringRef that represents a user-visible string
265 describing this particular kind of item (e.g., "disk image password").
266 @constant kSecAttrComment Specifies a dictionary key whose value is the
267 item's comment attribute. You use this key to set or get a value of
268 type CFStringRef containing the user-editable comment for this item.
269 @constant kSecAttrCreator Specifies a dictionary key whose value is the
270 item's creator attribute. You use this key to set or get a value of
271 type CFNumberRef that represents the item's creator. This number is
272 the unsigned integer representation of a four-character code (e.g.,
273 'aCrt').
274 @constant kSecAttrType Specifies a dictionary key whose value is the item's
275 type attribute. You use this key to set or get a value of type
276 CFNumberRef that represents the item's type. This number is the
277 unsigned integer representation of a four-character code (e.g.,
278 'aTyp').
279 @constant kSecAttrLabel Specifies a dictionary key whose value is the
280 item's label attribute. You use this key to set or get a value of
281 type CFStringRef containing the user-visible label for this item.
282 @constant kSecAttrIsInvisible Specifies a dictionary key whose value is the
283 item's invisible attribute. You use this key to set or get a value
284 of type CFBooleanRef that indicates whether the item is invisible
285 (i.e., should not be displayed.)
286 @constant kSecAttrIsNegative Specifies a dictionary key whose value is the
287 item's negative attribute. You use this key to set or get a value of
288 type CFBooleanRef that indicates whether there is a valid password
289 associated with this keychain item. This is useful if your application
290 doesn't want a password for some particular service to be stored in
291 the keychain, but prefers that it always be entered by the user.
292 @constant kSecAttrAccount Specifies a dictionary key whose value is the
293 item's account attribute. You use this key to set or get a CFStringRef
294 that contains an account name. (Items of class
295 kSecClassGenericPassword, kSecClassInternetPassword have this
296 attribute.)
297 @constant kSecAttrService Specifies a dictionary key whose value is the
298 item's service attribute. You use this key to set or get a CFStringRef
299 that represents the service associated with this item. (Items of class
300 kSecClassGenericPassword have this attribute.)
301 @constant kSecAttrGeneric Specifies a dictionary key whose value is the
302 item's generic attribute. You use this key to set or get a value of
303 type CFDataRef that contains a user-defined attribute. (Items of class
304 kSecClassGenericPassword have this attribute.)
305 @constant kSecAttrSecurityDomain Specifies a dictionary key whose value
306 is the item's security domain attribute. You use this key to set or
307 get a CFStringRef value that represents the Internet security domain.
308 (Items of class kSecClassInternetPassword have this attribute.)
309 @constant kSecAttrServer Specifies a dictionary key whose value is the
310 item's server attribute. You use this key to set or get a value of
311 type CFStringRef that contains the server's domain name or IP address.
312 (Items of class kSecClassInternetPassword have this attribute.)
313 @constant kSecAttrProtocol Specifies a dictionary key whose value is the
314 item's protocol attribute. You use this key to set or get a value of
315 type CFNumberRef that denotes the protocol for this item (see the
316 SecProtocolType enum in SecKeychainItem.h). (Items of class
317 kSecClassInternetPassword have this attribute.)
318 @constant kSecAttrAuthenticationType Specifies a dictionary key whose value
319 is the item's authentication type attribute. You use this key to set
320 or get a value of type CFNumberRef that denotes the authentication
321 scheme for this item (see the kSecAttrAuthenticationType value
322 constants below).
323 @constant kSecAttrPort Specifies a dictionary key whose value is the item's
324 port attribute. You use this key to set or get a CFNumberRef value
325 that represents an Internet port number. (Items of class
326 kSecClassInternetPassword have this attribute.)
327 @constant kSecAttrPath Specifies a dictionary key whose value is the item's
328 path attribute, typically this is the path component of the URL. You use
329 this key to set or get a CFStringRef value that represents a path. (Items
330 of class kSecClassInternetPassword have this attribute.)
331 @constant kSecAttrSubject (read-only) Specifies a dictionary key whose
332 value is the item's subject. You use this key to get a value of type
333 CFDataRef that contains the X.500 subject name of a certificate.
334 (Items of class kSecClassCertificate have this attribute.)
335 @constant kSecAttrIssuer (read-only) Specifies a dictionary key whose value
336 is the item's issuer. You use this key to get a value of type
337 CFDataRef that contains the X.500 issuer name of a certificate. (Items
338 of class kSecClassCertificate have this attribute.)
339 @constant kSecAttrSerialNumber (read-only) Specifies a dictionary key whose
340 value is the item's serial number. You use this key to get a value
341 of type CFDataRef that contains the serial number data of a
342 certificate. (Items of class kSecClassCertificate have this
343 attribute.)
344 @constant kSecAttrSubjectKeyID (read-only) Specifies a dictionary key whose
345 value is the item's subject key ID. You use this key to get a value
346 of type CFDataRef that contains the subject key ID of a certificate.
347 (Items of class kSecClassCertificate have this attribute.)
348 @constant kSecAttrPublicKeyHash (read-only) Specifies a dictionary key
349 whose value is the item's public key hash. You use this key to get a
350 value of type CFDataRef that contains the hash of a certificate's
351 public key. (Items of class kSecClassCertificate have this attribute.)
352 @constant kSecAttrCertificateType (read-only) Specifies a dictionary key
353 whose value is the item's certificate type. You use this key to get
354 a value of type CFNumberRef that denotes the certificate type (see the
355 CSSM_CERT_TYPE enum in cssmtype.h). (Items of class
356 kSecClassCertificate have this attribute.)
357 @constant kSecAttrCertificateEncoding (read-only) Specifies a dictionary
358 key whose value is the item's certificate encoding. You use this key
359 to get a value of type CFNumberRef that denotes the certificate
360 encoding (see the CSSM_CERT_ENCODING enum in cssmtype.h). (Items of
361 class kSecClassCertificate have this attribute.)
362 @constant kSecAttrKeyClass (read-only) Specifies a dictionary key whose
363 value is one of kSecAttrKeyClassPublic, kSecAttrKeyClassPrivate or
364 kSecAttrKeyClassSymmetric.
365 @constant kSecAttrApplicationLabel Specifies a dictionary key whose value
366 is the key's application label attribute. This is different from the
367 kSecAttrLabel (which is intended to be human-readable). This attribute
368 is used to look up a key programmatically; in particular, for keys of
369 class kSecAttrKeyClassPublic and kSecAttrKeyClassPrivate, the value of
370 this attribute is the hash of the public key. The value is of type CFDataRef.
371 Legacy keys may contain a UUID in this field as a CFStringRef.
372 @constant kSecAttrIsPermanent Specifies a dictionary key whose value is a
373 CFBooleanRef indicating whether the key in question will be stored
374 permanently.
375 @constant kSecAttrIsSensitive Specifies a dictionary key whose value is a
376 CFBooleanRef indicating that the key in question can only be exported
377 in a wrapped (encrypted) format.
378 @constant kSecAttrIsExtractable Specifies a dictionary key whose value is a
379 CFBooleanRef indicating whether the key in question can be exported from
380 its keychain container.
381 @constant kSecAttrApplicationTag Specifies a dictionary key whose value is a
382 CFDataRef containing private tag data.
383 @constant kSecAttrKeyType Specifies a dictionary key whose value is a
384 CFNumberRef indicating the algorithm associated with this key (see the
385 CSSM_ALGORITHMS enum in cssmtype.h).
386 @constant kSecAttrPRF Specifies a dictionary key whose value is the PRF
387 (pseudo-random function) for this key (see "kSecAttrPRF Value Constants".)
388 @constant kSecAttrSalt Specifies a dictionary key whose value is a
389 CFData containing the salt to use for this key.
390 @constant kSecAttrRounds Specifies a dictionary key whose value is the
391 number of rounds for the pseudo-random function specified by kSecAttrPRF.
392 @constant kSecAttrKeySizeInBits Specifies a dictionary key whose value
393 is a CFNumberRef indicating the number of bits in this key.
394 @constant kSecAttrEffectiveKeySize Specifies a dictionary key whose value
395 is a CFNumberRef indicating the effective number of bits in this key.
396 For example, a DES key has a kSecAttrKeySizeInBits of 64, but a
397 kSecAttrEffectiveKeySize of 56 bits.
398 @constant kSecAttrCanEncrypt Specifies a dictionary key whose value is a
399 CFBooleanRef indicating whether the key in question can be used to
400 encrypt data.
401 @constant kSecAttrCanDecrypt Specifies a dictionary key whose value is a
402 CFBooleanRef indicating whether the key in question can be used to
403 decrypt data.
404 @constant kSecAttrCanDerive Specifies a dictionary key whose value is a
405 CFBooleanRef indicating whether the key in question can be used to
406 derive another key.
407 @constant kSecAttrCanSign Specifies a dictionary key whose value is a
408 CFBooleanRef indicating whether the key in question can be used to
409 create a digital signature.
410 @constant kSecAttrCanVerify Specifies a dictionary key whose value is a
411 CFBooleanRef indicating whether the key in question can be used to
412 verify a digital signature.
413 @constant kSecAttrCanWrap Specifies a dictionary key whose value is a
414 CFBooleanRef indicating whether the key in question can be used to
415 wrap another key.
416 @constant kSecAttrCanUnwrap Specifies a dictionary key whose value is a
417 CFBooleanRef indicating whether the key in question can be used to
418 unwrap another key.
419 */
420 extern const CFStringRef kSecAttrAccessible
421 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); /* value: a kSecAttrAccessible* constant; not supported for OS X items unless kSecAttrSynchronizable is also present */
422 extern const CFStringRef kSecAttrAccess
423 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); /* OS X only (__IPHONE_NA); value: SecAccessRef; mutually exclusive with kSecAttrAccessControl */
424 extern const CFStringRef kSecAttrAccessControl
425 __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); /* value: SecAccessControl instance; mutually exclusive with kSecAttrAccess */
426 extern const CFStringRef kSecAttrAccessGroup
427 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_3_0); /* value: CFStringRef; the calling application must be a member of the group to obtain matching results */
428 extern const CFStringRef kSecAttrSynchronizable
429 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); /* value: CFBooleanRef or kSecAttrSynchronizableAny; update/delete affects all copies of the item, not just the local one */
430 extern const CFStringRef kSecAttrSynchronizableAny
431 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); /* used as a value for kSecAttrSynchronizable: return both synchronizable and non-synchronizable results */
432 extern const CFStringRef kSecAttrCreationDate
433 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); /* read-only; value: CFDateRef */
434 extern const CFStringRef kSecAttrModificationDate
435 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); /* read-only; value: CFDateRef */
436 extern const CFStringRef kSecAttrDescription
437 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
438 extern const CFStringRef kSecAttrComment
439 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
440 extern const CFStringRef kSecAttrCreator
441 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
442 extern const CFStringRef kSecAttrType
443 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
444 extern const CFStringRef kSecAttrLabel
445 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
446 extern const CFStringRef kSecAttrIsInvisible
447 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
448 extern const CFStringRef kSecAttrIsNegative
449 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
450 extern const CFStringRef kSecAttrAccount
451 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
452 extern const CFStringRef kSecAttrService
453 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
454 extern const CFStringRef kSecAttrGeneric
455 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
456 extern const CFStringRef kSecAttrSecurityDomain
457 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
458 extern const CFStringRef kSecAttrServer
459 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
460 extern const CFStringRef kSecAttrProtocol
461 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
462 extern const CFStringRef kSecAttrAuthenticationType
463 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
464 extern const CFStringRef kSecAttrPort
465 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
466 extern const CFStringRef kSecAttrPath
467 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
468 extern const CFStringRef kSecAttrSubject
469 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); /* read-only; value: CFDataRef (X.500 subject name) */
470 extern const CFStringRef kSecAttrIssuer
471 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); /* read-only; value: CFDataRef (X.500 issuer name) */
472 extern const CFStringRef kSecAttrSerialNumber
473 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); /* read-only; value: CFDataRef */
474 extern const CFStringRef kSecAttrSubjectKeyID
475 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); /* read-only; value: CFDataRef */
476 extern const CFStringRef kSecAttrPublicKeyHash
477 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); /* read-only; value: CFDataRef */
478 extern const CFStringRef kSecAttrCertificateType
479 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); /* read-only; value: CFNumberRef */
480 extern const CFStringRef kSecAttrCertificateEncoding
481 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); /* read-only; value: CFNumberRef */
482 extern const CFStringRef kSecAttrKeyClass
483 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); /* read-only; value: one of the kSecAttrKeyClass* constants */
484 extern const CFStringRef kSecAttrApplicationLabel
485 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); /* programmatic lookup label, distinct from kSecAttrLabel; hash of the public key for public/private keys */
486 extern const CFStringRef kSecAttrIsPermanent
487 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
488 extern const CFStringRef kSecAttrIsSensitive
489 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); /* value: CFBooleanRef; the key can only be exported in a wrapped (encrypted) format */
490 extern const CFStringRef kSecAttrIsExtractable
491 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); /* value: CFBooleanRef; whether the key can be exported from its keychain container */
492 extern const CFStringRef kSecAttrApplicationTag
493 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
494 extern const CFStringRef kSecAttrKeyType
495 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
496 extern const CFStringRef kSecAttrPRF
497 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); /* OS X only (__IPHONE_NA) */
498 extern const CFStringRef kSecAttrSalt
499 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); /* OS X only (__IPHONE_NA) */
500 extern const CFStringRef kSecAttrRounds
501 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); /* OS X only (__IPHONE_NA) */
502 extern const CFStringRef kSecAttrKeySizeInBits
503 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
504 extern const CFStringRef kSecAttrEffectiveKeySize
505 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); /* may be smaller than kSecAttrKeySizeInBits, e.g. 56 vs 64 for a DES key */
506 extern const CFStringRef kSecAttrCanEncrypt
507 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
508 extern const CFStringRef kSecAttrCanDecrypt
509 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
510 extern const CFStringRef kSecAttrCanDerive
511 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
512 extern const CFStringRef kSecAttrCanSign
513 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
514 extern const CFStringRef kSecAttrCanVerify
515 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
516 extern const CFStringRef kSecAttrCanWrap
517 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
518 extern const CFStringRef kSecAttrCanUnwrap
519 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
520
521 /*!
522 @enum kSecAttrAccessible Value Constants
523 @discussion Predefined item attribute constants used to get or set values
524 in a dictionary. The kSecAttrAccessible constant is the key and its
525 value is one of the constants defined here.
526 When asking SecItemCopyMatching to return the item's data, the error
527 errSecInteractionNotAllowed will be returned if the item's data is not
528 available until a device unlock occurs.
529 @constant kSecAttrAccessibleWhenUnlocked Item data can only be accessed
530 while the device is unlocked. This is recommended for items that only
531 need to be accessible while the application is in the foreground. Items
532 with this attribute will migrate to a new device when using encrypted
533 backups.
534 @constant kSecAttrAccessibleAfterFirstUnlock Item data can only be
535 accessed once the device has been unlocked after a restart. This is
536 recommended for items that need to be accessible by background
537 applications. Items with this attribute will migrate to a new device
538 when using encrypted backups.
539 @constant kSecAttrAccessibleAlways Item data can always be accessed
540 regardless of the lock state of the device. This is not recommended
541 for anything except system use. Items with this attribute will migrate
542 to a new device when using encrypted backups.
543 @constant kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly Item data can
544 only be accessed while the device is unlocked. This is recommended for
545 items that only need to be accessible while the application is in the
546 foreground and requires a passcode to be set on the device. Items with
547 this attribute will never migrate to a new device, so after a backup
548 is restored to a new device, these items will be missing. This
549 attribute will not be available on devices without a passcode. Disabling
550 the device passcode will cause all previously protected items to
551 be deleted.
552 @constant kSecAttrAccessibleWhenUnlockedThisDeviceOnly Item data can only
553 be accessed while the device is unlocked. This is recommended for items
554 that only need to be accessible while the application is in the foreground.
555 Items with this attribute will never migrate to a new device, so after
556 a backup is restored to a new device, these items will be missing.
557 @constant kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly Item data can
558 only be accessed once the device has been unlocked after a restart.
559 This is recommended for items that need to be accessible by background
560 applications. Items with this attribute will never migrate to a new
561 device, so after a backup is restored to a new device these items will
562 be missing.
563 @constant kSecAttrAccessibleAlwaysThisDeviceOnly Item data can always
564 be accessed regardless of the lock state of the device. This option
565 is not recommended for anything except system use. Items with this
566 attribute will never migrate to a new device, so after a backup is
567 restored to a new device, these items will be missing.
568 */
569 extern const CFStringRef kSecAttrAccessibleWhenUnlocked
570 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); /* readable only while the device is unlocked; migrates to a new device via encrypted backups */
571 extern const CFStringRef kSecAttrAccessibleAfterFirstUnlock
572 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); /* readable once the device has been unlocked after a restart; migrates via encrypted backups */
573 extern const CFStringRef kSecAttrAccessibleAlways
574 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); /* readable regardless of lock state; not recommended for anything except system use */
575 extern const CFStringRef kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
576 __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); /* requires a device passcode; items are deleted if the passcode is disabled; never migrates; cannot be combined with kSecAttrSynchronizable */
577 extern const CFStringRef kSecAttrAccessibleWhenUnlockedThisDeviceOnly
578 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); /* readable only while unlocked; never migrates; cannot be combined with kSecAttrSynchronizable */
579 extern const CFStringRef kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
580 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); /* readable after first unlock following a restart; never migrates; cannot be combined with kSecAttrSynchronizable */
581 extern const CFStringRef kSecAttrAccessibleAlwaysThisDeviceOnly
582 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); /* readable regardless of lock state; not recommended except for system use; never migrates */
583
584 /*!
585 @enum kSecAttrProtocol Value Constants
586 @discussion Predefined item attribute constants used to get or set values
587 in a dictionary. The kSecAttrProtocol constant is the key and its
588 value is one of the constants defined here.
589 @constant kSecAttrProtocolFTP
590 @constant kSecAttrProtocolFTPAccount
591 @constant kSecAttrProtocolHTTP
592 @constant kSecAttrProtocolIRC
593 @constant kSecAttrProtocolNNTP
594 @constant kSecAttrProtocolPOP3
595 @constant kSecAttrProtocolSMTP
596 @constant kSecAttrProtocolSOCKS
597 @constant kSecAttrProtocolIMAP
598 @constant kSecAttrProtocolLDAP
599 @constant kSecAttrProtocolAppleTalk
600 @constant kSecAttrProtocolAFP
601 @constant kSecAttrProtocolTelnet
602 @constant kSecAttrProtocolSSH
603 @constant kSecAttrProtocolFTPS
604 @constant kSecAttrProtocolHTTPS
605 @constant kSecAttrProtocolHTTPProxy
606 @constant kSecAttrProtocolHTTPSProxy
607 @constant kSecAttrProtocolFTPProxy
608 @constant kSecAttrProtocolSMB
609 @constant kSecAttrProtocolRTSP
610 @constant kSecAttrProtocolRTSPProxy
611 @constant kSecAttrProtocolDAAP
612 @constant kSecAttrProtocolEPPC
613 @constant kSecAttrProtocolIPP
614 @constant kSecAttrProtocolNNTPS
615 @constant kSecAttrProtocolLDAPS
616 @constant kSecAttrProtocolTelnetS
617 @constant kSecAttrProtocolIMAPS
618 @constant kSecAttrProtocolIRCS
619 @constant kSecAttrProtocolPOP3S
620 */
621 extern const CFStringRef kSecAttrProtocolFTP
622 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
623 extern const CFStringRef kSecAttrProtocolFTPAccount
624 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
625 extern const CFStringRef kSecAttrProtocolHTTP
626 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
627 extern const CFStringRef kSecAttrProtocolIRC
628 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
629 extern const CFStringRef kSecAttrProtocolNNTP
630 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
631 extern const CFStringRef kSecAttrProtocolPOP3
632 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
633 extern const CFStringRef kSecAttrProtocolSMTP
634 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
635 extern const CFStringRef kSecAttrProtocolSOCKS
636 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
637 extern const CFStringRef kSecAttrProtocolIMAP
638 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
639 extern const CFStringRef kSecAttrProtocolLDAP
640 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
641 extern const CFStringRef kSecAttrProtocolAppleTalk
642 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
643 extern const CFStringRef kSecAttrProtocolAFP
644 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
645 extern const CFStringRef kSecAttrProtocolTelnet
646 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
647 extern const CFStringRef kSecAttrProtocolSSH
648 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
649 extern const CFStringRef kSecAttrProtocolFTPS
650 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
651 extern const CFStringRef kSecAttrProtocolHTTPS
652 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
653 extern const CFStringRef kSecAttrProtocolHTTPProxy
654 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
655 extern const CFStringRef kSecAttrProtocolHTTPSProxy
656 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
657 extern const CFStringRef kSecAttrProtocolFTPProxy
658 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
659 extern const CFStringRef kSecAttrProtocolSMB
660 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
661 extern const CFStringRef kSecAttrProtocolRTSP
662 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
663 extern const CFStringRef kSecAttrProtocolRTSPProxy
664 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
665 extern const CFStringRef kSecAttrProtocolDAAP
666 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
667 extern const CFStringRef kSecAttrProtocolEPPC
668 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
669 extern const CFStringRef kSecAttrProtocolIPP
670 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
671 extern const CFStringRef kSecAttrProtocolNNTPS
672 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
673 extern const CFStringRef kSecAttrProtocolLDAPS
674 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
675 extern const CFStringRef kSecAttrProtocolTelnetS
676 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
677 extern const CFStringRef kSecAttrProtocolIMAPS
678 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
679 extern const CFStringRef kSecAttrProtocolIRCS
680 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
681 extern const CFStringRef kSecAttrProtocolPOP3S
682 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
683
684 /*!
685 @enum kSecAttrAuthenticationType Value Constants
686 @discussion Predefined item attribute constants used to get or set values
687 in a dictionary. The kSecAttrAuthenticationType constant is the key
688 and its value is one of the constants defined here.
689 @constant kSecAttrAuthenticationTypeNTLM
690 @constant kSecAttrAuthenticationTypeMSN
691 @constant kSecAttrAuthenticationTypeDPA
692 @constant kSecAttrAuthenticationTypeRPA
693 @constant kSecAttrAuthenticationTypeHTTPBasic
694 @constant kSecAttrAuthenticationTypeHTTPDigest
695 @constant kSecAttrAuthenticationTypeHTMLForm
696 @constant kSecAttrAuthenticationTypeDefault
697 */
698 extern const CFStringRef kSecAttrAuthenticationTypeNTLM
699 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
700 extern const CFStringRef kSecAttrAuthenticationTypeMSN
701 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
702 extern const CFStringRef kSecAttrAuthenticationTypeDPA
703 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
704 extern const CFStringRef kSecAttrAuthenticationTypeRPA
705 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
706 extern const CFStringRef kSecAttrAuthenticationTypeHTTPBasic
707 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
708 extern const CFStringRef kSecAttrAuthenticationTypeHTTPDigest
709 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
710 extern const CFStringRef kSecAttrAuthenticationTypeHTMLForm
711 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
712 extern const CFStringRef kSecAttrAuthenticationTypeDefault
713 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
714
715 /*!
716 @enum kSecAttrKeyClass Value Constants
717 @discussion Predefined item attribute constants used to get or set values
718 in a dictionary. The kSecAttrKeyClass constant is the key
719 and its value is one of the constants defined here.
720 @constant kSecAttrKeyClassPublic
721 @constant kSecAttrKeyClassPrivate
722 @constant kSecAttrKeyClassSymmetric
723 */
724 extern const CFStringRef kSecAttrKeyClassPublic
725 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
726 extern const CFStringRef kSecAttrKeyClassPrivate
727 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
728 extern const CFStringRef kSecAttrKeyClassSymmetric
729 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
730
731 /*!
732 @enum kSecAttrKeyType Value Constants
733 @discussion Predefined item attribute constants used to get or set values
734 in a dictionary. The kSecAttrKeyType constant is the key
735 and its value is one of the constants defined here.
736 @constant kSecAttrKeyTypeRSA
737 @constant kSecAttrKeyTypeDSA
738 @constant kSecAttrKeyTypeAES
@constant kSecAttrKeyTypeDES
739 @constant kSecAttrKeyType3DES
740 @constant kSecAttrKeyTypeRC4
741 @constant kSecAttrKeyTypeRC2
742 @constant kSecAttrKeyTypeCAST
743 @constant kSecAttrKeyTypeECDSA (deprecated; use kSecAttrKeyTypeEC instead.)
744 @constant kSecAttrKeyTypeEC
745 */
746 extern const CFStringRef kSecAttrKeyTypeRSA
747 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
748 extern const CFStringRef kSecAttrKeyTypeDSA
749 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
750 extern const CFStringRef kSecAttrKeyTypeAES
751 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
752 extern const CFStringRef kSecAttrKeyTypeDES
753 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
754 extern const CFStringRef kSecAttrKeyType3DES
755 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
756 extern const CFStringRef kSecAttrKeyTypeRC4
757 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
758 extern const CFStringRef kSecAttrKeyTypeRC2
759 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
760 extern const CFStringRef kSecAttrKeyTypeCAST
761 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
762 extern const CFStringRef kSecAttrKeyTypeECDSA
763 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
764 extern const CFStringRef kSecAttrKeyTypeEC
765 __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0);
766
767 /*!
768 @enum kSecAttrPRF Value Constants
769 @discussion Predefined item attribute constants used to specify the PRF
770 to use with SecKeyDeriveFromPassword.
771 @constant kSecAttrPRFHmacAlgSHA1
772 @constant kSecAttrPRFHmacAlgSHA224
773 @constant kSecAttrPRFHmacAlgSHA256
774 @constant kSecAttrPRFHmacAlgSHA384
775 @constant kSecAttrPRFHmacAlgSHA512
776 */
777 extern const CFStringRef kSecAttrPRFHmacAlgSHA1
778 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
779 extern const CFStringRef kSecAttrPRFHmacAlgSHA224
780 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
781 extern const CFStringRef kSecAttrPRFHmacAlgSHA256
782 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
783 extern const CFStringRef kSecAttrPRFHmacAlgSHA384
784 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
785 extern const CFStringRef kSecAttrPRFHmacAlgSHA512
786 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
787
788 /*!
789 @enum Search Constants
790 @discussion Predefined search constants used to set values in a query
791 dictionary. You can specify a combination of search attributes and
792 item attributes when looking for matching items with the
793 SecItemCopyMatching function.
794 @constant kSecMatchPolicy Specifies a dictionary key whose value is a
795 SecPolicyRef. If provided, returned certificates or identities must
796 verify with this policy.
797 @constant kSecMatchItemList Specifies a dictionary key whose value is a
798 CFArray of SecKeychainItemRef items. If provided, returned items will be
799 limited to the subset which are contained in this list.
800 @constant kSecMatchSearchList Specifies a dictionary key whose value is a
801 CFArray of SecKeychainRef items. If provided, the search will be limited
802 to the keychains contained in this list.
803 @constant kSecMatchIssuers Specifies a dictionary key whose value is a
804 CFArray of X.500 names (of type CFDataRef). If provided, returned
805 certificates or identities will be limited to those whose
806 certificate chain contains one of the issuers provided in this list.
807 @constant kSecMatchEmailAddressIfPresent Specifies a dictionary key whose
808 value is a CFStringRef containing an RFC822 email address. If
809 provided, returned certificates or identities will be limited to those
810 that contain the address, or do not contain any email address.
811 @constant kSecMatchSubjectContains Specifies a dictionary key whose value
812 is a CFStringRef. If provided, returned certificates or identities
813 will be limited to those containing this string in the subject.
814 @constant kSecMatchSubjectStartsWith Specifies a dictionary key whose value
815 is a CFStringRef. If provided, returned certificates or identities
816 will be limited to those with subject names that start with this string.
817 @constant kSecMatchSubjectEndsWith Specifies a dictionary key whose value
818 is a CFStringRef. If provided, returned certificates or identities
819 will be limited to those with subject names that end with this string.
820 @constant kSecMatchSubjectWholeString Specifies a dictionary key whose
821 value is a CFStringRef. If provided, returned certificates or identities
822 will be limited to those matching this string exactly in the subject.
823 @constant kSecMatchCaseInsensitive Specifies a dictionary key whose value
824 is a CFBooleanRef. If this value is kCFBooleanFalse, or is not
825 provided, then case-sensitive string matching is performed.
826 @constant kSecMatchDiacriticInsensitive Specifies a dictionary key whose
827 value is a CFBooleanRef. If this value is kCFBooleanFalse, or is not
828 provided, then diacritic-sensitive string matching is performed.
829 @constant kSecMatchWidthInsensitive Specifies a dictionary key whose
830 value is a CFBooleanRef. If this value is kCFBooleanFalse, or is not
831 provided, then string matching is width-sensitive (e.g. 'a' != 0xFF41).
832 @constant kSecMatchTrustedOnly Specifies a dictionary key whose value is
833 a CFBooleanRef. If provided with a value of kCFBooleanTrue, only
834 certificates which can be verified back to a trusted anchor will be
835 returned. If this value is kCFBooleanFalse, or is not provided, then
836 both trusted and untrusted certificates may be returned.
837 @constant kSecMatchValidOnDate Specifies a dictionary key whose value is
838 of type CFDateRef. If provided, returned keys, certificates or
839 identities will be limited to those which are valid for the given date.
840 Pass a value of kCFNull to indicate the current date.
841 @constant kSecMatchLimit Specifies a dictionary key whose value is a
842 CFNumberRef. If provided, this value specifies the maximum number of
843 results to return. If not provided, results are limited to the first
844 item found. Predefined values are provided for a single item
845 (kSecMatchLimitOne) and all matching items (kSecMatchLimitAll).
846 @constant kSecMatchLimitOne Specifies that results are limited to the first
847 item found; used as a value for the kSecMatchLimit dictionary key.
848 @constant kSecMatchLimitAll Specifies that an unlimited number of results
849 may be returned; used as a value for the kSecMatchLimit dictionary
850 key.
851 */
852 extern const CFStringRef kSecMatchPolicy
853 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
854 extern const CFStringRef kSecMatchItemList
855 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
856 extern const CFStringRef kSecMatchSearchList
857 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
858 extern const CFStringRef kSecMatchIssuers
859 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
860 extern const CFStringRef kSecMatchEmailAddressIfPresent
861 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
862 extern const CFStringRef kSecMatchSubjectContains
863 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
864 extern const CFStringRef kSecMatchSubjectStartsWith
865 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
866 extern const CFStringRef kSecMatchSubjectEndsWith
867 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
868 extern const CFStringRef kSecMatchSubjectWholeString
869 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
870 extern const CFStringRef kSecMatchCaseInsensitive
871 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
872 extern const CFStringRef kSecMatchDiacriticInsensitive
873 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
874 extern const CFStringRef kSecMatchWidthInsensitive
875 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
876 extern const CFStringRef kSecMatchTrustedOnly
877 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
878 extern const CFStringRef kSecMatchValidOnDate
879 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
880 extern const CFStringRef kSecMatchLimit
881 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
882 extern const CFStringRef kSecMatchLimitOne
883 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
884 extern const CFStringRef kSecMatchLimitAll
885 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
886
887
888 /*!
889 @enum Return Type Key Constants
890 @discussion Predefined return type keys used to set values in a dictionary.
891 You use these keys to specify the type of results which should be
892 returned by the SecItemCopyMatching or SecItemAdd function. You can
893 specify zero or more of these return types. If more than one of these
894 result types is specified, the result is returned as a CFDictionaryRef
895 whose keys are the result types and values are the requested data.
896 @constant kSecReturnData Specifies a dictionary key whose value is of type
897 CFBooleanRef. A value of kCFBooleanTrue indicates that the data of
898 an item (CFDataRef) should be returned. For keys and password
899 items, data is secret (encrypted) and may require the user to enter
900 a password for access.
901 @constant kSecReturnAttributes Specifies a dictionary key whose value is
902 of type CFBooleanRef. A value of kCFBooleanTrue indicates that the
903 (non-encrypted) attributes of an item (in a CFDictionaryRef) should be
904 returned.
905 @constant kSecReturnRef Specifies a dictionary key whose value is a
906 CFBooleanRef. A value of kCFBooleanTrue indicates that a reference
907 should be returned. Depending on the item class requested, the
908 returned reference(s) may be of type SecKeychainItemRef, SecKeyRef,
909 SecCertificateRef, or SecIdentityRef.
910 @constant kSecReturnPersistentRef Specifies a dictionary key whose value
911 is of type CFBooleanRef. A value of kCFBooleanTrue indicates that a
912 persistent reference to an item (CFDataRef) should be returned.
913 */
914 extern const CFStringRef kSecReturnData
915 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
916 extern const CFStringRef kSecReturnAttributes
917 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
918 extern const CFStringRef kSecReturnRef
919 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
920 extern const CFStringRef kSecReturnPersistentRef
921 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
922
923
924 /*!
925 @enum Value Type Key Constants
926 @discussion Predefined value type keys used to pass values in a dictionary.
927 You can specify zero or more of these types depending on the function
928 you are calling. For SecItemCopyMatching or SecItemAdd these are
929 used as keys in the results dictionary.
930 @constant kSecValueData Specifies a dictionary key whose value is of type
931 CFDataRef. For keys and password items, data is secret (encrypted)
932 and may require the user to enter a password for access.
933 @constant kSecValueRef Specifies a dictionary key whose value, depending
934 on the item class requested, is of type SecKeychainItemRef, SecKeyRef,
935 SecCertificateRef, or SecIdentityRef.
936 @constant kSecValuePersistentRef Specifies a dictionary key whose value
937 is of type CFDataRef. The bytes in this CFDataRef can be stored by
938 the caller and used on a subsequent invocation of the application (or
939 even a different application) to retrieve the item referenced by it.
940 */
941 extern const CFStringRef kSecValueData
942 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
943 extern const CFStringRef kSecValueRef
944 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
945 extern const CFStringRef kSecValuePersistentRef
946 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
947
948
949 /*!
950 @enum Other Constants
951 @discussion Predefined constants used to set values in a dictionary.
952 @constant kSecUseItemList Specifies a dictionary key whose value is a
953 CFArray of items. If provided, this array is treated as the set of
954 all possible items to search, or add if the API being called is
955 SecItemAdd. The items in this array may be of type SecKeyRef,
956 SecCertificateRef, SecIdentityRef, or CFDataRef (for a persistent
957 item reference.) The items in the array must all be of the same
958 type. When this attribute is provided, no keychains are searched.
959 @constant kSecUseKeychain Specifies a dictionary key whose value is a
960 keychain reference. You use this key to specify a value of type
961 SecKeychainRef to which SecItemAdd will add the provided item(s).
962 @constant kSecUseOperationPrompt Specifies a dictionary key whose value
963 is a CFStringRef that represents a user-visible string describing
964 the operation for which the application is attempting to authenticate.
965 The application is responsible for the text localization.
966 @constant kSecUseAuthenticationUI Specifies a dictionary key whose value
967 is one of kSecUseAuthenticationUIAllow, kSecUseAuthenticationUIFail, kSecUseAuthenticationUISkip.
968 @constant kSecUseAuthenticationContext Specifies a dictionary key whose value
969 is an LAContext to be used for keychain item authentication.
970 * If the item requires authentication and this key is omitted, a new context
971 will be created just for the purpose of the single call.
972 * If the specified context has been previously authenticated, the operation
973 will succeed without asking the user for authentication.
974 * If the specified context has not been previously authenticated, the new
975 authentication will be started on this context, allowing the caller to
976 eventually reuse the successfully authenticated context in subsequent
977 keychain operations.
978 */
979 extern const CFStringRef kSecUseItemList
980 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
981 extern const CFStringRef kSecUseKeychain
982 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
983 extern const CFStringRef kSecUseOperationPrompt
984 __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
985 extern const CFStringRef kSecUseAuthenticationUI
986 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
987 extern const CFStringRef kSecUseAuthenticationContext
988 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
989
990 /*!
991 @enum kSecUseAuthenticationUI Value Constants
992 @discussion Predefined item attribute constants used to get or set values
993 in a dictionary. The kSecUseAuthenticationUI constant is the key and its
994 value is one of the constants defined here.
995 If the key kSecUseAuthenticationUI is not provided, kSecUseAuthenticationUIAllow
996 is used as the default.
997 @constant kSecUseAuthenticationUIAllow Specifies that authentication UI can appear.
998 @constant kSecUseAuthenticationUIFail Specifies that the error
999 errSecInteractionNotAllowed will be returned if an item needs
1000 to authenticate with UI.
1001 @constant kSecUseAuthenticationUISkip Specifies that all items which need
1002 to authenticate with UI will be silently skipped. This value can be used
1003 only with SecItemCopyMatching.
1004 */
1005 extern const CFStringRef kSecUseAuthenticationUIAllow
1006 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
1007 extern const CFStringRef kSecUseAuthenticationUIFail
1008 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
1009 extern const CFStringRef kSecUseAuthenticationUISkip
1010 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
1011
1012 /*!
1013 @function SecItemCopyMatching
1014 @abstract Returns one or more items which match a search query.
1015 @param query A dictionary containing an item class specification and
1016 optional attributes for controlling the search. See the "Keychain
1017 Search Attributes" section for a description of currently defined
1018 search attributes.
1019 @param result On return, a CFTypeRef reference to the found item(s). The
1020 exact type of the result is based on the search attributes supplied
1021 in the query, as discussed below.
1022 @result A result code. See "Security Error Codes" (SecBase.h).
1023 @discussion Attributes defining a search are specified by adding key/value
1024 pairs to the query dictionary.
1025
1026 A typical query consists of:
1027
1028 * a kSecClass key, whose value is a constant from the Class
1029 Constants section that specifies the class of item(s) to be searched
1030 * one or more keys from the "Attribute Key Constants" section, whose value
1031 is the attribute data to be matched
1032 * one or more keys from the "Search Constants" section, whose value is
1033 used to further refine the search
1034 * a key from the "Return Type Key Constants" section, specifying the type of
1035 results desired
1036
1037 Result types are specified as follows:
1038
1039 * To obtain the data of a matching item (CFDataRef), specify
1040 kSecReturnData with a value of kCFBooleanTrue.
1041 * To obtain the attributes of a matching item (CFDictionaryRef), specify
1042 kSecReturnAttributes with a value of kCFBooleanTrue.
1043 * To obtain a reference to a matching item (SecKeychainItemRef,
1044 SecKeyRef, SecCertificateRef, or SecIdentityRef), specify kSecReturnRef
1045 with a value of kCFBooleanTrue.
1046 * To obtain a persistent reference to a matching item (CFDataRef),
1047 specify kSecReturnPersistentRef with a value of kCFBooleanTrue. Note
1048 that unlike normal references, a persistent reference may be stored
1049 on disk or passed between processes.
1050 * If more than one of these result types is specified, the result is
1051 returned as a CFDictionaryRef containing all the requested data.
1052
1053 By default, this function returns only the first match found. To obtain
1054 more than one matching item at a time, specify kSecMatchLimit with a value
1055 greater than 1. The result will be a CFArrayRef containing up to that
1056 number of matching items; the items' types are described above.
1057
1058 To filter a provided list of items down to those matching the query,
1059 specify a kSecMatchItemList whose value is a CFArray of SecKeychainItemRef,
1060 SecKeyRef, SecCertificateRef, or SecIdentityRef items. The objects in the
1061 provided array must be of the same type.
1062
1063 To convert from persistent item references to normal item references,
1064 specify a kSecMatchItemList whose value is a CFArray containing one or
1065 more CFDataRef elements (the persistent reference), and a kSecReturnRef
1066 whose value is kCFBooleanTrue. The objects in the provided array must be
1067 of the same type.
1068 */
1069 OSStatus SecItemCopyMatching(CFDictionaryRef query, CFTypeRef * __nullable CF_RETURNS_RETAINED result)
1070 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
1071
1072 /*!
1073 @function SecItemAdd
1074 @abstract Add one or more items to a keychain.
1075 @param attributes A dictionary containing an item class specification and
1076 optional entries specifying the item's attribute values. See the
1077 "Attribute Key Constants" section for a description of currently defined
1078 attributes.
1079 @param result On return, a CFTypeRef reference to the newly added item(s).
1080 The exact type of the result is based on the values supplied
1081 in attributes, as discussed below. Pass NULL if this result is not
1082 required.
1083 @result A result code. See "Security Error Codes" (SecBase.h).
1084 @discussion Attributes defining an item are specified by adding key/value
1085 pairs to the attributes dictionary. To add multiple items to a keychain
1086 at once use the kSecUseItemList key with an array of items as its value.
1087 This is currently only supported for non password items. To add an item
1088 to a particular keychain, supply kSecUseKeychain with a SecKeychainRef as
1089 its value.
1090
1091 Result types are specified as follows:
1092
1093 * To obtain the data of the added item (CFDataRef), specify
1094 kSecReturnData with a value of kCFBooleanTrue.
1095 * To obtain all the attributes of the added item (CFDictionaryRef),
1096 specify kSecReturnAttributes with a value of kCFBooleanTrue.
1097 * To obtain a reference to the added item (SecKeychainItemRef, SecKeyRef,
1098 SecCertificateRef, or SecIdentityRef), specify kSecReturnRef with a
1099 value of kCFBooleanTrue. This is the default behavior if a result
1100 type is not explicitly specified.
1101 * To obtain a persistent reference to the added item (CFDataRef), specify
1102 kSecReturnPersistentRef with a value of kCFBooleanTrue. Note that
1103 unlike normal references, a persistent reference may be stored on disk
1104 or passed between processes.
1105 * If more than one of these result types is specified, the result is
1106 returned as a CFDictionaryRef containing all the requested data.
1107 */
1108 OSStatus SecItemAdd(CFDictionaryRef attributes, CFTypeRef * __nullable CF_RETURNS_RETAINED result)
1109 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
1110
1111 /*!
1112 @function SecItemUpdate
1113 @abstract Modify zero or more items which match a search query.
1114 @param query A dictionary containing an item class specification and
1115 optional attributes for controlling the search. See the "Attribute
1116 Constants" and "Search Constants" sections for a description of
1117 currently defined search attributes.
1118 @param attributesToUpdate A dictionary containing one or more attributes
1119 whose values should be set to the ones specified. Only real keychain
1120 attributes are permitted in this dictionary (no "meta" attributes are
1121 allowed.) See the "Attribute Key Constants" section for a description of
1122 currently defined value attributes.
1123 @result A result code. See "Security Error Codes" (SecBase.h).
1124 @discussion Attributes defining a search are specified by adding key/value
1125 pairs to the query dictionary.
1126 */
1127 OSStatus SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate)
1128 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
1129
1130 /*!
1131 @function SecItemDelete
1132 @abstract Delete zero or more items which match a search query.
1133 @param query A dictionary containing an item class specification and
1134 optional attributes for controlling the search. See the "Attribute
1135 Constants" and "Search Constants" sections for a description of
1136 currently defined search attributes.
1137 @result A result code. See "Security Error Codes" (SecBase.h).
1138 @discussion Attributes defining a search are specified by adding key/value
1139 pairs to the query dictionary.
1140
1141 By default, this function deletes all items matching the specified query.
1142 You can change this behavior by specifying one of the following keys:
1143
1144 * To delete an item identified by a transient reference, specify
1145 kSecMatchItemList with a reference returned by using the kSecReturnRef
1146 key in a previous call to SecItemCopyMatching or SecItemAdd.
1147 * To delete an item identified by a persistent reference, specify
1148 kSecMatchItemList with a persistent reference returned by using the
1149 kSecReturnPersistentRef key to SecItemCopyMatching or SecItemAdd.
1150 * If more than one of these result keys is specified, the behavior is
1151 undefined.
1152 */
1153 OSStatus SecItemDelete(CFDictionaryRef query)
1154 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
1155
1156 CF_IMPLICIT_BRIDGING_DISABLED
1157 CF_ASSUME_NONNULL_END
1158
1159 #if defined(__cplusplus)
1160 }
1161 #endif
1162
1163 #endif /* !_SECURITY_SECITEM_H_ */