]> git.saurik.com Git - apple/security.git/blob - keychain/SecKey.h
Security-57740.60.18.tar.gz
[apple/security.git] / keychain / SecKey.h
1 /*
2 * Copyright (c) 2006-2014,2016 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*!
25 @header SecKey
26 The functions provided in SecKey.h implement and manage a particular
27 type of keychain item that represents a key. A key can be stored in a
28 keychain, but a key can also be a transient object.
29
30 On OSX, you can use a SecKey as a SecKeychainItem in most functions.
31 */
32
33 #ifndef _SECURITY_SECKEY_H_
34 #define _SECURITY_SECKEY_H_
35
36 #include <Availability.h>
37 #include <Security/SecBase.h>
38 #include <CoreFoundation/CoreFoundation.h>
39 #include <dispatch/dispatch.h>
40 #include <sys/types.h>
41
42 #if SEC_OS_OSX
43 #include <Security/SecAccess.h>
44 #include <Security/cssmtype.h>
45 #endif /* SEC_OS_OSX */
46
47 __BEGIN_DECLS
48
49 CF_ASSUME_NONNULL_BEGIN
50 CF_IMPLICIT_BRIDGING_ENABLED
51
52 #if SEC_OS_OSX
53 /*!
54 @enum KeyItemAttributeConstants
55 @abstract Specifies keychain item attributes for keys.
56 @constant kSecKeyKeyClass type uint32 (CSSM_KEYCLASS), value
57 is one of CSSM_KEYCLASS_PUBLIC_KEY, CSSM_KEYCLASS_PRIVATE_KEY
58 or CSSM_KEYCLASS_SESSION_KEY.
59 @constant kSecKeyPrintName type blob, human readable name of
60 the key. Same as kSecLabelItemAttr for normal keychain items.
61 @constant kSecKeyAlias type blob, currently unused.
62 @constant kSecKeyPermanent type uint32, value is nonzero iff
63 this key is permanent (stored in some keychain). This is always
64 1.
65 @constant kSecKeyPrivate type uint32, value is nonzero iff this
66 key is protected by a user login or a password, or both.
67 @constant kSecKeyModifiable type uint32, value is nonzero iff
68 attributes of this key can be modified.
69 @constant kSecKeyLabel type blob, for private and public keys
70 this contains the hash of the public key. This is used to
71 associate certificates and keys. Its value matches the value
72 of the kSecPublicKeyHashItemAttr of a certificate and it's used
73 to construct an identity from a certificate and a key.
74 For symmetric keys this is whatever the creator of the key
75 passed in during the generate key call.
76 @constant kSecKeyApplicationTag type blob, currently unused.
77 @constant kSecKeyKeyCreator type data, the data points to a
78 CSSM_GUID structure representing the moduleid of the csp owning
79 this key.
80 @constant kSecKeyKeyType type uint32, value is a CSSM_ALGORITHMS
81 representing the algorithm associated with this key.
82 @constant kSecKeyKeySizeInBits type uint32, value is the number
83 of bits in this key.
84 @constant kSecKeyEffectiveKeySize type uint32, value is the
85 effective number of bits in this key. For example a des key
86 has a kSecKeyKeySizeInBits of 64 but a kSecKeyEffectiveKeySize
87 of 56.
88 @constant kSecKeyStartDate type CSSM_DATE. Earliest date from
89 which this key may be used. If the value is all zeros or not
90 present, no restriction applies.
91 @constant kSecKeyEndDate type CSSM_DATE. Latest date at
92 which this key may be used. If the value is all zeros or not
93 present, no restriction applies.
94 @constant kSecKeySensitive type uint32, iff value is nonzero
95 this key cannot be wrapped with CSSM_ALGID_NONE.
96 @constant kSecKeyAlwaysSensitive type uint32, value is nonzero
97 iff this key has always been marked sensitive.
98 @constant kSecKeyExtractable type uint32, value is nonzero iff
99 this key can be wrapped.
100 @constant kSecKeyNeverExtractable type uint32, value is nonzero
101 iff this key was never marked extractable.
102 @constant kSecKeyEncrypt type uint32, value is nonzero iff this
103 key can be used in an encrypt operation.
104 @constant kSecKeyDecrypt type uint32, value is nonzero iff this
105 key can be used in a decrypt operation.
106 @constant kSecKeyDerive type uint32, value is nonzero iff this
107 key can be used in a deriveKey operation.
108 @constant kSecKeySign type uint32, value is nonzero iff this
109 key can be used in a sign operation.
110 @constant kSecKeyVerify type uint32, value is nonzero iff this
111 key can be used in a verify operation.
112 @constant kSecKeySignRecover type uint32.
113 @constant kSecKeyVerifyRecover type uint32.
114 key can unwrap other keys.
115 @constant kSecKeyWrap type uint32, value is nonzero iff this
116 key can wrap other keys.
117 @constant kSecKeyUnwrap type uint32, value is nonzero iff this
118 key can unwrap other keys.
119 @discussion
120 The use of these enumerations has been deprecated. Please
121 use the equivalent items defined in SecItem.h
122 @@@.
123 */
124 CF_ENUM(int)
125 {
126 kSecKeyKeyClass = 0,
127 kSecKeyPrintName = 1,
128 kSecKeyAlias = 2,
129 kSecKeyPermanent = 3,
130 kSecKeyPrivate = 4,
131 kSecKeyModifiable = 5,
132 kSecKeyLabel = 6,
133 kSecKeyApplicationTag = 7,
134 kSecKeyKeyCreator = 8,
135 kSecKeyKeyType = 9,
136 kSecKeyKeySizeInBits = 10,
137 kSecKeyEffectiveKeySize = 11,
138 kSecKeyStartDate = 12,
139 kSecKeyEndDate = 13,
140 kSecKeySensitive = 14,
141 kSecKeyAlwaysSensitive = 15,
142 kSecKeyExtractable = 16,
143 kSecKeyNeverExtractable = 17,
144 kSecKeyEncrypt = 18,
145 kSecKeyDecrypt = 19,
146 kSecKeyDerive = 20,
147 kSecKeySign = 21,
148 kSecKeyVerify = 22,
149 kSecKeySignRecover = 23,
150 kSecKeyVerifyRecover = 24,
151 kSecKeyWrap = 25,
152 kSecKeyUnwrap = 26
153 };
154
155 /*!
156 @enum SecCredentialType
157 @abstract Determines the type of credential returned by SecKeyGetCredentials.
158 @constant kSecCredentialTypeWithUI Operations with this key are allowed to present UI if required.
159 @constant kSecCredentialTypeNoUI Operations with this key are not allowed to present UI, and will fail if UI is required.
160 @constant kSecCredentialTypeDefault The default setting for determining whether to present UI is used. This setting can be changed with a call to SecKeychainSetUserInteractionAllowed.
161 */
162 typedef CF_ENUM(uint32, SecCredentialType)
163 {
164 kSecCredentialTypeDefault = 0,
165 kSecCredentialTypeWithUI,
166 kSecCredentialTypeNoUI
167 };
168 #endif /* SEC_OS_OSX */
169
170 /*!
171 @typedef SecPadding
172 @abstract Supported padding types.
173 */
174 typedef CF_OPTIONS(uint32_t, SecPadding)
175 {
176 kSecPaddingNone = 0,
177 kSecPaddingPKCS1 = 1,
178 kSecPaddingOAEP = 2, // __OSX_UNAVAILABLE __IOS_AVAILABLE(2.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0),
179
180 /* For SecKeyRawSign/SecKeyRawVerify only,
181 ECDSA signature is raw byte format {r,s}, big endian.
182 First half is r, second half is s */
183 kSecPaddingSigRaw = 0x4000,
184
185 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is an MD2
186 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
187 of the underlying RSA operation. */
188 kSecPaddingPKCS1MD2 = 0x8000, // __OSX_DEPRECATED(10.0, 10.12, "MD2 is deprecated") __IOS_DEPRECATED(2.0, 5.0, "MD2 is deprecated") __TVOS_UNAVAILABLE __WATCHOS_UNAVAILABLE,
189
190 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is an MD5
191 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
192 of the underlying RSA operation. */
193 kSecPaddingPKCS1MD5 = 0x8001, // __OSX_DEPRECATED(10.0, 10.12, "MD5 is deprecated") __IOS_DEPRECATED(2.0, 5.0, "MD5 is deprecated") __TVOS_UNAVAILABLE __WATCHOS_UNAVAILABLE,
194
195 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA1
196 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
197 of the underlying RSA operation. */
198 kSecPaddingPKCS1SHA1 = 0x8002,
199
200 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA224
201 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
202 of the underlying RSA operation. */
203 kSecPaddingPKCS1SHA224 = 0x8003, // __OSX_UNAVAILABLE __IOS_AVAILABLE(2.0),
204
205 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA256
206 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
207 of the underlying RSA operation. */
208 kSecPaddingPKCS1SHA256 = 0x8004, // __OSX_UNAVAILABLE __IOS_AVAILABLE(2.0),
209
210 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA384
211 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
212 of the underlying RSA operation. */
213 kSecPaddingPKCS1SHA384 = 0x8005, // __OSX_UNAVAILABLE __IOS_AVAILABLE(2.0),
214
215 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA512
216 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
217 of the underlying RSA operation. */
218 kSecPaddingPKCS1SHA512 = 0x8006, // __OSX_UNAVAILABLE __IOS_AVAILABLE(2.0),
219 };
220
221 #if SEC_OS_OSX
222 /*!
223 @typedef SecKeySizes
224 @abstract Supported key lengths.
225 */
226 typedef CF_ENUM(uint32_t, SecKeySizes)
227 {
228 kSecDefaultKeySize = 0,
229
230 // Symmetric Keysizes - default is currently kSecAES128 for AES.
231 kSec3DES192 = 192,
232 kSecAES128 = 128,
233 kSecAES192 = 192,
234 kSecAES256 = 256,
235
236 // Supported ECC Keys for Suite-B from RFC 4492 section 5.1.1.
237 // default is currently kSecp256r1
238 kSecp192r1 = 192,
239 kSecp256r1 = 256,
240 kSecp384r1 = 384,
241 kSecp521r1 = 521, // Yes, 521
242
243 // Boundaries for RSA KeySizes - default is currently 2048
244 // RSA keysizes must be multiples of 8
245 kSecRSAMin = 1024,
246 kSecRSAMax = 4096
247 };
248 #endif /* SEC_OS_OSX */
249
250 /*!
251 @enum Key Parameter Constants
252 @discussion Predefined key constants used to get or set values in a dictionary.
253 These are used to provide explicit parameters to key generation functions
254 when non-default values are desired. See the description of the
255 SecKeyGeneratePair API for usage information.
256 @constant kSecPrivateKeyAttrs The value for this key is a CFDictionaryRef
257 containing attributes specific for the private key to be generated.
258 @constant kSecPublicKeyAttrs The value for this key is a CFDictionaryRef
259 containing attributes specific for the public key to be generated.
260 */
261 extern const CFStringRef kSecPrivateKeyAttrs
262 __OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_2_0);
263 extern const CFStringRef kSecPublicKeyAttrs
264 __OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_2_0);
265
266 /*!
267 @function SecKeyGetTypeID
268 @abstract Returns the type identifier of SecKey instances.
269 @result The CFTypeID of SecKey instances.
270 */
271 CFTypeID SecKeyGetTypeID(void)
272 __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0);
273
274
275 #if SEC_OS_OSX
276 /*!
277 @function SecKeyCreatePair
278 @abstract Creates an asymmetric key pair and stores it in a specified keychain.
279 @param keychainRef A reference to the keychain in which to store the private and public key items. Specify NULL for the default keychain.
280 @param algorithm An algorithm for the key pair. This parameter is ignored if a valid (non-zero) contextHandle is supplied.
281 @param keySizeInBits A key size for the key pair. This parameter is ignored if a valid (non-zero) contextHandle is supplied.
282 @param contextHandle (optional) A CSSM_CC_HANDLE, or 0. If this argument is supplied, the algorithm and keySizeInBits parameters are ignored. If extra parameters are needed to generate a key (some algorithms require this), you should create a context using CSSM_CSP_CreateKeyGenContext, using the CSPHandle obtained by calling SecKeychainGetCSPHandle. Then use CSSM_UpdateContextAttributes to add parameters, and dispose of the context using CSSM_DeleteContext after calling this function.
283 @param publicKeyUsage A bit mask indicating all permitted uses for the new public key. CSSM_KEYUSE bit mask values are defined in cssmtype.h.
284 @param publicKeyAttr A bit mask defining attribute values for the new public key. The bit mask values are equivalent to a CSSM_KEYATTR_FLAGS and are defined in cssmtype.h.
285 @param privateKeyUsage A bit mask indicating all permitted uses for the new private key. CSSM_KEYUSE bit mask values are defined in cssmtype.h.
286 @param privateKeyAttr A bit mask defining attribute values for the new private key. The bit mask values are equivalent to a CSSM_KEYATTR_FLAGS and are defined in cssmtype.h.
287 @param initialAccess (optional) A SecAccess object that determines the initial access rights to the private key. The public key is given "any/any" access rights by default.
288 @param publicKey (optional) On return, the keychain item reference of the generated public key. Use the SecKeyGetCSSMKey function to obtain the CSSM_KEY. The caller must call CFRelease on this value if it is returned. Pass NULL if a reference to this key is not required.
289 @param privateKey (optional) On return, the keychain item reference of the generated private key. Use the SecKeyGetCSSMKey function to obtain the CSSM_KEY. The caller must call CFRelease on this value if it is returned. Pass NULL if a reference to this key is not required.
290 @result A result code. See "Security Error Codes" (SecBase.h).
291 @discussion This API is deprecated for 10.7. Please use the SecKeyGeneratePair API instead.
292 */
293 OSStatus SecKeyCreatePair(
294 SecKeychainRef _Nullable keychainRef,
295 CSSM_ALGORITHMS algorithm,
296 uint32 keySizeInBits,
297 CSSM_CC_HANDLE contextHandle,
298 CSSM_KEYUSE publicKeyUsage,
299 uint32 publicKeyAttr,
300 CSSM_KEYUSE privateKeyUsage,
301 uint32 privateKeyAttr,
302 SecAccessRef _Nullable initialAccess,
303 SecKeyRef* _Nullable CF_RETURNS_RETAINED publicKey,
304 SecKeyRef* _Nullable CF_RETURNS_RETAINED privateKey)
305 DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
306
307 /*!
308 @function SecKeyGenerate
309 @abstract Creates a symmetric key and optionally stores it in a specified keychain.
310 @param keychainRef (optional) A reference to the keychain in which to store the generated key. Specify NULL to generate a transient key.
311 @param algorithm An algorithm for the symmetric key. This parameter is ignored if a valid (non-zero) contextHandle is supplied.
312 @param keySizeInBits A key size for the key pair. This parameter is ignored if a valid (non-zero) contextHandle is supplied.
313 @param contextHandle (optional) A CSSM_CC_HANDLE, or 0. If this argument is supplied, the algorithm and keySizeInBits parameters are ignored. If extra parameters are needed to generate a key (some algorithms require this), you should create a context using CSSM_CSP_CreateKeyGenContext, using the CSPHandle obtained by calling SecKeychainGetCSPHandle. Then use CSSM_UpdateContextAttributes to add parameters, and dispose of the context using CSSM_DeleteContext after calling this function.
314 @param keyUsage A bit mask indicating all permitted uses for the new key. CSSM_KEYUSE bit mask values are defined in cssmtype.h.
315 @param keyAttr A bit mask defining attribute values for the new key. The bit mask values are equivalent to a CSSM_KEYATTR_FLAGS and are defined in cssmtype.h.
316 @param initialAccess (optional) A SecAccess object that determines the initial access rights for the key. This parameter is ignored if the keychainRef is NULL.
317 @param keyRef On return, a reference to the generated key. Use the SecKeyGetCSSMKey function to obtain the CSSM_KEY. The caller must call CFRelease on this value if it is returned.
318 @result A result code. See "Security Error Codes" (SecBase.h).
319 @discussion This API is deprecated for 10.7. Please use the SecKeyGenerateSymmetric API instead.
320 */
321 OSStatus SecKeyGenerate(
322 SecKeychainRef _Nullable keychainRef,
323 CSSM_ALGORITHMS algorithm,
324 uint32 keySizeInBits,
325 CSSM_CC_HANDLE contextHandle,
326 CSSM_KEYUSE keyUsage,
327 uint32 keyAttr,
328 SecAccessRef _Nullable initialAccess,
329 SecKeyRef* _Nullable CF_RETURNS_RETAINED keyRef)
330 DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
331
332 /*!
333 @function SecKeyGetCSSMKey
334 @abstract Returns a pointer to the CSSM_KEY for the given key item reference.
335 @param key A keychain key item reference. The key item must be of class type kSecPublicKeyItemClass, kSecPrivateKeyItemClass, or kSecSymmetricKeyItemClass.
336 @param cssmKey On return, a pointer to a CSSM_KEY structure for the given key. This pointer remains valid until the key reference is released. The caller should not attempt to modify or free this data.
337 @result A result code. See "Security Error Codes" (SecBase.h).
338 @discussion The CSSM_KEY is valid until the key item reference is released. This API is deprecated in 10.7. Its use should no longer be needed.
339 */
340 OSStatus SecKeyGetCSSMKey(SecKeyRef key, const CSSM_KEY * _Nullable * __nonnull cssmKey)
341 DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;;
342
343 /*!
344 @function SecKeyGetCSPHandle
345 @abstract Returns the CSSM_CSP_HANDLE for the given key reference. The handle is valid until the key reference is released.
346 @param keyRef A key reference.
347 @param cspHandle On return, the CSSM_CSP_HANDLE for the given keychain.
348 @result A result code. See "Security Error Codes" (SecBase.h).
349 @discussion This API is deprecated in 10.7. Its use should no longer be needed.
350 */
351 OSStatus SecKeyGetCSPHandle(SecKeyRef keyRef, CSSM_CSP_HANDLE *cspHandle)
352 DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
353
354 /*!
355 @function SecKeyGetCredentials
356 @abstract For a given key, return a pointer to a CSSM_ACCESS_CREDENTIALS structure which will allow the key to be used.
357 @param keyRef The key for which a credential is requested.
358 @param operation The type of operation to be performed with this key. See "Authorization tag type" for defined operations (cssmtype.h).
359 @param credentialType The type of credential requested.
360 @param outCredentials On return, a pointer to a CSSM_ACCESS_CREDENTIALS structure. This pointer remains valid until the key reference is released. The caller should not attempt to modify or free this data.
361 @result A result code. See "Security Error Codes" (SecBase.h).
362 */
363 OSStatus SecKeyGetCredentials(
364 SecKeyRef keyRef,
365 CSSM_ACL_AUTHORIZATION_TAG operation,
366 SecCredentialType credentialType,
367 const CSSM_ACCESS_CREDENTIALS * _Nullable * __nonnull outCredentials)
368 DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
369
370 /*!
371 @function SecKeyGenerateSymmetric
372 @abstract Generates a random symmetric key with the specified length
373 and algorithm type.
374
375 @param parameters A dictionary containing one or more key-value pairs.
376 See the discussion sections below for a complete overview of options.
377 @param error An optional pointer to a CFErrorRef. This value is set
378 if an error occurred. If not NULL, the caller is responsible for
379 releasing the CFErrorRef.
380 @result On return, a SecKeyRef reference to the symmetric key, or
381 NULL if the key could not be created.
382
383 @discussion In order to generate a symmetric key, the parameters dictionary
384 must at least contain the following keys:
385
386 * kSecAttrKeyType with a value of kSecAttrKeyTypeAES or any other
387 kSecAttrKeyType defined in SecItem.h
388 * kSecAttrKeySizeInBits with a value being a CFNumberRef containing
389 the requested key size in bits. Example sizes for AES keys are:
390 128, 192, 256, 512.
391
392 To store the generated symmetric key in a keychain, set these keys:
393 * kSecUseKeychain (value is a SecKeychainRef)
394 * kSecAttrLabel (a user-visible label whose value is a CFStringRef,
395 e.g. "My App's Encryption Key")
396 * kSecAttrApplicationLabel (a label defined by your application, whose
397 value is a CFDataRef and which can be used to find this key in a
398 subsequent call to SecItemCopyMatching, e.g. "ID-1234567890-9876-0151")
399
400 To specify the generated key's access control settings, set this key:
401 * kSecAttrAccess (value is a SecAccessRef)
402
403 The keys below may be optionally set in the parameters dictionary
404 (with a CFBooleanRef value) to override the default usage values:
405
406 * kSecAttrCanEncrypt (defaults to true if not explicitly specified)
407 * kSecAttrCanDecrypt (defaults to true if not explicitly specified)
408 * kSecAttrCanWrap (defaults to true if not explicitly specified)
409 * kSecAttrCanUnwrap (defaults to true if not explicitly specified)
410
411 */
412 _Nullable CF_RETURNS_RETAINED
413 SecKeyRef SecKeyGenerateSymmetric(CFDictionaryRef parameters, CFErrorRef *error)
414 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
415
416 /*!
417 @function SecKeyCreateFromData
418 @abstract Creates a symmetric key with the given data and sets the
419 algorithm type specified.
420
421 @param parameters A dictionary containing one or more key-value pairs.
422 See the discussion sections below for a complete overview of options.
423 @result On return, a SecKeyRef reference to the symmetric key.
424
425 @discussion In order to generate a symmetric key the parameters dictionary must
426 at least contain the following keys:
427
428 * kSecAttrKeyType with a value of kSecAttrKeyTypeAES or any other
429 kSecAttrKeyType defined in SecItem.h
430
431 The keys below may be optionally set in the parameters dictionary
432 (with a CFBooleanRef value) to override the default usage values:
433
434 * kSecAttrCanEncrypt (defaults to true if not explicitly specified)
435 * kSecAttrCanDecrypt (defaults to true if not explicitly specified)
436 * kSecAttrCanWrap (defaults to true if not explicitly specified)
437 * kSecAttrCanUnwrap (defaults to true if not explicitly specified)
438
439 */
440 _Nullable
441 SecKeyRef SecKeyCreateFromData(CFDictionaryRef parameters,
442 CFDataRef keyData, CFErrorRef *error)
443 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
444
445
446 #ifdef __BLOCKS__
447 /*!
448 @typedef SecKeyGeneratePairBlock
449 @abstract Delivers the result from an asynchronous key pair generation.
450 @param publicKey - the public key generated. You must retain publicKey if you wish to use it after your block returns.
451 @param privateKey - the private key generated. You must retain publicKey if you wish to use it after your block returns.
452 @param error - Any errors returned. You must retain error if you wish to use it after your block returns.
453 */
454
455 typedef void (^SecKeyGeneratePairBlock)(SecKeyRef publicKey, SecKeyRef privateKey, CFErrorRef error);
456
457 /*!
458 @function SecKeyGeneratePairAsync
459 @abstract Generate a private/public keypair returning the values in a callback.
460 @param parameters A dictionary containing one or more key-value pairs.
461 @param deliveryQueue A dispatch queue to be used to deliver the results.
462 @param result A callback function to result when the operation has completed.
463
464 @discussion In order to generate a keypair the parameters dictionary must
465 at least contain the following keys:
466
467 * kSecAttrKeyType with a value being kSecAttrKeyTypeRSA or any other
468 kSecAttrKeyType defined in SecItem.h
469 * kSecAttrKeySizeInBits with a value being a CFNumberRef or CFStringRef
470 containing the requested key size in bits. Example sizes for RSA
471 keys are: 512, 768, 1024, 2048.
472
473 Setting the following attributes explicitly will override the defaults below.
474 See SecItem.h for detailed information on these attributes including the types
475 of the values.
476
477 * kSecAttrLabel default NULL
478 * kSecAttrIsPermanent if this key is present and has a Boolean
479 value of true, the key or key pair will be added to the default
480 keychain.
481 * kSecAttrApplicationTag default NULL
482 * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits
483 * kSecAttrCanEncrypt default false for private keys, true for public keys
484 * kSecAttrCanDecrypt default true for private keys, false for public keys
485 * kSecAttrCanDerive default true
486 * kSecAttrCanSign default true for private keys, false for public keys
487 * kSecAttrCanVerify default false for private keys, true for public keys
488 * kSecAttrCanWrap default false for private keys, true for public keys
489 * kSecAttrCanUnwrap default true for private keys, false for public keys
490
491 */
492 void SecKeyGeneratePairAsync(CFDictionaryRef parameters,
493 dispatch_queue_t deliveryQueue, SecKeyGeneratePairBlock result)
494 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
495
496 #endif /* __BLOCKS__ */
497
498 // Derive, Wrap, and Unwrap
499
500 /*!
501 @function SecKeyDeriveFromPassword
502 @abstract Derives a symmetric key from a password.
503
504 @param password The password from which the keyis to be derived.
505 @param parameters A dictionary containing one or more key-value pairs.
506 @param error If the call fails this will contain the error code.
507
508 @discussion In order to derive a key the parameters dictionary must contain at least contain the following keys:
509 * kSecAttrSalt - a CFData for the salt value for mixing in the pseudo-random rounds.
510 * kSecAttrPRF - the algorithm to use for the pseudo-random-function.
511 If 0, this defaults to kSecAttrPRFHmacAlgSHA1. Possible values are:
512
513 * kSecAttrPRFHmacAlgSHA1
514 * kSecAttrPRFHmacAlgSHA224
515 * kSecAttrPRFHmacAlgSHA256
516 * kSecAttrPRFHmacAlgSHA384
517 * kSecAttrPRFHmacAlgSHA512
518
519 * kSecAttrRounds - the number of rounds to call the pseudo random function.
520 If 0, a count will be computed to average 1/10 of a second.
521 * kSecAttrKeySizeInBits with a value being a CFNumberRef
522 containing the requested key size in bits. Example sizes for RSA keys are:
523 512, 768, 1024, 2048.
524
525 @result On success a SecKeyRef is returned. On failure this result is NULL and the
526 error parameter contains the reason.
527
528 */
529 _Nullable CF_RETURNS_RETAINED
530 SecKeyRef SecKeyDeriveFromPassword(CFStringRef password,
531 CFDictionaryRef parameters, CFErrorRef *error)
532 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
533
534 /*!
535 @function SecKeyWrapSymmetric
536 @abstract Wraps a symmetric key with a symmetric key.
537
538 @param keyToWrap The key which is to be wrapped.
539 @param wrappingKey The key wrapping key.
540 @param parameters The parameter list to use for wrapping the key.
541 @param error If the call fails this will contain the error code.
542
543 @result On success a CFDataRef is returned. On failure this result is NULL and the
544 error parameter contains the reason.
545
546 @discussion In order to wrap a key the parameters dictionary may contain the following key:
547 * kSecSalt - a CFData for the salt value for the encrypt.
548
549 */
550 _Nullable
551 CFDataRef SecKeyWrapSymmetric(SecKeyRef keyToWrap,
552 SecKeyRef wrappingKey, CFDictionaryRef parameters, CFErrorRef *error)
553 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
554
555 /*!
556 @function SecKeyUnwrapSymmetric
557 @abstract Unwrap a wrapped symmetric key.
558
559 @param keyToUnwrap The wrapped key to unwrap.
560 @param unwrappingKey The key unwrapping key.
561 @param parameters The parameter list to use for unwrapping the key.
562 @param error If the call fails this will contain the error code.
563
564 @result On success a SecKeyRef is returned. On failure this result is NULL and the
565 error parameter contains the reason.
566
567 @discussion In order to unwrap a key the parameters dictionary may contain the following key:
568 * kSecSalt - a CFData for the salt value for the decrypt.
569
570 */
571 _Nullable
572 SecKeyRef SecKeyUnwrapSymmetric(CFDataRef _Nullable * __nonnull keyToUnwrap,
573 SecKeyRef unwrappingKey, CFDictionaryRef parameters, CFErrorRef *error)
574 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
575
576 #endif /* SEC_OS_OSX */
577
578 /*!
579 @function SecKeyGeneratePair
580 @abstract Generate a private/public keypair.
581 @param parameters A dictionary containing one or more key-value pairs.
582 See the discussion sections below for a complete overview of options.
583 @param publicKey On return, a SecKeyRef reference to the public key.
584 @param privateKey On return, a SecKeyRef reference to the private key.
585 @result A result code. See "Security Error Codes" (SecBase.h).
586
587 @discussion In order to generate a keypair the parameters dictionary must
588 at least contain the following keys:
589
590 * kSecAttrKeyType with a value of kSecAttrKeyTypeRSA or any other
591 kSecAttrKeyType defined in SecItem.h
592 * kSecAttrKeySizeInBits with a value being a CFNumberRef containing
593 the requested key size in bits. Example sizes for RSA keys are:
594 512, 768, 1024, 2048.
595
596 The values below may be set either in the top-level dictionary or in a
597 dictionary that is the value of the kSecPrivateKeyAttrs or
598 kSecPublicKeyAttrs key in the top-level dictionary. Setting these
599 attributes explicitly will override the defaults below. See SecItem.h
600 for detailed information on these attributes including the types of
601 the values.
602
603 * kSecAttrLabel default NULL
604 * kSecUseKeychain default NULL, which specifies the default keychain
605 * kSecAttrIsPermanent default false
606 if this key is present and has a Boolean value of true, the key or
607 key pair will be added to the keychain.
608 * kSecAttrTokenID default NULL
609 The CFStringRef ID of the token to generate the key or keypair on. This
610 attribute can contain CFStringRef and can be present only in the top-level
611 parameters dictionary.
612 * kSecAttrApplicationTag default NULL
613 * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits
614 * kSecAttrCanEncrypt default false for private keys, true for public keys
615 * kSecAttrCanDecrypt default true for private keys, false for public keys
616 * kSecAttrCanDerive default true
617 * kSecAttrCanSign default true for private keys, false for public keys
618 * kSecAttrCanVerify default false for private keys, true for public keys
619 * kSecAttrCanWrap default false for private keys, true for public keys
620 * kSecAttrCanUnwrap default true for private keys, false for public keys
621
622 */
623 OSStatus SecKeyGeneratePair(CFDictionaryRef parameters,
624 SecKeyRef * _Nullable CF_RETURNS_RETAINED publicKey, SecKeyRef * _Nullable CF_RETURNS_RETAINED privateKey)
625 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
626
627
628 #if SEC_OS_IPHONE
629 /*!
630 @function SecKeyRawSign
631 @abstract Given a private key and data to sign, generate a digital
632 signature.
633 @param key Private key with which to sign.
634 @param padding See Padding Types above, typically kSecPaddingPKCS1SHA1.
635 @param dataToSign The data to be signed, typically the digest of the
636 actual data.
637 @param dataToSignLen Length of dataToSign in bytes.
638 @param sig Pointer to buffer in which the signature will be returned.
639 @param sigLen IN/OUT maximum length of sig buffer on input, actualy
640 length of sig on output.
641 @result A result code. See "Security Error Codes" (SecBase.h).
642 @discussion If the padding argument is kSecPaddingPKCS1, PKCS1 padding
643 will be performed prior to signing. If this argument is kSecPaddingNone,
644 the incoming data will be signed "as is".
645
646 When PKCS1 padding is performed, the maximum length of data that can
647 be signed is the value returned by SecKeyGetBlockSize() - 11.
648
649 NOTE: The behavior this function with kSecPaddingNone is undefined if the
650 first byte of dataToSign is zero; there is no way to verify leading zeroes
651 as they are discarded during the calculation.
652
653 If you want to generate a proper PKCS1 style signature with DER encoding
654 of the digest type - and the dataToSign is a SHA1 digest - use
655 kSecPaddingPKCS1SHA1.
656 */
657 OSStatus SecKeyRawSign(
658 SecKeyRef key,
659 SecPadding padding,
660 const uint8_t *dataToSign,
661 size_t dataToSignLen,
662 uint8_t *sig,
663 size_t *sigLen)
664 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
665
666
667 /*!
668 @function SecKeyRawVerify
669 @abstract Given a public key, data which has been signed, and a signature,
670 verify the signature.
671 @param key Public key with which to verify the signature.
672 @param padding See Padding Types above, typically kSecPaddingPKCS1SHA1.
673 @param signedData The data over which sig is being verified, typically
674 the digest of the actual data.
675 @param signedDataLen Length of signedData in bytes.
676 @param sig Pointer to the signature to verify.
677 @param sigLen Length of sig in bytes.
678 @result A result code. See "Security Error Codes" (SecBase.h).
679 @discussion If the padding argument is kSecPaddingPKCS1, PKCS1 padding
680 will be checked during verification. If this argument is kSecPaddingNone,
681 the incoming data will be compared directly to sig.
682
683 If you are verifying a proper PKCS1-style signature, with DER encoding
684 of the digest type - and the signedData is a SHA1 digest - use
685 kSecPaddingPKCS1SHA1.
686 */
687 OSStatus SecKeyRawVerify(
688 SecKeyRef key,
689 SecPadding padding,
690 const uint8_t *signedData,
691 size_t signedDataLen,
692 const uint8_t *sig,
693 size_t sigLen)
694 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
695
696
697 /*!
698 @function SecKeyEncrypt
699 @abstract Encrypt a block of plaintext.
700 @param key Public key with which to encrypt the data.
701 @param padding See Padding Types above, typically kSecPaddingPKCS1.
702 @param plainText The data to encrypt.
703 @param plainTextLen Length of plainText in bytes, this must be less
704 or equal to the value returned by SecKeyGetBlockSize().
705 @param cipherText Pointer to the output buffer.
706 @param cipherTextLen On input, specifies how much space is available at
707 cipherText; on return, it is the actual number of cipherText bytes written.
708 @result A result code. See "Security Error Codes" (SecBase.h).
709 @discussion If the padding argument is kSecPaddingPKCS1 or kSecPaddingOAEP,
710 PKCS1 (respectively kSecPaddingOAEP) padding will be performed prior to encryption.
711 If this argument is kSecPaddingNone, the incoming data will be encrypted "as is".
712 kSecPaddingOAEP is the recommended value. Other value are not recommended
713 for security reason (Padding attack or malleability).
714
715 When PKCS1 padding is performed, the maximum length of data that can
716 be encrypted is the value returned by SecKeyGetBlockSize() - 11.
717
718 When memory usage is a critical issue, note that the input buffer
719 (plainText) can be the same as the output buffer (cipherText).
720 */
721 OSStatus SecKeyEncrypt(
722 SecKeyRef key,
723 SecPadding padding,
724 const uint8_t *plainText,
725 size_t plainTextLen,
726 uint8_t *cipherText,
727 size_t *cipherTextLen)
728 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
729
730
731 /*!
732 @function SecKeyDecrypt
733 @abstract Decrypt a block of ciphertext.
734 @param key Private key with which to decrypt the data.
735 @param padding See Padding Types above, typically kSecPaddingPKCS1.
736 @param cipherText The data to decrypt.
737 @param cipherTextLen Length of cipherText in bytes, this must be less
738 or equal to the value returned by SecKeyGetBlockSize().
739 @param plainText Pointer to the output buffer.
740 @param plainTextLen On input, specifies how much space is available at
741 plainText; on return, it is the actual number of plainText bytes written.
742 @result A result code. See "Security Error Codes" (SecBase.h).
743 @discussion If the padding argument is kSecPaddingPKCS1 or kSecPaddingOAEP,
744 the corresponding padding will be removed after decryption.
745 If this argument is kSecPaddingNone, the decrypted data will be returned "as is".
746
747 When memory usage is a critical issue, note that the input buffer
748 (plainText) can be the same as the output buffer (cipherText).
749 */
750 OSStatus SecKeyDecrypt(
751 SecKeyRef key, /* Private key */
752 SecPadding padding, /* kSecPaddingNone,
753 kSecPaddingPKCS1,
754 kSecPaddingOAEP */
755 const uint8_t *cipherText,
756 size_t cipherTextLen, /* length of cipherText */
757 uint8_t *plainText,
758 size_t *plainTextLen) /* IN/OUT */
759 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
760
761 #endif // SEC_OS_IPHONE
762
763 /*!
764 @function SecKeyCreateRandomKey
765 @abstract Generates a new public/private key pair.
766 @param parameters A dictionary containing one or more key-value pairs.
767 See the discussion sections below for a complete overview of options.
768 @param error On error, will be populated with an error object describing the failure.
769 See "Security Error Codes" (SecBase.h).
770 @return Newly generated private key. To get associated public key, use SecKeyCopyPublicKey().
771 @discussion In order to generate a keypair the parameters dictionary must
772 at least contain the following keys:
773
774 * kSecAttrKeyType with a value being kSecAttrKeyTypeRSA or any other
775 kSecAttrKeyType defined in SecItem.h
776 * kSecAttrKeySizeInBits with a value being a CFNumberRef or CFStringRef
777 containing the requested key size in bits. Example sizes for RSA
778 keys are: 512, 768, 1024, 2048.
779
780 The values below may be set either in the top-level dictionary or in a
781 dictionary that is the value of the kSecPrivateKeyAttrs or
782 kSecPublicKeyAttrs key in the top-level dictionary. Setting these
783 attributes explicitly will override the defaults below. See SecItem.h
784 for detailed information on these attributes including the types of
785 the values.
786
787 * kSecAttrLabel default NULL
788 * kSecAttrIsPermanent if this key is present and has a Boolean value of true,
789 the key or key pair will be added to the default keychain.
790 * kSecAttrTokenID if this key should be generated on specified token. This
791 attribute can contain CFStringRef and can be present only in the top-level
792 parameters dictionary.
793 * kSecAttrApplicationTag default NULL
794 * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits
795 * kSecAttrCanEncrypt default false for private keys, true for public keys
796 * kSecAttrCanDecrypt default true for private keys, false for public keys
797 * kSecAttrCanDerive default true
798 * kSecAttrCanSign default true for private keys, false for public keys
799 * kSecAttrCanVerify default false for private keys, true for public keys
800 * kSecAttrCanWrap default false for private keys, true for public keys
801 * kSecAttrCanUnwrap default true for private keys, false for public keys
802 */
803 SecKeyRef _Nullable SecKeyCreateRandomKey(CFDictionaryRef parameters, CFErrorRef *error)
804 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
805
806 /*!
807 @function SecKeyCreateWithData
808 @abstract Create a SecKey from a well-defined external representation.
809 @param keyData CFData representing the key. The format of the data depends on the type of key being created.
810 @param attributes Dictionary containing attributes describing the key to be imported. The keys in this dictionary
811 are kSecAttr* constants from SecItem.h. Mandatory attributes are:
812 * kSecAttrKeyType
813 * kSecAttrKeyClass
814 @param error On error, will be populated with an error object describing the failure.
815 See "Security Error Codes" (SecBase.h).
816 @result A SecKey object representing the key, or NULL on failure.
817 @discussion This function does not add keys to any keychain, but the SecKey object it returns can be added
818 to keychain using the SecItemAdd function.
819 The requested data format depend on the type of key (kSecAttrKeyType) being created:
820 * kSecAttrKeyTypeRSA PKCS#1 format, public key can be also in x509 public key format
821 * kSecAttrKeyTypeECSECPrimeRandom ANSI X9.63 format (04 || X || Y [ || K])
822 */
823 SecKeyRef _Nullable SecKeyCreateWithData(CFDataRef keyData, CFDictionaryRef attributes, CFErrorRef *error)
824 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
825
826 /*!
827 @function SecKeyGetBlockSize
828 @abstract Decrypt a block of ciphertext.
829 @param key The key for which the block length is requested.
830 @result The block length of the key in bytes.
831 @discussion If for example key is an RSA key the value returned by
832 this function is the size of the modulus.
833 */
834 size_t SecKeyGetBlockSize(SecKeyRef key)
835 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
836
837 /*!
838 @function SecKeyCopyExternalRepresentation
839 @abstract Create an external representation for the given key suitable for the key's type.
840 @param key The key to be exported.
841 @param error On error, will be populated with an error object describing the failure.
842 See "Security Error Codes" (SecBase.h).
843 @result A CFData representing the key in a format suitable for that key type.
844 @discussion This function may fail if the key is not exportable (e.g., bound to a smart card or Secure Enclave).
845 The format in which the key will be exported depends on the type of key:
846 * kSecAttrKeyTypeRSA PKCS#1 format
847 * kSecAttrKeyTypeECSECPrimeRandom ANSI X9.63 format (04 || X || Y [ || K])
848 */
849 CFDataRef _Nullable SecKeyCopyExternalRepresentation(SecKeyRef key, CFErrorRef *error)
850 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
851
852 /*!
853 @function SecKeyCopyAttributes
854 @abstract Retrieve keychain attributes of a key.
855 @param key The key whose attributes are to be retrieved.
856 @result Dictionary containing attributes of the key. The keys that populate this dictionary are defined
857 and discussed in SecItem.h.
858 @discussion The attributes provided by this function are:
859 * kSecAttrCanEncrypt
860 * kSecAttrCanDecrypt
861 * kSecAttrCanDerive
862 * kSecAttrCanSign
863 * kSecAttrCanVerify
864 * kSecAttrKeyClass
865 * kSecAttrKeyType
866 * kSecAttrKeySizeInBits
867 * kSecAttrTokenID
868 * kSecAttrApplicationLabel
869 Other values returned in that dictionary are RFU.
870 */
871 CFDictionaryRef _Nullable SecKeyCopyAttributes(SecKeyRef key)
872 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
873
874 /*!
875 @function SecKeyCopyPublicKey
876 @abstract Retrieve the public key from a key pair or private key.
877 @param key The key from which to retrieve a public key.
878 @result The public key or NULL if public key is not available for specified key.
879 @discussion Fails if key does not contain a public key or no public key can be computed from it.
880 */
881 SecKeyRef _Nullable SecKeyCopyPublicKey(SecKeyRef key)
882 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
883
884 /*!
885 @enum SecKeyAlgorithm
886 @abstract Available algorithms for performing cryptographic operations with SecKey object. String representation
887 of constant can be used for logging or debugging purposes, because they contain human readable names of the algorithm.
888
889 @constant kSecKeyAlgorithmRSASignatureRaw
890 Raw RSA sign/verify operation, size of input data must be the same as value returned by SecKeyGetBlockSize().
891
892 @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw
893 RSA sign/verify operation, assumes that input data is digest and OID and digest algorithm as specified in PKCS# v1.5.
894 This algorithm is typically not used directly, instead use algorithm with specified digest, like
895 kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256.
896
897 @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1
898 RSA signature with PKCS#1 padding, input data must be SHA-1 generated digest.
899
900 @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224
901 RSA signature with PKCS#1 padding, input data must be SHA-224 generated digest.
902
903 @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256
904 RSA signature with PKCS#1 padding, input data must be SHA-256 generated digest.
905
906 @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384
907 RSA signature with PKCS#1 padding, input data must be SHA-384 generated digest.
908
909 @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512
910 RSA signature with PKCS#1 padding, input data must be SHA-512 generated digest.
911
912 @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1
913 RSA signature with PKCS#1 padding, SHA-1 digest is generated from input data of any size.
914
915 @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224
916 RSA signature with PKCS#1 padding, SHA-224 digest is generated from input data of any size.
917
918 @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256
919 RSA signature with PKCS#1 padding, SHA-256 digest is generated from input data of any size.
920
921 @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384
922 RSA signature with PKCS#1 padding, SHA-384 digest is generated from input data of any size.
923
924 @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512
925 RSA signature with PKCS#1 padding, SHA-512 digest is generated from input data of any size.
926
927 @constant kSecKeyAlgorithmECDSASignatureRFC4754
928 ECDSA algorithm, signature is concatenated r and s, big endian, data is message digest.
929
930 @constant kSecKeyAlgorithmECDSASignatureDigestX962
931 ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest.
932
933 @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
934 ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA1 algorithm.
935
936 @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
937 ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA224 algorithm.
938
939 @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
940 ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA256 algorithm.
941
942 @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
943 ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA384 algorithm.
944
945 @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
946 ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA512 algorithm.
947
948 @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA1
949 ECDSA algorithm, signature is in DER x9.62 encoding, SHA-1 digest is generated from input data of any size.
950
951 @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA224
952 ECDSA algorithm, signature is in DER x9.62 encoding, SHA-224 digest is generated from input data of any size.
953
954 @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA256
955 ECDSA algorithm, signature is in DER x9.62 encoding, SHA-256 digest is generated from input data of any size.
956
957 @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA384
958 ECDSA algorithm, signature is in DER x9.62 encoding, SHA-384 digest is generated from input data of any size.
959
960 @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA512
961 ECDSA algorithm, signature is in DER x9.62 encoding, SHA-512 digest is generated from input data of any size.
962
963 @constant kSecKeyAlgorithmRSAEncryptionRaw
964 Raw RSA encryption or decryption, size of data must match RSA key modulus size. Note that direct
965 use of this algorithm without padding is cryptographically very weak, it is important to always introduce
966 some kind of padding. Input data size must be less or equal to the key block size and returned block has always
967 the same size as block size, as returned by SecKeyGetBlockSize().
968
969 @constant kSecKeyAlgorithmRSAEncryptionPKCS1
970 RSA encryption or decryption, data is padded using PKCS#1 padding scheme. This algorithm should be used only for
971 backward compatibility with existing protocols and data. New implementations should choose cryptographically
972 stronger algorithm instead (see kSecKeyAlgorithmRSAEncryptionOAEP). Input data must be at most
973 "key block size - 11" bytes long and returned block has always the same size as block size, as returned
974 by SecKeyGetBlockSize().
975
976 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA1
977 RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA1. Input data must be at most
978 "key block size - 42" bytes long and returned block has always the same size as block size, as returned
979 by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM to be able to encrypt and decrypt arbitrary long data.
980
981 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA224
982 RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA224. Input data must be at most
983 "key block size - 58" bytes long and returned block has always the same size as block size, as returned
984 by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM to be able to encrypt and decrypt arbitrary long data.
985
986 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA256
987 RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA256. Input data must be at most
988 "key block size - 66" bytes long and returned block has always the same size as block size, as returned
989 by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM to be able to encrypt and decrypt arbitrary long data.
990
991 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA384
992 RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA384. Input data must be at most
993 "key block size - 98" bytes long and returned block has always the same size as block size, as returned
994 by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM to be able to encrypt and decrypt arbitrary long data.
995
996 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA512
997 RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA512. Input data must be at most
998 "key block size - 130" bytes long and returned block has always the same size as block size, as returned
999 by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM to be able to encrypt and decrypt arbitrary long data.
1000
1001 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM
1002 Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
1003 mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
1004 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
1005 as authentication data for AES-GCM encryption.
1006
1007 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM
1008 Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
1009 mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
1010 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
1011 as authentication data for AES-GCM encryption.
1012
1013 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM
1014 Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
1015 mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
1016 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
1017 as authentication data for AES-GCM encryption.
1018
1019 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM
1020 Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
1021 mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
1022 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
1023 as authentication data for AES-GCM encryption.
1024
1025 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM
1026 Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
1027 mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
1028 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
1029 as authentication data for AES-GCM encryption.
1030
1031 @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM
1032 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
1033 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size
1034 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
1035 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
1036 all-zero 16 byte long IV (initialization vector).
1037
1038 @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM
1039 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
1040 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size
1041 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
1042 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
1043 all-zero 16 byte long IV (initialization vector).
1044
1045 @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM
1046 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
1047 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size
1048 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
1049 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
1050 all-zero 16 byte long IV (initialization vector).
1051
1052 @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM
1053 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
1054 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size
1055 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
1056 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
1057 all-zero 16 byte long IV (initialization vector).
1058
1059 @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM
1060 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
1061 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size
1062 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
1063 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
1064 all-zero 16 byte long IV (initialization vector).
1065
1066 @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM
1067 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
1068 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size
1069 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
1070 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
1071 all-zero 16 byte long IV (initialization vector).
1072
1073 @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM
1074 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
1075 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size
1076 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
1077 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
1078 all-zero 16 byte long IV (initialization vector).
1079
1080 @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM
1081 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
1082 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size
1083 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
1084 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
1085 all-zero 16 byte long IV (initialization vector).
1086
1087 @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM
1088 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
1089 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size
1090 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
1091 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
1092 all-zero 16 byte long IV (initialization vector).
1093
1094 @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM
1095 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
1096 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size
1097 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
1098 and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
1099 all-zero 16 byte long IV (initialization vector).
1100
1101 @constant kSecKeyAlgorithmECDHKeyExchangeCofactor
1102 Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys.
1103 This algorithm does not accept any parameters, length of output raw shared secret is given by the length of the key.
1104
1105 @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1
1106 Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
1107 and apply ANSI X9.63 KDF with SHA1 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
1108 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
1109
1110 @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224
1111 Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
1112 and apply ANSI X9.63 KDF with SHA224 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
1113 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
1114
1115 @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256
1116 Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
1117 and apply ANSI X9.63 KDF with SHA256 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
1118 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
1119
1120 @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384
1121 Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
1122 and apply ANSI X9.63 KDF with SHA384 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
1123 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
1124
1125 @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512
1126 Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
1127 and apply ANSI X9.63 KDF with SHA512 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
1128 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
1129
1130 @constant kSecKeyAlgorithmECDHKeyExchangeStandard
1131 Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys.
1132 This algorithm does not accept any parameters, length of output raw shared secret is given by the length of the key.
1133
1134 @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1
1135 Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
1136 and apply ANSI X9.63 KDF with SHA1 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
1137 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
1138
1139 @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224
1140 Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
1141 and apply ANSI X9.63 KDF with SHA224 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
1142 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
1143
1144 @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256
1145 Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
1146 and apply ANSI X9.63 KDF with SHA256 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
1147 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
1148
1149 @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384
1150 Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
1151 and apply ANSI X9.63 KDF with SHA384 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
1152 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
1153
1154 @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512
1155 Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
1156 and apply ANSI X9.63 KDF with SHA512 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
1157 kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
1158 */
1159
1160 typedef CFStringRef SecKeyAlgorithm CF_STRING_ENUM
1161 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1162
1163 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureRaw
1164 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1165
1166 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw
1167 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1168
1169 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1
1170 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1171 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224
1172 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1173 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256
1174 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1175 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384
1176 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1177 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512
1178 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1179
1180 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1
1181 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1182 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224
1183 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1184 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256
1185 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1186 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384
1187 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1188 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512
1189 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1190
1191 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureRFC4754
1192 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1193
1194 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962
1195 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1196 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA1
1197 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1198 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA224
1199 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1200 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA256
1201 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1202 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA384
1203 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1204 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA512
1205 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1206
1207 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA1
1208 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1209 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA224
1210 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1211 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA256
1212 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1213 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA384
1214 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1215 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA512
1216 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1217
1218 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionRaw
1219 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1220 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionPKCS1
1221 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1222 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA1
1223 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1224 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA224
1225 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1226 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA256
1227 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1228 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA384
1229 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1230 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA512
1231 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1232
1233 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM
1234 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1235 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM
1236 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1237 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM
1238 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1239 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM
1240 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1241 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM
1242 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1243
1244 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM
1245 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1246 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM
1247 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1248 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM
1249 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1250 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM
1251 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1252 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM
1253 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1254
1255 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM
1256 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1257 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM
1258 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1259 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM
1260 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1261 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM
1262 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1263 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM
1264 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1265
1266 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandard
1267 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1268 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1
1269 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1270 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224
1271 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1272 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256
1273 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1274 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384
1275 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1276 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512
1277 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1278
1279 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactor
1280 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1281 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1
1282 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1283 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224
1284 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1285 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256
1286 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1287 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384
1288 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1289 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512
1290 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1291
1292 /*!
1293 @function SecKeyCreateSignature
1294 @abstract Given a private key and data to sign, generate a digital signature.
1295 @param key Private key with which to sign.
1296 @param algorithm One of SecKeyAlgorithm constants suitable to generate signature with this key.
1297 @param dataToSign The data to be signed, typically the digest of the actual data.
1298 @param error On error, will be populated with an error object describing the failure.
1299 See "Security Error Codes" (SecBase.h).
1300 @result The signature over dataToSign represented as a CFData, or NULL on failure.
1301 @discussion Computes digital signature using specified key over input data. The operation algorithm
1302 further defines the exact format of input data, operation to be performed and output signature.
1303 */
1304 CFDataRef _Nullable SecKeyCreateSignature(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef dataToSign, CFErrorRef *error)
1305 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1306
1307 /*!
1308 @function SecKeyVerifySignature
1309 @abstract Given a public key, data which has been signed, and a signature, verify the signature.
1310 @param key Public key with which to verify the signature.
1311 @param algorithm One of SecKeyAlgorithm constants suitable to verify signature with this key.
1312 @param signedData The data over which sig is being verified, typically the digest of the actual data.
1313 @param signature The signature to verify.
1314 @param error On error, will be populated with an error object describing the failure.
1315 See "Security Error Codes" (SecBase.h).
1316 @result True if the signature was valid, False otherwise.
1317 @discussion Verifies digital signature operation using specified key and signed data. The operation algorithm
1318 further defines the exact format of input data, signature and operation to be performed.
1319 */
1320 Boolean SecKeyVerifySignature(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef signedData, CFDataRef signature, CFErrorRef *error)
1321 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1322
1323 /*!
1324 @function SecKeyCreateEncryptedData
1325 @abstract Encrypt a block of plaintext.
1326 @param key Public key with which to encrypt the data.
1327 @param algorithm One of SecKeyAlgorithm constants suitable to perform encryption with this key.
1328 @param plaintext The data to encrypt. The length and format of the data must conform to chosen algorithm,
1329 typically be less or equal to the value returned by SecKeyGetBlockSize().
1330 @param error On error, will be populated with an error object describing the failure.
1331 See "Security Error Codes" (SecBase.h).
1332 @result The ciphertext represented as a CFData, or NULL on failure.
1333 @discussion Encrypts plaintext data using specified key. The exact type of the operation including the format
1334 of input and output data is specified by encryption algorithm.
1335 */
1336 CFDataRef _Nullable SecKeyCreateEncryptedData(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef plaintext,
1337 CFErrorRef *error)
1338 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1339
1340 /*!
1341 @function SecKeyCreateDecryptedData
1342 @abstract Decrypt a block of ciphertext.
1343 @param key Private key with which to decrypt the data.
1344 @param algorithm One of SecKeyAlgorithm constants suitable to perform decryption with this key.
1345 @param ciphertext The data to decrypt. The length and format of the data must conform to chosen algorithm,
1346 typically be less or equal to the value returned by SecKeyGetBlockSize().
1347 @param error On error, will be populated with an error object describing the failure.
1348 See "Security Error Codes" (SecBase.h).
1349 @result The plaintext represented as a CFData, or NULL on failure.
1350 @discussion Decrypts ciphertext data using specified key. The exact type of the operation including the format
1351 of input and output data is specified by decryption algorithm.
1352 */
1353 CFDataRef _Nullable SecKeyCreateDecryptedData(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef ciphertext,
1354 CFErrorRef *error)
1355 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1356
1357 /*!
1358 @enum SecKeyKeyExchangeParameter SecKey Key Exchange parameters
1359 @constant kSecKeyKeyExchangeParameterRequestedSize Contains CFNumberRef with requested result size in bytes.
1360 @constant kSecKeyKeyExchangeParameterSharedInfo Contains CFDataRef with additional shared info
1361 for KDF (key derivation function).
1362 */
1363 typedef CFStringRef SecKeyKeyExchangeParameter CF_STRING_ENUM
1364 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1365 extern const SecKeyKeyExchangeParameter kSecKeyKeyExchangeParameterRequestedSize
1366 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1367 extern const SecKeyKeyExchangeParameter kSecKeyKeyExchangeParameterSharedInfo
1368 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1369
1370 /*!
1371 @function SecKeyCopyKeyExchangeResult
1372 @abstract Perform Diffie-Hellman style of key exchange operation, optionally with additional key-derivation steps.
1373 @param algorithm One of SecKeyAlgorithm constants suitable to perform this operation.
1374 @param publicKey Remote party's public key.
1375 @param parameters Dictionary with parameters, see SecKeyKeyExchangeParameter constants. Used algorithm
1376 determines the set of required and optional parameters to be used.
1377 @param error Pointer to an error object on failure.
1378 See "Security Error Codes" (SecBase.h).
1379 @result Result of key exchange operation as a CFDataRef, or NULL on failure.
1380 */
1381 CFDataRef _Nullable SecKeyCopyKeyExchangeResult(SecKeyRef privateKey, SecKeyAlgorithm algorithm, SecKeyRef publicKey, CFDictionaryRef parameters, CFErrorRef *error)
1382 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1383
1384 /*!
1385 @enum SecKeyOperationType
1386 @abstract Defines types of cryptographic operations available with SecKey instance.
1387
1388 @constant kSecKeyOperationTypeSign
1389 Represents SecKeyCreateSignature()
1390
1391 @constant kSecKeyOperationTypeVerify
1392 Represents SecKeyVerifySignature()
1393
1394 @constant kSecKeyOperationTypeEncrypt
1395 Represents SecKeyCreateEncryptedData()
1396
1397 @constant kSecKeyOperationTypeDecrypt
1398 Represents SecKeyCreateDecryptedData()
1399
1400 @constant kSecKeyOperationTypeKeyExchange
1401 Represents SecKeyCopyKeyExchangeResult()
1402 */
1403 typedef CF_ENUM(CFIndex, SecKeyOperationType) {
1404 kSecKeyOperationTypeSign = 0,
1405 kSecKeyOperationTypeVerify = 1,
1406 kSecKeyOperationTypeEncrypt = 2,
1407 kSecKeyOperationTypeDecrypt = 3,
1408 kSecKeyOperationTypeKeyExchange = 4,
1409 } __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1410
1411 /*!
1412 @function SecKeyIsAlgorithmSupported
1413 @abstract Checks whether key supports specified algorithm for specified operation.
1414 @param key Key to query
1415 @param operation Operation type for which the key is queried
1416 @param algorithm Algorithm which is queried
1417 @return True if key supports specified algorithm for specified operation, False otherwise.
1418 */
1419 Boolean SecKeyIsAlgorithmSupported(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm)
1420 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
1421
1422 CF_IMPLICIT_BRIDGING_DISABLED
1423 CF_ASSUME_NONNULL_END
1424
1425 __END_DECLS
1426
1427 #endif /* !_SECURITY_SECKEY_H_ */