]> git.saurik.com Git - apple/security.git/blob - libsecurity_keychain/lib/SecKey.h
Security-55163.44.tar.gz
[apple/security.git] / libsecurity_keychain / lib / SecKey.h
1 /*
2 * Copyright (c) 2002-2010 Apple, Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*!
25 @header SecKey
26 The functions provided in SecKey.h implement and manage a particular
27 type of keychain item that represents a key. A key can be stored in a
28 keychain, but a key can also be a transient object.
29
30 You can use a key as a keychain item in most functions.
31 */
32
33 #ifndef _SECURITY_SECKEY_H_
34 #define _SECURITY_SECKEY_H_
35
36 #include <dispatch/dispatch.h>
37 #include <Security/SecBase.h>
38 #include <Security/SecAccess.h>
39 #include <Security/cssmtype.h>
40 #include <CoreFoundation/CFDictionary.h>
41 #include <sys/types.h>
42
43 #if defined(__cplusplus)
44 extern "C" {
45 #endif
46
47 /*!
48 @enum KeyItemAttributeConstants
49 @abstract Specifies keychain item attributes for keys.
50 @constant kSecKeyKeyClass type uint32 (CSSM_KEYCLASS), value
51 is one of CSSM_KEYCLASS_PUBLIC_KEY, CSSM_KEYCLASS_PRIVATE_KEY
52 or CSSM_KEYCLASS_SESSION_KEY.
53 @constant kSecKeyPrintName type blob, human readable name of
54 the key. Same as kSecLabelItemAttr for normal keychain items.
55 @constant kSecKeyAlias type blob, currently unused.
56 @constant kSecKeyPermanent type uint32, value is nonzero iff
57 this key is permanent (stored in some keychain). This is always
58 1.
59 @constant kSecKeyPrivate type uint32, value is nonzero iff this
60 key is protected by a user login or a password, or both.
61 @constant kSecKeyModifiable type uint32, value is nonzero iff
62 attributes of this key can be modified.
63 @constant kSecKeyLabel type blob, for private and public keys
64 this contains the hash of the public key. This is used to
65 associate certificates and keys. It's value matches the value
66 of the kSecPublicKeyHashItemAttr of a certificate and it's used
67 to construct an identity from a certificate and a key.
68 For symmetric keys this is whatever the creator of the key
69 passed in during the generate key call.
70 @constant kSecKeyApplicationTag type blob, currently unused.
71 @constant kSecKeyKeyCreator type data, the data points to a
72 CSSM_GUID structure representing the moduleid of the csp owning
73 this key.
74 @constant kSecKeyKeyType type uint32, value a CSSM_ALGORITHMS
75 representing the algorithm associated with this key.
76 @constant kSecKeyKeySizeInBits type uint32, value is the number
77 of bits in this key.
78 @constant kSecKeyEffectiveKeySize type uint32, value is the
79 effective number of bits in this key. For example a des key
80 has a kSecKeyKeySizeInBits of 64 but a kSecKeyEffectiveKeySize
81 of 56.
82 @constant kSecKeyStartDate type CSSM_DATE. Earliest date from
83 which this key may be used. If the value is all zeros or not
84 present, no restriction applies.
85 @constant kSecKeyEndDate type CSSM_DATE. Latest date at
86 which this key may be used. If the value is all zeros or not
87 present, no restriction applies.
88 @constant kSecKeySensitive type uint32, iff value is nonzero
89 this key cannot be wrapped with CSSM_ALGID_NONE.
90 @constant kSecKeyAlwaysSensitive type uint32, value is nonzero
91 iff this key has always been marked sensitive.
92 @constant kSecKeyExtractable type uint32, value is nonzero iff
93 this key can be wrapped.
94 @constant kSecKeyNeverExtractable type uint32, value is nonzero
95 iff this key was never marked extractable.
96 @constant kSecKeyEncrypt type uint32, value is nonzero iff this
97 key can be used in an encrypt operation.
98 @constant kSecKeyDecrypt type uint32, value is nonzero iff this
99 key can be used in a decrypt operation.
100 @constant kSecKeyDerive type uint32, value is nonzero iff this
101 key can be used in a deriveKey operation.
102 @constant kSecKeySign type uint32, value is nonzero iff this
103 key can be used in a sign operation.
104 @constant kSecKeyVerify type uint32, value is nonzero iff this
105 key can be used in a verify operation.
106 @constant kSecKeySignRecover type uint32.
107 @constant kSecKeyVerifyRecover type uint32.
108 key can unwrap other keys.
109 @constant kSecKeyWrap type uint32, value is nonzero iff this
110 key can wrap other keys.
111 @constant kSecKeyUnwrap type uint32, value is nonzero iff this
112 key can unwrap other keys.
113 @discussion
114 The use of these enumerations has been deprecated. Please
115 use the equivalent items defined in SecItem.h
116 @@@.
117 */
118 enum
119 {
120 kSecKeyKeyClass = 0,
121 kSecKeyPrintName = 1,
122 kSecKeyAlias = 2,
123 kSecKeyPermanent = 3,
124 kSecKeyPrivate = 4,
125 kSecKeyModifiable = 5,
126 kSecKeyLabel = 6,
127 kSecKeyApplicationTag = 7,
128 kSecKeyKeyCreator = 8,
129 kSecKeyKeyType = 9,
130 kSecKeyKeySizeInBits = 10,
131 kSecKeyEffectiveKeySize = 11,
132 kSecKeyStartDate = 12,
133 kSecKeyEndDate = 13,
134 kSecKeySensitive = 14,
135 kSecKeyAlwaysSensitive = 15,
136 kSecKeyExtractable = 16,
137 kSecKeyNeverExtractable = 17,
138 kSecKeyEncrypt = 18,
139 kSecKeyDecrypt = 19,
140 kSecKeyDerive = 20,
141 kSecKeySign = 21,
142 kSecKeyVerify = 22,
143 kSecKeySignRecover = 23,
144 kSecKeyVerifyRecover = 24,
145 kSecKeyWrap = 25,
146 kSecKeyUnwrap = 26
147 };
148
149 /*!
150 @typedef SecCredentialType
151 @abstract Determines the type of credential returned by SecKeyGetCredentials.
152 */
153 typedef uint32 SecCredentialType;
154
155 /*!
156 @enum SecCredentialType
157 @abstract Determines the type of credential returned by SecKeyGetCredentials.
158 @constant kSecCredentialTypeWithUI Operations with this key are allowed to present UI if required.
159 @constant kSecCredentialTypeNoUI Operations with this key are not allowed to present UI, and will fail if UI is required.
160 @constant kSecCredentialTypeDefault The default setting for determining whether to present UI is used. This setting can be changed with a call to SecKeychainSetUserInteractionAllowed.
161 */
162 enum
163 {
164 kSecCredentialTypeDefault = 0,
165 kSecCredentialTypeWithUI,
166 kSecCredentialTypeNoUI
167 };
168
169 /*!
170 @typedef SecPadding
171 @abstract Supported padding types.
172 */
173 typedef uint32_t SecPadding;
174 enum
175 {
176 kSecPaddingNone = 0,
177 kSecPaddingPKCS1 = 1,
178
179 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is an MD2
180 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
181 of the underlying RSA operation. */
182 kSecPaddingPKCS1MD2 = 0x8000,
183
184 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is an MD5
185 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
186 of the underlying RSA operation. */
187 kSecPaddingPKCS1MD5 = 0x8001,
188
189 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA1
190 hash; standard ASN.1 padding will be done, as well as PKCS1 padding
191 of the underlying RSA operation. */
192 kSecPaddingPKCS1SHA1 = 0x8002,
193 };
194
195 /*!
196 @typedef SecKeySizes
197 @abstract Supported key lengths.
198 */
199 typedef uint32_t SecKeySizes;
200 enum
201 {
202 kSecDefaultKeySize = 0,
203
204 // Symmetric Keysizes - default is currently kSecAES128 for AES.
205 kSec3DES192 = 192,
206 kSecAES128 = 128,
207 kSecAES192 = 192,
208 kSecAES256 = 256,
209
210 // Supported ECC Keys for Suite-B from RFC 4492 section 5.1.1.
211 // default is currently kSecp256r1
212 kSecp192r1 = 192,
213 kSecp256r1 = 256,
214 kSecp384r1 = 384,
215 kSecp521r1 = 521, // Yes, 521
216
217 // Boundaries for RSA KeySizes - default is currently 2048
218 // RSA keysizes must be multiples of 8
219 kSecRSAMin = 1024,
220 kSecRSAMax = 4096
221 };
222
223
224 /*!
225 @function SecKeyGetTypeID
226 @abstract Returns the type identifier of SecKey instances.
227 @result The CFTypeID of SecKey instances.
228 */
229 CFTypeID SecKeyGetTypeID(void)
230 __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0);
231
232 /*!
233 @function SecKeyCreatePair
234 @abstract Creates an asymmetric key pair and stores it in a specified keychain.
235 @param keychainRef A reference to the keychain in which to store the private and public key items. Specify NULL for the default keychain.
236 @param algorithm An algorithm for the key pair. This parameter is ignored if a valid (non-zero) contextHandle is supplied.
237 @param keySizeInBits A key size for the key pair. This parameter is ignored if a valid (non-zero) contextHandle is supplied.
238 @param contextHandle (optional) A CSSM_CC_HANDLE, or 0. If this argument is supplied, the algorithm and keySizeInBits parameters are ignored. If extra parameters are needed to generate a key (some algorithms require this), you should create a context using CSSM_CSP_CreateKeyGenContext, using the CSPHandle obtained by calling SecKeychainGetCSPHandle. Then use CSSM_UpdateContextAttributes to add parameters, and dispose of the context using CSSM_DeleteContext after calling this function.
239 @param publicKeyUsage A bit mask indicating all permitted uses for the new public key. CSSM_KEYUSE bit mask values are defined in cssmtype.h.
240 @param publicKeyAttr A bit mask defining attribute values for the new public key. The bit mask values are equivalent to a CSSM_KEYATTR_FLAGS and are defined in cssmtype.h.
241 @param privateKeyUsage A bit mask indicating all permitted uses for the new private key. CSSM_KEYUSE bit mask values are defined in cssmtype.h.
242 @param privateKeyAttr A bit mask defining attribute values for the new private key. The bit mask values are equivalent to a CSSM_KEYATTR_FLAGS and are defined in cssmtype.h.
243 @param initialAccess (optional) A SecAccess object that determines the initial access rights to the private key. The public key is given "any/any" access rights by default.
244 @param publicKey (optional) On return, the keychain item reference of the generated public key. Use the SecKeyGetCSSMKey function to obtain the CSSM_KEY. The caller must call CFRelease on this value if it is returned. Pass NULL if a reference to this key is not required.
245 @param privateKey (optional) On return, the keychain item reference of the generated private key. Use the SecKeyGetCSSMKey function to obtain the CSSM_KEY. The caller must call CFRelease on this value if it is returned. Pass NULL if a reference to this key is not required.
246 @result A result code. See "Security Error Codes" (SecBase.h).
247 @discussion This API is deprecated for 10.7 Plese use the SecKeyGeneratePair API
248 */
249 OSStatus SecKeyCreatePair(
250 SecKeychainRef keychainRef,
251 CSSM_ALGORITHMS algorithm,
252 uint32 keySizeInBits,
253 CSSM_CC_HANDLE contextHandle,
254 CSSM_KEYUSE publicKeyUsage,
255 uint32 publicKeyAttr,
256 CSSM_KEYUSE privateKeyUsage,
257 uint32 privateKeyAttr,
258 SecAccessRef initialAccess,
259 SecKeyRef* publicKey,
260 SecKeyRef* privateKey)
261 DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
262
263 /*!
264 @function SecKeyGenerate
265 @abstract Creates a symmetric key and optionally stores it in a specified keychain.
266 @param keychainRef (optional) A reference to the keychain in which to store the generated key. Specify NULL to generate a transient key.
267 @param algorithm An algorithm for the symmetric key. This parameter is ignored if a valid (non-zero) contextHandle is supplied.
268 @param keySizeInBits A key size for the key pair. This parameter is ignored if a valid (non-zero) contextHandle is supplied.
269 @param contextHandle (optional) A CSSM_CC_HANDLE, or 0. If this argument is supplied, the algorithm and keySizeInBits parameters are ignored. If extra parameters are needed to generate a key (some algorithms require this), you should create a context using CSSM_CSP_CreateKeyGenContext, using the CSPHandle obtained by calling SecKeychainGetCSPHandle. Then use CSSM_UpdateContextAttributes to add parameters, and dispose of the context using CSSM_DeleteContext after calling this function.
270 @param keyUsage A bit mask indicating all permitted uses for the new key. CSSM_KEYUSE bit mask values are defined in cssmtype.h.
271 @param keyAttr A bit mask defining attribute values for the new key. The bit mask values are equivalent to a CSSM_KEYATTR_FLAGS and are defined in cssmtype.h.
272 @param initialAccess (optional) A SecAccess object that determines the initial access rights for the key. This parameter is ignored if the keychainRef is NULL.
273 @param keyRef On return, a reference to the generated key. Use the SecKeyGetCSSMKey function to obtain the CSSM_KEY. The caller must call CFRelease on this value if it is returned.
274 @result A result code. See "Security Error Codes" (SecBase.h).
275 @discussion This API is deprecated for 10.7. Plese use the SecKeyGenerateSymmetric API
276 */
277 OSStatus SecKeyGenerate(
278 SecKeychainRef keychainRef,
279 CSSM_ALGORITHMS algorithm,
280 uint32 keySizeInBits,
281 CSSM_CC_HANDLE contextHandle,
282 CSSM_KEYUSE keyUsage,
283 uint32 keyAttr,
284 SecAccessRef initialAccess,
285 SecKeyRef* keyRef)
286 DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
287
288 /*!
289 @function SecKeyGetCSSMKey
290 @abstract Returns a pointer to the CSSM_KEY for the given key item reference.
291 @param key A keychain key item reference. The key item must be of class type kSecAppleKeyItemClass.
292 @param cssmKey On return, a pointer to a CSSM_KEY structure for the given key. This pointer remains valid until the key reference is released. The caller should not attempt to modify or free this data.
293 @result A result code. See "Security Error Codes" (SecBase.h).
294 @discussion The CSSM_KEY is valid until the key item reference is released. This API is deprecated in 10.7. Its use should no longer be needed.
295 */
296 OSStatus SecKeyGetCSSMKey(SecKeyRef key, const CSSM_KEY **cssmKey)
297 DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;;
298
299 /*!
300 @function SecKeyGetCSPHandle
301 @abstract Returns the CSSM_CSP_HANDLE for the given key reference. The handle is valid until the key reference is released.
302 @param keyRef A key reference.
303 @param cspHandle On return, the CSSM_CSP_HANDLE for the given keychain.
304 @result A result code. See "Security Error Codes" (SecBase.h).
305 @discussion This API is deprecated in 10.7. Its use should no longer be needed.
306 */
307 OSStatus SecKeyGetCSPHandle(SecKeyRef keyRef, CSSM_CSP_HANDLE *cspHandle)
308 DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
309
310 /*!
311 @function SecKeyGetCredentials
312 @abstract For a given key, return a pointer to a CSSM_ACCESS_CREDENTIALS structure which will allow the key to be used.
313 @param keyRef The key for which a credential is requested.
314 @param operation The type of operation to be performed with this key. See "Authorization tag type" for defined operations (cssmtype.h).
315 @param credentialType The type of credential requested.
316 @param outCredentials On return, a pointer to a CSSM_ACCESS_CREDENTIALS structure. This pointer remains valid until the key reference is released. The caller should not attempt to modify or free this data.
317 @result A result code. See "Security Error Codes" (SecBase.h).
318 */
319 OSStatus SecKeyGetCredentials(
320 SecKeyRef keyRef,
321 CSSM_ACL_AUTHORIZATION_TAG operation,
322 SecCredentialType credentialType,
323 const CSSM_ACCESS_CREDENTIALS **outCredentials)
324 DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
325
326 /*!
327 @function SecKeyGetBlockSize
328 @abstract Decrypt a block of ciphertext.
329 @param key The key for which the block length is requested.
330 @result The block length of the key in bytes.
331 @discussion If for example key is an RSA key the value returned by
332 this function is the size of the modulus.
333 */
334 size_t SecKeyGetBlockSize(SecKeyRef key)
335 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
336
337 /*!
338 @function SecKeyGenerateSymmetric
339 @abstract Generates a random symmetric key with the specified length
340 and algorithm type.
341
342 @param parameters A dictionary containing one or more key-value pairs.
343 See the discussion sections below for a complete overview of options.
344 @param error An optional pointer to a CFErrorRef. This value is set
345 if an error occurred. If not NULL, the caller is responsible for
346 releasing the CFErrorRef.
347 @result On return, a SecKeyRef reference to the symmetric key, or
348 NULL if the key could not be created.
349
350 @discussion In order to generate a symmetric key, the parameters dictionary
351 must at least contain the following keys:
352
353 * kSecAttrKeyType with a value of kSecAttrKeyTypeAES or any other
354 kSecAttrKeyType defined in SecItem.h
355 * kSecAttrKeySizeInBits with a value being a CFNumberRef containing
356 the requested key size in bits. Example sizes for AES keys are:
357 128, 192, 256, 512.
358
359 To store the generated symmetric key in a keychain, set these keys:
360 * kSecUseKeychain (value is a SecKeychainRef)
361 * kSecAttrLabel (a user-visible label whose value is a CFStringRef,
362 e.g. "My App's Encryption Key")
363 * kSecAttrApplicationLabel (a label defined by your application, whose
364 value is a CFStringRef and which can be used to find this key in a
365 subsequent call to SecItemCopyMatching, e.g. "ID-1234567890-9876-0151")
366
367 To specify the generated key's access control settings, set this key:
368 * kSecAttrAccess (value is a SecAccessRef)
369
370 The keys below may be optionally set in the parameters dictionary
371 (with a CFBooleanRef value) to override the default usage values:
372
373 * kSecAttrCanEncrypt (defaults to true if not explicitly specified)
374 * kSecAttrCanDecrypt (defaults to true if not explicitly specified)
375 * kSecAttrCanWrap (defaults to true if not explicitly specified)
376 * kSecAttrCanUnwrap (defaults to true if not explicitly specified)
377
378 */
379 SecKeyRef SecKeyGenerateSymmetric(CFDictionaryRef parameters, CFErrorRef *error)
380 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
381
382
383 /*!
384 @function SecKeyCreateFromData
385 @abstract Creates a symmetric key with the given data and sets the
386 algorithm type specified.
387
388 @param parameters A dictionary containing one or more key-value pairs.
389 See the discussion sections below for a complete overview of options.
390 @result On return, a SecKeyRef reference to the symmetric key.
391
392 @discussion In order to generate a symmetric key the parameters dictionary must
393 at least contain the following keys:
394
395 * kSecAttrKeyType with a value of kSecAttrKeyTypeAES or any other
396 kSecAttrKeyType defined in SecItem.h
397
398 The keys below may be optionally set in the parameters dictionary
399 (with a CFBooleanRef value) to override the default usage values:
400
401 * kSecAttrCanEncrypt (defaults to true if not explicitly specified)
402 * kSecAttrCanDecrypt (defaults to true if not explicitly specified)
403 * kSecAttrCanWrap (defaults to true if not explicitly specified)
404 * kSecAttrCanUnwrap (defaults to true if not explicitly specified)
405
406 */
407 SecKeyRef SecKeyCreateFromData(CFDictionaryRef parameters,
408 CFDataRef keyData, CFErrorRef *error)
409 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
410
411
412 /*!
413 @function SecKeyGeneratePair
414 @abstract Generate a private/public keypair.
415 @param parameters A dictionary containing one or more key-value pairs.
416 @result A result code. See "Security Error Codes" (SecBase.h). On success,
417 the result code will be errSecSuccess, and the output parameters will
418 contain the public SecKeyRef and private SecKeyRef. It is the caller's
419 responsibility to CFRelease these key references when finished with them.
420
421 @discussion In order to generate a keypair the parameters dictionary must
422 at least contain the following keys:
423
424 * kSecAttrKeyType with a value of kSecAttrKeyTypeRSA or any other
425 kSecAttrKeyType defined in SecItem.h
426 * kSecAttrKeySizeInBits with a value being a CFNumberRef containing
427 the requested key size in bits. Example sizes for RSA keys are:
428 512, 768, 1024, 2048.
429
430 Setting the following attributes explicitly will override the defaults below.
431 See SecItem.h for detailed information on these attributes including the types
432 of the values.
433
434 * kSecAttrLabel default NULL
435 * kSecUseKeychain default NULL, which specifies the default keychain
436 * kSecAttrApplicationTag default NULL
437 * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits
438 * kSecAttrCanEncrypt default false for private keys, true for public keys
439 * kSecAttrCanDecrypt default true for private keys, false for public keys
440 * kSecAttrCanDerive default true
441 * kSecAttrCanSign default true for private keys, false for public keys
442 * kSecAttrCanVerify default false for private keys, true for public keys
443 * kSecAttrCanWrap default false for private keys, true for public keys
444 * kSecAttrCanUnwrap default true for private keys, false for public keys
445
446 */
447 OSStatus SecKeyGeneratePair(CFDictionaryRef parameters,
448 SecKeyRef *publicKey, SecKeyRef *privateKey)
449 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
450
451 /*!
452 @typedef SecKeyGeneratePairBlock
453 @abstract Delivers the result from an asynchronous key pair generation.
454 @param publicKey - the public key generated. You must retain publicKey if you wish to use it after your block returns.
455 @param privateKey - the private key generated. You must retain publicKey if you wish to use it after your block returns.
456 @param error - Any errors returned. You must retain error if you wish to use it after your block returns.
457 */
458
459 #ifdef __BLOCKS__
460 typedef void (^SecKeyGeneratePairBlock)(SecKeyRef publicKey, SecKeyRef privateKey, CFErrorRef error);
461
462
463 /*!
464 @function SecKeyGeneratePairAsync
465 @abstract Generate a private/public keypair returning the values in a callback.
466 @param parameters A dictionary containing one or more key-value pairs.
467 @param deliveryQueue A dispatch queue to be used to deliver the results.
468 @param result A callback function to result when the operation has completed.
469 @result On success the function returns NULL.
470
471 @discussion In order to generate a keypair the parameters dictionary must
472 at least contain the following keys:
473
474 * kSecAttrKeyType with a value being kSecAttrKeyTypeRSA or any other
475 kSecAttrKeyType defined in SecItem.h
476 * kSecAttrKeySizeInBits with a value being a CFNumberRef or CFStringRef
477 containing the requested key size in bits. Example sizes for RSA
478 keys are: 512, 768, 1024, 2048.
479
480 The values below may be set either in the top-level dictionary or in a
481 dictionary that is the value of the kSecPrivateKeyAttrs or
482 kSecPublicKeyAttrs key in the top-level dictionary. Setting these
483 attributes explicitly will override the defaults below. See SecItem.h
484 for detailed information on these attributes including the types of
485 the values.
486
487 * kSecAttrLabel default NULL
488 * kSecAttrIsPermanent if this key is present and has a Boolean
489 value of true, the key or key pair will be added to the default
490 keychain.
491 * kSecAttrApplicationTag default NULL
492 * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits
493 * kSecAttrCanEncrypt default false for private keys, true for public keys
494 * kSecAttrCanDecrypt default true for private keys, false for public keys
495 * kSecAttrCanDerive default true
496 * kSecAttrCanSign default true for private keys, false for public keys
497 * kSecAttrCanVerify default false for private keys, true for public keys
498 * kSecAttrCanWrap default false for private keys, true for public keys
499 * kSecAttrCanUnwrap default true for private keys, false for public keys
500
501 */
502 void SecKeyGeneratePairAsync(CFDictionaryRef parameters,
503 dispatch_queue_t deliveryQueue, SecKeyGeneratePairBlock result)
504 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
505
506 #endif /* __BLOCKS__ */
507
508 // Derive, Wrap, and Unwrap
509
510 /*!
511 @function SecKeyDeriveFromPassword
512 @abstract Derives a symmetric key from a password.
513
514 @param password The password from which the keyis to be derived.
515 @param parameters A dictionary containing one or more key-value pairs.
516 @param error If the call fails this will contain the error code.
517
518 @discussion In order to derive a key the parameters dictionary must contain at least contain the following keys:
519 * kSecAttrSalt - a CFData for the salt value for mixing in the pseudo-random rounds.
520 * kSecAttrPRF - the algorithm to use for the pseudo-random-function.
521 If 0, this defaults to kSecAttrPRFHmacAlgSHA1. Possible values are:
522
523 * kSecAttrPRFHmacAlgSHA1
524 * kSecAttrPRFHmacAlgSHA224
525 * kSecAttrPRFHmacAlgSHA256
526 * kSecAttrPRFHmacAlgSHA384
527 * kSecAttrPRFHmacAlgSHA512
528
529 * kSecAttrRounds - the number of rounds to call the pseudo random function.
530 If 0, a count will be computed to average 1/10 of a second.
531 * kSecAttrKeySizeInBits with a value being a CFNumberRef
532 containing the requested key size in bits. Example sizes for RSA keys are:
533 512, 768, 1024, 2048.
534
535 @result On success a SecKeyRef is returned. On failure this result is NULL and the
536 error parameter contains the reason.
537
538 */
539 SecKeyRef SecKeyDeriveFromPassword(CFStringRef password,
540 CFDictionaryRef parameters, CFErrorRef *error)
541 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
542
543 /*!
544 @function SecKeyWrapSymmetric
545 @abstract Wraps a symmetric key with a symmetric key.
546
547 @param keyToWrap The key which is to be wrapped.
548 @param wrappingKey The key wrapping key.
549 #param parameters The parameter list to use for wrapping the key.
550 @param error If the call fails this will contain the error code.
551
552 @result On success a CFDataRef is returned. On failure this result is NULL and the
553 error parameter contains the reason.
554
555 @discussion In order to wrap a key the parameters dictionary may contain the following key:
556 * kSecSalt - a CFData for the salt value for the encrypt.
557
558 */
559 CFDataRef SecKeyWrapSymmetric(SecKeyRef keyToWrap,
560 SecKeyRef wrappingKey, CFDictionaryRef parameters, CFErrorRef *error)
561 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
562
563 /*!
564 @function SecKeyUnwrapSymmetric
565 @abstract Unwrap a wrapped symmetric key.
566
567 @param keyToUnwrap The wrapped key to unwrap.
568 @param unwrappingKey The key unwrapping key.
569 #param parameters The parameter list to use for unwrapping the key.
570 @param error If the call fails this will contain the error code.
571
572 @result On success a SecKeyRef is returned. On failure this result is NULL and the
573 error parameter contains the reason.
574
575 @discussion In order to unwrap a key the parameters dictionary may contain the following key:
576 * kSecSalt - a CFData for the salt value for the decrypt.
577
578 */
579 SecKeyRef SecKeyUnwrapSymmetric(CFDataRef *keyToUnwrap,
580 SecKeyRef unwrappingKey, CFDictionaryRef parameters, CFErrorRef *error)
581 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
582
583
584 #if defined(__cplusplus)
585 }
586 #endif
587
588 #endif /* !_SECURITY_SECKEY_H_ */