--- /dev/null
+/*
+ * Copyright (c) 2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*!
+ @header SecAccessControl
+ SecAccessControl defines access rights for items.
+ */
+
+#ifndef _SECURITY_SECACCESSCONTROL_H_
+#define _SECURITY_SECACCESSCONTROL_H_
+
+#include <Security/SecBase.h>
+#include <CoreFoundation/CFError.h>
+#include <sys/cdefs.h>
+
+__BEGIN_DECLS
+
+CF_ASSUME_NONNULL_BEGIN
+CF_IMPLICIT_BRIDGING_ENABLED
+
+/*!
+ @function SecAccessControlGetTypeID
+ @abstract Returns the type identifier of SecAccessControl instances.
+ @result The CFTypeID of SecAccessControl instances.
+ */
+CFTypeID SecAccessControlGetTypeID(void)
+__OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
+
+/*!
+ @typedef SecAccessControlCreateFlags
+
+ @constant kSecAccessControlUserPresence
+ User presence policy using biometry or Passcode. Biometry does not have to be available or enrolled. Item is still
+ accessible by Touch ID even if fingers are added or removed. Item is still accessible by Face ID if user is re-enrolled.
+
+ @constant kSecAccessControlBiometryAny
+ Constraint: Touch ID (any finger) or Face ID. Touch ID or Face ID must be available. With Touch ID
+ at least one finger must be enrolled. With Face ID user has to be enrolled. Item is still accessible by Touch ID even
+ if fingers are added or removed. Item is still accessible by Face ID if user is re-enrolled.
+
+ @constant kSecAccessControlTouchIDAny
+ Deprecated, please use kSecAccessControlBiometryAny instead.
+
+ @constant kSecAccessControlBiometryCurrentSet
+ Constraint: Touch ID from the set of currently enrolled fingers. Touch ID must be available and at least one finger must
+ be enrolled. When fingers are added or removed, the item is invalidated. When Face ID is re-enrolled this item is invalidated.
+
+ @constant kSecAccessControlTouchIDCurrentSet
+ Deprecated, please use kSecAccessControlBiometryCurrentSet instead.
+
+ @constant kSecAccessControlDevicePasscode
+ Constraint: Device passcode
+
+ @constant kSecAccessControlWatch
+ Constraint: Watch
+
+ @constant kSecAccessControlOr
+ Constraint logic operation: when using more than one constraint, at least one of them must be satisfied.
+
+ @constant kSecAccessControlAnd
+ Constraint logic operation: when using more than one constraint, all must be satisfied.
+
+ @constant kSecAccessControlPrivateKeyUsage
+ Create access control for private key operations (i.e. sign operation)
+
+ @constant kSecAccessControlApplicationPassword
+ Security: Application provided password for data encryption key generation. This is not a constraint but additional item
+ encryption mechanism.
+*/
+typedef CF_OPTIONS(CFOptionFlags, SecAccessControlCreateFlags) {
+ kSecAccessControlUserPresence = 1u << 0,
+ kSecAccessControlBiometryAny API_AVAILABLE(macos(10.13.4), ios(11.3)) = 1u << 1,
+ kSecAccessControlTouchIDAny API_DEPRECATED_WITH_REPLACEMENT("kSecAccessControlBiometryAny", macos(10.12.1, 10.13.4), ios(9.0, 11.3)) = 1u << 1,
+ kSecAccessControlBiometryCurrentSet API_AVAILABLE(macos(10.13.4), ios(11.3)) = 1u << 3,
+ kSecAccessControlTouchIDCurrentSet API_DEPRECATED_WITH_REPLACEMENT("kSecAccessControlBiometryCurrentSet", macos(10.12.1, 10.13.4), ios(9.0, 11.3)) = 1u << 3,
+ kSecAccessControlDevicePasscode API_AVAILABLE(macos(10.11), ios(9.0)) = 1u << 4,
+ kSecAccessControlWatch API_AVAILABLE(macos(10.15), ios(NA), iosmac(13.0)) = 1u << 5,
+ kSecAccessControlOr API_AVAILABLE(macos(10.12.1), ios(9.0)) = 1u << 14,
+ kSecAccessControlAnd API_AVAILABLE(macos(10.12.1), ios(9.0)) = 1u << 15,
+ kSecAccessControlPrivateKeyUsage API_AVAILABLE(macos(10.12.1), ios(9.0)) = 1u << 30,
+ kSecAccessControlApplicationPassword API_AVAILABLE(macos(10.12.1), ios(9.0)) = 1u << 31,
+} __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
+
+/*!
+ @function SecAccessControlCreateWithFlags
+ @abstract Creates new access control object based on protection type and additional flags.
+ @discussion Created access control object should be used as a value for kSecAttrAccessControl attribute in SecItemAdd,
+ SecItemUpdate or SecKeyGeneratePair functions. Accessing keychain items or performing operations on keys which are
+ protected by access control objects can block the execution because of UI which can appear to satisfy the access control
+ conditions, therefore it is recommended to either move those potentially blocking operations out of the main
+ application thread or use combination of kSecUseAuthenticationContext and kSecUseAuthenticationUI attributes to control
+ where the UI interaction can appear.
+ @param allocator Allocator to be used by this instance.
+ @param protection Protection class to be used for the item. One of kSecAttrAccessible constants.
+ @param flags If no flags are set then all operations are allowed.
+ @param error Additional error information filled in case of failure.
+ @result Newly created access control object.
+ */
+__nullable
+SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef __nullable allocator, CFTypeRef protection,
+ SecAccessControlCreateFlags flags, CFErrorRef *error)
+API_AVAILABLE(macos(10.10), ios(8.0));
+
+CF_IMPLICIT_BRIDGING_DISABLED
+CF_ASSUME_NONNULL_END
+
+__END_DECLS
+
+#endif // _SECURITY_SECACCESSCONTROL_H_
projects / apple / security.git / blobdiff