--- /dev/null
+/*
+ * Copyright (c) 2006-2014,2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*!
+ @header SecKey
+ The functions provided in SecKey.h implement and manage a particular
+ type of keychain item that represents a key. A key can be stored in a
+ keychain, but a key can also be a transient object.
+
+ On OSX, you can use a SecKey as a SecKeychainItem in most functions.
+*/
+
+#ifndef _SECURITY_SECKEY_H_
+#define _SECURITY_SECKEY_H_
+
+#include <Availability.h>
+#include <Security/SecBase.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <dispatch/dispatch.h>
+#include <sys/types.h>
+
+#if SEC_OS_OSX
+#include <Security/SecAccess.h>
+#include <Security/cssmtype.h>
+#endif /* SEC_OS_OSX */
+
+__BEGIN_DECLS
+
+CF_ASSUME_NONNULL_BEGIN
+CF_IMPLICIT_BRIDGING_ENABLED
+
+#if SEC_OS_OSX
+/*!
+ @enum KeyItemAttributeConstants
+ @abstract Specifies keychain item attributes for keys.
+ @constant kSecKeyKeyClass type uint32 (CSSM_KEYCLASS), value
+ is one of CSSM_KEYCLASS_PUBLIC_KEY, CSSM_KEYCLASS_PRIVATE_KEY
+ or CSSM_KEYCLASS_SESSION_KEY.
+ @constant kSecKeyPrintName type blob, human readable name of
+ the key. Same as kSecLabelItemAttr for normal keychain items.
+ @constant kSecKeyAlias type blob, currently unused.
+ @constant kSecKeyPermanent type uint32, value is nonzero iff
+ this key is permanent (stored in some keychain). This is always
+ 1.
+ @constant kSecKeyPrivate type uint32, value is nonzero iff this
+ key is protected by a user login or a password, or both.
+ @constant kSecKeyModifiable type uint32, value is nonzero iff
+ attributes of this key can be modified.
+ @constant kSecKeyLabel type blob, for private and public keys
+ this contains the hash of the public key. This is used to
+ associate certificates and keys. Its value matches the value
+ of the kSecPublicKeyHashItemAttr of a certificate and it's used
+ to construct an identity from a certificate and a key.
+ For symmetric keys this is whatever the creator of the key
+ passed in during the generate key call.
+ @constant kSecKeyApplicationTag type blob, currently unused.
+ @constant kSecKeyKeyCreator type data, the data points to a
+ CSSM_GUID structure representing the moduleid of the csp owning
+ this key.
+ @constant kSecKeyKeyType type uint32, value is a CSSM_ALGORITHMS
+ representing the algorithm associated with this key.
+ @constant kSecKeyKeySizeInBits type uint32, value is the number
+ of bits in this key.
+ @constant kSecKeyEffectiveKeySize type uint32, value is the
+ effective number of bits in this key. For example a des key
+ has a kSecKeyKeySizeInBits of 64 but a kSecKeyEffectiveKeySize
+ of 56.
+ @constant kSecKeyStartDate type CSSM_DATE. Earliest date from
+ which this key may be used. If the value is all zeros or not
+ present, no restriction applies.
+ @constant kSecKeyEndDate type CSSM_DATE. Latest date at
+ which this key may be used. If the value is all zeros or not
+ present, no restriction applies.
+ @constant kSecKeySensitive type uint32, iff value is nonzero
+ this key cannot be wrapped with CSSM_ALGID_NONE.
+ @constant kSecKeyAlwaysSensitive type uint32, value is nonzero
+ iff this key has always been marked sensitive.
+ @constant kSecKeyExtractable type uint32, value is nonzero iff
+ this key can be wrapped.
+ @constant kSecKeyNeverExtractable type uint32, value is nonzero
+ iff this key was never marked extractable.
+ @constant kSecKeyEncrypt type uint32, value is nonzero iff this
+ key can be used in an encrypt operation.
+ @constant kSecKeyDecrypt type uint32, value is nonzero iff this
+ key can be used in a decrypt operation.
+ @constant kSecKeyDerive type uint32, value is nonzero iff this
+ key can be used in a deriveKey operation.
+ @constant kSecKeySign type uint32, value is nonzero iff this
+ key can be used in a sign operation.
+ @constant kSecKeyVerify type uint32, value is nonzero iff this
+ key can be used in a verify operation.
+ @constant kSecKeySignRecover type uint32.
+ @constant kSecKeyVerifyRecover type uint32.
+ key can unwrap other keys.
+ @constant kSecKeyWrap type uint32, value is nonzero iff this
+ key can wrap other keys.
+ @constant kSecKeyUnwrap type uint32, value is nonzero iff this
+ key can unwrap other keys.
+ @discussion
+ The use of these enumerations has been deprecated. Please
+ use the equivalent items defined in SecItem.h
+ @@@.
+*/
+CF_ENUM(int)
+{
+ kSecKeyKeyClass = 0,
+ kSecKeyPrintName = 1,
+ kSecKeyAlias = 2,
+ kSecKeyPermanent = 3,
+ kSecKeyPrivate = 4,
+ kSecKeyModifiable = 5,
+ kSecKeyLabel = 6,
+ kSecKeyApplicationTag = 7,
+ kSecKeyKeyCreator = 8,
+ kSecKeyKeyType = 9,
+ kSecKeyKeySizeInBits = 10,
+ kSecKeyEffectiveKeySize = 11,
+ kSecKeyStartDate = 12,
+ kSecKeyEndDate = 13,
+ kSecKeySensitive = 14,
+ kSecKeyAlwaysSensitive = 15,
+ kSecKeyExtractable = 16,
+ kSecKeyNeverExtractable = 17,
+ kSecKeyEncrypt = 18,
+ kSecKeyDecrypt = 19,
+ kSecKeyDerive = 20,
+ kSecKeySign = 21,
+ kSecKeyVerify = 22,
+ kSecKeySignRecover = 23,
+ kSecKeyVerifyRecover = 24,
+ kSecKeyWrap = 25,
+ kSecKeyUnwrap = 26
+};
+
+ /*!
+ @enum SecCredentialType
+ @abstract Determines the type of credential returned by SecKeyGetCredentials.
+ @constant kSecCredentialTypeWithUI Operations with this key are allowed to present UI if required.
+ @constant kSecCredentialTypeNoUI Operations with this key are not allowed to present UI, and will fail if UI is required.
+ @constant kSecCredentialTypeDefault The default setting for determining whether to present UI is used. This setting can be changed with a call to SecKeychainSetUserInteractionAllowed.
+*/
+typedef CF_ENUM(uint32, SecCredentialType)
+{
+ kSecCredentialTypeDefault = 0,
+ kSecCredentialTypeWithUI,
+ kSecCredentialTypeNoUI
+};
+#endif /* SEC_OS_OSX */
+
+/*!
+ @typedef SecPadding
+ @abstract Supported padding types.
+*/
+typedef CF_OPTIONS(uint32_t, SecPadding)
+{
+ kSecPaddingNone = 0,
+ kSecPaddingPKCS1 = 1,
+ kSecPaddingOAEP = 2, // __OSX_UNAVAILABLE __IOS_AVAILABLE(2.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0),
+
+ /* For SecKeyRawSign/SecKeyRawVerify only,
+ ECDSA signature is raw byte format {r,s}, big endian.
+ First half is r, second half is s */
+ kSecPaddingSigRaw = 0x4000,
+
+ /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is an MD2
+ hash; standard ASN.1 padding will be done, as well as PKCS1 padding
+ of the underlying RSA operation. */
+ kSecPaddingPKCS1MD2 = 0x8000, // __OSX_DEPRECATED(10.0, 10.12, "MD2 is deprecated") __IOS_DEPRECATED(2.0, 5.0, "MD2 is deprecated") __TVOS_UNAVAILABLE __WATCHOS_UNAVAILABLE,
+
+ /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is an MD5
+ hash; standard ASN.1 padding will be done, as well as PKCS1 padding
+ of the underlying RSA operation. */
+ kSecPaddingPKCS1MD5 = 0x8001, // __OSX_DEPRECATED(10.0, 10.12, "MD5 is deprecated") __IOS_DEPRECATED(2.0, 5.0, "MD5 is deprecated") __TVOS_UNAVAILABLE __WATCHOS_UNAVAILABLE,
+
+ /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA1
+ hash; standard ASN.1 padding will be done, as well as PKCS1 padding
+ of the underlying RSA operation. */
+ kSecPaddingPKCS1SHA1 = 0x8002,
+
+ /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA224
+ hash; standard ASN.1 padding will be done, as well as PKCS1 padding
+ of the underlying RSA operation. */
+ kSecPaddingPKCS1SHA224 = 0x8003, // __OSX_UNAVAILABLE __IOS_AVAILABLE(2.0),
+
+ /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA256
+ hash; standard ASN.1 padding will be done, as well as PKCS1 padding
+ of the underlying RSA operation. */
+ kSecPaddingPKCS1SHA256 = 0x8004, // __OSX_UNAVAILABLE __IOS_AVAILABLE(2.0),
+
+ /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA384
+ hash; standard ASN.1 padding will be done, as well as PKCS1 padding
+ of the underlying RSA operation. */
+ kSecPaddingPKCS1SHA384 = 0x8005, // __OSX_UNAVAILABLE __IOS_AVAILABLE(2.0),
+
+ /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA512
+ hash; standard ASN.1 padding will be done, as well as PKCS1 padding
+ of the underlying RSA operation. */
+ kSecPaddingPKCS1SHA512 = 0x8006, // __OSX_UNAVAILABLE __IOS_AVAILABLE(2.0),
+};
+
+#if SEC_OS_OSX
+/*!
+ @typedef SecKeySizes
+ @abstract Supported key lengths.
+*/
+typedef CF_ENUM(uint32_t, SecKeySizes)
+{
+ kSecDefaultKeySize = 0,
+
+ // Symmetric Keysizes - default is currently kSecAES128 for AES.
+ kSec3DES192 = 192,
+ kSecAES128 = 128,
+ kSecAES192 = 192,
+ kSecAES256 = 256,
+
+ // Supported ECC Keys for Suite-B from RFC 4492 section 5.1.1.
+ // default is currently kSecp256r1
+ kSecp192r1 = 192,
+ kSecp256r1 = 256,
+ kSecp384r1 = 384,
+ kSecp521r1 = 521, // Yes, 521
+
+ // Boundaries for RSA KeySizes - default is currently 2048
+ // RSA keysizes must be multiples of 8
+ kSecRSAMin = 1024,
+ kSecRSAMax = 4096
+};
+#endif /* SEC_OS_OSX */
+
+/*!
+ @enum Key Parameter Constants
+ @discussion Predefined key constants used to get or set values in a dictionary.
+ These are used to provide explicit parameters to key generation functions
+ when non-default values are desired. See the description of the
+ SecKeyGeneratePair API for usage information.
+ @constant kSecPrivateKeyAttrs The value for this key is a CFDictionaryRef
+ containing attributes specific for the private key to be generated.
+ @constant kSecPublicKeyAttrs The value for this key is a CFDictionaryRef
+ containing attributes specific for the public key to be generated.
+*/
+extern const CFStringRef kSecPrivateKeyAttrs
+ __OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_2_0);
+extern const CFStringRef kSecPublicKeyAttrs
+ __OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_2_0);
+
+/*!
+ @function SecKeyGetTypeID
+ @abstract Returns the type identifier of SecKey instances.
+ @result The CFTypeID of SecKey instances.
+*/
+CFTypeID SecKeyGetTypeID(void)
+ __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0);
+
+
+#if SEC_OS_OSX
+/*!
+ @function SecKeyCreatePair
+ @abstract Creates an asymmetric key pair and stores it in a specified keychain.
+ @param keychainRef A reference to the keychain in which to store the private and public key items. Specify NULL for the default keychain.
+ @param algorithm An algorithm for the key pair. This parameter is ignored if a valid (non-zero) contextHandle is supplied.
+ @param keySizeInBits A key size for the key pair. This parameter is ignored if a valid (non-zero) contextHandle is supplied.
+ @param contextHandle (optional) A CSSM_CC_HANDLE, or 0. If this argument is supplied, the algorithm and keySizeInBits parameters are ignored. If extra parameters are needed to generate a key (some algorithms require this), you should create a context using CSSM_CSP_CreateKeyGenContext, using the CSPHandle obtained by calling SecKeychainGetCSPHandle. Then use CSSM_UpdateContextAttributes to add parameters, and dispose of the context using CSSM_DeleteContext after calling this function.
+ @param publicKeyUsage A bit mask indicating all permitted uses for the new public key. CSSM_KEYUSE bit mask values are defined in cssmtype.h.
+ @param publicKeyAttr A bit mask defining attribute values for the new public key. The bit mask values are equivalent to a CSSM_KEYATTR_FLAGS and are defined in cssmtype.h.
+ @param privateKeyUsage A bit mask indicating all permitted uses for the new private key. CSSM_KEYUSE bit mask values are defined in cssmtype.h.
+ @param privateKeyAttr A bit mask defining attribute values for the new private key. The bit mask values are equivalent to a CSSM_KEYATTR_FLAGS and are defined in cssmtype.h.
+ @param initialAccess (optional) A SecAccess object that determines the initial access rights to the private key. The public key is given "any/any" access rights by default.
+ @param publicKey (optional) On return, the keychain item reference of the generated public key. Use the SecKeyGetCSSMKey function to obtain the CSSM_KEY. The caller must call CFRelease on this value if it is returned. Pass NULL if a reference to this key is not required.
+ @param privateKey (optional) On return, the keychain item reference of the generated private key. Use the SecKeyGetCSSMKey function to obtain the CSSM_KEY. The caller must call CFRelease on this value if it is returned. Pass NULL if a reference to this key is not required.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion This API is deprecated for 10.7. Please use the SecKeyGeneratePair API instead.
+*/
+OSStatus SecKeyCreatePair(
+ SecKeychainRef _Nullable keychainRef,
+ CSSM_ALGORITHMS algorithm,
+ uint32 keySizeInBits,
+ CSSM_CC_HANDLE contextHandle,
+ CSSM_KEYUSE publicKeyUsage,
+ uint32 publicKeyAttr,
+ CSSM_KEYUSE privateKeyUsage,
+ uint32 privateKeyAttr,
+ SecAccessRef _Nullable initialAccess,
+ SecKeyRef* _Nullable CF_RETURNS_RETAINED publicKey,
+ SecKeyRef* _Nullable CF_RETURNS_RETAINED privateKey)
+ CSSM_DEPRECATED;
+
+/*!
+ @function SecKeyGenerate
+ @abstract Creates a symmetric key and optionally stores it in a specified keychain.
+ @param keychainRef (optional) A reference to the keychain in which to store the generated key. Specify NULL to generate a transient key.
+ @param algorithm An algorithm for the symmetric key. This parameter is ignored if a valid (non-zero) contextHandle is supplied.
+ @param keySizeInBits A key size for the key pair. This parameter is ignored if a valid (non-zero) contextHandle is supplied.
+ @param contextHandle (optional) A CSSM_CC_HANDLE, or 0. If this argument is supplied, the algorithm and keySizeInBits parameters are ignored. If extra parameters are needed to generate a key (some algorithms require this), you should create a context using CSSM_CSP_CreateKeyGenContext, using the CSPHandle obtained by calling SecKeychainGetCSPHandle. Then use CSSM_UpdateContextAttributes to add parameters, and dispose of the context using CSSM_DeleteContext after calling this function.
+ @param keyUsage A bit mask indicating all permitted uses for the new key. CSSM_KEYUSE bit mask values are defined in cssmtype.h.
+ @param keyAttr A bit mask defining attribute values for the new key. The bit mask values are equivalent to a CSSM_KEYATTR_FLAGS and are defined in cssmtype.h.
+ @param initialAccess (optional) A SecAccess object that determines the initial access rights for the key. This parameter is ignored if the keychainRef is NULL.
+ @param keyRef On return, a reference to the generated key. Use the SecKeyGetCSSMKey function to obtain the CSSM_KEY. The caller must call CFRelease on this value if it is returned.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion This API is deprecated for 10.7. Please use the SecKeyGenerateSymmetric API instead.
+*/
+OSStatus SecKeyGenerate(
+ SecKeychainRef _Nullable keychainRef,
+ CSSM_ALGORITHMS algorithm,
+ uint32 keySizeInBits,
+ CSSM_CC_HANDLE contextHandle,
+ CSSM_KEYUSE keyUsage,
+ uint32 keyAttr,
+ SecAccessRef _Nullable initialAccess,
+ SecKeyRef* _Nullable CF_RETURNS_RETAINED keyRef)
+ CSSM_DEPRECATED;
+
+/*!
+ @function SecKeyGetCSSMKey
+ @abstract Returns a pointer to the CSSM_KEY for the given key item reference.
+ @param key A keychain key item reference. The key item must be of class type kSecPublicKeyItemClass, kSecPrivateKeyItemClass, or kSecSymmetricKeyItemClass.
+ @param cssmKey On return, a pointer to a CSSM_KEY structure for the given key. This pointer remains valid until the key reference is released. The caller should not attempt to modify or free this data.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion The CSSM_KEY is valid until the key item reference is released. This API is deprecated in 10.7. Its use should no longer be needed.
+*/
+OSStatus SecKeyGetCSSMKey(SecKeyRef key, const CSSM_KEY * _Nullable * __nonnull cssmKey)
+ DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;;
+
+/*!
+ @function SecKeyGetCSPHandle
+ @abstract Returns the CSSM_CSP_HANDLE for the given key reference. The handle is valid until the key reference is released.
+ @param keyRef A key reference.
+ @param cspHandle On return, the CSSM_CSP_HANDLE for the given keychain.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion This API is deprecated in 10.7. Its use should no longer be needed.
+*/
+OSStatus SecKeyGetCSPHandle(SecKeyRef keyRef, CSSM_CSP_HANDLE *cspHandle)
+ DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*!
+ @function SecKeyGetCredentials
+ @abstract For a given key, return a pointer to a CSSM_ACCESS_CREDENTIALS structure which will allow the key to be used.
+ @param keyRef The key for which a credential is requested.
+ @param operation The type of operation to be performed with this key. See "Authorization tag type" for defined operations (cssmtype.h).
+ @param credentialType The type of credential requested.
+ @param outCredentials On return, a pointer to a CSSM_ACCESS_CREDENTIALS structure. This pointer remains valid until the key reference is released. The caller should not attempt to modify or free this data.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+*/
+OSStatus SecKeyGetCredentials(
+ SecKeyRef keyRef,
+ CSSM_ACL_AUTHORIZATION_TAG operation,
+ SecCredentialType credentialType,
+ const CSSM_ACCESS_CREDENTIALS * _Nullable * __nonnull outCredentials)
+ DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*!
+ @function SecKeyGenerateSymmetric
+ @abstract Generates a random symmetric key with the specified length
+ and algorithm type.
+
+ @param parameters A dictionary containing one or more key-value pairs.
+ See the discussion sections below for a complete overview of options.
+ @param error An optional pointer to a CFErrorRef. This value is set
+ if an error occurred. If not NULL, the caller is responsible for
+ releasing the CFErrorRef.
+ @result On return, a SecKeyRef reference to the symmetric key, or
+ NULL if the key could not be created.
+
+ @discussion In order to generate a symmetric key, the parameters dictionary
+ must at least contain the following keys:
+
+ * kSecAttrKeyType with a value of kSecAttrKeyTypeAES or any other
+ kSecAttrKeyType defined in SecItem.h
+ * kSecAttrKeySizeInBits with a value being a CFNumberRef containing
+ the requested key size in bits. Example sizes for AES keys are:
+ 128, 192, 256, 512.
+
+ To store the generated symmetric key in a keychain, set these keys:
+ * kSecUseKeychain (value is a SecKeychainRef)
+ * kSecAttrLabel (a user-visible label whose value is a CFStringRef,
+ e.g. "My App's Encryption Key")
+ * kSecAttrApplicationLabel (a label defined by your application, whose
+ value is a CFDataRef and which can be used to find this key in a
+ subsequent call to SecItemCopyMatching, e.g. "ID-1234567890-9876-0151")
+
+ To specify the generated key's access control settings, set this key:
+ * kSecAttrAccess (value is a SecAccessRef)
+
+ The keys below may be optionally set in the parameters dictionary
+ (with a CFBooleanRef value) to override the default usage values:
+
+ * kSecAttrCanEncrypt (defaults to true if not explicitly specified)
+ * kSecAttrCanDecrypt (defaults to true if not explicitly specified)
+ * kSecAttrCanWrap (defaults to true if not explicitly specified)
+ * kSecAttrCanUnwrap (defaults to true if not explicitly specified)
+
+*/
+_Nullable CF_RETURNS_RETAINED
+SecKeyRef SecKeyGenerateSymmetric(CFDictionaryRef parameters, CFErrorRef *error)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/*!
+ @function SecKeyCreateFromData
+ @abstract Creates a symmetric key with the given data and sets the
+ algorithm type specified.
+
+ @param parameters A dictionary containing one or more key-value pairs.
+ See the discussion sections below for a complete overview of options.
+ @result On return, a SecKeyRef reference to the symmetric key.
+
+ @discussion In order to generate a symmetric key the parameters dictionary must
+ at least contain the following keys:
+
+ * kSecAttrKeyType with a value of kSecAttrKeyTypeAES or any other
+ kSecAttrKeyType defined in SecItem.h
+
+ The keys below may be optionally set in the parameters dictionary
+ (with a CFBooleanRef value) to override the default usage values:
+
+ * kSecAttrCanEncrypt (defaults to true if not explicitly specified)
+ * kSecAttrCanDecrypt (defaults to true if not explicitly specified)
+ * kSecAttrCanWrap (defaults to true if not explicitly specified)
+ * kSecAttrCanUnwrap (defaults to true if not explicitly specified)
+
+*/
+_Nullable
+SecKeyRef SecKeyCreateFromData(CFDictionaryRef parameters,
+ CFDataRef keyData, CFErrorRef *error)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+
+#ifdef __BLOCKS__
+/*!
+ @typedef SecKeyGeneratePairBlock
+ @abstract Delivers the result from an asynchronous key pair generation.
+ @param publicKey - the public key generated. You must retain publicKey if you wish to use it after your block returns.
+ @param privateKey - the private key generated. You must retain publicKey if you wish to use it after your block returns.
+ @param error - Any errors returned. You must retain error if you wish to use it after your block returns.
+ */
+
+typedef void (^SecKeyGeneratePairBlock)(SecKeyRef publicKey, SecKeyRef privateKey, CFErrorRef error);
+
+/*!
+ @function SecKeyGeneratePairAsync
+ @abstract Generate a private/public keypair returning the values in a callback.
+ @param parameters A dictionary containing one or more key-value pairs.
+ @param deliveryQueue A dispatch queue to be used to deliver the results.
+ @param result A callback function to result when the operation has completed.
+
+ @discussion In order to generate a keypair the parameters dictionary must
+ at least contain the following keys:
+
+ * kSecAttrKeyType with a value being kSecAttrKeyTypeRSA or any other
+ kSecAttrKeyType defined in SecItem.h
+ * kSecAttrKeySizeInBits with a value being a CFNumberRef or CFStringRef
+ containing the requested key size in bits. Example sizes for RSA
+ keys are: 512, 768, 1024, 2048.
+
+ Setting the following attributes explicitly will override the defaults below.
+ See SecItem.h for detailed information on these attributes including the types
+ of the values.
+
+ * kSecAttrLabel default NULL
+ * kSecAttrIsPermanent if this key is present and has a Boolean
+ value of true, the key or key pair will be added to the default
+ keychain.
+ * kSecAttrApplicationTag default NULL
+ * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits
+ * kSecAttrCanEncrypt default false for private keys, true for public keys
+ * kSecAttrCanDecrypt default true for private keys, false for public keys
+ * kSecAttrCanDerive default true
+ * kSecAttrCanSign default true for private keys, false for public keys
+ * kSecAttrCanVerify default false for private keys, true for public keys
+ * kSecAttrCanWrap default false for private keys, true for public keys
+ * kSecAttrCanUnwrap default true for private keys, false for public keys
+
+*/
+void SecKeyGeneratePairAsync(CFDictionaryRef parameters,
+ dispatch_queue_t deliveryQueue, SecKeyGeneratePairBlock result)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+#endif /* __BLOCKS__ */
+
+// Derive, Wrap, and Unwrap
+
+/*!
+ @function SecKeyDeriveFromPassword
+ @abstract Derives a symmetric key from a password.
+
+ @param password The password from which the keyis to be derived.
+ @param parameters A dictionary containing one or more key-value pairs.
+ @param error If the call fails this will contain the error code.
+
+ @discussion In order to derive a key the parameters dictionary must contain at least contain the following keys:
+ * kSecAttrSalt - a CFData for the salt value for mixing in the pseudo-random rounds.
+ * kSecAttrPRF - the algorithm to use for the pseudo-random-function.
+ If 0, this defaults to kSecAttrPRFHmacAlgSHA1. Possible values are:
+
+ * kSecAttrPRFHmacAlgSHA1
+ * kSecAttrPRFHmacAlgSHA224
+ * kSecAttrPRFHmacAlgSHA256
+ * kSecAttrPRFHmacAlgSHA384
+ * kSecAttrPRFHmacAlgSHA512
+
+ * kSecAttrRounds - the number of rounds to call the pseudo random function.
+ If 0, a count will be computed to average 1/10 of a second.
+ * kSecAttrKeySizeInBits with a value being a CFNumberRef
+ containing the requested key size in bits. Example sizes for RSA keys are:
+ 512, 768, 1024, 2048.
+
+ @result On success a SecKeyRef is returned. On failure this result is NULL and the
+ error parameter contains the reason.
+
+*/
+_Nullable CF_RETURNS_RETAINED
+SecKeyRef SecKeyDeriveFromPassword(CFStringRef password,
+ CFDictionaryRef parameters, CFErrorRef *error)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/*!
+ @function SecKeyWrapSymmetric
+ @abstract Wraps a symmetric key with a symmetric key.
+
+ @param keyToWrap The key which is to be wrapped.
+ @param wrappingKey The key wrapping key.
+ @param parameters The parameter list to use for wrapping the key.
+ @param error If the call fails this will contain the error code.
+
+ @result On success a CFDataRef is returned. On failure this result is NULL and the
+ error parameter contains the reason.
+
+ @discussion In order to wrap a key the parameters dictionary may contain the following key:
+ * kSecSalt - a CFData for the salt value for the encrypt.
+
+*/
+_Nullable
+CFDataRef SecKeyWrapSymmetric(SecKeyRef keyToWrap,
+ SecKeyRef wrappingKey, CFDictionaryRef parameters, CFErrorRef *error)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/*!
+ @function SecKeyUnwrapSymmetric
+ @abstract Unwrap a wrapped symmetric key.
+
+ @param keyToUnwrap The wrapped key to unwrap.
+ @param unwrappingKey The key unwrapping key.
+ @param parameters The parameter list to use for unwrapping the key.
+ @param error If the call fails this will contain the error code.
+
+ @result On success a SecKeyRef is returned. On failure this result is NULL and the
+ error parameter contains the reason.
+
+ @discussion In order to unwrap a key the parameters dictionary may contain the following key:
+ * kSecSalt - a CFData for the salt value for the decrypt.
+
+*/
+_Nullable
+SecKeyRef SecKeyUnwrapSymmetric(CFDataRef _Nullable * __nonnull keyToUnwrap,
+ SecKeyRef unwrappingKey, CFDictionaryRef parameters, CFErrorRef *error)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+#endif /* SEC_OS_OSX */
+
+/*!
+ @function SecKeyGeneratePair
+ @abstract Generate a private/public keypair.
+ @param parameters A dictionary containing one or more key-value pairs.
+ See the discussion sections below for a complete overview of options.
+ @param publicKey On return, a SecKeyRef reference to the public key.
+ @param privateKey On return, a SecKeyRef reference to the private key.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+
+ @discussion In order to generate a keypair the parameters dictionary must
+ at least contain the following keys:
+
+ * kSecAttrKeyType with a value of kSecAttrKeyTypeRSA or any other
+ kSecAttrKeyType defined in SecItem.h
+ * kSecAttrKeySizeInBits with a value being a CFNumberRef containing
+ the requested key size in bits. Example sizes for RSA keys are:
+ 512, 768, 1024, 2048.
+
+ The values below may be set either in the top-level dictionary or in a
+ dictionary that is the value of the kSecPrivateKeyAttrs or
+ kSecPublicKeyAttrs key in the top-level dictionary. Setting these
+ attributes explicitly will override the defaults below. See SecItem.h
+ for detailed information on these attributes including the types of
+ the values.
+
+ * kSecAttrLabel default NULL
+ * kSecUseKeychain default NULL, which specifies the default keychain
+ * kSecAttrIsPermanent default false
+ if this key is present and has a Boolean value of true, the key or
+ key pair will be added to the keychain.
+ * kSecAttrTokenID default NULL
+ The CFStringRef ID of the token to generate the key or keypair on. This
+ attribute can contain CFStringRef and can be present only in the top-level
+ parameters dictionary.
+ * kSecAttrApplicationTag default NULL
+ * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits
+ * kSecAttrCanEncrypt default false for private keys, true for public keys
+ * kSecAttrCanDecrypt default true for private keys, false for public keys
+ * kSecAttrCanDerive default true
+ * kSecAttrCanSign default true for private keys, false for public keys
+ * kSecAttrCanVerify default false for private keys, true for public keys
+ * kSecAttrCanWrap default false for private keys, true for public keys
+ * kSecAttrCanUnwrap default true for private keys, false for public keys
+
+ NOTE: The function always saves keys in the keychain on macOS and as such attribute
+ kSecAttrIsPermanent is ignored. The function respects attribute kSecAttrIsPermanent
+ on iOS, tvOS and watchOS.
+ It is recommended to use SecKeyCreateRandomKey() which respects kSecAttrIsPermanent
+ on all platforms.
+*/
+OSStatus SecKeyGeneratePair(CFDictionaryRef parameters,
+ SecKeyRef * _Nullable CF_RETURNS_RETAINED publicKey, SecKeyRef * _Nullable CF_RETURNS_RETAINED privateKey)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
+
+
+#if SEC_OS_IPHONE
+/*!
+ @function SecKeyRawSign
+ @abstract Given a private key and data to sign, generate a digital
+ signature.
+ @param key Private key with which to sign.
+ @param padding See Padding Types above, typically kSecPaddingPKCS1SHA1.
+ @param dataToSign The data to be signed, typically the digest of the
+ actual data.
+ @param dataToSignLen Length of dataToSign in bytes.
+ @param sig Pointer to buffer in which the signature will be returned.
+ @param sigLen IN/OUT maximum length of sig buffer on input, actualy
+ length of sig on output.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion If the padding argument is kSecPaddingPKCS1, PKCS1 padding
+ will be performed prior to signing. If this argument is kSecPaddingNone,
+ the incoming data will be signed "as is".
+
+ When PKCS1 padding is performed, the maximum length of data that can
+ be signed is the value returned by SecKeyGetBlockSize() - 11.
+
+ NOTE: The behavior this function with kSecPaddingNone is undefined if the
+ first byte of dataToSign is zero; there is no way to verify leading zeroes
+ as they are discarded during the calculation.
+
+ If you want to generate a proper PKCS1 style signature with DER encoding
+ of the digest type - and the dataToSign is a SHA1 digest - use
+ kSecPaddingPKCS1SHA1.
+ */
+OSStatus SecKeyRawSign(
+ SecKeyRef key,
+ SecPadding padding,
+ const uint8_t *dataToSign,
+ size_t dataToSignLen,
+ uint8_t *sig,
+ size_t *sigLen)
+__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
+
+
+/*!
+ @function SecKeyRawVerify
+ @abstract Given a public key, data which has been signed, and a signature,
+ verify the signature.
+ @param key Public key with which to verify the signature.
+ @param padding See Padding Types above, typically kSecPaddingPKCS1SHA1.
+ @param signedData The data over which sig is being verified, typically
+ the digest of the actual data.
+ @param signedDataLen Length of signedData in bytes.
+ @param sig Pointer to the signature to verify.
+ @param sigLen Length of sig in bytes.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion If the padding argument is kSecPaddingPKCS1, PKCS1 padding
+ will be checked during verification. If this argument is kSecPaddingNone,
+ the incoming data will be compared directly to sig.
+
+ If you are verifying a proper PKCS1-style signature, with DER encoding
+ of the digest type - and the signedData is a SHA1 digest - use
+ kSecPaddingPKCS1SHA1.
+ */
+OSStatus SecKeyRawVerify(
+ SecKeyRef key,
+ SecPadding padding,
+ const uint8_t *signedData,
+ size_t signedDataLen,
+ const uint8_t *sig,
+ size_t sigLen)
+__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
+
+
+/*!
+ @function SecKeyEncrypt
+ @abstract Encrypt a block of plaintext.
+ @param key Public key with which to encrypt the data.
+ @param padding See Padding Types above, typically kSecPaddingPKCS1.
+ @param plainText The data to encrypt.
+ @param plainTextLen Length of plainText in bytes, this must be less
+ or equal to the value returned by SecKeyGetBlockSize().
+ @param cipherText Pointer to the output buffer.
+ @param cipherTextLen On input, specifies how much space is available at
+ cipherText; on return, it is the actual number of cipherText bytes written.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion If the padding argument is kSecPaddingPKCS1 or kSecPaddingOAEP,
+ PKCS1 (respectively kSecPaddingOAEP) padding will be performed prior to encryption.
+ If this argument is kSecPaddingNone, the incoming data will be encrypted "as is".
+ kSecPaddingOAEP is the recommended value. Other value are not recommended
+ for security reason (Padding attack or malleability).
+
+ When PKCS1 padding is performed, the maximum length of data that can
+ be encrypted is the value returned by SecKeyGetBlockSize() - 11.
+
+ When memory usage is a critical issue, note that the input buffer
+ (plainText) can be the same as the output buffer (cipherText).
+ */
+OSStatus SecKeyEncrypt(
+ SecKeyRef key,
+ SecPadding padding,
+ const uint8_t *plainText,
+ size_t plainTextLen,
+ uint8_t *cipherText,
+ size_t *cipherTextLen)
+__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
+
+
+/*!
+ @function SecKeyDecrypt
+ @abstract Decrypt a block of ciphertext.
+ @param key Private key with which to decrypt the data.
+ @param padding See Padding Types above, typically kSecPaddingPKCS1.
+ @param cipherText The data to decrypt.
+ @param cipherTextLen Length of cipherText in bytes, this must be less
+ or equal to the value returned by SecKeyGetBlockSize().
+ @param plainText Pointer to the output buffer.
+ @param plainTextLen On input, specifies how much space is available at
+ plainText; on return, it is the actual number of plainText bytes written.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion If the padding argument is kSecPaddingPKCS1 or kSecPaddingOAEP,
+ the corresponding padding will be removed after decryption.
+ If this argument is kSecPaddingNone, the decrypted data will be returned "as is".
+
+ When memory usage is a critical issue, note that the input buffer
+ (plainText) can be the same as the output buffer (cipherText).
+ */
+OSStatus SecKeyDecrypt(
+ SecKeyRef key, /* Private key */
+ SecPadding padding, /* kSecPaddingNone,
+ kSecPaddingPKCS1,
+ kSecPaddingOAEP */
+ const uint8_t *cipherText,
+ size_t cipherTextLen, /* length of cipherText */
+ uint8_t *plainText,
+ size_t *plainTextLen) /* IN/OUT */
+__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
+
+#endif // SEC_OS_IPHONE
+
+/*!
+ @function SecKeyCreateRandomKey
+ @abstract Generates a new public/private key pair.
+ @param parameters A dictionary containing one or more key-value pairs.
+ See the discussion sections below for a complete overview of options.
+ @param error On error, will be populated with an error object describing the failure.
+ See "Security Error Codes" (SecBase.h).
+ @return Newly generated private key. To get associated public key, use SecKeyCopyPublicKey().
+ @discussion In order to generate a keypair the parameters dictionary must
+ at least contain the following keys:
+
+ * kSecAttrKeyType with a value being kSecAttrKeyTypeRSA or any other
+ kSecAttrKeyType defined in SecItem.h
+ * kSecAttrKeySizeInBits with a value being a CFNumberRef or CFStringRef
+ containing the requested key size in bits. Example sizes for RSA
+ keys are: 512, 768, 1024, 2048.
+
+ The values below may be set either in the top-level dictionary or in a
+ dictionary that is the value of the kSecPrivateKeyAttrs or
+ kSecPublicKeyAttrs key in the top-level dictionary. Setting these
+ attributes explicitly will override the defaults below. See SecItem.h
+ for detailed information on these attributes including the types of
+ the values.
+
+ * kSecAttrLabel default NULL
+ * kSecAttrIsPermanent if this key is present and has a Boolean value of true,
+ the key or key pair will be added to the default keychain.
+ * kSecAttrTokenID if this key should be generated on specified token. This
+ attribute can contain CFStringRef and can be present only in the top-level
+ parameters dictionary.
+ * kSecAttrApplicationTag default NULL
+ * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits
+ * kSecAttrCanEncrypt default false for private keys, true for public keys
+ * kSecAttrCanDecrypt default true for private keys, false for public keys
+ * kSecAttrCanDerive default true
+ * kSecAttrCanSign default true for private keys, false for public keys
+ * kSecAttrCanVerify default false for private keys, true for public keys
+ * kSecAttrCanWrap default false for private keys, true for public keys
+ * kSecAttrCanUnwrap default true for private keys, false for public keys
+ */
+SecKeyRef _Nullable SecKeyCreateRandomKey(CFDictionaryRef parameters, CFErrorRef *error)
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecKeyCreateWithData
+ @abstract Create a SecKey from a well-defined external representation.
+ @param keyData CFData representing the key. The format of the data depends on the type of key being created.
+ @param attributes Dictionary containing attributes describing the key to be imported. The keys in this dictionary
+ are kSecAttr* constants from SecItem.h. Mandatory attributes are:
+ * kSecAttrKeyType
+ * kSecAttrKeyClass
+ @param error On error, will be populated with an error object describing the failure.
+ See "Security Error Codes" (SecBase.h).
+ @result A SecKey object representing the key, or NULL on failure.
+ @discussion This function does not add keys to any keychain, but the SecKey object it returns can be added
+ to keychain using the SecItemAdd function.
+ The requested data format depend on the type of key (kSecAttrKeyType) being created:
+ * kSecAttrKeyTypeRSA PKCS#1 format, public key can be also in x509 public key format
+ * kSecAttrKeyTypeECSECPrimeRandom ANSI X9.63 format (04 || X || Y [ || K])
+ */
+SecKeyRef _Nullable SecKeyCreateWithData(CFDataRef keyData, CFDictionaryRef attributes, CFErrorRef *error)
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecKeyGetBlockSize
+ @abstract Returns block length of the key in bytes.
+ @param key The key for which the block length is requested.
+ @result The block length of the key in bytes.
+ @discussion If for example key is an RSA key the value returned by
+ this function is the size of the modulus.
+ */
+size_t SecKeyGetBlockSize(SecKeyRef key)
+ __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
+
+/*!
+ @function SecKeyCopyExternalRepresentation
+ @abstract Create an external representation for the given key suitable for the key's type.
+ @param key The key to be exported.
+ @param error On error, will be populated with an error object describing the failure.
+ See "Security Error Codes" (SecBase.h).
+ @result A CFData representing the key in a format suitable for that key type.
+ @discussion This function may fail if the key is not exportable (e.g., bound to a smart card or Secure Enclave).
+ The format in which the key will be exported depends on the type of key:
+ * kSecAttrKeyTypeRSA PKCS#1 format
+ * kSecAttrKeyTypeECSECPrimeRandom ANSI X9.63 format (04 || X || Y [ || K])
+ */
+CFDataRef _Nullable SecKeyCopyExternalRepresentation(SecKeyRef key, CFErrorRef *error)
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecKeyCopyAttributes
+ @abstract Retrieve keychain attributes of a key.
+ @param key The key whose attributes are to be retrieved.
+ @result Dictionary containing attributes of the key. The keys that populate this dictionary are defined
+ and discussed in SecItem.h.
+ @discussion The attributes provided by this function are:
+ * kSecAttrCanEncrypt
+ * kSecAttrCanDecrypt
+ * kSecAttrCanDerive
+ * kSecAttrCanSign
+ * kSecAttrCanVerify
+ * kSecAttrKeyClass
+ * kSecAttrKeyType
+ * kSecAttrKeySizeInBits
+ * kSecAttrTokenID
+ * kSecAttrApplicationLabel
+ Other values returned in that dictionary are RFU.
+ */
+CFDictionaryRef _Nullable SecKeyCopyAttributes(SecKeyRef key)
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecKeyCopyPublicKey
+ @abstract Retrieve the public key from a key pair or private key.
+ @param key The key from which to retrieve a public key.
+ @result The public key or NULL if public key is not available for specified key.
+ @discussion Fails if key does not contain a public key or no public key can be computed from it.
+ */
+SecKeyRef _Nullable SecKeyCopyPublicKey(SecKeyRef key)
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @enum SecKeyAlgorithm
+ @abstract Available algorithms for performing cryptographic operations with SecKey object. String representation
+ of constant can be used for logging or debugging purposes, because they contain human readable names of the algorithm.
+
+ @constant kSecKeyAlgorithmRSASignatureRaw
+ Raw RSA sign/verify operation, size of input data must be the same as value returned by SecKeyGetBlockSize().
+
+ @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw
+ RSA sign/verify operation, assumes that input data is digest and OID and digest algorithm as specified in PKCS# v1.5.
+ This algorithm is typically not used directly, instead use algorithm with specified digest, like
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256.
+
+ @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1
+ RSA signature with PKCS#1 padding, input data must be SHA-1 generated digest.
+
+ @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224
+ RSA signature with PKCS#1 padding, input data must be SHA-224 generated digest.
+
+ @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256
+ RSA signature with PKCS#1 padding, input data must be SHA-256 generated digest.
+
+ @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384
+ RSA signature with PKCS#1 padding, input data must be SHA-384 generated digest.
+
+ @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512
+ RSA signature with PKCS#1 padding, input data must be SHA-512 generated digest.
+
+ @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1
+ RSA signature with PKCS#1 padding, SHA-1 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224
+ RSA signature with PKCS#1 padding, SHA-224 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256
+ RSA signature with PKCS#1 padding, SHA-256 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384
+ RSA signature with PKCS#1 padding, SHA-384 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512
+ RSA signature with PKCS#1 padding, SHA-512 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmRSASignatureDigestPSSSHA1
+ RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, input data must be SHA-1 generated digest.
+ PSS padding is calculated using MGF1 with SHA1 and saltLength parameter is set to 20 (SHA-1 output size).
+
+ @constant kSecKeyAlgorithmRSASignatureDigestPSSSHA224
+ RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, input data must be SHA-224 generated digest.
+ PSS padding is calculated using MGF1 with SHA224 and saltLength parameter is set to 28 (SHA-224 output size).
+
+ @constant kSecKeyAlgorithmRSASignatureDigestPSSSHA256
+ RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, input data must be SHA-256 generated digest.
+ PSS padding is calculated using MGF1 with SHA256 and saltLength parameter is set to 32 (SHA-256 output size).
+
+ @constant kSecKeyAlgorithmRSASignatureDigestPSSSHA384
+ RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, input data must be SHA-384 generated digest.
+ PSS padding is calculated using MGF1 with SHA384 and saltLength parameter is set to 48 (SHA-384 output size).
+
+ @constant kSecKeyAlgorithmRSASignatureDigestPSSSHA512
+ RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, input data must be SHA-512 generated digest.
+ PSS padding is calculated using MGF1 with SHA512 and saltLength parameter is set to 64 (SHA-512 output size).
+
+ @constant kSecKeyAlgorithmRSASignatureMessagePSSSHA1
+ RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, SHA-1 digest is generated from input data of any size.
+ PSS padding is calculated using MGF1 with SHA1 and saltLength parameter is set to 20 (SHA-1 output size).
+
+ @constant kSecKeyAlgorithmRSASignatureMessagePSSSHA224
+ RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, SHA-224 digest is generated from input data of any size.
+ PSS padding is calculated using MGF1 with SHA224 and saltLength parameter is set to 28 (SHA-224 output size).
+
+ @constant kSecKeyAlgorithmRSASignatureMessagePSSSHA256
+ RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, SHA-256 digest is generated from input data of any size.
+ PSS padding is calculated using MGF1 with SHA256 and saltLength parameter is set to 32 (SHA-256 output size).
+
+ @constant kSecKeyAlgorithmRSASignatureMessagePSSSHA384
+ RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, SHA-384 digest is generated from input data of any size.
+ PSS padding is calculated using MGF1 with SHA384 and saltLength parameter is set to 48 (SHA-384 output size).
+
+ @constant kSecKeyAlgorithmRSASignatureMessagePSSSHA512
+ RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, SHA-512 digest is generated from input data of any size.
+ PSS padding is calculated using MGF1 with SHA512 and saltLength parameter is set to 64 (SHA-512 output size).
+
+ @constant kSecKeyAlgorithmECDSASignatureRFC4754
+ ECDSA algorithm, signature is concatenated r and s, big endian, data is message digest.
+
+ @constant kSecKeyAlgorithmECDSASignatureDigestX962
+ ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest.
+
+ @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
+ ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA1 algorithm.
+
+ @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
+ ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA224 algorithm.
+
+ @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
+ ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA256 algorithm.
+
+ @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
+ ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA384 algorithm.
+
+ @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
+ ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA512 algorithm.
+
+ @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA1
+ ECDSA algorithm, signature is in DER x9.62 encoding, SHA-1 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA224
+ ECDSA algorithm, signature is in DER x9.62 encoding, SHA-224 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA256
+ ECDSA algorithm, signature is in DER x9.62 encoding, SHA-256 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA384
+ ECDSA algorithm, signature is in DER x9.62 encoding, SHA-384 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA512
+ ECDSA algorithm, signature is in DER x9.62 encoding, SHA-512 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmRSAEncryptionRaw
+ Raw RSA encryption or decryption, size of data must match RSA key modulus size. Note that direct
+ use of this algorithm without padding is cryptographically very weak, it is important to always introduce
+ some kind of padding. Input data size must be less or equal to the key block size and returned block has always
+ the same size as block size, as returned by SecKeyGetBlockSize().
+
+ @constant kSecKeyAlgorithmRSAEncryptionPKCS1
+ RSA encryption or decryption, data is padded using PKCS#1 padding scheme. This algorithm should be used only for
+ backward compatibility with existing protocols and data. New implementations should choose cryptographically
+ stronger algorithm instead (see kSecKeyAlgorithmRSAEncryptionOAEP). Input data must be at most
+ "key block size - 11" bytes long and returned block has always the same size as block size, as returned
+ by SecKeyGetBlockSize().
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA1
+ RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA1. Input data must be at most
+ "key block size - 42" bytes long and returned block has always the same size as block size, as returned
+ by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM to be able to encrypt and decrypt arbitrary long data.
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA224
+ RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA224. Input data must be at most
+ "key block size - 58" bytes long and returned block has always the same size as block size, as returned
+ by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM to be able to encrypt and decrypt arbitrary long data.
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA256
+ RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA256. Input data must be at most
+ "key block size - 66" bytes long and returned block has always the same size as block size, as returned
+ by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM to be able to encrypt and decrypt arbitrary long data.
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA384
+ RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA384. Input data must be at most
+ "key block size - 98" bytes long and returned block has always the same size as block size, as returned
+ by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM to be able to encrypt and decrypt arbitrary long data.
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA512
+ RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA512. Input data must be at most
+ "key block size - 130" bytes long and returned block has always the same size as block size, as returned
+ by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM to be able to encrypt and decrypt arbitrary long data.
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM
+ Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
+ mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
+ 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
+ as authentication data for AES-GCM encryption.
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM
+ Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
+ mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
+ 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
+ as authentication data for AES-GCM encryption.
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM
+ Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
+ mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
+ 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
+ as authentication data for AES-GCM encryption.
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM
+ Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
+ mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
+ 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
+ as authentication data for AES-GCM encryption.
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM
+ Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
+ mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
+ 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
+ as authentication data for AES-GCM encryption.
+
+ @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM
+ Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM in new code.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF.
+ AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector).
+
+ @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM
+ Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA224AESGCM in new code.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF.
+ AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector).
+
+ @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM
+ Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM in new code.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF.
+ AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector).
+
+ @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM
+ Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA384AESGCM in new code.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF.
+ AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector).
+
+ @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM
+ Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA512AESGCM in new code.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF.
+ AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector).
+
+ @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM
+ Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA256AESGCM in new code.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF.
+ AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector).
+
+ @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM
+ Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA224AESGCM in new code.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF.
+ AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector).
+
+ @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM
+ Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA256AESGCM in new code.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF.
+ AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector).
+
+ @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM
+ Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA384AESGCM in new code.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF.
+ AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector).
+
+ @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM
+ Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA512AESGCM in new code.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF.
+ AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector).
+
+ @constant kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA224AESGCM
+ ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF.
+ AES-GCM uses 16 bytes long TAG, AES key is first half of KDF output and 16 byte long IV (initialization vector) is second half
+ of KDF output.
+
+ @constant kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM
+ ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF.
+ AES-GCM uses 16 bytes long TAG, AES key is first half of KDF output and 16 byte long IV (initialization vector) is second half
+ of KDF output.
+
+ @constant kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA384AESGCM
+ ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF.
+ AES-GCM uses 16 bytes long TAG, AES key is first half of KDF output and 16 byte long IV (initialization vector) is second half
+ of KDF output.
+
+ @constant kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA512AESGCM
+ ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF.
+ AES-GCM uses 16 bytes long TAG, AES key is first half of KDF output and 16 byte long IV (initialization vector) is second half
+ of KDF output.
+
+ @constant kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA224AESGCM
+ ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF.
+ AES-GCM uses 16 bytes long TAG, AES key is first half of KDF output and 16 byte long IV (initialization vector) is second half
+ of KDF output.
+
+ @constant kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA256AESGCM
+ ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF.
+ AES-GCM uses 16 bytes long TAG, AES key is first half of KDF output and 16 byte long IV (initialization vector) is second half
+ of KDF output.
+
+ @constant kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA384AESGCM
+ ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF.
+ AES-GCM uses 16 bytes long TAG, AES key is first half of KDF output and 16 byte long IV (initialization vector) is second half
+ of KDF output.
+
+ @constant kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA512AESGCM
+ ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF.
+ AES-GCM uses 16 bytes long TAG, AES key is first half of KDF output and 16 byte long IV (initialization vector) is second half
+ of KDF output.
+
+ @constant kSecKeyAlgorithmECDHKeyExchangeCofactor
+ Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys.
+ This algorithm does not accept any parameters, length of output raw shared secret is given by the length of the key.
+
+ @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1
+ Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
+ and apply ANSI X9.63 KDF with SHA1 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
+ kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
+
+ @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224
+ Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
+ and apply ANSI X9.63 KDF with SHA224 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
+ kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
+
+ @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256
+ Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
+ and apply ANSI X9.63 KDF with SHA256 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
+ kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
+
+ @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384
+ Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
+ and apply ANSI X9.63 KDF with SHA384 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
+ kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
+
+ @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512
+ Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
+ and apply ANSI X9.63 KDF with SHA512 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
+ kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
+
+ @constant kSecKeyAlgorithmECDHKeyExchangeStandard
+ Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys.
+ This algorithm does not accept any parameters, length of output raw shared secret is given by the length of the key.
+
+ @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1
+ Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
+ and apply ANSI X9.63 KDF with SHA1 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
+ kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
+
+ @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224
+ Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
+ and apply ANSI X9.63 KDF with SHA224 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
+ kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
+
+ @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256
+ Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
+ and apply ANSI X9.63 KDF with SHA256 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
+ kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
+
+ @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384
+ Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
+ and apply ANSI X9.63 KDF with SHA384 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
+ kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
+
+ @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512
+ Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys
+ and apply ANSI X9.63 KDF with SHA512 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows
+ kSecKeyKeyExchangeParameterSharedInfo parameters to be used.
+ */
+
+typedef CFStringRef SecKeyAlgorithm CF_STRING_ENUM
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureRaw
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPSSSHA1
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPSSSHA224
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPSSSHA256
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPSSSHA384
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPSSSHA512
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePSSSHA1
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePSSSHA224
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePSSSHA256
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePSSSHA384
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePSSSHA512
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureRFC4754
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA1
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA224
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA256
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA384
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA512
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA1
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA224
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA256
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA384
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA512
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionRaw
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionPKCS1
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA1
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA224
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA256
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA384
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA512
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA224AESGCM
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA384AESGCM
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA512AESGCM
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA224AESGCM
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA256AESGCM
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA384AESGCM
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA512AESGCM
+__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandard
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactor
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecKeyCreateSignature
+ @abstract Given a private key and data to sign, generate a digital signature.
+ @param key Private key with which to sign.
+ @param algorithm One of SecKeyAlgorithm constants suitable to generate signature with this key.
+ @param dataToSign The data to be signed, typically the digest of the actual data.
+ @param error On error, will be populated with an error object describing the failure.
+ See "Security Error Codes" (SecBase.h).
+ @result The signature over dataToSign represented as a CFData, or NULL on failure.
+ @discussion Computes digital signature using specified key over input data. The operation algorithm
+ further defines the exact format of input data, operation to be performed and output signature.
+ */
+CFDataRef _Nullable SecKeyCreateSignature(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef dataToSign, CFErrorRef *error)
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecKeyVerifySignature
+ @abstract Given a public key, data which has been signed, and a signature, verify the signature.
+ @param key Public key with which to verify the signature.
+ @param algorithm One of SecKeyAlgorithm constants suitable to verify signature with this key.
+ @param signedData The data over which sig is being verified, typically the digest of the actual data.
+ @param signature The signature to verify.
+ @param error On error, will be populated with an error object describing the failure.
+ See "Security Error Codes" (SecBase.h).
+ @result True if the signature was valid, False otherwise.
+ @discussion Verifies digital signature operation using specified key and signed data. The operation algorithm
+ further defines the exact format of input data, signature and operation to be performed.
+ */
+Boolean SecKeyVerifySignature(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef signedData, CFDataRef signature, CFErrorRef *error)
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecKeyCreateEncryptedData
+ @abstract Encrypt a block of plaintext.
+ @param key Public key with which to encrypt the data.
+ @param algorithm One of SecKeyAlgorithm constants suitable to perform encryption with this key.
+ @param plaintext The data to encrypt. The length and format of the data must conform to chosen algorithm,
+ typically be less or equal to the value returned by SecKeyGetBlockSize().
+ @param error On error, will be populated with an error object describing the failure.
+ See "Security Error Codes" (SecBase.h).
+ @result The ciphertext represented as a CFData, or NULL on failure.
+ @discussion Encrypts plaintext data using specified key. The exact type of the operation including the format
+ of input and output data is specified by encryption algorithm.
+ */
+CFDataRef _Nullable SecKeyCreateEncryptedData(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef plaintext,
+ CFErrorRef *error)
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecKeyCreateDecryptedData
+ @abstract Decrypt a block of ciphertext.
+ @param key Private key with which to decrypt the data.
+ @param algorithm One of SecKeyAlgorithm constants suitable to perform decryption with this key.
+ @param ciphertext The data to decrypt. The length and format of the data must conform to chosen algorithm,
+ typically be less or equal to the value returned by SecKeyGetBlockSize().
+ @param error On error, will be populated with an error object describing the failure.
+ See "Security Error Codes" (SecBase.h).
+ @result The plaintext represented as a CFData, or NULL on failure.
+ @discussion Decrypts ciphertext data using specified key. The exact type of the operation including the format
+ of input and output data is specified by decryption algorithm.
+ */
+CFDataRef _Nullable SecKeyCreateDecryptedData(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef ciphertext,
+ CFErrorRef *error)
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @enum SecKeyKeyExchangeParameter SecKey Key Exchange parameters
+ @constant kSecKeyKeyExchangeParameterRequestedSize Contains CFNumberRef with requested result size in bytes.
+ @constant kSecKeyKeyExchangeParameterSharedInfo Contains CFDataRef with additional shared info
+ for KDF (key derivation function).
+ */
+typedef CFStringRef SecKeyKeyExchangeParameter CF_STRING_ENUM
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyKeyExchangeParameter kSecKeyKeyExchangeParameterRequestedSize
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+extern const SecKeyKeyExchangeParameter kSecKeyKeyExchangeParameterSharedInfo
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecKeyCopyKeyExchangeResult
+ @abstract Perform Diffie-Hellman style of key exchange operation, optionally with additional key-derivation steps.
+ @param algorithm One of SecKeyAlgorithm constants suitable to perform this operation.
+ @param publicKey Remote party's public key.
+ @param parameters Dictionary with parameters, see SecKeyKeyExchangeParameter constants. Used algorithm
+ determines the set of required and optional parameters to be used.
+ @param error Pointer to an error object on failure.
+ See "Security Error Codes" (SecBase.h).
+ @result Result of key exchange operation as a CFDataRef, or NULL on failure.
+ */
+CFDataRef _Nullable SecKeyCopyKeyExchangeResult(SecKeyRef privateKey, SecKeyAlgorithm algorithm, SecKeyRef publicKey, CFDictionaryRef parameters, CFErrorRef *error)
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @enum SecKeyOperationType
+ @abstract Defines types of cryptographic operations available with SecKey instance.
+
+ @constant kSecKeyOperationTypeSign
+ Represents SecKeyCreateSignature()
+
+ @constant kSecKeyOperationTypeVerify
+ Represents SecKeyVerifySignature()
+
+ @constant kSecKeyOperationTypeEncrypt
+ Represents SecKeyCreateEncryptedData()
+
+ @constant kSecKeyOperationTypeDecrypt
+ Represents SecKeyCreateDecryptedData()
+
+ @constant kSecKeyOperationTypeKeyExchange
+ Represents SecKeyCopyKeyExchangeResult()
+ */
+typedef CF_ENUM(CFIndex, SecKeyOperationType) {
+ kSecKeyOperationTypeSign = 0,
+ kSecKeyOperationTypeVerify = 1,
+ kSecKeyOperationTypeEncrypt = 2,
+ kSecKeyOperationTypeDecrypt = 3,
+ kSecKeyOperationTypeKeyExchange = 4,
+} __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecKeyIsAlgorithmSupported
+ @abstract Checks whether key supports specified algorithm for specified operation.
+ @param key Key to query
+ @param operation Operation type for which the key is queried
+ @param algorithm Algorithm which is queried
+ @return True if key supports specified algorithm for specified operation, False otherwise.
+ */
+Boolean SecKeyIsAlgorithmSupported(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm)
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+CF_IMPLICIT_BRIDGING_DISABLED
+CF_ASSUME_NONNULL_END
+
+__END_DECLS
+
+#endif /* !_SECURITY_SECKEY_H_ */
projects / apple / security.git / blobdiff