/* * Copyright (c) 2006-2010 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. * * @APPLE_LICENSE_HEADER_END@ */ /*! @header SecItemPriv SecItemPriv defines private constants and SPI functions for access to Security items (certificates, identities, keys, and keychain items.) */ #ifndef _SECURITY_SECITEMPRIV_H_ #define _SECURITY_SECITEMPRIV_H_ #include <CoreFoundation/CFData.h> #if defined(__cplusplus) extern "C" { #endif /*! @enum Class Value Constants (Private) @discussion Predefined item class constants used to get or set values in a dictionary. The kSecClass constant is the key and its value is one of the constants defined here. @constant kSecClassAppleSharePassword Specifies AppleShare password items. */ extern CFTypeRef kSecClassAppleSharePassword; /*! @enum Attribute Key Constants (Private) @discussion Predefined item attribute keys used to get or set values in a dictionary. Not all attributes apply to each item class. The table below lists the currently defined attributes for each item class: kSecClassGenericPassword item attributes: kSecAttrAccessGroup kSecAttrCreationDate kSecAttrModificationDate kSecAttrDescription kSecAttrComment kSecAttrCreator kSecAttrType kSecAttrScriptCode (private) kSecAttrLabel kSecAttrAlias (private) kSecAttrIsInvisible kSecAttrIsNegative kSecAttrHasCustomIcon (private) kSecAttrProtected (private) kSecAttrAccount kSecAttrService kSecAttrGeneric kSecClassInternetPassword item attributes: kSecAttrAccessGroup kSecAttrCreationDate kSecAttrModificationDate kSecAttrDescription kSecAttrComment kSecAttrCreator kSecAttrType kSecAttrScriptCode (private) kSecAttrLabel kSecAttrAlias (private) kSecAttrIsInvisible kSecAttrIsNegative kSecAttrHasCustomIcon (private) kSecAttrProtected (private) kSecAttrAccount kSecAttrSecurityDomain kSecAttrServer kSecAttrProtocol kSecAttrAuthenticationType kSecAttrPort kSecAttrPath kSecClassAppleSharePassword item attributes: kSecAttrAccessGroup kSecAttrCreationDate kSecAttrModificationDate kSecAttrDescription kSecAttrComment kSecAttrCreator kSecAttrType kSecAttrScriptCode (private) kSecAttrLabel kSecAttrAlias (private) kSecAttrIsInvisible kSecAttrIsNegative kSecAttrHasCustomIcon (private) kSecAttrProtected (private) kSecAttrAccount kSecAttrVolume kSecAttrAddress kSecAttrAFPServerSignature kSecClassCertificate item attributes: kSecAttrAccessGroup kSecAttrCertificateType kSecAttrCertificateEncoding kSecAttrLabel kSecAttrAlias (private) kSecAttrSubject kSecAttrIssuer kSecAttrSerialNumber kSecAttrSubjectKeyID kSecAttrPublicKeyHash kSecClassKey item attributes: kSecAttrAccessGroup kSecAttrKeyClass kSecAttrLabel kSecAttrAlias (private) kSecAttrApplicationLabel kSecAttrIsPermanent kSecAttrIsPrivate (private) kSecAttrIsModifiable (private) kSecAttrApplicationTag kSecAttrKeyCreator (private) kSecAttrKeyType kSecAttrKeySizeInBits kSecAttrEffectiveKeySize kSecAttrStartDate (private) kSecAttrEndDate (private) kSecAttrIsSensitive (private) kSecAttrWasAlwaysSensitive (private) kSecAttrIsExtractable (private) kSecAttrWasNeverExtractable (private) kSecAttrCanEncrypt kSecAttrCanDecrypt kSecAttrCanDerive kSecAttrCanSign kSecAttrCanVerify kSecAttrCanSignRecover (private) kSecAttrCanVerifyRecover (private) kSecAttrCanWrap kSecAttrCanUnwrap kSecClassIdentity item attributes: Since an identity is the combination of a private key and a certificate, this class shares attributes of both kSecClassKey and kSecClassCertificate. @constant kSecAttrScriptCode Specifies a dictionary key whose value is the item's script code attribute. You use this tag to set or get a value of type CFNumberRef that represents a script code for this item's strings. (Note: use of this attribute is deprecated; string attributes should always be stored in UTF-8 encoding. This is currently private for use by syncing; new code should not ever access this attribute.) @constant kSecAttrAlias Specifies a dictionary key whose value is the item's alias. You use this key to get or set a value of type CFDataRef which represents an alias. For certificate items, the alias is either a single email address, an array of email addresses, or the common name of the certificate if it does not contain any email address. (Items of class kSecClassCertificate have this attribute.) @constant kSecAttrHasCustomIcon Specifies a dictionary key whose value is the item's custom icon attribute. You use this tag to set or get a value of type CFBooleanRef that indicates whether the item should have an application-specific icon. (Note: use of this attribute is deprecated; custom item icons are not supported in Mac OS X. This is currently private for use by syncing; new code should not use this attribute.) @constant kSecAttrVolume Specifies a dictionary key whose value is the item's volume attribute. You use this key to set or get a CFStringRef value that represents an AppleShare volume name. (Items of class kSecClassAppleSharePassword have this attribute.) @constant kSecAttrAddress Specifies a dictionary key whose value is the item's address attribute. You use this key to set or get a CFStringRef value that contains the AppleTalk zone name, or the IP or domain name that represents the server address. (Items of class kSecClassAppleSharePassword have this attribute.) @constant kSecAttrAFPServerSignature Specifies a dictionary key whose value is the item's AFP server signature attribute. You use this key to set or get a CFDataRef value containing 16 bytes that represents the server's signature block. (Items of class kSecClassAppleSharePassword have this attribute.) @constant kSecAttrCRLType (read-only) Specifies a dictionary key whose value is the item's certificate revocation list type. You use this key to get a value of type CFNumberRef that denotes the CRL type (see the CSSM_CRL_TYPE enum in cssmtype.h). (Items of class kSecClassCertificate have this attribute.) @constant kSecAttrCRLEncoding (read-only) Specifies a dictionary key whose value is the item's certificate revocation list encoding. You use this key to get a value of type CFNumberRef that denotes the CRL encoding (see the CSSM_CRL_ENCODING enum in cssmtype.h). (Items of class kSecClassCertificate have this attribute.) @constant kSecAttrKeyCreator Specifies a dictionary key whose value is a CFDataRef containing a CSSM_GUID structure representing the module ID of the CSP that owns this key. @constant kSecAttrIsPrivate Specifies a dictionary key whose value is a CFBooleanRef indicating whether the raw key material of the key in question is private. @constant kSecAttrIsModifiable Specifies a dictionary key whose value is a CFBooleanRef indicating whether any of the attributes of this key are modifiable. @constant kSecAttrStartDate Specifies a dictionary key whose value is a CFDateRef indicating the earliest date on which this key may be used. If kSecAttrStartDate is not present, the restriction does not apply. @constant kSecAttrEndDate Specifies a dictionary key whose value is a CFDateRef indicating the last date on which this key may be used. If kSecAttrEndDate is not present, the restriction does not apply. @constant kSecAttrIsSensitive Specifies a dictionary key whose value is a CFBooleanRef indicating whether the key in question must be wrapped with an algorithm other than CSSM_ALGID_NONE. @constant kSecAttrWasAlwaysSensitive Specifies a dictionary key whose value is a CFBooleanRef indicating that the key in question has always been marked as sensitive. @constant kSecAttrIsExtractable Specifies a dictionary key whose value is a CFBooleanRef indicating whether the key in question may be wrapped. @constant kSecAttrWasNeverExtractable Specifies a dictionary key whose value is a CFBooleanRef indicating that the key in question has never been marked as extractable. @constant kSecAttrCanSignRecover Specifies a dictionary key whole value is a CFBooleanRef indicating whether the key in question can be used to perform sign recovery. @constant kSecAttrCanVerifyRecover Specifies a dictionary key whole value is a CFBooleanRef indicating whether the key in question can be used to perform verify recovery. @constant kSecAttrSynchronizable Specifies a dictionary key whose value is a CFBooleanRef indicating that the item in question can be synchronized. */ extern CFTypeRef kSecAttrScriptCode; extern CFTypeRef kSecAttrAlias; extern CFTypeRef kSecAttrHasCustomIcon; extern CFTypeRef kSecAttrVolume; extern CFTypeRef kSecAttrAddress; extern CFTypeRef kSecAttrAFPServerSignature; extern CFTypeRef kSecAttrCRLType; extern CFTypeRef kSecAttrCRLEncoding; extern CFTypeRef kSecAttrKeyCreator; extern CFTypeRef kSecAttrIsPrivate; extern CFTypeRef kSecAttrIsModifiable; extern CFTypeRef kSecAttrStartDate; extern CFTypeRef kSecAttrEndDate; extern CFTypeRef kSecAttrIsSensitive; extern CFTypeRef kSecAttrWasAlwaysSensitive; extern CFTypeRef kSecAttrIsExtractable; extern CFTypeRef kSecAttrWasNeverExtractable; extern CFTypeRef kSecAttrCanSignRecover; extern CFTypeRef kSecAttrCanVerifyRecover; extern CFTypeRef kSecAttrSynchronizable; /*! @enum Other Constants (Private) @discussion Predefined constants used to set values in a dictionary. @constant kSecUseKeychain Specifies a dictionary key whose value is a keychain reference. You use this key to specify a value of type SecKeychainRef that indicates the keychain to which SecItemAdd will add the provided item(s). @constant kSecUseKeychainList Specifies a dictionary key whose value is either an array of keychains to search (CFArrayRef), or a single keychain (SecKeychainRef). If not provided, the user's default keychain list is searched. kSecUseKeychainList is ignored if an explicit kSecUseItemList is also provided. This key can be used for the SecItemCopyMatching, SecItemUpdate and SecItemDelete calls. */ #if defined(MULTIPLE_KEYCHAINS) extern CFTypeRef kSecUseKeychain; extern CFTypeRef kSecUseKeychainList; #endif /* !defined(MULTIPLE_KEYCHAINS) */ /*! @function SecItemCopyDisplayNames @abstract Returns an array containing unique display names for each of the certificates, keys, identities, or passwords in the provided items array. @param items An array containing items of type SecKeychainItemRef, SecKeyRef, SecCertificateRef, or SecIdentityRef. All items in the array should be of the same type. @param displayNames On return, an array of CFString references containing unique names for the supplied items. You are responsible for releasing this array reference by calling the CFRelease function. @result A result code. See "Security Error Codes" (SecBase.h). @discussion Use this function to obtain item names which are suitable for display in a menu or list view. The returned names are guaranteed to be unique across the set of provided items. */ OSStatus SecItemCopyDisplayNames(CFArrayRef items, CFArrayRef *displayNames); /*! @function SecItemDeleteAll @abstract Removes all items from the keychain and added root certificates from the trust store. @result A result code. See "Security Error Codes" (SecBase.h). */ OSStatus SecItemDeleteAll(void); enum { kSecMigrateKeychainImport = -1, kSecMigrateKeychainExport = 0 }; /* Call this function with a 0 handle_in and NULL data_in to start an export. data_out will be returned if data needs to be transmitted to the client (caller is responsible for CFReleasing returned CFDataRef). If handle_out is set to nonzero on return, then the caller should call this function again with the returned handle passed as handle_in and the response from the importing client on the other end of the connection as data_in. Caller should continue passing data_out to the importing device and continue providing additional data until handle_out is set to zero. When importing, call this function with handle_in set to 0 and data_in to the data to be imported, if more data is expected, handle_out will be non zero upon return. */ OSStatus _SecMigrateKeychain(int32_t handle_in, CFDataRef data_in, int32_t *handle_out, CFDataRef *data_out); /* Ensure the escrow keybag has been used to unlock the system keybag before calling either of these APIs. The password argument is optional, passing NULL implies no backup password was set. We're assuming there will always be a backup keybag, except in the OTA case where the loaded OTA backup bag will be used. */ CFDataRef _SecKeychainCopyBackup(CFDataRef backupKeybag, CFDataRef password); CFDataRef _SecKeychainCopyOTABackup(void); bool _SecKeychainRestoreBackup(CFDataRef backup, CFDataRef backupKeybag, CFDataRef password); #if defined(__cplusplus) } #endif #endif /* !_SECURITY_SECITEMPRIV_H_ */