SecKey.h
1 /* 2 * Copyright (c) 2006-2014,2016 Apple Inc. All Rights Reserved. 3 * 4 * @APPLE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. Please obtain a copy of the License at 10 * http://www.opensource.apple.com/apsl/ and read it before using this 11 * file. 12 * 13 * The Original Code and all software distributed under the License are 14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 * Please see the License for the specific language governing rights and 19 * limitations under the License. 20 * 21 * @APPLE_LICENSE_HEADER_END@ 22 */ 23 24 /*! 25 @header SecKey 26 The functions provided in SecKey.h implement and manage a particular 27 type of keychain item that represents a key. A key can be stored in a 28 keychain, but a key can also be a transient object. 29 30 On OSX, you can use a SecKey as a SecKeychainItem in most functions. 31 */ 32 33 #ifndef _SECURITY_SECKEY_H_ 34 #define _SECURITY_SECKEY_H_ 35 36 #include <Availability.h> 37 #include <Security/SecBase.h> 38 #include <CoreFoundation/CoreFoundation.h> 39 #include <dispatch/dispatch.h> 40 #include <sys/types.h> 41 42 #if SEC_OS_OSX 43 #include <Security/SecAccess.h> 44 #include <Security/cssmtype.h> 45 #endif /* SEC_OS_OSX */ 46 47 __BEGIN_DECLS 48 49 CF_ASSUME_NONNULL_BEGIN 50 CF_IMPLICIT_BRIDGING_ENABLED 51 52 #if SEC_OS_OSX 53 /*! 54 @enum KeyItemAttributeConstants 55 @abstract Specifies keychain item attributes for keys. 56 @constant kSecKeyKeyClass type uint32 (CSSM_KEYCLASS), value 57 is one of CSSM_KEYCLASS_PUBLIC_KEY, CSSM_KEYCLASS_PRIVATE_KEY 58 or CSSM_KEYCLASS_SESSION_KEY. 59 @constant kSecKeyPrintName type blob, human readable name of 60 the key. Same as kSecLabelItemAttr for normal keychain items. 61 @constant kSecKeyAlias type blob, currently unused. 62 @constant kSecKeyPermanent type uint32, value is nonzero iff 63 this key is permanent (stored in some keychain). This is always 64 1. 65 @constant kSecKeyPrivate type uint32, value is nonzero iff this 66 key is protected by a user login or a password, or both. 67 @constant kSecKeyModifiable type uint32, value is nonzero iff 68 attributes of this key can be modified. 69 @constant kSecKeyLabel type blob, for private and public keys 70 this contains the hash of the public key. This is used to 71 associate certificates and keys. Its value matches the value 72 of the kSecPublicKeyHashItemAttr of a certificate and it's used 73 to construct an identity from a certificate and a key. 74 For symmetric keys this is whatever the creator of the key 75 passed in during the generate key call. 76 @constant kSecKeyApplicationTag type blob, currently unused. 77 @constant kSecKeyKeyCreator type data, the data points to a 78 CSSM_GUID structure representing the moduleid of the csp owning 79 this key. 80 @constant kSecKeyKeyType type uint32, value is a CSSM_ALGORITHMS 81 representing the algorithm associated with this key. 82 @constant kSecKeyKeySizeInBits type uint32, value is the number 83 of bits in this key. 84 @constant kSecKeyEffectiveKeySize type uint32, value is the 85 effective number of bits in this key. For example a des key 86 has a kSecKeyKeySizeInBits of 64 but a kSecKeyEffectiveKeySize 87 of 56. 88 @constant kSecKeyStartDate type CSSM_DATE. Earliest date from 89 which this key may be used. If the value is all zeros or not 90 present, no restriction applies. 91 @constant kSecKeyEndDate type CSSM_DATE. Latest date at 92 which this key may be used. If the value is all zeros or not 93 present, no restriction applies. 94 @constant kSecKeySensitive type uint32, iff value is nonzero 95 this key cannot be wrapped with CSSM_ALGID_NONE. 96 @constant kSecKeyAlwaysSensitive type uint32, value is nonzero 97 iff this key has always been marked sensitive. 98 @constant kSecKeyExtractable type uint32, value is nonzero iff 99 this key can be wrapped. 100 @constant kSecKeyNeverExtractable type uint32, value is nonzero 101 iff this key was never marked extractable. 102 @constant kSecKeyEncrypt type uint32, value is nonzero iff this 103 key can be used in an encrypt operation. 104 @constant kSecKeyDecrypt type uint32, value is nonzero iff this 105 key can be used in a decrypt operation. 106 @constant kSecKeyDerive type uint32, value is nonzero iff this 107 key can be used in a deriveKey operation. 108 @constant kSecKeySign type uint32, value is nonzero iff this 109 key can be used in a sign operation. 110 @constant kSecKeyVerify type uint32, value is nonzero iff this 111 key can be used in a verify operation. 112 @constant kSecKeySignRecover type uint32. 113 @constant kSecKeyVerifyRecover type uint32. 114 key can unwrap other keys. 115 @constant kSecKeyWrap type uint32, value is nonzero iff this 116 key can wrap other keys. 117 @constant kSecKeyUnwrap type uint32, value is nonzero iff this 118 key can unwrap other keys. 119 @discussion 120 The use of these enumerations has been deprecated. Please 121 use the equivalent items defined in SecItem.h 122 @@@. 123 */ 124 CF_ENUM(int) 125 { 126 kSecKeyKeyClass = 0, 127 kSecKeyPrintName = 1, 128 kSecKeyAlias = 2, 129 kSecKeyPermanent = 3, 130 kSecKeyPrivate = 4, 131 kSecKeyModifiable = 5, 132 kSecKeyLabel = 6, 133 kSecKeyApplicationTag = 7, 134 kSecKeyKeyCreator = 8, 135 kSecKeyKeyType = 9, 136 kSecKeyKeySizeInBits = 10, 137 kSecKeyEffectiveKeySize = 11, 138 kSecKeyStartDate = 12, 139 kSecKeyEndDate = 13, 140 kSecKeySensitive = 14, 141 kSecKeyAlwaysSensitive = 15, 142 kSecKeyExtractable = 16, 143 kSecKeyNeverExtractable = 17, 144 kSecKeyEncrypt = 18, 145 kSecKeyDecrypt = 19, 146 kSecKeyDerive = 20, 147 kSecKeySign = 21, 148 kSecKeyVerify = 22, 149 kSecKeySignRecover = 23, 150 kSecKeyVerifyRecover = 24, 151 kSecKeyWrap = 25, 152 kSecKeyUnwrap = 26 153 }; 154 155 /*! 156 @enum SecCredentialType 157 @abstract Determines the type of credential returned by SecKeyGetCredentials. 158 @constant kSecCredentialTypeWithUI Operations with this key are allowed to present UI if required. 159 @constant kSecCredentialTypeNoUI Operations with this key are not allowed to present UI, and will fail if UI is required. 160 @constant kSecCredentialTypeDefault The default setting for determining whether to present UI is used. This setting can be changed with a call to SecKeychainSetUserInteractionAllowed. 161 */ 162 typedef CF_ENUM(uint32, SecCredentialType) 163 { 164 kSecCredentialTypeDefault = 0, 165 kSecCredentialTypeWithUI, 166 kSecCredentialTypeNoUI 167 }; 168 #endif /* SEC_OS_OSX */ 169 170 /*! 171 @typedef SecPadding 172 @abstract Supported padding types. 173 */ 174 typedef CF_OPTIONS(uint32_t, SecPadding) 175 { 176 kSecPaddingNone = 0, 177 kSecPaddingPKCS1 = 1, 178 kSecPaddingOAEP = 2, // __OSX_UNAVAILABLE __IOS_AVAILABLE(2.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0), 179 180 /* For SecKeyRawSign/SecKeyRawVerify only, 181 ECDSA signature is raw byte format {r,s}, big endian. 182 First half is r, second half is s */ 183 kSecPaddingSigRaw = 0x4000, 184 185 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is an MD2 186 hash; standard ASN.1 padding will be done, as well as PKCS1 padding 187 of the underlying RSA operation. */ 188 kSecPaddingPKCS1MD2 = 0x8000, // __OSX_DEPRECATED(10.0, 10.12, "MD2 is deprecated") __IOS_DEPRECATED(2.0, 5.0, "MD2 is deprecated") __TVOS_UNAVAILABLE __WATCHOS_UNAVAILABLE, 189 190 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is an MD5 191 hash; standard ASN.1 padding will be done, as well as PKCS1 padding 192 of the underlying RSA operation. */ 193 kSecPaddingPKCS1MD5 = 0x8001, // __OSX_DEPRECATED(10.0, 10.12, "MD5 is deprecated") __IOS_DEPRECATED(2.0, 5.0, "MD5 is deprecated") __TVOS_UNAVAILABLE __WATCHOS_UNAVAILABLE, 194 195 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA1 196 hash; standard ASN.1 padding will be done, as well as PKCS1 padding 197 of the underlying RSA operation. */ 198 kSecPaddingPKCS1SHA1 = 0x8002, 199 200 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA224 201 hash; standard ASN.1 padding will be done, as well as PKCS1 padding 202 of the underlying RSA operation. */ 203 kSecPaddingPKCS1SHA224 = 0x8003, // __OSX_UNAVAILABLE __IOS_AVAILABLE(2.0), 204 205 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA256 206 hash; standard ASN.1 padding will be done, as well as PKCS1 padding 207 of the underlying RSA operation. */ 208 kSecPaddingPKCS1SHA256 = 0x8004, // __OSX_UNAVAILABLE __IOS_AVAILABLE(2.0), 209 210 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA384 211 hash; standard ASN.1 padding will be done, as well as PKCS1 padding 212 of the underlying RSA operation. */ 213 kSecPaddingPKCS1SHA384 = 0x8005, // __OSX_UNAVAILABLE __IOS_AVAILABLE(2.0), 214 215 /* For SecKeyRawSign/SecKeyRawVerify only, data to be signed is a SHA512 216 hash; standard ASN.1 padding will be done, as well as PKCS1 padding 217 of the underlying RSA operation. */ 218 kSecPaddingPKCS1SHA512 = 0x8006, // __OSX_UNAVAILABLE __IOS_AVAILABLE(2.0), 219 }; 220 221 #if SEC_OS_OSX 222 /*! 223 @typedef SecKeySizes 224 @abstract Supported key lengths. 225 */ 226 typedef CF_ENUM(uint32_t, SecKeySizes) 227 { 228 kSecDefaultKeySize = 0, 229 230 // Symmetric Keysizes - default is currently kSecAES128 for AES. 231 kSec3DES192 = 192, 232 kSecAES128 = 128, 233 kSecAES192 = 192, 234 kSecAES256 = 256, 235 236 // Supported ECC Keys for Suite-B from RFC 4492 section 5.1.1. 237 // default is currently kSecp256r1 238 kSecp192r1 = 192, 239 kSecp256r1 = 256, 240 kSecp384r1 = 384, 241 kSecp521r1 = 521, // Yes, 521 242 243 // Boundaries for RSA KeySizes - default is currently 2048 244 // RSA keysizes must be multiples of 8 245 kSecRSAMin = 1024, 246 kSecRSAMax = 4096 247 }; 248 #endif /* SEC_OS_OSX */ 249 250 /*! 251 @enum Key Parameter Constants 252 @discussion Predefined key constants used to get or set values in a dictionary. 253 These are used to provide explicit parameters to key generation functions 254 when non-default values are desired. See the description of the 255 SecKeyGeneratePair API for usage information. 256 @constant kSecPrivateKeyAttrs The value for this key is a CFDictionaryRef 257 containing attributes specific for the private key to be generated. 258 @constant kSecPublicKeyAttrs The value for this key is a CFDictionaryRef 259 containing attributes specific for the public key to be generated. 260 */ 261 extern const CFStringRef kSecPrivateKeyAttrs 262 __OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_2_0); 263 extern const CFStringRef kSecPublicKeyAttrs 264 __OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_2_0); 265 266 /*! 267 @function SecKeyGetTypeID 268 @abstract Returns the type identifier of SecKey instances. 269 @result The CFTypeID of SecKey instances. 270 */ 271 CFTypeID SecKeyGetTypeID(void) 272 __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0); 273 274 275 #if SEC_OS_OSX 276 /*! 277 @function SecKeyCreatePair 278 @abstract Creates an asymmetric key pair and stores it in a specified keychain. 279 @param keychainRef A reference to the keychain in which to store the private and public key items. Specify NULL for the default keychain. 280 @param algorithm An algorithm for the key pair. This parameter is ignored if a valid (non-zero) contextHandle is supplied. 281 @param keySizeInBits A key size for the key pair. This parameter is ignored if a valid (non-zero) contextHandle is supplied. 282 @param contextHandle (optional) A CSSM_CC_HANDLE, or 0. If this argument is supplied, the algorithm and keySizeInBits parameters are ignored. If extra parameters are needed to generate a key (some algorithms require this), you should create a context using CSSM_CSP_CreateKeyGenContext, using the CSPHandle obtained by calling SecKeychainGetCSPHandle. Then use CSSM_UpdateContextAttributes to add parameters, and dispose of the context using CSSM_DeleteContext after calling this function. 283 @param publicKeyUsage A bit mask indicating all permitted uses for the new public key. CSSM_KEYUSE bit mask values are defined in cssmtype.h. 284 @param publicKeyAttr A bit mask defining attribute values for the new public key. The bit mask values are equivalent to a CSSM_KEYATTR_FLAGS and are defined in cssmtype.h. 285 @param privateKeyUsage A bit mask indicating all permitted uses for the new private key. CSSM_KEYUSE bit mask values are defined in cssmtype.h. 286 @param privateKeyAttr A bit mask defining attribute values for the new private key. The bit mask values are equivalent to a CSSM_KEYATTR_FLAGS and are defined in cssmtype.h. 287 @param initialAccess (optional) A SecAccess object that determines the initial access rights to the private key. The public key is given "any/any" access rights by default. 288 @param publicKey (optional) On return, the keychain item reference of the generated public key. Use the SecKeyGetCSSMKey function to obtain the CSSM_KEY. The caller must call CFRelease on this value if it is returned. Pass NULL if a reference to this key is not required. 289 @param privateKey (optional) On return, the keychain item reference of the generated private key. Use the SecKeyGetCSSMKey function to obtain the CSSM_KEY. The caller must call CFRelease on this value if it is returned. Pass NULL if a reference to this key is not required. 290 @result A result code. See "Security Error Codes" (SecBase.h). 291 @discussion This API is deprecated for 10.7. Please use the SecKeyGeneratePair API instead. 292 */ 293 OSStatus SecKeyCreatePair( 294 SecKeychainRef _Nullable keychainRef, 295 CSSM_ALGORITHMS algorithm, 296 uint32 keySizeInBits, 297 CSSM_CC_HANDLE contextHandle, 298 CSSM_KEYUSE publicKeyUsage, 299 uint32 publicKeyAttr, 300 CSSM_KEYUSE privateKeyUsage, 301 uint32 privateKeyAttr, 302 SecAccessRef _Nullable initialAccess, 303 SecKeyRef* _Nullable CF_RETURNS_RETAINED publicKey, 304 SecKeyRef* _Nullable CF_RETURNS_RETAINED privateKey) 305 CSSM_DEPRECATED; 306 307 /*! 308 @function SecKeyGenerate 309 @abstract Creates a symmetric key and optionally stores it in a specified keychain. 310 @param keychainRef (optional) A reference to the keychain in which to store the generated key. Specify NULL to generate a transient key. 311 @param algorithm An algorithm for the symmetric key. This parameter is ignored if a valid (non-zero) contextHandle is supplied. 312 @param keySizeInBits A key size for the key pair. This parameter is ignored if a valid (non-zero) contextHandle is supplied. 313 @param contextHandle (optional) A CSSM_CC_HANDLE, or 0. If this argument is supplied, the algorithm and keySizeInBits parameters are ignored. If extra parameters are needed to generate a key (some algorithms require this), you should create a context using CSSM_CSP_CreateKeyGenContext, using the CSPHandle obtained by calling SecKeychainGetCSPHandle. Then use CSSM_UpdateContextAttributes to add parameters, and dispose of the context using CSSM_DeleteContext after calling this function. 314 @param keyUsage A bit mask indicating all permitted uses for the new key. CSSM_KEYUSE bit mask values are defined in cssmtype.h. 315 @param keyAttr A bit mask defining attribute values for the new key. The bit mask values are equivalent to a CSSM_KEYATTR_FLAGS and are defined in cssmtype.h. 316 @param initialAccess (optional) A SecAccess object that determines the initial access rights for the key. This parameter is ignored if the keychainRef is NULL. 317 @param keyRef On return, a reference to the generated key. Use the SecKeyGetCSSMKey function to obtain the CSSM_KEY. The caller must call CFRelease on this value if it is returned. 318 @result A result code. See "Security Error Codes" (SecBase.h). 319 @discussion This API is deprecated for 10.7. Please use the SecKeyGenerateSymmetric API instead. 320 */ 321 OSStatus SecKeyGenerate( 322 SecKeychainRef _Nullable keychainRef, 323 CSSM_ALGORITHMS algorithm, 324 uint32 keySizeInBits, 325 CSSM_CC_HANDLE contextHandle, 326 CSSM_KEYUSE keyUsage, 327 uint32 keyAttr, 328 SecAccessRef _Nullable initialAccess, 329 SecKeyRef* _Nullable CF_RETURNS_RETAINED keyRef) 330 CSSM_DEPRECATED; 331 332 /*! 333 @function SecKeyGetCSSMKey 334 @abstract Returns a pointer to the CSSM_KEY for the given key item reference. 335 @param key A keychain key item reference. The key item must be of class type kSecPublicKeyItemClass, kSecPrivateKeyItemClass, or kSecSymmetricKeyItemClass. 336 @param cssmKey On return, a pointer to a CSSM_KEY structure for the given key. This pointer remains valid until the key reference is released. The caller should not attempt to modify or free this data. 337 @result A result code. See "Security Error Codes" (SecBase.h). 338 @discussion The CSSM_KEY is valid until the key item reference is released. This API is deprecated in 10.7. Its use should no longer be needed. 339 */ 340 OSStatus SecKeyGetCSSMKey(SecKeyRef key, const CSSM_KEY * _Nullable * __nonnull cssmKey) 341 DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;; 342 343 /*! 344 @function SecKeyGetCSPHandle 345 @abstract Returns the CSSM_CSP_HANDLE for the given key reference. The handle is valid until the key reference is released. 346 @param keyRef A key reference. 347 @param cspHandle On return, the CSSM_CSP_HANDLE for the given keychain. 348 @result A result code. See "Security Error Codes" (SecBase.h). 349 @discussion This API is deprecated in 10.7. Its use should no longer be needed. 350 */ 351 OSStatus SecKeyGetCSPHandle(SecKeyRef keyRef, CSSM_CSP_HANDLE *cspHandle) 352 DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; 353 354 /*! 355 @function SecKeyGetCredentials 356 @abstract For a given key, return a pointer to a CSSM_ACCESS_CREDENTIALS structure which will allow the key to be used. 357 @param keyRef The key for which a credential is requested. 358 @param operation The type of operation to be performed with this key. See "Authorization tag type" for defined operations (cssmtype.h). 359 @param credentialType The type of credential requested. 360 @param outCredentials On return, a pointer to a CSSM_ACCESS_CREDENTIALS structure. This pointer remains valid until the key reference is released. The caller should not attempt to modify or free this data. 361 @result A result code. See "Security Error Codes" (SecBase.h). 362 */ 363 OSStatus SecKeyGetCredentials( 364 SecKeyRef keyRef, 365 CSSM_ACL_AUTHORIZATION_TAG operation, 366 SecCredentialType credentialType, 367 const CSSM_ACCESS_CREDENTIALS * _Nullable * __nonnull outCredentials) 368 DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; 369 370 /*! 371 @function SecKeyGenerateSymmetric 372 @abstract Generates a random symmetric key with the specified length 373 and algorithm type. 374 375 @param parameters A dictionary containing one or more key-value pairs. 376 See the discussion sections below for a complete overview of options. 377 @param error An optional pointer to a CFErrorRef. This value is set 378 if an error occurred. If not NULL, the caller is responsible for 379 releasing the CFErrorRef. 380 @result On return, a SecKeyRef reference to the symmetric key, or 381 NULL if the key could not be created. 382 383 @discussion In order to generate a symmetric key, the parameters dictionary 384 must at least contain the following keys: 385 386 * kSecAttrKeyType with a value of kSecAttrKeyTypeAES or any other 387 kSecAttrKeyType defined in SecItem.h 388 * kSecAttrKeySizeInBits with a value being a CFNumberRef containing 389 the requested key size in bits. Example sizes for AES keys are: 390 128, 192, 256, 512. 391 392 To store the generated symmetric key in a keychain, set these keys: 393 * kSecUseKeychain (value is a SecKeychainRef) 394 * kSecAttrLabel (a user-visible label whose value is a CFStringRef, 395 e.g. "My App's Encryption Key") 396 * kSecAttrApplicationLabel (a label defined by your application, whose 397 value is a CFDataRef and which can be used to find this key in a 398 subsequent call to SecItemCopyMatching, e.g. "ID-1234567890-9876-0151") 399 400 To specify the generated key's access control settings, set this key: 401 * kSecAttrAccess (value is a SecAccessRef) 402 403 The keys below may be optionally set in the parameters dictionary 404 (with a CFBooleanRef value) to override the default usage values: 405 406 * kSecAttrCanEncrypt (defaults to true if not explicitly specified) 407 * kSecAttrCanDecrypt (defaults to true if not explicitly specified) 408 * kSecAttrCanWrap (defaults to true if not explicitly specified) 409 * kSecAttrCanUnwrap (defaults to true if not explicitly specified) 410 411 */ 412 _Nullable CF_RETURNS_RETAINED 413 SecKeyRef SecKeyGenerateSymmetric(CFDictionaryRef parameters, CFErrorRef *error) 414 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); 415 416 /*! 417 @function SecKeyCreateFromData 418 @abstract Creates a symmetric key with the given data and sets the 419 algorithm type specified. 420 421 @param parameters A dictionary containing one or more key-value pairs. 422 See the discussion sections below for a complete overview of options. 423 @result On return, a SecKeyRef reference to the symmetric key. 424 425 @discussion In order to generate a symmetric key the parameters dictionary must 426 at least contain the following keys: 427 428 * kSecAttrKeyType with a value of kSecAttrKeyTypeAES or any other 429 kSecAttrKeyType defined in SecItem.h 430 431 The keys below may be optionally set in the parameters dictionary 432 (with a CFBooleanRef value) to override the default usage values: 433 434 * kSecAttrCanEncrypt (defaults to true if not explicitly specified) 435 * kSecAttrCanDecrypt (defaults to true if not explicitly specified) 436 * kSecAttrCanWrap (defaults to true if not explicitly specified) 437 * kSecAttrCanUnwrap (defaults to true if not explicitly specified) 438 439 */ 440 _Nullable 441 SecKeyRef SecKeyCreateFromData(CFDictionaryRef parameters, 442 CFDataRef keyData, CFErrorRef *error) 443 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); 444 445 446 #ifdef __BLOCKS__ 447 /*! 448 @typedef SecKeyGeneratePairBlock 449 @abstract Delivers the result from an asynchronous key pair generation. 450 @param publicKey - the public key generated. You must retain publicKey if you wish to use it after your block returns. 451 @param privateKey - the private key generated. You must retain publicKey if you wish to use it after your block returns. 452 @param error - Any errors returned. You must retain error if you wish to use it after your block returns. 453 */ 454 455 typedef void (^SecKeyGeneratePairBlock)(SecKeyRef publicKey, SecKeyRef privateKey, CFErrorRef error); 456 457 /*! 458 @function SecKeyGeneratePairAsync 459 @abstract Generate a private/public keypair returning the values in a callback. 460 @param parameters A dictionary containing one or more key-value pairs. 461 @param deliveryQueue A dispatch queue to be used to deliver the results. 462 @param result A callback function to result when the operation has completed. 463 464 @discussion In order to generate a keypair the parameters dictionary must 465 at least contain the following keys: 466 467 * kSecAttrKeyType with a value being kSecAttrKeyTypeRSA or any other 468 kSecAttrKeyType defined in SecItem.h 469 * kSecAttrKeySizeInBits with a value being a CFNumberRef or CFStringRef 470 containing the requested key size in bits. Example sizes for RSA 471 keys are: 512, 768, 1024, 2048. 472 473 Setting the following attributes explicitly will override the defaults below. 474 See SecItem.h for detailed information on these attributes including the types 475 of the values. 476 477 * kSecAttrLabel default NULL 478 * kSecAttrIsPermanent if this key is present and has a Boolean 479 value of true, the key or key pair will be added to the default 480 keychain. 481 * kSecAttrApplicationTag default NULL 482 * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits 483 * kSecAttrCanEncrypt default false for private keys, true for public keys 484 * kSecAttrCanDecrypt default true for private keys, false for public keys 485 * kSecAttrCanDerive default true 486 * kSecAttrCanSign default true for private keys, false for public keys 487 * kSecAttrCanVerify default false for private keys, true for public keys 488 * kSecAttrCanWrap default false for private keys, true for public keys 489 * kSecAttrCanUnwrap default true for private keys, false for public keys 490 491 */ 492 void SecKeyGeneratePairAsync(CFDictionaryRef parameters, 493 dispatch_queue_t deliveryQueue, SecKeyGeneratePairBlock result) 494 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); 495 496 #endif /* __BLOCKS__ */ 497 498 // Derive, Wrap, and Unwrap 499 500 /*! 501 @function SecKeyDeriveFromPassword 502 @abstract Derives a symmetric key from a password. 503 504 @param password The password from which the keyis to be derived. 505 @param parameters A dictionary containing one or more key-value pairs. 506 @param error If the call fails this will contain the error code. 507 508 @discussion In order to derive a key the parameters dictionary must contain at least contain the following keys: 509 * kSecAttrSalt - a CFData for the salt value for mixing in the pseudo-random rounds. 510 * kSecAttrPRF - the algorithm to use for the pseudo-random-function. 511 If 0, this defaults to kSecAttrPRFHmacAlgSHA1. Possible values are: 512 513 * kSecAttrPRFHmacAlgSHA1 514 * kSecAttrPRFHmacAlgSHA224 515 * kSecAttrPRFHmacAlgSHA256 516 * kSecAttrPRFHmacAlgSHA384 517 * kSecAttrPRFHmacAlgSHA512 518 519 * kSecAttrRounds - the number of rounds to call the pseudo random function. 520 If 0, a count will be computed to average 1/10 of a second. 521 * kSecAttrKeySizeInBits with a value being a CFNumberRef 522 containing the requested key size in bits. Example sizes for RSA keys are: 523 512, 768, 1024, 2048. 524 525 @result On success a SecKeyRef is returned. On failure this result is NULL and the 526 error parameter contains the reason. 527 528 */ 529 _Nullable CF_RETURNS_RETAINED 530 SecKeyRef SecKeyDeriveFromPassword(CFStringRef password, 531 CFDictionaryRef parameters, CFErrorRef *error) 532 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); 533 534 /*! 535 @function SecKeyWrapSymmetric 536 @abstract Wraps a symmetric key with a symmetric key. 537 538 @param keyToWrap The key which is to be wrapped. 539 @param wrappingKey The key wrapping key. 540 @param parameters The parameter list to use for wrapping the key. 541 @param error If the call fails this will contain the error code. 542 543 @result On success a CFDataRef is returned. On failure this result is NULL and the 544 error parameter contains the reason. 545 546 @discussion In order to wrap a key the parameters dictionary may contain the following key: 547 * kSecSalt - a CFData for the salt value for the encrypt. 548 549 */ 550 _Nullable 551 CFDataRef SecKeyWrapSymmetric(SecKeyRef keyToWrap, 552 SecKeyRef wrappingKey, CFDictionaryRef parameters, CFErrorRef *error) 553 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); 554 555 /*! 556 @function SecKeyUnwrapSymmetric 557 @abstract Unwrap a wrapped symmetric key. 558 559 @param keyToUnwrap The wrapped key to unwrap. 560 @param unwrappingKey The key unwrapping key. 561 @param parameters The parameter list to use for unwrapping the key. 562 @param error If the call fails this will contain the error code. 563 564 @result On success a SecKeyRef is returned. On failure this result is NULL and the 565 error parameter contains the reason. 566 567 @discussion In order to unwrap a key the parameters dictionary may contain the following key: 568 * kSecSalt - a CFData for the salt value for the decrypt. 569 570 */ 571 _Nullable 572 SecKeyRef SecKeyUnwrapSymmetric(CFDataRef _Nullable * __nonnull keyToUnwrap, 573 SecKeyRef unwrappingKey, CFDictionaryRef parameters, CFErrorRef *error) 574 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); 575 576 #endif /* SEC_OS_OSX */ 577 578 /*! 579 @function SecKeyGeneratePair 580 @abstract Generate a private/public keypair. 581 @param parameters A dictionary containing one or more key-value pairs. 582 See the discussion sections below for a complete overview of options. 583 @param publicKey On return, a SecKeyRef reference to the public key. 584 @param privateKey On return, a SecKeyRef reference to the private key. 585 @result A result code. See "Security Error Codes" (SecBase.h). 586 587 @discussion In order to generate a keypair the parameters dictionary must 588 at least contain the following keys: 589 590 * kSecAttrKeyType with a value of kSecAttrKeyTypeRSA or any other 591 kSecAttrKeyType defined in SecItem.h 592 * kSecAttrKeySizeInBits with a value being a CFNumberRef containing 593 the requested key size in bits. Example sizes for RSA keys are: 594 512, 768, 1024, 2048. 595 596 The values below may be set either in the top-level dictionary or in a 597 dictionary that is the value of the kSecPrivateKeyAttrs or 598 kSecPublicKeyAttrs key in the top-level dictionary. Setting these 599 attributes explicitly will override the defaults below. See SecItem.h 600 for detailed information on these attributes including the types of 601 the values. 602 603 * kSecAttrLabel default NULL 604 * kSecUseKeychain default NULL, which specifies the default keychain 605 * kSecAttrIsPermanent default false 606 if this key is present and has a Boolean value of true, the key or 607 key pair will be added to the keychain. 608 * kSecAttrTokenID default NULL 609 The CFStringRef ID of the token to generate the key or keypair on. This 610 attribute can contain CFStringRef and can be present only in the top-level 611 parameters dictionary. 612 * kSecAttrApplicationTag default NULL 613 * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits 614 * kSecAttrCanEncrypt default false for private keys, true for public keys 615 * kSecAttrCanDecrypt default true for private keys, false for public keys 616 * kSecAttrCanDerive default true 617 * kSecAttrCanSign default true for private keys, false for public keys 618 * kSecAttrCanVerify default false for private keys, true for public keys 619 * kSecAttrCanWrap default false for private keys, true for public keys 620 * kSecAttrCanUnwrap default true for private keys, false for public keys 621 622 NOTE: The function always saves keys in the keychain on macOS and as such attribute 623 kSecAttrIsPermanent is ignored. The function respects attribute kSecAttrIsPermanent 624 on iOS, tvOS and watchOS. 625 It is recommended to use SecKeyCreateRandomKey() which respects kSecAttrIsPermanent 626 on all platforms. 627 */ 628 OSStatus SecKeyGeneratePair(CFDictionaryRef parameters, 629 SecKeyRef * _Nullable CF_RETURNS_RETAINED publicKey, SecKeyRef * _Nullable CF_RETURNS_RETAINED privateKey) 630 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); 631 632 633 #if SEC_OS_IPHONE 634 /*! 635 @function SecKeyRawSign 636 @abstract Given a private key and data to sign, generate a digital 637 signature. 638 @param key Private key with which to sign. 639 @param padding See Padding Types above, typically kSecPaddingPKCS1SHA1. 640 @param dataToSign The data to be signed, typically the digest of the 641 actual data. 642 @param dataToSignLen Length of dataToSign in bytes. 643 @param sig Pointer to buffer in which the signature will be returned. 644 @param sigLen IN/OUT maximum length of sig buffer on input, actualy 645 length of sig on output. 646 @result A result code. See "Security Error Codes" (SecBase.h). 647 @discussion If the padding argument is kSecPaddingPKCS1, PKCS1 padding 648 will be performed prior to signing. If this argument is kSecPaddingNone, 649 the incoming data will be signed "as is". 650 651 When PKCS1 padding is performed, the maximum length of data that can 652 be signed is the value returned by SecKeyGetBlockSize() - 11. 653 654 NOTE: The behavior this function with kSecPaddingNone is undefined if the 655 first byte of dataToSign is zero; there is no way to verify leading zeroes 656 as they are discarded during the calculation. 657 658 If you want to generate a proper PKCS1 style signature with DER encoding 659 of the digest type - and the dataToSign is a SHA1 digest - use 660 kSecPaddingPKCS1SHA1. 661 */ 662 OSStatus SecKeyRawSign( 663 SecKeyRef key, 664 SecPadding padding, 665 const uint8_t *dataToSign, 666 size_t dataToSignLen, 667 uint8_t *sig, 668 size_t *sigLen) 669 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); 670 671 672 /*! 673 @function SecKeyRawVerify 674 @abstract Given a public key, data which has been signed, and a signature, 675 verify the signature. 676 @param key Public key with which to verify the signature. 677 @param padding See Padding Types above, typically kSecPaddingPKCS1SHA1. 678 @param signedData The data over which sig is being verified, typically 679 the digest of the actual data. 680 @param signedDataLen Length of signedData in bytes. 681 @param sig Pointer to the signature to verify. 682 @param sigLen Length of sig in bytes. 683 @result A result code. See "Security Error Codes" (SecBase.h). 684 @discussion If the padding argument is kSecPaddingPKCS1, PKCS1 padding 685 will be checked during verification. If this argument is kSecPaddingNone, 686 the incoming data will be compared directly to sig. 687 688 If you are verifying a proper PKCS1-style signature, with DER encoding 689 of the digest type - and the signedData is a SHA1 digest - use 690 kSecPaddingPKCS1SHA1. 691 */ 692 OSStatus SecKeyRawVerify( 693 SecKeyRef key, 694 SecPadding padding, 695 const uint8_t *signedData, 696 size_t signedDataLen, 697 const uint8_t *sig, 698 size_t sigLen) 699 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); 700 701 702 /*! 703 @function SecKeyEncrypt 704 @abstract Encrypt a block of plaintext. 705 @param key Public key with which to encrypt the data. 706 @param padding See Padding Types above, typically kSecPaddingPKCS1. 707 @param plainText The data to encrypt. 708 @param plainTextLen Length of plainText in bytes, this must be less 709 or equal to the value returned by SecKeyGetBlockSize(). 710 @param cipherText Pointer to the output buffer. 711 @param cipherTextLen On input, specifies how much space is available at 712 cipherText; on return, it is the actual number of cipherText bytes written. 713 @result A result code. See "Security Error Codes" (SecBase.h). 714 @discussion If the padding argument is kSecPaddingPKCS1 or kSecPaddingOAEP, 715 PKCS1 (respectively kSecPaddingOAEP) padding will be performed prior to encryption. 716 If this argument is kSecPaddingNone, the incoming data will be encrypted "as is". 717 kSecPaddingOAEP is the recommended value. Other value are not recommended 718 for security reason (Padding attack or malleability). 719 720 When PKCS1 padding is performed, the maximum length of data that can 721 be encrypted is the value returned by SecKeyGetBlockSize() - 11. 722 723 When memory usage is a critical issue, note that the input buffer 724 (plainText) can be the same as the output buffer (cipherText). 725 */ 726 OSStatus SecKeyEncrypt( 727 SecKeyRef key, 728 SecPadding padding, 729 const uint8_t *plainText, 730 size_t plainTextLen, 731 uint8_t *cipherText, 732 size_t *cipherTextLen) 733 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); 734 735 736 /*! 737 @function SecKeyDecrypt 738 @abstract Decrypt a block of ciphertext. 739 @param key Private key with which to decrypt the data. 740 @param padding See Padding Types above, typically kSecPaddingPKCS1. 741 @param cipherText The data to decrypt. 742 @param cipherTextLen Length of cipherText in bytes, this must be less 743 or equal to the value returned by SecKeyGetBlockSize(). 744 @param plainText Pointer to the output buffer. 745 @param plainTextLen On input, specifies how much space is available at 746 plainText; on return, it is the actual number of plainText bytes written. 747 @result A result code. See "Security Error Codes" (SecBase.h). 748 @discussion If the padding argument is kSecPaddingPKCS1 or kSecPaddingOAEP, 749 the corresponding padding will be removed after decryption. 750 If this argument is kSecPaddingNone, the decrypted data will be returned "as is". 751 752 When memory usage is a critical issue, note that the input buffer 753 (plainText) can be the same as the output buffer (cipherText). 754 */ 755 OSStatus SecKeyDecrypt( 756 SecKeyRef key, /* Private key */ 757 SecPadding padding, /* kSecPaddingNone, 758 kSecPaddingPKCS1, 759 kSecPaddingOAEP */ 760 const uint8_t *cipherText, 761 size_t cipherTextLen, /* length of cipherText */ 762 uint8_t *plainText, 763 size_t *plainTextLen) /* IN/OUT */ 764 __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); 765 766 #endif // SEC_OS_IPHONE 767 768 /*! 769 @function SecKeyCreateRandomKey 770 @abstract Generates a new public/private key pair. 771 @param parameters A dictionary containing one or more key-value pairs. 772 See the discussion sections below for a complete overview of options. 773 @param error On error, will be populated with an error object describing the failure. 774 See "Security Error Codes" (SecBase.h). 775 @return Newly generated private key. To get associated public key, use SecKeyCopyPublicKey(). 776 @discussion In order to generate a keypair the parameters dictionary must 777 at least contain the following keys: 778 779 * kSecAttrKeyType with a value being kSecAttrKeyTypeRSA or any other 780 kSecAttrKeyType defined in SecItem.h 781 * kSecAttrKeySizeInBits with a value being a CFNumberRef or CFStringRef 782 containing the requested key size in bits. Example sizes for RSA 783 keys are: 512, 768, 1024, 2048. 784 785 The values below may be set either in the top-level dictionary or in a 786 dictionary that is the value of the kSecPrivateKeyAttrs or 787 kSecPublicKeyAttrs key in the top-level dictionary. Setting these 788 attributes explicitly will override the defaults below. See SecItem.h 789 for detailed information on these attributes including the types of 790 the values. 791 792 * kSecAttrLabel default NULL 793 * kSecAttrIsPermanent if this key is present and has a Boolean value of true, 794 the key or key pair will be added to the default keychain. 795 * kSecAttrTokenID if this key should be generated on specified token. This 796 attribute can contain CFStringRef and can be present only in the top-level 797 parameters dictionary. 798 * kSecAttrApplicationTag default NULL 799 * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits 800 * kSecAttrCanEncrypt default false for private keys, true for public keys 801 * kSecAttrCanDecrypt default true for private keys, false for public keys 802 * kSecAttrCanDerive default true 803 * kSecAttrCanSign default true for private keys, false for public keys 804 * kSecAttrCanVerify default false for private keys, true for public keys 805 * kSecAttrCanWrap default false for private keys, true for public keys 806 * kSecAttrCanUnwrap default true for private keys, false for public keys 807 */ 808 SecKeyRef _Nullable SecKeyCreateRandomKey(CFDictionaryRef parameters, CFErrorRef *error) 809 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 810 811 /*! 812 @function SecKeyCreateWithData 813 @abstract Create a SecKey from a well-defined external representation. 814 @param keyData CFData representing the key. The format of the data depends on the type of key being created. 815 @param attributes Dictionary containing attributes describing the key to be imported. The keys in this dictionary 816 are kSecAttr* constants from SecItem.h. Mandatory attributes are: 817 * kSecAttrKeyType 818 * kSecAttrKeyClass 819 @param error On error, will be populated with an error object describing the failure. 820 See "Security Error Codes" (SecBase.h). 821 @result A SecKey object representing the key, or NULL on failure. 822 @discussion This function does not add keys to any keychain, but the SecKey object it returns can be added 823 to keychain using the SecItemAdd function. 824 The requested data format depend on the type of key (kSecAttrKeyType) being created: 825 * kSecAttrKeyTypeRSA PKCS#1 format, public key can be also in x509 public key format 826 * kSecAttrKeyTypeECSECPrimeRandom ANSI X9.63 format (04 || X || Y [ || K]) 827 */ 828 SecKeyRef _Nullable SecKeyCreateWithData(CFDataRef keyData, CFDictionaryRef attributes, CFErrorRef *error) 829 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 830 831 /*! 832 @function SecKeyGetBlockSize 833 @abstract Returns block length of the key in bytes. 834 @param key The key for which the block length is requested. 835 @result The block length of the key in bytes. 836 @discussion If for example key is an RSA key the value returned by 837 this function is the size of the modulus. 838 */ 839 size_t SecKeyGetBlockSize(SecKeyRef key) 840 __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); 841 842 /*! 843 @function SecKeyCopyExternalRepresentation 844 @abstract Create an external representation for the given key suitable for the key's type. 845 @param key The key to be exported. 846 @param error On error, will be populated with an error object describing the failure. 847 See "Security Error Codes" (SecBase.h). 848 @result A CFData representing the key in a format suitable for that key type. 849 @discussion This function may fail if the key is not exportable (e.g., bound to a smart card or Secure Enclave). 850 The format in which the key will be exported depends on the type of key: 851 * kSecAttrKeyTypeRSA PKCS#1 format 852 * kSecAttrKeyTypeECSECPrimeRandom ANSI X9.63 format (04 || X || Y [ || K]) 853 */ 854 CFDataRef _Nullable SecKeyCopyExternalRepresentation(SecKeyRef key, CFErrorRef *error) 855 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 856 857 /*! 858 @function SecKeyCopyAttributes 859 @abstract Retrieve keychain attributes of a key. 860 @param key The key whose attributes are to be retrieved. 861 @result Dictionary containing attributes of the key. The keys that populate this dictionary are defined 862 and discussed in SecItem.h. 863 @discussion The attributes provided by this function are: 864 * kSecAttrCanEncrypt 865 * kSecAttrCanDecrypt 866 * kSecAttrCanDerive 867 * kSecAttrCanSign 868 * kSecAttrCanVerify 869 * kSecAttrKeyClass 870 * kSecAttrKeyType 871 * kSecAttrKeySizeInBits 872 * kSecAttrTokenID 873 * kSecAttrApplicationLabel 874 The set of values is not fixed. Future versions may return more values in this dictionary. 875 */ 876 CFDictionaryRef _Nullable SecKeyCopyAttributes(SecKeyRef key) 877 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 878 879 /*! 880 @function SecKeyCopyPublicKey 881 @abstract Retrieve the public key from a key pair or private key. 882 @param key The key from which to retrieve a public key. 883 @result The public key or NULL if public key is not available for specified key. 884 @discussion Fails if key does not contain a public key or no public key can be computed from it. 885 */ 886 SecKeyRef _Nullable SecKeyCopyPublicKey(SecKeyRef key) 887 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 888 889 /*! 890 @enum SecKeyAlgorithm 891 @abstract Available algorithms for performing cryptographic operations with SecKey object. String representation 892 of constant can be used for logging or debugging purposes, because they contain human readable names of the algorithm. 893 894 @constant kSecKeyAlgorithmRSASignatureRaw 895 Raw RSA sign/verify operation, size of input data must be the same as value returned by SecKeyGetBlockSize(). 896 897 @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw 898 RSA sign/verify operation, assumes that input data is digest and OID and digest algorithm as specified in PKCS# v1.5. 899 This algorithm is typically not used directly, instead use algorithm with specified digest, like 900 kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256. 901 902 @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1 903 RSA signature with PKCS#1 padding, input data must be SHA-1 generated digest. 904 905 @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224 906 RSA signature with PKCS#1 padding, input data must be SHA-224 generated digest. 907 908 @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256 909 RSA signature with PKCS#1 padding, input data must be SHA-256 generated digest. 910 911 @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384 912 RSA signature with PKCS#1 padding, input data must be SHA-384 generated digest. 913 914 @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512 915 RSA signature with PKCS#1 padding, input data must be SHA-512 generated digest. 916 917 @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1 918 RSA signature with PKCS#1 padding, SHA-1 digest is generated by called function automatically from input data of any size. 919 920 @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224 921 RSA signature with PKCS#1 padding, SHA-224 digest is generated by called function automatically from input data of any size. 922 923 @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256 924 RSA signature with PKCS#1 padding, SHA-256 digest is generated by called function automatically from input data of any size. 925 926 @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384 927 RSA signature with PKCS#1 padding, SHA-384 digest is generated by called function automatically from input data of any size. 928 929 @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512 930 RSA signature with PKCS#1 padding, SHA-512 digest is generated by called function automatically from input data of any size. 931 932 @constant kSecKeyAlgorithmRSASignatureDigestPSSSHA1 933 RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, input data must be SHA-1 generated digest. 934 PSS padding is calculated using MGF1 with SHA1 and saltLength parameter is set to 20 (SHA-1 output size). 935 936 @constant kSecKeyAlgorithmRSASignatureDigestPSSSHA224 937 RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, input data must be SHA-224 generated digest. 938 PSS padding is calculated using MGF1 with SHA224 and saltLength parameter is set to 28 (SHA-224 output size). 939 940 @constant kSecKeyAlgorithmRSASignatureDigestPSSSHA256 941 RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, input data must be SHA-256 generated digest. 942 PSS padding is calculated using MGF1 with SHA256 and saltLength parameter is set to 32 (SHA-256 output size). 943 944 @constant kSecKeyAlgorithmRSASignatureDigestPSSSHA384 945 RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, input data must be SHA-384 generated digest. 946 PSS padding is calculated using MGF1 with SHA384 and saltLength parameter is set to 48 (SHA-384 output size). 947 948 @constant kSecKeyAlgorithmRSASignatureDigestPSSSHA512 949 RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, input data must be SHA-512 generated digest. 950 PSS padding is calculated using MGF1 with SHA512 and saltLength parameter is set to 64 (SHA-512 output size). 951 952 @constant kSecKeyAlgorithmRSASignatureMessagePSSSHA1 953 RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, SHA-1 digest is generated by called function automatically from input data of any size. 954 PSS padding is calculated using MGF1 with SHA1 and saltLength parameter is set to 20 (SHA-1 output size). 955 956 @constant kSecKeyAlgorithmRSASignatureMessagePSSSHA224 957 RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, SHA-224 digest is generated by called function automatically from input data of any size. 958 PSS padding is calculated using MGF1 with SHA224 and saltLength parameter is set to 28 (SHA-224 output size). 959 960 @constant kSecKeyAlgorithmRSASignatureMessagePSSSHA256 961 RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, SHA-256 digest is generated by called function automatically from input data of any size. 962 PSS padding is calculated using MGF1 with SHA256 and saltLength parameter is set to 32 (SHA-256 output size). 963 964 @constant kSecKeyAlgorithmRSASignatureMessagePSSSHA384 965 RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, SHA-384 digest is generated by called function automatically from input data of any size. 966 PSS padding is calculated using MGF1 with SHA384 and saltLength parameter is set to 48 (SHA-384 output size). 967 968 @constant kSecKeyAlgorithmRSASignatureMessagePSSSHA512 969 RSA signature with RSASSA-PSS padding according to PKCS#1 v2.1, SHA-512 digest is generated by called function automatically from input data of any size. 970 PSS padding is calculated using MGF1 with SHA512 and saltLength parameter is set to 64 (SHA-512 output size). 971 972 @constant kSecKeyAlgorithmECDSASignatureRFC4754 973 ECDSA algorithm, signature is concatenated r and s, big endian, input data must be message digest generated by some hash function. 974 975 @constant kSecKeyAlgorithmECDSASignatureDigestX962 976 ECDSA algorithm, signature is in DER x9.62 encoding, input data must be message digest generated by some hash functions. 977 978 @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1 979 ECDSA algorithm, signature is in DER x9.62 encoding, input data must be message digest created by SHA1 algorithm. 980 981 @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA224 982 ECDSA algorithm, signature is in DER x9.62 encoding, input data must be message digest created by SHA224 algorithm. 983 984 @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA256 985 ECDSA algorithm, signature is in DER x9.62 encoding, input data must be message digest created by SHA256 algorithm. 986 987 @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA384 988 ECDSA algorithm, signature is in DER x9.62 encoding, input data must be message digest created by SHA384 algorithm. 989 990 @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA512 991 ECDSA algorithm, signature is in DER x9.62 encoding, input data must be message digest created by SHA512 algorithm. 992 993 @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA1 994 ECDSA algorithm, signature is in DER x9.62 encoding, SHA-1 digest is generated by called function automatically from input data of any size. 995 996 @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA224 997 ECDSA algorithm, signature is in DER x9.62 encoding, SHA-224 digest is generated by called function automatically from input data of any size. 998 999 @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA256 1000 ECDSA algorithm, signature is in DER x9.62 encoding, SHA-256 digest is generated by called function automatically from input data of any size. 1001 1002 @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA384 1003 ECDSA algorithm, signature is in DER x9.62 encoding, SHA-384 digest is generated by called function automatically from input data of any size. 1004 1005 @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA512 1006 ECDSA algorithm, signature is in DER x9.62 encoding, SHA-512 digest is generated by called function automatically from input data of any size. 1007 1008 @constant kSecKeyAlgorithmRSAEncryptionRaw 1009 Raw RSA encryption or decryption, size of data must match RSA key modulus size. Note that direct 1010 use of this algorithm without padding is cryptographically very weak, it is important to always introduce 1011 some kind of padding. Input data size must be less or equal to the key block size and returned block has always 1012 the same size as block size, as returned by SecKeyGetBlockSize(). 1013 1014 @constant kSecKeyAlgorithmRSAEncryptionPKCS1 1015 RSA encryption or decryption, data is padded using PKCS#1 padding scheme. This algorithm should be used only for 1016 backward compatibility with existing protocols and data. New implementations should choose cryptographically 1017 stronger algorithm instead (see kSecKeyAlgorithmRSAEncryptionOAEP). Input data must be at most 1018 "key block size - 11" bytes long and returned block has always the same size as block size, as returned 1019 by SecKeyGetBlockSize(). 1020 1021 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA1 1022 RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA1. Input data must be at most 1023 "key block size - 42" bytes long and returned block has always the same size as block size, as returned 1024 by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM to be able to encrypt and decrypt arbitrary long data. 1025 1026 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA224 1027 RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA224. Input data must be at most 1028 "key block size - 58" bytes long and returned block has always the same size as block size, as returned 1029 by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM to be able to encrypt and decrypt arbitrary long data. 1030 1031 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA256 1032 RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA256. Input data must be at most 1033 "key block size - 66" bytes long and returned block has always the same size as block size, as returned 1034 by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM to be able to encrypt and decrypt arbitrary long data. 1035 1036 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA384 1037 RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA384. Input data must be at most 1038 "key block size - 98" bytes long and returned block has always the same size as block size, as returned 1039 by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM to be able to encrypt and decrypt arbitrary long data. 1040 1041 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA512 1042 RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA512. Input data must be at most 1043 "key block size - 130" bytes long and returned block has always the same size as block size, as returned 1044 by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM to be able to encrypt and decrypt arbitrary long data. 1045 1046 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM 1047 Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM 1048 mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext. 1049 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used 1050 as authentication data for AES-GCM encryption. 1051 1052 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM 1053 Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM 1054 mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext. 1055 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used 1056 as authentication data for AES-GCM encryption. 1057 1058 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM 1059 Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM 1060 mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext. 1061 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used 1062 as authentication data for AES-GCM encryption. 1063 1064 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM 1065 Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM 1066 mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext. 1067 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used 1068 as authentication data for AES-GCM encryption. 1069 1070 @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM 1071 Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM 1072 mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext. 1073 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used 1074 as authentication data for AES-GCM encryption. 1075 1076 @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM 1077 Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM in new code. 1078 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size 1079 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF. 1080 AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector). 1081 1082 @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM 1083 Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA224AESGCM in new code. 1084 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224. AES Key size 1085 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF. 1086 AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector). 1087 1088 @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM 1089 Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM in new code. 1090 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256. AES Key size 1091 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF. 1092 AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector). 1093 1094 @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM 1095 Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA384AESGCM in new code. 1096 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384. AES Key size 1097 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF. 1098 AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector). 1099 1100 @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM 1101 Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA512AESGCM in new code. 1102 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512. AES Key size 1103 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF. 1104 AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector). 1105 1106 @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM 1107 Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA256AESGCM in new code. 1108 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size 1109 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF. 1110 AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector). 1111 1112 @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM 1113 Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA224AESGCM in new code. 1114 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224. AES Key size 1115 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF. 1116 AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector). 1117 1118 @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM 1119 Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA256AESGCM in new code. 1120 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256. AES Key size 1121 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF. 1122 AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector). 1123 1124 @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM 1125 Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA384AESGCM in new code. 1126 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384. AES Key size 1127 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF. 1128 AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector). 1129 1130 @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM 1131 Legacy ECIES encryption or decryption, use kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA512AESGCM in new code. 1132 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512. AES Key size 1133 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF. 1134 AES-GCM uses 16 bytes long TAG and all-zero 16 byte long IV (initialization vector). 1135 1136 @constant kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA224AESGCM 1137 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. 1138 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224. AES Key size 1139 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF. 1140 AES-GCM uses 16 bytes long TAG, AES key is first half of KDF output and 16 byte long IV (initialization vector) is second half 1141 of KDF output. 1142 1143 @constant kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM 1144 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. 1145 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256. AES Key size 1146 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF. 1147 AES-GCM uses 16 bytes long TAG, AES key is first half of KDF output and 16 byte long IV (initialization vector) is second half 1148 of KDF output. 1149 1150 @constant kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA384AESGCM 1151 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. 1152 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384. AES Key size 1153 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF. 1154 AES-GCM uses 16 bytes long TAG, AES key is first half of KDF output and 16 byte long IV (initialization vector) is second half 1155 of KDF output. 1156 1157 @constant kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA512AESGCM 1158 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. 1159 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512. AES Key size 1160 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF. 1161 AES-GCM uses 16 bytes long TAG, AES key is first half of KDF output and 16 byte long IV (initialization vector) is second half 1162 of KDF output. 1163 1164 @constant kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA224AESGCM 1165 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. 1166 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224. AES Key size 1167 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF. 1168 AES-GCM uses 16 bytes long TAG, AES key is first half of KDF output and 16 byte long IV (initialization vector) is second half 1169 of KDF output. 1170 1171 @constant kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA256AESGCM 1172 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. 1173 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256. AES Key size 1174 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF. 1175 AES-GCM uses 16 bytes long TAG, AES key is first half of KDF output and 16 byte long IV (initialization vector) is second half 1176 of KDF output. 1177 1178 @constant kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA384AESGCM 1179 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. 1180 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384. AES Key size 1181 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF. 1182 AES-GCM uses 16 bytes long TAG, AES key is first half of KDF output and 16 byte long IV (initialization vector) is second half 1183 of KDF output. 1184 1185 @constant kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA512AESGCM 1186 ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. 1187 Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512. AES Key size 1188 is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF. 1189 AES-GCM uses 16 bytes long TAG, AES key is first half of KDF output and 16 byte long IV (initialization vector) is second half 1190 of KDF output. 1191 1192 @constant kSecKeyAlgorithmECDHKeyExchangeCofactor 1193 Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys. 1194 This algorithm does not accept any parameters, length of output raw shared secret is given by the length of the key. 1195 1196 @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1 1197 Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys 1198 and apply ANSI X9.63 KDF with SHA1 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows 1199 kSecKeyKeyExchangeParameterSharedInfo parameters to be used. 1200 1201 @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224 1202 Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys 1203 and apply ANSI X9.63 KDF with SHA224 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows 1204 kSecKeyKeyExchangeParameterSharedInfo parameters to be used. 1205 1206 @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256 1207 Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys 1208 and apply ANSI X9.63 KDF with SHA256 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows 1209 kSecKeyKeyExchangeParameterSharedInfo parameters to be used. 1210 1211 @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384 1212 Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys 1213 and apply ANSI X9.63 KDF with SHA384 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows 1214 kSecKeyKeyExchangeParameterSharedInfo parameters to be used. 1215 1216 @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512 1217 Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys 1218 and apply ANSI X9.63 KDF with SHA512 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows 1219 kSecKeyKeyExchangeParameterSharedInfo parameters to be used. 1220 1221 @constant kSecKeyAlgorithmECDHKeyExchangeStandard 1222 Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys. 1223 This algorithm does not accept any parameters, length of output raw shared secret is given by the length of the key. 1224 1225 @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1 1226 Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys 1227 and apply ANSI X9.63 KDF with SHA1 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows 1228 kSecKeyKeyExchangeParameterSharedInfo parameters to be used. 1229 1230 @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224 1231 Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys 1232 and apply ANSI X9.63 KDF with SHA224 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows 1233 kSecKeyKeyExchangeParameterSharedInfo parameters to be used. 1234 1235 @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256 1236 Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys 1237 and apply ANSI X9.63 KDF with SHA256 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows 1238 kSecKeyKeyExchangeParameterSharedInfo parameters to be used. 1239 1240 @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384 1241 Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys 1242 and apply ANSI X9.63 KDF with SHA384 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows 1243 kSecKeyKeyExchangeParameterSharedInfo parameters to be used. 1244 1245 @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512 1246 Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys 1247 and apply ANSI X9.63 KDF with SHA512 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows 1248 kSecKeyKeyExchangeParameterSharedInfo parameters to be used. 1249 */ 1250 1251 typedef CFStringRef SecKeyAlgorithm CF_STRING_ENUM 1252 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1253 1254 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureRaw 1255 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1256 1257 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw 1258 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1259 1260 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1 1261 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1262 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224 1263 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1264 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256 1265 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1266 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384 1267 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1268 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512 1269 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1270 1271 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1 1272 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1273 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224 1274 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1275 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256 1276 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1277 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384 1278 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1279 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512 1280 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1281 1282 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPSSSHA1 1283 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); 1284 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPSSSHA224 1285 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); 1286 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPSSSHA256 1287 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); 1288 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPSSSHA384 1289 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); 1290 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPSSSHA512 1291 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); 1292 1293 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePSSSHA1 1294 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); 1295 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePSSSHA224 1296 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); 1297 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePSSSHA256 1298 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); 1299 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePSSSHA384 1300 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); 1301 extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePSSSHA512 1302 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); 1303 1304 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureRFC4754 1305 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1306 1307 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962 1308 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1309 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA1 1310 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1311 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA224 1312 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1313 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA256 1314 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1315 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA384 1316 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1317 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA512 1318 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1319 1320 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA1 1321 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1322 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA224 1323 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1324 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA256 1325 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1326 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA384 1327 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1328 extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA512 1329 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1330 1331 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionRaw 1332 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1333 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionPKCS1 1334 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1335 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA1 1336 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1337 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA224 1338 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1339 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA256 1340 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1341 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA384 1342 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1343 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA512 1344 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1345 1346 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM 1347 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1348 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM 1349 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1350 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM 1351 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1352 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM 1353 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1354 extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM 1355 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1356 1357 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM 1358 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1359 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM 1360 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1361 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM 1362 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1363 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM 1364 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1365 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM 1366 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1367 1368 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM 1369 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1370 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM 1371 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1372 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM 1373 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1374 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM 1375 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1376 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM 1377 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1378 1379 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA224AESGCM 1380 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); 1381 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM 1382 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); 1383 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA384AESGCM 1384 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); 1385 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA512AESGCM 1386 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); 1387 1388 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA224AESGCM 1389 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); 1390 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA256AESGCM 1391 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); 1392 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA384AESGCM 1393 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); 1394 extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA512AESGCM 1395 __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); 1396 1397 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandard 1398 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1399 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1 1400 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1401 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224 1402 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1403 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256 1404 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1405 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384 1406 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1407 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512 1408 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1409 1410 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactor 1411 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1412 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1 1413 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1414 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224 1415 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1416 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256 1417 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1418 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384 1419 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1420 extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512 1421 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1422 1423 /*! 1424 @function SecKeyCreateSignature 1425 @abstract Given a private key and data to sign, generate a digital signature. 1426 @param key Private key with which to sign. 1427 @param algorithm One of SecKeyAlgorithm constants suitable to generate signature with this key. 1428 @param dataToSign The data to be signed, typically the digest of the actual data. 1429 @param error On error, will be populated with an error object describing the failure. 1430 See "Security Error Codes" (SecBase.h). 1431 @result The signature over dataToSign represented as a CFData, or NULL on failure. 1432 @discussion Computes digital signature using specified key over input data. The operation algorithm 1433 further defines the exact format of input data, operation to be performed and output signature. 1434 */ 1435 CFDataRef _Nullable SecKeyCreateSignature(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef dataToSign, CFErrorRef *error) 1436 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1437 1438 /*! 1439 @function SecKeyVerifySignature 1440 @abstract Given a public key, data which has been signed, and a signature, verify the signature. 1441 @param key Public key with which to verify the signature. 1442 @param algorithm One of SecKeyAlgorithm constants suitable to verify signature with this key. 1443 @param signedData The data over which sig is being verified, typically the digest of the actual data. 1444 @param signature The signature to verify. 1445 @param error On error, will be populated with an error object describing the failure. 1446 See "Security Error Codes" (SecBase.h). 1447 @result True if the signature was valid, False otherwise. 1448 @discussion Verifies digital signature operation using specified key and signed data. The operation algorithm 1449 further defines the exact format of input data, signature and operation to be performed. 1450 */ 1451 Boolean SecKeyVerifySignature(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef signedData, CFDataRef signature, CFErrorRef *error) 1452 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1453 1454 /*! 1455 @function SecKeyCreateEncryptedData 1456 @abstract Encrypt a block of plaintext. 1457 @param key Public key with which to encrypt the data. 1458 @param algorithm One of SecKeyAlgorithm constants suitable to perform encryption with this key. 1459 @param plaintext The data to encrypt. The length and format of the data must conform to chosen algorithm, 1460 typically be less or equal to the value returned by SecKeyGetBlockSize(). 1461 @param error On error, will be populated with an error object describing the failure. 1462 See "Security Error Codes" (SecBase.h). 1463 @result The ciphertext represented as a CFData, or NULL on failure. 1464 @discussion Encrypts plaintext data using specified key. The exact type of the operation including the format 1465 of input and output data is specified by encryption algorithm. 1466 */ 1467 CFDataRef _Nullable SecKeyCreateEncryptedData(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef plaintext, 1468 CFErrorRef *error) 1469 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1470 1471 /*! 1472 @function SecKeyCreateDecryptedData 1473 @abstract Decrypt a block of ciphertext. 1474 @param key Private key with which to decrypt the data. 1475 @param algorithm One of SecKeyAlgorithm constants suitable to perform decryption with this key. 1476 @param ciphertext The data to decrypt. The length and format of the data must conform to chosen algorithm, 1477 typically be less or equal to the value returned by SecKeyGetBlockSize(). 1478 @param error On error, will be populated with an error object describing the failure. 1479 See "Security Error Codes" (SecBase.h). 1480 @result The plaintext represented as a CFData, or NULL on failure. 1481 @discussion Decrypts ciphertext data using specified key. The exact type of the operation including the format 1482 of input and output data is specified by decryption algorithm. 1483 */ 1484 CFDataRef _Nullable SecKeyCreateDecryptedData(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef ciphertext, 1485 CFErrorRef *error) 1486 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1487 1488 /*! 1489 @enum SecKeyKeyExchangeParameter SecKey Key Exchange parameters 1490 @constant kSecKeyKeyExchangeParameterRequestedSize Contains CFNumberRef with requested result size in bytes. 1491 @constant kSecKeyKeyExchangeParameterSharedInfo Contains CFDataRef with additional shared info 1492 for KDF (key derivation function). 1493 */ 1494 typedef CFStringRef SecKeyKeyExchangeParameter CF_STRING_ENUM 1495 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1496 extern const SecKeyKeyExchangeParameter kSecKeyKeyExchangeParameterRequestedSize 1497 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1498 extern const SecKeyKeyExchangeParameter kSecKeyKeyExchangeParameterSharedInfo 1499 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1500 1501 /*! 1502 @function SecKeyCopyKeyExchangeResult 1503 @abstract Perform Diffie-Hellman style of key exchange operation, optionally with additional key-derivation steps. 1504 @param algorithm One of SecKeyAlgorithm constants suitable to perform this operation. 1505 @param publicKey Remote party's public key. 1506 @param parameters Dictionary with parameters, see SecKeyKeyExchangeParameter constants. Used algorithm 1507 determines the set of required and optional parameters to be used. 1508 @param error Pointer to an error object on failure. 1509 See "Security Error Codes" (SecBase.h). 1510 @result Result of key exchange operation as a CFDataRef, or NULL on failure. 1511 */ 1512 CFDataRef _Nullable SecKeyCopyKeyExchangeResult(SecKeyRef privateKey, SecKeyAlgorithm algorithm, SecKeyRef publicKey, CFDictionaryRef parameters, CFErrorRef *error) 1513 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1514 1515 /*! 1516 @enum SecKeyOperationType 1517 @abstract Defines types of cryptographic operations available with SecKey instance. 1518 1519 @constant kSecKeyOperationTypeSign 1520 Represents SecKeyCreateSignature() 1521 1522 @constant kSecKeyOperationTypeVerify 1523 Represents SecKeyVerifySignature() 1524 1525 @constant kSecKeyOperationTypeEncrypt 1526 Represents SecKeyCreateEncryptedData() 1527 1528 @constant kSecKeyOperationTypeDecrypt 1529 Represents SecKeyCreateDecryptedData() 1530 1531 @constant kSecKeyOperationTypeKeyExchange 1532 Represents SecKeyCopyKeyExchangeResult() 1533 */ 1534 typedef CF_ENUM(CFIndex, SecKeyOperationType) { 1535 kSecKeyOperationTypeSign = 0, 1536 kSecKeyOperationTypeVerify = 1, 1537 kSecKeyOperationTypeEncrypt = 2, 1538 kSecKeyOperationTypeDecrypt = 3, 1539 kSecKeyOperationTypeKeyExchange = 4, 1540 } __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1541 1542 /*! 1543 @function SecKeyIsAlgorithmSupported 1544 @abstract Checks whether key supports specified algorithm for specified operation. 1545 @param key Key to query 1546 @param operation Operation type for which the key is queried 1547 @param algorithm Algorithm which is queried 1548 @return True if key supports specified algorithm for specified operation, False otherwise. 1549 */ 1550 Boolean SecKeyIsAlgorithmSupported(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm) 1551 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); 1552 1553 CF_IMPLICIT_BRIDGING_DISABLED 1554 CF_ASSUME_NONNULL_END 1555 1556 __END_DECLS 1557 1558 #endif /* !_SECURITY_SECKEY_H_ */