ios设备中的keychain是一个安全的存储容器,可以用来为不同应用保存敏感信息比如用户名,密码,网络密码,认证令牌。苹果自己用keychain来保存wi-fi网络密码,vpn凭证等等。它是一个sqlite数据库,位于/private/var/keychains/keychain-2.db,其保存的所有数据都是加密过的。模拟器下keychain文件路径:~/library/application support/iphone simulator/4.3/library/keychains
keychain里保存的信息不会因app被删除而丢失,在用户重新安装app后依然有效,数据还在。
关于备份,只会备份数据,到那时不会备份设备的密钥,换句话说,即使拿到数据,也没有办法解密里面的内容。
比较复杂的数据,使用苹果官方发布的keychainitemwrapper或者sfhfkeychainutils会很方便。如果是比较简单的,就不用苹果提供的类了,自己写个简单的类来实现就好了。
两种方法都需要在”build phases“中导入库"security.framework"
一、自己封装的类
(1)实现代码(思路是将数据封装进nsdictionary,通过nskeyedarchiver归档后保存)
a)mykeychain.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
|
//
// mykeychainh
// uuiddemo
//
// created by 555chy on 6/10/
// copyright © 2016 555chy all rights reserved
//
#import <foundation/foundationh>
#import <security/securityh>
@interface mykeychain : nsobject
+ ( bool )save:(nsstring*)service data:(id)data;
+ (id)load:(nsstring*)service;
+ ( void ) delete :(nsstring*)service;
@end
b)mykeychainm
//
// mykeychainm
// uuiddemo
//
// created by 555chy on 6/10/
// copyright © 2016 555chy all rights reserved
//
#import "mykeychainh"
@implementation mykeychain
+ (nsmutabledictionary*) getkeychainquery: (nsstring*)service {
return [nsmutabledictionary dictionarywithobjectsandkeys:
(id)ksecclassgenericpassword, (id)ksecclass,
service, (id)ksecattrservice,
service, (id)ksecattraccount,
(id)ksecattraccessibleafterfirstunlock, (id)ksecattraccessible,
nil nil];
}
+ ( bool ) save:(nsstring*)service data:(id)data {
nsmutabledictionary *keychainquery = [self getkeychainquery:service];
secitemdelete((cfdictionaryref)keychainquery);
[keychainquery setobject:[nskeyedarchiver archiveddatawithrootobject:data] forkey:(id)ksecvaluedata];
return secitemadd((cfdictionaryref)keychainquery, null) == noerr;
}
+ (id) load:(nsstring*)service {
id ret = null;
nsmutabledictionary *keychainquery = [self getkeychainquery:service];
[keychainquery setobject:(id)kcfbooleantrue forkey:(id)ksecreturndata];
[keychainquery setobject:(id)ksecmatchlimitone forkey:(id)ksecmatchlimit];
nsdata *keydata = null;
if (secitemcopymatching((cfdictionaryref)keychainquery, (cftyperef*)( void *)&keydata) == noerr) {
@ try {
ret = [nskeyedunarchiver unarchiveobjectwithdata:keydata];
}
@ catch (nsexception *exception) {
nslog(@ "unarchive of %@ failed: %@" , service, exception);
}
@finally {
}
}
return ret;
}
+ ( void ) delete :(nsstring*)service {
nsmutabledictionary *keychainquery = [self getkeychainquery:service];
secitemdelete((cfdictionaryref)keychainquery);
}
@end
|
c)viewcontroller.m
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
|
//
// viewcontrollerm
// uuiddemo
//
// created by 555chy on 6/10/
// copyright © 2016 555chy all rights reserved
//
#import "viewcontrollerh"
#import "mykeychainh"
@interface viewcontroller ()
@end
@implementation viewcontroller
nsstring *key_package_name = @ "comchyuuiddemouuid" ;
nsstring *key_uuid = @ "uuid" ;
-( void ) saveidfv {
nsstring *idfv = [[[uidevice currentdevice] identifierforvendor] uuidstring];
nslog(@ "get from uidevice, idfv is %@" , idfv);
nsmutabledictionary *datadict = [nsmutabledictionary dictionary];
[datadict setobject:idfv forkey:key_uuid];
bool ret = [mykeychain save:key_package_name data:datadict];
nslog(@ "save %@ %@" , idfv, ret?@ "succ" :@ "fail" );
}
-( void ) reloadidfv {
nsmutabledictionary *loaddata = [mykeychain load:key_package_name];
nsstring *loadidfv = [loaddata objectforkey:key_uuid];
if (loadidfv) {
nslog(@ "load idfv is %@" , loadidfv);
} else {
nslog(@ "load idfv, but it not exist" );
}
}
- ( void )viewdidload {
[super viewdidload];
// do any additional setup after loading the view, typically from a nib
[self reloadidfv];
[self saveidfv];
[self reloadidfv];
[mykeychain delete :key_package_name];
nslog(@ "delete idfv from keychain" );
[self reloadidfv];
[self saveidfv];
}
- ( void )didreceivememorywarning {
[super didreceivememorywarning];
// dispose of any resources that can be recreated
}
@end
|
(2)运行结果
第一次运行
第二次运行
在模拟器上每次运行实际上都是卸载前一个app,然后再安装新的app。而保存在keychain中的idfv标识符依然还在。
(3)基本语法
secitemadd 增
secitemupdate 改
secitemdelete 删
secitemcopymatching 查
(4)secitem.h(变量的介绍基本都在头文件中了,看下头文件中的注释就能明白其中的含义)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
|
/*
* copyright (c) 2006-2014 apple inc all rights reserved
*
* @apple_license_header_start@
*
* this file contains original code and/or modifications of original code
* as defined in and that are subject to the apple public source license
* version 0 (the 'license') you may not use this file except in
* compliance with the license please obtain a copy of the license at
* http://wwwopensourceapplecom/apsl/ and read it before using this
* file
*
* the original code and all software distributed under the license are
* distributed on an 'as is' basis, without warranty of any kind, either
* express or implied, and apple hereby disclaims all such warranties,
* including without limitation, any warranties of merchantability,
* fitness for a particular purpose, quiet enjoyment or non-infringement
* please see the license for the specific language governing rights and
* limitations under the license
*
* @apple_license_header_end@
*/
/*!
@header secitem
secitem defines corefoundation-based constants and functions for
access to security items (certificates, keys, identities, and
passwords)
*/
#ifndef _security_secitem_h_
#define _security_secitem_h_
#include <security/secbaseh>
#include <corefoundation/cfarrayh>
#include <corefoundation/cfdictionaryh>
__begin_decls
cf_assume_nonnull_begin
cf_implicit_bridging_enabled
/*!
@enum class key constant
@discussion predefined key constant used to get or set item class values in
a dictionary its value is one of the constants defined in the value
constants for ksecclass
@constant ksecclass specifies a dictionary key whose value is the item's
class code you use this key to get or set a value of type cftyperef
that contains the item class code
*/
extern const cfstringref ksecclass
__osx_available_starting(__mac_10_6, __iphone_2_0);
/*!
@enum class value constants
@discussion predefined item class constants used to get or set values in
a dictionary the ksecclass constant is the key and its value is one
of the constants defined here
@constant ksecclassgenericpassword specifies generic password items
@constant ksecclassinternetpassword specifies internet password items
@constant ksecclasscertificate specifies certificate items
@constant ksecclasskey specifies key items
@constant ksecclassidentity specifies identity items
*/
extern const cfstringref ksecclassgenericpassword
__osx_available_starting(__mac_10_7, __iphone_2_0);
extern const cfstringref ksecclassinternetpassword
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecclasscertificate
__osx_available_starting(__mac_10_7, __iphone_2_0);
extern const cfstringref ksecclasskey
__osx_available_starting(__mac_10_7, __iphone_2_0);
extern const cfstringref ksecclassidentity
__osx_available_starting(__mac_10_7, __iphone_2_0);
/*!
@enum attribute key constants
@discussion predefined item attribute keys used to get or set values in a
dictionary not all attributes apply to each item class the table
below lists the currently defined attributes for each item class:
ksecclassgenericpassword item attributes:
ksecattraccessible
ksecattraccesscontrol
ksecattraccessgroup
ksecattrcreationdate
ksecattrmodificationdate
ksecattrdescription
ksecattrcomment
ksecattrcreator
ksecattrtype
ksecattrlabel
ksecattrisinvisible
ksecattrisnegative
ksecattraccount
ksecattrservice
ksecattrgeneric
ksecattrsynchronizable
ksecclassinternetpassword item attributes:
ksecattraccessible
ksecattraccesscontrol
ksecattraccessgroup
ksecattrcreationdate
ksecattrmodificationdate
ksecattrdescription
ksecattrcomment
ksecattrcreator
ksecattrtype
ksecattrlabel
ksecattrisinvisible
ksecattrisnegative
ksecattraccount
ksecattrsecuritydomain
ksecattrserver
ksecattrprotocol
ksecattrauthenticationtype
ksecattrport
ksecattrpath
ksecattrsynchronizable
ksecclasscertificate item attributes:
ksecattraccessible
ksecattraccesscontrol
ksecattraccessgroup
ksecattrcertificatetype
ksecattrcertificateencoding
ksecattrlabel
ksecattrsubject
ksecattrissuer
ksecattrserialnumber
ksecattrsubjectkeyid
ksecattrpublickeyhash
ksecattrsynchronizable
ksecclasskey item attributes:
ksecattraccessible
ksecattraccesscontrol
ksecattraccessgroup
ksecattrkeyclass
ksecattrlabel
ksecattrapplicationlabel
ksecattrispermanent
ksecattrapplicationtag
ksecattrkeytype
ksecattrkeysizeinbits
ksecattreffectivekeysize
ksecattrcanencrypt
ksecattrcandecrypt
ksecattrcanderive
ksecattrcansign
ksecattrcanverify
ksecattrcanwrap
ksecattrcanunwrap
ksecattrsynchronizable
ksecclassidentity item attributes:
since an identity is the combination of a private key and a
certificate, this class shares attributes of both ksecclasskey and
ksecclasscertificate
@constant ksecattraccessible specifies a dictionary key whose value
indicates when your application needs access to an item's data you
should choose the most restrictive option that meets your application's
needs to allow the system to protect that item in the best way possible
see the "ksecattraccessible value constants" section for a list of
values which can be specified
important: this attribute is currently not supported for os x keychain
items, unless the ksecattrsynchronizable attribute is also present if
both attributes are specified on either os x or ios, the value for the
ksecattraccessible key may only be one whose name does not end with
"thisdeviceonly", as those cannot sync to another device
@constant ksecattraccesscontrol specifies a dictionary key whose value
is secaccesscontrol instance which contains access control conditions
for item
@constant ksecattraccessgroup specifies a dictionary key whose value is
a cfstringref indicating which access group a item is in the access
groups that a particular application has membership in are determined by
two entitlements for that application the application-identifier
entitlement contains the application's single access group, unless
there is a keychain-access-groups entitlement present the latter
has as its value a list of access groups; the first item in this list
is the default access group unless a specific access group is provided
as the value of ksecattraccessgroup when secitemadd is called, new items
are created in the application's default access group specifying this
attribute in secitemcopymatching, secitemupdate, or secitemdelete calls
limits the search to the specified access group (of which the calling
application must be a member to obtain matching results) to share
keychain items between multiple applications, each application must have
a common group listed in its keychain-access-groups entitlement, and each
must specify this shared access group name as the value for the
ksecattraccessgroup key in the dictionary passed to secitem functions
@constant ksecattrsynchronizable specifies a dictionary key whose value is
a cfbooleanref indicating whether the item in question can be synchronized
to add a new item which can be synced to other devices, or to obtain
synchronizable results from a query, supply this key with a value of
kcfbooleantrue if the key is not supplied, or has a value of
kcfbooleanfalse, then no synchronizable items will be added or returned
a predefined value, ksecattrsynchronizableany, may be provided instead of
kcfbooleantrue if both synchronizable and non-synchronizable results are
desired
important: specifying the ksecattrsynchronizable key has several caveats:
- updating or deleting items using the ksecattrsynchronizable key will
affect all copies of the item, not just the one on your local device
be sure that it makes sense to use the same password on all devices
before deciding to make a password synchronizable
- only password items can currently be synchronized keychain syncing
is not supported for certificates or cryptographic keys
- items stored or obtained using the ksecattrsynchronizable key cannot
specify secaccessref-based access control with ksecattraccess if a
password is intended to be shared between multiple applications, the
ksecattraccessgroup key must be specified, and each application
using this password must have a 'keychain-access-groups' entitlement
with the specified access group value
- items stored or obtained using the ksecattrsynchronizable key may
not also specify a ksecattraccessible value which is incompatible
with syncing (namely, those whose names end with "thisdeviceonly")
- items stored or obtained using the ksecattrsynchronizable key cannot
be specified by reference you must pass ksecreturnattributes and/or
ksecreturndata to retrieve results; ksecreturnref is currently not
supported for synchronizable items
- persistent references to synchronizable items should be avoided;
while they may work locally, they cannot be moved between devices,
and may not resolve if the item is modified on some other device
- when specifying a query that uses the ksecattrsynchronizable key,
search keys are limited to the item's class and attributes
the only search constant which may be used is ksecmatchlimit; other
constants using the ksecmatch prefix are not supported at this time
@constant ksecattrcreationdate (read-only) specifies a dictionary key whose
value is the item's creation date you use this key to get a value
of type cfdateref that represents the date the item was created
@constant ksecattrmodificationdate (read-only) specifies a dictionary key
whose value is the item's modification date you use this key to get
a value of type cfdateref that represents the last time the item was
updated
@constant ksecattrdescription specifies a dictionary key whose value is
the item's description attribute you use this key to set or get a
value of type cfstringref that represents a user-visible string
describing this particular kind of item (eg, "disk image password")
@constant ksecattrcomment specifies a dictionary key whose value is the
item's comment attribute you use this key to set or get a value of
type cfstringref containing the user-editable comment for this item
@constant ksecattrcreator specifies a dictionary key whose value is the
item's creator attribute you use this key to set or get a value of
type cfnumberref that represents the item's creator this number is
the unsigned integer representation of a four-character code (eg,
'acrt')
@constant ksecattrtype specifies a dictionary key whose value is the item's
type attribute you use this key to set or get a value of type
cfnumberref that represents the item's type this number is the
unsigned integer representation of a four-character code (eg,
'atyp')
@constant ksecattrlabel specifies a dictionary key whose value is the
item's label attribute you use this key to set or get a value of
type cfstringref containing the user-visible label for this item
@constant ksecattrisinvisible specifies a dictionary key whose value is the
item's invisible attribute you use this key to set or get a value
of type cfbooleanref that indicates whether the item is invisible
(ie, should not be displayed)
@constant ksecattrisnegative specifies a dictionary key whose value is the
item's negative attribute you use this key to set or get a value of
type cfbooleanref that indicates whether there is a valid password
associated with this keychain item this is useful if your application
doesn't want a password for some particular service to be stored in
the keychain, but prefers that it always be entered by the user
@constant ksecattraccount specifies a dictionary key whose value is the
item's account attribute you use this key to set or get a cfstringref
that contains an account name (items of class
ksecclassgenericpassword, ksecclassinternetpassword have this
attribute)
@constant ksecattrservice specifies a dictionary key whose value is the
item's service attribute you use this key to set or get a cfstringref
that represents the service associated with this item (items of class
ksecclassgenericpassword have this attribute)
@constant ksecattrgeneric specifies a dictionary key whose value is the
item's generic attribute you use this key to set or get a value of
cfdataref that contains a user-defined attribute (items of class
ksecclassgenericpassword have this attribute)
@constant ksecattrsecuritydomain specifies a dictionary key whose value
is the item's security domain attribute you use this key to set or
get a cfstringref value that represents the internet security domain
(items of class ksecclassinternetpassword have this attribute)
@constant ksecattrserver specifies a dictionary key whose value is the
item's server attribute you use this key to set or get a value of
type cfstringref that contains the server's domain name or ip address
(items of class ksecclassinternetpassword have this attribute)
@constant ksecattrprotocol specifies a dictionary key whose value is the
item's protocol attribute you use this key to set or get a value of
type cfnumberref that denotes the protocol for this item (see the
secprotocoltype enum in seckeychainitemh) (items of class
ksecclassinternetpassword have this attribute)
@constant ksecattrauthenticationtype specifies a dictionary key whose value
is the item's authentication type attribute you use this key to set
or get a value of type cfnumberref that denotes the authentication
scheme for this item (see the ksecattrauthenticationtype value
constants below)
@constant ksecattrport specifies a dictionary key whose value is the item's
port attribute you use this key to set or get a cfnumberref value
that represents an internet port number (items of class
ksecclassinternetpassword have this attribute)
@constant ksecattrpath specifies a dictionary key whose value is the item's
path attribute, typically this is the path component of the url you use
this key to set or get a cfstringref value that represents a path (items
of class ksecclassinternetpassword have this attribute)
@constant ksecattrsubject (read-only) specifies a dictionary key whose
value is the item's subject you use this key to get a value of type
cfdataref that contains the x500 subject name of a certificate
(items of class ksecclasscertificate have this attribute)
@constant ksecattrissuer (read-only) specifies a dictionary key whose value
is the item's issuer you use this key to get a value of type
cfdataref that contains the x500 issuer name of a certificate (items
of class ksecclasscertificate have this attribute)
@constant ksecattrserialnumber (read-only) specifies a dictionary key whose
value is the item's serial number you use this key to get a value
of type cfdataref that contains the serial number data of a
certificate (items of class ksecclasscertificate have this
attribute)
@constant ksecattrsubjectkeyid (read-only) specifies a dictionary key whose
value is the item's subject key id you use this key to get a value
of type cfdataref that contains the subject key id of a certificate
(items of class ksecclasscertificate have this attribute)
@constant ksecattrpublickeyhash (read-only) specifies a dictionary key
whose value is the item's public key hash you use this key to get a
value of type cfdataref that contains the hash of a certificate's
public key (items of class ksecclasscertificate have this attribute)
@constant ksecattrcertificatetype (read-only) specifies a dictionary key
whose value is the item's certificate type you use this key to get
a value of type cfnumberref that denotes the certificate type
(currently only the value of this attribute must be equal to the
version of the x509 certificate so 1 for v1 2 for v2 and 3 for v3
certificates) only items of class ksecclasscertificate have this
attribute
@constant ksecattrcertificateencoding (read-only) specifies a dictionary
key whose value is the item's certificate encoding you use this key
to get a value of type cfnumberref that denotes the certificate
encoding (currently only the value 3 meaning
ksecattrcertificateencodingder is supported) only items of class
ksecclasscertificate have this attribute
@constant ksecattrkeyclass (read only) specifies a dictionary key whose
value is one of ksecattrkeyclasspublic, ksecattrkeyclassprivate or
ksecattrkeyclasssymmetric
@constant ksecattrapplicationlabel specifies a dictionary key whose value
is the key's application label attribute this is different from the
ksecattrlabel (which is intended to be human-readable) this attribute
is used to look up a key programmatically; in particular, for keys of
class ksecattrkeyclasspublic and ksecattrkeyclassprivate, the value of
this attribute is the hash of the public key
@constant ksecattrispermanent specifies a dictionary key whose value is a
cfbooleanref indicating whether the key in question will be stored
permanently
@constant ksecattrapplicationtag specifies a dictionary key whose value is a
cfdataref containing private tag data
@constant ksecattrkeytype specifies a dictionary key whose value is a
cfnumberref indicating the algorithm associated with this key
(currently only the value 42 is supported, alternatively you can use
ksecattrkeytypersa)
@constant ksecattrkeysizeinbits specifies a dictionary key whose value
is a cfnumberref indicating the number of bits in this key
@constant ksecattreffectivekeysize specifies a dictionary key whose value
is a cfnumberref indicating the effective number of bits in this key
for example, a des key has a ksecattrkeysizeinbits of 64, but a
ksecattreffectivekeysize of 56 bits
@constant ksecattrcanencrypt specifies a dictionary key whole value is a
cfbooleanref indicating whether the key in question can be used to
encrypt data
@constant ksecattrcandecrypt specifies a dictionary key whose value is a
cfbooleanref indicating whether the key in question can be used to
decrypt data
@constant ksecattrcanderive specifies a dictionary key whole value is a
cfbooleanref indicating whether the key in question can be used to
derive another key
@constant ksecattrcansign specifies a dictionary key whole value is a
cfbooleanref indicating whether the key in question can be used to
create a digital signature
@constant ksecattrcanverify specifies a dictionary key whole value is a
cfbooleanref indicating whether the key in question can be used to
verify a digital signature
@constant ksecattrcanwrap specifies a dictionary key whole value is a
cfbooleanref indicating whether the key in question can be used to
wrap another key
@constant ksecattrcanunwrap specifies a dictionary key whole value is a
cfbooleanref indicating whether the key in question can be used to
unwrap another key
@constant ksecattrsyncviewhint specifies a dictionary key whose value is
a cfstringref this value is part of the primary key of each item, and
can be used to help distiguish sync views when defining their
queries
@constant ksecattrtokenid specifies a dictionary key whose presence
indicates that item is backed by external token value of this attribute
is cfstringref uniquely identifying containing token when this attribute
is not present, item is stored in internal keychain database
note that once item is created, this attribute cannot be changed - in other
words it is not possible to migrate existing items to, from or between tokens
currently the only available value for this attribute is
ksecattrtokenidsecureenclave, which indicates that item (private key) is
backed by device's secure enclave
*/
extern const cfstringref ksecattraccessible
__osx_available_starting(__mac_10_9, __iphone_4_0);
extern const cfstringref ksecattraccesscontrol
__osx_available_starting(__mac_10_10, __iphone_8_0);
extern const cfstringref ksecattraccessgroup
__osx_available_starting(__mac_10_9, __iphone_3_0);
extern const cfstringref ksecattrsynchronizable
__osx_available_starting(__mac_10_9, __iphone_7_0);
extern const cfstringref ksecattrcreationdate
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrmodificationdate
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrdescription
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrcomment
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrcreator
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrtype
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrlabel
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrisinvisible
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrisnegative
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattraccount
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrservice
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrgeneric
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrsecuritydomain
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrserver
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocol
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrauthenticationtype
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrport
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrpath
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrsubject
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrissuer
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrserialnumber
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrsubjectkeyid
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrpublickeyhash
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrcertificatetype
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrcertificateencoding
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrkeyclass
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrapplicationlabel
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrispermanent
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrapplicationtag
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrkeytype
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrkeysizeinbits
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattreffectivekeysize
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrcanencrypt
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrcandecrypt
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrcanderive
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrcansign
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrcanverify
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrcanwrap
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrcanunwrap
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrsyncviewhint
__osx_available_starting(__mac_10_11, __iphone_9_0);
extern const cfstringref ksecattrtokenid
__osx_available_starting(__mac_10_11, __iphone_9_0);
/*!
@enum ksecattraccessible value constants
@discussion predefined item attribute constants used to get or set values
in a dictionary the ksecattraccessible constant is the key and its
value is one of the constants defined here
when asking secitemcopymatching to return the item's data, the error
errsecinteractionnotallowed will be returned if the item's data is not
available until a device unlock occurs
@constant ksecattraccessiblewhenunlocked item data can only be accessed
while the device is unlocked this is recommended for items that only
need be accesible while the application is in the foreground items
with this attribute will migrate to a new device when using encrypted
backups
@constant ksecattraccessibleafterfirstunlock item data can only be
accessed once the device has been unlocked after a restart this is
recommended for items that need to be accesible by background
applications items with this attribute will migrate to a new device
when using encrypted backups
@constant ksecattraccessiblealways item data can always be accessed
regardless of the lock state of the device this is not recommended
for anything except system use items with this attribute will migrate
to a new device when using encrypted backups
@constant ksecattraccessiblewhenpasscodesetthisdeviceonly item data can
only be accessed while the device is unlocked this class is only
available if a passcode is set on the device this is recommended for
items that only need to be accessible while the application is in the
foreground items with this attribute will never migrate to a new
device, so after a backup is restored to a new device, these items
will be missing no items can be stored in this class on devices
without a passcode disabling the device passcode will cause all
items in this class to be deleted
@constant ksecattraccessiblewhenunlockedthisdeviceonly item data can only
be accessed while the device is unlocked this is recommended for items
that only need be accesible while the application is in the foreground
items with this attribute will never migrate to a new device, so after
a backup is restored to a new device, these items will be missing
@constant ksecattraccessibleafterfirstunlockthisdeviceonly item data can
only be accessed once the device has been unlocked after a restart
this is recommended for items that need to be accessible by background
applications items with this attribute will never migrate to a new
device, so after a backup is restored to a new device these items will
be missing
@constant ksecattraccessiblealwaysthisdeviceonly item data can always
be accessed regardless of the lock state of the device this option
is not recommended for anything except system use items with this
attribute will never migrate to a new device, so after a backup is
restored to a new device, these items will be missing
*/
extern const cfstringref ksecattraccessiblewhenunlocked
__osx_available_starting(__mac_10_9, __iphone_4_0);
extern const cfstringref ksecattraccessibleafterfirstunlock
__osx_available_starting(__mac_10_9, __iphone_4_0);
extern const cfstringref ksecattraccessiblealways
__osx_available_starting(__mac_10_9, __iphone_4_0);
extern const cfstringref ksecattraccessiblewhenpasscodesetthisdeviceonly
__osx_available_starting(__mac_10_10, __iphone_8_0);
extern const cfstringref ksecattraccessiblewhenunlockedthisdeviceonly
__osx_available_starting(__mac_10_9, __iphone_4_0);
extern const cfstringref ksecattraccessibleafterfirstunlockthisdeviceonly
__osx_available_starting(__mac_10_9, __iphone_4_0);
extern const cfstringref ksecattraccessiblealwaysthisdeviceonly
__osx_available_starting(__mac_10_9, __iphone_4_0);
/*!
@enum ksecattrprotocol value constants
@discussion predefined item attribute constants used to get or set values
in a dictionary the ksecattrprotocol constant is the key and its
value is one of the constants defined here
@constant ksecattrprotocolftp
@constant ksecattrprotocolftpaccount
@constant ksecattrprotocolhttp
@constant ksecattrprotocolirc
@constant ksecattrprotocolnntp
@constant ksecattrprotocolpop
@constant ksecattrprotocolsmtp
@constant ksecattrprotocolsocks
@constant ksecattrprotocolimap
@constant ksecattrprotocolldap
@constant ksecattrprotocolappletalk
@constant ksecattrprotocolafp
@constant ksecattrprotocoltelnet
@constant ksecattrprotocolssh
@constant ksecattrprotocolftps
@constant ksecattrprotocolhttps
@constant ksecattrprotocolhttpproxy
@constant ksecattrprotocolhttpsproxy
@constant ksecattrprotocolftpproxy
@constant ksecattrprotocolsmb
@constant ksecattrprotocolrtsp
@constant ksecattrprotocolrtspproxy
@constant ksecattrprotocoldaap
@constant ksecattrprotocoleppc
@constant ksecattrprotocolipp
@constant ksecattrprotocolnntps
@constant ksecattrprotocolldaps
@constant ksecattrprotocoltelnets
@constant ksecattrprotocolimaps
@constant ksecattrprotocolircs
@constant ksecattrprotocolpop3s
*/
extern const cfstringref ksecattrprotocolftp
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolftpaccount
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolhttp
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolirc
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolnntp
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolpop3
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolsmtp
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolsocks
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolimap
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolldap
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolappletalk
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolafp
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocoltelnet
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolssh
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolftps
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolhttps
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolhttpproxy
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolhttpsproxy
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolftpproxy
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolsmb
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolrtsp
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolrtspproxy
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocoldaap
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocoleppc
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolipp
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolnntps
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolldaps
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocoltelnets
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolimaps
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolircs
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrprotocolpop3s
__osx_available_starting(__mac_10_6, __iphone_2_0);
/*!
@enum ksecattrauthenticationtype value constants
@discussion predefined item attribute constants used to get or set values
in a dictionary the ksecattrauthenticationtype constant is the key
and its value is one of the constants defined here
@constant ksecattrauthenticationtypentlm
@constant ksecattrauthenticationtypemsn
@constant ksecattrauthenticationtypedpa
@constant ksecattrauthenticationtyperpa
@constant ksecattrauthenticationtypehttpbasic
@constant ksecattrauthenticationtypehttpdigest
@constant ksecattrauthenticationtypehtmlform
@constant ksecattrauthenticationtypedefault
*/
extern const cfstringref ksecattrauthenticationtypentlm
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrauthenticationtypemsn
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrauthenticationtypedpa
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrauthenticationtyperpa
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrauthenticationtypehttpbasic
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrauthenticationtypehttpdigest
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrauthenticationtypehtmlform
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecattrauthenticationtypedefault
__osx_available_starting(__mac_10_6, __iphone_2_0);
/*!
@enum ksecattrkeyclass value constants
@discussion predefined item attribute constants used to get or set values
in a dictionary the ksecattrkeyclass constant is the key
and its value is one of the constants defined here
@constant ksecattrkeyclasspublic
@constant ksecattrkeyclassprivate
@constant ksecattrkeyclasssymmetric
*/
extern const cfstringref ksecattrkeyclasspublic
__osx_available_starting(__mac_10_7, __iphone_2_0);
extern const cfstringref ksecattrkeyclassprivate
__osx_available_starting(__mac_10_7, __iphone_2_0);
extern const cfstringref ksecattrkeyclasssymmetric
__osx_available_starting(__mac_10_7, __iphone_2_0);
/*!
@enum ksecattrkeytype value constants
@discussion predefined item attribute constants used to get or set values
in a dictionary the ksecattrkeytype constant is the key
and its value is one of the constants defined here
@constant ksecattrkeytypersa
@constant ksecattrkeytypeec
*/
extern const cfstringref ksecattrkeytypersa
__osx_available_starting(__mac_10_7, __iphone_2_0);
extern const cfstringref ksecattrkeytypeec
__osx_available_starting(__mac_10_9, __iphone_4_0);
/*!
@enum ksecattrsynchronizable value constants
@discussion predefined item attribute constants used to get or set values
in a dictionary the ksecattrsynchronizable constant is the key
and its value is one of the constants defined here
@constant ksecattrsynchronizableany specifies that both synchronizable and
non-synchronizable results should be returned from this query this may
be used as a value for the ksecattrsynchronizable dictionary key in a
call to secitemcopymatching, secitemupdate, or secitemdelete
*/
extern const cfstringref ksecattrsynchronizableany
__osx_available_starting(__mac_10_9, __iphone_7_0);
/*!
@enum search constants
@discussion predefined search constants used to set values in a query
dictionary you can specify a combination of search attributes and
item attributes when looking for matching items with the
secitemcopymatching function
@constant ksecmatchpolicy specifies a dictionary key whose value is a
secpolicyref if provided, returned certificates or identities must
verify with this policy
@constant ksecmatchissuers specifies a dictionary key whose value is a
cfarray of x500 names (of type cfdataref) if provided, returned
certificates or identities will be limited to those whose
certificate chain contains one of the issuers provided in this list
@constant ksecmatchemailaddressifpresent specifies a dictionary key whose
value is a cfstringref containing an rfc822 email address if
provided, returned certificates or identities will be limited to those
that contain the address, or do not contain any email address
@constant ksecmatchsubjectcontains specifies a dictionary key whose value
is a cfstringref if provided, returned certificates or identities
will be limited to those containing this string in the subject
@constant ksecmatchcaseinsensitive specifies a dictionary key whose value
is a cfbooleanref if this value is kcfbooleanfalse, or is not
provided, then case-sensitive string matching is performed
@constant ksecmatchtrustedonly specifies a dictionary key whose value is
a cfbooleanref if provided with a value of kcfbooleantrue, only
certificates which can be verified back to a trusted anchor will be
returned if this value is kcfbooleanfalse, or is not provided, then
both trusted and untrusted certificates may be returned
@constant ksecmatchvalidondate specifies a dictionary key whose value is
of type cfdateref if provided, returned keys, certificates or
identities will be limited to those which are valid for the given date
pass a value of kcfnull to indicate the current date
@constant ksecmatchlimit specifies a dictionary key whose value is a
cfnumberref if provided, this value specifies the maximum number of
results to return if not provided, results are limited to the first
item found predefined values are provided for a single item
(ksecmatchlimitone) and all matching items (ksecmatchlimitall)
@constant ksecmatchlimitone specifies that results are limited to the first
item found; used as a value for the ksecmatchlimit dictionary key
@constant ksecmatchlimitall specifies that an unlimited number of results
may be returned; used as a value for the ksecmatchlimit dictionary
key
*/
extern const cfstringref ksecmatchpolicy
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecmatchitemlist
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecmatchsearchlist
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecmatchissuers
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecmatchemailaddressifpresent
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecmatchsubjectcontains
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecmatchcaseinsensitive
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecmatchtrustedonly
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecmatchvalidondate
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecmatchlimit
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecmatchlimitone
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecmatchlimitall
__osx_available_starting(__mac_10_6, __iphone_2_0);
/*!
@enum return type key constants
@discussion predefined return type keys used to set values in a dictionary
you use these keys to specify the type of results which should be
returned by the secitemcopymatching or secitemadd function you can
specify zero or more of these return types if more than one of these
result types is specified, the result is returned as a cfdictionaryref
whose keys are the result types and values are the requested data
@constant ksecreturndata specifies a dictionary key whose value is of type
cfbooleanref a value of kcfbooleantrue indicates that the data of
an item (cfdataref) should be returned for keys and password
items, data is secret (encrypted) and may require the user to enter
a password for access
@constant ksecreturnattributes specifies a dictionary key whose value is
of type cfbooleanref a value of kcfbooleantrue indicates that the
(non-encrypted) attributes of an item (cfdictionaryref) should be
returned
@constant ksecreturnref specifies a dictionary key whose value is a
cfbooleanref a value of kcfbooleantrue indicates that a reference
should be returned depending on the item class requested, the
returned reference(s) may be of type seckeychainitemref, seckeyref,
seccertificateref, or secidentityref
@constant ksecreturnpersistentref specifies a dictionary key whose value
is of type cfbooleanref a value of kcfbooleantrue indicates that a
persistent reference to an item (cfdataref) should be returned
*/
extern const cfstringref ksecreturndata
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecreturnattributes
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecreturnref
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecreturnpersistentref
__osx_available_starting(__mac_10_6, __iphone_2_0);
/*!
@enum value type key constants
@discussion predefined value type keys used to pass values in a dictionary
you can specify zero or more of these types depending on the function
you are calling for secitemcopymatching or secitemadd these are
used as keys in the results dictionary
@constant ksecvaluedata specifies a dictionary key whose value is of type
cfdataref for keys and password items, data is secret (encrypted)
and may require the user to enter a password for access
@constant ksecvalueref specifies a dictionary key whose value, depending
on the item class requested, is of type seckeychainitemref, seckeyref,
seccertificateref, or secidentityref
@constant ksecvaluepersistentref specifies a dictionary key whose value
is of type cfdataref the bytes in this cfdataref can be stored by
the caller and used on a subsequent invocation of the application (or
even a different application) to retrieve the item referenced by it
*/
extern const cfstringref ksecvaluedata
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecvalueref
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecvaluepersistentref
__osx_available_starting(__mac_10_6, __iphone_2_0);
/*!
@enum other constants
@discussion predefined constants used to set values in a dictionary
@constant ksecuseitemlist specifies a dictionary key whose value is a
cfarray of items if provided, this array is treated as the set of
all possible items to search, or add if the api being called is
secitemadd the items in this array may be of type seckeyref,
seccertificateref, secidentityref, or cfdataref (for a persistent
item reference) the items in the array must all be of the same
type when this attribute is provided, no keychains are searched
@constant ksecuseoperationprompt specifies a dictionary key whose value
is a cfstringref that represents a user-visible string describing
the operation for which the application is attempting to authenticate
the application is responsible for the text localization
@constant ksecusenoauthenticationui specifies a dictionary key whose value
is a cfbooleanref if provided with a value of kcfbooleantrue, the error
errsecinteractionnotallowed will be returned if the item is attempting
to authenticate with ui
@constant ksecuseauthenticationui specifies a dictionary key whose value
is one of ksecuseauthenticationuiallow, ksecuseauthenticationuifail, ksecuseauthenticationuiskip
@constant ksecuseauthenticationcontext specifies a dictionary key whose value
is lacontext to be used for keychain item authentication
* if the item requires authentication and this key is omitted, a new context
will be created just for the purpose of the single call
* if the specified context has been previously authenticated, the operation
will succeed without asking user for authentication
* if the specified context has not been previously authenticated, the new
authentication will be started on this context, allowing caller to
eventually reuse the sucessfully authenticated context in subsequent
keychain operations
*/
extern const cfstringref ksecuseitemlist
__osx_available_starting(__mac_10_6, __iphone_2_0);
extern const cfstringref ksecuseoperationprompt
__osx_available_starting(__mac_10_10, __iphone_8_0);
extern const cfstringref ksecusenoauthenticationui
__osx_available_but_deprecated_msg(__mac_10_10, __mac_10_11, __iphone_8_0, __iphone_9_0, "use a ksecauthenticationui instead" );
extern const cfstringref ksecuseauthenticationui
__osx_available_starting(__mac_10_11, __iphone_9_0);
extern const cfstringref ksecuseauthenticationcontext
__osx_available_starting(__mac_10_11, __iphone_9_0);
/*!
@enum ksecuseauthenticationui value constants
@discussion predefined item attribute constants used to get or set values
in a dictionary the ksecuseauthenticationui constant is the key and its
value is one of the constants defined here
if the key ksecuseauthenticationui not provided then ksecuseauthenticationuiallow
is used as default
@constant ksecuseauthenticationuiallow specifies that authenticate ui can appear
@constant ksecuseauthenticationuifail specifies that the error
errsecinteractionnotallowed will be returned if an item needs
to authenticate with ui
@constant ksecuseauthenticationuiallowskip specifies that all items which need
to authenticate with ui will be silently skipped this value can be used
only with secitemcopymatching
*/
extern const cfstringref ksecuseauthenticationuiallow
__osx_available_starting(__mac_10_11, __iphone_9_0);
extern const cfstringref ksecuseauthenticationuifail
__osx_available_starting(__mac_10_11, __iphone_9_0);
extern const cfstringref ksecuseauthenticationuiskip
__osx_available_starting(__mac_10_11, __iphone_9_0);
/*!
@enum ksecattrtokenid value constants
@discussion predefined item attribute constant used to get or set values
in a dictionary the ksecattrtokenid constant is the key and its value
can be ksecattrtokenidsecureenclave
@constant ksecattrtokenidsecureenclave specifies well-known identifier of the
token implemented using device's secure enclave the only keychain items
supported by the secure enclave token are 256-bit elliptic curve keys
(ksecattrkeytypeec) keys must be generated on the secure enclave using
seckeygeneratekeypair call with ksecattrtokenid set to
ksecattrtokenidsecureenclave in the parameters dictionary, it is not
possible to import pregenerated keys to ksecattrtokenidsecureenclave token
*/
extern const cfstringref ksecattrtokenidsecureenclave
__osx_available_starting(__mac_na, __iphone_9_0);
/*!
@function secitemcopymatching
@abstract returns one or more items which match a search query
@param query a dictionary containing an item class specification and
optional attributes for controlling the search see the "keychain
search attributes" section for a description of currently defined
search attributes
@param result on return, a cftyperef reference to the found item(s) the
exact type of the result is based on the search attributes supplied
in the query, as discussed below
@result a result code see "security error codes" (secbaseh)
@discussion attributes defining a search are specified by adding key/value
pairs to the query dictionary
a typical query consists of:
* a ksecclass key, whose value is a constant from the class
constants section that specifies the class of item(s) to be searched
* one or more keys from the "attribute key constants" section, whose value
is the attribute data to be matched
* one or more keys from the "search constants" section, whose value is
used to further refine the search
* a key from the "return type key constants" section, specifying the type of
results desired
result types are specified as follows:
* to obtain the data of a matching item (cfdataref), specify
ksecreturndata with a value of kcfbooleantrue
* to obtain the attributes of a matching item (cfdictionaryref), specify
ksecreturnattributes with a value of kcfbooleantrue
* to obtain a reference to a matching item (seckeychainitemref,
seckeyref, seccertificateref, or secidentityref), specify ksecreturnref
with a value of kcfbooleantrue
* to obtain a persistent reference to a matching item (cfdataref),
specify ksecreturnpersistentref with a value of kcfbooleantrue note
that unlike normal references, a persistent reference may be stored
on disk or passed between processes
* if more than one of these result types is specified, the result is
returned as a cfdictionaryref containing all the requested data
* if a result type is not specified, no results are returned
by default, this function returns only the first match found to obtain
more than one matching item at a time, specify ksecmatchlimit with a value
greater than the result will be a cfarrayref containing up to that
number of matching items; the items' types are described above
to filter a provided list of items down to those matching the query,
specify a ksecmatchitemlist whose value is a cfarray of seckeychainitemref,
seckeyref, seccertificateref, or secidentityref items the objects in the
provided array must be of the same type
to convert from a persistent item reference to a normal item reference,
specify a ksecvaluepersistentref whose value a cfdataref (the persistent
reference), and a ksecreturnref whose value is kcfbooleantrue
*/
osstatus secitemcopymatching(cfdictionaryref query, cftyperef * __nullable cf_returns_retained result)
__osx_available_starting(__mac_10_6, __iphone_2_0);
/*!
@function secitemadd
@abstract add one or more items to a keychain
@param attributes a dictionary containing an item class specification and
optional entries specifying the item's attribute values see the
"attribute key constants" section for a description of currently defined
attributes
@param result on return, a cftyperef reference to the newly added item(s)
the exact type of the result is based on the values supplied
in attributes, as discussed below pass null if this result is not
required
@result a result code see "security error codes" (secbaseh)
@discussion attributes defining an item are specified by adding key/value
pairs to the attributes dictionary to add multiple items to a keychain
at once use the ksecuseitemlist key with an array of items as its value
this is currently only supported for non password items
result types are specified as follows:
* to obtain the data of the added item (cfdataref), specify
ksecreturndata with a value of kcfbooleantrue
* to obtain all the attributes of the added item (cfdictionaryref),
specify ksecreturnattributes with a value of kcfbooleantrue
* to obtain a reference to the added item (seckeychainitemref, seckeyref,
seccertificateref, or secidentityref), specify ksecreturnref with a
value of kcfbooleantrue
* to obtain a persistent reference to the added item (cfdataref), specify
ksecreturnpersistentref with a value of kcfbooleantrue note that
unlike normal references, a persistent reference may be stored on disk
or passed between processes
* if more than one of these result types is specified, the result is
returned as a cfdictionaryref containing all the requested data
* if a result type is not specified, no results are returned
*/
osstatus secitemadd(cfdictionaryref attributes, cftyperef * __nullable cf_returns_retained result)
__osx_available_starting(__mac_10_6, __iphone_2_0);
/*!
@function secitemupdate
@abstract modify zero or more items which match a search query
@param query a dictionary containing an item class specification and
optional attributes for controlling the search see the "attribute
constants" and "search constants" sections for a description of
currently defined search attributes
@param attributestoupdate a dictionary containing one or more attributes
whose values should be set to the ones specified only real keychain
attributes are permitted in this dictionary (no "meta" attributes are
allowed) see the "attribute key constants" section for a description of
currently defined value attributes
@result a result code see "security error codes" (secbaseh)
@discussion attributes defining a search are specified by adding key/value
pairs to the query dictionary
*/
osstatus secitemupdate(cfdictionaryref query,
cfdictionaryref attributestoupdate)
__osx_available_starting(__mac_10_6, __iphone_2_0);
/*!
@function secitemdelete
@abstract delete zero or more items which match a search query
@param query a dictionary containing an item class specification and
optional attributes for controlling the search see the "attribute
constants" and "search constants" sections for a description of
currently defined search attributes
@result a result code see "security error codes" (secbaseh)
@discussion attributes defining a search are specified by adding key/value
pairs to the query dictionary
by default, this function deletes all items matching the specified query
you can change this behavior by specifying one of the follow keys:
* to delete an item identified by a transient reference, specify
ksecvalueref with a reference returned by using the ksecreturnref
key in a previous call to secitemcopymatching or secitemadd
* to delete an item identified by a persistent reference, specify
ksecvaluepersistentref with a persistent reference returned by
using the ksecreturnpersistentref key to secitemcopymatching or
secitemadd
* to delete multiple items specify ksecmatchitemlist with an array
of references
* if more than one of these result keys is specified, the behavior is
undefined
*/
osstatus secitemdelete(cfdictionaryref query)
__osx_available_starting(__mac_10_6, __iphone_2_0);
cf_implicit_bridging_disabled
cf_assume_nonnull_end
__end_decls
#endif /* !_security_secitem_h_ */
|
二、苹果官方的keychainitemwrapper
官方示例地址
https://developer.apple.com/library/ios/samplecode/generickeychain/listings/classes_keychainitemwrapper_m.html#//apple_ref/doc/uid/dts40007797-classes_keychainitemwrapper_m-dontlinkelementid_10
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
|
/*
file: keychainitemwrapperm
abstract:
objective-c wrapper for accessing a single keychain item
version: 2
disclaimer: important: this apple software is supplied to you by apple
inc ("apple") in consideration of your agreement to the following
terms, and your use, installation, modification or redistribution of
this apple software constitutes acceptance of these terms if you do
not agree with these terms, please do not use, install, modify or
redistribute this apple software
in consideration of your agreement to abide by the following terms, and
subject to these terms, apple grants you a personal, non-exclusive
license, under apple's copyrights in this original apple software (the
"apple software"), to use, reproduce, modify and redistribute the apple
software, with or without modifications, in source and/or binary forms;
provided that if you redistribute the apple software in its entirety and
without modifications, you must retain this notice and the following
text and disclaimers in all such redistributions of the apple software
neither the name, trademarks, service marks or logos of apple inc may
be used to endorse or promote products derived from the apple software
without specific prior written permission from apple except as
expressly stated in this notice, no other rights or licenses, express or
implied, are granted by apple herein, including but not limited to any
patent rights that may be infringed by your derivative works or by other
works in which the apple software may be incorporated
the apple software is provided by apple on an "as is" basis apple
makes no warranties, express or implied, including without limitation
the implied warranties of non-infringement, merchantability and fitness
for a particular purpose, regarding the apple software or its use and
operation alone or in combination with your products
in no event shall apple be liable for any special, indirect, incidental
or consequential damages (including, but not limited to, procurement of
substitute goods or services; loss of use, data, or profits; or business
interruption) arising in any way out of the use, reproduction,
modification and/or distribution of the apple software, however caused
and whether under theory of contract, tort (including negligence),
strict liability or otherwise, even if apple has been advised of the
possibility of such damage
copyright (c) 2010 apple inc all rights reserved
*/
#import "keychainitemwrapperh"
#import <security/securityh>
/*
these are the default constants and their respective types,
available for the ksecclassgenericpassword keychain item class:
ksecattraccessgroup - cfstringref
ksecattrcreationdate - cfdateref
ksecattrmodificationdate - cfdateref
ksecattrdescription - cfstringref
ksecattrcomment - cfstringref
ksecattrcreator - cfnumberref
ksecattrtype - cfnumberref
ksecattrlabel - cfstringref
ksecattrisinvisible - cfbooleanref
ksecattrisnegative - cfbooleanref
ksecattraccount - cfstringref
ksecattrservice - cfstringref
ksecattrgeneric - cfdataref
see the header file security/secitemh for more details
*/
@interface keychainitemwrapper (privatemethods)
/*
the decision behind the following two methods (secitemformattodictionary and dictionarytosecitemformat) was
to encapsulate the transition between what the detail view controller was expecting (nsstring *) and what the
keychain api expects as a validly constructed container class
*/
- (nsmutabledictionary *)secitemformattodictionary:(nsdictionary *)dictionarytoconvert;
- (nsmutabledictionary *)dictionarytosecitemformat:(nsdictionary *)dictionarytoconvert;
// updates the item in the keychain, or adds it if it doesn't exist
- ( void )writetokeychain;
@end
@implementation keychainitemwrapper
@synthesize keychainitemdata, genericpasswordquery;
- (id)initwithidentifier: (nsstring *)identifier accessgroup:(nsstring *) accessgroup;
{
if (self = [super init])
{
// begin keychain search setup the genericpasswordquery leverages the special user
// defined attribute ksecattrgeneric to distinguish itself between other generic keychain
// items which may be included by the same application
genericpasswordquery = [[nsmutabledictionary alloc] init];
[genericpasswordquery setobject:(id)ksecclassgenericpassword forkey:(id)ksecclass];
[genericpasswordquery setobject:identifier forkey:(id)ksecattrgeneric];
// the keychain access group attribute determines if this item can be shared
// amongst multiple apps whose code signing entitlements contain the same keychain access group
if (accessgroup != nil)
{
#if target_iphone_simulator
// ignore the access group if running on the iphone simulator
//
// apps that are built for the simulator aren't signed, so there's no keychain access group
// for the simulator to check this means that all apps can see all keychain items when run
// on the simulator
//
// if a secitem contains an access group attribute, secitemadd and secitemupdate on the
// simulator will return -25243 (errsecnoaccessforitem)
#else
[genericpasswordquery setobject:accessgroup forkey:(id)ksecattraccessgroup];
#endif
}
// use the proper search constants, return only the attributes of the first match
[genericpasswordquery setobject:(id)ksecmatchlimitone forkey:(id)ksecmatchlimit];
[genericpasswordquery setobject:(id)kcfbooleantrue forkey:(id)ksecreturnattributes];
nsdictionary *tempquery = [nsdictionary dictionarywithdictionary:genericpasswordquery];
nsmutabledictionary *outdictionary = nil;
if (! secitemcopymatching((cfdictionaryref)tempquery, (cftyperef *)&outdictionary) == noerr)
{
// stick these default values into keychain item if nothing found
[self resetkeychainitem];
// add the generic attribute and the keychain access group
[keychainitemdata setobject:identifier forkey:(id)ksecattrgeneric];
if (accessgroup != nil)
{
#if target_iphone_simulator
// ignore the access group if running on the iphone simulator
//
// apps that are built for the simulator aren't signed, so there's no keychain access group
// for the simulator to check this means that all apps can see all keychain items when run
// on the simulator
//
// if a secitem contains an access group attribute, secitemadd and secitemupdate on the
// simulator will return -25243 (errsecnoaccessforitem)
#else
[keychainitemdata setobject:accessgroup forkey:(id)ksecattraccessgroup];
#endif
}
}
else
{
// load the saved data from keychain
selfkeychainitemdata = [self secitemformattodictionary:outdictionary];
}
[outdictionary release];
}
return self;
}
- ( void )dealloc
{
[keychainitemdata release];
[genericpasswordquery release];
[super dealloc];
}
- ( void )setobject:(id)inobject forkey:(id)key
{
if (inobject == nil) return ;
id currentobject = [keychainitemdata objectforkey:key];
if (![currentobject isequal:inobject])
{
[keychainitemdata setobject:inobject forkey:key];
[self writetokeychain];
}
}
- (id)objectforkey:(id)key
{
return [keychainitemdata objectforkey:key];
}
- ( void )resetkeychainitem
{
osstatus junk = noerr;
if (!keychainitemdata)
{
selfkeychainitemdata = [[nsmutabledictionary alloc] init];
}
else if (keychainitemdata)
{
nsmutabledictionary *tempdictionary = [self dictionarytosecitemformat:keychainitemdata];
junk = secitemdelete((cfdictionaryref)tempdictionary);
nsassert( junk == noerr || junk == errsecitemnotfound, @ "problem deleting current dictionary" );
}
// default attributes for keychain item
[keychainitemdata setobject:@ "" forkey:(id)ksecattraccount];
[keychainitemdata setobject:@ "" forkey:(id)ksecattrlabel];
[keychainitemdata setobject:@ "" forkey:(id)ksecattrdescription];
// default data for keychain item
[keychainitemdata setobject:@ "" forkey:(id)ksecvaluedata];
}
- (nsmutabledictionary *)dictionarytosecitemformat:(nsdictionary *)dictionarytoconvert
{
// the assumption is that this method will be called with a properly populated dictionary
// containing all the right key/value pairs for a secitem
// create a dictionary to return populated with the attributes and data
nsmutabledictionary *returndictionary = [nsmutabledictionary dictionarywithdictionary:dictionarytoconvert];
// add the generic password keychain item class attribute
[returndictionary setobject:(id)ksecclassgenericpassword forkey:(id)ksecclass];
// convert the nsstring to nsdata to meet the requirements for the value type ksecvaluedata
// this is where to store sensitive data that should be encrypted
nsstring *passwordstring = [dictionarytoconvert objectforkey:(id)ksecvaluedata];
[returndictionary setobject:[passwordstring datausingencoding:nsutf8stringencoding] forkey:(id)ksecvaluedata];
return returndictionary;
}
- (nsmutabledictionary *)secitemformattodictionary:(nsdictionary *)dictionarytoconvert
{
// the assumption is that this method will be called with a properly populated dictionary
// containing all the right key/value pairs for the ui element
// create a dictionary to return populated with the attributes and data
nsmutabledictionary *returndictionary = [nsmutabledictionary dictionarywithdictionary:dictionarytoconvert];
// add the proper search key and class attribute
[returndictionary setobject:(id)kcfbooleantrue forkey:(id)ksecreturndata];
[returndictionary setobject:(id)ksecclassgenericpassword forkey:(id)ksecclass];
// acquire the password data from the attributes
nsdata *passworddata = null;
if (secitemcopymatching((cfdictionaryref)returndictionary, (cftyperef *)&passworddata) == noerr)
{
// remove the search, class, and identifier key/value, we don't need them anymore
[returndictionary removeobjectforkey:(id)ksecreturndata];
// add the password to the dictionary, converting from nsdata to nsstring
nsstring *password = [[[nsstring alloc] initwithbytes:[passworddata bytes] length:[passworddata length]
encoding:nsutf8stringencoding] autorelease];
[returndictionary setobject:password forkey:(id)ksecvaluedata];
}
else
{
// don't do anything if nothing is found
nsassert(no, @ "serious error, no matching item found in the keychain\n" );
}
[passworddata release];
return returndictionary;
}
- ( void )writetokeychain
{
nsdictionary *attributes = null;
nsmutabledictionary *updateitem = null;
osstatus result;
if (secitemcopymatching((cfdictionaryref)genericpasswordquery, (cftyperef *)&attributes) == noerr)
{
// first we need the attributes from the keychain
updateitem = [nsmutabledictionary dictionarywithdictionary:attributes];
// second we need to add the appropriate search key/values
[updateitem setobject:[genericpasswordquery objectforkey:(id)ksecclass] forkey:(id)ksecclass];
// lastly, we need to set up the updated attribute list being careful to remove the class
nsmutabledictionary *tempcheck = [self dictionarytosecitemformat:keychainitemdata];
[tempcheck removeobjectforkey:(id)ksecclass];
#if target_iphone_simulator
// remove the access group if running on the iphone simulator
//
// apps that are built for the simulator aren't signed, so there's no keychain access group
// for the simulator to check this means that all apps can see all keychain items when run
// on the simulator
//
// if a secitem contains an access group attribute, secitemadd and secitemupdate on the
// simulator will return -25243 (errsecnoaccessforitem)
//
// the access group attribute will be included in items returned by secitemcopymatching,
// which is why we need to remove it before updating the item
[tempcheck removeobjectforkey:(id)ksecattraccessgroup];
#endif
// an implicit assumption is that you can only update a single item at a time
result = secitemupdate((cfdictionaryref)updateitem, (cfdictionaryref)tempcheck);
nsassert( result == noerr, @ "couldn't update the keychain item" );
}
else
{
// no previous item found; add the new one
result = secitemadd((cfdictionaryref)[self dictionarytosecitemformat:keychainitemdata], null);
nsassert( result == noerr, @ "couldn't add the keychain item" );
}
}
@end
|
看到这里会发现苹果的keychainwrapper和我们自定义的工具类实现原理都一样,就是调用那几个方法,所以就不展开介绍了,将来有空再补上。
原文链接:http://blog.csdn.net/chy555chy/article/details/51628162