| Framework | Security/Security.h |
| Declared in | SecBase.h SecCertificate.h SecIdentity.h SecImportExport.h SecKey.h SecPolicy.h SecTrust.h |
Certificate, Key, and Trust Services provides a C API for managing certificates, public and private keys, and trust policies. You can use these services in your application to:
Determine identity by matching a certificate with a private key
Create and request certificate objects
Import certificates, keys, and identities
Create public-private key pairs
Represent trust policies
Certificate, Key, and Trust Services can be used in applications running in Aspen.
SecTrustCreateWithCertificates
SecTrustEvaluate
SecTrustSetAnchorCertificates
SecTrustSetAnchorCertificatesOnly
SecTrustSetVerifyDate
SecTrustGetVerifyTime
SecTrustCopyPublicKey
SecTrustGetCertificateCount
SecTrustGetCertificateAtIndex
Returns a DER representation of a certificate given a certificate object.
CFDataRef SecCertificateCopyData ( SecCertificateRef certificate );
The certificate object for which you wish to return the DER (Distinguished Encoding Rules) representation of the X.509 certificate.
The DER representation of the certificate. Call the CFRelease function to release this object when you are finished with it. Returns NULL if the data passed in the data parameter is not a valid certificate object.
SecCertificate.hReturns a human-readable summary of a certificate.
CFStringRef SecCertificateCopySubjectSummary ( SecCertificateRef certificate );
The certificate object for which you wish to return a summary string.
A string that contains a human-readable summary of the contents of the certificate. Call the CFRelease function to release this object when you are finished with it. Returns NULL if the data passed in the data parameter is not a valid certificate object.
Because all the data in the string comes from the certificate, the string is in whatever language is used in the certificate.
SecCertificate.hCreates a certificate object from a DER representation of a certificate.
SecCertificateRef SecCertificateCreateWithData ( CFAllocatorRef allocator, CFDataRef data );
The CFAllocator object you wish to use to allocate the certificate object.
A DER (Distinguished Encoding Rules) representation of an X.509 certificate.
The newly created certificate object. Call the CFRelease function to release this object when you are finished with it. Returns NULL if the data passed in the data parameter is not a valid DER-encoded X.509 certificate.
The certificate object returned by this function is used as input to other functions in the API.
SecCertificate.hReturns the unique identifier of the opaque type to which a SecCertificate object belongs.
CFTypeID SecCertificateGetTypeID ( void );
A value that identifies the opaque type of a SecCertificateRef object.
This function returns a value that uniquely identifies the opaque type of a SecCertificateRef object. You can compare this value to the CFTypeID identifier obtained by calling the CFGetTypeID function on a specific object. These values might change from release to release or platform to platform.
SecCertificate.h
Retrieves a certificate associated with an identity.
OSStatus SecIdentityCopyCertificate ( SecIdentityRef identityRef, SecCertificateRef *certificateRef );
The identity object for the identity whose certificate you wish to retrieve.
On return, points to the certificate object associated with the specified identity.
A result code. See “Certificate, Key, and Trust Services Result Codes.”
An identity is a digital certificate together with its associated private key.
For a certificate in a keychain, you can cast the SecCertificateRef data type to a SecKeychainItemRef for use with Keychain Services functions.
SecIdentity.hRetrieves the private key associated with an identity.
OSStatus SecIdentityCopyPrivateKey ( SecIdentityRef identityRef, SecKeyRef *privateKeyRef );
The identity object for the identity whose private key you wish to retrieve.
On return, points to the private key object for the specified identity. The private key must be of class type kSecAppleKeyItemClass.
A result code. See “Certificate, Key, and Trust Services Result Codes.”
An identity is a digital certificate together with its associated private key.
SecIdentity.hReturns the unique identifier of the opaque type to which a SecIdentity object belongs.
CFTypeID SecIdentityGetTypeID ( void );
A value that identifies the opaque type of a SecIdentityRef object.
This function returns a value that uniquely identifies the opaque type of a SecIdentityRef object. You can compare this value to the CFTypeID identifier obtained by calling the CFGetTypeID function on a specific object. These values might change from release to release or platform to platform.
SecIdentity.hDecrypts a block of ciphertext.
OSStatus SecKeyDecrypt ( SecKeyRef key, SecPadding padding, const uint8_t *cipherText, size_t cipherTextLen, uint8_t *plainText, size_t *plainTextLen );
private key with which to decrypt the data.
The type of padding used. Possible values are listed in “Digital Signature Padding Types.” Typically, kSecPaddingPKCS1SHA1 is used, which removes PKCS1 padding after decryption. If you specify kSecPaddingNone, the decrypted data is returned as-is.
The data to decrypt.
Length in bytes of the data in the cipherText buffer. This must be less than or equal to the value returned by the SecKeyGetBlockSize function.
On return, the decrypted text.
On input, the size of the buffer provided in the plainText parameter. On output, the amount of data actually placed in the buffer.
A result code. See “Certificate, Key, and Trust Services Result Codes.”
The input buffer (cipherText) can be the same as the output buffer (plainText) to reduce the amount of memory used by the function.
SecKey.hEncrypts a block of plaintext.
OSStatus SecKeyEncrypt ( SecKeyRef key, SecPadding padding, const uint8_t *plainText, size_t plainTextLen, uint8_t *cipherText, size_t *cipherTextLen );
Public key with which to encrypt the data.
The type of padding to use. Possible values are listed in “Digital Signature Padding Types.” Typically, kSecPaddingPKCS1SHA1 is used, which adds PKCS1 padding before encryption. If you specify kSecPaddingNone, the data is encrypted as-is.
The data to encrypt.
Length in bytes of the data in the plainText buffer. This must be less than or equal to the value returned by the SecKeyGetBlockSize function. When PKCS1 padding is performed, the maximum length of data that can be encrypted is 11 bytes less than the value returned by the SecKeyGetBlockSize function (secKeyGetBlockSize() - 11).
On return, the encrypted text.
On input, the size of the buffer provided in the cipherText parameter. On output, the amount of data actually placed in the buffer.
A result code. See “Certificate, Key, and Trust Services Result Codes.”
The input buffer (plainText) can be the same as the output buffer (cipherText) to reduce the amount of memory used by the function.
SecKey.hCreates an asymmetric key pair.
OSStatus SecKeyGeneratePair ( CFDictionaryRef parameters, SecKeyRef *publicKey, SecKeyRef *privateKey );
A dictionary of key-value pairs that specify the type of keys to be generated.
On return, points to the keychain item object of the new public key. Call the CFRelease function to release this object when you are finished with it.
On return, points to the keychain item object of the new private key. Call the CFRelease function to release this object when you are finished with it.
A result code. See “Certificate, Key, and Trust Services Result Codes.”
In order to generate a key pair, the dictionary passed in the parameters parameter must contain at least the following key-value pairs:
A kSecAttrKeyType key with a value of any key type defined in SecItem.h (see Keychain Services Reference), for example, kSecAttrKeyTypeRSA.
A kSecAttrKeySizeInBits key with a value specifying the requested key size in bits. This can be specified as either a CFNumberRef or CFStringRef value. For example, RSA keys may have key size values of 512, 768, 1024, or 2048.
In addition, you can specify a number of attributes for the public and private keys individually. You can do so either by adding key-value pairs to the dictionary directly, or by adding either or both of the keys kSecPrivateKeyAttrs and kSecPublicKeyAttrs. Each of these keys takes as a value a dictionary of key-value pairs that you can use to set these attributes. The possible attributes are as follows; for details on each attribute, see Keychain Services Reference:
kSecAttrLabel Default NULL.
kSecAttrIsPermanent If this key is present and has a Boolean value of true, the key or key pair is added to the default
keychain.
kSecAttrApplicationTag Default NULL.
kSecAttrEffectiveKeySize Default (NULL) sets the effective key size to the same as the total key size (kSecAttrKeySizeInBits).
kSecAttrCanEncrypt Default false for private keys, true for public keys.
kSecAttrCanDecrypt Default true for private keys, false for public keys.
kSecAttrCanDerive Default true.
kSecAttrCanSign Default true for private keys, false for public keys.
kSecAttrCanVerify Default false for private keys, true for public keys.
kSecAttrCanUnwrap Default true for private keys, false for public keys.
SecKey.hGets the block length associated with a cryptographic key.
size_t SecKeyGetBlockSize ( SecKeyRef key );
The key for which you want the block length.
The block length associated with the key in bytes. If the key is an RSA key, for example, this is the size of the modulus.
SecKey.hReturns the unique identifier of the opaque type to which a SecKey object belongs.
CFTypeID SecKeyGetTypeID ( void );
A value that identifies the opaque type of a SecKeyRef object.
This function returns a value that uniquely identifies the opaque type of a SecKeyRef object. You can compare this value to the CFTypeID identifier obtained by calling the CFGetTypeID function on a specific object. These values might change from release to release or platform to platform.
SecKey.hGenerates a digital signature for a block of data.
OSStatus SecKeyRawSign ( SecKeyRef key, SecPadding padding, const uint8_t *dataToSign, size_t dataToSignLen, uint8_t *sig, size_t *sigLen );
Private key with which to sign the data.
The type of padding to use. Possible values are listed in “Digital Signature Padding Types.” Use kSecPaddingPKCS1SHA1 if the data to be signed is a SHA1 digest of the actual data. If you specify kSecPaddingNone, the data is signed as-is.
The data to be signed. Typically, a digest of the actual data is signed.
Length in bytes of the data in the dataToSign buffer. When PKCS1 padding is performed, the maximum length of data that can be signed is 11 bytes less than the value returned by the SecKeyGetBlockSize function (secKeyGetBlockSize() - 11).
On return, the digital signature.
On input, the size of the buffer provided in the sig parameter. On output, the amount of data actually placed in the buffer.
A result code. See “Certificate, Key, and Trust Services Result Codes.”
The behavior this function with kSecPaddingNone is undefined if the first byte of the data to sign is 0; there is no way to verify leading zeroes, as they are discarded during the calculation.
SecKey.hVerifies a digital signature.
OSStatus SecKeyRawVerify ( SecKeyRef key, SecPadding padding, const uint8_t *signedData, size_t signedDataLen, const uint8_t *sig, size_t sigLen );
Public key with which to verify the data.
The type of padding used. Possible values are listed in “Digital Signature Padding Types.” Use kSecPaddingPKCS1SHA1 if you are verifying a PKCS1-style signature with DER encoding of the digest type and the signed data is a SHA1 digest of the actual data. Specify kSecPaddingNone if no padding was used.
The data for which the signature is being verified. Typically, a digest of the actual data is signed.
Length in bytes of the data in the signedData buffer.
The digital signature to be verified.
Length of the data in the sig buffer.
A result code. See “Certificate, Key, and Trust Services Result Codes.”
SecKey.hReturns the identities and certificates in a PKCS #12-formatted blob.
OSStatus SecPKCS12Import( CFDataRef pkcs12_data, CFDictionaryRef options, CFArrayRef *items );
The PKCS #12 data you wish to decode.
A dictionary of key-value pairs specifying options for the function. See “PKCS #12 Import Options.”
On return, an array of CFDictionary key-value dictionaries. The function returns one dictionary for each item (identity or certificate) in the PKCS #12 blob. For a list of dictionary keys, see “PKCS #12 Import Item Keys.”
A result code. The function returns errSecSuccess if there were no errors, errSecDecode if the blob can't be read or is malformed, and errSecAuthFailed if the password was not correct or data in the blob was damaged. See “Certificate, Key, and Trust Services Result Codes.”
Your application can import a PKCS #12–formatted blob (a file with extension .p12) containing certificates and identities, where an identity is a digital certificate together with its associated private key. You can use the SecPKCS12Import function to obtain SecIdentityRef objects (including SecCertificateRef and SecKeyRef objects) for the identities in the blob, together with SecCertificateRef objects for the certificates in the blob needed to validate the identity, and SecTrustRef trust management objects needed to evaluate trust for the identities. You can then use the Keychain Services API (see Keychain Services Reference) to put the identities and associated certificates in the keychain.
SecImportExport.hReturns a policy object for the default X.509 policy.
SecPolicyRef SecPolicyCreateBasicX509 ( void );
The policy object. Call the CFRelease function to release the object when you are finished with it.
SecPolicy.hReturns a policy object for evaluating SSL certificate chains.
SecPolicyRef SecPolicyCreateSSL ( Boolean server, CFStringRef hostname );
Specify true to return a policy for SSL server certificates.
If you specify a value for this parameter, the policy will require the specified value to match the host name in the leaf certificate.
The policy object. Call the CFRelease function to release the object when you are finished with it.
SecPolicy.hReturns the unique identifier of the opaque type to which a SecPolicy object belongs.
CFTypeID SecPolicyGetTypeID ( void );
A value that identifies the opaque type of a SecPolicyRef object.
This function returns a value that uniquely identifies the opaque type of a SecPolicyRef object. You can compare this value to the CFTypeID identifier obtained by calling the CFGetTypeID function on a specific object. These values might change from release to release or platform to platform.
SecPolicy.hReturns the public key for a leaf certificate after it has been evaluated.
SecKeyRef SecTrustCopyPublicKey ( SecTrustRef trust );
The trust management object for the certificate that has been evaluated. Use the SecTrustCreateWithCertificates function to create a trust management object.
The leaf certificate's public key, or NULL if it the public key could not be extracted (this can happen with DSA certificate chains if the parameters in the chain cannot be found). Call the CFRelease function to release this object when you are finished with it.
You should call the SecTrustEvaluate function before calling this function.
SecTrust.h
Creates a trust management object based on certificates and policies.
OSStatus SecTrustCreateWithCertificates ( CFArrayRef certificates, CFTypeRef policies, SecTrustRef *trustRef );
The certificate to be verified, plus any other certificates you think might be useful for verifying the certificate. The certificate to be verified must be the first in the array. If you want to specify only one certificate, you can pass a SecCertificateRef object; otherwise, pass an array of SecCertificateRef objects.
References to one or more policies to be evaluated. You can pass a single SecPolicyRef object, or an array of one or more SecPolicyRef objects. Use the SecPolicySearchCopyNext function to obtain policy objects. If you pass in multiple policies, all policies must verify for the certificate chain to be considered valid.
On return, points to the newly created trust management object. Call the CFRelease function to release this object when you are finished with it.
A result code. See “Certificate, Key, and Trust Services Result Codes.”
The trust management object includes a reference to the certificate to be verified, plus pointers to the policies to be evaluated for those certificates. You can optionally include references to other certificates, including anchor certificates, that you think might be in the certificate chain needed to verify the first (leaf) certificate. Any input certificates that turn out to be irrelevant are harmlessly ignored. Call the SecTrustEvaluate function to evaluate the trust for the returned trust management object.
If not all the certificates needed to verify the leaf certificate are included in the certificates parameter, SecTrustEvaluate searches for certificates in the keychain search list (see SecTrustSetKeychains) and in the system’s store of anchor certificates (see SecTrustSetAnchorCertificates). However, you should gain a significant performance benefit by passing in the entire certificate chain, in order, in the certificates parameter.
SecTrust.h
Evaluates trust for the specified certificate and policies.
OSStatus SecTrustEvaluate ( SecTrustRef trust, SecTrustResultType *result );
The trust management object to evaluate. A trust management object includes the certificate to be verified plus the policy or policies to be used in evaluating trust. It can optionally also include other certificates to be used in verifying the first certificate. Use the SecTrustCreateWithCertificates function to create a trust management object.
On return, points to a result type reflecting the result of this evaluation. See “Trust Result Type Constants” for descriptions of possible values.
A result code. See “Certificate, Key, and Trust Services Result Codes.”
This function evaluates a certificate’s validity to establish trust for a particular use—for example, in creating a digital signature or to establish a Secure Sockets Layer connection. Before you call this function, you can optionally call any of the SecTrustSet... functions (such as SecTrustSetParameters or SecTrustSetVerifyDate) to set values for parameters and options.
The SecTrustEvaluate function validates a certificate by verifying its signature plus the signatures of the certificates in its certificate chain, up to the anchor certificate, according to the policy or policies included in the trust management object. For each policy, the function evaluates trust according to the user-specified trust setting (see SecTrustSetUserTrust and SecTrustGetUserTrust). For an example of user-specified trust settings, use the Keychain Access utility and look at any certificate.
For each policy, SecTrustEvaluate starts with the leaf certificate and checks each certificate in the chain, in turn, for a valid user-specified trust setting. It uses the first such value it finds for the trust evaluation. For example, if the user-specified trust for the leaf certificate is not set, the first intermediate certificate is set to “Always Trust,” and one of the other intermediate certificates is set to “Never Trust,” SecTrustEvaluate trusts the certificate. Thus, you can use a user-specified trust setting for a certificate closer to the leaf to override a setting closer to the anchor.
If there is no user-specified trust setting for the entire certificate chain, the SecTrustEvaluate function returns kSecTrustResultUnspecified as the result type. In that case, you should call the SFCertificateTrustPanel class in the Security Interface Framework Reference to let the user specify a trust setting for the certificate. Alternately, you can use a default value. If you use a default value, you should provide a preference setting so that the user can change the default.
If SecTrustEvaluate returns kSecTrustResultRecoverableTrustFailure as the result type, you can call the SecTrustGetResult function for details of the problem. Then, as appropriate, you can call one or more of the SecTrustSet... functions to correct or bypass the problem, or you can inform the user of the problem and call the SFCertificateTrustPanel class to let the user change the trust setting for the certificate. When you think you have corrected the problem, call SecTrustEvaluate again. Each time you call SecTrustEvaluate, it discards the results of any previous evaluation and replaces them with the new results. If SecTrustEvaluate returns kSecTrustResultFatalTrustFailure, on the other hand, changing parameter values and calling SecTrustEvaluate again is unlikely to be successful.
If not all the certificates needed to verify the leaf certificate are included in the trust management object, then SecTrustEvaluate searches for certificates in the keychain search list (see SecTrustSetKeychains) and in the system’s store of anchor certificates (see SecTrustSetAnchorCertificates).
By default, SecTrustEvaluate uses the current date and time when verifying a certificate. However, you can call the SecTrustSetVerifyDate function before calling SecTrustEvaluate to set an other date and time to use when verifying the certificate.
Before you call SecTrustEvaluate, you can optionally use the SecTrustSetParameters function to set one or more actions to modify the evaluation or to pass data required by an action.
The results of the trust evaluation are stored in the trust management object. Call the SecTrustGetResult function to get more information about the results of the trust evaluation, or the SecTrustGetCssmResult function to get information about the evaluation in a form that can be passed to CSSM functions.
SecTrust.hReturns a specific certificate from the certificate chain used to evaluate trust.
SecCertificateRef SecTrustGetCertificateAtIndex ( SecTrustRef trust, CFIndex ix );
The trust management object for the certificate that has been evaluated. Use the SecTrustCreateWithCertificates function to create a trust management object and the SecTrustEvaluate function to evaluate the certificate chain.
The index number of the requested certificate. Index numbers start at 0 for the leaf certificate and end at the anchor (or the last certificate if no anchor was found). Use the SecTrustGetCertificateCount function to get the total number of certificates in the chain.
A certificate object for the requested certificate.
You must call the SecTrustEvaluate function before calling this function.
SecTrust.hReturns the number of certificates in an evaluated certificate chain.
CFIndex SecTrustGetCertificateCount ( SecTrustRef trust );
The trust management object for the certificate that has been evaluated. Use the SecTrustCreateWithCertificates function to create a trust management object and the SecTrustEvaluate function to evaluate the certificate chain.
The number of certificates in the certificate chain.
You must call the SecTrustEvaluate function before calling this function.
SecTrust.hReturns the unique identifier of the opaque type to which a SecTrust object belongs.
CFTypeID SecTrustGetTypeID ( void );
A value that identifies the opaque type of a SecTrustRef object.
This function returns a value that uniquely identifies the opaque type of a SecTrustRef object. You can compare this value to the CFTypeID identifier obtained by calling the CFGetTypeID function on a specific object. These values might change from release to release or platform to platform.
SecTrust.hGets the absolute time against which the certificates in a trust management object are verified.
CFAbsoluteTime SecTrustGetVerifyTime ( SecTrustRef trust );
The trust management object whose verification time you want to get. A trust management object includes one or more certificates plus the policy or policies to be used in evaluating trust. Use the SecTrustCreateWithCertificates function to create a trust management object.
The absolute time at which the certificates should be checked for validity.
SecTrust.h
Sets the anchor certificates used when evaluating a trust management object.
OSStatus SecTrustSetAnchorCertificates ( SecTrustRef trust, CFArrayRef anchorCertificates );
The trust management object containing the certificate you want to evaluate. A trust management object includes the certificate to be verified plus the policy or policies to be used in evaluating trust. It can optionally also include other certificates to be used in verifying the first certificate. Use the SecTrustCreateWithCertificates function to create a trust management object.
A reference to an array of SecCertificateRef objects representing the set of anchor certificates that are to be considered valid (trusted) anchors by the SecTrustEvaluate function when verifying a certificate. Pass NULL to restore the default set of anchor certificates.
A result code. See “Certificate, Key, and Trust Services Result Codes.”
The SecTrustEvaluate function looks for an anchor certificate in the array of certificates specified by the SecTrustSetAnchorCertificates function, or uses a default set provided by the system. In Mac OS X v10.3, for example, the default set of anchors is in the keychain file /System/Library/Keychains/X509Anchors. If you want to create a set of anchor certificates by modifying the default set, call the SecTrustCopyAnchorCertificates function to obtain the current set of anchor certificates, modify that set as you wish, and create a new array of certificates. Then call SecTrustSetAnchorCertificates with the modified array.
The list of custom anchor certificates is stored in the trust management object and can be retrieved with the SecTrustCopyCustomAnchorCertificates function.
Use the SecTrustSetKeychains function to set the keychains searched for intermediate certificates in the certificate chain.
Important: Calling this function without also calling SecTrustSetAnchorCertificatesOnly disables the trusting of any anchors other than the ones specified by this function call.
SecTrust.hReenables trusting built-in anchor certificates.
OSStatus SecTrustSetAnchorCertificatesOnly ( SecTrustRef trust, Boolean anchorCertificatesOnly );
The trust management object containing the certificate you want to evaluate. A trust management object includes the certificate to be verified plus the policy or policies to be used in evaluating trust. It can optionally also include other certificates to be used in verifying the first certificate. Use the SecTrustCreateWithCertificates function to create a trust management object.
If true, disables trusting any anchors other than the ones passed in with the SecTrustSetAnchorCertificates function. If false, the built-in anchor certificates are also trusted. If this function is not called, only the anchors explicitly passed in are trusted.
A result code. See “Certificate, Key, and Trust Services Result Codes.”
SecTrust.h
Sets the date and time against which the certificates in a trust management object are verified.
OSStatus SecTrustSetVerifyDate ( SecTrustRef trust, CFDateRef verifyDate );
The trust management object whose verification date you want to set. A trust management object includes one or more certificates plus the policy or policies to be used in evaluating trust. Use the SecTrustCreateWithCertificates function to create a trust management object.
The date and time to use when verifying the certificate.
A result code. See “Certificate, Key, and Trust Services Result Codes.”
By default, the SecTrustEvaluate function uses the current date and time when verifying a certificate. However, you can use SecTrustSetVerifyDate to set another date and time to use when verifying a certificate. For example, you can determine whether the certificate was valid when the document was signed rather than whether it’s valid at the present time.
SecTrust.hAbstract Core Foundation-type object representing an X.509 certificate.
typedef struct __SecCertificate *SecCertificateRef;
A SecCertificateRef object for a certificate that is stored in a keychain can be safely cast to a SecKeychainItemRef for manipulation as a keychain item. On the other hand, if the SecCertificateRef is not stored in a keychain, casting the object to a SecKeychainItemRef and passing it to Keychain Services functions returns errors.
SecBase.h
Abstract Core Foundation-type object representing an identity.
typedef struct __SecIdentity *SecIdentityRef;
A SecIdentityRef object contains a SecKeyRef object and an associated SecCertificateRef object.
SecBase.h
Abstract Core Foundation-type object representing an asymmetric key.
typedef struct __SecKey *SecKeyRef;
A SecKeyRef object for a key that is stored in a keychain can be safely cast to a SecKeychainItemRef for manipulation as a keychain item. On the other hand, if the SecKeyRef is not stored in a keychain, casting the object to a SecKeychainItemRef and passing it to Keychain Services functions returns errors.
SecBase.h
Contains information about a policy.
typedef struct OpaqueSecPolicyRef *SecPolicyRef;
SecPolicy.h
Contains information about trust management.
typedef struct __SecTrust *SecTrustRef;
SecTrust.h
Specifies the type of padding to be used when creating or verifying a digital signature.
typedef uint32_t SecPadding; enum { kSecPaddingNone = 0,
kSecPaddingPKCS1 = 1,
kSecPaddingPKCS1MD2 = 0x8000,
kSecPaddingPKCS1MD5 = 0x8001,
kSecPaddingPKCS1SHA1 = 0x8002,
};
kSecPaddingNoneNo padding.
Available in iPhone OS 2.0 and later.
Declared in SecKey.h.
kSecPaddingPKCS1PKCS1 padding.
Available in iPhone OS 2.0 and later.
Declared in SecKey.h.
kSecPaddingPKCS1MD2Data to be signed is an MD2 hash.
Standard ASN.1 padding is done, as well as PKCS1 padding of the underlying RSA operation. Used with SecKeyRawSign and SecKeyRawVerify only.
Available in iPhone OS 2.0 and later.
Declared in SecKey.h.
kSecPaddingPKCS1MD5Data to be signed is an MD5 hash.
Standard ASN.1 padding is done, as well as PKCS1 padding of the underlying RSA operation. Used with SecKeyRawSign and SecKeyRawVerify only.
Available in iPhone OS 2.0 and later.
Declared in SecKey.h.
kSecPaddingPKCS1SHA1Data to be signed is a SHA1 hash.
Standard ASN.1 padding will be done, as well as PKCS1 padding of the underlying RSA operation. Used with SecKeyRawSign and SecKeyRawVerify only.
Available in iPhone OS 2.0 and later.
Declared in SecKey.h.
Use these dictionary keys with the SecKeyGeneratePair function.
CFTypeRef kSecPrivateKeyAttrs; CFTypeRef kSecPublicKeyAttrs;
kSecPrivateKeyAttrsPrivate cryptographic key attributes.
The corresponding value is a CFDictionaryRef dictionary conatining key-value pairs for attributes specific to the private key to be generated.
Available in iPhone OS 2.0 and later.
Declared in SecKey.h.
kSecPublicKeyAttrsPublic cryptographic key attributes.
The corresponding value is a CFDictionaryRef dictionary conatining key-value pairs for attributes specific to the public key to be generated.
Available in iPhone OS 2.0 and later.
Declared in SecKey.h.
Specifies the trust result type.
typedef enum {
kSecTrustResultInvalid,
kSecTrustResultProceed,
kSecTrustResultConfirm,
kSecTrustResultDeny,
kSecTrustResultUnspecified,
kSecTrustResultRecoverableTrustFailure,
kSecTrustResultFatalTrustFailure,
kSecTrustResultOtherError
} SecTrustResultType;
kSecTrustResultInvalidInvalid setting or result. Usually, this result indicates that the SecTrustEvaluate function did not complete successfully.
Available in iPhone OS 2.0 and later.
Declared in SecTrust.h.
kSecTrustResultProceedThe user indicated that you may trust the certificate for the purposes designated in the specified policies. This value may be returned by the SecTrustEvaluate function or stored as part of the user trust settings. In the Keychain Access utility, this value is termed “Always Trust.”
Available in iPhone OS 2.0 and later.
Declared in SecTrust.h.
kSecTrustResultConfirmConfirmation from the user is required before proceeding. This value may be returned by the SecTrustEvaluate function or stored as part of the user trust settings. In the Keychain Access utility, this value is termed “Ask Permission.”
Available in iPhone OS 2.0 and later.
Declared in SecTrust.h.
kSecTrustResultDenyThe user specified that the certificate should not be trusted. This value may be returned by the SecTrustEvaluate function or stored as part of the user trust settings. In the Keychain Access utility, this value is termed “Never Trust.”
Available in iPhone OS 2.0 and later.
Declared in SecTrust.h.
kSecTrustResultUnspecifiedThe user did not specify a trust setting. This value may be returned by the SecTrustEvaluate function or stored as part of the user trust settings. In the Keychain Access utility, this value is termed “Use System Policy.” This is the default user setting.
Available in iPhone OS 2.0 and later.
Declared in SecTrust.h.
kSecTrustResultRecoverableTrustFailureTrust denied; retry after changing settings. For example, if trust is denied because the certificate has expired, you can ask the user whether to trust the certificate anyway. If the user answers yes, then use the SecTrustSetUserTrust function to set the user trust setting to kSecTrustResultProceed and call SecTrustEvaluate again. This value may be returned by the SecTrustEvaluate function but not stored as part of the user trust settings.
Available in iPhone OS 2.0 and later.
Declared in SecTrust.h.
kSecTrustResultFatalTrustFailureTrust denied; no simple fix is available. For example, if a certificate cannot be verified because it is corrupted, trust cannot be established without replacing the certificate. This value may be returned by the SecTrustEvaluate function but not stored as part of the user trust settings.
Available in iPhone OS 2.0 and later.
Declared in SecTrust.h.
kSecTrustResultOtherErrorA failure other than that of trust evaluation; for example, an internal failure of the SecTrustEvaluate function. This value may be returned by the SecTrustEvaluate function but not stored as part of the user trust settings.
Available in iPhone OS 2.0 and later.
Declared in SecTrust.h.
These constants may be returned by the SecTrustEvaluate function or stored as one of the user trust settings (see SecTrustSetUserTrust), as noted. When evaluating user trust, both SecTrustGetUserTrust and SecTrustEvaluate start with the leaf certificate and work through the chain down to the anchor. The SecTrustGetUserTrust function returns the user trust setting of the first certificate for which the setting is other than kSecTrustResultUnspecified. Similarly, the function uses the user trust setting of the first certificate for which the setting is other than kSecTrustResultUnspecified, regardless of the user trust settings of other certificates in the chain.
Specifies options for the SecPKCS12Import function.
CFStringRef kSecImportExportPassphrase;
kSecImportExportPassphrasePassword.
The corresponding value is of type CFStringRef and contains the password used to decrypt the PKCS #12 blob.
Available in iPhone OS 2.0 and later.
Declared in SecImportExport.h.
Dictionary keys used in the dictionaries returned by the SecPKCS12Import function.
extern CFStringRef kSecImportItemLabel; extern CFStringRef kSecImportItemKeyID; extern CFStringRef kSecImportItemTrust; extern CFStringRef kSecImportItemCertChain; extern CFStringRef kSecImportItemIdentity;
kSecImportItemLabelItem label.
The corresponding value is of type CFStringRef. The format of the string is implementation specific.
Available in iPhone OS 2.0 and later.
Declared in SecImportExport.h.
kSecImportItemKeyIDKey ID.
The corresponding value is of type CFDataRef. This unique ID is often the SHA-1 digest of the public encryption key.
Available in iPhone OS 2.0 and later.
Declared in SecImportExport.h.
kSecImportItemTrustTrust management object.
The corresponding value is of type SecTrustRef. The trust reference returned by the SecPKCS12Import function has been evaluated against the basic X.509 policy and includes as complete a certificate chain as could be constructed from the certificates in the PKCS #12 blob, certificates on the keychain, and any other certificates available to the system. You can use the SecTrustEvaluate function if you want to know whether the certificate chain is complete and valid (according to the basic X.509 policy). There is no guarantee that the evaluation will succeed.
Available in iPhone OS 2.0 and later.
Declared in SecImportExport.h.
kSecImportItemCertChainCertificate list.
The corresponding value is of type CFArrayRef. The array consists of SecCertificateRef objects for all the certificates in the PKCS #12 blob. This list might differ from that in the trust management object if there is more than one identity in the blob or if the blob contains extra certificates (for example, an intermediate certificate that is not yet valid but might be needed to establish validity in the near future).
Available in iPhone OS 2.0 and later.
Declared in SecImportExport.h.
kSecImportItemIdentityIdentity object.
The corresponding value is of type SecIdentityRef and represents one identity contained in the PKCS #12 blob.
Available in iPhone OS 2.0 and later.
Declared in SecImportExport.h.
The most common result codes returned by Certificate, Key, and Trust Services are listed in the table below. The assigned error space is discontinuous: –25240..–25279 and –25290..–25329.
Last updated: 2008-11-19
