Expand description
§security-rs
Safe Rust bindings for Apple’s Security framework on macOS.
Status: v0.2.3 closes every remaining non-exempt gap in the audited macOS
Security.frameworksurface, including advanced Authorization, CMS, Certificate, Identity, Code Signing, Requirement, Task, and Trust helpers.
§Highlights
- Swift bridge over
Security.frameworkwith retained opaque handles and ergonomic Rust wrappers. - 100% coverage of the audited non-exempt macOS
Security.frameworkfunction surface documented inCOVERAGE_AUDIT.md. - Raw C FFI preserved behind the
raw-ffiCargo feature, now exhaustively covering the non-deprecated macOSSecAccessControl/SecItem/SecKey/SecPolicyheaders. - Safe modules for all primary logical areas:
keychainidentitycertificatekeypolicytrustauthorizationcoderandom_bytestransformsecure_transportcmskey_derivationkey_agreement
- 15 numbered headless examples plus smoke tests across every area.
§Quick start
use security::prelude::*;
fn main() -> Result<(), Box<dyn std::error::Error>> {
let certificate = Certificate::from_der(&std::fs::read("tests/fixtures/test-cert.der")?)?;
let policy = Policy::basic_x509()?;
let mut trust = Trust::new(&certificate, &[policy])?;
trust.set_anchor_certificates(&[certificate])?;
trust.set_anchor_certificates_only(true)?;
trust.evaluate()?;
let encoded = Transform::encode_base64(b"hello")?;
assert_eq!(Transform::decode_base64(encoded.as_bytes())?, b"hello");
let random = SecureRandom::bytes(16)?;
assert_eq!(random.len(), 16);
Ok(())
}§Area overview
Keychain: generic-password CRUD, service account listing, access-control creation, andSecAccessControltype IDs.Identity: PKCS#12 import, certificate access, identity creation, preference lookup/updates, system-identity management, and private-key attribute inspection.Certificate: DER/PEM loading, Security item import/export, descriptions, values, preferences, summaries, names, emails, serials, validity dates, and public keys.Key: raw/private-key import, modern signing, RSA encryption/decryption, external representations, block-size inspection, andSecKeytype IDs.Policy/Trust: basic X.509, SSL, revocation, generic property builders, policy type IDs, custom anchors, verify dates, exceptions, OCSP / SCT inputs, async evaluation, derived keys, and evaluated trust results.Authorization: authorization creation, external-form round trips, info inspection, and synchronous / async rights acquisition.Code: current-process code objects, host / guest lookup, requirements, static-code creation and validation, resource validation, memory mapping, and task entitlement inspection.RandomBytes:SecRandomCopyByteswrappers.Transform: base64 encode/decode using deprecated but still functionalSecTransformAPIs.SecureTransport: minimal context creation, protocol bounds, and state inspection.CMS: certificate-bag helpers plus low-level encoder / decoder access for content, signers, recipients, timestamps, detached payloads, and chain configuration.KeyDerivation: PBKDF2-style symmetric-key derivation throughSecKeyDeriveFromPassword.KeyAgreement: ephemeral P-256 key generation and ECDH shared-secret derivation.
§Examples
Run every numbered example:
for ex in examples/*.rs; do cargo run --example "$(basename "$ex" .rs)"; doneKey examples:
01_keychain_password05_trust_evaluate07_code_signing_info11_cms_cert_bag13_key_agreement_shared_secret14_key_import_sign_verify15_key_encrypt_export
§Raw FFI
Enable the legacy raw C declarations when you need direct Security.framework symbols. The raw-ffi feature now exposes the non-deprecated macOS-available SecAccessControl.h, SecItem.h, SecKey.h, and SecPolicy.h surfaces end-to-end:
cargo test --features raw-ffiThe default API path stays on the Swift bridge so Rust code does not call the C-only framework surface directly.
§Coverage notes
See COVERAGE.md for the header audit and per-area implementation / partial / skipped status.
§License
Licensed under either of Apache-2.0 or MIT at your option.
§API documentation
Safe Rust bindings for Apple’s Security.framework on macOS.
Re-exports§
pub use authorization::Authorization;pub use authorization::AuthorizationOptions;pub use certificate::Certificate;pub use certificate::PublicKey;pub use cms::Cms;pub use cms::CmsCertificateChainMode;pub use cms::CmsDecoder;pub use cms::CmsDigestAlgorithm;pub use cms::CmsEncoder;pub use cms::CmsSignedAttributes;pub use code::Code;pub use code::CodeSigningFlags;pub use code::Requirement;pub use code::SigningInformation;pub use code::SigningValue;pub use code::StaticCode;pub use code::Task;pub use error::OsStatus;pub use error::Result;pub use error::SecurityError;pub use error::StatusError;pub use identity::Identity;pub use key::EncryptionAlgorithm;pub use key::ExternalFormat;pub use key::ExternalItemType;pub use key::KeyType;pub use key::PrivateKey;pub use key::SignatureAlgorithm;pub use key_agreement::AgreementPrivateKey;pub use key_agreement::AgreementPublicKey;pub use key_derivation::DerivedKey;pub use key_derivation::KeyDerivation;pub use keychain::AccessControl;pub use keychain::AccessControlFlags;pub use keychain::AccessControlProtection;pub use keychain::Keychain;pub use keychain::KeychainEntry;pub use policy::Policy;pub use policy::PolicyIdentifier;pub use policy::PolicyName;pub use policy::PolicyProperties;pub use policy::RevocationFlags;pub use random_bytes::SecureRandom;pub use secure_transport::ProtocolVersion;pub use secure_transport::SecureTransportContext;pub use secure_transport::SecureTransportState;pub use transform::Transform;pub use trust::Trust;pub use trust::TrustOptions;pub use trust::TrustResultType;
Modules§
- authorization
- certificate
- cms
- code
- code_
signing - error
- Errors returned by the
security-rsbindings. - ffi
raw-ffi - Raw FFI declarations for the subset of
Security.frameworkused by this crate. - identity
- key
- key_
agreement - key_
derivation - keychain
- policy
- prelude
- Common imports for users of this crate.
- random
- random_
bytes - secure_
transport - transform
- trust