pub struct Keychain { /* private fields */ }Expand description
A parsed (and possibly unlocked) macOS keychain database.
Keychain owns the file bytes, the parsed table catalogue, the discovered
schema, and its unlock state. Extraction methods take &self because
every state mutation happens during Keychain::unlock /
Keychain::try_unlock.
Implementations§
Source§impl Keychain
impl Keychain
Sourcepub fn generic_passwords(&self) -> Result<Vec<GenericPassword>>
pub fn generic_passwords(&self) -> Result<Vec<GenericPassword>>
Return all generic-password records.
Returns Error::Locked if the keychain has not been unlocked
(or partially unlocked via Keychain::try_unlock). When
try_unlock was used and per-record decryption fails, metadata
fields are still populated and password is None.
Sourcepub fn internet_passwords(&self) -> Result<Vec<InternetPassword>>
pub fn internet_passwords(&self) -> Result<Vec<InternetPassword>>
Return all internet-password records. Semantics match
Keychain::generic_passwords.
Sourcepub fn private_keys(&self) -> Result<Vec<PrivateKey>>
pub fn private_keys(&self) -> Result<Vec<PrivateKey>>
Return all private-key records.
Under try_unlock, records whose payload fails to decrypt are
still returned with metadata populated but name empty and
data empty.
Sourcepub fn certificates(&self) -> Result<Vec<Certificate>>
pub fn certificates(&self) -> Result<Vec<Certificate>>
Return all X.509 certificate records. Certificates are not
encrypted at rest, so they are fully populated regardless of
unlock state (subject to the Locked guard).
Sourcepub fn password_hash(&self) -> Result<String>
pub fn password_hash(&self) -> Result<String>
Export the keychain password hash in
$keychain$*<salt_hex>*<iv_hex>*<ciphertext_hex> format
(compatible with hashcat mode 23100 and John the Ripper).
Does not require unlock.
Source§impl Keychain
impl Keychain
Sourcepub fn open_default() -> Result<Self>
pub fn open_default() -> Result<Self>
Open the default macOS login keychain at
$HOME/Library/Keychains/login.keychain-db.
Returns Error::Io on hosts where $HOME is unset or the file
is absent (every non-macOS target).
Sourcepub fn open_file<P: AsRef<Path>>(path: P) -> Result<Self>
pub fn open_file<P: AsRef<Path>>(path: P) -> Result<Self>
Open a keychain from a specific path.
Sourcepub fn open_bytes<B: Into<Vec<u8>>>(buf: B) -> Result<Self>
pub fn open_bytes<B: Into<Vec<u8>>>(buf: B) -> Result<Self>
Open a keychain from an in-memory buffer.
Sourcepub fn builder() -> KeychainBuilder
pub fn builder() -> KeychainBuilder
Construct a KeychainBuilder for the case that needs a custom
logger or wants to defer source selection.
Source§impl Keychain
impl Keychain
Sourcepub fn unlock(&mut self, cred: Credential) -> Result<()>
pub fn unlock(&mut self, cred: Credential) -> Result<()>
Decrypt the keychain using cred. On failure the keychain is left
locked, so extraction methods return Error::Locked.
Takes the credential by value so it is consumed (and dropped) by the unlock attempt rather than lingering at the call site.
Sourcepub fn try_unlock(&mut self, cred: Option<Credential>) -> Result<()>
pub fn try_unlock(&mut self, cred: Option<Credential>) -> Result<()>
Attempt to decrypt, but fall back to metadata-only extraction instead of failing on a wrong credential.
Noneenables partial mode without attempting decryption.Some(cred)attempts a full unlock; a wrong password / key leaves the keychain in partial mode and returnsOk(())(checkSelf::unlockedto tell full from partial). Only a structural problem (e.g. a corrupt table) returnsErr.
Sourcepub const fn unlocked(&self) -> bool
pub const fn unlocked(&self) -> bool
true once a Self::unlock / Self::try_unlock has fully decrypted
the database key. false in locked and partial states.