pub unsafe static kSecAttrAccessible: &'static CFString
Available on crate feature SecItem only.
Predefined item attribute keys used to get or set values in a dictionary. Not all attributes apply to each item class. The table below lists the currently defined attributes for each item class:
kSecClassGenericPassword item attributes:
- kSecAttrAccess (macOS only)
- kSecAttrAccessControl
- kSecAttrAccessGroup (iOS; also macOS if kSecAttrSynchronizable and/or kSecUseDataProtectionKeychain set)
- kSecAttrAccessible (iOS; also macOS if kSecAttrSynchronizable and/or kSecUseDataProtectionKeychain set)
- kSecAttrCreationDate
- kSecAttrModificationDate
- kSecAttrDescription
- kSecAttrComment
- kSecAttrCreator
- kSecAttrType
- kSecAttrLabel
- kSecAttrIsInvisible
- kSecAttrIsNegative
- kSecAttrAccount
- kSecAttrService
- kSecAttrGeneric
- kSecAttrSynchronizable
kSecClassInternetPassword item attributes:
- kSecAttrAccess (macOS only)
- kSecAttrAccessControl
- kSecAttrAccessGroup (iOS; also macOS if kSecAttrSynchronizable and/or kSecUseDataProtectionKeychain set)
- kSecAttrAccessible (iOS; also macOS if kSecAttrSynchronizable and/or kSecUseDataProtectionKeychain set)
- kSecAttrCreationDate
- kSecAttrModificationDate
- kSecAttrDescription
- kSecAttrComment
- kSecAttrCreator
- kSecAttrType
- kSecAttrLabel
- kSecAttrIsInvisible
- kSecAttrIsNegative
- kSecAttrAccount
- kSecAttrSecurityDomain
- kSecAttrServer
- kSecAttrProtocol
- kSecAttrAuthenticationType
- kSecAttrPort
- kSecAttrPath
- kSecAttrSynchronizable
kSecClassCertificate item attributes:
- kSecAttrAccessible (iOS only)
- kSecAttrAccessControl (iOS only)
- kSecAttrAccessGroup (iOS only)
- kSecAttrCertificateType
- kSecAttrCertificateEncoding
- kSecAttrLabel
- kSecAttrSubject
- kSecAttrIssuer
- kSecAttrSerialNumber
- kSecAttrSubjectKeyID
- kSecAttrPublicKeyHash
- kSecAttrSynchronizable
kSecClassKey item attributes:
- kSecAttrAccess (macOS only)
- kSecAttrAccessControl
- kSecAttrAccessGroup (iOS; also macOS if kSecAttrSynchronizable and/or kSecUseDataProtectionKeychain set)
- kSecAttrAccessible (iOS; also macOS if kSecAttrSynchronizable and/or kSecUseDataProtectionKeychain set)
- kSecAttrKeyClass
- kSecAttrLabel
- kSecAttrApplicationLabel
- kSecAttrIsPermanent
- kSecAttrApplicationTag
- kSecAttrKeyType
- kSecAttrPRF (macOS only)
- kSecAttrSalt (macOS only)
- kSecAttrRounds (macOS only)
- kSecAttrKeySizeInBits
- kSecAttrEffectiveKeySize
- kSecAttrCanEncrypt
- kSecAttrCanDecrypt
- kSecAttrCanDerive
- kSecAttrCanSign
- kSecAttrCanVerify
- kSecAttrCanWrap
- kSecAttrCanUnwrap
- kSecAttrSynchronizable
Note that the attributes kSecAttrCan* describe attributes of the key itself at relatively high level. Some of these attributes are mathematical – for example, a DSA key cannot encrypt. Others are key-level policy issues – for example, it is good cryptographic hygiene to use an RSA key either for encryption or signing but not both. Compare these to the certificate-level policy values in SecPolicy.h.
kSecClassIdentity item attributes: Since an identity is the combination of a private key and a certificate, this class shares attributes of both kSecClassKey and kSecClassCertificate.
indicates when your application needs access to an item’s data. You should choose the most restrictive option that meets your application’s needs to allow the system to protect that item in the best way possible. See the “kSecAttrAccessible Value Constants” section for a list of values which can be specified. IMPORTANT: This attribute is currently not supported for macOS keychain items, unless the kSecAttrSynchronizable attribute is also present. If both attributes are specified on either macOS or iOS, the value for the kSecAttrAccessible key may only be one whose name does not end with “ThisDeviceOnly”, as those cannot sync to another device.
is a SecAccessControl instance which contains the access control conditions for the item. IMPORTANT: This attribute is mutually exclusive with the kSecAttrAccess attribute.
is a SecAccessRef describing the access control settings for this item. This key is available on macOS only.
a CFStringRef indicating which access group an item is in. The access groups that a particular application has membership in are determined by two entitlements for that application. The application-identifier entitlement contains the application’s single access group, unless there is a keychain-access-groups entitlement present. The latter has as its value a list of access groups; the first item in this list is the default access group. Unless a specific access group is provided as the value of kSecAttrAccessGroup when SecItemAdd is called, new items are created in the application’s default access group. Specifying this attribute in SecItemCopyMatching, SecItemUpdate, or SecItemDelete calls limits the search to the specified access group (of which the calling application must be a member to obtain matching results). To share keychain items between multiple applications, each application must have a common group listed in its keychain-access-groups entitlement, and each must specify this shared access group name as the value for the kSecAttrAccessGroup key in the dictionary passed to SecItem functions.
a CFBooleanRef indicating whether the item in question can be synchronized. To add a new item which can be synced to other devices, or to obtain synchronizable results from a query, supply this key with a value of kCFBooleanTrue. If the key is not supplied, or has a value of kCFBooleanFalse, then no synchronizable items will be added or returned. A predefined value, kSecAttrSynchronizableAny, may be provided instead of kCFBooleanTrue if both synchronizable and non-synchronizable results are desired.
IMPORTANT: Specifying the kSecAttrSynchronizable key has several caveats:
- Updating or deleting items using the kSecAttrSynchronizable key will affect all copies of the item, not just the one on your local device. Be sure that it makes sense to use the same password on all devices before deciding to make a password synchronizable.
- Starting in iOS 14, macOS 11, and watchOS 7, the keychain synchronizes passwords, certificates, and cryptographic keys. Earlier OS versions synchronize only passwords.
- Items stored or obtained using the kSecAttrSynchronizable key cannot specify SecAccessRef-based access control with kSecAttrAccess. If a password is intended to be shared between multiple applications, the kSecAttrAccessGroup key must be specified, and each application using this password must have a ‘keychain-access-groups’ entitlement with the specified access group value.
- Items stored or obtained using the kSecAttrSynchronizable key may not also specify a kSecAttrAccessible value which is incompatible with syncing (namely, those whose names end with “ThisDeviceOnly”.)
- On macOS, when kSecAttrSynchronizable is set to true, returning references is supported only for Certificate, Key or Identity items.
- Persistent references to synchronizable items should be avoided; while they may work locally, they cannot be moved between devices, and may not resolve if the item is modified on some other device.
- When specifying a query that uses the kSecAttrSynchronizable key, search keys are limited to the item’s class and attributes. The only search constant which may be used is kSecMatchLimit; other constants using the kSecMatch prefix are not supported at this time.
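The compatibility rules above can be checked before a dictionary ever reaches a SecItem call. The following is an added example, not code from this crate or from Apple: it models an attribute dictionary as a map of constant names to value names (the `Attrs` type, `lint_sec_item` and `sample_bad` are hypothetical) and reports which of the stated caveats a dictionary violates.

```rust
use std::collections::HashMap;

// Constructed model (assumption): a SecItem dictionary as constant names -> value names.
// No Security.framework call is made; this only checks the caveats stated on this page.
pub type Attrs = HashMap<&'static str, &'static str>;

/// Returns one finding per violated caveat; an empty Vec means the dictionary is consistent.
pub fn lint_sec_item(attrs: &Attrs) -> Vec<&'static str> {
    let mut findings = Vec::new();
    // Assumption: any value other than kCFBooleanFalse counts as "using" the sync key.
    let sync = attrs
        .get("kSecAttrSynchronizable")
        .map_or(false, |v| *v != "kCFBooleanFalse");
    if attrs.contains_key("kSecAttrAccess") && attrs.contains_key("kSecAttrAccessControl") {
        findings.push("kSecAttrAccessControl is mutually exclusive with kSecAttrAccess");
    }
    if sync {
        if attrs.contains_key("kSecAttrAccess") {
            findings.push("synchronizable items cannot use kSecAttrAccess");
        }
        if attrs.get("kSecAttrAccessible").map_or(false, |v| v.ends_with("ThisDeviceOnly")) {
            findings.push("ThisDeviceOnly accessibility is incompatible with syncing");
        }
        if attrs.keys().any(|k| k.starts_with("kSecMatch") && *k != "kSecMatchLimit") {
            findings.push("only kSecMatchLimit is supported in synchronizable queries");
        }
    }
    findings
}

// Constructed sample: a synchronizable query with two incompatible settings.
pub fn sample_bad() -> Attrs {
    HashMap::from([
        ("kSecClass", "kSecClassGenericPassword"),
        ("kSecAttrSynchronizable", "kCFBooleanTrue"),
        ("kSecAttrAccessible", "kSecAttrAccessibleWhenUnlockedThisDeviceOnly"),
        ("kSecMatchPolicy", "policy"),
        ("kSecMatchLimit", "kSecMatchLimitOne"),
    ])
}

fn main() {
    for finding in lint_sec_item(&sample_bad()) {
        println!("finding: {finding}");
    }
}
```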
non-synchronizable results should be returned from this query. This may be used as a value for the kSecAttrSynchronizable dictionary key in a call to SecItemCopyMatching, SecItemUpdate, or SecItemDelete.
value is the item’s creation date. You use this key to get a value of type CFDateRef that represents the date the item was created.
whose value is the item’s modification date. You use this key to get a value of type CFDateRef that represents the last time the item was updated.
the item’s description attribute. You use this key to set or get a value of type CFStringRef that represents a user-visible string describing this particular kind of item (e.g., “disk image password”).
item’s comment attribute. You use this key to set or get a value of type CFStringRef containing the user-editable comment for this item.
item’s creator attribute. You use this key to set or get a value of type CFNumberRef that represents the item’s creator. This number is the unsigned integer representation of a four-character code (e.g., ‘aCrt’).
type attribute. You use this key to set or get a value of type CFNumberRef that represents the item’s type. This number is the unsigned integer representation of a four-character code (e.g., ‘aTyp’).
item’s label attribute. You use this key to set or get a value of type CFStringRef containing the user-visible label for this item.
item’s invisible attribute. You use this key to set or get a value of type CFBooleanRef that indicates whether the item is invisible (i.e., should not be displayed.)
item’s negative attribute. You use this key to set or get a value of type CFBooleanRef that indicates whether there is a valid password associated with this keychain item. This is useful if your application doesn’t want a password for some particular service to be stored in the keychain, but prefers that it always be entered by the user.
item’s account attribute. You use this key to set or get a CFStringRef that contains an account name. (Items of class kSecClassGenericPassword, kSecClassInternetPassword have this attribute.)
item’s service attribute. You use this key to set or get a CFStringRef that represents the service associated with this item. (Items of class kSecClassGenericPassword have this attribute.)
item’s generic attribute. You use this key to set or get a value of CFDataRef that contains a user-defined attribute. (Items of class kSecClassGenericPassword have this attribute.)
is the item’s security domain attribute. You use this key to set or get a CFStringRef value that represents the Internet security domain. (Items of class kSecClassInternetPassword have this attribute.)
item’s server attribute. You use this key to set or get a value of type CFStringRef that contains the server’s domain name or IP address. (Items of class kSecClassInternetPassword have this attribute.)
item’s protocol attribute. You use this key to set or get a value of type CFNumberRef that denotes the protocol for this item (see the SecProtocolType enum in SecKeychainItem.h). (Items of class kSecClassInternetPassword have this attribute.)
is the item’s authentication type attribute. You use this key to set or get a value of type CFNumberRef that denotes the authentication scheme for this item (see the kSecAttrAuthenticationType value constants below).
port attribute. You use this key to set or get a CFNumberRef value that represents an Internet port number. (Items of class kSecClassInternetPassword have this attribute.)
path attribute, typically this is the path component of the URL. You use this key to set or get a CFStringRef value that represents a path. (Items of class kSecClassInternetPassword have this attribute.)
value is the item’s subject. You use this key to get a value of type CFDataRef that contains the X.500 subject name of a certificate. (Items of class kSecClassCertificate have this attribute.)
is the item’s issuer. You use this key to get a value of type CFDataRef that contains the X.500 issuer name of a certificate. (Items of class kSecClassCertificate have this attribute.)
value is the item’s serial number. You use this key to get a value of type CFDataRef that contains the serial number data of a certificate. (Items of class kSecClassCertificate have this attribute.)
value is the item’s subject key ID. You use this key to get a value of type CFDataRef that contains the subject key ID of a certificate. (Items of class kSecClassCertificate have this attribute.)
whose value is the item’s public key hash. You use this key to get a value of type CFDataRef that contains the hash of a certificate’s public key. (Items of class kSecClassCertificate have this attribute.)
whose value is the item’s certificate type. You use this key to get a value of type CFNumberRef that denotes the certificate type (On iOS, currently the value of this attribute must be equal to the version of the X509 certificate. So, 1 for v1, 2 for v2, and 3 for v3 certificates). (On macOS, see the CSSM_CERT_TYPE enum in cssmtype.h). Only items of class kSecClassCertificate have this attribute.
key whose value is the item’s certificate encoding. You use this key to get a value of type CFNumberRef that denotes the certificate encoding (On iOS, currently only the value 3 meaning kSecAttrCertificateEncodingDER is supported). On macOS, see the CSSM_CERT_ENCODING enum in cssmtype.h. Only items of class kSecClassCertificate have this attribute.
value is one of kSecAttrKeyClassPublic, kSecAttrKeyClassPrivate or kSecAttrKeyClassSymmetric.
is the key’s application label attribute. This is different from the kSecAttrLabel (which is intended to be human-readable). This attribute is used to look up a key programmatically; in particular, for keys of class kSecAttrKeyClassPublic and kSecAttrKeyClassPrivate, the value of this attribute is the hash of the public key. This item is a type of CFDataRef. Legacy keys may contain a UUID in this field as a CFStringRef.
CFBooleanRef indicating whether the key in question will be stored permanently.
CFBooleanRef indicating that the key in question can only be exported in a wrapped (encrypted) format. macOS only.
CFBooleanRef indicating whether the key in question can be exported from its keychain container. macOS only.
CFDataRef containing private tag data.
CFNumberRef indicating the algorithm associated with this key (On iOS, currently only the value 42 is supported, alternatively you can use kSecAttrKeyTypeRSA). (On macOS, see the CSSM_ALGORITHMS enum in cssmtype.h).
(pseudo-random function) for this key (see “kSecAttrPRF Value Constants”.) macOS only.
CFData containing the salt to use for this key. macOS only.
number of rounds for the pseudo-random function specified by kSecAttrPRF. macOS only.
is a CFNumberRef indicating the number of bits in this key.
is a CFNumberRef indicating the effective number of bits in this key. For example, a DES key has a kSecAttrKeySizeInBits of 64, but a kSecAttrEffectiveKeySize of 56 bits.
CFBooleanRef indicating whether the key in question can be used to encrypt data.
CFBooleanRef indicating whether the key in question can be used to decrypt data.
CFBooleanRef indicating whether the key in question can be used to derive another key.
CFBooleanRef indicating whether the key in question can be used to create a digital signature.
CFBooleanRef indicating whether the key in question can be used to verify a digital signature.
CFBooleanRef indicating whether the key in question can be used to wrap another key.
CFBooleanRef indicating whether the key in question can be used to unwrap another key.
a CFStringRef. This value is part of the primary key of each item, and can be used to help distinguish Sync Views when defining their queries. iOS and synchronizable items only.
indicates that the item is backed by an external token. The value of this attribute is a CFStringRef uniquely identifying the containing token. When this attribute is not present, the item is stored in the internal keychain database. Note that once an item is created, this attribute cannot be changed; in other words, it is not possible to migrate existing items to, from or between tokens. Currently the only available value for this attribute is kSecAttrTokenIDSecureEnclave, which indicates that the item (private key) is backed by the device’s Secure Enclave.
See also Apple’s documentation