Skip to main content

Crate security

Crate security 

Source
Expand description

§security-rs

Safe Rust bindings for Apple’s Security framework on macOS.

Status: v0.2.0 adopts a Swift bridge for the safe API and expands coverage across keychain, identities, certificates, policies, trust, authorization, code signing, random bytes, transforms, SecureTransport, CMS, key derivation, and key agreement.

§Highlights

  • Swift bridge over Security.framework with retained opaque handles and ergonomic Rust wrappers.
  • Raw C FFI preserved behind the raw-ffi Cargo feature.
  • Safe modules for all primary logical areas:
    • keychain
    • identity
    • certificate
    • policy
    • trust
    • authorization
    • code
    • random_bytes
    • transform
    • secure_transport
    • cms
    • key_derivation
    • key_agreement
  • Headless examples and smoke tests for every area.

§Quick start

use security::prelude::*;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let certificate = Certificate::from_der(&std::fs::read("tests/fixtures/test-cert.der")?)?;
    let policy = Policy::basic_x509()?;
    let mut trust = Trust::new(&certificate, &[policy])?;
    trust.set_anchor_certificates(&[certificate])?;
    trust.set_anchor_certificates_only(true)?;
    trust.evaluate()?;

    let encoded = Transform::encode_base64(b"hello")?;
    assert_eq!(Transform::decode_base64(encoded.as_bytes())?, b"hello");

    let random = SecureRandom::bytes(16)?;
    assert_eq!(random.len(), 16);
    Ok(())
}

§Area overview

  • Keychain: generic-password CRUD and service account listing.
  • Identity: PKCS#12 import, certificate access, and private-key attribute inspection.
  • Certificate: DER/PEM loading, summaries, names, emails, serials, validity dates, and public keys.
  • Policy / Trust: basic X.509, SSL, revocation, custom anchors, and evaluated trust results.
  • Authorization: authorization creation and external-form round trips.
  • Code: current-process code objects, static-code inspection, designated requirements, and task entitlements.
  • RandomBytes: SecRandomCopyBytes wrappers.
  • Transform: base64 encode/decode using deprecated but still functional SecTransform APIs.
  • SecureTransport: minimal context creation, protocol bounds, and state inspection.
  • CMS: certificate-bag encode/decode.
  • KeyDerivation: PBKDF2-style symmetric-key derivation through SecKeyDeriveFromPassword.
  • KeyAgreement: ephemeral P-256 key generation and ECDH shared-secret derivation.

§Examples

Run every numbered example:

for ex in examples/*.rs; do cargo run --example "$(basename "$ex" .rs)"; done

Key examples:

  • 01_keychain_password
  • 05_trust_evaluate
  • 07_code_signing_info
  • 11_cms_cert_bag
  • 13_key_agreement_shared_secret

§Raw FFI

Enable the legacy raw C declarations when you need direct Security.framework symbols:

cargo test --features raw-ffi

The default API path stays on the Swift bridge so Rust code does not call the C-only framework surface directly.

§Coverage notes

See COVERAGE.md for the header audit and per-area implementation / partial / skipped status.

§License

Licensed under either of Apache-2.0 or MIT at your option.

§API documentation

Safe Rust bindings for Apple’s Security.framework on macOS.

Re-exports§

pub use authorization::Authorization;
pub use authorization::AuthorizationOptions;
pub use certificate::Certificate;
pub use certificate::PublicKey;
pub use cms::Cms;
pub use code::Code;
pub use code::SigningInformation;
pub use code::SigningValue;
pub use code::StaticCode;
pub use code::Task;
pub use error::OsStatus;
pub use error::Result;
pub use error::SecurityError;
pub use error::StatusError;
pub use identity::Identity;
pub use key_agreement::AgreementPrivateKey;
pub use key_agreement::AgreementPublicKey;
pub use key_derivation::DerivedKey;
pub use key_derivation::KeyDerivation;
pub use keychain::Keychain;
pub use keychain::KeychainEntry;
pub use policy::Policy;
pub use policy::RevocationFlags;
pub use random_bytes::SecureRandom;
pub use secure_transport::ProtocolVersion;
pub use secure_transport::SecureTransportContext;
pub use secure_transport::SecureTransportState;
pub use transform::Transform;
pub use trust::Trust;

Modules§

authorization
certificate
cms
code
code_signing
error
Errors returned by the security-rs bindings.
ffiraw-ffi
Raw FFI declarations for the subset of Security.framework used by this crate.
identity
key_agreement
key_derivation
keychain
policy
prelude
Common imports for users of this crate.
random
random_bytes
secure_transport
transform
trust