Skip to main content

Crate security

Crate security 

Source
Expand description

§security-rs

Safe Rust bindings for Apple’s Security framework on macOS.

Status: v0.2.3 closes every remaining non-exempt gap in the audited macOS Security.framework surface, including advanced Authorization, CMS, Certificate, Identity, Code Signing, Requirement, Task, and Trust helpers.

§Highlights

  • Swift bridge over Security.framework with retained opaque handles and ergonomic Rust wrappers.
  • 100% coverage of the audited non-exempt macOS Security.framework function surface documented in COVERAGE_AUDIT.md.
  • Raw C FFI preserved behind the raw-ffi Cargo feature, now exhaustively covering the non-deprecated macOS SecAccessControl / SecItem / SecKey / SecPolicy headers.
  • Safe modules for all primary logical areas:
    • keychain
    • identity
    • certificate
    • key
    • policy
    • trust
    • authorization
    • code
    • random_bytes
    • transform
    • secure_transport
    • cms
    • key_derivation
    • key_agreement
  • 15 numbered headless examples plus smoke tests across every area.

§Quick start

use security::prelude::*;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let certificate = Certificate::from_der(&std::fs::read("tests/fixtures/test-cert.der")?)?;
    let policy = Policy::basic_x509()?;
    let mut trust = Trust::new(&certificate, &[policy])?;
    trust.set_anchor_certificates(&[certificate])?;
    trust.set_anchor_certificates_only(true)?;
    trust.evaluate()?;

    let encoded = Transform::encode_base64(b"hello")?;
    assert_eq!(Transform::decode_base64(encoded.as_bytes())?, b"hello");

    let random = SecureRandom::bytes(16)?;
    assert_eq!(random.len(), 16);
    Ok(())
}

§Area overview

  • Keychain: generic-password CRUD, service account listing, access-control creation, and SecAccessControl type IDs.
  • Identity: PKCS#12 import, certificate access, identity creation, preference lookup/updates, system-identity management, and private-key attribute inspection.
  • Certificate: DER/PEM loading, Security item import/export, descriptions, values, preferences, summaries, names, emails, serials, validity dates, and public keys.
  • Key: raw/private-key import, modern signing, RSA encryption/decryption, external representations, block-size inspection, and SecKey type IDs.
  • Policy / Trust: basic X.509, SSL, revocation, generic property builders, policy type IDs, custom anchors, verify dates, exceptions, OCSP / SCT inputs, async evaluation, derived keys, and evaluated trust results.
  • Authorization: authorization creation, external-form round trips, info inspection, and synchronous / async rights acquisition.
  • Code: current-process code objects, host / guest lookup, requirements, static-code creation and validation, resource validation, memory mapping, and task entitlement inspection.
  • RandomBytes: SecRandomCopyBytes wrappers.
  • Transform: base64 encode/decode using deprecated but still functional SecTransform APIs.
  • SecureTransport: minimal context creation, protocol bounds, and state inspection.
  • CMS: certificate-bag helpers plus low-level encoder / decoder access for content, signers, recipients, timestamps, detached payloads, and chain configuration.
  • KeyDerivation: PBKDF2-style symmetric-key derivation through SecKeyDeriveFromPassword.
  • KeyAgreement: ephemeral P-256 key generation and ECDH shared-secret derivation.

§Examples

Run every numbered example:

for ex in examples/*.rs; do cargo run --example "$(basename "$ex" .rs)"; done

Key examples:

  • 01_keychain_password
  • 05_trust_evaluate
  • 07_code_signing_info
  • 11_cms_cert_bag
  • 13_key_agreement_shared_secret
  • 14_key_import_sign_verify
  • 15_key_encrypt_export

§Raw FFI

Enable the legacy raw C declarations when you need direct Security.framework symbols. The raw-ffi feature now exposes the non-deprecated macOS-available SecAccessControl.h, SecItem.h, SecKey.h, and SecPolicy.h surfaces end-to-end:

cargo test --features raw-ffi

The default API path stays on the Swift bridge so Rust code does not call the C-only framework surface directly.

§Coverage notes

See COVERAGE.md for the header audit and per-area implementation / partial / skipped status.

§License

Licensed under either of Apache-2.0 or MIT at your option.

§API documentation

Safe Rust bindings for Apple’s Security.framework on macOS.

Re-exports§

pub use authorization::Authorization;
pub use authorization::AuthorizationOptions;
pub use certificate::Certificate;
pub use certificate::PublicKey;
pub use cms::Cms;
pub use cms::CmsCertificateChainMode;
pub use cms::CmsDecoder;
pub use cms::CmsDigestAlgorithm;
pub use cms::CmsEncoder;
pub use cms::CmsSignedAttributes;
pub use code::Code;
pub use code::CodeSigningFlags;
pub use code::Requirement;
pub use code::SigningInformation;
pub use code::SigningValue;
pub use code::StaticCode;
pub use code::Task;
pub use error::OsStatus;
pub use error::Result;
pub use error::SecurityError;
pub use error::StatusError;
pub use identity::Identity;
pub use key::EncryptionAlgorithm;
pub use key::ExternalFormat;
pub use key::ExternalItemType;
pub use key::KeyType;
pub use key::PrivateKey;
pub use key::SignatureAlgorithm;
pub use key_agreement::AgreementPrivateKey;
pub use key_agreement::AgreementPublicKey;
pub use key_derivation::DerivedKey;
pub use key_derivation::KeyDerivation;
pub use keychain::AccessControl;
pub use keychain::AccessControlFlags;
pub use keychain::AccessControlProtection;
pub use keychain::Keychain;
pub use keychain::KeychainEntry;
pub use policy::Policy;
pub use policy::PolicyIdentifier;
pub use policy::PolicyName;
pub use policy::PolicyProperties;
pub use policy::RevocationFlags;
pub use random_bytes::SecureRandom;
pub use secure_transport::ProtocolVersion;
pub use secure_transport::SecureTransportContext;
pub use secure_transport::SecureTransportState;
pub use transform::Transform;
pub use trust::Trust;
pub use trust::TrustOptions;
pub use trust::TrustResultType;

Modules§

authorization
Safe wrappers for Authorization Services APIs in Security.framework.
certificate
Safe wrappers for SecCertificateRef and public-key APIs in Security.framework.
cms
Safe wrappers for CMS encoder and decoder APIs in Security.framework.
code
Safe wrappers for code-signing APIs such as SecCodeRef and SecTaskRef.
code_signing
Re-exports code-signing wrappers built on Security.framework.
error
Error types used by the Security.framework wrappers. Errors returned by the security-rs bindings.
ffiraw-ffi
Raw FFI declarations for the subset of Security.framework used by this crate.
identity
Safe wrappers for SecIdentityRef.
key
Safe wrappers for SecKeyRef algorithms and private-key APIs.
key_agreement
Safe wrappers for SecKeyRef key-agreement APIs.
key_derivation
Safe wrappers for password-based key-derivation APIs in Security.framework.
keychain
Safe wrappers for keychain and access-control APIs in Security.framework.
policy
Safe wrappers for SecPolicyRef and policy configuration APIs.
prelude
Common imports for users of this crate.
random
Re-exports secure-random wrappers built on SecRandomCopyBytes.
random_bytes
Safe wrappers for SecRandomCopyBytes.
secure_transport
Safe wrappers for Secure Transport session APIs in Security.framework.
transform
Safe wrappers for Security Transforms APIs.
trust
Safe wrappers for SecTrustRef and trust-evaluation APIs.