
Keychain Services

程序员文章站 2022-04-24 22:00:46

The Keychain Services API lets you find, add, modify and delete items in the keychain.

Using the OS X keychain to access a password-protected service (figure: Keychain Services; image not reproduced here)

Using an iPhone to access a network server's keychain services (figure; image not reproduced here)

1 Functions

1.1 Using Keychain Item Search Dictionaries

Every Keychain Services call takes a CFDictionary of key/value pairs: the item class (kSecClass), the attributes that identify or describe the item, and, for searches, the kSecMatch* and kSecReturn* keys described in 2.4 and 2.5. Each function returns an OSStatus; errSecSuccess (0) means success, and errSecItemNotFound and errSecDuplicateItem are the two results a caller normally has to handle explicitly.

// Search
@available(iOS 2.0, *)
public func SecItemCopyMatching(query: CFDictionary, _ result: UnsafeMutablePointer<AnyObject?>) -> OSStatus
// Add
@available(iOS 2.0, *)
public func SecItemAdd(attributes: CFDictionary, _ result: UnsafeMutablePointer<AnyObject?>) -> OSStatus
// Update
@available(iOS 2.0, *)
public func SecItemUpdate(query: CFDictionary, _ attributesToUpdate: CFDictionary) -> OSStatus
// Delete
@available(iOS 2.0, *)
public func SecItemDelete(query: CFDictionary) -> OSStatus
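The four functions above in use, as an added example (Swift 5 syntax; not code from the original page): a generic-password store that treats errSecDuplicateItem as "update instead of add" and errSecItemNotFound as "absent". The service name, account and secret are placeholders chosen for the example.

```swift
import Foundation
import Security

// Added example (Swift 5 syntax; not code from the original page). A generic-password
// store built on the four SecItem* functions. The service name, account and secret
// below are placeholders chosen for the example.
enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
    case unexpectedData
}

struct PasswordStore {
    let service: String   // hypothetical, e.g. "com.example.app.login"

    // kSecClass + kSecAttrService + kSecAttrAccount identify a generic-password item;
    // every operation below starts from this dictionary.
    private func baseQuery(account: String) -> [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }

    // Adds the secret; if the item already exists (errSecDuplicateItem) it is updated in
    // place. The item is bound to this device and readable only while it is unlocked.
    func save(_ secret: Data, account: String) throws {
        var attributes = baseQuery(account: account)
        attributes[kSecValueData as String] = secret
        attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

        let status = SecItemAdd(attributes as CFDictionary, nil)
        switch status {
        case errSecSuccess:
            return
        case errSecDuplicateItem:
            // SecItemUpdate takes the query that locates the item and a second dictionary
            // holding only the attributes to change.
            let update: [String: Any] = [kSecValueData as String: secret]
            let updateStatus = SecItemUpdate(baseQuery(account: account) as CFDictionary,
                                             update as CFDictionary)
            guard updateStatus == errSecSuccess else {
                throw KeychainError.unexpectedStatus(updateStatus)
            }
        default:
            throw KeychainError.unexpectedStatus(status)
        }
    }

    // Returns nil when nothing matches (errSecItemNotFound) rather than throwing.
    func read(account: String) throws -> Data? {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne

        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        switch status {
        case errSecSuccess:
            guard let data = result as? Data else { throw KeychainError.unexpectedData }
            return data
        case errSecItemNotFound:
            return nil
        default:
            throw KeychainError.unexpectedStatus(status)
        }
    }

    // A missing item is not an error for delete.
    func delete(account: String) throws {
        let status = SecItemDelete(baseQuery(account: account) as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError.unexpectedStatus(status)
        }
    }
}

// Usage (run from inside a signed app target so the process has a keychain to use).
let store = PasswordStore(service: "com.example.app.login")
try store.save(Data("hunter2".utf8), account: "alice")
if let data = try store.read(account: "alice"),
   let password = String(data: data, encoding: .utf8) {
    print("read back:", password)
}
try store.delete(account: "alice")
```

The duplicate-then-update path matters in practice: SecItemAdd refuses to overwrite, so a naive "add on every login" silently keeps the first password forever. Calling SecItemDelete before every SecItemAdd is the other common pattern, but it briefly leaves no item at all and also drops any attributes (access group, access control) that were set on the original.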

1.2 Creating Access Control Objects

// Creates a new access control object with the given protection class (one of the kSecAttrAccessible* constants in 2.3.6) and constraint flags (2.6). The object is stored on the item via kSecAttrAccessControl.
@available(iOS 8.0, *)
public func SecAccessControlCreateWithFlags(allocator: CFAllocator?, _ protection: AnyObject, _ flags: SecAccessControlCreateFlags, _ error: UnsafeMutablePointer<Unmanaged<CFError>?>) -> SecAccessControl?

2 Constants

2.1 OS X Keychain Services API Constants

// Predefined key for the dictionary parameter passed to the import/export functions (e.g. the passphrase protecting a PKCS#12 blob given to SecPKCS12Import)
@available(iOS 2.0, *)
public let kSecImportExportPassphrase: CFString

2.2 Keychain Item Class Keys and Values

2.2.1 Item Class Key Constant

// Dictionary key whose value is the item class; required in every query or add dictionary
@available(iOS 2.0, *)
public let kSecClass: CFString

2.2.2 Item Class Value Constants

// Generic password (an arbitrary secret identified by service + account)
@available(iOS 2.0, *)
public let kSecClassGenericPassword: CFString
// Internet password (a credential for a server, identified by server, account, protocol, port and path)
@available(iOS 2.0, *)
public let kSecClassInternetPassword: CFString
// Certificate
@available(iOS 2.0, *)
public let kSecClassCertificate: CFString
// Cryptographic key (public, private or symmetric; see kSecAttrKeyClass)
@available(iOS 2.0, *)
public let kSecClassKey: CFString
// Identity: a certificate together with its private key, so it carries the attributes of both kSecClassKey and kSecClassCertificate
@available(iOS 2.0, *)
public let kSecClassIdentity: CFString

2.3 Attribute Item Keys and Values

2.3.1 Attribute Item Keys

Each keychain item class has its own set of descriptive attributes. Legend for the "Applies to" column: G = kSecClassGenericPassword, I = kSecClassInternetPassword, C = kSecClassCertificate, K = kSecClassKey, ID = kSecClassIdentity (an identity carries both the certificate and the key attributes).

Attribute                         | Value type          | Meaning                                                                                   | Applies to
kSecAttrAccessible                | CFTypeRef           | When the item is readable (one of the accessibility constants in 2.3.6)                   | G I C K ID
kSecAttrAccessControl (iOS 8.0)   | SecAccessControlRef | Access control object (1.2); carries its own protection class, so do not combine with kSecAttrAccessible | G I C K ID
kSecAttrAccessGroup               | CFStringRef         | Keychain access group the item belongs to (see note below)                                | G I C K ID
kSecAttrSynchronizable (iOS 7.0)  | CFBooleanRef        | Whether the item syncs to the user's other devices via iCloud Keychain                    | G I C K ID
kSecAttrCreationDate              | CFDateRef           | Creation date (read-only, set by the system)                                              | G I
kSecAttrModificationDate          | CFDateRef           | Last modification date (read-only, set by the system)                                     | G I
kSecAttrDescription               | CFStringRef         | User-visible description                                                                  | G I
kSecAttrComment                   | CFStringRef         | User-editable comment                                                                     | G I
kSecAttrCreator                   | CFNumberRef         | Creator code (four-character code)                                                        | G I
kSecAttrType                      | CFNumberRef         | Item type code (four-character code)                                                      | G I
kSecAttrLabel                     | CFStringRef         | User-visible label                                                                        | G I C K ID
kSecAttrIsInvisible               | CFBooleanRef        | Hide the item from the Keychain Access UI                                                 | G I
kSecAttrIsNegative                | CFBooleanRef        | kCFBooleanTrue marks a placeholder item that holds no valid password                      | G I
kSecAttrAccount                   | CFStringRef         | Account name                                                                              | G I
kSecAttrService                   | CFStringRef         | Service the password belongs to                                                           | G
kSecAttrGeneric                   | CFDataRef           | Application-defined data                                                                  | G
kSecAttrSecurityDomain            | CFStringRef         | Security domain (e.g. an HTTP authentication realm)                                       | I
kSecAttrServer                    | CFStringRef         | Server host name or IP address                                                            | I
kSecAttrProtocol                  | CFNumberRef         | Protocol (values in 2.3.2)                                                                | I
kSecAttrAuthenticationType        | CFNumberRef         | Authentication type (values in 2.3.3)                                                     | I
kSecAttrPort                      | CFNumberRef         | Network port                                                                              | I
kSecAttrPath                      | CFStringRef         | Path component of the URL                                                                 | I
kSecAttrSubject                   | CFDataRef           | X.500 subject name (derived from the certificate)                                         | C ID
kSecAttrIssuer                    | CFDataRef           | X.500 issuer name (derived from the certificate)                                          | C ID
kSecAttrSerialNumber              | CFDataRef           | Serial number (derived from the certificate)                                              | C ID
kSecAttrSubjectKeyID              | CFDataRef           | Subject key identifier (derived from the certificate)                                     | C ID
kSecAttrPublicKeyHash             | CFDataRef           | Hash of the public key (derived from the certificate)                                     | C ID
kSecAttrCertificateType           | CFNumberRef         | Certificate type (derived from the certificate)                                           | C ID
kSecAttrCertificateEncoding       | CFNumberRef         | Certificate encoding (derived from the certificate)                                       | C ID
kSecAttrKeyClass                  | CFTypeRef           | Key class (values in 2.3.4)                                                               | K ID
kSecAttrApplicationLabel          | CFDataRef           | Programmatic label; for asymmetric keys the hash of the public key (legacy keys may hold a CFStringRef UUID) | K ID
kSecAttrIsPermanent               | CFBooleanRef        | Whether the key is stored persistently in the keychain                                    | K ID
kSecAttrApplicationTag            | CFDataRef           | Application-private tag used to find the key                                              | K ID
kSecAttrKeyType                   | CFNumberRef         | Key algorithm (values in 2.3.5)                                                           | K ID
kSecAttrKeySizeInBits             | CFNumberRef         | Total key size in bits                                                                    | K ID
kSecAttrEffectiveKeySize          | CFNumberRef         | Effective key size in bits                                                                | K ID
kSecAttrCanEncrypt                | CFBooleanRef        | Key may be used to encrypt                                                                | K ID
kSecAttrCanDecrypt                | CFBooleanRef        | Key may be used to decrypt                                                                | K ID
kSecAttrCanDerive                 | CFBooleanRef        | Key may be used to derive other keys                                                      | K ID
kSecAttrCanSign                   | CFBooleanRef        | Key may be used to create digital signatures                                              | K ID
kSecAttrCanVerify                 | CFBooleanRef        | Key may be used to verify digital signatures                                              | K ID
kSecAttrCanWrap                   | CFBooleanRef        | Key may be used to wrap other keys                                                        | K ID
kSecAttrCanUnwrap                 | CFBooleanRef        | Key may be used to unwrap other keys                                                      | K ID
kSecAttrSyncViewHint (iOS 9.0)    | CFStringRef         | Part of the item's primary key; distinguishes iCloud Keychain sync views in queries       | G I C K ID
kSecAttrTokenID (iOS 9.0)         | CFStringRef         | Token backing the item; the only defined value is kSecAttrTokenIDSecureEnclave           | K

Note on kSecAttrAccessGroup: to share an item between several apps, set this attribute on the item. Each app declares the access groups it may use in its entitlements (keychain-access-groups) at build time, and an app can read any item whose access group appears in its own entitlements. The weakness the original text points out is that the group names are chosen by the developer, the attribute accepts wildcards, and keychain-dumper exploits exactly this by declaring its access group as `*`, which lets it dump every item in the keychain. The caveat to add: on a stock device the entitlements are part of the code signature, and App Store or provisioning-profile signing prefixes every group with the developer's team ID, so one team cannot claim another team's group. keychain-dumper works only on jailbroken devices where code-signature and entitlement checks have been bypassed, and even there it can only decrypt items whose accessibility class (2.3.6) allows access in the device's current lock state; items bound to a SecAccessControl with a biometric or passcode constraint (2.6) still require that authentication before the data is released.

Note on kSecAttrTokenID: the only value currently defined is kSecAttrTokenIDSecureEnclave (2.3.8).

2.3.2 Protocol Values

Values for kSecAttrProtocol:

let kSecAttrProtocolFTP: CFString // FTP protocol.
let kSecAttrProtocolFTPAccount: CFString // A client-side FTP account.
let kSecAttrProtocolHTTP: CFString // HTTP protocol.
let kSecAttrProtocolIRC: CFString // IRC protocol.
let kSecAttrProtocolNNTP: CFString // NNTP protocol.
let kSecAttrProtocolPOP3: CFString // POP3 protocol.
let kSecAttrProtocolSMTP: CFString // SMTP protocol.
let kSecAttrProtocolSOCKS: CFString // SOCKS protocol.
let kSecAttrProtocolIMAP: CFString // IMAP protocol.
let kSecAttrProtocolLDAP: CFString // LDAP protocol.
let kSecAttrProtocolAppleTalk: CFString // AFP over AppleTalk.
let kSecAttrProtocolAFP: CFString // AFP over TCP.
let kSecAttrProtocolTelnet: CFString // Telnet protocol.
let kSecAttrProtocolSSH: CFString // SSH protocol.
let kSecAttrProtocolFTPS: CFString // FTP over TLS/SSL.
let kSecAttrProtocolHTTPS: CFString // HTTP over TLS/SSL.
let kSecAttrProtocolHTTPProxy: CFString // HTTP proxy.
let kSecAttrProtocolHTTPSProxy: CFString // HTTPS proxy.
let kSecAttrProtocolFTPProxy: CFString // FTP proxy.
let kSecAttrProtocolSMB: CFString // SMB protocol.
let kSecAttrProtocolRTSP: CFString // RTSP protocol.
let kSecAttrProtocolRTSPProxy: CFString // RTSP proxy.
let kSecAttrProtocolDAAP: CFString // DAAP protocol.
let kSecAttrProtocolEPPC: CFString // Remote Apple Events.
let kSecAttrProtocolIPP: CFString // IPP protocol.
let kSecAttrProtocolNNTPS: CFString // NNTP over TLS/SSL.
let kSecAttrProtocolLDAPS: CFString // LDAP over TLS/SSL.
let kSecAttrProtocolTelnetS: CFString // Telnet over TLS/SSL.
let kSecAttrProtocolIMAPS: CFString // IMAP over TLS/SSL.
let kSecAttrProtocolIRCS: CFString // IRC over TLS/SSL.
let kSecAttrProtocolPOP3S: CFString // POP3 over TLS/SSL.

2.3.3 Authentication Type Values

Values for kSecAttrAuthenticationType:

let kSecAttrAuthenticationTypeNTLM: CFString // Windows NT LAN Manager authentication.
let kSecAttrAuthenticationTypeMSN: CFString // Microsoft Network default authentication.
let kSecAttrAuthenticationTypeDPA: CFString // Distributed Password Authentication.
let kSecAttrAuthenticationTypeRPA: CFString // Remote Password Authentication.
let kSecAttrAuthenticationTypeHTTPBasic: CFString // HTTP Basic authentication.
let kSecAttrAuthenticationTypeHTTPDigest: CFString // HTTP Digest access authentication.
let kSecAttrAuthenticationTypeHTMLForm: CFString // HTML form-based authentication.
let kSecAttrAuthenticationTypeDefault: CFString // The default authentication type.

2.3.4 Key Class Values

Values for kSecAttrKeyClass:

let kSecAttrKeyClassPublic: CFString // public key
let kSecAttrKeyClassPrivate: CFString // private key
let kSecAttrKeyClassSymmetric: CFString // symmetric key

2.3.5 Key Type Values

Values for kSecAttrKeyType:

let kSecAttrKeyTypeRSA: CFString // RSA key
let kSecAttrKeyTypeEC: CFString // Elliptic-curve key over the NIST prime curves (P-256/384/521 by kSecAttrKeySizeInBits); iOS 10 renamed this kSecAttrKeyTypeECSECPrimeRandom and kept the old name as a deprecated alias

2.3.6 Keychain Item Accessibility Constants

Values for kSecAttrAccessible; the default is kSecAttrAccessibleWhenUnlocked. "Migrates" below means the item is included in an encrypted backup and restored onto a new device; the ThisDeviceOnly variants are restored only onto the device that made the backup.

let kSecAttrAccessibleWhenUnlocked: CFString // readable only while the device is unlocked; migrates
let kSecAttrAccessibleAfterFirstUnlock: CFString // readable from the first unlock after a reboot until the next reboot; migrates (meant for background tasks that must run while locked)
let kSecAttrAccessibleAlways: CFString // readable regardless of lock state; migrates. Deprecated since iOS 12; avoid
@available(iOS 8.0, *)
let kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly: CFString // readable only while unlocked and only if a passcode is set; never migrates; removing the passcode deletes these items
let kSecAttrAccessibleWhenUnlockedThisDeviceOnly: CFString // readable only while unlocked; does not migrate
let kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly: CFString // readable after the first unlock following a reboot; does not migrate
let kSecAttrAccessibleAlwaysThisDeviceOnly: CFString // always readable; does not migrate. Deprecated since iOS 12; avoid

2.3.7 kSecAttrSynchronizable Value Constants

Query value for kSecAttrSynchronizable, usable with SecItemCopyMatching, SecItemUpdate or SecItemDelete (not SecItemAdd, where the attribute must be a real boolean).

@available(iOS 7.0, *)
public let kSecAttrSynchronizableAny: CFString // match both synchronizable and non-synchronizable items

2.3.8 kSecAttrTokenID Value Constants

Value for kSecAttrTokenID. A key backed by the Secure Enclave must be a kSecAttrKeyTypeEC key of 256 bits; it is generated inside the enclave and the private half never leaves it, so operations with it go through the enclave rather than through the application's memory.

@available(iOS 9.0, *)
public let kSecAttrTokenIDSecureEnclave: CFString // the key lives in the Secure Enclave

2.4 Search Keys

2.4.1 Search Attribute Keys

Keys that narrow a SecItemCopyMatching query:

let kSecMatchPolicy: CFString // SecPolicyRef that matching certificates must satisfy
let kSecMatchItemList: CFString // CFArrayRef of SecKeychainItemRef, SecKeyRef, SecCertificateRef, SecIdentityRef or CFDataRef (persistent references); all elements must be of one type. The keychain is still searched and the results are intersected with this list
let kSecMatchSearchList: CFString // CFArrayRef of SecKeychainRef to search instead of the default keychain search list (OS X)
let kSecMatchIssuers: CFString // CFArrayRef of X.500 issuer names, in the form kSecAttrIssuer uses
let kSecMatchEmailAddressIfPresent: CFString // CFStringRef e-mail address that must appear in the certificate if it carries one
let kSecMatchSubjectContains: CFString // CFStringRef that must appear in the certificate subject
let kSecMatchCaseInsensitive: CFString // CFBooleanRef; kCFBooleanFalse or absent: case-sensitive; kCFBooleanTrue: case-insensitive
let kSecMatchTrustedOnly: CFString // CFBooleanRef; kCFBooleanFalse or absent: all certificates; kCFBooleanTrue: only certificates that chain to a trusted anchor
let kSecMatchValidOnDate: CFString // CFDateRef on which the certificate must be valid; kCFNull means the current date and time
let kSecMatchLimit: CFString // CFNumberRef, or kSecMatchLimitOne / kSecMatchLimitAll
let kSecMatchLimitOne: CFString // return only the first match (the default)
let kSecMatchLimitAll: CFString // return every match, as a CFArrayRef

2.4.2 Item List Key

Key for supplying the list of items to search or add. When the list is present it is used as the search space and the keychain itself is not searched.

let kSecUseItemList: CFString // CFArrayRef of SecKeychainItemRef, SecKeyRef, SecCertificateRef, SecIdentityRef or (for persistent references) CFDataRef items

2.5 Search Results Constants

2.5.1 Return Type Keys

What SecItemCopyMatching (and SecItemAdd) place in the result parameter. Each key takes a CFBooleanRef; when more than one is set the result is a CFDictionaryRef keyed by the kSecValue* keys in 2.5.2.

let kSecReturnData: CFString // the item's data (CFDataRef)
let kSecReturnAttributes: CFString // the item's attributes (CFDictionaryRef)
let kSecReturnRef: CFString // a reference to the item (SecKeychainItemRef, SecKeyRef, SecCertificateRef, SecIdentityRef, or CFDataRef)
let kSecReturnPersistentRef: CFString // a persistent reference (CFDataRef) that stays valid across process launches

2.5.2 Value Type Keys

let kSecValueData: CFString // the secret data (CFDataRef)
let kSecValueRef: CFString // an item reference (SecKeychainItemRef, SecKeyRef, SecCertificateRef or SecIdentityRef), e.g. to add an existing SecKey to the keychain
let kSecValuePersistentRef: CFString // a persistent reference (CFDataRef) obtained earlier via kSecReturnPersistentRef
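The search keys of 2.4 and the return keys of 2.5 in one piece, as an added example (Swift 5 syntax; not code from the original page): an audit pass that lists every password item visible to the app and flags accessibility classes that survive a reboot or migrate via backup. It also uses kSecAttrSynchronizableAny (2.3.7) so iCloud-synced items are included, and kSecUseAuthenticationUISkip (2.7.2) so access-controlled items are skipped instead of popping up a prompt. The `weakAccessibility` policy is this example's own, not Apple's.

```swift
import Foundation
import Security

// Added example (Swift 5 syntax; not code from the original page): enumerate the
// password items this app can see and flag weak accessibility settings.
struct KeychainFinding {
    let itemClass: String
    let account: String
    let accessible: String
    let synchronizable: Bool
    let accessGroup: String
    let weak: Bool
}

// Accessibility values that are readable while the device is locked (after first unlock)
// or that migrate to other devices through backups. Whether that is acceptable depends on
// the secret; this set is the example's own policy.
let weakAccessibility: Set<String> = [
    kSecAttrAccessibleAlways as String,
    kSecAttrAccessibleAlwaysThisDeviceOnly as String,
    kSecAttrAccessibleAfterFirstUnlock as String,
    kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly as String,
]

func auditPasswordItems() -> [KeychainFinding] {
    var findings: [KeychainFinding] = []
    for itemClass in [kSecClassGenericPassword, kSecClassInternetPassword] {
        let query: [String: Any] = [
            kSecClass as String: itemClass,
            // Attributes only: kSecReturnData is deliberately absent, so no secret is read.
            kSecReturnAttributes as String: true,
            // kSecMatchLimitAll turns the result into a CFArray of attribute dictionaries.
            kSecMatchLimit as String: kSecMatchLimitAll,
            // Include items that sync via iCloud Keychain as well as local ones.
            kSecAttrSynchronizable as String: kSecAttrSynchronizableAny,
            // Leave out items whose SecAccessControl would require user authentication.
            kSecUseAuthenticationUI as String: kSecUseAuthenticationUISkip,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        // errSecItemNotFound just means this class has no items for the app.
        guard status == errSecSuccess, let items = result as? [[String: Any]] else { continue }
        for attrs in items {
            let accessible = attrs[kSecAttrAccessible as String] as? String ?? "(unset)"
            findings.append(KeychainFinding(
                itemClass: itemClass as String,
                account: attrs[kSecAttrAccount as String] as? String ?? "",
                accessible: accessible,
                synchronizable: attrs[kSecAttrSynchronizable as String] as? Bool ?? false,
                accessGroup: attrs[kSecAttrAccessGroup as String] as? String ?? "",
                weak: weakAccessibility.contains(accessible)))
        }
    }
    return findings
}

// Usage: print only the items that violate the policy above.
for finding in auditPasswordItems() where finding.weak {
    print("\(finding.itemClass) account=\(finding.account) group=\(finding.accessGroup) " +
          "accessible=\(finding.accessible) synced=\(finding.synchronizable)")
}
```

Asking for attributes rather than data is what makes this safe to run in a release build: the query never decrypts a secret, and the kSecAttrAccessGroup it reports is the value to compare against the app's keychain-access-groups entitlement when checking which other apps of the same team can reach the item.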

2.6 Access Control Create Flags

Flags passed to SecAccessControlCreateWithFlags (Swift 2 spelling as generated at the time; Swift 3 and later write them lowercase, e.g. .userPresence, and iOS 11.3 added .biometryAny / .biometryCurrentSet as the Face ID-aware names for the Touch ID flags).

@available(iOS 8.0, *)
public struct SecAccessControlCreateFlags : OptionSetType {
    public init(rawValue: CFIndex)

    public static var UserPresence: SecAccessControlCreateFlags { get } // User presence policy using Touch ID or passcode. Touch ID does not have to be available or enrolled. Item is still accessible by Touch ID even if fingers are added or removed.
    @available(iOS 9.0, *)
    public static var TouchIDAny: SecAccessControlCreateFlags { get } // Constraint: Touch ID (any finger). Touch ID must be available and at least one finger must be enrolled. Item is still accessible by Touch ID even if fingers are added or removed.
    @available(iOS 9.0, *)
    public static var TouchIDCurrentSet: SecAccessControlCreateFlags { get } // Constraint: Touch ID from the set of currently enrolled fingers. Touch ID must be available and at least one finger must be enrolled. When fingers are added or removed, the item is invalidated.
    @available(iOS 9.0, *)
    public static var DevicePasscode: SecAccessControlCreateFlags { get } // Constraint: device passcode.
    @available(iOS 9.0, *)
    public static var Or: SecAccessControlCreateFlags { get } // Constraint logic operation: when using more than one constraint, at least one of them must be satisfied.
    @available(iOS 9.0, *)
    public static var And: SecAccessControlCreateFlags { get } // Constraint logic operation: when using more than one constraint, all must be satisfied.
    @available(iOS 9.0, *)
    public static var PrivateKeyUsage: SecAccessControlCreateFlags { get } // Create access control for private key operations (i.e. the sign operation) rather than for reading the item.
    @available(iOS 9.0, *)
    public static var ApplicationPassword: SecAccessControlCreateFlags { get } // Security: application-provided password for data encryption key generation. This is not a constraint but an additional item encryption mechanism.
}

2.7 Other Constants

2.7.1 Predefined Constants

@available(iOS 8.0, *)
public let kSecUseOperationPrompt: CFString // CFStringRef shown to the user in the authentication prompt when an access-controlled item is used (deprecated in iOS 14 in favour of LAContext.localizedReason)
@available(iOS 9.0, *)
public let kSecUseAuthenticationUI: CFString // one of the kSecUseAuthenticationUI* values in 2.7.2 (a CFStringRef, not a boolean); controls whether the call may show authentication UI
@available(iOS 9.0, *)
public let kSecUseAuthenticationContext: CFString // an LAContext to authenticate with, so a previous successful authentication can be reused and the prompt customised

2.7.2 kSecUseAuthenticationUI Value Constants

@available(iOS 9.0, *)
public let kSecUseAuthenticationUIAllow: CFString // default: show the authentication UI if an item requires it
@available(iOS 9.0, *)
public let kSecUseAuthenticationUIFail: CFString // never show UI; a call that would need it fails with errSecInteractionNotAllowed
@available(iOS 9.0, *)
public let kSecUseAuthenticationUISkip: CFString // silently leave out items that would need UI (SecItemCopyMatching only)
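The pieces from 1.2, 2.3.8, 2.6 and 2.7 combined, as an added example (Swift 5 syntax with the iOS 11.3+ flag names; not code from the original page): a P-256 signing key generated inside the Secure Enclave and gated by the currently enrolled biometric set, looked up with an LAContext and a no-UI policy, then used to sign a challenge. The key tag, prompt text and challenge bytes are placeholders chosen for this example.

```swift
import Foundation
import Security
import LocalAuthentication

// Added example (Swift 5 syntax; not code from the original page): a Secure Enclave
// signing key protected by an access control object. Tag and prompt are placeholders.
enum SigningKeyError: Error {
    case accessControl(Error?)
    case keyGeneration(Error?)
    case notFound(OSStatus)
    case signing(Error?)
}

let keyTag = Data("com.example.app.signing-key".utf8)   // hypothetical tag

// kSecAttrTokenIDSecureEnclave requires kSecAttrKeyTypeECSECPrimeRandom (the newer name for
// kSecAttrKeyTypeEC) with 256 bits. .privateKeyUsage attaches the policy to signing rather
// than to reading the item; .biometryCurrentSet (Face ID-era name for .touchIDCurrentSet)
// invalidates the key whenever the enrolled biometrics change.
func createSecureEnclaveKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet],
        &error
    ) else {
        throw SigningKeyError.accessControl(error?.takeRetainedValue())
    }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: access,
        ] as [String: Any],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw SigningKeyError.keyGeneration(error?.takeRetainedValue())
    }
    return key
}

// The LAContext passed via kSecUseAuthenticationContext supplies the prompt text and is
// reused by the signing call. kSecUseAuthenticationUIFail means the lookup itself never
// shows UI; one that would need it fails with errSecInteractionNotAllowed. Because only
// private-key usage is gated here, the lookup normally succeeds silently.
func loadSecureEnclaveKey(context: LAContext) throws -> SecKey {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
        kSecAttrApplicationTag as String: keyTag,
        kSecReturnRef as String: true,
        kSecUseAuthenticationContext as String: context,
        kSecUseAuthenticationUI as String: kSecUseAuthenticationUIFail,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let key = item else {
        throw SigningKeyError.notFound(status)
    }
    return key as! SecKey
}

// ECDSA over SHA-256; this is the call that triggers the biometric prompt.
func sign(_ message: Data, with key: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(
        key, .ecdsaSignatureMessageX962SHA256, message as CFData, &error
    ) else {
        throw SigningKeyError.signing(error?.takeRetainedValue())
    }
    return signature as Data
}

// Verification needs only the public half, which may leave the enclave freely.
func verify(_ signature: Data, for message: Data, with privateKey: SecKey) -> Bool {
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else { return false }
    var error: Unmanaged<CFError>?
    return SecKeyVerifySignature(publicKey, .ecdsaSignatureMessageX962SHA256,
                                 message as CFData, signature as CFData, &error)
}

func run() throws {
    let context = LAContext()
    context.localizedReason = "Sign the login challenge"   // replaces kSecUseOperationPrompt
    let key: SecKey
    do {
        key = try loadSecureEnclaveKey(context: context)
    } catch SigningKeyError.notFound(let status) where status == errSecItemNotFound {
        key = try createSecureEnclaveKey()   // first run: no key yet
    }
    let challenge = Data("server-nonce-0123456789".utf8)   // constructed sample input
    let signature = try sign(challenge, with: key)
    print("signature valid:", verify(signature, for: challenge, with: key))
}

try run()
```

Two design points worth noting. Gating with .privateKeyUsage instead of gating the item itself means the app can find the key and hand out its public half without bothering the user, and authentication is demanded only at the moment of signing. Choosing .biometryCurrentSet over .biometryAny trades convenience for a guarantee: if someone with the passcode enrolls an extra fingerprint or face, the key is invalidated rather than becoming usable by the new enrolment, so the server-side identity bound to this key has to be re-established through whatever recovery path the app provides.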

 
