Rust binding for macOS Keychain Services, including TouchID-guarded access to cryptographic keys stored in the Secure Enclave Processor (SEP).
This binding aims to provide a thin wrapper using largely the same type names as Keychain Services itself, but also provide a safe, mostly idiomatic API which does not rely on e.g. Core Foundation types.
NOTE: This is an unofficial binding which is in no way affiliated with Apple!
This crate is experimental and may have bugs/memory safety issues. USE AT YOUR OWN RISK!
Below is a rough outline of the Keychain Service API and what is supported by this crate:
- Keychains (
SecKeychain
)- Creating keychains
- Deleting keychains
- Open keychain (
SecKeychainOpen
) - Keychain status (
SecKeychainGetStatus
) - Keychain version (
SecKeychainGetVersion
) - Set default keychain (
SecKeychainSetDefault
)
- Keychain Items (
SecKeychainItem
)- Creating keychain items
- Fetching keychain items
- Getting keychain item attributes
- Deleting keychain items
- Certificates / Identities (
SecCertificate
)- Creating certificates
- Deleting certificates
- Querying certificates
- Signing certificates
- Cryptographic keys (
SecKey
)- Generating cryptographic keys
- Importing cryptographic keys
- Exporting cryptographic keys
- Deleting cryptographic keys
- Querying cryptographic keys
- Querying cryptographic key attributes
- Digital signatures (ECDSA/RSA)
- Encryption
- Passwords
- Creating passwords
- Querying passwords
- Deleting passwords
This crate has two suites of tests:
- Core:
cargo test
- run a minimal set of tests (e.g. in CI) that work everywhere, but don't cover all functionality. - Interactive:
cargo test --features=interactive-tests --no-run
compile tests which require user interactions, and additionally must be signed by macOS's code signing in order to work. See code signing notes.
The Keychain Service API requires signed code to access much of its
functionality. Accessing many APIs from an unsigned app will return
an ErrorKind::MissingEntitlement
.
Follow the instructions here to create a self-signed code signing certificate: https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html
You will need to use the codesign command-line utility (or XCode) to sign your code before it will be able to access most Keychain Services API functionality.
Licensed under either of
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you shall be dual licensed as above, without any additional terms or conditions.