macOS Keychain Services wrapper for accessing the system and user's cryptographic keychains, as well as keys stored in the Secure Enclave Processor (SEP).
This crate provides a thin, low-level binding with a safe, mostly idiomatic Rust API. Ideally, however, it should be wrapped up in higher-level, easy-to-use libraries, as the API it presents is rather complicated and arcane.
For more information on Keychain Services, see: https://developer.apple.com/documentation/security/keychain_services/keychains
The Keychain Service API requires signed code to access much of its functionality. Accessing many APIs from an unsigned app will return an error with a kind of
Follow the instructions here to create a self-signed code signing certificate: https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html
You will need to use the codesign command-line utility (or Xcode) to sign your code before it will be able to access most Keychain Services API functionality. When you sign, you will need an entitlements file which grants access to the Keychain Services API. Below is an example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>keychain-access-groups</key>
    <array>
        <string>$(AppIdentifierPrefix)com.example.MyApplication</string>
    </array>
</dict>
</plist>
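The signing step above is easy to get subtly wrong (signing without the entitlements file, or signing with a file that names a different access group), and the only symptom is the Keychain error described earlier. The following script is an added example, not part of the keychain-services crate or Apple's documentation: it writes the entitlements file for a given Team ID prefix and bundle identifier, signs a binary with a named code-signing identity via `codesign`, and then reads the entitlements back out of the signed binary to confirm the `keychain-access-groups` entry is really there. The Team ID is written out literally because `$(AppIdentifierPrefix)` is an Xcode build setting, not something `codesign` expands by itself. The identity name, Team ID and bundle identifier are placeholders supplied on the command line; `codesign` itself is only available on macOS, so the helpers that write and check the file are separated from the ones that sign and verify.

```shell
#!/bin/sh
# Added example (not the crate's own code): write a keychain-access-groups
# entitlements file, sign a binary with it, and verify the signed binary
# actually carries the entitlement. Signing and verification require macOS
# `codesign`; the file-writing and checking helpers run on any POSIX shell.

# Write an entitlements plist granting PREFIX.BUNDLE_ID to OUT.
# PREFIX is your Team ID, i.e. the literal value Xcode would substitute for
# $(AppIdentifierPrefix); codesign does no variable expansion, so it is
# written out verbatim here.
make_entitlements() {
    prefix="$1"; bundle_id="$2"; out="$3"
    cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>keychain-access-groups</key>
    <array>
        <string>${prefix}.${bundle_id}</string>
    </array>
</dict>
</plist>
EOF
}

# Return 0 if FILE names GROUP as a keychain access group, 1 otherwise.
# The whole <string> element is matched so that a prefix-only match
# (e.g. a missing Team ID) does not count as a hit.
entitlements_has_group() {
    file="$1"; group="$2"
    grep -qF -- "<string>${group}</string>" "$file"
}

# Sign BINARY with IDENTITY (the common name of your self-signed
# code-signing certificate) and the given ENTITLEMENTS file. macOS only.
sign_binary() {
    binary="$1"; identity="$2"; entitlements="$3"
    codesign --force --sign "$identity" --entitlements "$entitlements" "$binary"
}

# Verify that BINARY's signature is valid and that the embedded entitlements
# mention GROUP. Returns non-zero if either check fails. macOS only.
verify_signed() {
    binary="$1"; group="$2"
    codesign --verify --verbose "$binary" || return 1
    # Dump the embedded entitlements to stdout and look for the group string.
    codesign -d --entitlements - "$binary" 2>/dev/null | grep -qF -- "$group"
}

# Usage: sh sign.sh <binary> <identity> <team-id> <bundle-id>
main() {
    binary="$1"; identity="$2"; prefix="$3"; bundle_id="$4"
    group="${prefix}.${bundle_id}"
    ents="$(mktemp)"
    make_entitlements "$prefix" "$bundle_id" "$ents"
    entitlements_has_group "$ents" "$group" || {
        echo "entitlements file does not grant $group" >&2; exit 1; }
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not found (macOS only); entitlements left at $ents" >&2
        exit 1
    fi
    sign_binary "$binary" "$identity" "$ents"
    if verify_signed "$binary" "$group"; then
        echo "$binary signed; keychain-access-groups grants $group"
    else
        echo "signature or entitlement check failed for $binary" >&2; exit 1
    fi
    rm -f "$ents"
}

# Only run when invoked with the four arguments above.
if [ "$#" -eq 4 ]; then
    main "$@"
fi
```

Run it as `sh sign.sh target/release/myapp "My Code Signing Identity" ABCDE12345 com.example.MyApplication`; if `verify_signed` fails even though signing succeeded, the usual cause is an entitlements file that was edited after signing or a group string that does not start with the Team ID.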
Access control policy (a.k.a. ACL) for a keychain item, combining both a
Access control restrictions for a particular keychain item.
Application-specific key labels, i.e. key fingerprints.
Application-specific tags for keychain items.
Human readable/meaningful labels for keychain items.
Conjunctions (and/or) on keychain item access.
Constraints on keychain item access.
Options for keychain item access.
Keychain item accessibility restrictions (from most to least restrictive).
Classes of keys supported by Keychain Services (not to be confused with
Types of keys supported by Keychain Services (not to be confused with
Internet protocols optionally associated with
Identifiers for external storage tokens for cryptographic keys (i.e. Secure Enclave).
Kinds of errors.
Marker trait for types which can be used as