Keychain Services for Rust 🔐 

Rust binding for macOS Keychain Services, including TouchID-guarded access to cryptographic keys stored in the Secure Enclave Processor (SEP).

This binding aims to provide a thin wrapper using largely the same type names as Keychain Services itself, but also provide a safe, mostly idiomatic API which does not rely on e.g. Core Foundation types.

NOTE: This is an unofficial binding which is in no way affiliated with Apple!

[Documentation]

Status

This crate is experimental and may have bugs/memory safety issues. USE AT YOUR OWN RISK!

Below is a rough outline of the Keychain Service API and what is supported by this crate:

• [ ] Keychains (SecKeychain)
  • [x] Creating keychains
  • [x] Deleting keychains
  • [ ] Open keychain (SecKeychainOpen)
  • [ ] Keychain status (SecKeychainGetStatus)
  • [ ] Keychain version (SecKeychainGetVersion)
  • [ ] Set default keychain (SecKeychainSetDefault)
• [ ] Keychain Items (SecKeychainItem)
  • [x] Creating keychain items
  • [x] Fetching keychain items
  • [x] Getting keychain item attributes
  • [ ] Deleting keychain items
• [ ] Certificates / Identities (SecCertificate)
  • [ ] Creating certificates
  • [ ] Deleting certificates
  • [ ] Querying certificates
  • [ ] Signing certificates
• [ ] Cryptographic keys (SecKey)
  • [x] Generating cryptographic keys
  • [ ] Importing cryptographic keys
  • [x] Exporting cryptographic keys
  • [ ] Deleting cryptographic keys
  • [x] Querying cryptographic keys
  • [x] Querying cryptographic key attributes
  • [x] Digital signatures (ECDSA/RSA)
  • [ ] Encryption
• [x] Passwords
  • [x] Creating passwords
  • [x] Querying passwords
  • [ ] Deleting passwords

Tests

This crate has two suites of tests:

• Core: cargo test - run a minimal set of tests (e.g. in CI) that work everywhere, but don't cover all functionality.
• Interactive: cargo test --features=interactive-tests --no-run compile tests which require user interactions, and additionally must be signed by macOS's code signing in order to work. See code signing notes.

Code Signing

The Keychain Service API requires signed code to access much of its functionality. Accessing many APIs from an unsigned app will return an ErrorKind::MissingEntitlement.

Follow the instructions here to create a self-signed code signing certificate: https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html

You will need to use the [codesign] command-line utility (or XCode) to sign your code before it will be able to access most Keychain Services API functionality.

License

Licensed under either of * Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0) * MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you shall be dual licensed as above, without any additional terms or conditions.