//

//  MYKeychain.h

//  MYCrypto

//

//  Created by Jens Alfke on 3/23/09.

//  Copyright 2009 Jens Alfke. All rights reserved.

//

#import <Foundation/Foundation.h>

#import "MYCryptoConfig.h"

@class MYSymmetricKey, MYPublicKey, MYPrivateKey, MYCertificate, MYSHA1Digest;

/** A Keychain, a secure database of cryptographic keys.

    This class wraps the Security framework's SecKeychain API. */

@interface MYKeychain : NSObject 

{

    @private

#if !MYCRYPTO_USE_IPHONE_API

    SecKeychainRef _keychain;

#endif

}

/** Returns a MYKeychain instance representing the user's default keychain.

    This is the instance you'll usually want to add keys to. */

+ (MYKeychain*) defaultKeychain;

/** Returns a MYKeychain instance representing the aggregate of all open keychains.

    This is the instance you'll usually want to search for keys with. */

+ (MYKeychain*) allKeychains;

#pragma mark SYMMETRIC KEYS:

/** Randomly generates a new symmetric key, using the given algorithm and key-size in bits.

    The key is persistently added to this keychain. */

- (MYSymmetricKey*) generateSymmetricKeyOfSize: (unsigned)keySizeInBits

                                     algorithm: (uint32_t/*CCAlgorithm*/)algorithm;

/** Enumerates all of the symmetric keys in the keychain, as MYSymmetricKey objects. */

- (NSEnumerator*) enumerateSymmetricKeys;

#pragma mark PUBLIC KEYS:

/** Imports a public key into the keychain, given its external representation

    (as generated by -[MYPublicKey keyData].) */

- (MYPublicKey*) importPublicKey: (NSData*)keyData;

/** Looks up an existing public key with the given digest.

    Returns nil if there is no such key in the keychain.

    (This method does not look for keys embedded in certificates, only 'bare' keys.) */

- (MYPublicKey*) publicKeyWithDigest: (MYSHA1Digest*)pubKeyDigest;

/** Enumerates all public keys in the keychain.

    (This method does not find keys embedded in certificates, only 'bare' keys.) */

- (NSEnumerator*) enumeratePublicKeys;

#pragma mark CERTIFICATES:

/** Imports a certificate into the keychain, given its external representation. */

- (MYCertificate*) importCertificate: (NSData*)data;

/** Looks up an existing certificate with the given public-key digest.

    Returns nil if there is no such certificate in the keychain.

    (This method only looks for keys embedded in certificates, not 'bare' public keys.) */

- (MYCertificate*) certificateWithDigest: (MYSHA1Digest*)pubKeyDigest;

/** Enumerates all certificates in the keychain. */

- (NSEnumerator*) enumerateCertificates;

/** Enumerates all identities in the keychain. */

- (NSEnumerator*) enumerateIdentities;

#pragma mark KEY-PAIRS:

/** Generates a new RSA key-pair and adds both keys to the keychain.

    This is very slow -- it may take seconds, depending on the key size, CPU speed,

    and other random factors. You may want to start some kind of progress indicator before

    calling this method, so the user doesn't think the app has locked up!

    @param keySize  The RSA key length in bits. Must be a power of two. Longer keys are harder

        to break, but operate more slowly and generate larger signatures.

        2048 is a good default choice. You could use 1024 if the data and signatures won't need

        to stay secure for years; or you could use 4096 if you're extremely paranoid. */

- (MYPrivateKey*) generateRSAKeyPairOfSize: (unsigned)keySize;

/** Looks up an existing key-pair whose public key has the given digest.

    Returns nil if there is no such key-pair in the keychain.

    (This method does not look for public keys embedded in certificates, only 'bare' keys.) */

- (MYPrivateKey*) privateKeyWithDigest: (MYSHA1Digest*)pubKeyDigest;

/** Enumerates all key-pairs in the keychain.

    (This method does not find keys embedded in certificates, only 'bare' keys.) */

- (NSEnumerator*) enumeratePrivateKeys;

#pragma mark -

#pragma mark METHODS NOT SUPPORTED ON IPHONE:

/** @name Mac-Only

 *  Functionality not available on iPhone. 

 */

//@{

#if !TARGET_OS_IPHONE

/** Sets whether the keychain is allowed to pop up panels to interact with the user,

    for example to ask for permission to access keys. If user interaction is not

    allowed, all such requests will fail. */

+ (void) setUserInteractionAllowed: (BOOL)allowed;

/** Enumerates all public keys in the keychain that have the given alias string. */

- (NSEnumerator*) symmetricKeysWithAlias: (NSString*)alias;

/** Enumerates all public keys in the keychain that have the given alias string. */

- (NSEnumerator*) publicKeysWithAlias: (NSString*)alias;

- (NSEnumerator*) enumerateIdentitiesWithKeyUsage: (CSSM_KEYUSE)keyUsage;

/** Imports a key-pair into the keychain, given the external representations

    of both the public and private keys.

    Since the private key data is wrapped (encrypted), the Security agent will prompt the user to enter

    the passphrase. */

- (MYPrivateKey*) importPublicKey: (NSData*)pubKeyData 

                       privateKey: (NSData*)privKeyData;

/** Imports a key-pair into the keychain, given the external representations

    of both the public and private keys.

    Since the private key data is wrapped (encrypted), the Security agent will prompt the user to enter

    the passphrase. You can specify the title and prompt message for this alert panel. */

- (MYPrivateKey*) importPublicKey: (NSData*)pubKeyData 

                       privateKey: (NSData*)privKeyData

                       alertTitle: (NSString*)title

                      alertPrompt: (NSString*)prompt;

/** Adds a certificate to this keychain. (It must not already belong to a keychain.) */

- (BOOL) addCertificate: (MYCertificate*)certificate;

/** Imports a certificate into the keychain, given its external representation. */

- (MYCertificate*) importCertificate: (NSData*)data

                                type: (CSSM_CERT_TYPE) type

                            encoding: (CSSM_CERT_ENCODING) encoding;

//@}

#else

/** @name iPhone-Only

 *  Functionality only available on iPhone. 

 */

//@{

- (BOOL) removeAllCertificates;

- (BOOL) removeAllKeys;

//@}

#endif

/** @name Expert (Mac-Only)

 *  Advanced functionality, not available on iPhone. 

 */

//@{

#if !TARGET_OS_IPHONE

/** Creates a MYKeychain for an existing SecKeychainRef. */

- (id) initWithKeychainRef: (SecKeychainRef)keychainRef;

/** Opens a keychain file. */

+ (MYKeychain*) openKeychainAtPath: (NSString*)path;

/** Creates a new keychain file. */

+ (MYKeychain*) createKeychainAtPath: (NSString*)path

                        withPassword: (NSString*)password;

/** Closes and deletes the keychain's file. You should not use this object any more. */

- (BOOL) deleteKeychainFile;

/** Returns the underlying SecKeychainRef for this keychain.

    This will be NULL for the special allKeychains instance, because it doesn't

    represent a single specific keychain. To handle that case, use the

    keychainRefOrDefault property instead. */

@property (readonly) SecKeychainRef keychainRef;

/** Returns the underlying SecKeychainRef for this keychain.

    The special allKeychains instance returns a reference to the default keychain,

    as a convenience. */

@property (readonly) SecKeychainRef keychainRefOrDefault;

/** The path of this keychain's file. */

@property (readonly) NSString* path;

/** The underlying CSSM storage handle; used when calling CSSM APIs. */

@property (readonly) CSSM_CSP_HANDLE CSPHandle;

#endif

//@}

@end