Skip to content

Security macOS xcode16.0 b1

Rolf Bjarne Kvinge edited this page Aug 29, 2024 · 3 revisions

#Security.framework https://github.com/xamarin/xamarin-macios/pull/21152

diff -ruN /Applications/Xcode_15.4.0.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/CSCommon.h /Applications/Xcode_16.0.0-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/CSCommon.h
--- /Applications/Xcode_15.4.0.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/CSCommon.h	2024-04-19 06:11:21
+++ /Applications/Xcode_16.0.0-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/CSCommon.h	2024-05-30 02:43:42
@@ -31,13 +31,12 @@
 
 #include <CoreFoundation/CoreFoundation.h>
 #include <TargetConditionals.h>
+#include <stdint.h>
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
-#include <stdint.h>
-
 /*
  * Some macOS API's use the old style defined name CSSM_DATA and CSSM_OID.
  * These are just typedefs for SecAsn* which are available for iOS. We complete
@@ -245,6 +244,7 @@
 	kSecCSQuickCheck = 1 << 26,		/* (internal) */
 	kSecCSApplyEmbeddedPolicy = 1 << 25, /* Apply Embedded (iPhone) policy regardless of the platform we're running on */
 	kSecCSStripDisallowedXattrs = 1 << 24, /* Strip disallowed xattrs, such as com.apple.FinderInfo and com.apple.ResourceFork */
+    kSecCSMatchGuestRequirementInKernel = 1 << 23, /* Request matching the provided requirement in kernel against the running guest rather than on disk*/
 };
 
 
diff -ruN /Applications/Xcode_15.4.0.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecAccessControl.h /Applications/Xcode_16.0.0-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecAccessControl.h
--- /Applications/Xcode_15.4.0.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecAccessControl.h	2024-04-19 07:19:38
+++ /Applications/Xcode_16.0.0-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecAccessControl.h	2024-05-30 05:08:28
@@ -72,8 +72,11 @@
  Constraint: Device passcode
 
  @constant kSecAccessControlWatch
- Constraint: Watch
+ Deprecated, please use kSecAccessControlCompanion instead.
 
+ @constant kSecAccessControlCompanion
+ Constraint: Paired companion device
+ 
  @constant kSecAccessControlOr
  Constraint logic operation: when using more than one constraint, at least one of them must be satisfied.
  
@@ -94,7 +97,8 @@
     kSecAccessControlBiometryCurrentSet     API_AVAILABLE(macos(10.13.4), ios(11.3)) = 1u << 3,
     kSecAccessControlTouchIDCurrentSet      API_DEPRECATED_WITH_REPLACEMENT("kSecAccessControlBiometryCurrentSet", macos(10.12.1, 10.13.4), ios(9.0, 11.3)) = 1u << 3,
     kSecAccessControlDevicePasscode         API_AVAILABLE(macos(10.11), ios(9.0)) = 1u << 4,
-    kSecAccessControlWatch                  API_AVAILABLE(macos(10.15), ios(NA), macCatalyst(13.0)) = 1u << 5,
+    kSecAccessControlWatch                  API_DEPRECATED_WITH_REPLACEMENT("kSecAccessControlCompanion", macos(10.15, 15.0), ios(NA, NA), macCatalyst(13.0, 18.0)) = 1u << 5,
+    kSecAccessControlCompanion              API_AVAILABLE(macos(15.0), ios(18.0), macCatalyst(18.0)) = 1u << 5,
     kSecAccessControlOr                     API_AVAILABLE(macos(10.12.1), ios(9.0)) = 1u << 14,
     kSecAccessControlAnd                    API_AVAILABLE(macos(10.12.1), ios(9.0)) = 1u << 15,
     kSecAccessControlPrivateKeyUsage        API_AVAILABLE(macos(10.12.1), ios(9.0)) = 1u << 30,
diff -ruN /Applications/Xcode_15.4.0.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecCertificate.h /Applications/Xcode_16.0.0-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecCertificate.h
--- /Applications/Xcode_15.4.0.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecCertificate.h	2024-04-19 07:58:38
+++ /Applications/Xcode_16.0.0-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecCertificate.h	2024-05-30 10:29:26
@@ -200,6 +200,29 @@
 CFDataRef SecCertificateCopySerialNumberData(SecCertificateRef certificate, CFErrorRef *error)
     API_AVAILABLE(macos(10.13), ios(11.0), watchos(4.0), tvos(11.0));
 
+/*!
+ @function SecCertificateCopyNotValidBeforeDate
+ @abstract Obtain the starting date of the given certificate.
+ @param certificate The certificate from which to get values.
+ @result Returns the absolute time at which the given certificate becomes valid,
+ or NULL if this value could not be obtained. The caller must CFRelease the value returned.
+ */
+__nullable
+CFDateRef SecCertificateCopyNotValidBeforeDate(SecCertificateRef certificate)
+    API_AVAILABLE(macos(15.0), ios(18.0), watchos(11.0), tvos(18.0));
+
+/*!
+ @function SecCertificateCopyNotValidAfterDate
+ @abstract Obtain the expiration date of the given certificate.
+ @param certificate The certificate from which to get values.
+ @result Returns the absolute time at which the given certificate expires,
+ or NULL if this value could not be obtained. The caller must CFRelease the value returned.
+ */
+__nullable
+CFDateRef SecCertificateCopyNotValidAfterDate(SecCertificateRef certificate)
+    API_AVAILABLE(macos(15.0), ios(18.0), watchos(11.0), tvos(18.0));
+
+
 #if TARGET_OS_IPHONE
 /*!
  @function SecCertificateCopySerialNumber
diff -ruN /Applications/Xcode_15.4.0.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecImportExport.h /Applications/Xcode_16.0.0-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecImportExport.h
--- /Applications/Xcode_15.4.0.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecImportExport.h	2024-04-19 07:58:38
+++ /Applications/Xcode_16.0.0-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecImportExport.h	2024-05-30 05:08:28
@@ -647,8 +647,9 @@
     @enum Import/Export options
     @discussion Predefined key constants used when passing dictionary-based arguments to import/export functions.
     @constant kSecImportExportPassphrase Specifies a passphrase represented by a CFStringRef to be used when exporting to (or importing from) PKCS#12 format.
-     @constant kSecImportExportKeychain On OSX, specifies a keychain represented by a SecKeychainRef to be used as the target when importing from PKCS#12 format.
-     @constant kSecImportExportAccess On OSX, specifies an access represented by a SecAccessRef for the initial access (ACL) of a key imported from PKCS#12 format.
+    @constant kSecImportExportKeychain On macOS, specifies a keychain represented by a SecKeychainRef to be used as the target when importing from PKCS#12 format.
+    @constant kSecImportExportAccess On macOS, specifies an access represented by a SecAccessRef for the initial access (ACL) of a key imported from PKCS#12 format.
+    @constant kSecImportToMemoryOnly Specifies (with a value of kCFBooleanTrue) that items imported from PKCS#12 format should be kept in process memory only and not permanently stored in the keychain. This can be specified on either macOS or iOS, though it is already default behavior on iOS. If this key is provided, keychain-related import options are ignored since the keychain will not be used.
 */
 extern const CFStringRef kSecImportExportPassphrase
     API_AVAILABLE(macos(10.6), ios(2.0));
@@ -656,6 +657,8 @@
     API_AVAILABLE(macos(10.7), ios(NA));
 extern const CFStringRef kSecImportExportAccess
     API_AVAILABLE(macos(10.7), ios(NA));
+extern const CFStringRef kSecImportToMemoryOnly
+    API_AVAILABLE(macos(15.0), ios(18.0));
 
 /*!
     @enum Import/Export item description
@@ -698,6 +701,15 @@
      @result errSecSuccess in case of success. errSecDecode means either the
        blob can't be read or it is malformed. errSecAuthFailed means an
        incorrect password was supplied, or data in the container is damaged.
+     @discussion The normal behavior of this function is to import items into process
+       memory on iOS, and into the default keychain on macOS. You can modify this behavior
+       with entries in the options dictionary. To specify a file-based keychain and
+       legacy access control on macOS, provide kSecImportExportKeychain with a SecKeychainRef
+       value, and/or kSecImportExportAccess with a SecAccessRef value. In macOS 14 and later,
+       it is possible to specify the data protection keychain instead of a file-based keychain
+       by including kSecUseDataProtectionKeychain with a value of kCFBooleanTrue. Starting with
+       macOS 15 and iOS 18, kSecImportToMemoryOnly (with a value of kCFBooleanTrue) allows you
+       to skip importing to the keychain on macOS and explicitly specify iOS behavior.
 */
 OSStatus SecPKCS12Import(CFDataRef pkcs12_data, CFDictionaryRef options, CFArrayRef * __nonnull CF_RETURNS_RETAINED items)
      API_AVAILABLE(macos(10.6), ios(2.0));
diff -ruN /Applications/Xcode_15.4.0.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecItem.h /Applications/Xcode_16.0.0-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecItem.h
--- /Applications/Xcode_15.4.0.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecItem.h	2024-04-08 10:36:29
+++ /Applications/Xcode_16.0.0-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecItem.h	2024-05-30 04:52:57
@@ -851,6 +851,10 @@
     @constant kSecMatchSubjectContains Specifies a dictionary key whose value
         is a CFStringRef. If provided, returned certificates or identities
         will be limited to those containing this string in the subject.
+    @constant kSecMatchHostOrSubdomainOfHost Specifies a dictionary key whose value
+        is a CFStringRef. If provided, returned internet passwords will be limited to those which
+        have a server host that is equal to or a subdomain of this string. This filter only works on
+        the Data Protection Keychain on macOS.
     @constant kSecMatchSubjectStartsWith OS X only. Specifies a dictionary key whose value
         is a CFStringRef. If provided, returned certificates or identities
         will be limited to those with subject names that start with this string.
@@ -901,6 +905,8 @@
     API_AVAILABLE(macos(10.6), ios(2.0));
 extern const CFStringRef kSecMatchSubjectContains
     API_AVAILABLE(macos(10.6), ios(2.0));
+extern const CFStringRef kSecMatchHostOrSubdomainOfHost
+    API_AVAILABLE(macos(15.0), ios(18.0));
 extern const CFStringRef kSecMatchSubjectStartsWith
     API_AVAILABLE(macos(10.7), ios(NA));
 extern const CFStringRef kSecMatchSubjectEndsWith
diff -ruN /Applications/Xcode_15.4.0.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecProtocolTypes.h /Applications/Xcode_16.0.0-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecProtocolTypes.h
--- /Applications/Xcode_15.4.0.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecProtocolTypes.h	2024-04-19 07:58:38
+++ /Applications/Xcode_16.0.0-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecProtocolTypes.h	2024-05-30 05:04:36
@@ -99,17 +99,17 @@
  * @constant tls_ciphersuite_CHACHA20_POLY1305_SHA256
  */
 typedef CF_ENUM(uint16_t, tls_ciphersuite_t) {
-    tls_ciphersuite_RSA_WITH_3DES_EDE_CBC_SHA CF_SWIFT_NAME(RSA_WITH_3DES_EDE_CBC_SHA) = 0x000A,
+    tls_ciphersuite_RSA_WITH_3DES_EDE_CBC_SHA CF_ENUM_DEPRECATED(10_15, 15_0, 13_0, 18_0) CF_SWIFT_NAME(RSA_WITH_3DES_EDE_CBC_SHA) = 0x000A,
     tls_ciphersuite_RSA_WITH_AES_128_CBC_SHA CF_SWIFT_NAME(RSA_WITH_AES_128_CBC_SHA) = 0x002F,
     tls_ciphersuite_RSA_WITH_AES_256_CBC_SHA CF_SWIFT_NAME(RSA_WITH_AES_256_CBC_SHA) = 0x0035,
     tls_ciphersuite_RSA_WITH_AES_128_GCM_SHA256 CF_SWIFT_NAME(RSA_WITH_AES_128_GCM_SHA256) = 0x009C,
     tls_ciphersuite_RSA_WITH_AES_256_GCM_SHA384 CF_SWIFT_NAME(RSA_WITH_AES_256_GCM_SHA384) = 0x009D,
     tls_ciphersuite_RSA_WITH_AES_128_CBC_SHA256 CF_SWIFT_NAME(RSA_WITH_AES_128_CBC_SHA256) = 0x003C,
     tls_ciphersuite_RSA_WITH_AES_256_CBC_SHA256 CF_SWIFT_NAME(RSA_WITH_AES_256_CBC_SHA256) = 0x003D,
-    tls_ciphersuite_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA CF_SWIFT_NAME(ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA) = 0xC008,
+    tls_ciphersuite_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA CF_ENUM_DEPRECATED(10_15, 15_0, 13_0, 18_0) CF_SWIFT_NAME(ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA) = 0xC008,
     tls_ciphersuite_ECDHE_ECDSA_WITH_AES_128_CBC_SHA CF_SWIFT_NAME(ECDHE_ECDSA_WITH_AES_128_CBC_SHA) = 0xC009,
     tls_ciphersuite_ECDHE_ECDSA_WITH_AES_256_CBC_SHA CF_SWIFT_NAME(ECDHE_ECDSA_WITH_AES_256_CBC_SHA) = 0xC00A,
-    tls_ciphersuite_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA CF_SWIFT_NAME(ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) = 0xC012,
+    tls_ciphersuite_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA CF_ENUM_DEPRECATED(10_15, 15_0, 13_0, 18_0) CF_SWIFT_NAME(ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) = 0xC012,
     tls_ciphersuite_ECDHE_RSA_WITH_AES_128_CBC_SHA CF_SWIFT_NAME(ECDHE_RSA_WITH_AES_128_CBC_SHA) = 0xC013,
     tls_ciphersuite_ECDHE_RSA_WITH_AES_256_CBC_SHA CF_SWIFT_NAME(ECDHE_RSA_WITH_AES_256_CBC_SHA) = 0xC014,
     tls_ciphersuite_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 CF_SWIFT_NAME(ECDHE_ECDSA_WITH_AES_128_CBC_SHA256) = 0xC023,
Clone this wiki locally