Support user-defined generic password options/attributes. #220

Merged 1 commit on Dec 18, 2024

@tmpfs (Contributor) commented Dec 15, 2024

This is a quick sketch to discuss support for custom attributes/options when creating generic passwords.

The desire is to be able to support more complex use cases such as specifying kSecAccessControl, kSecAccessGroup etc. for a generic password.

Currently I've added this as an additional set_generic_password_options() function so as not to introduce any breaking changes, but ultimately I think a builder-style API for PasswordOptions would be more ergonomic. Perhaps:

let options = PasswordOptions::builder()
  .service("com.example")
  .account("user-id")
  .password("mock-password")
  .access_control(AccessControlOptions::USER_PRESENCE)
  .access_group("com.example.shared-keychain-group")
  .build()
  .unwrap();  // Panic here as kSecAccessControl and kSecAccessGroup are mutually exclusive?

Then we could make the breaking change that set_generic_password() just accepts PasswordOptions and the password and wouldn't need the additional function if that is acceptable for the next major release.

I notice in #186 there are other people that would also like to be able to use kSecAccessControl with SecItemAdd so I think it makes sense that we support the other attributes too.

Your thoughts and feedback would be appreciated 🙏

Closes #219

@crashdump (Contributor)

Just for info, in the key management side of things, the pattern is to use a GenerateOptions struct which contains all your parameters, such as access control, etc.

pub fn new(options: &GenerateKeyOptions) -> Result<Self, CFError> {

pub struct GenerateKeyOptions {
    /// kSecAttrKeyType
    pub key_type: Option<KeyType>,
    /// kSecAttrKeySizeInBits
    pub size_in_bits: Option<u32>,
    /// kSecAttrLabel
    pub label: Option<String>,
    /// kSecAttrTokenID
    pub token: Option<Token>,
    /// Which keychain to store the key in, if any.
    pub location: Option<Location>,
    /// Access control
    pub access_control: Option<SecAccessControl>,
}

Parameter validation is implemented in the GenerateKeyOptions::to_dictionary() method.
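
A stand-alone model of the two ideas in this thread, added here as an example and not code from this pull request or the project: the builder from the first comment, with validation done in a to_dictionary() method as described for GenerateKeyOptions, so a bad combination comes back as an error instead of a panic. The AccessControl and OptionsError types are hypothetical, attribute names are plain strings rather than Security.framework constants, and the access-control/access-group conflict is modelled only because the first comment raises it as a question; it is an assumption, not a confirmed rule.

```rust
// Stand-alone model: attribute names are plain strings, nothing calls Security.framework.
// AccessControl and OptionsError are hypothetical types made up for this example.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum AccessControl { UserPresence }

#[derive(Debug, PartialEq)]
pub enum OptionsError { MissingService, MissingAccount, ConflictingAccess }

// The password is deliberately not a field, so Debug output can never leak it.
#[derive(Debug, Default)]
pub struct PasswordOptions {
    service: Option<String>,
    account: Option<String>,
    access_control: Option<AccessControl>,
    access_group: Option<String>,
}

impl PasswordOptions {
    pub fn builder() -> Self { Self::default() }
    pub fn service(mut self, s: &str) -> Self { self.service = Some(s.into()); self }
    pub fn account(mut self, a: &str) -> Self { self.account = Some(a.into()); self }
    pub fn access_control(mut self, c: AccessControl) -> Self { self.access_control = Some(c); self }
    pub fn access_group(mut self, g: &str) -> Self { self.access_group = Some(g.into()); self }

    /// Validate, then emit the attribute pairs an add-item query would carry.
    pub fn to_dictionary(&self) -> Result<Vec<(&'static str, String)>, OptionsError> {
        let service = self.service.clone().ok_or(OptionsError::MissingService)?;
        let account = self.account.clone().ok_or(OptionsError::MissingAccount)?;
        // Assumption: the conflict the PR comment asks about, kept to show the error path.
        if self.access_control.is_some() && self.access_group.is_some() {
            return Err(OptionsError::ConflictingAccess);
        }
        let mut d = vec![
            ("kSecClass", "kSecClassGenericPassword".to_string()),
            ("kSecAttrService", service),
            ("kSecAttrAccount", account),
        ];
        if let Some(c) = self.access_control { d.push(("kSecAttrAccessControl", format!("{c:?}"))); }
        if let Some(g) = &self.access_group { d.push(("kSecAttrAccessGroup", g.clone())); }
        Ok(d)
    }
}

fn main() {
    let both = PasswordOptions::builder().service("com.example").account("user-id")
        .access_control(AccessControl::UserPresence)
        .access_group("com.example.shared-keychain-group");
    println!("{:?}", both.to_dictionary()); // the caller sees an Err, nothing panics
}
```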

@kornelski kornelski merged commit 878034e into kornelski:main Dec 18, 2024
6 checks passed
@kornelski (Owner)

Thanks
