Apple Keychain-backed KeyStore (MVP, ECDSA P‑256)

[ariawisp]

Summary

• Adds a new module cryptography-provider-apple-keychain that implements the experimental KeyStore API on Apple platforms using Security.framework and the Data Protection Keychain. This MVP focuses on ECDSA P‑256 key lifecycle and DER signatures. RSA and AES are stubbed for follow-ups.

Dependency

• Depends on Add experimental storage API module (KeyStore, AccessPolicy, KeyAttributes) #119. Please merge that first; this PR is based on it and will rebase cleanly afterward.

What’s included

• New module: cryptography-provider-apple-keychain
  • AppleKeyStore implements KeyStore:
    • ECDSA P‑256 AsymmetricStore with generate/get/exists/delete
    • Maps AccessPolicy → SecAccessControlCreateWithFlags and accessibility classes; uses kSecMatchLimitOne and kSecUseDataProtectionKeychain.
    • Stores non-extractable private keys (kSecAttrIsPermanent = true); public key export allowed.
  • ECDSA key wrappers (DER signatures only in MVP):
    • Sign with SecKeyCreateSignature, verify with SecKeyVerifySignature.
    • Private key export throws; public key export supports RAW point and minimal SPKI DER encoder; PEM wrapper helper.
• Tests: AppleKeyStoreEcdsaTest (generate → sign/verify → delete) on Apple targets.
  • Test runs on macOS only (src/macosArm64Test) to avoid simulator keychain variability.
  • Uses cryptography-provider-base NSData helpers for safe bridging; minimal local CF bridging utilities for CFDataRef interop.
• Build integration
  • Module added to settings and project map.
  • ABI baselines under cryptography-providers/apple-keychain/api/.

Design notes

• Keys are persisted in the Data Protection Keychain (kSecUseDataProtectionKeychain=true) with kSecMatchLimitOne for lookups.
• Note: DP Keychain is disabled by default to ensure reliable local/CI runs. Enable via CKP_USE_DP_KEYCHAIN=1 if you want to exercise that path locally.
• Labels: binary-safe label is stored in kSecAttrApplicationTag; optional human-readable kSecAttrLabel is omitted in MVP for compatibility.
• Access policy: presence-gating via kSecAccessControlUserPresence; accessibility class as requested; ECDSA P‑256 is implicit for ECSECPrimeRandom in MVP.
• Private keys are non-extractable; public key export is supported for verification and distribution.

Out of scope for this PR

• RSA (PSS/PKCS1/OAEP) and AES stores — to land in follow-ups.
• Ed25519/X25519 stores — will follow after core EdDSA/XDH PRs are merged upstream; may be feature-flagged initially.
• Per-operation authentication contexts (e.g., LAContext) and attestation flows.

Testing & CI

• Adds host tests for Apple (ECDSA P‑256 lifecycle and DER sign/verify). Presence-gated flows remain opt-in via AccessPolicy and are not required for CI.

Risk & compatibility

• Fully additive provider module. Depends on the experimental storage API (cryptography-storage).
• Uses Security.framework APIs with correct CFRef lifecycles and provider-base bridging; no private key export.

Related issues

• Relates-to: Key and certificates management and storage #19 (Key and certificates management and storage)
  • Provides an Apple Keychain implementation of the new KeyStore API.
• Relates-to: Architecture surrounding keys #63 (Architecture surrounding keys)
  • Complements the storage API groundwork. Common key supertypes remain a separate, optional PR.

Notes for reviewers

• Focus is to land ECDSA P‑256 storage reliably, with correct Keychain semantics and DER signatures. Additional algorithms and features can be layered in subsequent PRs.