The primary keys are as follows (derived from open source files from Apple, see Schema.m4, KeySchema.m4 and SecItem.cpp):
- For a keychain item of class `kSecClassGenericPassword`, the primary key is the combination of `kSecAttrAccount` and `kSecAttrService`.
- For a keychain item of class `kSecClassInternetPassword`, the primary key is the combination of `kSecAttrAccount`, `kSecAttrSecurityDomain`, `kSecAttrServer`, `kSecAttrProtocol`, `kSecAttrAuthenticationType`, `kSecAttrPort` and `kSecAttrPath`.
- For a keychain item of class `kSecClassCertificate`, the primary key is the combination of `kSecAttrCertificateType`, `kSecAttrIssuer` and `kSecAttrSerialNumber`.
- For a keychain item of class `kSecClassKey`, the primary key is the combination of `kSecAttrApplicationLabel`, `kSecAttrApplicationTag`, `kSecAttrKeyType`, `kSecAttrKeySizeInBits`, `kSecAttrEffectiveKeySize`, and the creator, start date and end date which are not exposed by SecItem yet.
- For a keychain item of class `kSecClassIdentity` I haven’t found info on the primary key fields in the open source files, but as an identity is the combination of a private key and a certificate, I assume the primary key is the combination of the primary key fields for `kSecClassKey` and `kSecClassCertificate`.
As each keychain item belongs to a keychain access group, it feels like the keychain access group (field `kSecAttrAccessGroup`) is an added field to all these primary keys.
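What the generic-password primary key means in practice, as an added Swift example that is not part of the original text: a second `SecItemAdd` with the same `kSecAttrService` and `kSecAttrAccount` fails with `errSecDuplicateItem` even when other attributes differ, so a store routine has to fall back to `SecItemUpdate` keyed on exactly those two attributes. The function names and the service and account values are hypothetical.

```swift
import Foundation
import Security

/// Builds a query containing only the primary-key attributes of a generic password.
func genericPasswordKey(service: String, account: String) -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
}

/// Adds the secret, or overwrites the item that already holds this primary key.
func upsertGenericPassword(service: String, account: String,
                           secret: Data, label: String) -> OSStatus {
    let key = genericPasswordKey(service: service, account: account)

    var addQuery = key
    addQuery[kSecValueData as String] = secret
    addQuery[kSecAttrLabel as String] = label   // not part of the primary key

    let status = SecItemAdd(addQuery as CFDictionary, nil)
    guard status == errSecDuplicateItem else { return status }

    // Same service + account already stored: update it in place.
    let changes: [String: Any] = [
        kSecValueData as String: secret,
        kSecAttrLabel as String: label,
    ]
    return SecItemUpdate(key as CFDictionary, changes as CFDictionary)
}

func demo() {
    let service = "com.example.keychain-demo"   // constructed sample value
    let account = "alice"                       // constructed sample value
    let key = genericPasswordKey(service: service, account: account)
    SecItemDelete(key as CFDictionary)          // start from a clean state

    print("first store:", upsertGenericPassword(service: service, account: account,
          secret: Data("v1".utf8), label: "first") == errSecSuccess)

    // A plain add with a different label still collides on the primary key.
    var second = key
    second[kSecValueData as String] = Data("v2".utf8)
    second[kSecAttrLabel as String] = "second"
    print("duplicate:", SecItemAdd(second as CFDictionary, nil) == errSecDuplicateItem)

    print("upsert:", upsertGenericPassword(service: service, account: account,
          secret: Data("v2".utf8), label: "second") == errSecSuccess)
    SecItemDelete(key as CFDictionary)          // remove the demo item
}

demo()
```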