Security Framework Error Codes

Q: When calling various Security Framework routines I have noticed return values that are not explicitly documented by the Security API. What do these error values mean?

A: The Security framework can return an error from three distinct categories:

  • An OSStatus error, e.g., errSecNoSuchKeychain (-25294).

  • A UNIX errno-style error code + 100000, e.g., EINVAL (22) + 100000.

  • An error from Common Security Services Manager (CSSM), one of the technologies that underlies the Security framework, e.g., CSSM_ADDIN_AUTHENTICATE_FAILED (0x8001011c).

General OSStatus-style error codes can be found in MacErrors.h. Security related OSStatus-style error codes are defined in various headers within the Security framework: SecBase.h, AuthSession.h, SecureTransport.h, and Authorization.h.

All errno-style error codes are listed in /usr/include/sys/errno.h.

CSSM errors are listed in cssmerr.h. In addition, you can get a human readable form of CSSM errors using cssmPerror, provided by the Security framework, in order to translate a received CSSM error value into its canonical name. Below is an example call within a gdb session:

(gdb) call (void)cssmPerror(0, 0x8001011c)
error: CSSM_ADDIN_AUTHENTICATE_FAILED
(gdb) call (void)cssmPerror(0, 2147549468)
error: CSSM_ADDIN_AUTHENTICATE_FAILED

Note: The Security framework adds 100000 to errno-style error codes so that the returned values will not collide with existing OSStatus values.

Document Revision History

DateNotes
2006-11-16First Version

Posted: 2006-11-16

Did this document help you?
Yes: Tell us what works for you.
It’s good, but: Report typos, inaccuracies, and so forth.
It wasn’t helpful: Tell us what would have helped.