gitwtfhub

wtf is corecrypto?

apple/corecrypto — explained in plain English

Analysis updated 2026-05-18

138C++Audience · researcherComplexity · 5/5LicenseSetup · hard

TL;DR

Apple's low-level cryptography library that underlies iOS and macOS security features, published for research and verification, not for reuse in other products.

Mindmap

mindmap
  root((corecrypto))
    What it does
      Core crypto primitives
      Powers Security framework
      Powers CryptoKit
      Secure boot support
    Tech stack
      C++
      Xcode build
      Kernel and user space
    Use cases
      Security research
      Formal verification
      Regulatory review
    Audience
      Security researchers
      Auditors

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Inspect how Apple implements core cryptographic primitives used across its operating systems.

REASON 2

Study the formal verification work done on post-quantum cryptography algorithms.

REASON 3

Verify security claims for compliance or regulatory review.

What's in the stack?

C++Xcode

How it stacks up

apple/corecryptodanking6/veltocfaldyrd/auto-2026
Stars138152157
LanguageC++C++C++
Setup difficultyhardmoderateeasy
Complexity5/53/51/5
Audienceresearchergeneralgeneral

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · hard Time to first run · 1day+

Requires Xcode command-line tools on macOS and is intended for inspection rather than integration into other software.

Source is provided only for internal verification and security review, not licensed for redistribution or use in other products.

Wtf does this do

Corecrypto is Apple's low-level cryptography library, the code that sits underneath the security and encryption features you use on every Apple device. It provides the building blocks for things like encrypted messages, secure boot, and cryptographic verification. Apple's own Security framework, CryptoKit, and CommonCrypto all call into this library, but app developers never use corecrypto directly. Apple published the source code primarily so that security researchers and regulators can inspect it and verify that the implementations are correct. The goal on the engineering side is to provide fast, minimal math and cryptography routines that work in many contexts: the operating system kernel, the bootloader that runs before the OS starts, and regular user-space programs. The library is designed so that each module is self-contained and a user of the library only pulls in the routines they actually need. Building the library on macOS requires Xcode's command-line build tool. The repository includes a subdirectory for formal verification, which means the correctness of certain algorithms has been checked using a mathematical proof assistant rather than just testing. A technical overview document in that folder covers formal verification work done on two post-quantum cryptography standards in 2026. The license is restrictive: the code is available only for internal verification and security review, not for redistribution or use in other products. Apple is not accepting outside code contributions. Security vulnerabilities should be reported through Apple's security disclosure process rather than through GitHub issues.

Yoink these prompts

Prompt 1
Explain what corecrypto does and where it sits in Apple's security stack.
Prompt 2
What does the formal verification subdirectory in corecrypto cover?
Prompt 3
How do I build corecrypto on macOS with Xcode's command-line tools?
Prompt 4
What are the license restrictions on using code from corecrypto?

Frequently asked questions

wtf is corecrypto?

Apple's low-level cryptography library that underlies iOS and macOS security features, published for research and verification, not for reuse in other products.

What language is corecrypto written in?

Mainly C++. The stack also includes C++, Xcode.

What license does corecrypto use?

Source is provided only for internal verification and security review, not licensed for redistribution or use in other products.

How hard is corecrypto to set up?

Setup difficulty is rated hard, with roughly 1day+ to a first successful run.

Who is corecrypto for?

Mainly researcher.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.