To generate key pair I am using Secure Enclave (kSecAttrTokenIDSecureEnclave). When trying to access generated key pair, iOS system, asks for TouchID. Below is code snapshot how I am generating and accessing key pair.
Is here a way to setup properties/attributes, that Secure Enclave functionality will be able to use without TouchID and Passcode?
Generate key pair:
SecAccessControlRef sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
kSecAttrAccessibleWhenUnlocked,
kSecAccessControlUserPresence | kSecAccessControlPrivateKeyUsage, &error);
NSDictionary *parameters = #{
(__bridge id)kSecAttrTokenID: (__bridge id)kSecAttrTokenIDSecureEnclave,
(__bridge id)kSecAttrKeyType: (__bridge id)kSecAttrKeyTypeEC,
(__bridge id)kSecAttrKeySizeInBits: #256,
(__bridge id)kSecPrivateKeyAttrs: #{
(__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacObject,
(__bridge id)kSecAttrIsPermanent: #YES,
(__bridge id)kSecAttrLabel: #“SecKey”,
},
};
SStatus status = SecKeyGeneratePair((__bridge CFDictionaryRef)parameters, &publicKey, &privateKey);
Access key pair:
NSDictionary *query = #{
(__bridge id)kSecClass: (__bridge id)kSecClassKey,
(__bridge id)kSecAttrKeyClass: (__bridge id)kSecAttrKeyClassPrivate,
(__bridge id)kSecAttrLabel: #"SecKey",
(__bridge id)kSecReturnRef: #YES
};
OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&privateKey);
This code is taken form Apple examples KeychainTouchID. By removing kSecAccessControlTouchIDAny it is possible to generate private key inside secure enclave and later use it without entering a passcode.
SecAccessControlRef sacObject;
// Should be the secret invalidated when passcode is removed? If not then use `kSecAttrAccessibleWhenUnlocked`.
sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
/*kSecAccessControlTouchIDAny |*/ kSecAccessControlPrivateKeyUsage, &error);
// Create parameters dictionary for key generation.
NSDictionary *parameters = #{
(__bridge id)kSecAttrTokenID: (__bridge id)kSecAttrTokenIDSecureEnclave,
(__bridge id)kSecAttrKeyType: (__bridge id)kSecAttrKeyTypeEC,
(__bridge id)kSecAttrKeySizeInBits: #256,
(__bridge id)kSecPrivateKeyAttrs: #{
(__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacObject,
(__bridge id)kSecAttrIsPermanent: #YES,
(__bridge id)kSecAttrLabel: #"my-se-key",
},
};
Related
I'm developing a react-native app using https://github.com/oblador/react-native-keychain to save and get things from keychain.
The things stored in keychain (and some other things) should be accessible from all our apps. So in xcode under capabilities I have activated an app-group "group.something.test".
I'm using setGenericPassword function of react-native-keychain like this:
await Keychain.setGenericPassword(
'a username',
'a password',
{
service: 'a userId',
accessible: Keychain.ACCESSIBLE.ALWAYS,
accessGroup: 'group.something.test',
accessControl: Keychain.ACCESS_CONTROL.DEVICE_PASSCODE
}
);
In the native module this will store it to the keychain something like this:
SecAccessControlRef sacRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
kSecAttrAccessibleAlways,
kSecAccessControlDevicePasscode,
&error);
NSDictionary *attributes = attributes = #{
(__bridge NSString *)kSecClass: (__bridge id)(kSecClassGenericPassword),
(__bridge NSString *)kSecAttrService: service,
(__bridge NSString *)kSecAttrAccount: username,
(__bridge NSString *)kSecValueData: [password dataUsingEncoding:NSUTF8StringEncoding],
(__bridge NSString *)kSecAttrAccessControl] = (__bridge id)sacRef,
(__bridge NSString *)kSecAttrAccessGroup] = accessGroup;
};
...
OSStatus osStatus = SecItemAdd((__bridge CFDictionaryRef) attributes, NULL);
...
And keychain items are retrieved in the following way:
await Keychain.getGenericPassword({ service: 'a userId' });
Which will will run the following native code:
NSDictionary *query = #{
(__bridge NSString *)kSecClass: (__bridge id)(kSecClassGenericPassword),
(__bridge NSString *)kSecAttrService: service,
(__bridge NSString *)kSecReturnAttributes: (__bridge id)kCFBooleanTrue,
(__bridge NSString *)kSecReturnData: (__bridge id)kCFBooleanTrue,
(__bridge NSString *)kSecMatchLimit: (__bridge NSString *)kSecMatchLimitOne,
(__bridge NSString *)kSecUseOperationPrompt:#"Authenticate to retrieve secret"
};
CFTypeRef foundTypeRef = NULL;
OSStatus osStatus = SecItemCopyMatching((__bridge CFDictionaryRef) query, (CFTypeRef*)&foundTypeRef);
This works fine in the first app, I can store and retrieve an item from the keychain.
When I deploy a second app through xcode by just changing Display name and Bundle identifier to something different it also works. I can retrieve the key saved by the first app.
However if I now go back to the first app and try to retrieve the keychain item osStatus is -25308 (errSecInteractionNotAllowed).
If I uninstall the second app, it will start working in the first app again.
What am I doing wrong? Is there something more I need to do in the project settings?
I have also tried with keychain group capability, having the same keychain group as the first index in the keychain groups array, using that id as kSecAttrAccessGroup.
I am using the following code to remove saved keychain data from my App.
for (id secclass in #[
(__bridge id)kSecClassGenericPassword,
(__bridge id)kSecClassInternetPassword,
(__bridge id)kSecClassCertificate,
(__bridge id)kSecClassKey,
(__bridge id)kSecClassIdentity]) {
NSMutableDictionary *query = [NSMutableDictionary dictionaryWithObjectsAndKeys:
secclass, (__bridge id)kSecClass,
nil];
SecItemDelete((__bridge CFDictionaryRef)query);
}
This works well, but I'm not sure if this deletes keychain data for other apps,sites,ect..
I don't think it does, but I am not too sure. Please let me know.
If it did, that would be a huge security problem.
(It doesn't. You're fine.)
I don't find the information regarding such error code when calling SecItemAdd, what could be causing it?
Thanks in advance
EDIT: This is the function where I get the error:
+ (BOOL)storeWithKey:(NSString *)keyStr withValueStr:(NSString *)valueStr
{
if ((keyStr != nil) && (![keyStr isEqualToString:#""]) &&
(valueStr != nil) && (![valueStr isEqualToString:#""])) {
NSData *valueData = [valueStr dataUsingEncoding:NSUTF8StringEncoding];
NSString *service = [[NSBundle mainBundle] bundleIdentifier];
NSDictionary *secItem = #{(__bridge id)kSecClass : (__bridge id)kSecClassInternetPassword,
(__bridge id)kSecAttrService : service,
(__bridge id)kSecAttrAccount : keyStr,
(__bridge id)kSecValueData : valueData};
CFTypeRef result = NULL;
// Store value and get the result code
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)secItem, &result);
NSLog(#"'writeToKeychain'. %#", [self getErrorMessage:status]);
return [self checkIfInKeychain:status];
}
else {
return NO;
}
}
-50 means One or more parameters passed to a function were not valid. You're wrong combination of parameters.
If you use kSecAttrService and kSecAttrAccount, kSecClass should be kSecClassGenericPassword.
NSDictionary *secItem = #{(__bridge id)kSecClass : (__bridge id)kSecClassGenericPassword,
(__bridge id)kSecAttrService : service,
(__bridge id)kSecAttrAccount : keyStr,
(__bridge id)kSecValueData : valueData};
If you use kSecClassInternetPassword as kSecClass, you should use kSecAttrServer and kSecAttrPort (If needed) instead kSecAttrService.
NSDictionary *secItem = #{(__bridge id)kSecClass : (__bridge id)kSecClassInternetPassword,
(__bridge id)kSecAttrServer : #"example.com",
(__bridge id)kSecAttrPort : #(80), // Optional
(__bridge id)kSecAttrAccount : keyStr,
(__bridge id)kSecValueData : valueData};
The documentation for the error codes are in the Security/SecBase.h file. You can find them at the end.
You can also find them referenced by the documentation to SecItemAdd. https://developer.apple.com/library/ios/documentation/Security/Reference/keychainservices/#//apple_ref/doc/uid/TP30000898-CH5g-CJBEABHG
I've been looking all around but still not found the answer. Any idea how to return all kSecAttrAccounts from keychain? I would like to get back a list of every identifier I used when creating keychain items, then to choose the one I want to delete it using a "[KeychainWrapper deleteItemFromKeychainWithIdentifier:identifier] method".
It works fine when I remember the username (identifier) I used when creating the account but cannot figure out how to have them all back when you created lots of them.
I tried a kind of basic [dictionary objectForKey:(__bridge(id)kSecAttrAccount)] but it does not make it.
Thanks a lot!!
Tricho
Use kSecMatchLimitAll to get all values in your query dictionary for kSecMatchLimit
(__bridge id)kSecMatchLimitAll, (__bridge id)kSecMatchLimit
It will fetch all passwords in keychain for kSecClassGenericPassword.You can use other keychain classes as well like this
NSMutableDictionary *query = [NSMutableDictionary dictionaryWithObjectsAndKeys:
(__bridge id)kCFBooleanTrue, (__bridge id)kSecReturnAttributes,
(__bridge id)kSecMatchLimitAll, (__bridge id)kSecMatchLimit,
(__bridge id)kSecClassGenericPassword, (__bridge id)kSecClass, //change your class in query
nil];
CFTypeRef result = NULL;
SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
NSLog(#"%#", (__bridge id)result);
if (result != NULL) CFRelease(result);
EDIT : For delting all keys of your app you can use
+(void)deleteAllKeychainItems{
NSArray *secItemClasses = #[(__bridge id)kSecClassGenericPassword,
(__bridge id)kSecClassInternetPassword,
(__bridge id)kSecClassCertificate,
(__bridge id)kSecClassKey,
(__bridge id)kSecClassIdentity];
for (id secItemClass in secItemClasses) {
NSDictionary *spec = #{(__bridge id)kSecClass:secItemClass};
SecItemDelete((__bridge CFDictionaryRef)spec);
}
}
It will delete all keychain items including all accounts password or values associated.
I'm struggling with iOS keychain and i can't seem to find any good documentation.
Anyway, I have two apps, and basically all i want to do is share some data in the keychain and keep some data private so that the other app cannot access it.
I've tried to implement the KeychainItemWrapper provided by Apple, but this is simply not working. I have no issue sharing data, but if i don't set an access group, the data is still shared. I working with a device not the simulator, which could lead to the same problems.
Here is my code
App 1 :
KeychainItemWrapper *item = [[KeychainItemWrapper alloc] initWithIdentifier:#"SharedKeyChainApp" accessGroup:nil];
[item setObject:#"MyAccount" forKey:(__bridge id)kSecAttrAccount];
[item setObject:#"SecureValue" forKey:(__bridge id)kSecValueData];
App 2 :
KeychainItemWrapper *keychain = [[KeychainItemWrapper alloc] initWithIdentifier:#"SharedKeyChainApp" accessGroup:nil];
NSString *data = [keychain objectForKey:(__bridge id)kSecValueData];
NSLog(#"data is : %#",data); //Prints "data is : SecureValue"
If I remove in project properties my keychain group in one or the other app, it won't print anything. But obviously i'm not able to share data between those two apps anymore.
Thanks
If it's a shared keychain then it's shared. All the data in it will be accessible to any other app which can access the keychain.
You could:
Create 2 keychain. One shared and one private. Sharable stuff goes in shared, private stuff goes in private.
Encrypt data you won't want to to share with others.
I'd probably go with the first. IMHO, KeychainItemWrapper is pretty poor as grab and use code. It's old code which provides little in the way of functionality. I'm attaching a quick and dirty bit of code I wrote to play with and test out using the key chain functionality without KeychainItemWrapper. In this case I was playing with items both in "app" and "Security" to create some shared and non-shared items. You can't really tell that here since it's just some test code and sharing is under Targets->Capabilities->Keychain Sharing.
- (void)viewDidLoad {
[super viewDidLoad];
// [self removeKeychainItem];
// [self addKeychainItem];
[self searchForKeychainItems];
}
- (void)searchForKeychainItems {
[self log:#"\n\n EXISTING KEYCHAIN ITEM(S)"];
NSDictionary *query = #{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
(__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitAll,
(__bridge id)kSecReturnData: (__bridge id)kCFBooleanTrue, // returns password
(__bridge id)kSecReturnAttributes: (__bridge id)kCFBooleanTrue, // returns rest of data
// (__bridge id)kSecAttrAccessGroup: #"AAAAAAAAAA.com.foo.Security"
// (__bridge id)kSecAttrAccessGroup: #"AAAAAAAAAA.com.foo.app"
};
OSStatus resultCode;
CFArrayRef *searchResults = nil;
resultCode = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&searchResults);
NSArray *foo = CFBridgingRelease(searchResults);
[self log:[NSString stringWithFormat:#"Search result code: %d", (int)resultCode]];
[self log:[NSString stringWithFormat:#"Search Results: %#", foo]];
NSDictionary *keychainItem = foo[0];
NSString *password = [[NSString alloc] initWithData:[keychainItem objectForKey:(__bridge id)kSecValueData] encoding:NSUTF8StringEncoding];
[self log:[NSString stringWithFormat:#"password is `%#`", password]];
}
- (void)addKeychainItem {
[self log:#"\n\n ADDING KEYCHAIN ITEM"];
NSDictionary *genericDataDictionary = #{#"authState": #"1",
#"lastAuthDate": #"2/11/2014",
#"otherCrap": #"poo"};
NSData *encodedGenericData = [NSKeyedArchiver archivedDataWithRootObject:genericDataDictionary];
NSData *encodedPassword = [#"secret" dataUsingEncoding:NSUTF8StringEncoding];
NSDictionary *query = #{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
(__bridge id)kSecAttrCreator: #"MyCom",
(__bridge id)kSecAttrComment: #"keychain tests",
(__bridge id)kSecAttrService: #"Credentials",
(__bridge id)kSecAttrAccount: #"username",
(__bridge id)kSecValueData: encodedPassword,
(__bridge id)kSecAttrGeneric: encodedGenericData,
(__bridge id)kSecAttrAccessGroup: #"AAAAAAAAAA.com.foo.Security"
};
OSStatus result;
result = SecItemAdd((__bridge CFDictionaryRef)query, NULL);
NSLog(#"Add status code: %d", (int)result);
}
- (void)removeKeychainItem {
[self log:#"\n\n REMOVING KEYCHAIN ITEM"];
NSDictionary *query = #{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
// (__bridge id)kSecAttrCreator: #"MyCom",
// (__bridge id)kSecAttrService: #"Credentials",
(__bridge id)kSecAttrComment: #"New Keychain standards Test Item",
// (__bridge id)kSecAttrAccount: #"username",
// (__bridge id)kSecValueData: [#"password" dataUsingEncoding:NSUTF8StringEncoding],
// (__bridge id)kSecAttrGeneric: encodedGenericData
// (__bridge id)kSecAttrAccessGroup: #"AAAAAAAAAA.com.foo.Security"
};
OSStatus resultsCode;
resultsCode = SecItemDelete((__bridge CFDictionaryRef)query);
NSLog(#"Delete results code: %d", (int)resultsCode);
}
- (void)log:(NSString *)text {
self.textView.text = [[self.textView.text stringByAppendingString:text] stringByAppendingString:#"\n"];
}
One thing to be aware of is that you need to add both a private and a shared access group. The private access group should match the app's bundle ID and come before the shared one.
<dict>
<key>keychain-access-groups</key>
<array>
<string>$(AppIdentifierPrefix)<APP BUNDLE ID></string>
<string>$(AppIdentifierPrefix)com.mybusiness.shared</string>
</array>
</dict>
If you only add a single named access group then this will be the default for all keychain items effectively sharing everything.