How to add new SecTrustedApplicationRef to the ACL of a login keychain?

Let's say I have a login keychain item with an ACL that contains a trusted application list.

Now I want to add a new SecTrustedApplicationRef to this existing list, and hence update the ACL of this object.

Here are the steps I took, but it doesn't seem to be working:

  1. Retrieve the keychain item reference of the kSecClassGenericPassword object:

         // queryDictionary must ask for kSecReturnRef (and kSecReturnAttributes, since the
         // result is read back as a dictionary below) for the item reference to be returned
         CFDictionaryRef attributeDictionary = NULL;
         OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)queryDictionary, (CFTypeRef *)&attributeDictionary);

  2. Then get the existing access ref:

         NSDictionary *bridgedDict = (__bridge NSDictionary *)attributeDictionary;
         SecKeychainItemRef itemRef = (SecKeychainItemRef)CFBridgingRetain([bridgedDict objectForKey:(__bridge id)kSecValueRef]);

         SecAccessRef accessRef = NULL;

         status = SecKeychainItemCopyAccess(itemRef, &accessRef);

  3. Update this existing access ref by appending a new ACL that contains the new trusted apps info:

         SecACLRef newAcl = NULL;
         status = SecACLCreateWithSimpleContents(accessRef, (__bridge CFArrayRef)microsoftTrustedApps, (__bridge CFStringRef)tenantIdentifier, kSecKeychainPromptRequirePassphase, &newAcl);

  4. Finally, update the access ref using SecItemUpdate:

         NSMutableDictionary *origQuery = [NSMutableDictionary new];
         [origQuery setObject:tenantIdentifier forKey:(__bridge id)kSecAttrService];
         [origQuery setObject:(__bridge id)kSecClassGenericPassword forKey:(__bridge id)kSecClass];

         NSMutableDictionary *updateQuery = [NSMutableDictionary new];
         [updateQuery setObject:(__bridge id)accessRef forKey:(__bridge id)kSecAttrAccess];

         status = SecItemUpdate((__bridge CFDictionaryRef)origQuery, (__bridge CFDictionaryRef)updateQuery);

It does return errSecSuccess, and I get prompted for passphrase during SecItemUpdate, but the resultant login keychain object in keychain access still doesn't show the new app under "always allow access by these applications" under "Access Control" tab.

Any help would be appreciated. Thanks!

Is the app you’re trying to add from the same team as your app? Or is it from a different team? Or perhaps built in to macOS itself?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

So this is how I used to do it

a) Create trusted app object of the app that is creating the ACL using

SecTrustedApplicationCreateFromPath


b) Then I would create a trusted app object that would grant access to all Microsoft-approved apps:

  - create a requirement using SecRequirementCreateWithString from a pre-determined code sign requirement
  - SecTrustedApplicationCreateFromRequirement("com.microsoft", requirement, &trustedApplicationRef);

c) Then add the objects from a) and b) to an array and create the final accessRef using the API below:

    SecAccessRef accessRef = NULL;
    SecAccessCreate((__bridge CFStringRef)accessLabel, (__bridge CFArrayRef)allTrustedApps, &accessRef);

Because SecTrustedApplicationCreateFromPath is deprecated and soon to be gone, I was hoping to explore an alternative approach where:

  1. create login keychain first - since by default it still adds the creating app into the ACL
  2. Then use above approach that I initially shared to add a new ACL containing the new trusted app ref object that was created from code sign requirement, and then append it to the existing access ref object for this login keychain object.

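
The following is an added example, not code from the thread or from Apple: it performs the "append an entry to an existing access" step from the first post and then reads the resulting ACL list back through the Security API, which is a more reliable check than looking at the Keychain Access window. It is Objective-C under ARC, built with `-framework Foundation -framework Security`. Assumptions: the service name and the entry description are placeholders; the new entry is given the same authorizations as the existing entry that already grants decrypt (the operation behind "always allow access"), set explicitly rather than relying on whatever default a fresh entry gets; the modified access is written back with SecKeychainItemSetAccess instead of SecItemUpdate; and the trusted application is created with the deprecated but public SecTrustedApplicationCreateFromPath, where a requirement-based SecTrustedApplicationRef from step b) above can be substituted unchanged.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Returns the authorization list of the first existing entry that grants decrypt
// (or "any"), or nil if there is none. Assumption: that is the entry Keychain
// Access shows under "Access Control".
static NSArray *CopyDecryptAuthorizations(SecAccessRef access) {
    CFArrayRef aclList = NULL;
    if (SecAccessCopyACLList(access, &aclList) != errSecSuccess) return nil;
    NSArray *found = nil;
    for (id acl in (__bridge NSArray *)aclList) {
        NSArray *auths = CFBridgingRelease(SecACLCopyAuthorizations((__bridge SecACLRef)acl));
        if ([auths containsObject:(__bridge id)kSecACLAuthorizationDecrypt] ||
            [auths containsObject:(__bridge id)kSecACLAuthorizationAny]) { found = auths; break; }
    }
    CFRelease(aclList);
    return found;
}

// Appends an entry for trustedApps to the item's access and writes it back.
// Returns errSecSuccess or the first failing status.
static OSStatus AppendTrustedApps(SecKeychainItemRef item, NSArray *trustedApps, NSString *description) {
    SecAccessRef access = NULL;
    OSStatus status = SecKeychainItemCopyAccess(item, &access);
    if (status != errSecSuccess) return status;
    NSArray *auths = CopyDecryptAuthorizations(access);
    SecACLRef newAcl = NULL;
    status = SecACLCreateWithSimpleContents(access, (__bridge CFArrayRef)trustedApps,
                                            (__bridge CFStringRef)description,
                                            kSecKeychainPromptRequirePassphase, &newAcl);
    // Set the authorizations explicitly: an entry that governs no operation grants nothing.
    if (status == errSecSuccess && auths != nil)
        status = SecACLUpdateAuthorizations(newAcl, (__bridge CFArrayRef)auths);
    // Persist the modified access on the item; this is where the passphrase prompt appears.
    if (status == errSecSuccess)
        status = SecKeychainItemSetAccess(item, access);
    if (newAcl) CFRelease(newAcl);
    CFRelease(access);
    return status;
}

// Lists every entry of the item's access: description, prompt selector,
// authorizations and trusted-application count (a NULL list means any app).
static NSArray<NSString *> *DescribeItemAccess(SecKeychainItemRef item) {
    NSMutableArray<NSString *> *lines = [NSMutableArray array];
    SecAccessRef access = NULL;
    if (SecKeychainItemCopyAccess(item, &access) != errSecSuccess) return lines;
    CFArrayRef aclList = NULL;
    if (SecAccessCopyACLList(access, &aclList) == errSecSuccess) {
        for (id acl in (__bridge NSArray *)aclList) {
            CFArrayRef apps = NULL; CFStringRef desc = NULL; SecKeychainPromptSelector sel = 0;
            if (SecACLCopyContents((__bridge SecACLRef)acl, &apps, &desc, &sel) != errSecSuccess) continue;
            NSArray *auths = CFBridgingRelease(SecACLCopyAuthorizations((__bridge SecACLRef)acl));
            [lines addObject:[NSString stringWithFormat:@"%@ prompt=0x%x auths=%@ apps=%@",
                              desc, (unsigned)sel, [auths componentsJoinedByString:@","],
                              apps ? @(CFArrayGetCount(apps)) : @"any"]];
            if (apps) CFRelease(apps);
            if (desc) CFRelease(desc);
        }
        CFRelease(aclList);
    }
    CFRelease(access);
    return lines;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Look up the existing generic-password item by service name (constructed placeholder).
        NSDictionary *query = @{ (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
                                 (__bridge id)kSecAttrService: @"com.example.tenant-placeholder",
                                 (__bridge id)kSecReturnRef: @YES };
        CFTypeRef result = NULL;
        OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
        if (status != errSecSuccess) { NSLog(@"lookup failed: %d", (int)status); return 1; }
        SecKeychainItemRef item = (SecKeychainItemRef)result;

        // Trusted app for the calling process (deprecated API; a requirement-based
        // SecTrustedApplicationRef can be used here instead without other changes).
        SecTrustedApplicationRef selfApp = NULL;
        status = SecTrustedApplicationCreateFromPath(NULL, &selfApp);
        if (status != errSecSuccess) { CFRelease(item); return 1; }

        status = AppendTrustedApps(item, @[ (__bridge id)selfApp ], @"Example tenant secret");
        NSLog(@"append status: %d", (int)status);
        for (NSString *line in DescribeItemAccess(item)) NSLog(@"%@", line);
        CFRelease(selfApp);
        CFRelease(item);
        return status == errSecSuccess ? 0 : 1;
    }
}
```

Run it once, compare the DescribeItemAccess output before and after the append, and only then check the Keychain Access window: if the API shows the new entry with the expected authorizations but the UI does not, the problem is in which entry the UI displays; if the API does not show it either, the entry was never persisted (the status from SecKeychainItemSetAccess, or from SecItemUpdate in the original approach, is the first thing to check).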

At this point I think it’d be best for you to open a DTS tech support incident so that a) I can dedicate more time to your question, and b) we can discuss this stuff in private.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
