Error when using SecItemAdd with kSecReturnPersistentRef and user presence kSecAttrAccessControl

Question

Created 5d

Replies 6

Boosts 0

Participants 2

I'm trying to add a generic password to the keychain and get back the persistent ID for it, and give it .userPresence access control. Unfortunately, if I include that, I get paramError back from SecItemAdd. Here's the code:

	@discardableResult
	func
	set(username: String, hostname: String?, password: String, comment: String? = nil)
		throws
		-> PasswordEntry
	{
		//	Delete any existing matching password…
		
		if let existing = try? getEntry(forUsername: username, hostname: hostname)
		{
			try deletePassword(withID: existing.id)
		}
		
		//	Store the new password…
		
		var label = username
		if let hostname
		{
			label = label + "@" + hostname
		}
		
		var item: [String: Any] =
		[
			kSecClass as String : kSecClassGenericPassword,
			kSecAttrDescription as String : "TermPass Password",
			
			kSecAttrGeneric as String : self.bundleID.data(using: .utf8)!,
			kSecAttrLabel as String : label,
			kSecAttrAccount as String : username,
			kSecValueData as String : password.data(using: .utf8)!,
			kSecReturnData as String : true,
			kSecReturnPersistentRef as String: true,
		]
		
		if self.synchronizable
		{
			item[kSecAttrSynchronizable as String] = kCFBooleanTrue!
		}
		
		if let hostname
		{
			item[kSecAttrService as String] = hostname
		}
		
		if let comment
		{
			item[kSecAttrComment as String] = comment
		}
		
		//	Apply access control to require the user to prove presence when
		//	retrieving this password…
		
		var error: Unmanaged<CFError>?
		guard
			let accessControl = SecAccessControlCreateWithFlags(nil,
																 kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
																 .userPresence,
																 &error)
		else
		{
			let cfError = error!.takeUnretainedValue() as Error
			throw cfError
		}
		
		item[kSecAttrAccessControl as String] = accessControl
		item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
		
		var result: AnyObject!
		let status = SecItemAdd(item as CFDictionary, &result)
		try Errors.throwIfError(osstatus: status)
		
		load()
		
		guard
			let secItem = result as? [String : Any],
			let persistentRef = secItem[kSecValuePersistentRef as String] as? Data
		else
		{
			throw Errors.malformedItem
		}
		
		let entry = PasswordEntry(id: persistentRef, username: username, hostname: hostname, password: password, comment: comment)
		return entry
	}

(Note that I also tried it omitting kSecAttrAccessible, but it had no effect.)

This code works fine if I omit setting kSecAttrAccessControl.

Any ideas? TIA!

Answered by DTS Engineer in 851332022

I see a three of issues here. First, you’re asking for something that doesn’t make sense. accessControl uses a this-device-only modifier, but you’re setting kSecAttrSynchronizable to true. What’s the point of synchronising something if it’s limited to this device only?

If you want to use the data protection keychain but don’t want things to synchronous, replace kSecAttrSynchronizable with kSecUseDataProtectionKeychain.

Second, you’re setting kSecAttrAccessControl and kSecAttrAccessible. That’s weird because the former subsumes the latter. Note how the value you’re using to kSecAttrAccessible is also being passed when you create accessControl.

Third, kSecAttrSynchronizable has a long list of caveats in the doc comments in <Security/SecItem.h>. One of those is:

Persistent references to synchronizable items should be avoided; while they may work locally, they cannot be moved between devices, and may not resolve if the item is modified on some other device.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

5d

What platform is this?

That matters because, if this is macOS, you have access to both the data protection keychain and the file-based keychain. You’re doing a bunch of stuff that’s only possible in the data protection keychain, but you’re not opting in to that. See TN3137 On Mac keychain APIs and implementations for more background.

Oh, and for general hints and tips on using the keychain effectively, see:

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

JetForMe OP

5d

macOS, yes, sorry. I’ll look into this aspect, thank you. I see these items going into the iCloud keychain (the flag is for unit tests where they end up in the login keychain), as viewed via Keychain Access.

0

Answer 3

JetForMe OP

4d

Okay, looking into TN3137, it says

To target the data protection keychain, set the kSecUseDataProtectionKeychain attribute or the kSecAttrSynchronizable attribute to true.

I am setting kSecAttrSynchronizable to true when adding items, so it should be using the data protection keychain.

0

Answer 4

DTS Engineer OP

Apple

4d

Recommended

I see a three of issues here. First, you’re asking for something that doesn’t make sense. accessControl uses a this-device-only modifier, but you’re setting kSecAttrSynchronizable to true. What’s the point of synchronising something if it’s limited to this device only?

If you want to use the data protection keychain but don’t want things to synchronous, replace kSecAttrSynchronizable with kSecUseDataProtectionKeychain.

Second, you’re setting kSecAttrAccessControl and kSecAttrAccessible. That’s weird because the former subsumes the latter. Note how the value you’re using to kSecAttrAccessible is also being passed when you create accessControl.

Third, kSecAttrSynchronizable has a long list of caveats in the doc comments in <Security/SecItem.h>. One of those is:

Persistent references to synchronizable items should be avoided; while they may work locally, they cannot be moved between devices, and may not resolve if the item is modified on some other device.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 5

JetForMe OP

3d

I see a three of issues here. First, you’re asking for something that doesn’t make sense. accessControl uses a this-device-only modifier, but you’re setting kSecAttrSynchronizable to true. What’s the point of synchronising something if it’s limited to this device only?

This stems from a misunderstanding of kSecAttrAccessibleWhenUnlockedThisDeviceOnly, I think. I set it to kSecAttrAccessibleWhenUnlocked, and it still didn’t work.

Second, you’re setting kSecAttrAccessControl and kSecAttrAccessible. That’s weird because the former subsumes the latter. Note how the value you’re using to kSecAttrAccessible is also being passed when you create accessControl.

I removed the kSecAttrAccessible attribute altogether, and it still gives me paramErr.

Persistent references to synchronizable items should be avoided; while they may work locally, they cannot be moved between devices, and may not resolve if the item is modified on some other device.

I only use the identifier locally and in-memory, so it doesn’t matter if it’s not valid on other machines, but this seems like an unnecessary limitation either way, since it’s not hard to make a globally unique identifier.

Something that's confusing to me is that when you call SecAccessControlCreateWithFlags(), you pass both "protection" and "access control" constraints, which seem to have at least semantic overlap. I want the user to have to provide access to the password each time it is used, rather than only when unlocked. My understanding is that that’s what .userPresence does, but it seems like that could have also been a protection class. What does it mean to say kSecAttrAccessibleAlways and .userPresence, for example? And the "ThisDeviceOnly" variants could imply that unlocking on one device doesn't automatically unlock on another device, hence why I was using that.

In any case, I'm using kSecAttrAccessControl because I want each use of the password to require the user actually be there (I get that the system won’t always prompt, that it caches authorization for some amount of time, but that's okay).

In any case, I still can't figure out why it won’t let me add .userPresence to the password.

…

On a whim I removed the kSecAttrSynchronizable = true, and that got rid of the error! I’m not explicitly using kSecUseDataProtectionKeychain, which is not what I was expecting. For example, TN3137 says:

To target the data protection keychain, set the kSecUseDataProtectionKeychain attribute or the kSecAttrSynchronizable attribute to true.

And lastly just to confirm: Something stored with .userPresence requires presence even to query attributes and not the password value itself? That's the behavior I'm seeing. I can work with that, but I wasn't expecting it for some reason.

0

Answer 6

DTS Engineer OP

Apple

3d

On a whim I removed the kSecAttrSynchronizable = true, and that got rid of the error!

Right, because that gets you back to the file-based keychain and it ignores the kSecAttrAccessControl attribute.

which seem to have at least semantic overlap

Kinda. What you’re seeing here is the implementation leaking into the API. The protection parameter controls how the property is protected within the keychain database. It’s directly analogous to the kSecAttrAccessible attribute. The flags parameter controls how programs are allowed to use an item. Obviously the system must be able to decrypt the item in order for your app to use it, so protection has pre-eminence. However, assuming that’s the case then the protections expressed in flags kicks in.

I agree that the API could be nicer, but you couldn’t just fold flags into protection. There are things like kSecAccessControlOr that couldn’t be represented in a simple list of protections.

Anyway, if you’re looking for a nicer API then I recommend that you explore Local Authentication, and specifically LASecret.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0