Posts

Post marked as solved
16 Replies
1.6k Views
Hi, I am trying to figure out how I can set the kSecACLAuthorizationPartitionID when creating a private key that will later be used by the macOS system ("apple:"). This key is to be used for things like Wi-Fi (eapolagent) and so on.

I have been experimenting with the code below. The private key is created correctly, the ACL is set and it is added to the keychain, however it seems the ACL is overwritten when I add the key to the keychain:

    // create standard access (owner = current UID, default ACL)
    SecAccessRef access = SecAccessCreateWithOwnerAndACL(0, 0, kSecUseOnlyUID, NULL, &error);

    // build partitions list
    NSMutableArray *partitions = [[NSMutableArray alloc] init];
    // we want the apple system to be able to sign with this key
    [partitions addObject:@"apple:"];

    // the partition list is stored as a hex-encoded XML plist in the ACL description
    NSMutableDictionary *descriptionDict = [[NSMutableDictionary alloc] init];
    [descriptionDict setObject:partitions forKey:@"Partitions"];
    NSString *plistError = nil;
    NSData *xmlData = [NSPropertyListSerialization dataFromPropertyList:descriptionDict
                                                                 format:NSPropertyListXMLFormat_v1_0
                                                       errorDescription:&plistError];

    SecACLRef newAcl = NULL;
    status = SecACLCreateWithSimpleContents(access, NULL,
                                            (__bridge CFStringRef)[self hexStringValue:xmlData],
                                            kSecKeychainPromptRequirePassphase, &newAcl);

    // restrict the new ACL entry to the partition_id authorization
    NSArray *authorizations = @[(__bridge id)kSecACLAuthorizationPartitionID];
    // update ACL
    status = SecACLUpdateAuthorizations(newAcl, (__bridge CFArrayRef)authorizations);

At this point, if I loop through the access ACLs, all look well.

And I proceed to create the key:

    SecKeyRef privateKey = SecKeyCreateFromData((__bridge CFDictionaryRef)attributes,
                                                (__bridge CFDataRef)encodedKeyData, &error);

And then add this to the keychain with the access I created above:

    NSMutableDictionary *attributes = [[NSMutableDictionary alloc] init];
    [attributes setObject:(__bridge id)privateKey forKey:(__bridge id)kSecValueRef];
    [attributes setObject:(__bridge id)kSecClassKey forKey:(__bridge id)kSecClass];
    [attributes setObject:tag forKey:(__bridge id)kSecAttrApplicationTag];
    // attach the SecAccessRef built above to the new keychain item
    [attributes setObject:(__bridge id)access forKey:(__bridge id)kSecAttrAccess];
    err = SecItemAdd((__bridge CFDictionaryRef)attributes, NULL);

All this runs without error, however dumping the keychain, I can see the ACL as follows:

    entry 0:
        authorizations (1): any
        don't-require-password
        description: <NULL>
        applications: <null>
    entry 1:
        authorizations (1): partition_id
        don't-require-password
        description: unsigned:
        applications: <null>
    entry 2:
        authorizations (1): change_acl
        don't-require-password
        description: <NULL>
        applications: <null>

The "unsigned:" is I assume due to me running the app in debug mode, but it looks like the ACL I set is ignored and the keychain API hardcodes this to the caller's partition_id.

I have also tried to set the partition_id after adding the key to the keychain, but this requires the password of the user, something we do not want to request for obvious reasons.

Is what I am trying even possible? Can you set the partition_id when creating a key?

Thanks,
S.
Posted by secure.
Post not yet marked as solved
0 Replies
367 Views
Hi, due to legacy reasons we are looking to push a VPN EAP-TLS configuration via mobileconfig, but we need to have it use an existing certificate/private key that is present in the user's keychain.

We believe this is not possible in the .mobileconfig itself, as this assumes you would be supplying the certificate/keypair in the .mobileconfig.

Something like the identity preference for Wi-Fi networks would fit our needs, but we have not been able to identify the service string that would allow us to connect a certificate to a particular VPN configuration.

We are open to alternatives; we also have the ability to invoke certain Apple APIs (similar to CWKeychainSetWiFiEAPIdentity, for example).

Any help is appreciated.

Thanks,
S.
Posted by secure.
Post not yet marked as solved
0 Replies
571 Views
Hi, so I requested some help on the Enterprise Forum before when 11.3 hit:

https://forums.developer.apple.com/thread/100177

and I have opened a bug report:

https://bugreport.apple.com/web/?problemID=39413430

But as I have not been able to get any help I was hoping to see if the BETA forum has any idea on this. As of now the current 11.4 BETA (4) is still affected.

Thanks,
S.

-------- original question -------

Steps to Reproduce:
1. Set up a captive portal that shows a webpage with a link to a downloadable mobileconfig
2. Have an iOS 11.3 device connect to the captive portal
3. iOS 11.3 opens the CNA browser
4. The CNA browser shows the webpage with the link to the downloadable mobileconfig
5. User clicks on the link to download the mobileconfig

Expected Results:
Mobileconfig is launched and configures the device.

Actual Results:
CNA browser shows the content of the mobileconfig.
Posted by secure.
Post not yet marked as solved
1 Reply
970 Views
Steps to Reproduce:
1. Set up a captive portal that shows a webpage with a link to a downloadable mobileconfig
2. Have an iOS 11.3 device connect to the captive portal
3. iOS 11.3 opens the CNA browser
4. The CNA browser shows the webpage with the link to the downloadable mobileconfig
5. User clicks on the link to download the mobileconfig

Expected Results:
Mobileconfig is launched and configures the device.

Actual Results:
CNA browser shows the content of the mobileconfig.
Posted by secure.
Post not yet marked as solved
1 Reply
2.3k Views
Hi, is there a reason for the eapolclient needing to prompt the user 3 times in High Sierra when you want to connect to a new network with EAP-TLS (client certificate)?

Assuming the client has:
* private key + certificate + identity in the keychain
* a profile containing the WPA2-Enterprise/EAP-TLS config (pushed via mobileconfig)

The sequence is now:
* connect to the Wi-Fi network
* eapolclient wants access to key "xxxx" in your keychain.
* eapolclient wants access to key "com.apple.network.eap.user.identity.wlan.ssid.***" in your keychain.
* eapolclient wants access to change the permissions of "xxxx" in your keychain.

Every request from eapolclient requires the user to enter their login password.

Is there a way to have eapolclient prompt 1 time, then remember the login password for the subsequent requests, or maybe set up eapolclient as a trusted system application that would have access to these things without the need for a password?

Thanks,
S.
Posted by secure.
Post not yet marked as solved
14 Replies
3.3k Views
Hi, we are seeing some strange behavior on the latest macOS 10.13.2. Consider the following code example where we are trying to list the identities in a keychain:

    // query every identity in the default keychain search list,
    // returning both the SecIdentityRef and its attributes
    NSMutableDictionary *query = [NSMutableDictionary dictionaryWithObjectsAndKeys:
                                  kSecClassIdentity,  kSecClass,
                                  kCFBooleanTrue,     kSecReturnRef,
                                  kCFBooleanTrue,     kSecReturnAttributes,
                                  kSecMatchLimitAll,  kSecMatchLimit,
                                  nil];
    NSArray *identities = nil;
    OSStatus status = SecItemCopyMatching((CFDictionaryRef)query, (CFTypeRef *)&identities);
    if (status == errSecSuccess) {
        // ... use identities
    }

In certain cases identities is nil, which does not seem to follow the way the function returns information (status != errSecSuccess if no info was found in the query).

We have seen some similar questions on the forum:

https://forums.developer.apple.com/message/46898#46898
https://forums.developer.apple.com/message/262088#262088

But I feel these are examples of adding a malformed key and then trying to retrieve it again. We are searching for ALL identities.

Any advice would be appreciated.

Thanks,
S.
Posted by secure.
Post not yet marked as solved
7 Replies
14k Views
Hi, I am facing an issue where the user is prompted to "Enter your password" for a WPA2-Enterprise wireless network pre-configured for EAP-TLS/802.1X via mobileconfig/SCEP. This does NOT occur on a device without any previous profiles for the targeted wireless network SSID. This seems to only occur when adding the same profile or a new profile with the same SSID.

This problem occurs when the user clicks on the wireless network to initiate the connection manually; auto-join works fine. Normally this manual connection would proceed without user interaction, as it is using the installed client certificate. In iOS 11 it shows a prompt for username/password. Clicking on "cancel" will allow the user to connect.

We started seeing this on BETA 7 and have not seen a fix yet.

I have opened a BUG report but have had no reply yet; I was wondering if anyone had any tips.

Thanks,
S.
Posted by secure.
Post not yet marked as solved
0 Replies
1.4k Views
Hi, I am facing an issue where the user is prompted "Enter your password" for a WPA2-Enterprise wireless network pre-configured for EAP-TLS/802.1X via mobileconfig/SCEP.

This does NOT occur on a device without any previous profiles for the targeted wireless network SSID. This seems to only occur when adding the same profile or a new profile with the same SSID.

This problem occurs when the user clicks on the wireless network to initiate the connection manually; auto-join works fine. Normally this manual connection would proceed without user interaction, as it is using the installed client certificate. From iOS 11 BETA 7 onwards it shows a prompt "Enter your Password" where you now can select an identity. The "Enter your password" title is quite confusing as there is no password to be entered; clicking on "cancel" will allow the user to connect, but no matter what we fill in as username or identity it will not connect. Allowing the device to auto-join works fine; no prompt is shown.

Has anyone seen this issue? We are still seeing this in the latest release (11.0 Gold Master (15A372)).

S.
Posted by secure.