Posts

Post not yet marked as solved
4 Replies
901 Views
I try to use SecPKCS12Import to retrieve a SecIdentityRef from a PKCS#12 blob and store the SecCertificateRef and SecKeyRef into the keychain separately, so that I can use kSecAttrAccessControl to protect only the private key with Touch ID. The same code works on iOS, but not on Mac. The problem is that SecPKCS12Import has already saved the identity into the keychain. I tried to delete the stored identity; however, no matter whether I use SecItemDelete with a transient reference or a persistent reference of the identity, or delete both the SecCertificateRef and the SecKeyRef, the record is deleted from keychain -> My Certificates and keychain -> Keys but always leaves the certificate in keychain -> Certificates. If I use SecItemAdd to add the certificate back, I get errSecDuplicateItem; using SecItemCopyMatching or SecItemDelete, I get errSecItemNotFound. The strange part is, even when I open the keychain app to manually delete the cert, I get an error prompt saying the item to delete was not found, but after that the cert disappears from keychain -> Certificates.

Since I cannot delete the identity and then add it back with access control attributes, I tried to use SecItemImport to avoid saving the identity into the keychain. However, this API only returns a list of SecCertificateRef instead of a SecIdentityRef. I found a similar issue discussed at https://forums.developer.apple.com/thread/31711

Is there any way to retrieve the identity from a PKCS#12 blob and make kSecAttrAccessControl protect the private key only?
Posted by yingha.
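The approach the post is after, as an added example that is not code from the original post: import the PKCS#12 blob, pull the certificate and private key out of the identity, and add them as two separate items in the data-protection keychain (kSecUseDataProtectionKeychain, macOS 10.15 and later), with the biometric access control attached to the key only. The legacy file-based login keychain that SecPKCS12Import writes into by default does not support kSecAttrAccessControl, which is why storing the items in the data-protection keychain matters on macOS. Two assumptions: the kSecImportToMemoryOnly option, guarded by an availability check, is assumed to stop SecPKCS12Import from writing into the default keychain on macOS 14 / iOS 17 and later (check the SDK header before relying on it), and the app is assumed to be code-signed with its application identifier, since an unsigned or ad-hoc-signed build gets errSecMissingEntitlement from the data-protection keychain. `label` and the function names are hypothetical.

```swift
import Foundation
import Security

enum KeychainError: Error {
    case status(OSStatus)
    case accessControl(CFError?)
}

/// What the import leaves behind in the data-protection keychain.
struct ImportedIdentity {
    let identity: SecIdentity
    let certificate: SecCertificate
    let privateKey: SecKey
}

/// Removes a previously imported certificate/key pair with this label from the
/// data-protection keychain (no-op if nothing is there). Both items are deleted
/// so the identity does not survive as a half-pair.
func deleteImportedIdentity(label: String) {
    for itemClass in [kSecClassKey, kSecClassCertificate] {
        let query: [String: Any] = [
            kSecClass as String: itemClass,
            kSecAttrLabel as String: label,
            kSecUseDataProtectionKeychain as String: true,
        ]
        SecItemDelete(query as CFDictionary)
    }
}

/// Imports `p12`, then stores the certificate and the private key as two separate
/// data-protection keychain items; only the key carries the biometric ACL.
/// `label` is a hypothetical app-chosen label used to find the items again.
func importIdentityWithBiometricKey(p12: Data, passphrase: String, label: String) throws -> ImportedIdentity {
    var options: [String: Any] = [kSecImportExportPassphrase as String: passphrase]
    // Assumption: on macOS 14 / iOS 17 and later, kSecImportToMemoryOnly keeps
    // SecPKCS12Import from writing the identity into the default keychain.
    if #available(macOS 14.0, iOS 17.0, *) {
        options[kSecImportToMemoryOnly as String] = true
    }
    var rawItems: CFArray?
    var status = SecPKCS12Import(p12 as CFData, options as CFDictionary, &rawItems)
    guard status == errSecSuccess,
          let items = rawItems as? [[String: Any]],
          let identityAny = items.first?[kSecImportItemIdentity as String] else {
        throw KeychainError.status(status)
    }
    let identity = identityAny as! SecIdentity

    var certRef: SecCertificate?
    status = SecIdentityCopyCertificate(identity, &certRef)
    guard status == errSecSuccess, let certificate = certRef else { throw KeychainError.status(status) }
    var keyRef: SecKey?
    status = SecIdentityCopyPrivateKey(identity, &keyRef)
    guard status == errSecSuccess, let privateKey = keyRef else { throw KeychainError.status(status) }

    // ACL for the key only: usable while unlocked, on this device, and only after
    // the currently enrolled biometrics (Touch ID) authenticate.
    var acError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            .biometryCurrentSet,
            &acError) else {
        throw KeychainError.accessControl(acError?.takeRetainedValue())
    }

    deleteImportedIdentity(label: label)   // avoid errSecDuplicateItem on re-import

    let keyItem: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecValueRef as String: privateKey,
        kSecAttrLabel as String: label,
        kSecAttrAccessControl as String: access,
        // Data-protection keychain (macOS 10.15+); the legacy file keychain
        // does not support kSecAttrAccessControl.
        kSecUseDataProtectionKeychain as String: true,
    ]
    status = SecItemAdd(keyItem as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }

    let certItem: [String: Any] = [
        kSecClass as String: kSecClassCertificate,
        kSecValueRef as String: certificate,
        kSecAttrLabel as String: label,
        kSecUseDataProtectionKeychain as String: true,
    ]
    status = SecItemAdd(certItem as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }

    // The keychain pairs certificate and key by public-key hash, so the identity
    // can be looked up as one item; using its private key triggers the prompt.
    let identityQuery: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecAttrLabel as String: label,
        kSecUseDataProtectionKeychain as String: true,
        kSecReturnRef as String: true,
    ]
    var found: CFTypeRef?
    status = SecItemCopyMatching(identityQuery as CFDictionary, &found)
    guard status == errSecSuccess, let storedIdentity = found else { throw KeychainError.status(status) }
    return ImportedIdentity(identity: storedIdentity as! SecIdentity,
                            certificate: certificate, privateKey: privateKey)
}
```

Only the key item carries kSecAttrAccessControl, so reading the certificate or listing the identity never prompts; the biometric prompt appears when a signing operation first uses the private key. If the import runs on a system without kSecImportToMemoryOnly, the identity also lands in the default keychain and has to be cleaned up there separately.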
Post not yet marked as solved
0 Replies
250 Views
Hi, we use WKWebView to load the IDP login page, and client cert authentication is also required after the user credential is submitted. We implemented the didReceiveAuthenticationChallenge function to retrieve the client cert from our app and create an NSURLCredential with NSURLCredentialPersistenceNone. However, we found that the client cert gets cached. When the IDP issues a new client cert and the old cert becomes invalid, although the user imports the new cert into our app, the cached old cert is used and didReceiveAuthenticationChallenge is not called. We tried to use WKWebsiteData to delete all cookies and website data, including WKWebsiteDataTypeMemoryCache, diskCache and localStorage, but no luck. The only workaround is to terminate our app; restarting it clears the cache. Is there anything we missed? Thanks, Ying
Posted by yingha.
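The challenge handler the post describes, as an added example that is not code from the original post, together with the one lever the app does control: which WKWebsiteDataStore the web view uses. Clearing WKWebsiteData types removes cookies and caches but does not touch the TLS-level state of the connection that presented the old certificate. This example assumes that each WKWebsiteDataStore gets its own networking session in WebKit's network process, so replacing the web view and its non-persistent store after a new certificate is imported also replaces that connection state. `identityProvider`, `ClientCertLoginController` and `restartLogin` are hypothetical names.

```swift
import Foundation
import WebKit
import Security

/// Hosts a WKWebView for the IdP login and answers TLS client-certificate
/// challenges from the app's identity. `identityProvider` is a hypothetical
/// closure returning whatever identity the app currently holds in its keychain.
final class ClientCertLoginController: NSObject, WKNavigationDelegate {
    private let identityProvider: () -> SecIdentity?
    private(set) var webView: WKWebView

    init(identityProvider: @escaping () -> SecIdentity?) {
        self.identityProvider = identityProvider
        self.webView = ClientCertLoginController.makeWebView()
        super.init()
        webView.navigationDelegate = self
    }

    /// A web view backed by a fresh non-persistent data store. Assumption: the
    /// store owns its networking session, so the connection state that cached
    /// the old client identity dies with the store instead of with the app.
    private static func makeWebView() -> WKWebView {
        let config = WKWebViewConfiguration()
        config.websiteDataStore = WKWebsiteDataStore.nonPersistent()
        return WKWebView(frame: .zero, configuration: config)
    }

    /// Call after a new certificate has been imported: drop the old web view
    /// (and its session) and start the login again on a new one.
    func restartLogin(at url: URL) {
        webView.navigationDelegate = nil
        webView.stopLoading()
        webView = ClientCertLoginController.makeWebView()
        webView.navigationDelegate = self
        webView.load(URLRequest(url: url))
    }

    func webView(_ webView: WKWebView,
                 didReceive challenge: URLAuthenticationChallenge,
                 completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Only the client-certificate challenge is ours; server trust and
        // HTTP auth keep the system's default handling.
        guard space.authenticationMethod == NSURLAuthenticationMethodClientCertificate else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        guard let identity = identityProvider() else {
            // No certificate available: continue the handshake without one so
            // the server, not the app, decides what to do.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // .none only governs URLCredentialStorage; it does not stop the
        // connection from reusing the identity it already negotiated with.
        let credential = URLCredential(identity: identity, certificates: nil, persistence: .none)
        completionHandler(.useCredential, credential)
    }
}
```

Wire `restartLogin(at:)` to the same code path that imports the new certificate, so the login that follows the import always starts on a data store that has never seen the old identity.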
Post not yet marked as solved
1 Replies
728 Views
We have a macOS application with an uninstaller. When the app is installed via a dmg file, users get a prompt for Touch ID (when a Touch Bar is available). However, when users run our uninstaller app, users always get a prompt for login credentials.

Looking into the documentation of the Authorization APIs, it says:

"When your application requests authorization, the Security Server may request the user to authenticate. Authorization Services allows you to take full advantage of the Security Server's authentication plug-in architecture to deal with authentication for you. Instead of a user name and password, the authentication may use fingerprints or smart cards, but your application code stays the same."

We basically grab the execute right to run the uninstall script with the following code:

    #include <Security/Authorization.h>
    #include <Security/AuthorizationTags.h>
    #include <stdio.h>

    status = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, flags, &auth_ref);
    if (status != errAuthorizationSuccess) {
        return status;
    }

    AuthorizationItem item = { kAuthorizationRightExecute, 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };
    flags = (kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed |
             kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights);
    status = AuthorizationCopyRights(auth_ref, &rights, NULL, flags, NULL);
    if (status != errAuthorizationSuccess) {
        break;
    }

    FILE *channel = NULL;
    status = AuthorizationExecuteWithPrivileges(auth_ref, exepath, kAuthorizationFlagDefaults, exeargs, &channel);

Do we miss anything to make authentication work with Touch ID?
Posted by yingha.
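How the user is asked is not chosen by the calling code: kAuthorizationRightExecute expands to the right name "system.privilege.admin", and the Security Server runs whatever rule and mechanisms the authorization database attaches to that right. The installer is asking for a different right, so it can get a different prompt. The added example below, which is not code from the original post, reads the rule definition for the right so the mechanisms behind the prompt can be inspected, and then requests the right the same way the posted C does. Two caveats worth knowing: AuthorizationExecuteWithPrivileges has been deprecated since macOS 10.7, and the usual replacement for running a privileged uninstall step is a launchd helper installed through SMJobBless or SMAppService. The function names and the dictionary keys "class", "rule" and "mechanisms" are assumed from the authorization database format.

```swift
import Foundation
import Security

/// The rule the authorization database applies to `rightName`; nil if the right
/// is not defined. kAuthorizationRightExecute is "system.privilege.admin".
func authorizationRule(for rightName: String) -> [String: Any]? {
    var definition: CFDictionary?
    guard AuthorizationRightGet(rightName, &definition) == errAuthorizationSuccess else { return nil }
    return definition as? [String: Any]
}

/// One-line summary of the rule fields that decide how the user is prompted
/// (assumed keys of the authorization database entry).
func describeRule(_ rule: [String: Any]) -> String {
    let cls = rule["class"] as? String ?? "?"
    let chain = (rule["rule"] as? [String])?.joined(separator: ",") ?? "-"
    let mechs = (rule["mechanisms"] as? [String])?.joined(separator: ",") ?? "-"
    return "class=\(cls) rule=[\(chain)] mechanisms=[\(mechs)]"
}

/// Asks the Security Server for the execute right and lets it run whatever
/// authentication UI the rule selects. Returns the authorization on success;
/// the caller owns it and must AuthorizationFree() it.
func acquireExecuteRight() -> AuthorizationRef? {
    var created: AuthorizationRef?
    guard AuthorizationCreate(nil, nil, [], &created) == errAuthorizationSuccess,
          let auth = created else { return nil }
    let status: OSStatus = kAuthorizationRightExecute.withCString { name in
        var item = AuthorizationItem(name: name, valueLength: 0, value: nil, flags: 0)
        return withUnsafeMutablePointer(to: &item) { itemPtr -> OSStatus in
            var rights = AuthorizationRights(count: 1, items: itemPtr)
            // Same flags as the posted C: allow UI, extend rights, pre-authorize.
            let flags: AuthorizationFlags = [.interactionAllowed, .extendRights, .preAuthorize]
            return AuthorizationCopyRights(auth, &rights, nil, flags, nil)
        }
    }
    if status != errAuthorizationSuccess {
        AuthorizationFree(auth, [])
        return nil
    }
    return auth
}

// Usage: print the rule behind the prompt, then request the right.
if let rule = authorizationRule(for: kAuthorizationRightExecute) {
    print("\(kAuthorizationRightExecute): \(describeRule(rule))")
} else {
    print("\(kAuthorizationRightExecute) is not defined in the authorization database")
}
if let auth = acquireExecuteRight() {
    print("right granted")
    AuthorizationFree(auth, .destroyRights)
} else {
    print("right denied")
}
```

Running this beside the uninstaller shows which mechanisms the system evaluates for system.privilege.admin; the prompt style follows from those, not from the flags passed to AuthorizationCopyRights.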
Post not yet marked as solved
3 Replies
1.5k Views
Hi, I use SecStaticCodeCheckValidity(staticCode, kSecCSConsiderExpiration, NULL) to verify a file signature. My understanding is that if a timestamp exists in the signature, the signing time will be used for validation; otherwise, the "now" time will be used for validation. I use the codesign utility to sign the file with "--timestamp=none" so that no timestamp is generated (I found kSecCodeInfoTime / "signed time" in the signature, which I believe is the internal signing time specified by the signer). I then change the system time to a future time and make sure the signing certs in the keychain are expired. I expected SecStaticCodeCheckValidity() to return errSecCertificateExpired, but it actually returns errSecSuccess. Did I do anything wrong here?
Posted by yingha.
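When a validity result is surprising, the first thing to check is which time sources the signature actually carries. The signature exposes two different fields: kSecCodeInfoTime is the signing time the signer wrote into the signature (the "signed time" the post mentions, which nothing independent vouches for), and kSecCodeInfoTimestamp is the secure timestamp from a timestamp authority, absent when the file was signed with --timestamp=none. The added example below, which is not code from the original post, runs the same check as the post with expiration considered and prints both fields next to the result, so the outcome can be read against what the signature contains. The struct and function names are hypothetical; the fallback path "/bin/ls" is only a placeholder for running without arguments.

```swift
import Foundation
import Security

/// Times recorded in a code signature. Only the secure timestamp comes from a
/// timestamp authority; kSecCodeInfoTime is whatever the signer wrote.
struct SignatureTimes {
    let signerAssertedTime: Date?   // kSecCodeInfoTime ("signed time")
    let secureTimestamp: Date?      // kSecCodeInfoTimestamp; nil with --timestamp=none
}

struct ValidityReport {
    let status: OSStatus
    let message: String
    let times: SignatureTimes?
}

/// Human-readable text for an OSStatus from the Security framework.
func humanStatus(_ status: OSStatus) -> String {
    (SecCopyErrorMessageString(status, nil) as String?) ?? "OSStatus \(status)"
}

/// Validates the static code at `path` with expiration considered and reports
/// which time sources the signature carries.
func checkSignature(path: String) -> ValidityReport {
    var codeRef: SecStaticCode?
    var status = SecStaticCodeCreateWithPath(URL(fileURLWithPath: path) as CFURL, [], &codeRef)
    guard status == errSecSuccess, let code = codeRef else {
        return ValidityReport(status: status, message: humanStatus(status), times: nil)
    }

    // Same flag as the post, plus strict validation; nil requirement means the
    // signature is validated on its own, with no extra requirement applied.
    let flags = SecCSFlags(rawValue: UInt32(kSecCSConsiderExpiration) | UInt32(kSecCSStrictValidate))
    status = SecStaticCodeCheckValidity(code, flags, nil)

    // Pull the signing information regardless of the validity result, so a
    // failure can still be read next to the times the signature records.
    var infoRef: CFDictionary?
    let infoStatus = SecCodeCopySigningInformation(
        code, SecCSFlags(rawValue: UInt32(kSecCSSigningInformation)), &infoRef)
    var times: SignatureTimes?
    if infoStatus == errSecSuccess, let info = infoRef as? [String: Any] {
        times = SignatureTimes(
            signerAssertedTime: info[kSecCodeInfoTime as String] as? Date,
            secureTimestamp: info[kSecCodeInfoTimestamp as String] as? Date)
    }
    return ValidityReport(status: status, message: humanStatus(status), times: times)
}

// Usage: swift check.swift /path/to/signed/binary
let target = CommandLine.arguments.dropFirst().first ?? "/bin/ls"
let report = checkSignature(path: target)
print("validity:             \(report.message) (\(report.status))")
print("signer-asserted time: \(report.times?.signerAssertedTime.map { "\($0)" } ?? "none")")
print("secure timestamp:     \(report.times?.secureTimestamp.map { "\($0)" } ?? "none")")
```

For a file signed with --timestamp=none the second line shows a date and the third shows "none"; comparing that against the system clock and the certificate's validity window makes it clear which time the check could have used.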