Security Interface

RSS for tag

The Security Interface framework is a set of Objective-C classes that provide user interface elements for programs that implement security features.

Posts under Security Interface tag

18 Posts
Sort by:

Post

Replies

Boosts

Views

Activity

How to modify the login right for headless login
Hello -- I am developing an Authentication Plug-in for the purpose of invoking login with no user interaction (headless). There seems to be sufficient documentation and sample code on how to implement a plug-in and mechanism, and debug the same, which is great. What I am trying to understand is exactly how to modify the login right (system.login.console) in order to accomplish my goal. Question 1: I had the idea of installing my mechanism as the first mechanism of the login right, and when invoked to set the username and password into the engine’s context, in the belief that this would negate the system from needing to display the login screen. I didn’t modify or remove any other mechanisms. This did not work, in the sense that the login screen was still shown. Should this work in theory? Question 2: I then tried modifying the login right to remove anything that interacted with the user, leaving only the following: <array> <string>builtin:prelogin</string> <string>builtin:login-begin</string> <string>builtin:forward-login,privileged</string> <string>builtin:auto-login,privileged</string> <string>MyAuthPlugin:customauth,privileged</string> <string>PKINITMechanism:auth,privileged</string> <string>builtin:login-success</string> <string>HomeDirMechanism:login,privileged</string> <string>HomeDirMechanism:status</string> <string>MCXMechanism:login</string> <string>CryptoTokenKit:login</string> </array> The mechanisms I removed were: <string>builtin:policy-banner</string> <string>loginwindow:login</string> <string>builtin:reset-password,privileged</string> <string>loginwindow:FDESupport,privileged</string> <string>builtin:authenticate,privileged</string> <string>loginwindow:success</string> <string>loginwindow:done</string> In place of builtin:authenticate I supplied my own mechanism to verify the user’s password using OD and then set the username and password in the context. This attempt appears to have failed quite badly, as authd reported an error almost immediately (I believe it was related to the AuthEngine failing to init). There’s very little information to go on as to what each of these mechanisms do, and which are required, etc. Am I on the wrong track in attempting this? What would be the correct approach?
1
0
180
6d
Wifi and Power option while developing Mac OS X Authorisation Plugin.
Hi, I am working on Authorisation Plugin for Mac OS X and able to get going for most of the parts and taking inspiration from Jamf Authorisation Plugin repo https://github.com/jamf/NoMADLogin-AD. I have seen in project they are implementing logic for following. Connecting to Wifi Power management (Sleep, Restart, Power Off) Question: I was wondering these things need to be implemented or is there a way some components from Mac OS X could be integrated calling some API and I don't have to implement them and I see say a top bar where these items are viable as we see in default login screen. I have developed my own login screen and I do see it is all blank everything I have to implement from scratch. Trying luck here if any API is out there to reduce work, else no option but to implement all logic. I'll really appreciate if someone just could help me know such API's are present or not. In case there are will save lot of effort. Thanks,
5
0
169
1w
How to perform actions as root from GUI apps on macOS?
I'm building a tool for admins in the enterprise context. The app needs to do some things as root, such as executing a script. I was hoping to implement a workflow where the user clicks a button, then will be shown the authentication prompt, enter the credentials and then execute the desired action. However, I couldn't find a way to implement this. AuthorizationExecuteWithPrivileges looked promising, but that's deprecated since 10.7. I've now tried to use a launch daemon that's contained in the app bundle with XPC, but that seems overly complicated and has several downsides (daemon with global machservice and the approval of a launch daemon suggests to the user that something's always running in the background). Also I'd like to stream the output of the executed scripts in real time back to the UI which seems very complicated to implement in this fashion. Is there a better way to enable an app to perform authorized privilege escalation for certain actions? What about privileged helper tools? I couldn't find any documentation about them. I know privilege escalation is not allowed in the App Store, but that's not relevant for us.
4
0
313
Jan ’25
Some questions about Device Check
I've got a few questions about device check, and would be grateful if anybody knows the answers: why is DC not reset when the device transfers between users? The canonical example of why an app might use DC is if it offers a promotion and to stop user's from getting that promotion multiple times. However, using the same example scenario yes you've stopped the first user from getting multiple promotions but then if that device is transferred to another user you've stopped them from getting any promotions at all? how can you test things when the bits can't be reset? If once you've set the bits on a device then you can no longer ever use that device again to test the apps behavior in the situation when the bits are unset. does the app have complete freedom to set the timestamp to whatever it wants? For example, could the app set a bit with a timestamp of epoch? if the bits are shared between all apps from the same developer, then supposing that developer have more apps in the App Store then there are bits? If they have 5 apps offering a promotion and a device has previously had 4 apps installed, then the user wants to install a 5th app, but with all 4 bits now then the user will be able to abuse the promotion on the 5th app because the app has no way of recording if the promo has been used or not as the collective bits have been used up?
0
1
217
Dec ’24
Verify the Password using the AuthorizationCopyRights
Hi everyone, I’m working on building a passwordless login system on macOS using the NameAndPassword module. As part of the implementation, I’m verifying if the password provided by the user is correct before passing it to the macOS login window. Here’s the code snippet I’m using for authentication: // Create Authorization reference AuthorizationRef authorization = NULL; // Define Authorization items AuthorizationItem items[2]; items[0].name = kAuthorizationEnvironmentPassword; items[0].value = (void *)password; items[0].valueLength = (password != NULL) ? strlen(password) : 0; items[0].flags = 0; items[1].name = kAuthorizationEnvironmentUsername; items[1].value = (void *)userName; items[1].valueLength = (userName != NULL) ? strlen(userName) : 0; items[1].flags = 0; // Prepare AuthorizationRights and AuthorizationEnvironment AuthorizationRights rights = {2, items}; AuthorizationEnvironment environment = {2, items}; // Create the authorization reference [Logger debug:@"Authorization creation start"]; OSStatus createStatus = AuthorizationCreate(NULL, &amp;environment, kAuthorizationFlagDefaults, &amp;authorization); if (createStatus != errAuthorizationSuccess) { [Logger debug:@"Authorization creation failed"]; return false; } // Set authorization flags (disable interaction) AuthorizationFlags flags = kAuthorizationFlagDefaults | kAuthorizationFlagExtendRights; // Attempt to copy rights OSStatus status = AuthorizationCopyRights(authorization, &amp;rights, &amp;environment, flags, NULL); // Free the authorization reference if (authorization) { AuthorizationFree(authorization, kAuthorizationFlagDefaults); } // Log the result and return if (status == errAuthorizationSuccess) { [Logger debug:@"Authentication passed"]; return true; } else { [Logger debug:@"Authentication failed"]; return false; } } This implementation works perfectly when the password is correct. However, if the password is incorrect, it tries to re-call the macOS login window, which is already open. even i though i did not used the kAuthorizationFlagInteractionAllowed flag. This causes the process to get stuck and makes it impossible to proceed. I’ve tried logging the flow to debug where things go wrong, but I haven’t been able to figure out how to stop the system from re-calling the login window. Does anyone know how to prevent this looping behavior or gracefully handle an incorrect password in this scenario? I’d appreciate any advice or suggestions to resolve this issue. Thanks in advance for your help!
7
1
585
Dec ’24
How to Use System Keychain for Password Storage in an Authorization Plugin with Custom UI?
Hello developers, I'm currently working on an authorization plugin for macOS. I have a custom UI implemented using SFAuthorizationPluginView, which prompts the user to input their password. The plugin is running in non-privileged mode, and I want to store the password securely in the system keychain. However, I came across an article that states the system keychain can only be accessed in privileged mode. At the same time, I read that custom UIs, like mine, cannot be displayed in privileged mode. This presents a dilemma: In non-privileged mode: I can show my custom UI but can't access the system keychain. In privileged mode: I can access the system keychain but can't display my custom UI. Is there any workaround to achieve both? Can I securely store the password in the system keychain while still using my custom UI, or am I missing something here? Any advice or suggestions are highly appreciated! Thanks in advance! 😊
1
0
485
Dec ’24
MFA MacOS At ScreenSaver (Lock Screen).
Hi , I did The MFA(2FA) of Email OTP For MacOS Login Screen using, Authorization Plugin, Using This git hub project. It is working For Login Screen , Im trying to Add The Same plugin for LockScreen but it is not working at lock Screen , Below is the reffrense theard For The issue , https://developer.apple.com/forums/thread/127614, please Share The Code that should Present the NSwindow at Screen Saver (Lock Screen) MacOS .
2
0
631
Sep ’24
Mutual TLS using Private Key and Certificate
I'm developing an SDK that will allow iOS devices (iOS 13+) to connect to AWS IoT Core using Native C. The endpoint requires a mutual TLS handshake to connect. I have been able to successfully import a Certificate and Private Key into the keychain but am unable to generate a SecIdentityRef from them for use in setting up a nw_protocol_options_t. I've looked through other forum posts and have been unable to figure out what's going on (Some are from 5+ years ago and maybe things have changed since then). After prepping the raw data for the cert and key into expected formats I import the certificate: const void *add_keys[] = { kSecClass, kSecAttrLabel, kSecAttrSerialNumber, kSecValueData, kSecReturnRef }; const void *add_values[] = { kSecClassCertificate, label, serial_data, cert_data, kCFBooleanTrue }; attributes = CFDictionaryCreate( cf_alloc, add_keys, add_values, 5, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); status = SecItemAdd(attributes, (CFTypeRef *)out_certificate); Next I import the private key: const void *add_keys[] = { kSecClass, kSecAttrKeyClass, kSecAttrKeyType, kSecAttrApplicationLabel, kSecAttrLabel, kSecValueData, kSecReturnRef }; const void *add_values[] = { kSecClassKey, kSecAttrKeyClassPrivate, key_type, application_label, label, key_data, kCFBooleanTrue }; attributes = CFDictionaryCreate( cf_alloc, add_keys, add_values, 7, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); status = SecItemAdd(attributes, (CFTypeRef *)out_private_key); The full code handles duplicate items in which case attributes are updated. Following the successful import of the cert and key to the keychain, I attempt to retrieve the identity with the following: SecIdentityRef identity = NULL; CFDictionaryRef query = NULL; const void *query_keys[] = { kSecClass, kSecReturnRef, // kSecAttrSerialNumber, // kSecAttrLabel kSecMatchLimit }; const void *query_values[] = { kSecClassIdentity, kCFBooleanTrue, // cert_serial_data, // cert_label_ref kSecMatchLimitAll }; query = CFDictionaryCreate( cf_alloc, query_keys, query_values, 3, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); OSStatus identity_status = SecItemCopyMatching(query, (CFTypeRef *)&identity); I have attempted using various search parameters related to the label and the serial of the certificate. Based on other forum post suggestions I have also tried expanding the search to kSecMatchLimitAll to get back ANY stored kSecClassIdentity and all variations returned OSStatus of -25300 (errSecItemNotFound). Once I am able to retrieve the SecIdentityRef, my understanding is that I can add it to the following during creation of the socket: nw_protocol_options_t tls_options = nw_tls_create_options(); sec_protocol_options_t sec_options = nw_tls_copy_sec_protocol_options(tls_options); sec_protocol_options_set_min_tls_protocol_version(sec_options, tls_protocol_version_TLSv12); sec_protocol_options_set_max_tls_protocol_version(sec_options, tls_protocol_version_TLSv13); sec_protocol_options_set_local_identity(sec_options, SecIdentityRef); Am I missing some step that is required to create an identity from the certificate and private key? I have tested the cert/key pair and they connect properly when using the old deprecated SecItemImport and SecIdentityCreateWithCertificate (on our old macOS only implementation). I will continue to dig through Apple documentation as well as more forum posts but I feel like I'm hitting a wall and missing something very obvious as this seems like a very common networking task. Thanks! The provided links below are to the full code related to the work in progress iOS import functions: Link to import function https://github.com/awslabs/aws-c-io/blob/cad8639ef0ea08ba3cc74b72cfc1c9866adbb7e5/source/darwin/darwin_pki_utils.c#L735 Link to private key import: https://github.com/awslabs/aws-c-io/blob/cad8639ef0ea08ba3cc74b72cfc1c9866adbb7e5/source/darwin/darwin_pki_utils.c#L561 Link to certificate import: https://github.com/awslabs/aws-c-io/blob/cad8639ef0ea08ba3cc74b72cfc1c9866adbb7e5/source/darwin/darwin_pki_utils.c#L398
10
0
1.1k
Aug ’24
Server Trust Authentication with same URL Session has uncertain response time behavior
Hello Folks I have a Custom UrlSessionDeleagte which is checking server authentication by overriding method func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -&gt; Swift.Void) { if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust) { let serverTrust = challenge.protectionSpace.serverTrust // Applying additional validations. if(validated) { completionHandler(.useCredential, URLCredential(trust:serverTrust)) } } else { completionHandler(.performDefaultHandling, nil) } Initialized URL Session as below and reusing it in subsequent requests. if(urlSession != nil) { urlSession = URLSession(configuration: URLSessionConfiguration.Default, delegate: customURLSessionDelegate, delegateQueue : nil) } Now the issue is the uncertainty in response time First request - say took approx 11 secs. Second request if send immediately (&lt; 2 secs difference from last call) - took only 0.2 secs or 1.2 secs. Third request if send after &gt;20 secs - took again 12 secs. I want to know whether it is an implementation issue, or iOS behavior of handling the Server trust Authentication process in this way? Because the time it took after initializing a DataTask to checking server Auth differes. Also when call is sent immdiately it does not checkk Authentication again, but when send a after ~20 secs debugger fall on the Authentication method again, even if the URlsession instance was same.
0
0
501
Aug ’24
SFAuthorizationPluginView Implementation in Swift
Hi, I am currently trying to develop an authorization plugin using SFAuthorizationPluginView. My objective is to display a webView to the user for authentication purposes. I have based my work on the updated NameandPassword example : https://github.com/antoinebell/NameAndPassword. I have seen that the header for the SFAuthorizationPluginView class exists in Swift. However, I have not found any implementation examples of an authorization plugin in Swift. I have attempted to implement this on my own but am encountering difficulties displaying my embedded view within a ViewController. Is it possible to create an authorization plug-in in Swift ?
3
0
812
Oct ’24
security set-key-partition-list valid values
Hi Devs, i have a question concerning the security set-key-partition-list -S command. I want to use it to enable a code signing certificate being used by codesign and productbuild to sign without sudo or a password prompt. Some sources indicate i need to add codesign: as partition but some don't even mention this. So my question is what partitions are even possible to add? What does partitions in this context mean? How can i find out which i need for productbuild and codesign? Thanks in advance Paul
1
1
1k
May ’24