using system keychain from swift

Hi, I'm new to OSX/Mac/Swift world, and need some help to access system keychain certificates, just that for the moment.

I'm reading the dev site documentation but the examples are useless or confusing for what I want to do. I will appreciate any help or a pointer to the correct documentation; I could even translate Objective-C to Swift.

Thank you in advance.

OK, let’s start with clarifying terms: What do you mean by “system keychain certificates”? Most folks who ask questions like this are actually interested in getting a digital identity, that is, the combination of a certificate and a private key that matches the public key within that certificate. For example, if you’re trying to do TLS client certificate authentication, you actually need a digital identity, not a certificate.

A digital identity is represented by the SecIdentity type.

Also, what is your deployment model? A Mac App Store app? A Developer ID app? A Developer ID command-line tool? Some other program?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"


WWDC runs Mon, 4 Jun through to Fri, 8 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face.

Thank you for the info. When I said "system keychain", I meant a public/private key repository like "windows-my" in Windows; in Windows I get a public/private key pair using an "alias". I understand that here (OSX) it's different. I didn't think about the "deploy model"; for the time being I want a local executable CLI program in Swift that will use native OSX APIs to access a private/public key (identity) to build a digital signature. Thank you again.

I’m sorry but I don’t know anything about the security architecture on Windows, so explaining things in those terms doesn’t help.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware


I'm sorry, I didn't express the idea correctly (my English is a bit rusty, at least 😝).

I thought that OSX keychain works like "windows-my", but it's evident that it is not. It was not my intention to talk about OSX keychain in terms of Windows "windows-my", not even close.


I don't expect a full theory of the security system in OSX (documentation exists for that); I just need some refs or clues like "get a SecIdentity".


Does my app need special permissions for this? Can I access connected smart cards in the same way? Do you have a link to sample code that uses the system keychain and not a "local app" keychain, at least in Objective-C?


Thank you for your patience.

Accepted Answer

Do you have a link to sample code that uses the system keychain and not a "local app" keychain, at least in Objective-C?

macOS doesn’t have the concept of a “local app” keychain [1]. Rather, each app has its own keychain search list and sees all the items in all the keychains in that search list. This search list typically includes the login keychain and the System keychain, but there can be other keychains inserted in the list, either by the user or programmatically. Such keychains can either be file-based or backed by a security token (like a smart card).

Credentials within the keychain are governed by an access control list, so when you try to use the credential you may end up triggering a user authentication dialog.

Given the above architecture there should be no problems with you seeing digital identities in the System keychain, or in a configured smart card keychain. You can use normal keychain APIs to query for the digital identities you care about and you’ll get back results from all the keychains in the search list (using one of those identity’s private key might trigger an authorisation dialog, but that’s a separate issue).

In short, call SecItemCopyMatching to request all digital identities and see what you get back. For example:

```swift
import Foundation
import Security

// Ask for every identity (certificate plus matching private key) in this
// process's keychain search list. kSecReturnRef makes the result an array
// of SecIdentity references rather than attribute dictionaries.
var copyResult: CFTypeRef? = nil
let err = SecItemCopyMatching([
    kSecClass as String: kSecClassIdentity,
    kSecMatchLimit as String: kSecMatchLimitAll,
    kSecReturnRef as String: true
] as CFDictionary, &copyResult)
if err == errSecSuccess {
    let identities = copyResult! as! [SecIdentity]
    for identity in identities {
        NSLog("%@", "\(identity)")
    }
} else if err == errSecItemNotFound {
    // No identities in any keychain in the search list; not a failure as such.
    NSLog("no identities found")
} else {
    NSLog("SecItemCopyMatching failed: %d", err)
}
```

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware


[1] Well, it does when you start dealing with iCloud Keychain, as discussed in this post.
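As an added example that is not Quinn's code nor Apple sample code, the following Swift command-line program puts the answer above together with the signing use case from the question: it enumerates the identities visible through the process's keychain search list (login, System and any smart-card token keychains), prints each certificate's common name, and signs a message with the private key of the first identity whose subject contains a filter string. The subject filter "Example", the message, and the helper names are assumptions. As the answer notes, the SecIdentityCopyPrivateKey / SecKeyCreateSignature step is where an ACL dialog or smart-card PIN prompt can appear; a denied prompt comes back as an OSStatus error rather than a crash.

```swift
// Added example (not from the original post). Assumptions: the subject
// filter and the message below are placeholders; helper names are ours.
import Foundation
import Security

/// Human-readable text for an OSStatus such as errSecItemNotFound or errSecAuthFailed.
func describe(_ status: OSStatus) -> String {
    return (SecCopyErrorMessageString(status, nil) as String?) ?? "OSStatus \(status)"
}

func statusError(_ status: OSStatus, _ what: String) -> Error {
    return NSError(domain: NSOSStatusErrorDomain, code: Int(status),
                   userInfo: [NSLocalizedDescriptionKey: "\(what): \(describe(status))"])
}

/// Every SecIdentity in the keychain search list, optionally limited to
/// certificates whose subject contains `subject` (kSecMatchSubjectContains).
func copyIdentities(subjectContaining subject: String? = nil) throws -> [SecIdentity] {
    var query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnRef as String: true,
    ]
    if let subject = subject {
        query[kSecMatchSubjectContains as String] = subject
    }
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return [] }   // no match is an empty list, not a failure
    guard status == errSecSuccess else { throw statusError(status, "SecItemCopyMatching") }
    return result as! [SecIdentity]
}

/// Common name of the certificate half of an identity.
func commonName(of identity: SecIdentity) -> String? {
    var certificate: SecCertificate?
    guard SecIdentityCopyCertificate(identity, &certificate) == errSecSuccess,
          let cert = certificate else { return nil }
    var name: CFString?
    guard SecCertificateCopyCommonName(cert, &name) == errSecSuccess else { return nil }
    return name as String?
}

/// Signs `message` with the identity's private key, choosing RSA PKCS#1 v1.5
/// or ECDSA (both over SHA-256) from what the key supports. Touching the key
/// is the step governed by the keychain ACL, so this is where a dialog or a
/// smart-card PIN prompt may appear; a denial surfaces as a thrown error.
func sign(_ message: Data, with identity: SecIdentity) throws -> Data {
    var privateKey: SecKey?
    let status = SecIdentityCopyPrivateKey(identity, &privateKey)
    guard status == errSecSuccess, let key = privateKey else {
        throw statusError(status, "SecIdentityCopyPrivateKey")
    }
    let candidates: [SecKeyAlgorithm] = [.rsaSignatureMessagePKCS1v15SHA256,
                                         .ecdsaSignatureMessageX962SHA256]
    guard let algorithm = candidates.first(where: { SecKeyIsAlgorithmSupported(key, .sign, $0) }) else {
        throw statusError(errSecParam, "no supported signature algorithm for this key")
    }
    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(key, algorithm, message as CFData, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    // Verify locally against the public key so a key/algorithm mismatch is caught here.
    guard let publicKey = SecKeyCopyPublicKey(key),
          SecKeyVerifySignature(publicKey, algorithm, message as CFData, signature, nil) else {
        throw statusError(errSecVerifyFailed, "local verification of fresh signature")
    }
    return signature as Data
}

// Assumed inputs: placeholder subject filter and message.
let subjectFilter = "Example"
do {
    let identities = try copyIdentities(subjectContaining: subjectFilter)
    for (i, identity) in identities.enumerated() {
        print("[\(i)] CN=\(commonName(of: identity) ?? "<none>")")
    }
    guard let identity = identities.first else {
        print("no identity whose subject contains \"\(subjectFilter)\"")
        exit(1)
    }
    let signature = try sign(Data("hello, keychain".utf8), with: identity)
    print("signature (\(signature.count) bytes): \(signature.base64EncodedString())")
} catch {
    print("failed: \(error)")
    exit(1)
}
```

Build with `swiftc sign.swift -o sign` and run it as the logged-in user so the login and System keychains are in the search list. The deployment-model question from earlier in the thread still applies: a plain command-line tool sees whatever the search list contains, so the filter string is the only thing stopping it from picking up an unintended identity, and SecKeyCreateSignature is the call that prompts when the item's ACL does not already trust the tool.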

Thank you very much; with your help I was able to get the common names of certificates from the keychain. It's a start 😀
