I'm working on a VPN project for macOS and outside App Store.
I'm trying to pass a client certificate (saved in the keychain) into the NetworkExtension.
In the main app, I create a persistent reference and assign it to the identityReference of the protocolConfiguration:
```swift
// Main app: build a persistent reference for the keychain item and hand it
// to the tunnel configuration.
var certificatePersistentRef: CFData?
SecKeychainItemCreatePersistentReference(certificate, &certificatePersistentRef)
if let ref = certificatePersistentRef {
    targetManager.protocolConfiguration?.identityReference = ref as Data
}
```
Later, retrieve it in NetworkExtension:
```swift
// NetworkExtension: resolve the persistent reference back into a keychain item.
if let identityData = self.provider?.protocolConfiguration.identityReference {
    var item: SecKeychainItem?
    let retStatus = SecKeychainItemCopyFromPersistentReference(identityData as CFData, &item)
    if retStatus != errSecSuccess {
        print(retStatus)
    }
}
```
It works as expected if the NetworkExtension is running in Application Extension mode.
But when running it in System Extension mode, I always get this error: -25294 (errSecNoSuchKeychain)
I think the reason is that the System Extension runs with root privileges, so it cannot access the user keychain.
But my app will not be published to the App Store, so it has to run in System Extension mode.
My question is, is there a way to grant the System Extension permission to get a client certificate (and private key) from the user keychain? If this is not possible, how do we pass the client certificate stored in the keychain?
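The same handoff written against the SecItem API, as an added example that is not part of the original post: it looks the identity up by label (the label "VPN Client" is an assumption), stores the persistent reference in identityReference, and resolves it in the provider with an explicit type check. It does not by itself change which keychains a root process can see, so the -25294 status is surfaced where it would occur.

```swift
import Foundation
import Security
import NetworkExtension

// Container app: fetch a persistent reference for the identity whose
// keychain label matches `label` (assumed label, adjust to your item).
func persistentRef(forIdentityLabeled label: String) -> Data? {
    let query: [CFString: Any] = [
        kSecClass: kSecClassIdentity,
        kSecAttrLabel: label,
        kSecReturnPersistentRef: true,
        kSecMatchLimit: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess else {
        print("identity lookup failed: \(status)")
        return nil
    }
    return result as? Data
}

// Container app: attach the reference to the tunnel configuration.
func attach(identityRef: Data, to manager: NETunnelProviderManager) {
    manager.protocolConfiguration?.identityReference = identityRef
}

// Provider side: turn the persistent reference back into a SecIdentity.
// Returns nil (and logs the OSStatus) when the keychain holding the item is
// not visible to this process; -25294 is errSecNoSuchKeychain.
func resolveIdentity(from provider: NEPacketTunnelProvider) -> SecIdentity? {
    guard let ref = provider.protocolConfiguration.identityReference else {
        return nil
    }
    let query: [CFString: Any] = [
        kSecValuePersistentRef: ref,
        kSecReturnRef: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let found = item else {
        print("could not resolve identity reference: \(status)")
        return nil
    }
    // A reference created from a bare certificate resolves to a
    // SecCertificate, not a SecIdentity; reject that case explicitly.
    guard CFGetTypeID(found) == SecIdentityGetTypeID() else {
        print("persistent reference does not point at an identity")
        return nil
    }
    return (found as! SecIdentity)
}
```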