Hello,
I'm investigating the use of persistent extension to expose certificates and keys to applications. I am investigating on macOS and iOS but I am currently testing on macOS.
I'm able to list the exposed certificate. I thought I could restrict the search to my particular token with kSecAttrTokenID (and the ID I provided to addTokenConfiguration(for: ), e.g. the string "COMPANY-macOS-pext"), but it doesn't work.
So I tried to list all the tokens available from my app, using the following code adapted from SecurityTool:
static func listAllKeychains() {
listKeychains (ofType: SecPreferencesDomain.user)
listKeychains (ofType: SecPreferencesDomain.system)
listKeychains (ofType: SecPreferencesDomain.common)
listKeychains (ofType: SecPreferencesDomain.dynamic)
}
static func listKeychains (ofType type: SecPreferencesDomain) {
var searchList: CFArray?
let status = SecKeychainCopyDomainSearchList(type, &searchList)
if ( status != errSecSuccess) {
logger.debug("error getting Keychains list : \(status).")
return
}
guard let keychains = searchList as? [SecKeychain] else {
logger.debug("Error on retrieved keychains")
return
}
for keychain in keychains {
var pName = Array(repeating: 0 as Int8, count: 1024)
var pLength = UInt32(pName.count)
let oStatus = SecKeychainGetPath(keychain, &pLength, &pName)
if oStatus == errSecSuccess {
let buffer = [UInt8](unsafeBitCast(pName, to: [UInt8].self))
let name: String = String(bytes: buffer, encoding: .ascii) ?? "Unable to get string"
logger.debug("Keychain \(keychain.hashValue) : \(name)")
} else {
logger.debug("Error getting pathname of keychain \(keychain.hashValue)")
}
}
}
I just get the user keychain and the system keychain.
- Am I missing something here ?
- How can I list the keychain provided by the extension ?
- Is it possible to restrict a search for the items provided by my extension ?
Regards, ++dom
