Using SecItemUpdate to change the kSecAttrAccessControl value of a private key protected by the Secure Enclave

I am trying to use SecItemUpdate in order to change the kSecAttrAccessControl value on a private key protected by the Secure Enclave as well as an .applicationPassword - which I want to change. I have been unsuccessful getting the query and attributesToUpdate dictionaries right though, with SecItemUpdate returning either errSecParam, errSecNoSuchAttr or errSecAuthFailed. Am I on the right track here or am I trying to do something that is not possible?


Replies

Update: The documentation for SecItemUpdate includes the following w.r.t. the attributesToUpdate dictionary:

Only real keychain attributes are permitted in this dictionary (no "meta" attributes are allowed.) 

It is unclear (at least to me) what those "meta" attributes may be. Is kSecAttrAccessControl maybe one of them?

I dug a little deeper (thanks, Quinn!) and found two possibly related errors in the system log. errSecNoSuchAttr seems to be caused by

error:[-25303] Error Domain=NSOSStatusErrorDomain Code=-25303 "attribute u_CredRef not found in class keys" UserInfo={numberOfErrorsDeep=0, NSDescription=attribute u_CredRef not found in class keys}

while errSecAuthFailed seems to be a fallout from

evaluateAccessControl on LAContext[5448:4] cid:17 returned Error Domain=com.apple.LocalAuthentication Code=-1009 "ACL operation is not allowed: 'oe'" UserInfo={NSDebugDescription=ACL operation is not allowed: 'oe', NSLocalizedDescription=Vorgang ist nicht zulässig.}

I filed this as FB11884381, FWIW.

  • Are there any updates on this? I tried filing a code level support incident on the same problem last November, but Apple closed it without even bothering to respond to me.


FWIW, the resolution of the feedback I filed was basically "works as designed".

Apple closed it without even bothering to respond to me.

Without responding at all? Or with a response saying that DTS can’t help you with this?

"works as designed"

Yep. I’m not sure of the timing here, but I came across this issue myself and listed it in SecItem: Pitfalls and Best Practices (under Add-only Attributes).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
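Since kSecAttrAccessControl is add-only, the supported way to "change" the ACL on a Secure Enclave key is to generate a replacement key under the new access control and delete the old one. The Swift below is an added example, not code from this thread or from Apple; the application tags, the placement of kSecUseAuthenticationContext, and the caller having already set the application password on the LAContext are assumptions.

```swift
import Foundation
import LocalAuthentication
import Security
// Constructed example: an ACL requiring the Secure Enclave plus an application password.
func makeAccessControl() throws -> SecAccessControl {
    var error: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .applicationPassword], &error) else {
        throw error!.takeRetainedValue()
    }
    return acl
}

// Generate a permanent Secure Enclave key under `acl`. The LAContext carries the
// application password (the caller sets it via setCredential(_:type:)); assumed placement.
func makeSecureEnclaveKey(tag: Data, acl: SecAccessControl, context: LAContext) throws -> SecKey {
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecUseAuthenticationContext as String: context,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: tag,
            kSecAttrAccessControl as String: acl,
        ],
    ]
    var error: Unmanaged<CFError>?
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &error) else {
        throw error!.takeRetainedValue()
    }
    return key
}

// kSecAttrAccessControl cannot be changed with SecItemUpdate, so "changing" the ACL
// means creating a replacement key and deleting the old one. Tags are app-chosen (assumed).
func rotateSecureEnclaveKey(oldTag: Data, newTag: Data, newACL: SecAccessControl, context: LAContext) throws -> SecKey {
    let newKey = try makeSecureEnclaveKey(tag: newTag, acl: newACL, context: context)
    let deleteQuery: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
        kSecAttrApplicationTag as String: oldTag,
    ]
    let status = SecItemDelete(deleteQuery as CFDictionary)
    guard status == errSecSuccess || status == errSecItemNotFound else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
    return newKey  // re-publish SecKeyCopyPublicKey(newKey) wherever the old key was trusted
}
```

Because the private key never leaves the Secure Enclave, the new key has a different public key; anything that pinned or enrolled the old public key must be updated before the old key is deleted.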