I’m developing an iOS application and aiming to install a PKCS#12 (.p12) certificate into the com.apple.token keychain access group so that Microsoft Edge for iOS, managed via MDM/Intune, can read and use it for client certificate authentication.
I’m attempting to save to the com.apple.token keychain access group, but I’m getting error -34018 (errSecMissingEntitlement) and the item isn’t saved. This occurs on both a physical device and the simulator.
I’m using SecItemAdd from the Security framework to store it. Is this the correct approach? https://developer.apple.com/documentation/security/secitemadd(::)
I have added com.apple.token to Keychain Sharing.
I have also added com.apple.token to the app’s entitlements.
Here is the code I’m using to observe this behavior:
```swift
import Foundation
import Security

enum TokenKeychain {
    public static func installToTokenGroup(p12Data: Data, password: String) throws -> SecIdentity {
        // First, import the P12 to get the identity.
        let options: [String: Any] = [
            kSecImportExportPassphrase as String: password
        ]
        var items: CFArray?
        let importStatus = SecPKCS12Import(p12Data as CFData, options as CFDictionary, &items)
        guard importStatus == errSecSuccess,
              let array = items as? [[String: Any]],
              let dict = array.first
        else {
            throw NSError(domain: NSOSStatusErrorDomain,
                          code: Int(importStatus),
                          userInfo: [NSLocalizedDescriptionKey: "Failed to import P12: \(importStatus)"])
        }

        // The import dictionary holds the identity as a CFTypeRef; check the type
        // instead of force-casting so a malformed bundle throws rather than crashes.
        guard let identityRef = dict[kSecImportItemIdentity as String],
              CFGetTypeID(identityRef as CFTypeRef) == SecIdentityGetTypeID()
        else {
            throw NSError(domain: NSOSStatusErrorDomain,
                          code: Int(errSecDecode),
                          userInfo: [NSLocalizedDescriptionKey: "PKCS#12 bundle contains no identity"])
        }
        let identity = identityRef as! SecIdentity

        // Add the identity to the com.apple.token access group.
        let addQuery: [String: Any] = [
            kSecClass as String: kSecClassIdentity,
            kSecValueRef as String: identity,
            kSecAttrLabel as String: kSecAttrAccessGroupToken,
            kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlock,
            kSecAttrAccessGroup as String: kSecAttrAccessGroupToken
        ]
        let status = SecItemAdd(addQuery as CFDictionary, nil)
        // This is where -34018 (errSecMissingEntitlement) is returned.
        if status != errSecSuccess && status != errSecDuplicateItem {
            throw NSError(domain: NSOSStatusErrorDomain,
                          code: Int(status),
                          userInfo: [NSLocalizedDescriptionKey: "Failed to add to token group: \(status)"])
        }
        return identity
    }
}
```
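As an added example (not the poster's code) of the same SecPKCS12Import + SecItemAdd flow, with the two diagnostics a practitioner usually wants when an add "succeeds" but nothing shows up: the OSStatus rendered through SecCopyErrorMessageString, and a read-back with SecItemCopyMatching scoped to the target access group that proves the identity is actually retrievable from there. The access group is a parameter (nil means the app's own default group, which is the assumption this example runs under); passing "com.apple.token" reproduces the poster's call. The label string and the KeychainError type are constructed for this example.

```swift
import Foundation
import Security

/// Error that carries the Security framework's own description of an OSStatus.
struct KeychainError: Error, CustomStringConvertible {
    let status: OSStatus
    let context: String

    var description: String {
        var message = "unknown"
        if let cf = SecCopyErrorMessageString(status, nil) {
            message = cf as String
        }
        return "\(context): \(message) (\(status))"
    }
}

enum IdentityInstaller {
    // Constructed label used to find the identity again after the add.
    static let label = "client-auth-identity"

    /// Imports a PKCS#12 blob, stores the identity in `accessGroup`
    /// (nil = the app's default access group) and reads it back to confirm it landed.
    static func install(p12Data: Data, password: String, accessGroup: String?) throws -> SecIdentity {
        var items: CFArray?
        let importOptions = [kSecImportExportPassphrase as String: password]
        let importStatus = SecPKCS12Import(p12Data as CFData, importOptions as CFDictionary, &items)
        guard importStatus == errSecSuccess else {
            throw KeychainError(status: importStatus, context: "SecPKCS12Import")
        }
        guard let first = (items as? [[String: Any]])?.first,
              let identityRef = first[kSecImportItemIdentity as String],
              CFGetTypeID(identityRef as CFTypeRef) == SecIdentityGetTypeID()
        else {
            throw KeychainError(status: errSecDecode, context: "no identity in PKCS#12")
        }
        let identity = identityRef as! SecIdentity

        // ThisDeviceOnly keeps the private key out of backups that could be
        // restored onto another device; drop it if the deployment needs migration.
        var addQuery: [String: Any] = [
            kSecClass as String: kSecClassIdentity,
            kSecValueRef as String: identity,
            kSecAttrLabel as String: label,
            kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
        ]
        if let group = accessGroup {
            addQuery[kSecAttrAccessGroup as String] = group
        }

        let addStatus = SecItemAdd(addQuery as CFDictionary, nil)
        switch addStatus {
        case errSecSuccess, errSecDuplicateItem:
            break // duplicate is fine: verify the existing copy below
        case errSecMissingEntitlement:
            // -34018: the app's entitlements do not grant the requested access group.
            throw KeychainError(status: addStatus,
                                context: "not entitled to access group \(accessGroup ?? "<default>")")
        default:
            throw KeychainError(status: addStatus, context: "SecItemAdd")
        }

        // Read back from the same access group; an identity that cannot be found
        // here will not be usable by any other app in that group either.
        var verifyQuery: [String: Any] = [
            kSecClass as String: kSecClassIdentity,
            kSecAttrLabel as String: label,
            kSecMatchLimit as String: kSecMatchLimitOne,
            kSecReturnRef as String: true
        ]
        if let group = accessGroup {
            verifyQuery[kSecAttrAccessGroup as String] = group
        }
        var found: CFTypeRef?
        let readStatus = SecItemCopyMatching(verifyQuery as CFDictionary, &found)
        guard readStatus == errSecSuccess,
              let ref = found,
              CFGetTypeID(ref) == SecIdentityGetTypeID()
        else {
            throw KeychainError(status: readStatus, context: "identity not readable after add")
        }
        return ref as! SecIdentity
    }
}

// Usage: let identity = try IdentityInstaller.install(p12Data: data, password: pw, accessGroup: nil)
// Pass accessGroup: "com.apple.token" to reproduce the add described in the question.
```

The read-back is the useful part: SecItemAdd returning errSecSuccess or errSecDuplicateItem only says the keychain accepted the item for the calling app, while the scoped SecItemCopyMatching shows whether the identity is visible in the access group the consuming app will query.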