[KeyChain Framework] KeyChain Item is accessible post App Transfer without rebuilding the KeyChain

We have utilised the Keychain framework for adding items into the Keychain.

  1. We have generated a key pair using the 'SecKeyGeneratePair' API as below:

    - (OSStatus)generateAssymetricKeyPair:(NSUInteger)bitSize {
        OSStatus sanityCheck = noErr;
        SecKeyRef publicKeyRef = NULL;
        SecKeyRef privateKeyRef = NULL;

        NSString *appGrpIdentifier = @"group.com.sample.xyz";

        // Set the private key attributes.
        // TAG_ASSYMETRIC_PRIVATE_KEY / TAG_ASSYMETRIC_PUBLIC_KEY are NSString tag constants defined elsewhere in the project.
        NSDictionary *privateKeyAttr = @{
            (__bridge id)kSecAttrIsPermanent: @YES,
            (__bridge id)kSecAttrApplicationTag: [TAG_ASSYMETRIC_PRIVATE_KEY dataUsingEncoding:NSUTF8StringEncoding],
            (__bridge id)kSecAttrCanEncrypt: @NO,
            (__bridge id)kSecAttrCanDecrypt: @YES,
            (__bridge id)kSecAttrAccessGroup: appGrpIdentifier
        };

        // Set the public key attributes.
        NSDictionary *publicKeyAttr = @{
            (__bridge id)kSecAttrIsPermanent: @YES,
            (__bridge id)kSecAttrApplicationTag: [TAG_ASSYMETRIC_PUBLIC_KEY dataUsingEncoding:NSUTF8StringEncoding],
            (__bridge id)kSecAttrCanEncrypt: @YES,
            (__bridge id)kSecAttrCanDecrypt: @NO,
            (__bridge id)kSecAttrAccessGroup: appGrpIdentifier
        };

        // Set top level attributes for the key pair.
        NSDictionary *keyPairAttr = @{
            (__bridge id)kSecAttrKeyType: (__bridge id)kSecAttrKeyTypeRSA,
            (__bridge id)kSecAttrKeySizeInBits: @(bitSize),
            (__bridge id)kSecClass: (__bridge id)kSecClassKey,
            (__bridge id)kSecPrivateKeyAttrs: privateKeyAttr,
            (__bridge id)kSecPublicKeyAttrs: publicKeyAttr,
            // MOBSF-WARNING-SUPPRESS: <We cannot use the MobSF recommended attributes for KeyChain items as it does not meet the application requirement>
            (__bridge id)kSecAttrAccessible: (__bridge id)kSecAttrAccessibleAfterFirstUnlock, // mobsf-ignore: ios_keychain_weak_accessibility_value
            // MOBSF-SUPPRESS-END
            (__bridge id)kSecAttrAccessGroup: appGrpIdentifier
        };

        // Generate the asymmetric key pair.
        sanityCheck = SecKeyGeneratePair((__bridge CFDictionaryRef)keyPairAttr, &publicKeyRef, &privateKeyRef);
        if (sanityCheck == errSecSuccess) {
            NSLog(@"[DB_ENCRYPTION] <ALA_INFO> [OS-CCF] CALLED Assymetric keys are generated");
        } else {
            NSLog(@"[DB_ENCRYPTION] <ALA_ERROR> [OS-CCF] CALLED Error while generating asymetric keys : %d", (int)sanityCheck);
        }

        // The keys are persistent (kSecAttrIsPermanent), so the references can be released here.
        if (publicKeyRef) { CFRelease(publicKeyRef); }
        if (privateKeyRef) { CFRelease(privateKeyRef); }

        return sanityCheck;
    }

  2. The key pair is added into the Keychain:

    - (BOOL)saveSymetricKeyToKeychain:(NSData *)symmetricKeyData keyIdentifier:(NSString *)keyIdentifier {
        OSStatus status = noErr;   // was not declared in the posted snippet
        NSString *appGrpIdentifier = [KeychainGroupManager getAppGroupIdentifier];
        NSDictionary *query = @{
            (__bridge id)kSecClass: (__bridge id)kSecClassKey,
            // kSecAttrApplicationTag is a CFData attribute; encode the identifier the same way the key pair tags are encoded.
            (__bridge id)kSecAttrApplicationTag: [keyIdentifier dataUsingEncoding:NSUTF8StringEncoding],
            (__bridge id)kSecValueData: symmetricKeyData,
            (__bridge id)kSecAttrKeyClass: (__bridge id)kSecAttrKeyClassSymmetric,
            // MOBSF-WARNING-SUPPRESS: <We cannot use the MobSF recommended attributes for KeyChain items as it does not meet the application requirement>
            (__bridge id)kSecAttrAccessible: (__bridge id)kSecAttrAccessibleAfterFirstUnlock, // mobsf-ignore: ios_keychain_weak_accessibility_value
            // MOBSF-SUPPRESS-END
            (__bridge id)kSecAttrAccessGroup: appGrpIdentifier
        };

        // Now add the key to the Keychain.
        status = SecItemAdd((__bridge CFDictionaryRef)query, NULL);

        if (status == errSecSuccess) {
            NSLog(@"[DB_ENCRYPTION] Key successfully stored in the Keychain");
            return YES;
        } else {
            NSLog(@"<ALA_ERROR> [DB_ENCRYPTION] Error storing key in the Keychain: %d", (int)status);
            return NO;
        }
    }

  3. Post app transfer, we are able to retrieve the public and private key references without rebuilding the Keychain.

Query: Is the "kSecAttrAccessGroup" attribute helping us retrieve the Keychain items without having to rebuild them on app transfer to a new Apple account, as described in this set of guidelines? Could you please explain this in detail.

https://developer.apple.com/help/app-store-connect/transfer-an-app/overview-of-app-transfer

Keychain sharing continues to work only until the app is updated. Therefore, you must rebuild the keychain when submitting updates. If your keychain group is defined in the Xcode project, replace it with a group created by the recipient, incorporating their Team ID for continued keychain sharing. After the update, users must re-login once as the app cannot retrieve the authentication token from the keychain.
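As an added diagnostic (an editor's example, not code from the post above or from Apple), the helper below reads back the kSecAttrAccessGroup and kSecAttrAccessible attributes that the keychain actually recorded for every kSecClassKey item the app can see. Access groups declared through the keychain-access-groups entitlement are prefixed with the Team ID, whereas an app group identifier such as group.com.sample.xyz carries no Team ID, so listing the recorded group shows which of the two a stored key is bound to. The names AuditKeychainKeyItems, AllKeyItemAttributes, AccessGroupIsTeamPrefixed and the TEAM_ID_PLACEHOLDER value are introduced here and are not part of the original code.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example, not part of the original post. Lists every kSecClassKey item
// visible to the app and prints the access group and accessibility attribute
// the keychain recorded for each. TEAM_ID_PLACEHOLDER stands in for the
// current Team ID of the signing account (assumption: substitute your own).
static NSString *const kTeamIDPlaceholder = @"TEAM_ID_PLACEHOLDER";

// Returns the attribute dictionaries of all key items, or nil with *outStatus
// set to the SecItemCopyMatching result (errSecItemNotFound when none exist).
static NSArray<NSDictionary *> *AllKeyItemAttributes(OSStatus *outStatus) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:            (__bridge id)kSecClassKey,
        (__bridge id)kSecReturnAttributes: @YES,
        (__bridge id)kSecMatchLimit:       (__bridge id)kSecMatchLimitAll,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (outStatus) { *outStatus = status; }
    if (status != errSecSuccess) { return nil; }
    return CFBridgingRelease(result);   // CFArray of CFDictionary -> NSArray<NSDictionary *>
}

// YES when the recorded group has the "<TEAMID>.<identifier>" shape of a
// keychain-access-groups entitlement value, NO for an app group identifier.
static BOOL AccessGroupIsTeamPrefixed(NSString *group, NSString *teamID) {
    return [group hasPrefix:[teamID stringByAppendingString:@"."]];
}

// The application tag may come back as NSData (stored as data) or NSString
// (stored as a string); render either for the log line.
static NSString *TagDescription(id tagValue) {
    if ([tagValue isKindOfClass:[NSData class]]) {
        NSString *s = [[NSString alloc] initWithData:tagValue encoding:NSUTF8StringEncoding];
        return s ?: [tagValue description];
    }
    if ([tagValue isKindOfClass:[NSString class]]) { return tagValue; }
    return @"<no tag>";
}

static void AuditKeychainKeyItems(void) {
    OSStatus status = errSecSuccess;
    NSArray<NSDictionary *> *items = AllKeyItemAttributes(&status);
    if (!items) {
        NSLog(@"[KEYCHAIN_AUDIT] no key items readable, status %d", (int)status);
        return;
    }
    for (NSDictionary *attrs in items) {
        NSString *tag        = TagDescription(attrs[(__bridge id)kSecAttrApplicationTag]);
        NSString *group      = attrs[(__bridge id)kSecAttrAccessGroup] ?: @"<none>";
        NSString *accessible = attrs[(__bridge id)kSecAttrAccessible] ?: @"<none>";
        BOOL teamBound = AccessGroupIsTeamPrefixed(group, kTeamIDPlaceholder);
        // accessible prints the raw value, e.g. "ck" for kSecAttrAccessibleAfterFirstUnlock,
        // so the MobSF finding in the post can be compared with what is actually stored.
        NSLog(@"[KEYCHAIN_AUDIT] tag=%@ group=%@ accessible=%@ boundToTeamID=%@",
              tag, group, accessible, teamBound ? @"YES" : @"NO");
    }
}
```

Call AuditKeychainKeyItems() once after the key pair has been generated, on a build signed by the original team and again on a build signed by the recipient team. A key whose group column shows the app group identifier unchanged across both builds is not tied to a Team ID, while a key whose group starts with the old Team ID is the case the transfer guideline is describing, and the keychain has to be rebuilt for it.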
