Keychain errSecItemNotFound

Question

Created 1d

Replies 3

Boosts 0

Participants 2

Hello Apple Developer: I encountered some issues during development. I encrypted the secret key and stored it in the Keychain, but it failed when I tried to read it. I would like to ask if there is any problem with the code I wrote. Below is my code, including the storage and retrieval

NSMutableDictionary *query = [[NSMutableDictionary alloc] initWithObjectsAndKeys:(id)kSecClassGenericPassword,(id)kSecClass,

                                  serviceID,(id)kSecAttrService,

                                  @YES,(id)kSecReturnData,nil];

    

    CFTypeRef dataTypeRef = NULL;

    NSLog(@"SecItemCopyMatching");

    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)(query), &dataTypeRef);

    NSLog(@"SecItemCopyMatching end status = %d",status);

    if (status == errSecSuccess) {

        

        *privateData = CFBridgingRelease(dataTypeRef);

        return 0;

        

    }else{

        

        return status;

        

    }

NSMutableDictionary *attributespri = [[NSMutableDictionary alloc] initWithObjectsAndKeys:

        (id)kSecClassGenericPassword, (id)kSecClass,

        serviceID,                   (id)kSecAttrService,

        outData,                     (id)kSecValueData,

    nil];



    CFTypeRef dataRef = NULL;

    OSStatus priStatus = SecItemAdd((__bridge CFDictionaryRef)attributespri, &dataRef);



    if (dataRef) CFRelease(dataRef);

    return priStatus == noErr;

Answered by DTS Engineer in 884212022

I’m gonna start you out with SecItem: Fundamentals. It explains how you should think about the keychain. Once you internalise that, a lot of its behaviour makes sense.

As to what’s going on here, it’s hard to say without more context. My first question is: What platform are you on?

This matters because, if you’re on the Mac, the keychain has a lot of additional complexity. TN3137 On Mac keychain APIs and implementations explains the details.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

1d

Recommended

I’m gonna start you out with SecItem: Fundamentals. It explains how you should think about the keychain. Once you internalise that, a lot of its behaviour makes sense.

As to what’s going on here, it’s hard to say without more context. My first question is: What platform are you on?

This matters because, if you’re on the Mac, the keychain has a lot of additional complexity. TN3137 On Mac keychain APIs and implementations explains the details.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

iceboy OP

11h

I am using the iOS platform. I would like to ask: when using kSecClassGenericPassword, is the kSecAttrAccount attribute required? I did not set kSecAttrAccount and kSecAttrAccessible when saving data on older iOS versions. Will this cause problems when querying Keychain items on iOS 26?

0

Answer 3

DTS Engineer OP

Apple

30m

I am using the iOS platform.

Cool.

iOS only has one keychain implementation, equivalent to the data protection keychain on macOS, and that simplifies your life.

I did not set kSecAttrAccount and kSecAttrAccessible when saving data on older iOS versions.

kSecAttrAccessible is unlikely to be the problem:

Your current code leaves out that attribute from the query and return dictionary you pass to SecItemCopyMatching. In that context a missing attribute is treated as wildcard, so it’ll make any item regardless of what it’s kSecAttrAccessible value is.
If the value is not present in the add dictionary you pass to SecItemAdd, the system will default to using no value for kSecAttrAccessible and, assuming there’s no kSecAttrAccessGroup attribute, it’ll place the item in your app’s default keychain access group. Sharing access to keychain items among a collection of apps explains how that’s calculate.

kSecAttrAccount is trickier. It’s a critical contributor to item uniqueness for generic password keychain items, along with kSecAttrService. If you’re managing a single keychain item then it’s best to set both of these to some hard-coded string. If you haven’t done that in the past then the values will actually end up being empty, which complicates matters.

To sort this out you need to know what exactly got recorded by previous versions of your code. I explain how to do that in the Lost Keychain Items and Lost Keychain Items, Redux sections of SecItem: Pitfalls and Best Practices. Alternatively, you can reset your keychain using the technique described in the Starting from Scratch section of that same post.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0