Use kSecAttrAccessControl to only protect the private key in a SecIdentityRef

I am trying to use SecPKCS12Import to retrieve a SecIdentityRef from a PKCS#12 blob and store the SecCertificateRef and SecKeyRef into the keychain separately, so that I can use kSecAttrAccessControl to protect only the private key with Touch ID. The same code works on iOS, but not on Mac.

The problem is that SecPKCS12Import has already saved the identity into the keychain. I tried to delete the stored identity; however, no matter whether I use SecItemDelete with a transient reference or a persistent reference of the identity, or delete both the SecCertificateRef and the SecKeyRef, the record is deleted from Keychain -> My Certificates and Keychain -> Keys, but the certificate is always left in Keychain -> Certificates. If I use SecItemAdd to add the certificate back, I get errSecDuplicateItem; using SecItemCopyMatching or SecItemDelete, I get errSecItemNotFound. The strange part is, even when I open the Keychain app to manually delete the cert, I get an error prompt saying the item to delete was not found, but after that, the cert disappears from Keychain -> Certificates.

Since I cannot delete the identity and then add it back with access control attributes, I tried to use SecItemImport to avoid saving the identity into the keychain. However, this API only returns a list of SecCertificateRef instead of SecIdentityRef. I found a similar issue discussed on https://forums.developer.apple.com/thread/31711

Is there any way to retrieve the identity from a PKCS#12 blob and make kSecAttrAccessControl protect the private key only?

Replies

Have you tried calling SecItemUpdate to change the kSecAttrAccessControl value on the private key item?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I tried SecItemUpdate, which doesn't return an error, but also doesn't have any effect on the key item, since using SecItemCopyMatching to retrieve the identity or key, or using the key for signing, doesn't prompt for Touch ID or a password. I can also see the key in Keychain -> Keys. But if I use SecKeyGeneratePair with kSecAttrAccessControl to generate a key pair, I don't see the key in Keychain -> Keys.

  • Did you find a solution for this please? Currently facing the same issue with a SecKeychainItemRef


I see that you’ve raised this question via other channels, so I’m going to bow out here.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Currently facing the same issue with a SecKeychainItemRef

A SecKeychainItemRef means you’re using the legacy keychain API, which can only talk to the file-based keychain, which doesn’t support this type of access control.

If you’re unfamiliar with the various keychain APIs and implementations on the Mac, see On Mac Keychains.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
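Putting the two pointers from this thread together (put the kSecAttrAccessControl on the private key item only, and do it in the data-protection keychain, since the file-based keychain cannot hold it), here is an added Swift example that is not from any post above: it imports the PKCS#12, then stores the key and the certificate as two separate items in the data-protection keychain, with the access control on the key alone. It assumes macOS 10.15 or later (for kSecUseDataProtectionKeychain) and an extractable key; the function and error names are my own.

```swift
import Foundation
import Security
enum IdentityImportError: Error { case status(OSStatus), noIdentity, accessControl }
/// Imports a PKCS#12 blob and stores its certificate and private key as two separate
/// items in the macOS data-protection keychain, with kSecAttrAccessControl on the key only.
/// Assumes macOS 10.15+ (kSecUseDataProtectionKeychain) and an extractable key.
func importIdentityProtectingPrivateKey(p12: Data, passphrase: String, label: String) throws {
    // 1. Parse the container. On macOS this also lands the identity in the file-based
    //    keychain; that copy cannot carry an access control, so it is not what we use.
    var items: CFArray?
    let opts = [kSecImportExportPassphrase as String: passphrase] as CFDictionary
    let status = SecPKCS12Import(p12 as CFData, opts, &items)
    guard status == errSecSuccess else { throw IdentityImportError.status(status) }
    guard let first = (items as? [[String: Any]])?.first,
          let identityAny = first[kSecImportItemIdentity as String] else {
        throw IdentityImportError.noIdentity
    }
    let identity = identityAny as! SecIdentity
    var cert: SecCertificate?
    var key: SecKey?
    guard SecIdentityCopyCertificate(identity, &cert) == errSecSuccess,
          SecIdentityCopyPrivateKey(identity, &key) == errSecSuccess,
          let certificate = cert, let privateKey = key else { throw IdentityImportError.noIdentity }
    // 2. Access control bound to the currently enrolled biometrics (re-enrolment invalidates it).
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly, .biometryCurrentSet, &cfError) else {
        throw IdentityImportError.accessControl
    }
    // 3. Store the private key with the access control. kSecUseDataProtectionKeychain must be
    //    set explicitly on macOS, otherwise the item goes to the file-based keychain again.
    var addStatus = SecItemAdd([
        kSecClass as String: kSecClassKey,
        kSecValueRef as String: privateKey,
        kSecAttrLabel as String: label,
        kSecAttrAccessControl as String: access,
        kSecUseDataProtectionKeychain as String: true,
    ] as CFDictionary, nil)
    guard addStatus == errSecSuccess else { throw IdentityImportError.status(addStatus) }
    // 4. Store the certificate as a plain item with no access control. The keychain pairs the two
    //    by public key hash, so a kSecClassIdentity query with this label returns the identity.
    addStatus = SecItemAdd([
        kSecClass as String: kSecClassCertificate,
        kSecValueRef as String: certificate,
        kSecAttrLabel as String: label,
        kSecUseDataProtectionKeychain as String: true,
    ] as CFDictionary, nil)
    guard addStatus == errSecSuccess else { throw IdentityImportError.status(addStatus) }
}
```

Signing with the private key of the identity looked up this way prompts for Touch ID, while the certificate item stays readable without a prompt.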