All geek questions in one place

IOS keychain - errSecItemNotFound with iOS 9.2 beta 3

I use a keychain to store sensitive data.

Since iOS 9.2 beta 3, I can not get sensitive data created from a previous version of iOS (e.g. iOS 9.1). I have an errSecItemNotFound error when using SecItemCopyMatching. No problem with iOS 9.1 (neither iOS 9.2 beta 2 nor iOS 7.x / 8.x / 9.0).

Very strange: my source code creates new sensitive data if it does not exist, so with iOS 9.2 beta 3 I have new sensitive data, but if I return to iOS 9.1, I get old sensitive data, etc. when returning to iOS 9.2 beta 3 ... Since I'm using the same request, it seems like the keyring is duplicated ...

Here is my code for adding sensitive data:

NSMutableDictionary *symmetricKeyAttr = [NSMutableDictionary dictionary]; [symmetricKeyAttr setObject:(__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly forKey:(__bridge id)kSecAttrAccessible]; [symmetricKeyAttr setObject:(__bridge id)kSecClassKey forKey:(__bridge id)kSecClass]; [symmetricKeyAttr setObject:[NSNumber numberWithUnsignedInt:CSSM_ALGID_AES] forKey:(__bridge id)kSecAttrKeyType]; [symmetricKeyAttr setObject:[NSNumber numberWithUnsignedInt:(unsigned int)(kChosenCipherKeySize << 3)] forKey:(__bridge id)kSecAttrKeySizeInBits]; [symmetricKeyAttr setObject:[NSNumber numberWithUnsignedInt:(unsigned int)(kChosenCipherKeySize << 3)] forKey:(__bridge id)kSecAttrEffectiveKeySize]; [symmetricKeyAttr setObject:(id)kCFBooleanTrue forKey:(__bridge id)kSecAttrCanEncrypt]; [symmetricKeyAttr setObject:(id)kCFBooleanTrue forKey:(__bridge id)kSecAttrCanDecrypt]; [symmetricKeyAttr setObject:(id)kCFBooleanFalse forKey:(__bridge id)kSecAttrCanDerive]; [symmetricKeyAttr setObject:(id)kCFBooleanFalse forKey:(__bridge id)kSecAttrCanSign]; [symmetricKeyAttr setObject:(id)kCFBooleanFalse forKey:(__bridge id)kSecAttrCanVerify]; [symmetricKeyAttr setObject:(id)kCFBooleanFalse forKey:(__bridge id)kSecAttrCanWrap]; [symmetricKeyAttr setObject:(id)kCFBooleanFalse forKey:(__bridge id)kSecAttrCanUnwrap]; [symmetricKeyAttr setObject:accessGroup forKey:(__bridge id)kSecAttrAccessGroup]; [symmetricKeyAttr setObject:applicationTag forKey:(__bridge id)kSecAttrApplicationTag]; [symmetricKeyAttr setObject:sensitiveData forKey:(__bridge id)kSecValueData]; OSStatus sanityCheck = SecItemAdd((__bridge CFDictionaryRef) symmetricKeyAttr, NULL);

Here is my code for getting sensitive data:

 NSMutableDictionary * querySymmetricKey = [NSMutableDictionary dictionary]; [querySymmetricKey setObject:(__bridge id)kSecClassKey forKey:(__bridge id)kSecClass]; [querySymmetricKey setObject:[NSNumber numberWithUnsignedInt:CSSM_ALGID_AES] forKey:(__bridge id)kSecAttrKeyType]; [querySymmetricKey setObject:[NSNumber numberWithBool:YES] forKey:(__bridge id)kSecReturnData]; [querySymmetricKey setObject:applicationTag forKey:(__bridge id)kSecAttrApplicationTag]; [querySymmetricKey setObject:accessGroup forKey:(__bridge id)kSecAttrAccessGroup]; CFDataRef symmetricKeyDataRef = NULL; OSStatus sanityCheck = SecItemCopyMatching((__bridge CFDictionaryRef)querySymmetricKey, (CFTypeRef *)&symmetricKeyDataRef);

Where:

  • sensitiveData is sensitive data for storage (e.g. <ac746cc2 80f72948 59d0d8b7 a5de4bad 5d9e9eb1 a400fba3 c85f3f2e 675d58bf>)
  • accessGroup is a concatenation of the command identifier and the application
  • identifier (e.g. XXXXXXXXXX.com.toto.tata) applicationTag is a tag associated with reasonable data (e.g. <746F746F>)

Additional items:

  • The problem occurs only with 64-bit devices, without problems with 32-bit devices.
  • Replacing CSSM_ALGID_AES with CSSM_ALGID_NONE solves the problem (i.e. data created using iOS 9.1 can be loaded correctly using iOS 9.2 beta 3), but this is unacceptable because I must be able to read data created on iOS 9.1. using CSSM_ALGID_AES.
  • The problem is not related to kSecAttrAccessGroup: I still have a problem when I delete this property.
  • I "reproduced" the problem with the sample from Apple ( https://developer.apple.com/library/ios/samplecode/CryptoExercise ). This example also uses CSSM_ALGID_AES, not kSecAttrAccessGroup. Using a 64-bit device: a key created with iOS 9.1 (<bdd17fe1 f515e2b1 14de7c43 c4cb6a70>) was found with iOS 9.2 beta 3 but has a different value (<73b205e2 46230f69 fa0f347c 2958e6b1>) !! Using a 32-bit device: the key is the same between iOS 9.1 and iOS 9.2 beta 3.

Notes:

  • I already posted this question on the Apple forum, but did not answer from Apple ... https://forums.developer.apple.com/message/87080
  • I switch between iOS 9.1 and 9.2 beta 3 using IPSW files without restoring the backup, but I have the same problem if I back up.

Any idea?

+5
source share
1 answer

I have the same problem with official iOS9.2, I can play it on any device tested with iPhone 6, iPhone 5S and iPad Pro.

No problem on the iPhone 4S and iPad mini, I checked it with every device.

0
source

Source: https://habr.com/ru/post/1235887/

More articles:


All Articles