Hello,
I am having trouble with changing the ACL for a private key item my app is saving to the system keychain. I want to restrict access to the key, so that only my app can use the private key and not all applications. Applications that try to access it, should be prompted for an administrator password.
When I save the item as a private key, I get:
What I want:
note (I put a random binary but obviously this should be my app)
I am using Rust bindings to the Security framework, but an answer in Swift would suffice. I am really stuck, so any help would be greatly appreciated.
```rust
// Imports added for context; the crate paths are assumed for the
// `security-framework` bindings. `mac::system_keychain`, `SERVICE`,
// `ACCESS_GROUP` and `label` come from the poster's own code.
use anyhow::anyhow;
use security_framework::item::{self, AddRef, ItemAddOptions, ItemAddValue, Location};
use security_framework::key::{GenerateKeyOptions, KeyType, SecKey, Token};

// Generate a software (non-Secure-Enclave) EC private key.
let key_options = GenerateKeyOptions::default()
    .set_key_type(KeyType::ec())
    .set_token(Token::Software)
    .to_dictionary();
let key = SecKey::generate(key_options)
    .map_err(|e| anyhow!("Could not generate a private key: {}", e))?;

// Store the key reference as an item in the System keychain.
let sys_keychain = mac::system_keychain()?;
let value = ItemAddValue::Ref(AddRef::Key(key.clone()));
let options = ItemAddOptions::new(value)
    .set_label(format!("{}.{}", SERVICE, label))
    .set_location(Location::FileKeychain(sys_keychain))
    .set_access_group(ACCESS_GROUP)
    .to_dictionary();
item::add_item(options)
    .map_err(|e| anyhow!("Failed to add key item to keychain: {}", e))?;
```
Changing a key’s ACL is generally a losing proposition because, by default, it requires user interaction [1]. The only viable option is to create the key with the correct ACL in the first place.
I think you can do that by generating the key with SecKeyCreateRandomKey and supplying a SecAccess object via kSecAttrAccess.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] If it didn’t, there’d be nothing stopping another program from changing the ACL and then accessing the key.
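The approach described in the reply, as an added Swift example that is not part of the original thread and not Apple's own sample code: build a SecAccess whose trusted-application list contains only the calling app, then pass it as kSecAttrAccess when the key is created with SecKeyCreateRandomKey, so the ACL is in place from the start and no later (interactive) ACL change is needed. The `createAppRestrictedKey` function, the `KeyError` type, the `label`/`tag` parameters and the placement of kSecAttrAccess inside kSecPrivateKeyAttrs are this example's own assumptions.

```swift
import Foundation
import Security

enum KeyError: Error {
    case security(OSStatus, String)   // OSStatus plus the call that returned it
}

/// Creates a permanent EC-256 private key in the System keychain whose ACL
/// trusts only the calling application. Other applications that try to use
/// the key fall back to the keychain's access-control prompt instead of
/// getting silent access. Returns the SecKey or throws on failure.
func createAppRestrictedKey(label: String, tag: String) throws -> SecKey {
    var status: OSStatus

    // Trusted-application entry for the running program. A nil path means
    // "the calling application", so no binary path has to be hard-coded.
    var trustedApp: SecTrustedApplication?
    status = SecTrustedApplicationCreateFromPath(nil, &trustedApp)
    guard status == errSecSuccess, let app = trustedApp else {
        throw KeyError.security(status, "SecTrustedApplicationCreateFromPath")
    }

    // SecAccess whose default ACL entries list only this app as trusted.
    var access: SecAccess?
    status = SecAccessCreate(label as CFString, [app] as CFArray, &access)
    guard status == errSecSuccess, let keyAccess = access else {
        throw KeyError.security(status, "SecAccessCreate")
    }

    // Open the System keychain so the key lands there rather than in login.
    var systemKeychain: SecKeychain?
    status = SecKeychainOpen("/Library/Keychains/System.keychain", &systemKeychain)
    guard status == errSecSuccess, let keychain = systemKeychain else {
        throw KeyError.security(status, "SecKeychainOpen")
    }

    // The ACL is supplied at creation time via kSecAttrAccess (assumed to be
    // placed in the private-key attributes for a file-based keychain).
    let privateAttrs: [CFString: Any] = [
        kSecAttrIsPermanent: true,
        kSecAttrApplicationTag: Data(tag.utf8),
        kSecAttrAccess: keyAccess,
    ]
    let attrs: [CFString: Any] = [
        kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits: 256,
        kSecAttrLabel: label,
        kSecUseKeychain: keychain,
        kSecPrivateKeyAttrs: privateAttrs,
    ]

    var error: Unmanaged<CFError>?
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &error) else {
        throw error!.takeRetainedValue()
    }
    return key
}

// Usage (writing to the System keychain requires appropriate privileges):
// let key = try createAppRestrictedKey(label: "com.example.myapp.signing",
//                                      tag: "com.example.myapp.signing")
```

The point of doing it this way is the one the reply makes: because the ACL is attached while the key is being generated, the process never needs to modify an existing item's ACL, which is the step that triggers user interaction and which another program could otherwise attempt on the app's behalf.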