Issues related to slow keychain access.

Question

Zning OP

Created Sep ’24

Replies 2

Boosts 0

Participants 2

Hello Apple Developer,

I have some questions regarding slow keychain access. We recently launched a product, and users with certain specific device models have reported slow performance. I'm not sure what's causing this issue and would appreciate your help in analyzing it.When using keychain groups, I didn’t specify a group, and on some devices, the queries are particularly slow. I'm unsure of the reason for this.I’m using kSecAttrTokenIDSecureEnclave, and each time I execute SecItemCopyMatching or SecItemDelete, the operation is particularly slow, taking around 2 seconds.It’s strange that when setting the default keychain group (team ID + bundle ID), the access is not slow. However, since the project has enabled the keychain group, if I set a keychain group, I cannot access the data that was stored before setting the keychain group.

Here is a snippet of my code:

    NSMutableDictionary *parameters = [[NSMutableDictionary alloc] initWithObjectsAndKeys:(__bridge id)kSecAttrTokenIDSecureEnclave,(__bridge id)kSecAttrTokenID,
                                   (__bridge id)kSecAttrKeyTypeEC,(__bridge id)kSecAttrKeyType,
                                   @256,(__bridge id)kSecAttrKeySizeInBits,
                                   PrivateKeyAttrs,(__bridge id)kSecPrivateKeyAttrs,nil];


privateKey = SecKeyCreateRandomKey((__bridge CFDictionaryRef)parameters, &error);

Here is a search of my code:

SecKeyRef privateKey = NULL;
//CFTypeRef *private = &privateKey;
NSDictionary *query = nil;

query = @{
    (__bridge id)kSecClass: (__bridge id)kSecClassKey,
    (__bridge id)kSecAttrApplicationTag: serviceID,
    (__bridge id)kSecReturnRef: @YES
};

OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&privateKey);

if (privateKey) {
    
    CFRelease(privateKey);
    
}

Boost

Answer 1

DTS Engineer OP

Apple

4w

That’s a weird collection of symptoms. There are some cases where keychain access can be gated on user activity — for example, the user needs to authorise the access with Face ID — but I’m not aware of any case where it’d take a few seconds and then work without user intervention.

I have a post, Investigating hard-to-reproduce keychain problems, that explains my overall strategy for investigating problems like this. In this case, the sysdiagnose log should include a spin dump which might give you some idea as to what’s going wrong.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

DTS Engineer OP

Apple

4w

Please reply as a reply. If you reply in the comments, I may not see it. See Quinn’s Top Ten DevForums Tips for this and more titbits.

I find it strange that the issue only appeared on a few devices, not on all of them.

That sort of thing is not super common, but it’s also not unheard of. There’s something odd about the state of the keychain on those devices. That’s why I went to the the trouble of writing up Investigating hard-to-reproduce keychain problems.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0