kSecAttrAccessGroup and kSecAttrAccessGroupToken

Hi, team. So, I'm working on reading certificates from the keychain that have been stored or saved by other apps into it. I understand that kSecAttrAccessGroupToken allows us to achieve that. It is a requirement to use the com.apple.token group in the entitlements file. Having done that, I cannot store SecCertificates into the keychain, and into the security group. I can do it without the security group, but after adding kSecAttrAccessGroup: kSecAttrAccessGroupToken to the dictionary, I can no longer add certificates. I get the famous -34018, "No entitlement found". However, when I try to read certificates in the same access group, I do not get a -34018 error back. I instead get a -25300, which I understand means no keychain item was found in this access group. How can this be happening? For reading, the entitlement works; for writing, it does not.

Here are my queries:

For adding:

import Security

// secCertificate (a SecCertificate) and certificateName (a String) are set elsewhere.
let addQuery = [
    kSecClass: kSecClassCertificate,
    kSecValueRef: secCertificate as Any,
    kSecAttrLabel: certificateName,
    kSecAttrAccessGroup: kSecAttrAccessGroupToken
] as [CFString: Any]
let status = SecItemAdd(addQuery as CFDictionary, nil)

For reading:

var item: CFTypeRef?
let query = [
    kSecClass: kSecClassCertificate,
    kSecMatchLimit: kSecMatchLimitAll,
    kSecReturnRef: kCFBooleanTrue as Any,
    kSecAttrAccessGroup: kSecAttrAccessGroupToken
] as [CFString: Any]
let status = SecItemCopyMatching(query as CFDictionary, &item)

I'm working on reading certificates from the keychain that have been stored or saved by other apps into it.

I need more background before I can assess whether your goal is feasible. First, what platform is this on? This matters because the keychain access model can be very different on macOS. See TN3137 On Mac keychain APIs and implementations. OTOH, if this is iOS or one of its child platforms, things are much simpler.

Second, does “by other apps” mean “other apps created by my team”? Or something else?

Finally, you’ve tagged your thread with CryptoTokenKit, which suggests you’re interested in using hardware tokens. Is that right?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi, Quinn. Thank you very much for your answer. This is for iOS, and for other apps created by anyone. So, the requirement of my app is that users be able to use the certificates they have already added from another app into the keychain. Currently we support adding certificates into our app, but those certificates are installed through a configuration profile. We want to make it easier by using the keychain. Some users have their proprietary app that fetches the certificate from the network or from the disk, and could have that stored into the keychain. Then, they would go to our app, find that the certificates show up in the keychain, and could start using them in our app. We thought using the security group com.apple.token would achieve that. Right? We are working on a POC, and verifying this capability.

I was not aware there are different kinds of tokens, as in hardware tokens.

Thank you.

Oh, and about CryptoTokenKit. You are right. I confusedly added it here. Sorry. We always talk about CryptoTokenKit in my team, because we also plan to add support for reading tokens from smart cards or USB keys. This question in particular is not really about CryptoTokenKit. I will try to edit the question and remove the tag.

Oh, and about CryptoTokenKit. You are right

Cool. And no worries. I removed the tag to make that clear.

This is for iOS, and for other apps created by anyone.

That’s not going to work. In general, iOS only allows unmediated data exchange between apps from the same team.

We thought using the security group com.apple.token would achieve that. Right?

No. That’s not a real keychain access group. Rather, it’s the group in which credentials from a hardware token show up [1]. You won’t be able to use that for unmediated data exchange between unrelated apps [2].

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Hence my desire to clarify the CryptoTokenKit question.

[2] Well I hope not. If you get this working let me know and I’ll file a bug about that security vulnerability (-:
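The mechanism Quinn points to for same-team sharing is a real keychain access group listed under the keychain-access-groups entitlement of every participating app, prefixed with the team ID. The following is an added example, not code from this thread, showing the add and read queries from the original post rewritten against such a group, with the two status codes the poster hit (-34018 and -25300) mapped to their Security framework constants; the group name and the DER bytes are placeholders.

```swift
import Foundation
import Security

// Placeholder: a team-shared access group. Each app that should see these
// items must list it in its entitlements under keychain-access-groups,
// e.g. "ABCDE12345.com.example.shared-certs" (team ID prefix is mandatory).
let sharedAccessGroup = "ABCDE12345.com.example.shared-certs"

enum CertLookup {
    case found([SecCertificate])
    case missingEntitlement   // errSecMissingEntitlement, -34018
    case notFound             // errSecItemNotFound, -25300
    case failed(OSStatus)
}

// Adds a certificate to the shared group; same shape as the poster's query,
// but with a group this app is actually entitled to write into.
func addCertificate(_ cert: SecCertificate, label: String, group: String) -> OSStatus {
    let query: [CFString: Any] = [
        kSecClass: kSecClassCertificate,
        kSecValueRef: cert,
        kSecAttrLabel: label,
        kSecAttrAccessGroup: group,
    ]
    return SecItemAdd(query as CFDictionary, nil)
}

// Reads every certificate visible in the group and classifies the outcome,
// so an entitlement problem is not mistaken for "no certificates yet".
func copyCertificates(group: String) -> CertLookup {
    let query: [CFString: Any] = [
        kSecClass: kSecClassCertificate,
        kSecMatchLimit: kSecMatchLimitAll,
        kSecReturnRef: true,
        kSecAttrAccessGroup: group,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:            return .found(result as? [SecCertificate] ?? [])
    case errSecMissingEntitlement: return .missingEntitlement
    case errSecItemNotFound:       return .notFound
    default:                       return .failed(status)
    }
}

// Constructed sample input: replace with real DER bytes of a certificate.
let derBytes = Data([0x30, 0x82, 0x01, 0x00]) // placeholder, not a valid cert
if let cert = SecCertificateCreateWithData(nil, derBytes as CFData) {
    let addStatus = addCertificate(cert, label: "shared-cert", group: sharedAccessGroup)
    print("add status:", addStatus, "lookup:", copyCertificates(group: sharedAccessGroup))
}
```

An app outside the team cannot list that group in its entitlements, so it gets -34018 rather than the items, which is the boundary Quinn describes.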
