Posts

Post not yet marked as solved
6 Replies
@eskimo, I have already filed a bug with bug number FB13678215, but I am not hearing anything back there. Please suggest the next steps.
Post not yet marked as solved
3 Replies
Hi @eskimo, please refer to this: https://developer.apple.com/forums/thread/747963?login=true&page=1#784413022
Post not yet marked as solved
6 Replies
@eskimo, any updates on this?
Post not yet marked as solved
6 Replies
@eskimo, we could see this issue with older iOS versions too, whenever the below tunnel provider configuration is saved to NETunnelProviderManager preferences before calling startTunnelWithOptions:

    tunnelProvider.protocolConfiguration.includeAllNetworks = NO;
    tunnelProvider.protocolConfiguration.excludeLocalNetworks = NO;
    tunnelProvider.protocolConfiguration.enforceRoutes = YES;

Issue: when we try to access the excludedRoutes IPs [10.168.10.182 and 192.168.10.65], the traffic is getting tunnelled. Because of that, a few of our APIs are sending failures and we are unable to connect to the VPN.

Expected Results: excludedRoutes IPs should go via the physical interface.

STEPS TO REPRODUCE

1. Configure the VPN packet tunnel provider config as mentioned above and add some IPs in excludeRoutes
2. Save the configuration to NETunnelProviderManager preferences using “saveToPreferencesWithCompletionHandler”
3. Try to connect to VPN
4. Denied resources are tunneled via VA

NOTE: This behavior is not seen with split tunnel endpoint routes, where the tunnel provider configuration is:

    tunnelProvider.protocolConfiguration.includeAllNetworks = NO;
    tunnelProvider.protocolConfiguration.excludeLocalNetworks = YES;
    tunnelProvider.protocolConfiguration.enforceRoutes = NO;

Hope this clarifies the issue, @eskimo.
Post not yet marked as solved
7 Replies
Thanks @eskimo for clarifying this.

@eskimo, please, one more quick question. I am trying to restrict my search to only the system keychain using kSecMatchSearchList, which requires an array of SecKeychainRef. Now, to retrieve the SecKeychainRef of the system keychain (/Library/Keychains/System.keychain), all of the APIs are deprecated. Could you please provide sample code with non-deprecated APIs to retrieve the SecKeychainRef of the system keychain?

    SecKeychainOpen("/Library/Keychains/System.keychain", &keychain);
    SecKeychainCopyDomainSearchList(kSecPreferencesDomainSystem, &keychain);
Post not yet marked as solved
7 Replies
@eskimo, not in the context of the previous question, my question is: to use attributes like kSecMatchSearchList and kSecUseKeychain, how do I fetch the right keychain reference (be it system or login)? All the APIs to achieve that (SecKeychainCopyDomainSearchList, SecKeychainGetPath, SecKeychainOpen) seem to be deprecated.

Also, in the document TN3137, it's mentioned: "Queries, like those done using SecItemCopyMatching, consult all keychains in the search list. Use kSecMatchSearchList to override this." Just to clarify on this: does that mean it targets all the keychains present in your system, or by search list does it mean there is a search list we provide in the SecItemCopyMatching dictionary?

@eskimo, please clarify the above queries. It will be of big help.
Post not yet marked as solved
3 Replies
Thanks @eskimo for the valuable links. I went through them. But as I have mentioned, my query is: when I remove the kSecAttrProtocol constraint, I get the below output as one of the attributes in the result ref.

    kSecAttrProtocol : htpx

But when I add that in the constraint, I receive item not found.

    NSString *account = @"user";
    NSString *server = @"w.x.y.z";
    SecProtocolType protocol = kSecProtocolTypeHTTPProxy;

    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassInternetPassword,
        (__bridge id)kSecAttrAccount: account,
        (__bridge id)kSecAttrServer: server,
        (__bridge id)kSecAttrProtocol: @(protocol),
        (__bridge id)kSecReturnAttributes: (__bridge id)kCFBooleanTrue,
        (__bridge id)kSecReturnData: (__bridge id)kCFBooleanFalse,
        (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne
    };

    CFDictionaryRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&result);
    if (status == errSecSuccess) {
        NSDictionary *passwordItem = CFBridgingRelease(result);
        NSLog(@"Internet Password Item Found:");
    } else if (status == errSecItemNotFound) {
        NSLog(@"Internet Password Item Not Found");
    } else {
        NSLog(@"Error retrieving Internet password: %d (%@)", (int)status, CFBridgingRelease(SecCopyErrorMessageString(status, NULL)));
    }
Post not yet marked as solved
3 Replies
@eskimo, I need an individual certificate trust status. How can I get that?
Post not yet marked as solved
7 Replies
@eskimo, thank you for the information. One more quick question: in the above documentation, it is mentioned that

    File-based keychains are stored, as the name suggests, in files. Every context has a keychain search list and a default keychain. In a user context the search list includes a per-user login keychain and a single System keychain, with the former being the default. In the system context the search list includes just the System keychain, which is also the default keychain.

    When using the SecItem API to target the file-based keychain:

    - SecItemAdd adds the item to the default keychain. Use kSecUseKeychain to override this.
    - Queries, like those done using SecItemCopyMatching, consult all keychains in the search list. Use kSecMatchSearchList to override this.

So, to use attributes like kSecMatchSearchList and kSecUseKeychain, how do I fetch the right keychain reference (be it system or login)?

Thanks in advance.
Post not yet marked as solved
3 Replies
@eskimo, I went through TN3137 "On Mac keychain APIs and implementations". I could not completely understand the difference between the file-based keychain and the data protection keychain. Could you please help?
Post not yet marked as solved
1 Replies
I misread the link I shared. Bundle.main.appStoreReceiptURL?.lastPathComponent == "sandboxReceipt" returns true for both the debug build and the TestFlight build, but returns false for the App Store build. Thanks!