SecAccessControlCreateWithFlags `.or` & `.and`

Can someone please shed some light on the usage of the `.or` & `.and` flags? Though I am able to accomplish the intended result using `.userPresence`, I am trying to wrap my head around how to use `.or` & `.and`.


Can someone please provide an example on correct usages of these options?

I’ve found that a good way to get an understanding of the various `SecAccessControlCreateFlags` flags is to look at the groups on this page, namely:
  • Constraints
  • Conjunctions
  • Additional Options

The flags in the Constraints section define various criteria under which the keychain item can be accessed. The flags in the Conjunctions section allow you to combine those constraints in various ways. The flags in the Additional Options section are not related to the constraints system at all.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

can you provide an example of proper usage?


Below are a few combinations that I tried and received inconclusive results:


```swift
let flags = [...]
// The error out-parameter is an unmanaged CFError reference.
var error: Unmanaged<CFError>?
guard let access = SecAccessControlCreateWithFlags(nil,
                                                    kSecAttrAccessibleWhenUnlocked,
                                                    flags,
                                                    &error) else { return }
// ...
```



- DOES NOT WORK:
  - `[.userPresence, .or, .devicePasscode]`
  - `[.userPresence, .or, .applicationPassword]`
  - `[.devicePasscode, .or, .applicationPassword]` - requires both still
  - `[.biometryCurrentSet, .or, .applicationPassword]` - requires both still
- WORKS:
  - `[.biometryCurrentSet, .or, .devicePasscode]` - works as expected FaceID/TouchID first, devicePasscode if failed
  - `[.biometryCurrentSet, .devicePasscode]`
  - `[.devicePasscode, .applicationPassword]`


From what I was able to keep track of, it seems like the order doesn't matter? In the case:


let flags = [.devicePasscode, .or, .biometryCurrentSet]


It still asked me for FaceID before device passcode.
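An added example, not code from any poster in this thread or from Apple: it protects a generic-password keychain item with the `[.biometryCurrentSet, .or, .devicePasscode]` combination that the post above reports as working, where `.or` means at least one of the listed constraints must be satisfied. The service and account names, the `KeychainError` type and the function names are hypothetical.

```swift
import Foundation
import LocalAuthentication
import Security

enum KeychainError: Error { case accessControl(Error?), status(OSStatus), unexpectedData }

// Hypothetical identifiers for this example.
func baseQuery() -> [String: Any] {
    [kSecClass as String: kSecClassGenericPassword,
     kSecAttrService as String: "com.example.demo",
     kSecAttrAccount as String: "api-token"]
}

/// Constraint: current biometric enrolment OR the device passcode.
func makeAccessControl() throws -> SecAccessControl {
    let flags: SecAccessControlCreateFlags = [.biometryCurrentSet, .or, .devicePasscode]
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(nil,
                                                       kSecAttrAccessibleWhenUnlocked,
                                                       flags,
                                                       &error) else {
        // The CFError is returned retained, so take ownership of it here.
        throw KeychainError.accessControl(error?.takeRetainedValue())
    }
    return access
}

func store(_ secret: Data) throws {
    SecItemDelete(baseQuery() as CFDictionary)   // replace any earlier copy
    var attributes = baseQuery()
    // kSecAttrAccessControl carries the accessibility class too,
    // so kSecAttrAccessible must not be set alongside it.
    attributes[kSecAttrAccessControl as String] = try makeAccessControl()
    attributes[kSecValueData as String] = secret
    let status = SecItemAdd(attributes as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Reading the item triggers the authentication prompt.
func load(reason: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = reason
    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecUseAuthenticationContext as String] = context
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    guard let data = result as? Data else { throw KeychainError.unexpectedData }
    return data
}
```

Run this on a device with a passcode set; a cancelled or failed prompt surfaces as a non-success `OSStatus` from `load(reason:)`.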

can you provide an example of proper usage?

No, sorry. I haven’t yet had a chance to play with this in detail. If you want to drive this to a definitive conclusion, you should open a DTS tech support incident, which will allow me to spend a chunk of time researching this.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Quinn, did anything ever come out of this?

did anything ever come out of this?

Yep. I’m not sure whether it was from fbuentello, but at some point I did get an incident about this and I spent a bunch of time digging into the details.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
