errSecMDSError (-67674) in NetworkExtension while trying to read password from the Keychain (macOS)

I'm trying to pass a password for connecting to a VPN using a sandboxed System NetworkExtension (with the packet tunnel capability on the debug build, or packet-tunnel-provider-systemextension on the release build signed with a Developer ID). When the system extension tries to read it from the keychain, SecItemCopyMatching returns errSecMDSError (-67674).

What could be the cause of the System NetworkExtension being unable to read the password from a reference?

macOS Catalina 10.15.7
The app is sandboxed.
The system extension containing the network extension is sandboxed (outgoing connections are enabled on both the app and the extension). It has the packet-tunnel-provider entitlement.

Replies

It looks like when I try to write to the Keychain from the extension, I get the same error on write.
If you read your password from the container app and send it over the bridge to your provider in startTunnelWithOptions, does this improve your situation?


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Can you please explain what you mean by "the bridge"?

I've found your message from a week ago, which suggests that a system extension can't read a value from the keychain if it was written there by an app. So essentially there is no way to just pass a persistent reference of a keychain entry from the app to the sysex?

What do you think about such sequence:
  1. Send the password from the app to the system extension via sendProviderMessage -> handleAppMessage

  2. Save it to the keychain from the system extension itself and keep using it in the system extension

  3. Profit :)

One of the reasons it should be persisted is that the system extension may be used not only by the app itself but also by the system. For example, when the connection was dropped, or the system went to sleep and came back, it asks the extension to reconnect to the VPN automatically, without the app's intervention. At that point the extension has to get the password from somewhere by itself.
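The three-step flow proposed above, written out as an added Swift sketch. This is not code from this thread or from Apple; the message format (a JSON body with a "password" key), the service and account names, and the use of kSecUseDataProtectionKeychain are all assumptions made for the example, and whether that keychain flag avoids the errors reported in the thread is not something the thread establishes. The provider also accepts the password in the startTunnel options, which is the startTunnelWithOptions route mentioned in the reply above, and falls back to its own keychain item when the system restarts the tunnel without the app.

```swift
import Foundation
import NetworkExtension
import Security

// Constructed wire format for the app -> provider message (assumption).
struct CredentialMessage: Codable { let password: String }

// Keychain helpers usable from either process. Service/account names are placeholders.
enum KeychainStore {
    static let service = "com.example.vpn"   // placeholder identifier
    static let account = "vpn-password"      // placeholder identifier

    // kSecUseDataProtectionKeychain selects the data protection keychain on macOS 10.15+,
    // which needs a keychain-access-groups entitlement. Using it here is an assumption
    // of this example, not a conclusion drawn from the thread.
    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account,
         kSecUseDataProtectionKeychain as String: true]
    }

    // Step 2: the extension writes the item under its own identity.
    static func save(_ password: String) -> OSStatus {
        var query = baseQuery
        query[kSecValueData as String] = Data(password.utf8)
        // Remove any previous copy so a repeated save does not fail with errSecDuplicateItem.
        _ = SecItemDelete(baseQuery as CFDictionary)
        return SecItemAdd(query as CFDictionary, nil)
    }

    static func load() -> String? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess, let data = result as? Data else {
            NSLog("SecItemCopyMatching failed with OSStatus \(status)")
            return nil
        }
        return String(decoding: data, as: UTF8.self)
    }
}

// App side, step 1: push the password to the running provider over the session.
func sendPassword(_ password: String, to manager: NETunnelProviderManager) throws {
    guard let session = manager.connection as? NETunnelProviderSession else { return }
    let body = try JSONEncoder().encode(CredentialMessage(password: password))
    try session.sendProviderMessage(body) { reply in
        // reply is whatever handleAppMessage hands to its completionHandler.
        NSLog("provider replied: \(reply.map { String(decoding: $0, as: UTF8.self) } ?? "nil")")
    }
}

// Extension side: receive, persist, and reuse the password on system-initiated restarts.
class PacketTunnelProvider: NEPacketTunnelProvider {
    override func handleAppMessage(_ messageData: Data, completionHandler: ((Data?) -> Void)?) {
        guard let msg = try? JSONDecoder().decode(CredentialMessage.self, from: messageData) else {
            completionHandler?(nil)
            return
        }
        let status = KeychainStore.save(msg.password)
        // Report the OSStatus back so the app can see a keychain write failure.
        completionHandler?(Data("\(status)".utf8))
    }

    override func startTunnel(options: [String: NSObject]?, completionHandler: @escaping (Error?) -> Void) {
        // App-initiated start: the app may pass the password in the startVPNTunnel options
        // (key name is an assumption of this example). System-initiated restarts (sleep/wake,
        // dropped link) carry no such option, so fall back to the extension's own keychain item.
        let password = (options?["password"] as? String) ?? KeychainStore.load()
        guard let secret = password else {
            completionHandler(NEVPNError(.configurationInvalid))
            return
        }
        if options?["password"] != nil {
            _ = KeychainStore.save(secret)   // keep a copy for the next unattended reconnect
        }
        // Hand `secret` to the VPN protocol implementation, then set up network settings.
        completionHandler(nil)
    }
}
```

The app only ever sends the value itself, never a persistent reference, which matches the reply above that the extension cannot read items the container app saved. A non-zero OSStatus returned through the completion handler is the quickest way to see from the app whether the extension's own write (step 2) is succeeding.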

Can you please explain what you mean by "the bridge"?

Right, this is jargon that I should avoid using. Essentially, I meant when the container app communicates with the packet tunnel provider over XPC with a method like startTunnelWithOptions, or, as you mentioned, through sendProviderMessage and handleAppMessage.

I've found your message from a week ago, which suggests that a system extension can't read a value from the keychain if it was written there by an app.

Right, a Network System Extension cannot read Keychain items saved by the container app. In the case of a value-based password, I am suggesting a workflow with startTunnelWithOptions similar to the one you are suggesting in items 1 and 2 below.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
I have tried that, and when the extension wants to write to the keychain, it always gets error 100001. A little more info and a code example are in another thread: https://developer.apple.com/forums/thread/672456?login=true&page=1#660300022