Getting prompt for accessing key in keychain even when access is allowed for all applications

Hi,

I am creating a simple command line tool that opens a connection to a URL using NWConnection API. The URL does client authentication and I need to present the client certificate to the server.

I have setup a protocol challenge block using sec_protocol_options_set_challenge_block and I present the sec_identity_t to the sec_protocol_verify_complete_t. However I always get a prompt that my application wants to access the private key in the keychain.

I have given all applications access to this item but I am still getting this prompt. The prompt appears specifically after I have called the sec_protocol_verify_complete_t.

    var identity: SecIdentity?
    // Pair the certificate with its private key from the keychain
    let status = SecIdentityCreateWithCertificate(nil, cert!, &identity)
    if (status == errSecSuccess) {
        print("got the identity")
        // Wrap the SecIdentity for the Security framework's TLS layer
        let secIdentity = sec_identity_create(identity!)
        challengeComplete(secIdentity) // <-- prompt happens after this
    }

Is this a bug, or is there a way to disable the prompt?

Thanks
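The setup described in the question, written out end to end as an added example (this is not the poster's code, and the keychain label "client-cert-label" and the host "example.com" are placeholders): the identity is looked up in the keychain with SecItemCopyMatching, wrapped with sec_identity_create, and handed to the server's certificate request from the challenge block installed with sec_protocol_options_set_challenge_block. Note that the challenge block only selects the identity; the keychain ACL that matters is the one on the private key, which is consulted when TLS signs the handshake with it, so any prompt surfaces after the completion call returns.

```swift
import Foundation
import Network
import Security

// Find a digital identity (certificate + private key) in the keychain by label.
// "client-cert-label" is an assumed placeholder, not a real item on anyone's machine.
func loadIdentity(label: String) -> SecIdentity? {
    let query: [CFString: Any] = [
        kSecClass: kSecClassIdentity,
        kSecAttrLabel: label,
        kSecReturnRef: true,
        kSecMatchLimit: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let found = item else {
        print("SecItemCopyMatching failed with status \(status)")
        return nil
    }
    // Defensive type check before casting the CF reference.
    guard CFGetTypeID(found) == SecIdentityGetTypeID() else {
        print("keychain returned an item that is not a SecIdentity")
        return nil
    }
    return (found as! SecIdentity)
}

// Build TLS options whose challenge block answers a client-certificate request.
func makeTLSOptions(identity: SecIdentity) -> NWProtocolTLS.Options? {
    let tls = NWProtocolTLS.Options()
    // Wrap the SecIdentity for the Security framework's TLS layer.
    guard let secIdentity = sec_identity_create(identity) else {
        print("sec_identity_create failed")
        return nil
    }
    sec_protocol_options_set_challenge_block(tls.securityProtocolOptions, { _, complete in
        // Invoked when the server sends a CertificateRequest. Handing over the
        // identity here does not touch the private key yet; the signature (and any
        // keychain ACL prompt for the key) happens after this completion returns.
        complete(secIdentity)
    }, DispatchQueue(label: "tls.challenge"))
    return tls
}

// Open a TLS connection that authenticates with the given identity.
func connect(host: String, port: UInt16, identity: SecIdentity) {
    guard let tls = makeTLSOptions(identity: identity),
          let nwPort = NWEndpoint.Port(rawValue: port) else {
        exit(1)
    }
    let params = NWParameters(tls: tls)
    let conn = NWConnection(host: NWEndpoint.Host(host), port: nwPort, using: params)
    conn.stateUpdateHandler = { state in
        switch state {
        case .ready:
            print("TLS handshake completed; client certificate accepted")
            conn.cancel()
        case .failed(let error):
            print("connection failed: \(error)")
            exit(1)
        case .cancelled:
            exit(0)
        default:
            break
        }
    }
    conn.start(queue: .main)
}

if let identity = loadIdentity(label: "client-cert-label") {
    // Placeholder host; replace with the mutual-TLS endpoint under test.
    connect(host: "example.com", port: 443, identity: identity)
    dispatchMain()
} else {
    exit(1)
}
```

Build it as a command-line tool signed with the same identity every time; as the later replies in this thread explain, whether the private-key access prompt appears depends on the key item's ACL and on the signing identity of the tool that uses it, not on anything in the challenge block.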

Creating the identity is one thing, accessing the keychain, priceless. Any access to the keychain will result in being prompted for credentials because it needs to unlock the keychain. This is also dependent on how access to the keychain was set up by the API performing the access.

https://developer.apple.com/documentation/security/certificate_key_and_trust_services

Hello MobileTen,

Thanks for your response. Is there a way to set this up such that the keychain access is not prompted and allowed automatically on a managed/supervised machine?

Is your command-line tool signed with a stable signing identity? That is, Apple Development or Developer ID Application?

Who added the digital identity to your keychain?

Which keychain is it in? The login keychain? Or the system keychain? Or something else?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello Quinn,

Thanks for your response. My command line tool was signed with my development certificate for testing; basically I built using Xcode and ran locally. But ultimately this code will be part of a launch daemon that is sent to Apple for notarisation as part of the package.

I imported a .p12 file into the keychain manually using the Keychain Access app and added it to the login keychain.

Regards, Dhananjay

I imported a .p12 file into the keychain manually using the Keychain Access app and added it to the login keychain.

I think you’re hitting the cross-team check that we added to the keychain in… oh… somewhere around the 10.9 timeframe. In short, a program from team A can’t access keychain items created by team B, or the system, without a security alert.

You should be able to get around this by adding the tool to the item’s ACL in Keychain Access.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello Quinn,

Thanks for following up on this. I tried two options in the Keychain Access App GUI for the private key of the certificate:

  1. Allow all applications to access this item
  2. Specifically added my tool to the list of "Always allow access by these applications"

I also tried using the -A option of the security import command, but that didn't help either.

Please let me know if the above is what you meant by adding the tool to the item's ACL in Keychain Access.

Hello Quinn,

Is there a way to automatically give my tool access to the private key in the keychain using Configuration profiles or something else on a managed device?

Regards,

Is there a way to automatically give my tool access to the private key in the keychain using Configuration profiles or something else on a managed device?

No, sadly. This is a much-requested feature, especially on iOS, but it’s never been implemented. I encourage you to file your own enhancement request for this, describing your specific requirements.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
