errSecInvalidOwnerEdit returned from SecItemDelete

I have an app I'm working on that stores an item in the keychain. Everything was working fine. I have a button in the UI that allows the user to clear out the keychain item:


#import <Security/Security.h>

// Identify the generic-password item this app created earlier.
NSDictionary *query = @{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
                        (__bridge id)kSecAttrService: service,
                        (__bridge id)kSecAttrAccount: accountKey};

// errSecSuccess (0) on success; -25244 is errSecInvalidOwnerEdit.
OSStatus status = SecItemDelete((__bridge CFDictionaryRef)(query));


Status is -25244 which is errSecInvalidOwnerEdit. This app created the keychain item to begin with. What would be the appropriate way to handle this type of error?

Hi, I have just found this thread, and I am an XPC/daemon developer (for an authorization plugin, which is also important here), so I cannot move to the data protection keychain.

Our flow has been the following:

  1. Create a keychain item in the System keychain in the daemon:
  • SecTrustedApplicationCreateFromPath to create trusted app references for all variations of authorizationhost and SecurityAgentHelper.
  • SecAccessCreate to create a SecAccess item that includes all SecTrustedApplications from above.
  • SecItemAdd / SecItemUpdate to save the item with this SecAccess instance added to the attributes dictionary: [kSecAttrAccess as String: access]

This is all working fine. But then, if I were to

  1. Delete this keychain item in the daemon:
  • SecTrustedApplicationCreateFromPath to create trusted app references for all variations of authorizationhost and SecurityAgentHelper.
  • SecAccessCreate to create a SecAccess item that includes all SecTrustedApplications from above.
  • SecItemDelete to delete the item with this SecAccess instance added to the attributes dictionary: [kSecAttrAccess as String: access]

I get the above mentioned errSecInvalidOwnerEdit error.

What I noticed is that if I add the daemon itself as another SecTrustedApplication to the SecAccess that is created, then the issue is solved. Why can I create and update an item from the daemon, but not delete, if it was the daemon that created the keychain item previously, in another invocation? Is this an expected behavior?
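The following Swift example is added here to illustrate the flow described in the reply above; it is not code from either poster. It builds the SecAccess the way the reply says works: the trusted-application list contains every path the daemon wants to trust plus the calling process itself, which SecTrustedApplicationCreateFromPath returns when the path argument is nil. The names `service`, `account` and `trustedPaths` are placeholders (the real daemon supplies the authorizationhost and SecurityAgentHelper paths it trusts). The delete path treats errSecItemNotFound as already-deleted so a "clear" button can be pressed twice, and reports errSecInvalidOwnerEdit by name instead of as a bare -25244. Caveat: SecTrustedApplication and SecAccess are legacy file-based keychain APIs, deprecated since macOS 10.10, but as the reply notes they remain the route for items in the System keychain.

```swift
import Foundation
import Security

// Added example, not the forum posters' code. `service`, `account` and
// `trustedPaths` are placeholders for the daemon's real values.

/// Wraps an OSStatus so callers see the symbolic message, e.g.
/// "OSStatus -25244: Invalid attempt to change the owner of this item."
struct KeychainError: Error, CustomStringConvertible {
    let status: OSStatus
    init(_ status: OSStatus) { self.status = status }
    var description: String {
        let msg = SecCopyErrorMessageString(status, nil) as String? ?? "unknown error"
        return "OSStatus \(status): \(msg)"
    }
}

/// Builds a SecAccess whose trusted-application list contains the calling
/// process plus every path in `trustedPaths`.
func makeAccess(descriptor: String, trustedPaths: [String]) throws -> SecAccess {
    var apps: [SecTrustedApplication] = []

    // nil path = the calling application (this daemon). Per the thread, leaving
    // the daemon out of the list is what led to errSecInvalidOwnerEdit on delete.
    var selfApp: SecTrustedApplication?
    var status = SecTrustedApplicationCreateFromPath(nil, &selfApp)
    guard status == errSecSuccess, let selfRef = selfApp else { throw KeychainError(status) }
    apps.append(selfRef)

    // The other binaries that must read the item (authorizationhost,
    // SecurityAgentHelper, ... as placeholders supplied by the caller).
    for path in trustedPaths {
        var app: SecTrustedApplication?
        status = SecTrustedApplicationCreateFromPath(path, &app)
        guard status == errSecSuccess, let ref = app else { throw KeychainError(status) }
        apps.append(ref)
    }

    var access: SecAccess?
    status = SecAccessCreate(descriptor as CFString, apps as CFArray, &access)
    guard status == errSecSuccess, let result = access else { throw KeychainError(status) }
    return result
}

/// Class, service and account are enough to identify a generic-password item.
func baseQuery(service: String, account: String) -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
}

/// Creates the item with the access list attached via kSecAttrAccess.
func addItem(service: String, account: String, secret: Data, access: SecAccess) throws {
    var attrs = baseQuery(service: service, account: account)
    attrs[kSecValueData as String] = secret
    attrs[kSecAttrAccess as String] = access
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError(status) }
}

/// Deletes the item. "Not found" counts as success so the operation is idempotent.
func deleteItem(service: String, account: String) throws {
    let status = SecItemDelete(baseQuery(service: service, account: account) as CFDictionary)
    switch status {
    case errSecSuccess, errSecItemNotFound:
        return
    case errSecInvalidOwnerEdit:
        // -25244: the caller is not an owner in the item's ACL. Retrying will not
        // help; the item has to have been created with this process in its access.
        throw KeychainError(status)
    default:
        throw KeychainError(status)
    }
}

// Usage sketch (placeholder values):
func exampleRoundTrip() {
    do {
        let access = try makeAccess(descriptor: "com.example.daemon.item",
                                    trustedPaths: ["/path/to/trusted/helper"])
        try addItem(service: "com.example.daemon", account: "user",
                    secret: Data("s3cret".utf8), access: access)
        try deleteItem(service: "com.example.daemon", account: "user")
    } catch {
        print("keychain failure: \(error)")
    }
}
```

The delete query deliberately carries only the identifying attributes; kSecAttrAccess is set when the item is added, and the point of the reply is that the access list built at creation time must already include the process that will later delete the item.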
