Using SecItemUpdate to change the kSecAttrAccessControl value of a private key protected by the Secure Enclave

I am trying to use SecItemUpdate in order to change the kSecAttrAccessControl value on a private key protected by the Secure Enclave as well as an .applicationPassword, which I want to change. I have been unsuccessful getting the query and attributesToUpdate dictionaries right though, with SecItemUpdate returning either errSecParam, errSecNoSuchAttr or errSecAuthFailed. Am I on the right track here or am I trying to do something that is not possible?
Update: The documentation for SecItemUpdate includes the following w.r.t. the attributesToUpdate dictionary:
Only real keychain attributes are permitted in this dictionary (no "meta" attributes are allowed.)
It is unclear (at least to me) what those "meta" attributes may be. Is kSecAttrAccessControl maybe one of them?
I dug a little deeper (thanks, Quinn!) and found two possibly related errors in the system log. errSecNoSuchAttr seems to be caused by
error:[-25303] Error Domain=NSOSStatusErrorDomain Code=-25303 "attribute u_CredRef not found in class keys" UserInfo={numberOfErrorsDeep=0, NSDescription=attribute u_CredRef not found in class keys}
while errSecAuthFailed seems to be a fallout from
evaluateAccessControl on LAContext[5448:4] cid:17 returned Error Domain=com.apple.LocalAuthentication Code=-1009 "ACL operation is not allowed: 'oe'" UserInfo={NSDebugDescription=ACL operation is not allowed: 'oe', NSLocalizedDescription=Vorgang ist nicht zulässig.}
I filed this as FB11884381, FWIW.
FWIW, the resolution of the feedback I filed was basically "works as designed".
Apple closed it without even bothering to respond to me.
Without responding at all? Or with a response saying that DTS can’t help you with this?
"works as designed"
Yep. I’m not sure of the timing here, but I came across this issue myself and listed it in SecItem: Pitfalls and Best Practices (under Add-only Attributes).
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
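Quinn's "add-only attribute" point in practice, as an added Swift example that is not code from this thread or from Apple: because kSecAttrAccessControl cannot be changed with SecItemUpdate and a Secure Enclave key cannot be exported, changing the .applicationPassword means generating a replacement key under a new access control, which is what rotatePassword below does. It assumes a hypothetical application tag (com.example.se-key) and that the LAContext carrying the password is handed to SecKeyCreateRandomKey via kSecUseAuthenticationContext.

```swift
import Foundation
import LocalAuthentication
import Security

enum SEKeyError: Error { case cf(CFError?), status(OSStatus) }
// Assumed tag under which the app keeps its Secure Enclave private key.
let keyTag = Data("com.example.se-key".utf8)

// Access control: Secure Enclave key usage gated by an application password.
func makeAccessControl() throws -> SecAccessControl {
    var err: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            [.privateKeyUsage, .applicationPassword], &err)
    else { throw SEKeyError.cf(err?.takeRetainedValue()) }
    return acl
}

// Generate a permanent SE key under `tag`, supplying the password through an LAContext credential.
func generateKey(tag: Data, password: Data) throws -> SecKey {
    let ctx = LAContext()
    _ = ctx.setCredential(password, type: .applicationPassword)
    let acl = try makeAccessControl()
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecUseAuthenticationContext as String: ctx,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: tag,
            kSecAttrAccessControl as String: acl]]
    var err: Unmanaged<CFError>?
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &err)
    else { throw SEKeyError.cf(err?.takeRetainedValue()) }
    return key
}

// kSecAttrAccessControl is add-only and an SE key never leaves the enclave, so a new
// password means a new key. Create the replacement first (a failure then leaves the old
// key untouched), retire the old key, and move the new one to the canonical tag: unlike
// the access control, the application tag is a real, updatable keychain attribute.
func rotatePassword(to newPassword: Data) throws {
    let tempTag = keyTag + Data("-next".utf8)
    _ = try generateKey(tag: tempTag, password: newPassword)
    var st = SecItemDelete([kSecClass as String: kSecClassKey, kSecAttrApplicationTag as String: keyTag] as CFDictionary)
    guard st == errSecSuccess || st == errSecItemNotFound else { throw SEKeyError.status(st) }
    st = SecItemUpdate([kSecClass as String: kSecClassKey, kSecAttrApplicationTag as String: tempTag] as CFDictionary,
                       [kSecAttrApplicationTag as String: keyTag] as CFDictionary)
    guard st == errSecSuccess else { throw SEKeyError.status(st) }
}
```

Anything signed or decrypted with the old key must be handled before the delete, since nothing can be migrated out of the enclave.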