Always get -25300(errSecItemNotFound) when using SecItemCopyMatching to list certificate on iOS

let query: [String: Any] = [
    kSecClass as String: kSecClassCertificate,
    kSecMatchLimit as String: kSecMatchLimitAll
]

var result: CFTypeRef?
let status = SecItemCopyMatching(query as CFDictionary, &result)
guard status == errSecSuccess else {
    print("Error retrieving certificates: \(status)")
    return true
}

It works on macOS, but always gets -25300 (errSecItemNotFound) on iOS, so it looks like it won't be possible to do an equivalent in iOS given the app ecosystem is sandboxed?

Answered by Android2Test in 748206022

Instead of traversing certs to check, I just found an API which can help to check customized cert installed and trusted: SecTrustCreateWithCertificates.

If your high-level goal is to check for trust, using a trust object (SecTrust) is definitely the way to go. However, I wanted to explain why you’re seeing platform differences here.

If you’re writing keychain code on macOS and iOS, you need to understand that iOS always uses the data protection keychain whereas macOS defaults to the file-based keychain. For more details, see TN3137 On Mac keychain APIs and implementations.

The data protection keychain uses a keychain access group protection model. Your app can only ‘see’ keychain items in the access groups it’s entitled to use. For the details, see Sharing Access to Keychain Items Among a Collection of Apps.

If you’re trying to access keychain items created by apps from other developers, or created by the system, they’ll be in an access group that you can’t access.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
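
The two approaches discussed in this thread, as an added example that is not code from any of the posters: a SecTrust evaluation of a certificate the app already holds, and a keychain listing that treats errSecItemNotFound as "nothing in my access groups". The names CertificateTrust, evaluateTrust and visibleCertificateLabels are hypothetical, and the caller is assumed to supply the DER bytes (for example from a bundled .cer file).

```swift
import Foundation
import Security

/// Outcome of asking the system whether a certificate chains to a trusted anchor.
enum CertificateTrust {
    case trusted
    case untrusted(reason: String)
    case invalidInput(OSStatus)
}

/// Evaluates a DER-encoded certificate under the basic X.509 policy.
/// Evaluation succeeds only when the chain ends in an anchor the system trusts,
/// so no keychain enumeration is needed to answer "is this cert trusted here?".
func evaluateTrust(ofDERCertificate der: Data) -> CertificateTrust {
    guard let certificate = SecCertificateCreateWithData(nil, der as CFData) else {
        return .invalidInput(errSecParam)   // bytes are not a DER X.509 certificate
    }
    var trust: SecTrust?
    let status = SecTrustCreateWithCertificates(certificate, SecPolicyCreateBasicX509(), &trust)
    guard status == errSecSuccess, let trustObject = trust else {
        return .invalidInput(status)
    }
    var error: CFError?
    if SecTrustEvaluateWithError(trustObject, &error) {
        return .trusted
    }
    let reason = error.map { CFErrorCopyDescription($0) as String } ?? "unknown"
    return .untrusted(reason: reason)
}

/// Lists labels of certificates in the access groups this app is entitled to use.
/// errSecItemNotFound is the normal answer when those groups hold no certificates,
/// so it is mapped to an empty list instead of being reported as a failure.
func visibleCertificateLabels() -> Result<[String], NSError> {
    let query: [String: Any] = [
        kSecClass as String: kSecClassCertificate,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnAttributes as String: true
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        let items = result as? [[String: Any]] ?? []
        return .success(items.compactMap { $0[kSecAttrLabel as String] as? String })
    case errSecItemNotFound:
        return .success([])
    default:
        return .failure(NSError(domain: NSOSStatusErrorDomain, code: Int(status)))
    }
}
```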
