Browser Access to Keychain Private Key

Hi everyone,

We are building an application on macOS (and iOS) that can install client certificates for mTLS handshake. This part is working great and the certificates are imported into login keychain. The problem comes when a user tries to use those certificates from the browser. Then he is presented with the Keychain access dialog to be able to use the private key from the installed certificate. We would like to hide this dialog so that the user flow is as streamlined as possible.

We succeeded in hiding the Keychain dialog in Safari by importing the private key with a flag that allows all applications access to it. This is enough for Safari since Apple applications are part of the key's partition list by default. This, however, doesn't work for, e.g., Chrome. We've experimented with calling the security set-key-partition-list command, but that still requires the Keychain password (shows the dialog) and it seems impossible to select just our private key with it.

So my question is, how can we hide the Keychain dialog when using our certificate from Chrome? Would working with the Objective-C methods SecKeychainItemSetAccess or the newer SecItemUpdate perhaps allow us to set the partition list without a Keychain dialog window? Is there another option that doesn't set the key partition list?

Best regards, Marek Vinkler

There is not a general way to do this, because it depends on how the target browser accesses the keychain. If, for example, the browser uses the data protection keychain exclusively — which is the case on iOS and is good practice on macOS — then there’s no way for you to inject identities into its keychain access groups.

We've experimented with calling the security set-key-partition-list command, but that still requires the Keychain password (shows the dialog)

Right. That’s not accidental. As of macOS… oh gosh… I don’t remember… probably around 10.12… there’s no way for an app to ‘donate’ a keychain item to an app from another team without user approval. This isn’t an accident, but a security hardening feature.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

It's kind of unfortunate, since for mTLS the browser team never installs its own client certificates, but they are always donated in one way or another. But as my boss says, it is what it is. Anyway, thank you very much for your confirmation.
