4 Replies
      Latest reply: Feb 23, 2017 2:46 AM by michaelang12345
      michaelang12345 Level 1 (10 points)

        When I run this code from a command-line Xcode app on macOS 10.12, I get the dialog box asking for permission.

          #include <Security/Security.h>

          CFArrayRef refs = NULL;
          OSStatus status = SecTrustSettingsCopyCertificates(kSecTrustSettingsDomainUser, &refs);
          if (status != errSecSuccess || CFArrayGetCount(refs) < 2) return; // nothing at index 1 to modify
          SecCertificateRef ref = (SecCertificateRef)CFArrayGetValueAtIndex(refs, 1);
          CFMutableDictionaryRef trustDict = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
          SecPolicyRef policy = SecPolicyCreateBasicX509();
          CFDictionaryAddValue(trustDict, kSecTrustSettingsPolicy, policy);

          //now try to change the trust setting
          status = SecTrustSettingsSetTrustSettings(ref, kSecTrustSettingsDomainUser, trustDict);
          // errSecSuccess means the settings were written; anything else should be checked
          CFRelease(policy);
          CFRelease(trustDict);
          CFRelease(refs);

        But the dialog box does not pop up when this is run from inside a Smartcard Extension.

        Is this a limitation of a smartcard extension, that you are not allowed to modify the trust settings of a certificate?

        Michael

        • Re: Smartcard Extension and Authorization rights
          eskimo Apple Staff (5,995 points)

          But the dialog box does not pop up when this is run from inside a Smartcard Extension.

          This is probably caused by the extension not being allowed to interact with the user.  What error do you get back?  If this is as I suspect, you should get some sort of ‘no user interaction’ error (possibly errAuthorizationInteractionNotAllowed, but there are others).

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Smartcard Extension and Authorization rights
              michaelang12345 Level 1 (10 points)

              The error code I got is -60007 (errAuthorizationInteractionNotAllowed); this is when the domain is kSecTrustSettingsDomainUser.

              I assume that a smartcard extension is not allowed to modify trust settings by design.

              I have tried SecKeychainSetUserInteractionAllowed(YES); but it is still the same.

              Is it true that the extension is not allowed to modify the trust settings of a certificate?

                • Re: Smartcard Extension and Authorization rights
                  eskimo Apple Staff (5,995 points)

                  Is it true that the extension is not allowed to modify trust settings of a certificate?

                  I don’t know the answer to that specific question, but the meaning of that error is very clear:

                  • For things to proceed, the system must present UI to the user

                  • The calling code is running in a context where it’s not allowed to present UI to the user

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                    • Re: Smartcard Extension and Authorization rights
                      michaelang12345 Level 1 (10 points)

                      Thanks for the quick response!

                      From the text I read in the header file, SecTrustSettings.h:

                              * When making changes to the per-user Trust Settings, the user will be
                              * prompted with an alert panel asking for authentication via user name and
                              * password (or other credentials normally used for login). This means
                              * that it is not possible to modify per-user Trust Settings when not
                              * running in a GUI environment (i.e. the user is not logged in via
                              * Loginwindow).

                      With this and your second bullet about the context the code is currently running in, I can assume that it is impossible to show the authentication dialog box.
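An added example, not code from this thread or from Apple, that performs the per-user trust-settings change discussed above with the checks the original snippet lacks (status and count checks, explicit trust result, CF object release) and treats errAuthorizationInteractionNotAllowed (-60007) as a terminal condition rather than something to retry. It assumes a macOS build linked against the Security framework; SetUserTrustForCertificate is a name chosen here.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Gives `cert` explicit per-user trust under the basic X.509 policy and returns
// the Security framework status. From a process that cannot present UI (such as
// a smartcard extension) the expected result is errAuthorizationInteractionNotAllowed.
static OSStatus SetUserTrustForCertificate(SecCertificateRef cert) {
    SecPolicyRef policy = SecPolicyCreateBasicX509();
    // Spell out the trust result instead of relying on the header's default.
    SInt32 result = kSecTrustSettingsResultTrustRoot;
    CFNumberRef resultNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &result);
    const void *keys[] = { kSecTrustSettingsPolicy, kSecTrustSettingsResult };
    const void *values[] = { policy, resultNum };
    CFDictionaryRef trustDict = CFDictionaryCreate(kCFAllocatorDefault, keys, values, 2,
                                                   &kCFTypeDictionaryKeyCallBacks,
                                                   &kCFTypeDictionaryValueCallBacks);
    OSStatus status = SecTrustSettingsSetTrustSettings(cert, kSecTrustSettingsDomainUser, trustDict);
    CFRelease(trustDict);
    CFRelease(resultNum);
    CFRelease(policy);
    return status;
}

int main(void) {
    @autoreleasepool {
        CFArrayRef certs = NULL;
        OSStatus status = SecTrustSettingsCopyCertificates(kSecTrustSettingsDomainUser, &certs);
        if (status != errSecSuccess || certs == NULL || CFArrayGetCount(certs) == 0) {
            NSLog(@"No per-user trust settings to work with (status %d)", (int)status);
            if (certs) CFRelease(certs);
            return 1;
        }
        // The thread's snippet indexes element 1 unconditionally; use 0 after the count check.
        SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, 0);
        status = SetUserTrustForCertificate(cert);
        if (status == errAuthorizationInteractionNotAllowed) {
            // -60007: the change needs an authentication panel and this process may not
            // show one. The prompt is what keeps trust from being widened without the
            // user's consent, so retrying here is pointless; the change belongs in a
            // process that can present UI.
            NSLog(@"Trust change blocked: no user-interaction context (errAuthorizationInteractionNotAllowed)");
        } else if (status != errSecSuccess) {
            NSLog(@"SecTrustSettingsSetTrustSettings failed: %d", (int)status);
        }
        CFRelease(certs);
        return status == errSecSuccess ? 0 : 1;
    }
}
```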