Smartcard Extension and Authorization rights

When I run this code from a command-line Xcode app on macOS 10.12, I get the dialog box asking for permission.


#include <Security/Security.h>

CFArrayRef refs = NULL;
OSStatus status = SecTrustSettingsCopyCertificates(kSecTrustSettingsDomainUser, &refs);
if (status != errSecSuccess) {
    return status;   // errSecNoTrustSettings when no certificate has per-user settings
}
if (CFArrayGetCount(refs) < 2) {
    CFRelease(refs);
    return errSecItemNotFound;   // element 1 was used below without a bounds check
}

SecCertificateRef ref = (SecCertificateRef)CFArrayGetValueAtIndex(refs, 1);

CFMutableDictionaryRef trustDict = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
SecPolicyRef policy = SecPolicyCreateBasicX509();
CFDictionaryAddValue(trustDict, kSecTrustSettingsPolicy, policy);
// no kSecTrustSettingsResult is set, so the default (kSecTrustSettingsResultTrustRoot) applies

// now try to change the trust setting; this is the call that needs the authorization UI
status = SecTrustSettingsSetTrustSettings(ref, kSecTrustSettingsDomainUser, trustDict);

CFRelease(policy);
CFRelease(trustDict);
CFRelease(refs);


But the dialog box does not pop up when this is run from inside a Smartcard Extension.


Is it a limitation of a smartcard extension that you are not allowed to modify the trust settings of a certificate?



Michael

Replies

But the dialog box does not pop up when this is run from inside a Smartcard Extension.

This is probably caused by the extension not being allowed to interact with the user. What error do you get back? If this is as I suspect, you should get some sort of ‘no user interaction’ error (possibly errAuthorizationInteractionNotAllowed, but there are others).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

The error code I got is -60007 (errAuthorizationInteractionNotAllowed); this is when the domain is kSecTrustSettingsDomainUser.


I assume that the smartcard extension is not allowed to modify trust settings by design.


I have tried SecKeychainSetUserInteractionAllowed(YES), but still the same.


Is it true that the extension is not allowed to modify trust settings of a certificate?

Is it true that the extension is not allowed to modify trust settings of a certificate?

I don’t know the answer to that specific question, but the meaning of that error is very clear:

  • For things to proceed, the system must present UI to the user

  • The calling code is running in a context where it’s not allowed to present UI to the user

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
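The two bullets above describe what -60007 means; the following is an added example (not code from the original post or from Apple) that shows how a caller can tell that outcome apart from a real failure. It re-applies a certificate's existing per-user trust settings, which goes through the same authorization path as a genuine change without altering what the user trusts. The helper names, the outcome enum and the choice of the first certificate are this example's own assumptions; it is plain C against the Security framework and builds with `clang example.c -framework Security -framework CoreFoundation`.

```objective-c
// Added example: exercise SecTrustSettingsSetTrustSettings and classify the
// result. Assumes macOS with the Security framework. Names below are invented
// for this example and are not part of Apple's API.
#include <CoreFoundation/CoreFoundation.h>
#include <Security/Security.h>
#include <stdio.h>

typedef enum {
    TrustChangeApplied,
    TrustChangeNeedsUserInteraction,   // caller runs where no UI can be shown
    TrustChangeRefusedByUser,          // prompt shown, user cancelled or failed auth
    TrustChangeFailed
} TrustChangeOutcome;

// Map the OSStatus from SecTrustSettingsSetTrustSettings to a coarse outcome.
static TrustChangeOutcome classifyTrustChange(OSStatus status) {
    switch (status) {
        case errSecSuccess:
            return TrustChangeApplied;
        case errAuthorizationInteractionNotAllowed:   // -60007, the error in this thread
        case errSecInteractionNotAllowed:             // -25308, keychain-layer equivalent
            return TrustChangeNeedsUserInteraction;
        case errAuthorizationCanceled:                // -60006, user dismissed the prompt
        case errAuthorizationDenied:                  // -60005, credentials rejected
            return TrustChangeRefusedByUser;
        default:
            return TrustChangeFailed;
    }
}

// Print an OSStatus together with the system's description of it.
static void logStatus(const char *what, OSStatus status) {
    char buf[256] = "unknown";
    CFStringRef msg = SecCopyErrorMessageString(status, NULL);
    if (msg != NULL) {
        CFStringGetCString(msg, buf, sizeof(buf), kCFStringEncodingUTF8);
        CFRelease(msg);
    }
    fprintf(stderr, "%s: %d (%s)\n", what, (int)status, buf);
}

// Read the certificate's current per-user trust settings and write them back
// unchanged. The write still requires authorization, so in a GUI session this
// prompts and in a no-UI context it fails with -60007, without changing trust.
static TrustChangeOutcome reapplyUserTrustSettings(SecCertificateRef cert) {
    CFArrayRef current = NULL;
    OSStatus status = SecTrustSettingsCopyTrustSettings(cert, kSecTrustSettingsDomainUser, &current);
    if (status != errSecSuccess) {
        logStatus("SecTrustSettingsCopyTrustSettings", status);
        return TrustChangeFailed;
    }
    status = SecTrustSettingsSetTrustSettings(cert, kSecTrustSettingsDomainUser, current);
    CFRelease(current);
    logStatus("SecTrustSettingsSetTrustSettings", status);
    return classifyTrustChange(status);
}

int main(void) {
    CFArrayRef certs = NULL;
    OSStatus status = SecTrustSettingsCopyCertificates(kSecTrustSettingsDomainUser, &certs);
    // errSecNoTrustSettings is returned when no certificate has per-user settings.
    if (status != errSecSuccess || certs == NULL || CFArrayGetCount(certs) == 0) {
        logStatus("SecTrustSettingsCopyCertificates", status);
        if (certs != NULL) CFRelease(certs);
        return 1;
    }
    // Index 0 is always present once the count check passed; the original post
    // indexed element 1 without checking the count.
    SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, 0);
    TrustChangeOutcome outcome = reapplyUserTrustSettings(cert);
    CFRelease(certs);

    switch (outcome) {
        case TrustChangeApplied:
            puts("trust settings re-applied (authorization succeeded)");
            break;
        case TrustChangeNeedsUserInteraction:
            puts("no UI allowed in this context; per-user trust settings cannot be changed here");
            break;
        case TrustChangeRefusedByUser:
            puts("authorization prompt was shown but not approved");
            break;
        default:
            puts("trust settings change failed for another reason");
    }
    return outcome == TrustChangeApplied ? 0 : 1;
}
```

Run it from a Terminal in a logged-in GUI session and the authorization dialog appears; run the same binary from a context without a window server connection (an SSH session, a launchd daemon, or the extension described in the thread) and the call returns errAuthorizationInteractionNotAllowed, which the classifier reports as TrustChangeNeedsUserInteraction rather than as a generic failure.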

Thanks for the quick response!


From the text I read in the header file, SecTrustSettings.h:


 * When making changes to the per-user Trust Settings, the user will be
 * prompted with an alert panel asking for authentication via user name and
 * password (or other credentials normally used for login). This means
 * that it is not possible to modify per-user Trust Settings when not
 * running in a GUI environment (i.e. the user is not logged in via
 * Loginwindow).


With this and your second bullet about the context the code is currently running in, I can assume that it is impossible to show the authentication dialog box.