Error -25243 while calling SecKeychainItemCopyAccess API

I am trying to read the Access Control List of a KeychainItem. I want to modify access for this KeychainItem so that it doesn't prompt for a password every time my app tries to access it. The KeychainItem contains a private key.

Below is the code snippet I am using.


#include <Security/Security.h>   /* declares SecAccessRef and SecKeychainItemCopyAccess */
SecAccessRef secaccess;
/* pKeychain: assumed to be the SecKeychainItemRef of the private-key item, obtained earlier */
OSStatus ret = SecKeychainItemCopyAccess(pKeychain, &secaccess);


SecKeychainItemCopyAccess fails with error -25243 (The specified item has no access control).

I believe every item has access control as per the link https://developer.apple.com/documentation/security/keychain_services/access_control_lists?language=objc


My test program asks for a password every time I run it, with the options "Always Allow", "Deny" and "Allow". As per the documentation, the "Always Allow" option will add access control for the KeychainItem. But if I choose the Always Allow option, SecKeychainItemCopyAccess fails with the same error in subsequent runs as well.


Since I am new to macOS, I am not sure if I am doing it right.

I am trying on macOS 10.13.4 and 10.12.


Thanks.

Replies

Who created this keychain item? My general recommendation is that you set the ACL at creation time, because changing it after the fact will trigger a user authorisation dialog.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
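Quinn's recommendation, as an added Swift example that is not part of this thread: the ACL is built with SecAccessCreate and attached to a new item through kSecAttrAccess when SecItemAdd creates it, then read back with the same SecKeychainItemCopyAccess call the question uses, with -25243 matched by name as errSecNoAccessForItem. The helper executable paths passed as trustedPaths are assumed inputs, and the legacy ACL APIs involved are deprecated but still present on the macOS versions mentioned above.

```swift
import Foundation
import Security

// Added example (not the poster's code) using the legacy keychain ACL APIs the
// thread is about; they are deprecated but still present on macOS 10.12/10.13.
func osError(_ st: OSStatus) -> NSError { NSError(domain: NSOSStatusErrorDomain, code: Int(st)) }
/// Build a SecAccess whose ACL trusts the calling app plus `trustedPaths`
/// (e.g. a helper daemon's executable; the paths are the caller's assumption).
func makeAccess(label: String, trustedPaths: [String]) throws -> SecAccess {
    var me: SecTrustedApplication?
    var st = SecTrustedApplicationCreateFromPath(nil, &me)     // nil = the calling app
    guard st == errSecSuccess, let selfApp = me else { throw osError(st) }
    var apps = [selfApp]
    for path in trustedPaths {
        var app: SecTrustedApplication?
        st = SecTrustedApplicationCreateFromPath(path, &app)
        guard st == errSecSuccess, let a = app else { throw osError(st) }
        apps.append(a)
    }
    var access: SecAccess?
    st = SecAccessCreate(label as CFString, apps as CFArray, &access)
    guard st == errSecSuccess, let a = access else { throw osError(st) }
    return a
}
/// Add a generic-password item with the ACL attached at creation time; returns
/// the SecKeychainItem ref, the type SecKeychainItemCopyAccess expects.
func addItem(service: String, account: String, secret: Data, access: SecAccess) throws -> SecKeychainItem {
    let attrs: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: secret,
        kSecAttrAccess as String: access,   // ACL set now, so no authorisation dialog later
        kSecReturnRef as String: true,
    ]
    var result: CFTypeRef?
    let st = SecItemAdd(attrs as CFDictionary, &result)
    guard st == errSecSuccess, let item = result else { throw osError(st) }
    return item as! SecKeychainItem
}
/// Read the ACL back, separating errSecNoAccessForItem (-25243) from other failures.
func describeACL(of item: SecKeychainItem) -> String {
    var access: SecAccess?
    let st = SecKeychainItemCopyAccess(item, &access)
    if st == errSecNoAccessForItem { return "item has no access control (errSecNoAccessForItem)" }
    guard st == errSecSuccess, let a = access else { return "SecKeychainItemCopyAccess failed: \(st)" }
    var acls: CFArray?
    _ = SecAccessCopyACLList(a, &acls)                 // one SecACL per authorization set
    return "ACL entries: \((acls as? [SecACL])?.count ?? 0)"
}
```

Call makeAccess first, pass its result to addItem, and hand the returned item to describeACL; an item created this way reads back with a non-empty ACL instead of -25243.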

The KeychainItem is already present in the system. My app won't create it, so I can't set the ACL at creation time.

Apart from this, my app contains a daemon and I am trying the above-mentioned functionality from the daemon. From the daemon I am not getting a user authorisation dialog even after setting 'SecKeychainSetUserInteractionAllowed' to true.


Moreover, setting user interaction doesn't make any sense, but I tried that approach as well.

KeychainItem is already present in the system.

OK. Working with items that you didn’t create has always been a bit tricky from an access control perspective, and there have been some changes in recent OS releases that make it even harder. I’m not fully up to speed on those changes, so I don’t have a simple answer for you. My recommendation is that you open a DTS tech support incident and discuss this with DTS’s keychain expert.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"