Post not yet marked as solved
I am trying to use SecItemUpdate in order to change the kSecAttrAccessControl value on a private key protected by the Secure Enclave as well as an .applicationPassword - which I want to change. I have been unsuccessful getting the query and attributesToUpdate dictionaries right though, with SecItemUpdate returning either errSecParam, errSecNoSuchAttr or errSecAuthFailed. Am I on the right track here or am I trying to do something that is not possible?
Post not yet marked as solved
If on iOS an app protects a keychain item with an access control list that specifies .biometryCurrentSet in its SecAccessControlCreateFlags the app loses access to the item if the set of currently enrolled fingers (for Touch ID) or the currently enrolled user (for Face ID) changes - which corresponds to a change of the evaluatedPolicyDomainState.
We have users reporting loss of such items even though - as they assure us - they have not touched (no pun intended) anything under "[Touch|Face] ID & Code" in Preferences.app.
Is there another reason why an app may lose access to such items?
Post not yet marked as solved
Our app creates ECDSA signatures by calling SecKeyCreateSignature() using a private key that is protected by the secure enclave. On iOS 17 beta our backend rejects some of those signatures as invalid while on previous iOS versions everything is fine. Did anything change in the security framework in iOS 17 that I missed in the release notes or the API diffs?
Post not yet marked as solved
The (archived) Local and Remote Notifications Programming Guide contains the following:
To support a background update notification, make sure that the payload’s aps dictionary includes the content-available key with a value of 1. If there are user-visible updates that go along with the background update, you can set the alert, sound, or badge keys in the aps dictionary, as appropriate.
The current documentation however reads:
To send a background notification, create a remote notification with an aps dictionary that includes only the content-available key, as shown in the sample code below. You may include custom keys in the payload, but the aps dictionary must not contain any keys that would trigger user interactions.
What caused this change and why is no longer supported to send additional keys (e.g. an alert dictionary) in the aps dictionary of a background notification?
Post not yet marked as solved
If a host is pinned by specifying its SPKI fingerprint under NSAppTransportSecurity > NSPinnedDomains > <hostname> > NSPinnedLeafIdentities and pinning fails the following errors are raised:
Error Domain=NSURLErrorDomain, Code=-1200 (i.e. NSURLErrorSecureConnectionFailed)
Error Domain=kCFErrorDomainCFNetwork, Code=-1200 (i.e. kCFURLErrorSecureConnectionFailed)
_kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802 (i.e. errSSLFatalAlert)
The topmost error's UserInfo dictionary contains a NSLocalizedRecoverySuggestion of "Would you like to connect to the server anyway?".
How would I go about doing so given that urlSession(_:task:didReceive:completionHandler:)has already been called at this point?
Post not yet marked as solved
I am slightly confused as to how I am supposed to maintain persistent access to a SecureEnclave.P256.Signing.PrivateKey. Do I have to persist the key myself (using its dataRepresentation property and code along the lines of Storing CryptoKit Keys in the Keychain or is there another persistent reference to the key inside the Secure Enclave that I can use later?
Post not yet marked as solved
We are seeing crashes lately that seem to be caused by PAC, but we are not yet building for the arm64e architecture as advertised here. Is it likely that adopting that architecture will alleviate these crashes?
Post not yet marked as solved
The unified logging system on iOS can allegedly be configured by means of configuration profiles (as alluded to e.g. here), but documentation as to how to do that seems to be scarce.
I am especially interested in whether it is possible to create a profile that auto-expires after a predefined time period (as the one for use with Apple Pay available here does).
Can anyone point me in the right direction?
Post not yet marked as solved
Is there an API to create a .logarchive file from the contents of e.g. a OSLogStore?
Post not yet marked as solved
Is it possible to send remote notifications via APNs to an iOS app from two provider servers one of which uses certificate-based authentication while the other uses token-based authentication? The documentation states:
To send notifications, your provider server must establish either token-based or certificate-based trust with APNs
However, this only applies to one server and not two.
StackOverflow: https://stackoverflow.com/a/51726097
Post not yet marked as solved
The documentation states:
iOS, iPadOS, macOS, and tvOS apps can share a single target. watchOS apps remain in a separate target.
Why is that?
Post not yet marked as solved
As a follow-up to a Networking lab conversation I had on Tuesday I have the following question:
Is there a way to use nscurl to connect to a server that requires client authentication by providing a client certificate? None of the documented options seem to allow that, but maybe there is an undocumented one...
Post not yet marked as solved
OAEP (i.e. Optimal Asymmetric Encryption Padding) as defined in RFC 2437 is
parameterized by the choice of hash function and mask generation function.
The hash function is usually either SHA-1 or SHA-2 while the only mask generation function defined is MGF1 which itself is
based on a hash function.
In the Security.framework this padding scheme is available as OAEP (deprecated as of iOS 15) and as properties of the SecKeyAlgorithm structure, e.g. rsaEncryptionOAEPSHA1. The documentation for both only reads
No overview available
but from the comments in SecKey.h can be gleaned that at least for rsaEncryptionOAEPSHA1
data is padded using OAEP padding scheme internally using SHA1.
So it seems that while using SecKeyAlgorithm the choice of hash function corresponds to selecting a property of the structure; the question that remains is whether this hash function is used for both the encoding scheme and the mask generation function. I suppose that this is in fact the case, but I am unable to find anything corroborating this.
Post not yet marked as solved
I currently have two valid Apple Distribution certificates (old and new, say) in my login keychain (which Xcode recognises in Settings > Accounts) and a project with a manual code signing setup such that a provisioning profile which references the old certificate is specified for the PROVISIONING_PROFILE_SPECIFIER build setting.
While building, though, Xcode complains about the profile not containing some signing certificate (which I assume refers to the new one and which would be expected since I have yet to update it) and fails the build. This effectively means that I cannot have two valid certificates in the keychain and use two profiles where one references the old and the other the new certificate. Am I missing something here?
Post not yet marked as solved
From man arc4random - x-man-page://arc4random (on macOS 10.15):
The original version of this random number generator used the RC4 (also known as ARC4) algorithm. In OS X 10.12 it was replaced with the NIST-approved AES cipher
Does this hold true for iOS as well and if so from which version on?