3 Replies
      Latest reply on Aug 3, 2018 1:35 AM by eskimo
      Sardeep Level 1 (0 points)

        I am trying to read the Access Control List of a KeychainItem. I want to modify access for this KeychainItem so that it doesn't prompt for a password every time my app tries to access it. The KeychainItem contains a private key.

        Below is the code snippet I am using.

        #include <Security/Security.h>

        SecAccessRef secaccess;  /* receives the item's access object (caller releases it) */
        /* pKeychain is the SecKeychainItemRef whose ACL is being read */
        OSStatus ret = SecKeychainItemCopyAccess(pKeychain, &secaccess);

        SecKeychainItemCopyAccess fails with error -25243 (The specified item has no access control).

        I believe every item has access control as per the link https://developer.apple.com/documentation/security/keychain_services/access_control_lists?language=objc

        My test program asks for a password every time I run it, with the options "Always Allow", "Deny" and "Allow". As per the documentation, the "Always Allow" option will add access control for the KeychainItem. But if I choose the Always Allow option, SecKeychainItemCopyAccess fails with the same error in the subsequent run as well.

        Since I am new to macOS, I am not sure if I am doing it right.

        I am trying on macOS 10.13.4 and 10.12.


        Thanks.

        • Re: Error -25243 while calling SecKeychainItemCopyAccess API
          eskimo Apple Staff (9,405 points)

          Who created this keychain item?  My general recommendation is that you set the ACL at creation time, because changing it after the fact will trigger a user authorisation dialog.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"
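The following is an added example, not code from this thread, from Sardeep, or from Apple: it shows the approach eskimo describes, attaching an ACL to a keychain item at creation time (via kSecAttrAccess) and then reading it back with the same SecKeychainItemCopyAccess call the question uses. It assumes macOS with the legacy file-based keychain (these calls are deprecated but still present); the service and account names, the secret, and the build command are assumptions of the example.

```objc
// Added example (not from the thread): create an item with its ACL fixed at
// creation, then dump that ACL. Service/account/secret values are constructed.
// Build: clang -framework Security -framework CoreFoundation acl_demo.m -o acl_demo
#include <Security/Security.h>
#include <CoreFoundation/CoreFoundation.h>
#include <stdio.h>
#include <string.h>

// Access object whose trusted-application list holds only the calling process.
// A NULL trusted list would mean "any application"; an explicit list is the
// safer default for secrets such as private keys.
static SecAccessRef makeAccessForSelf(void) {
    SecTrustedApplicationRef me = NULL;
    if (SecTrustedApplicationCreateFromPath(NULL, &me) != errSecSuccess) return NULL;
    const void *apps[] = { me };
    CFArrayRef trusted = CFArrayCreate(NULL, apps, 1, &kCFTypeArrayCallBacks);
    SecAccessRef access = NULL;
    OSStatus st = SecAccessCreate(CFSTR("acl-demo item"), trusted, &access);
    CFRelease(trusted);
    CFRelease(me);
    return st == errSecSuccess ? access : NULL;
}

// Add a generic-password item with kSecAttrAccess set, so the ACL exists from
// the start and no later ACL edit (hence no authorisation dialog) is needed.
static SecKeychainItemRef addItemWithAccess(SecAccessRef access) {
    const char *secret = "constructed-sample-secret";   // constructed, not a real credential
    CFDataRef data = CFDataCreate(NULL, (const UInt8 *)secret, (CFIndex)strlen(secret));
    const void *keys[] = { kSecClass, kSecAttrService, kSecAttrAccount,
                           kSecValueData, kSecAttrAccess, kSecReturnRef };
    const void *vals[] = { kSecClassGenericPassword, CFSTR("com.example.acl-demo"),
                           CFSTR("demo-account"), data, access, kCFBooleanTrue };
    CFDictionaryRef attrs = CFDictionaryCreate(NULL, keys, vals, 6,
        &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    CFTypeRef item = NULL;
    OSStatus st = SecItemAdd(attrs, &item);   // errSecDuplicateItem if it already exists
    CFRelease(attrs);
    CFRelease(data);
    if (st != errSecSuccess) {
        fprintf(stderr, "SecItemAdd failed: %d\n", (int)st);
        return NULL;
    }
    return (SecKeychainItemRef)item;
}

// Print each ACL entry: its description, how many operations it authorises,
// whether it trusts an explicit application list or any application, and its
// prompt selector. The -25243 (errSecNoAccessForItem) from the question would
// surface at the SecKeychainItemCopyAccess call.
static OSStatus dumpAccess(SecKeychainItemRef item) {
    SecAccessRef access = NULL;
    OSStatus st = SecKeychainItemCopyAccess(item, &access);
    if (st != errSecSuccess) {
        fprintf(stderr, "SecKeychainItemCopyAccess failed: %d\n", (int)st);
        return st;
    }
    CFArrayRef acls = NULL;
    st = SecAccessCopyACLList(access, &acls);
    if (st == errSecSuccess) {
        for (CFIndex i = 0; i < CFArrayGetCount(acls); i++) {
            SecACLRef acl = (SecACLRef)CFArrayGetValueAtIndex(acls, i);
            CFArrayRef apps = NULL;
            CFStringRef desc = NULL;
            SecKeychainPromptSelector prompt = 0;
            if (SecACLCopyContents(acl, &apps, &desc, &prompt) != errSecSuccess) continue;
            CFArrayRef auths = SecACLCopyAuthorizations(acl);
            char descBuf[128] = "(no description)";
            if (desc) CFStringGetCString(desc, descBuf, sizeof descBuf, kCFStringEncodingUTF8);
            printf("ACL %ld: \"%s\", %ld authorisation(s), trusted apps: %s, prompt 0x%x\n",
                   (long)i, descBuf, auths ? (long)CFArrayGetCount(auths) : 0L,
                   apps ? "explicit list" : "ANY", (unsigned)prompt);
            if (auths) CFRelease(auths);
            if (apps) CFRelease(apps);
            if (desc) CFRelease(desc);
        }
        CFRelease(acls);
    }
    CFRelease(access);
    return st;
}

int main(void) {
    SecAccessRef access = makeAccessForSelf();
    if (!access) { fprintf(stderr, "could not build access object\n"); return 1; }
    SecKeychainItemRef item = addItemWithAccess(access);
    CFRelease(access);
    if (!item) return 1;
    OSStatus st = dumpAccess(item);
    CFRelease(item);
    return st == errSecSuccess ? 0 : 1;
}
```

Run it as the logged-in user, not from a daemon: the authorisation dialog needs a UI session, and an item created this way is readable by this (code-signed) binary without a prompt while any other application still triggers one, which is the control the ACL exists to enforce. A second run fails at SecItemAdd with errSecDuplicateItem; remove the constructed item first with `security delete-generic-password -s com.example.acl-demo`.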

            • Re: Error -25243 while calling SecKeychainItemCopyAccess API
              Sardeep Level 1 (0 points)

              The KeychainItem is already present in the system. My app won't create it, so it can't set the ACL at creation time.

              Apart from this, my app contains a daemon and I am trying the above-mentioned functionality from the daemon. From the daemon I am not getting the user authorisation dialog even after setting 'SecKeychainSetUserInteractionAllowed' to true.

              Moreover, setting user interaction doesn't make any sense, but I tried that approach as well.

                • Re: Error -25243 while calling SecKeychainItemCopyAccess API
                  eskimo Apple Staff (9,405 points)

                  KeychainItem is already present in the system.

                  OK.  Working with items that you didn’t create has always been a bit tricky from an access control perspective, and there have been some changes in recent OS releases that make it even harder.  I’m not fully up to speed on those changes, so I don’t have a simple answer for you.  My recommendation is that you open a DTS tech support incident and discuss this with DTS’s keychain expert.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"