3 Replies
      Latest reply on Sep 11, 2019 12:13 AM by eskimo
      fbuentello Level 1 (0 points)

        Can someone please shed some light on the usage of the `.or` & `.and` flags? Though I am able to accomplish the intended result using `.userPresence`, I am trying to wrap my head around how to use `.or` & `.and`.

         

        Can someone please provide an example on correct usages of these options?

        • Re: SecAccessControlCreateWithFlags `.or` & `.and`
          eskimo Apple Staff (11,835 points)

          I’ve found that a good way to get an understanding of the various SecAccessControlCreateFlags flags is to look at the groups on this page, namely:

          • Constraints

          • Conjunctions

          • Additional Options

          The flags in the Constraints section define various criteria under which the keychain item can be accessed.  The flags in the Conjunctions section allow you to combine those constraints in various ways.  The flags in the Additional Options section are not related to the constraints system at all.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: SecAccessControlCreateWithFlags `.or` & `.and`
              fbuentello Level 1 (0 points)

              Can you provide an example of proper usage?

               

              Below are a few combinations that I tried and received inconclusive results:

               

              let flags: SecAccessControlCreateFlags = [...]
              var error: Unmanaged<CFError>?
              guard let access = SecAccessControlCreateWithFlags(nil,
                                                                 kSecAttrAccessibleWhenUnlocked,
                                                                 flags,
                                                                 &error) else { return }
              // ...

               

               

              - DOES NOT WORK:

                - [.userPresence, .or, .devicePasscode]

                - [.userPresence, .or, .applicationPassword]

                - [.devicePasscode, .or, .applicationPassword] - requires both still

                - [.biometryCurrentSet, .or, .applicationPassword] - requires both still

              - WORKS:

                - [.biometryCurrentSet, .or, .devicePasscode] - works as expected FaceID/TouchID first, devicePasscode if failed

                - [.biometryCurrentSet, .devicePasscode]

                - [.devicePasscode, .applicationPassword]

               

              From what I was able to keep track of, it seems like the order doesn't matter? In the case:

               

              let flags: SecAccessControlCreateFlags = [.devicePasscode, .or, .biometryCurrentSet]

               

              It still asked me for FaceID before device passcode.

                • Re: SecAccessControlCreateWithFlags `.or` & `.and`
                  eskimo Apple Staff (11,835 points)

                  > Can you provide an example of proper usage?

                  No, sorry.  I haven’t yet had a chance to play with this in detail.  If you want to drive this to a definitive conclusion, you should open a DTS tech support incident, which will allow me to spend a chunk of time researching this.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"
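
Added example, not part of any post in this thread and not Apple's sample code: it shows why flag order cannot matter (`SecAccessControlCreateFlags` is an `OptionSet`) and stores one item under the `[.biometryCurrentSet, .or, .devicePasscode]` combination reported as working above. The helper names, the service and account strings, and the secret are constructed for illustration; it assumes an iOS app on a device with a passcode set.

```swift
import Foundation
import Security

// SecAccessControlCreateFlags is an OptionSet: an array literal is a bitwise
// union of its members, so element order carries no meaning.
let bioFirst: SecAccessControlCreateFlags = [.biometryCurrentSet, .or, .devicePasscode]
let codeFirst: SecAccessControlCreateFlags = [.devicePasscode, .or, .biometryCurrentSet]
assert(bioFirst == codeFirst)  // same raw value, same policy

// Hypothetical helper: wraps the call from the thread and surfaces the CFError.
func makeAccessControl(_ flags: SecAccessControlCreateFlags) throws -> SecAccessControl {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(nil,
                                                       kSecAttrAccessibleWhenUnlocked,
                                                       flags,
                                                       &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return access
}

// Hypothetical helper: stores a generic-password item guarded by `flags`.
// Service and account names are constructed placeholders.
func storeSecret(_ secret: Data, flags: SecAccessControlCreateFlags) throws -> OSStatus {
    let access = try makeAccessControl(flags)
    let attributes: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "com.example.demo",
        kSecAttrAccount as String: "demo-account",
        kSecAttrAccessControl as String: access,
        kSecValueData as String: secret,
    ]
    return SecItemAdd(attributes as CFDictionary, nil)
}

// Constraint OR constraint: either biometry or the device passcode is enough.
// .applicationPassword is listed under Additional Options in Apple's
// documentation, not under Constraints, so .or is not the way to make it optional.
let status = try storeSecret(Data("constructed-secret".utf8), flags: bioFirst)
print(status == errSecSuccess ? "stored" : "SecItemAdd failed: \(status)")
```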