2

I'm using the ARCified KeychainItemWrapper and having trouble migrating the data in one keychain item to another item. Basically I'm trying to copy the contents from an app specific item to a shared item. For brevity I've only put in the user name since it fails there.

KeychainItemWrapper *legacyKeychainItem = [[KeychainItemWrapper alloc] initWithIdentifier:@"mainLogin" accessGroup:@"C35BXHSRSA.com.foo.bar"];
NSString *legacyUser = [legacyKeychainItem objectForKey:(__bridge id)kSecAttrAccount];

self.migratedKeychainItem = [[KeychainItemWrapper alloc] initWithIdentifier:@"security" accessGroup:@"C35BXHSRSA.com.foo.security"];
// dies here
[self.migratedKeychainItem setObject:legacyUser forKey:(__bridge id)kSecAttrAccount];

It dies in the KeychainItemWrapper method writeToKeychain throwing NSAssert( result == noErr, @"Couldn't update the Keychain Item." );

Looking up the error in the Keychain Services Reference tells me

errSecDuplicateItem –25299 The item already exists.

I can confirm this issue by hard coding/altering the string and the code works perfectly, but I'm trying to migrate data... so identical is important. The question is, why is this throwing an error when it's 2 different keychain items and how the heck do I get it to work as desired?

DBD
  • 23,075
  • 12
  • 60
  • 84
  • As KeyChainItemWrapper is not a class from the iOS SDK, one could only guess that you were possibly referring to [dhoerl / KeychainItemWrapper](https://gist.github.com/dhoerl/1170641). – Till Apr 23 '13 at 21:01
  • That is a correct. The original version is part of Apple's sample code for Keychain Services. Then someone made an ARC'd version so we don't have to add complier flags every time. – DBD Apr 23 '13 at 21:10
  • It's not that difficult to exclude a single file from ARC – ott-- Apr 23 '13 at 21:30

1 Answers1

1

You already have a keychain item with the "new" user name and same other primary keys (account, service, etc), and it is NOT the one you are updating. So the updated item collides with the old item and you get –25299.

You can add a little debug code with SecItemCopyMatching (ask for an array result) and look.

If you are sure you don't want the old item, delete it. If you do, then you need a new naming scheme.

Stripes
  • 4,161
  • 2
  • 25
  • 29
  • The iOS simulator has it's own keychain. This is stored in ``~/Library/Application\ Support/iPhone\ Simulator/6.0/Library/Keychains/`` on your Mac, and is NOT your login keychain (i.e. the simulator keychain is not accessible from Keychain Access) – quellish Apr 24 '13 at 22:04
  • Oh yeah. I knew that. Updated answer. Thanks. – Stripes Apr 25 '13 at 05:10
  • Updated the code with a pertinent line. Your answer makes sense, but as you can (now) see in the code, the `legacyKeychainItem` and the `migratedKeychainItem` have different identifiers and different access groups – DBD Apr 25 '13 at 13:37
  • The simulator keychain is persistent storage and "Reset content and settings" does not clear it. So when your code is wrong the first time, often even if you fix the code the data will cause problems like what you are describing - there is already a stored value in the keychain from a previous attempt blocking your fix from working. That is VERY common (and why my I have a SenTestCase class that clears the keychain for me before and after each run!) – quellish Apr 25 '13 at 22:25
  • I haven't used the simulator for any of this code. Strictly device work. – DBD Apr 30 '13 at 16:46