
I've got an application that also configures and runs a daemon. I am trying to give both the daemon and the application access permissions to the keychain item. The basic code:

#include <Security/Security.h>

#define DAEMON_PATH "/Applications/FOO.app/Contents/MacOS/FOO.daemon" /* absolute path of the daemon inside the bundle */

SecKeychainItemRef item;
// create a generic password item in the default keychain (service/account/password are sample values)
const char *service = "FOO", *account = "foo-user", *password = "secret";
SecKeychainAddGenericPassword( NULL, strlen(service), service, strlen(account), account, strlen(password), password, &item );
SecTrustedApplicationRef appRef[2];
SecAccessRef ref;
CFStringRef descriptor = CFSTR( "FOO" );                         // label shown for the item in Keychain Access
SecTrustedApplicationCreateFromPath( NULL, &appRef[0] );        // NULL path = the calling application (FOO.app)
SecTrustedApplicationCreateFromPath( DAEMON_PATH, &appRef[1] ); // the daemon, by absolute path
CFArrayRef trustList = CFArrayCreate( NULL, (const void **)appRef, sizeof(appRef)/sizeof(*appRef), &kCFTypeArrayCallBacks );
SecAccessCreate( descriptor, trustList, &ref );                 // new access object whose default ACLs trust both entries
SecKeychainItemSetAccess( item, ref );                          // replace the item's access object with it

The keychain entry is created; however, the only application listed in the Keychain Access tool as always having access is the main application. Let's call it FOO.app. DAEMON_PATH points to the absolute path of the daemon, which is in the application bundle -- call it FOO.daemon.

If I manually go within Keychain Access and select the daemon, it does get added to the list.

Any idea on how to get SecTrustedApplicationCreateFromPath to honor the full/absolute path?

Zlobaton
jims

1 Answer


If you need an answer today...

I tried to replace access object for existing keychain item with no success, too. So, I decided to modify existing access object rather than replace it, and this approach works well.

The following pseudocode demonstrates the idea. Declarations, CFRelease()s and error checking are stripped for clarity's sake.

SecKeychainItemCopyAccess(item, &accessObj);                                        // copy the item's current access object
SecAccessCopySelectedACLList(accessObj, CSSM_ACL_AUTHORIZATION_DECRYPT, &aclList);  // only the ACLs that gate decrypt
assert(CFArrayGetCount(aclList) == 1);
acl = (SecACLRef)CFArrayGetValueAtIndex(aclList, 0);
SecACLCopySimpleContents(acl, &appList, &desc, &psel);                              // current app list, description and prompt selector
SecTrustedApplicationCreateFromPath(MY_APP_PATH, &app);
newAppList = CFArrayCreate(NULL, (const void **)&app, 1, &kCFTypeArrayCallBacks);
SecACLSetSimpleContents(acl, newAppList, desc, &psel);                              // reuse the selector read above; replaces the app list
SecKeychainItemSetAccess(item, accessObj);                                          // write the modified access object back to the item

I used SecAccessCopySelectedACLList to search for an ACL object with an appropriate authorization tag. You may require some other way for ACL filtering.

Creating the access object from scratch must be trickier: you have to create the same ACL structure as the Keychain Access app does, rather than use the default SecAccessCreate() ACLs. I couldn't cope with that approach.

stkuzma
  • I'm currently facing a similar problem. I used this solution and the application executable gets added to the ACL, however, I can't access the object later without prompting the user. Did you solve this problem? My question: http://stackoverflow.com/questions/24345870/accessing-os-x-keychain-item-from-trusted-application – Michał Siwek Jun 23 '14 at 18:31
  • @stkuzma for me `SecKeychainItemCopyAccess` API is failing with error -25243 (the specified item has no access control). I guess every `KeychainItem` has access control. Any idea what could possibly go wrong here? – Sardeep Lakhera Aug 02 '18 at 07:22
  • @MichałSiwek Even `SecKeychainItemSetAccess` gives error -25243 for me. Any inputs on that? – Sardeep Lakhera Aug 02 '18 at 07:24
  • @stkuzma are you trying to modify the ACL of keychain in System Keychain or its in Login keychain? – Sardeep Lakhera Jan 31 '19 at 06:29
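A complete program that puts the two approaches above together, added here as an example; it is not code from the question, the answer or Apple. It creates a generic password item with the default access object (which trusts only the creating executable), then follows the answer's approach of modifying the existing decrypt ACL rather than replacing the access object. It goes beyond the answer's snippet in two ways: it appends the daemon to the trusted-application list already on the ACL instead of overwriting the list, and it reads the ACL back and logs every trusted executable path, so the result can be checked without opening Keychain Access. SERVICE_NAME, ACCOUNT_NAME, the secret and the daemon location are constructed placeholders; compile with `clang -framework Foundation -framework Security keychain_acl.m`.

```objective-c
// Added example (C/Objective-C against macOS Security.framework); placeholders below are constructed.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

#define SERVICE_NAME "FOO Credentials"
#define ACCOUNT_NAME "foo-service"
#define DAEMON_PATH  "/Applications/FOO.app/Contents/MacOS/FOO.daemon" /* assumed location */

static void Check(OSStatus err, const char *what) {
    if (err == errSecSuccess) return;
    CFStringRef msg = SecCopyErrorMessageString(err, NULL);
    NSLog(@"%s failed: %d (%@)", what, (int)err, msg);
    if (msg) CFRelease(msg);
    exit(1);
}

// Append the executable at `path` to the trusted-application list of every ACL on `item`
// carrying authorization `tag`, keeping the applications, description and prompt selector
// already stored there. An ACL whose application list is NULL already allows every
// application and is left untouched.
static OSStatus AddTrustedApp(SecKeychainItemRef item, const char *path, CSSM_ACL_AUTHORIZATION_TAG tag) {
    SecAccessRef access = NULL;
    CFArrayRef aclList = NULL;
    SecTrustedApplicationRef app = NULL;
    OSStatus err = SecKeychainItemCopyAccess(item, &access);
    if (err == errSecSuccess) err = SecAccessCopySelectedACLList(access, tag, &aclList);
    if (err == errSecSuccess) err = SecTrustedApplicationCreateFromPath(path, &app);

    for (CFIndex i = 0; err == errSecSuccess && i < CFArrayGetCount(aclList); i++) {
        SecACLRef acl = (SecACLRef)CFArrayGetValueAtIndex(aclList, i);
        CFArrayRef apps = NULL;
        CFStringRef desc = NULL;
        CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR psel;
        err = SecACLCopySimpleContents(acl, &apps, &desc, &psel);
        if (err == errSecSuccess && apps != NULL) {
            CFMutableArrayRef merged = CFArrayCreateMutableCopy(NULL, 0, apps); // existing entries first
            CFArrayAppendValue(merged, app);                                    // then the new one
            err = SecACLSetSimpleContents(acl, merged, desc, &psel);            // same selector as read
            CFRelease(merged);
        }
        if (apps) CFRelease(apps);
        if (desc) CFRelease(desc);
    }
    if (err == errSecSuccess) err = SecKeychainItemSetAccess(item, access); // write the change back
    if (app) CFRelease(app);
    if (aclList) CFRelease(aclList);
    if (access) CFRelease(access);
    return err;
}

// Audit helper: log every trusted-application path on the ACLs with tag `tag` and return
// how many entries were found, so the ACL state can be confirmed programmatically.
static CFIndex LogTrustedApps(SecKeychainItemRef item, CSSM_ACL_AUTHORIZATION_TAG tag) {
    SecAccessRef access = NULL;
    CFArrayRef aclList = NULL;
    CFIndex count = 0;
    Check(SecKeychainItemCopyAccess(item, &access), "SecKeychainItemCopyAccess");
    Check(SecAccessCopySelectedACLList(access, tag, &aclList), "SecAccessCopySelectedACLList");
    for (CFIndex i = 0; i < CFArrayGetCount(aclList); i++) {
        SecACLRef acl = (SecACLRef)CFArrayGetValueAtIndex(aclList, i);
        CFArrayRef apps = NULL;
        CFStringRef desc = NULL;
        CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR psel;
        Check(SecACLCopySimpleContents(acl, &apps, &desc, &psel), "SecACLCopySimpleContents");
        if (apps == NULL) NSLog(@"ACL '%@': any application", desc);
        for (CFIndex j = 0; apps != NULL && j < CFArrayGetCount(apps); j++) {
            SecTrustedApplicationRef app = (SecTrustedApplicationRef)CFArrayGetValueAtIndex(apps, j);
            CFDataRef data = NULL; // for path-based entries this holds the executable path
            Check(SecTrustedApplicationCopyData(app, &data), "SecTrustedApplicationCopyData");
            NSLog(@"ACL '%@': %.*s", desc, (int)CFDataGetLength(data), (const char *)CFDataGetBytePtr(data));
            CFRelease(data);
            count++;
        }
        if (apps) CFRelease(apps);
        if (desc) CFRelease(desc);
    }
    CFRelease(aclList);
    CFRelease(access);
    return count;
}

int main(void) {
    @autoreleasepool {
        const char *secret = "constructed-sample-secret";
        SecKeychainItemRef item = NULL;
        // The default access object created here trusts only this executable.
        Check(SecKeychainAddGenericPassword(NULL, (UInt32)strlen(SERVICE_NAME), SERVICE_NAME,
                                            (UInt32)strlen(ACCOUNT_NAME), ACCOUNT_NAME,
                                            (UInt32)strlen(secret), secret, &item),
              "SecKeychainAddGenericPassword");
        Check(AddTrustedApp(item, DAEMON_PATH, CSSM_ACL_AUTHORIZATION_DECRYPT), "AddTrustedApp");
        LogTrustedApps(item, CSSM_ACL_AUTHORIZATION_DECRYPT); // expect this binary and the daemon
        CFRelease(item);
    }
    return 0;
}
```

Running it twice fails with errSecDuplicateItem at SecKeychainAddGenericPassword, since the service/account pair already exists; delete the item in Keychain Access or change the placeholders. All of these calls are deprecated in current SDKs (SecTrustedApplication itself since macOS 10.15), so clang will warn. Two caveats when the daemon still prompts after being listed: SecTrustedApplicationCreateFromPath needs the path to exist at the time it is called, and on macOS 10.12 and later an item also carries a partition list tied to the caller's code signature (managed with `security set-generic-password-partition-list`), so a trusted-application entry alone may not be sufficient.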