
I am trying to access a Keychain Item after my FileVault login, but I am unable to do this. I have seen that a similar kind of issue was in Error accessing keychain item from OS X authorization plugin. Please help me with this; I have already been struggling with this for a week.

user1136695
  • Seems like we're in the same boat with this issue. I even tried to read a .p12 file using the method `SecPKCS12Import` and it failed from the loginWindow authorisation plugin. Let me know if you've found anything. Thanks! – Irad K Dec 17 '19 at 22:57

1 Answer

I've encountered a similar situation; it appears that non-privileged authorization plugins cannot access the 'system' keychain. So I created in advance a new keychain with the items required by the authentication plugin.

# blabla is the password for the keychain and blabla2 is the password for the p12 file.
security create-keychain -p blabla /tmp/my.keychain
security unlock-keychain -p blabla /tmp/my.keychain
sudo -A security import /tmp/mycert.p12 -k /tmp/my.keychain -P blabla2 -A

Then, from the authorization plugin, I successfully managed to access the item inside the keychain. In the following pseudo code, I demonstrate how to get a certificate from the keychain according to issuer, but any other way of accessing the keychain for reading is also allowed.

#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Open the keychain file created in advance with `security create-keychain`.
SecKeychainRef myKeychain = NULL;
SecKeychainOpen("/tmp/my.keychain", &myKeychain);

// Unlock with the password chosen at create-keychain time; the length is the UTF-8 byte count, not the character count.
NSString *keychainPassword = @"blabla";
const char *pw = [keychainPassword UTF8String];
SecKeychainUnlock(myKeychain, (UInt32)strlen(pw), pw, TRUE);

// Restrict the search to this one keychain instead of the default search list.
CFArrayRef keychainToSearchIdentity = CFArrayCreate(kCFAllocatorDefault, (const void **)&myKeychain, 1, &kCFTypeArrayCallBacks);

// CFArray of CFData values holding the DER-encoded issuer names to match; supplied by the caller.
extern CFArrayRef mySearchCriteriaIssuers;

const void *keys[]   = { kSecMatchSearchList, kSecClass, kSecReturnRef, kSecMatchIssuers };
const void *values[] = { keychainToSearchIdentity, kSecClassIdentity, kCFBooleanTrue, mySearchCriteriaIssuers };

CFDictionaryRef searchItemDict = CFDictionaryCreate(NULL, keys, values, 4, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);

// On errSecSuccess, myIdentity holds the identity whose certificate was issued by one of the given issuers.
SecIdentityRef myIdentity = NULL;
OSStatus status = SecItemCopyMatching(searchItemDict, (CFTypeRef *)&myIdentity);

CFRelease(searchItemDict);
CFRelease(keychainToSearchIdentity);
Irad K
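The same open/unlock/query flow applied to a generic-password item instead of an identity, as an added example that is not part of the answer above. The keychain path and password follow the answer; the service and account names are constructed, every OSStatus is checked, and the keychain is locked again once the item has been read.

```objective-c
// Added example, not from the answer: read a generic-password item from a
// pre-created keychain file in the way the answer opens and queries its identity.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Returns the secret stored for service/account in the keychain at path, or nil.
// The keychain is locked again before returning so the plugin does not leave
// an unlocked keychain behind after the item has been read.
static NSData *CopyPasswordItem(const char *path, NSString *keychainPassword,
                                NSString *service, NSString *account, OSStatus *outStatus)
{
    SecKeychainRef keychain = NULL;
    NSData *secret = nil;
    OSStatus status = SecKeychainOpen(path, &keychain);
    if (status != errSecSuccess) { if (outStatus) *outStatus = status; return nil; }

    const char *pw = [keychainPassword UTF8String];
    status = SecKeychainUnlock(keychain, (UInt32)strlen(pw), pw, TRUE);
    if (status == errSecSuccess) {
        // Search only this keychain, not the user or system keychains.
        NSDictionary *query = @{
            (__bridge id)kSecMatchSearchList : @[ (__bridge id)keychain ],
            (__bridge id)kSecClass           : (__bridge id)kSecClassGenericPassword,
            (__bridge id)kSecAttrService     : service,
            (__bridge id)kSecAttrAccount     : account,
            (__bridge id)kSecReturnData      : @YES,
            (__bridge id)kSecMatchLimit      : (__bridge id)kSecMatchLimitOne,
        };
        CFTypeRef result = NULL;
        status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
        if (status == errSecSuccess && result != NULL) {
            secret = [(__bridge NSData *)result copy];
            CFRelease(result);
        }
        SecKeychainLock(keychain);   // drop the unlocked state once the item is read
    }
    CFRelease(keychain);
    if (outStatus) *outStatus = status;
    return secret;
}

int main(void) {
    OSStatus status = errSecSuccess;
    // Assumed values: the keychain created as in the answer, plus a constructed service/account.
    NSData *secret = CopyPasswordItem("/tmp/my.keychain", @"blabla",
                                      @"com.example.authplugin", @"service-user", &status);
    NSLog(@"status=%d bytes=%lu", (int)status, (unsigned long)secret.length);
    return status == errSecSuccess ? 0 : 1;
}
```

Build with `clang -fobjc-arc -framework Foundation -framework Security` on macOS; a non-zero exit with `status` set to errSecItemNotFound means the keychain opened and unlocked but holds no matching item.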