KeychainAttribute does not work as expected

Question

KeychainAttribute does not work as expected

olvrlrnz opened this issue 6 months ago · comments

Describe the bug

Specifying .useDataProtectionKeychain and/or .keychainAccessGroup("<group>") when creating a KeychainStore has no effect on the keychain item.

To Reproduce

Allocate a store:

let store = KeychainStore(
    itemName: "foo",
    keychainAttributes: [.useDataProtectionKeychain, .keychainAccessGroup(name: "TEAMID.com.example.foobar")]
)

Save an AuthSession
```
try store.save(authSession: auth)
```
Check the 'Access Control' tab in Keychain Access. There's only an entry for the calling application under 'Always allow access by these applications'.

Expected behavior

Specifying .useDataProtectionKeychain saves the item in the 'Local Items' keychain
Specifying .keychainAccessGroup allows members of that group access to the item

Environment

OS: macOS 13.6.3 (22G436)
Library: 41aba100f28395ebe842cd66e5d371cdd46c6792

Additional context

I believe there's a bug in KeychainAttribute.keyName. It should not return the quoted constants but rather the constants itself. So kSecUseDataProtectionKeychain instead of "kSecUseDataProtectionKeychain" because KeychainWrapper uses the return value as-is to assemble the query dictionary for SecItem(Add|Delete|CopyMatching) here

olvrlrnz · Answer 1 · Fri Jan 19 2024 20:57:54 GMT+0800 (China Standard Time)

This quick and dirty fix made it work for me on MacOS:
GTMAppAuth.patch
I guess the isMaxMacOSVersionGreaterThanTenOneFive macro does not do what was intended here. I never saw the key in my queries, that got me thinking.

Also, according to Apple [1], passing accessibility keys along to KeychainHelper (like here) is only supported if kSecUseDataProtectionKeychain is set to true

[1] Apple:

You can use this attribute for macOS keychain items only if you also set a value of true for the kSecUseDataProtectionKeychain key, the kSecAttrSynchronizable key, or both. For any item marked as synchronizable, the value for the kSecAttrAccessible key may only be one whose name does not end with ThisDeviceOnly, as those cannot sync to another device.

mdmathias · Answer 2 · Sat Jan 20 2024 02:28:26 GMT+0800 (China Standard Time)

Hi and thanks for the issue! Since you have a patch, would you mind sending up a pull request for us to take a look at?

mdmathias · Answer 3 · Sat Jan 20 2024 10:30:49 GMT+0800 (China Standard Time)

I have drafted #237 to address this. Still need to do some testing in the example apps and hope to write some unit tests around this issue as well.

mdmathias · Answer 4 · Sat Jan 20 2024 10:31:59 GMT+0800 (China Standard Time)

Some visual proof that this draft PR begins to address the issue.