我正在使用MAC应用程序从MY Application创建VPN连接。
经过大量的研究后我发现我需要运行应用程序作为ROOT来存储用户密码和sharedSecretKey在 SYSTEM 钥匙串中。
应用程序用户不会以ROOT打开应用程序,因此我需要在 SYSTEM KEYCHAIN 中添加用户密码和sharedsecretkey,而无需ROOT访问。
我在网上搜索并发现Apple提供此代码:https://developer.apple.com/library/mac/samplecode/SMJobBless/Introduction/Intro.html https://developer.apple.com/library/mac/samplecode/EvenBetterAuthorizationSample/Introduction/Intro.html
但不明白我如何在我的应用程序中使用这两个代码来存储用户密码和SharedSecretKey SYSTEM KEYCHAIN WITH OUT ROOT ACCESS 。
任何帮助将不胜感激。
提前致谢。
这是我在SYSTEM KEYCHAIN中添加密码的代码如果我将代码作为ROOT运行,那么这项工作非常有用。
// Vendor dependencies
#import <Security/SecKeychain.h>
// Local dependencies
#import "VPNKeychain.h"
// These are the applications which are going to get access to new Keychain items.
// How do we know them? Just create a VPN service manualy and run the following command:
// security dump-keychain -a /Library/Keychains/System.keychain
// Among the results, you will find your VPN service and you can see the paths that have access to it
static const char * trustedAppPaths[] = {
"/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Helpers/SCHelper", "/System/Library/PreferencePanes/Network.prefPane/Contents/XPCServices/com.apple.preference.network.remoteservice.xpc",
"/System/Library/CoreServices/SystemUIServer.app",
"/usr/sbin/pppd",
"/usr/sbin/racoon",
"/usr/libexec/configd",
};
// This class contains all code we need to handle System Keychain Items
// Exit status codes: 60-79
@implementation VPNKeychain
// This will create a PPP Password Keychain Item
+ (int) createPasswordKeyChainItem:(NSString*)label forService:(NSString*)service withAccount:(NSString*)account andPassword:(NSString*)password {
return [self createItem:label withService:service account:account description:@"PPP Password" andPassword:password];
}
// This will create an IPSec Shared Secret Keychain Item
+ (int) createSharedSecretKeyChainItem:(NSString*)label forService:(NSString*)service withPassword:(NSString*)password {
service = [NSString stringWithFormat:@"%@.SS", service];
return [self createItem:label withService:service account:@"" description:@"IPSec Shared Secret" andPassword:password];
}
// A generic method to create Keychain Items holding Network service passwords
+ (int) createItem:(NSString*)label withService:(NSString*)service account:(NSString*)account description:(NSString*)description andPassword:(NSString*)password {
// This variable will hold all sorts of operation status responses
OSStatus status;
// Converting the NSStrings to char* variables which we will need later
const char *labelUTF8 = [label UTF8String];
const char *serviceUTF8 = [service UTF8String];
const char *accountUTF8 = [account UTF8String];
const char *descriptionUTF8 = [description UTF8String];
const char *passwordUTF8 = [password UTF8String];
// This variable is soon to hold the System Keychain
SecKeychainRef keychain = NULL;
status = SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem, &keychain);
if (status == errSecSuccess) {
NSLog(@"Succeeded opening System Keychain");
} else {
NSLog(@"Could not obtain System Keychain: %@", SecCopyErrorMessageString(status, NULL));
return 60;
}
NSLog(@"Unlocking System Keychain");
status = SecKeychainUnlock(keychain, 0, NULL, FALSE);
if (status == errSecSuccess) {
NSLog(@"Succeeded unlocking System Keychain");
} else {
NSLog(@"Could not unlock System Keychain: %@", SecCopyErrorMessageString(status, NULL));
return 61;
}
// This variable is going to hold our new Keychain Item
SecKeychainItemRef item = nil;
SecAccessRef access = nil;
status = SecAccessCreate(CFSTR("Some VPN Test"), (__bridge CFArrayRef)(self.trustedApps), &access);
if(status == noErr) {
NSLog(@"Created empty Keychain access object");
} else {
NSLog(@"Could not unlock System Keychain: %@", SecCopyErrorMessageString(status, NULL));
return 62;
}
// Putting together the configuration options
SecKeychainAttribute attrs[] = {
{kSecLabelItemAttr, (int)strlen(labelUTF8), (char *)labelUTF8},
{kSecAccountItemAttr, (int)strlen(accountUTF8), (char *)accountUTF8},
{kSecServiceItemAttr, (int)strlen(serviceUTF8), (char *)serviceUTF8},
{kSecDescriptionItemAttr, (int)strlen(descriptionUTF8), (char *)descriptionUTF8},
};
SecKeychainAttributeList attributes = {sizeof(attrs) / sizeof(attrs[0]), attrs};
status = SecKeychainItemCreateFromContent(kSecGenericPasswordItemClass, &attributes, (int)strlen(passwordUTF8), passwordUTF8, keychain, access, &item);
if(status == noErr) {
NSLog(@"Successfully created Keychain Item");
} else {
NSLog(@"Creating Keychain item failed: %@", SecCopyErrorMessageString(status, NULL));
return 63;
}
return 0;
}
+(NSArray*) trustedApps {
NSMutableArray *apps = [NSMutableArray array];
SecTrustedApplicationRef app;
OSStatus err;
for (int i = 0; i < (sizeof(trustedAppPaths) / sizeof(*trustedAppPaths)); i++) {
err = SecTrustedApplicationCreateFromPath(trustedAppPaths[i], &app);
if (err == errSecSuccess) {
//NSLog(@"SecTrustedApplicationCreateFromPath succeeded: %@", SecCopyErrorMessageString(err, NULL));
} else {
NSLog(@"SecTrustedApplicationCreateFromPath failed: %@", SecCopyErrorMessageString(err, NULL));
}
[apps addObject:(__bridge id)app];
}
return apps;
}
答案 0 :(得分:1)
您链接到的示例代码中对此进行了解释,请参阅ReadMe.txt:
运行示例后,系统会提示您输入管理员用户名和 密码即可。输入您的管理员用户名和密码,如果一切顺利的话 好吧,示例窗口将显示&#34;帮助工具可用!&#34; 表明一切正常。如果没有,您可以在控制台中查看 记录有关失败的信息。
一般来说,您的应用程序必须在某个时候要求管理员凭据。
<强>更新
这应该通过特权助手工具来完成,如引用的SMJobBless示例所示。您的帮助工具应该为您的应用执行钥匙串访问。以下是安装此类帮助工具的主要步骤:
使用AuthorizationCreate函数创建授权对象。
使用给定的权限集对对象执行预授权
AuthorizationCopyRights功能。这实际上会导致向您的用户询问管理员凭据。
使用launchd验证,安装和注册帮助工具
SMJobBless功能。
安装并注册帮助工具后,您应该使用NSXPCConnection与帮助工具交谈。有关如何实现它的详细信息,请参阅Sandboxing with NSXPCConnection示例代码。
答案 1 :(得分:1)
在OS X中,应用程序不直接处理用户凭据,而是通过函数调用AuthorizationCopyRights请求系统执行此操作,该函数调用Authorization Services中记录。
Gui应用程序无法直接执行管理(root)操作,而自Yosemite(10.10)以来,Gui应用程序无法以root身份运行。相反,您的应用程序必须通过XPC服务使用“帮助”应用程序,这是SMJobBless和BetterAuthorization示例演示的内容。您可以阅读有关XPC here的更多信息。
在您的情况下,您需要创建一个这样的帮助应用程序,它具有访问系统密钥链的必要权限。
请注意,如果您计划通过Apple Store分发应用程序,则必须对应用程序进行沙盒处理,并且不能使用任何安全服务,例如调用AuthorizationCopyRights函数。