我需要以安全的方式在OS X应用程序上存储客户端身份,只有我的应用程序才能访问它。没有提示要求权限。
当我试图存储客户端身份时,问题立即出现。 这是代码示例(到目前为止我绑定了什么):
- (BOOL)saveClientIdentity:(SecIdentityRef)clientIdentity error:(NSError**) error
{
NSDictionary *attributes = @{
(__bridge id)kSecAttrAccessible:(__bridge id)kSecAttrAccessibleAlwaysThisDeviceOnly,
(__bridge id)kSecValueRef:(__bridge id)clientIdentity,
(__bridge id)kSecAttrApplicationTag:[kMyKeychainAttrApplicationTag dataUsingEncoding: NSUTF8StringEncoding],
(__bridge id)kSecAttrAccessGroup:kMyKeychainAttrAccessGroup
};
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attributes, NULL);
// status == -25299
…
}
我不断获得代码-25299并且工具会出现问题:
$ security error -25299
Error: 0xFFFF9D2D -25299 The specified item already exists in the keychain.
因此它尝试覆盖全局客户端身份(我从未成功为此应用程序编写客户端身份,因此不应该存在此类冲突)并且我不知道该怎么做。 它必须是专用于此应用程序。
我验证了各个加载代码会发生什么。它加载了我的开发者身份,我不希望这样。
- (SecIdentityRef)clientIdentity
{
NSDictionary *attributes =
@{
(__bridge id)kSecClass:(__bridge id)kSecClassIdentity,
(__bridge id)kSecAttrAccessible:(__bridge id)kSecAttrAccessibleAlwaysThisDeviceOnly,
(__bridge id)kSecAttrApplicationTag:[kMyKeychainAttrApplicationTag dataUsingEncoding: NSUTF8StringEncoding],
(__bridge id)kSecAttrAccessGroup:kMyKeychainAttrAccessGroup
};
CFTypeRef universalResult = NULL;
OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)attributes, &universalResult);
SecIdentityRef result = (SecIdentityRef)universalResult;
if (result)
{
CFAutorelease(result);
}
if (status != noErr)
{
NSLog(@"Failed to load client identity: %@", NSErrorFromStatusErrorCode(status));
}
return result;
}
我需要为iOS使用相同的代码,但这里应该没有问题,因为默认情况下,iOS密钥链不会在应用程序之间共享。
答案 0 :(得分:1)
我找到了很好的解决方案。 诀窍是创建自定义密钥链,而不是在该密钥链中存储客户端身份。
所以基本上有树步骤。
首先创建或打开自定义密钥链:
NSString *keychainpath = self.customKeychainPath;
unsigned char password[SHA_DIGEST_LENGTH];
GenerateCustomKeychainPassword(password);
OSStatus status = SecKeychainCreate(keychainpath.UTF8String,
SHA_DIGEST_LENGTH,
password,
NO,
NULL,
&customKeychain);
if (status == errSecDuplicateKeychain)
{
status = SecKeychainOpen(keychainpath.UTF8String, &customKeychain);
if (status == errSecSuccess)
{
status = SecKeychainUnlock(customKeychain,
SHA_DIGEST_LENGTH,
password,
TRUE);
if (status != errSecSuccess)
{
NSLog(@"%s Failed to unlock custom keychain: %@",
__PRETTY_FUNCTION__, NSErrorFromStatusErrorCode(status));
}
}
}
else if (status != errSecSuccess)
{
NSLog(@"%s Failed to unlock custom keychain: %@",
__PRETTY_FUNCTION__, NSErrorFromStatusErrorCode(status));
}
将客户身份添加到该密钥链
OSStatus status = errSecSuccess;
CFTypeRef persistent_ref = NULL;
NSDictionary *dict = @{
(id)kSecValueRef:(id)secItem,
(id)kSecReturnPersistentRef:(id)kCFBooleanTrue,
#if !TARGET_OS_IPHONE
(id)kSecUseKeychain:(__bridge id)customKeychain,
#endif
};
status = SecItemAdd((CFDictionaryRef)dict, &persistent_ref);
NSCAssert(status != errSecParam, @"Wrong contents of dictionary");
if (status == errSecDuplicateItem)
{
NSLog(@"%s Item: %@ already exists", __PRETTY_FUNCTION__, secItem);
return NULL;
}
return (CFDataRef)persistent_ref;
从钥匙串中读取项目(persistent_ref可以存储在用户默认值中)
NSDictionary *dict = @{
(id)kSecClass:(__bridge id)itemType,//kSecClassIdentity,
(id)kSecReturnRef:(id)kCFBooleanTrue,
(id)kSecValuePersistentRef:persistantRef,
#if !TARGET_OS_IPHONE
(id)kSecUseKeychain:(__bridge id)customKeychain,
#endif
};
OSStatus status = SecItemCopyMatching((CFDictionaryRef)dict, &result);
NSCAssert(status != errSecParam, @"Invalid arguments");
return result;
答案 1 :(得分:0)
我在SSKeychain方面取得了很大的成功,SSKeychain最近被弃用了SAMKeychain.它适用于iOS和Mac,所以它也应该解决你的跨平台问题。