我尝试使用iOS钥匙串测试加密。
Domain=com.apple.LocalAuthentication Code=-1009 "ACL operation is not allowed: 'od'" UserInfo={NSLocalizedDescription=ACL operation is not allowed: 'od'}
这是我的测试代码:
func testEncrpytKeychain() {
let promise = expectation(description: "Unlock")
let data: Data! = self.sampleData
let text: String! = self.sampleText
wait(for: [promise], timeout: 30)
let chain = Keychain(account: "tester", serviceName: "testing2", access: .whenPasscodeSetThisDeviceOnly, accessGroup: nil)
chain.unlockChain { reply, error in
defer {
promise.fulfill()
}
guard error == nil else {
// ** FAILS ON THIS LINE WITH OSSTATUS ERROR **
XCTAssert(false, "Error: \(String(describing: error))")
return
}
guard let cipherData = try? chain.encrypt(data) else {
XCTAssert(false, "Cipher Data not created")
return
}
XCTAssertNotEqual(cipherData, data)
guard let clearData = try? chain.decrypt(cipherData) else {
XCTAssert(false, "Clear Data not decrypted")
return
}
XCTAssertEqual(clearData, data)
let clearText = String(data: clearData, encoding: .utf8)
XCTAssertEqual(clearText, text)
}
}
这是底层的异步unlockChain代码:
// context is a LAContext
func unlockChain(_ callback: @escaping (Bool, Error?) -> Void) {
var error: NSError? = nil
guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) else {
callback(false, error)
return
}
context.evaluateAccessControl(control, operation: .createItem, localizedReason: "Access your Account") { (reply, error) in
self.context.evaluateAccessControl(self.control, operation: .useItem, localizedReason: "Access your Account") { (reply, error) in
self.unlocked = reply
callback(reply, error)
}
}
}
以下是上下文和控件对象的制作方法
init(account: String, serviceName: String = (Bundle.main.bundleIdentifier ?? ""), access: Accessibility = .whenUnlocked, accessGroup: String? = nil) {
self.account = account
self.serviceName = serviceName
self.accessGroup = accessGroup
self.access = access
var error: Unmanaged<CFError>? = nil
self.control = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
access.attrValue,
[.privateKeyUsage],
&error)
if let e: Error = error?.takeRetainedValue() {
Log.error(e)
}
self.context = LAContext()
}
我无法找到有关此错误的一点信息:
Domain=com.apple.LocalAuthentication Code=-1009
OSStatus Code site doesn't contain anything for it either
感谢任何帮助,谢谢。
答案 0 :(得分:0)
我在创建新私钥之前删除了以前的私钥,解决了同样的问题。
我猜想在iOS10上(11没有显示错误),当SecKeyCreateRandomKey(...)具有相同的标记/大小但访问设置不同时,它只返回true但是使用旧的(感觉奇怪但谁知道)?
这是我刚刚删除它的懒惰C函数(只记得设置ApplicationPrivateKeyTag:
void deletePrivateKey()
{
CFStringRef ApplicationPrivateKeyTag = CFSTR("your tag here");
const void* keys[] = {
kSecAttrApplicationTag,
kSecClass,
kSecAttrKeyClass,
kSecReturnRef,
};
const void* values[] = {
ApplicationPrivateKeyTag,
kSecClassKey,
kSecAttrKeyClassPrivate,
kCFBooleanTrue,
};
CFDictionaryRef params = CFDictionaryCreate(kCFAllocatorDefault, keys, values, (sizeof(keys)/sizeof(void*)), NULL, NULL);
OSStatus status = SecItemDelete(params);
if (params) CFRelease(params);
if (ApplicationPrivateKeyTag) CFRelease(ApplicationPrivateKeyTag);
if (status == errSecSuccess)
return true;
return false;
}
FWIW:看起来苹果更新their doc about the Security Framework and the SecureEnclave,现在更容易理解。