Small issue with adding a Trusted App to a Keychain Item
From: Etienne S. <sam...@gm...> - 2007-09-18 06:03:46
Hi!

First, thanks for the review of my bug reports (even if I turned blind regarding the returned KeychainItems ;-)). I've updated my source to the latest CVS, and added my modification to AccessControlList (so I really get TrustedApplication back)...

So, onto my problem: I have a PreferencePane and a Helper tool. I can set the account/password from the PreferencePane, but as the KeychainItem is created by SystemPreferences.app, my helper app triggers the 'give access to keychain item' prompt, which I obviously don't want to happen...

IMHO the Keychain framework API has some shortcomings here, because I thought I could add my Helper app to the list of allowed apps easily, but that's not easy, due to the way Security.framework is laid out. Maybe we can have a [KeychainItem addTrustedApplication: (TrustedApplication*) forAuthorization:(CSSM_ACL_AUTHORIZATION_TAG) tag], or even hide away TrustedApps with NSStrings*... Right now there is no easy way of doing this, because there is no wrapper for SecACLGet/SetAuthorizations. If we can agree on an API for this, I'll try to provide a patch or code for addition to the source.

I was thus forced to resort to a quick trip in C to make that work, but this code crashes ;-). If you can provide me with insight on this, it will greatly help me; maybe I'm doing something wrong...

Here is what I'm currently doing: mItem is initialized by getting an item from the keychain and, if nonexistent, creating it...

    // This is code to add our helper to the list of allowed applications
    Access *access = [mItem access];
    NSArray *decryptACLs = [access accessControlListsForDecrypting];
    CSSM_ACL_AUTHORIZATION_TAG tags[20];
    uint32 tagCount;
    NSString *helperPath = [[self bundle] pathForResource:@"HelperTool" ofType:@"app"];
    TrustedApplication *app = [TrustedApplication trustedApplicationWithPath:helperPath];
    NSEnumerator *aclEnum = [decryptACLs objectEnumerator];
    AccessControlList *ACL;

    while ((ACL = [aclEnum nextObject]) != nil) {
        OSStatus err;
        AccessControlList *newACL;

        err = SecACLGetAuthorizations ([ACL ACLRef], tags, &tagCount);
        if (err != noErr) {
            NSLog(@"Error Getting: %d", err);
            return;
        }

        /* I'm forced to retrieve information BEFORE deleting the item,
           because this information becomes invalid, and thus the
           -accessControlListNamed:... below fails */
        NSArray *currentApps = [ACL applications];
        NSString *currentName = [ACL name];
        BOOL currentPass = [ACL requiresPassphrase];

        [ACL deleteAccessControlList];

        NSMutableArray *appArray = [NSMutableArray arrayWithArray:currentApps];
        [appArray addObject:app];

        newACL = [AccessControlList accessControlListNamed:currentName
                                                fromAccess:access
                                           forApplications:appArray
                                       requiringPassphrase:currentPass];

        err = SecACLSetAuthorizations ([newACL ACLRef], tags, tagCount);
        if (err != noErr) {
            NSLog(@"Error Setting: %d", err);
            return;
        }
    }

    /* Here is my crash, gdb stack trace below */
    [mItem setAccess:access];

Here is the stack trace:

    #0  0xffff0ee6 in ___memcpy at cpu_capabilities.h:228
    #1  0x9127eac8 in Security::CssmOwnedData::copy<void>
    #2  0x9127eb3e in Security::CssmOwnedData::copy
    #3  0x91281fdf in Security::CssmAutoData::CssmAutoData<Security::CssmData>
    #4  0x9117b4fd in Security::ListElement::ListElement
    #5  0x911c9c5a in Security::KeychainCore::TrustedApplication::makeSubject
    #6  0x911d379c in Security::KeychainCore::ACL::makeSubject
    #7  0x911d3982 in Security::KeychainCore::ACL::setAccess
    #8  0x911d1ce1 in Security::KeychainCore::Access::editAccess
    #9  0x911d1dba in Security::KeychainCore::Access::setAccess
    #10 0x911c0e7d in SecKeychainItemSetAccess
    #11 0x0e6cca12 in -[KeychainItem setAccess:] at KeychainItem.m:1015

Thanks for making such a great framework! It makes it really easy to use Keychains with it ;-)

Etienne Samson
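
Added example, not part of the message above or of the Keychain framework's source: one way to add a helper to the trusted applications of a keychain item's decrypt ACLs by calling Security.framework's C functions directly and editing each ACL in place. `AddTrustedAppForDecrypt` and its parameter names are hypothetical, and the sketch is not offered as a diagnosis of the crash in the stack trace.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper, not part of the Keychain framework: adds the app at helperPath
// to each ACL of `item` that authorizes decryption, editing the ACL in place.
static OSStatus AddTrustedAppForDecrypt(SecKeychainItemRef item, NSString *helperPath)
{
    SecTrustedApplicationRef helper = NULL;
    SecAccessRef access = NULL;
    CFArrayRef acls = NULL;
    OSStatus err = SecTrustedApplicationCreateFromPath([helperPath fileSystemRepresentation], &helper);
    if (err == noErr) err = SecKeychainItemCopyAccess(item, &access);
    if (err == noErr) err = SecAccessCopyACLList(access, &acls);

    for (CFIndex i = 0; err == noErr && i < CFArrayGetCount(acls); i++) {
        SecACLRef acl = (SecACLRef)CFArrayGetValueAtIndex(acls, i);
        CSSM_ACL_AUTHORIZATION_TAG tags[20];
        uint32 tagCount = sizeof(tags) / sizeof(tags[0]); // capacity on entry, tag count on return
        err = SecACLGetAuthorizations(acl, tags, &tagCount);
        if (err != noErr) break;

        BOOL decrypts = NO;
        for (uint32 t = 0; t < tagCount; t++)
            if (tags[t] == CSSM_ACL_AUTHORIZATION_DECRYPT) decrypts = YES;
        if (!decrypts) continue;

        CFArrayRef apps = NULL;
        CFStringRef description = NULL;
        CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR prompt;
        err = SecACLCopySimpleContents(acl, &apps, &description, &prompt);
        if (err != noErr) break;
        if (apps != NULL) { // a NULL list means any application is already trusted
            CFMutableArrayRef newApps = CFArrayCreateMutableCopy(NULL, 0, apps);
            CFArrayAppendValue(newApps, helper);
            err = SecACLSetSimpleContents(acl, newApps, description, &prompt);
            CFRelease(newApps);
            CFRelease(apps);
        }
        if (description) CFRelease(description);
    }
    // Write the edited access object back to the keychain item.
    if (err == noErr) err = SecKeychainItemSetAccess(item, access);
    if (acls) CFRelease(acls);
    if (access) CFRelease(access);
    if (helper) CFRelease(helper);
    return err;
}
```

Only ACL entries carrying the decrypt authorization are widened, and only by the one helper path, so the item's other authorizations and its passphrase prompt setting stay as they were.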