Small issue with adding a Trusted App to a Keychain Item
Status: Abandoned
Brought to you by:
wadetregaskis
Menu
▾
▴
Small issue with adding a Trusted App to a Keychain Item
|
From: Etienne S. <sam...@gm...> - 2007-09-18 06:03:46
|
Hi !
First, thanks for the review of my bug reports, (even if I turned
blind regarding the returned KeychainItems ;-)), I've updated my
source to lastest CVS, and added my modification to AccessControlList
(so I really get TrustedApplication back)...
So onto my problem :
I have a PreferencePane, and a Helper tool. I can set the account/
password from the PreferencePane, but as the KeychainItem is created
by SystemPreferences.app, my helper app triggers the 'give access to
keychain item', which I obviously don't want to happen... IMHO the
Keychain framework API has some shortcomings here, because I thought
I could add my Helper app to the list of allowed app easily, but
that's not easy, due to the way Security.framework is layed out.
Maybe we can have a [KeychainItem addTrustedApplication:
(TrustedApplication*) forAuthorization:(CSSM_ACL_AUTHORIZATION_TAG)
tag], or even hide away TrustedApps with NSStrings*...
Right now there is no easy way of doing this, because there is no
wrapper for SecACLGet/SetAuthorizations. If we can agree on an API
for this, I'll try to provide a patch or code, for addition to the
source.
I thus was forced to resort to a quick trip in C to make that work,
but this code crash ;-). If you can provide me with insight on this,
it will greatly help me, maybe I'm doing something wrong...
Here is what I'm currently doing :
mItem is initialized by getting an item from the keychain, and if
nonexistent, creating it...
// This is code to add our helper to the list of allowed
applications
Access *access = [mItem access];
NSArray *decryptACLs = [access accessControlListsForDecrypting];
CSSM_ACL_AUTHORIZATION_TAG tags[20];
uint32 tagCount;
NSString *helperPath = [[self bundle]
pathForResource:@"HelperTool"
ofType:@"app"];
TrustedApplication *app = [TrustedApplication
trustedApplicationWithPath:helperPath];
NSEnumerator *aclEnum = [decryptACLs objectEnumerator];
AccessControlList *ACL;
while ((ACL = [aclEnum nextObject]) != nil) {
OSStatus err;
AccessControlList *newACL;
err = SecACLGetAuthorizations ([ACL ACLRef], tags, &tagCount);
if (err != noErr) {
NSLog(@"Error Getting: %d", err);
return;
}
/* I'm forced to retrive information BEFORE deleting the item,
because this information becomes invalid,
and thus the -accessControlListNamed:... below fails */
NSArray *currentApps = [ACL applications];
NSString *currentName = [ACL name];
BOOL currentPass = [ACL requiresPassphrase];
[ACL deleteAccessControlList];
NSMutableArray *appArray = [NSMutableArray
arrayWithArray:currentApps];
[appArray addObject:app];
newACL = [AccessControlList accessControlListNamed:currentName
fromAccess:access
forApplications:appArray
requiringPassphrase:currentPass];
err = SecACLSetAuthorizations ([newACL ACLRef], tags,
tagCount);
if (err != noErr) {
NSLog(@"Error Setting: %d", err);
return;
}
}
/* Here is my crash, gdb stack trace below */
[mItem setAccess:access];
Here is the stack trace :
#0 0xffff0ee6 in ___memcpy at cpu_capabilities.h:228
#1 0x9127eac8 in Security::CssmOwnedData::copy<void>
#2 0x9127eb3e in Security::CssmOwnedData::copy
#3 0x91281fdf in
Security::CssmAutoData::CssmAutoData<Security::CssmData>
#4 0x9117b4fd in Security::ListElement::ListElement
#5 0x911c9c5a in Security::KeychainCore::TrustedApplication::makeSubject
#6 0x911d379c in Security::KeychainCore::ACL::makeSubject
#7 0x911d3982 in Security::KeychainCore::ACL::setAccess
#8 0x911d1ce1 in Security::KeychainCore::Access::editAccess
#9 0x911d1dba in Security::KeychainCore::Access::setAccess
#10 0x911c0e7d in SecKeychainItemSetAccess
#11 0x0e6cca12 in -[KeychainItem setAccess:] at KeychainItem.m:1015
Thanks for making such a great framework ! It makes it really easy to
use Keychains with it ;-)
Etienne Samson
|