kSecAttrAccessibleAfterFirstUnlock not allowing access even after first unlock iOS
So I have an old sensitive access key that currently has an accessibility of kSecAttrAccessibleWhenUnlocked and I want to update it to kSecAttrAccessibleAfterFirstUnlock.

I'm using Lockbox and call this:

[Lockbox setString:accessKey forKey:self.accessKeyName accessibility:kSecAttrAccessibleAfterFirstUnlock];

Which in turn, calls this:

-(BOOL)setObject:(NSString *)obj forKey:(NSString *)key accessibility:(CFTypeRef)accessibility
{
    OSStatus status;

    NSString *hierKey = [self _hierarchicalKey:key];

    // If the object is nil, delete the item
    if (!obj) {
        NSMutableDictionary *query = [self _query];
        [query setObject:hierKey forKey:(LOCKBOX_ID)kSecAttrService];
        status = SecItemDelete((LOCKBOX_DICTREF)query);
        return (status == errSecSuccess);
    }

    NSMutableDictionary *dict = [self _service];
    [dict setObject: hierKey forKey: (LOCKBOX_ID) kSecAttrService];
    [dict setObject: (LOCKBOX_ID)(accessibility) forKey: (LOCKBOX_ID) kSecAttrAccessible];
    [dict setObject: [obj dataUsingEncoding:NSUTF8StringEncoding] forKey: (LOCKBOX_ID) kSecValueData];

    status = SecItemAdd ((LOCKBOX_DICTREF) dict, NULL);
    if (status == errSecDuplicateItem) {
        NSMutableDictionary *query = [self _query];
        [query setObject:hierKey forKey:(LOCKBOX_ID)kSecAttrService];
        status = SecItemDelete((LOCKBOX_DICTREF)query);
        if (status == errSecSuccess)
            status = SecItemAdd((LOCKBOX_DICTREF) dict, NULL);
    }
    if (status != errSecSuccess)
        DLog(@"SecItemAdd failed for key %@: %d", hierKey, (int)status);

    return (status == errSecSuccess);
}

As you can see above, the Lockbox code seems to try to add the item if there's a duplicate. I've put a breakpoint there and can confirm that it does work.

However, sometimes it still gives an error of:

<Error>:  SecOSStatusWith error:[-25308] The operation couldn’t be completed. (OSStatus error -25308 - Remote error : The operation couldn’t be completed. (OSStatus error -25308 - ks_crypt: e00002e2 failed to unwrap item (class 6, bag: 0) Access to item attempted while keychain is locked.))

I don't understand why I would be getting this - I've already unlocked my phone and it should be working fine. Any ideas?

I should also add that I need to access this when the app is killed and revived in the background through a region monitoring update.

Lundy answered 21/12, 2014 at 4:29 Comment(2)
Hey, did you resolve this issue? I am facing a very similar issue. My keychain access throws the same error when the app is killed and launched in background. - Bah
@Bah did you find a solution? - Cleanup
I had to clear out the old key before the new one. You can do that or you can make a new key with a different name with the new kSecAccessibility value.

Lundy answered 4/7, 2015 at 21:46 Comment(1)
or update the old token with the new accessible policy - Electrolysis
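
The in-place update suggested in the comment above, as an added Objective-C example (not Lockbox's code and not the poster's): it changes kSecAttrAccessible with SecItemUpdate and reads the attribute back to confirm it. It assumes a generic-password item and ARC; `MigrateAccessibility` and its `service` parameter are hypothetical names.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <UIKit/UIKit.h>

// Added example: MigrateAccessibility is a hypothetical helper, not Lockbox API.
// `service` is the kSecAttrService value the item was stored under (for Lockbox,
// the hierarchical key). Assumes a generic-password item and ARC.
static OSStatus MigrateAccessibility(NSString *service, CFTypeRef wanted)
{
    // Re-protecting an item means unwrapping it under its current class first.
    // For a WhenUnlocked item that only works while the device is unlocked,
    // so defer instead of failing with -25308 (call on the main thread).
    if (![[UIApplication sharedApplication] isProtectedDataAvailable])
        return errSecInteractionNotAllowed;

    // Leave kSecAttrAccessible out of the query so the item matches
    // whatever protection class it currently has.
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: service,
    };
    NSDictionary *changes = @{
        (__bridge id)kSecAttrAccessible: (__bridge id)wanted,
    };
    OSStatus status = SecItemUpdate((__bridge CFDictionaryRef)query,
                                    (__bridge CFDictionaryRef)changes);
    if (status != errSecSuccess)
        return status; // e.g. errSecItemNotFound when nothing is stored yet

    // Read the attributes back and confirm the new class was applied.
    NSMutableDictionary *check = [query mutableCopy];
    check[(__bridge id)kSecReturnAttributes] = @YES;
    check[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    status = SecItemCopyMatching((__bridge CFDictionaryRef)check, &result);
    if (status != errSecSuccess)
        return status;
    NSDictionary *attrs = (__bridge_transfer NSDictionary *)result;
    id actual = attrs[(__bridge id)kSecAttrAccessible];
    // errSecParam is used here only to flag "update did not take effect".
    return [actual isEqual:(__bridge id)wanted] ? errSecSuccess : errSecParam;
}
```

Run the migration from a foreground launch, for example `MigrateAccessibility(hierKey, kSecAttrAccessibleAfterFirstUnlock)`. After a reboot, AfterFirstUnlock items also stay unreadable until the user has unlocked the device once, so a background launch before that point still returns -25308.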
