Login/Register
iOS keychain: SecItemUpdate returns -50 (paramErr) when updating kSecAttrAccessible
Asked Answered
Solved ioskeychainsecurity-framework
L

1

6

I need to update the kSecAttrAccessible of a keychain entry. I don't need to update the actual data, just the accessibility attribute.

First I try to find the item to make sure that my query dictionary is good:

sanityCheck = SecItemCopyMatching((__bridge CFDictionaryRef)(queryPrivateKey), (void *)&privateKeyRef);

This line successfully finds me the item I am looking for (return code is 0).

I then update the kSecAttrAccessible attribute using the same query:

if (sanityCheck == noErr && privateKeyRef != nil) {
    // found it, update accessibility
    NSMutableDictionary *updatedAttributes = [[NSMutableDictionary alloc] init];
    updatedAttributes[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleAlways;
    OSStatus updateItemStatus = SecItemUpdate((__bridge CFDictionaryRef)queryPrivateKey, (__bridge CFDictionaryRef)updatedAttributes);
}

At this point, updateItemStatus is -50 (paramErr).

I have looked at this thread: Is it possible to update a Keychain item's kSecAttrAccessible value? However my issue is different. It returns -50 even if I add kSecValueData to my updatedAttributes. Besides, the documentation also states that we need to add kSecValueData only for iOS 4 and earlier. I am supporting iOS 7 and above, so this shouldn't be my issue.

Could anyone point out what I am missing here? Thanks a lot.

Libeler answered 19/5, 2015 at 22:17 Comment(0)
L
6

The fact that a query can successfully find you the keychain item via SecItemCopyMatching doesn't mean the same query can be used to update the keychain item.

I'm using the following query for item lookup:

[queryPrivateKey setObject:(__bridge id)kSecClassKey forKey:(__bridge id)kSecClass];
[queryPrivateKey setObject:(__bridge id)kSecAttrKeyTypeRSA forKey:(__bridge id)kSecAttrKeyType];
[queryPrivateKey setObject:[NSNumber numberWithBool:YES] forKey:(__bridge id)kSecReturnRef];
[queryPrivateKey setObject:[EncryptionHelper privateKeyTag:JWT_KEYPAIR_TAG] forKey:(__bridge id<NSCopying>)(kSecAttrApplicationTag)];

sanityCheck = SecItemCopyMatching((__bridge CFDictionaryRef)(queryPrivateKey), (void *)&privateKeyef);

However, in order to use this query for item update, I first had to do:

[queryPrivateKey removeObjectForKey:(__bridge id)kSecReturnRef];

Then I can update:

OSStatus updateItemStatus = SecItemUpdate((__bridge CFDictionaryRef)queryPrivateKey,(__bridge CFDictionaryRef)updatedAttributes);

Obviously, kSecReturnRef is not an acceptable key in the query dictionary of SecItemUpdate. I was not able to find the list of acceptable keys of the query of SecItemUpdate from the apple documentation. From the documentation of SecItemUpdate, it seems that only these keys are acceptable, but that doesn't seem to be the correct list as I am expecting keys like kSecClass etc to be in the list. If anyone has an updated doc link please share it, for now it just takes me some trial and error to find out which keys are acceptable for SecItemUpdate.

After the item has been found, there is also another complexity with updating kSecAttrAccessible: you can't update from a higher security setting like kSecAttrAccessibleWhenUnlocked to a lower setting like kSecAttrAccessibleAlways when the phone is locked for security reasons, so the migration has to happen when the phone is unlocked. A good place for the migration is when the app is resumed in foreground, because the device must be in an unlocked state when app is in foreground.

Libeler answered 26/5, 2015 at 23:56 Comment(7)
I am having the same exact problem @SeaJelly. I am using apple's Keychain Wrapper that uses the default kSecAttrAccessible. And I want to update it to kSecAttrAccessibleWhenUnlocked . For some reason I can't seam to be able to update that attribute. Were able to do this successfully?Celestyna
@Celestyna Yes I am able to update my accessibility successfully now, by removing a key pair in my query (first argument of SecItemUpdate) as stated above. But FYI, right now the default is already kSecAttrAccessibleWhenUnlocked. It used to be kSecAttrAccessibleAlways, but that's no longer the case. At some point they changed the default to kSecAttrAccessibleWhenUnlocked. In my case it's the other way around, I want to change it from unlocked (default) to always.Libeler
Sorry I meant kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly. But you are removing the key kSecReturnRef . Shouldn't you remove kSecAttrAccessible and set it back with the setting that you need?Celestyna
@Celestyna For the first argument, you don't need kSecAttrAccessible to be in the query for the lookup. I don't have kSecAttrAccessible in the query. I also don't have kSecReturnRef - I removed it because otherwise the lookup will fail. Then, with the right query, I put kSecAttrAccessible into the second argument (the updated attributes argument), and that does the update for me. Basically you want kSecAttrAccessible only in the second argument but not the first argument.Libeler
got it. I am going to try to do that and will let you know how it goes. ThanksCelestyna
didn't work. Even though I am able to perform the query, I can't update to kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly. OSStatus comes out as -50.Celestyna
SecItemUpdate() does not return anything, it takes a query about what to update and an update description how to update it and the only out values is a status code. So specifying any kSecReturn... isn't meaningful as how would that value be returned?Avowed

© 2022 - 2024 — McMap. All rights reserved.