iOS Keychain SecItemAdd returns -25243

7

12

I'm working on updating an iPhone application with a minor change in its default configuration. It's been a while since I've built it last, though, and so I've upgraded Xcode to 4.2 and included iOS 5 support in the latest builds.

When I go to test on the device, I get the following assertion error:

2011-11-02 20:57:18.869 RoseBandwidth[903:707] Tried to add item, got result: -25243
2011-11-02 20:57:18.870 RoseBandwidth[903:707] *** Assertion failure in -[KeychainItemWrapper writeToKeychain], /Users/tim/code/RoseBandwidth/Classes/KeychainItemWrapper.m:312
2011-11-02 20:57:18.872 RoseBandwidth[903:707] *** Terminating app due to uncaught exception 'NSInternalInconsistencyException', reason: 'Couldn't add the Keychain Item.'

I'm using the implementation of the KeychainItemWrapper class from Apple's GenericKeychain project. It's worth noting that this error only shows up on the device, not in the Simulator (and I'm aware of the access group restriction differences between platforms, but usually I thought that caused problems on the Simulator, not actual hardware).

Why would I be getting this error back? I've touched nothing relevant to the keychain-related parts of the app; it stores and retrieves data exactly like it used to.

Aphaeresis answered 3/11, 2011 at 1:14 Comment(0)
18

Okay, I couldn't quite get your project to build, but from How to share keychain data between iOS applications I think you might want to check your entitlements file. At least in the GitHub project you didn't have anything specified in the Keychain Access Groups.

Sestet answered 3/11, 2011 at 1:41 Comment(1)
I'd upvote you more than once if I could - that answer was downright wizardly. Turns out I lost my entitlements file somewhere along the way, so re-enabling them (and playing with provisioning profiles for a while) fixed this issue. Thanks! – Aphaeresis
9

For future searchers who happen to end up here, another possible cause of the -25243 error (which means No access control, BTW) is running on the simulator.

My best theory is that the app's provisioning profile (or the signature thereof) is how the app knows what its bundle seed is. And the bundle seed needs to be part of your keychain's access group name. But apps run on the simulator don't get signed, and so have a missing (or different?) bundle seed compared to the one you specified in keychain-access-group.

Or something. It's all so poorly documented, it's hard to tell what's what. Just try running it on a device and see if that helps.

Travistravus answered 30/3, 2012 at 19:41 Comment(1)
This is a good point - thanks for raising it. I note in my original question that I'm using Apple's KeychainItemWrapper class, which includes a compiler #if clause to check whether the app is running on the simulator. People who aren't using that wrapper do need to take precautions. – Aphaeresis
5

For those of you getting this error and trying to achieve "Shared Key Chain Access" between two apps:

You need to create an App Id for your app with the same Team Id you selected when you first activated "Shared Keychain Access" in 'Capabilities'. Create your App Id in here: Apple Member Center

After that you need to create a provisioning profile from that App Id and download it to your computer. (Double-click it to install it in Xcode.)

I assume you already know you need the "App ID Prefix" to access the keychain, but for those who don't know: the "App ID Prefix" is a unique text identifier associated with your Apple developer account.

To access the "SharedKeychain" you need to set it like this before you try to write to or read from the keychain:

keychainAccessGroupName = "AB123CDE45.myKeyChainGroup"

You can check out this tutorial for further info: Share Keychain between iOS apps.

Hope that helps.

Betelgeuse answered 21/6, 2016 at 7:7 Comment(0)
3

I get the same error from time to time in the simulator even if I did not touch the code. A reset of the simulator solves the problem for me.

See this question/answer for how to reset the simulator: https://stackoverflow.com/a/3442326

Jipijapa answered 27/6, 2012 at 10:3 Comment(1)
+1: Well, this is annoying... I'm getting the same issue with the simulator (and a reset sure does fix it), but (I believe) it's not happening on the device. You ever see this randomly happen on the device? – Cholecystotomy
1

As others have pointed out, in device builds error -25243 is often caused by trying to access a keychain access group that you don't have permissions for. (It's missing from your Entitlements.plist file or your provisioning profile.)

But in the simulator there can be another cause. The simulator doesn't support keychain access groups at all, so if you set the kSecAttrAccessGroup property on a keychain item and try to write it you'll get this -25243 error code.

FYI, Apple's GenericKeychain sample code has this comment:

// Ignore the access group if running on the iPhone simulator.
// 
// Apps that are built for the simulator aren't signed, so there's no keychain access group
// for the simulator to check. This means that all apps can see all keychain items when run
// on the simulator.
//
// If a SecItem contains an access group attribute, SecItemAdd and SecItemUpdate on the
// simulator will return -25243 (errSecNoAccessForItem).
Suprasegmental answered 28/4, 2014 at 23:31 Comment(0)
0

This worked for me when I used a production certificate and provisioning profile. Using debug did not work.

Sinker answered 21/8, 2016 at 19:35 Comment(0)
0

In my experience, I got the return value -25243 when I was trying to pass kSecMatchLimit with kSecMatchLimitOne and kSecReturnData with kCFBooleanTrue to the SecItemAdd() function. I removed those, double-checked the app IDs and provisioning profiles, and everything is good.

I am not sure if this is helpful or not, but in my experience, if you use the SecItemAdd() function for shared keychain access, those two parameters must not be there.

Metalware answered 14/8, 2017 at 11:39 Comment(0)
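The three causes of -25243 raised on this page (the accepted answer's missing keychain-access-groups entitlement, Suprasegmental's point about kSecAttrAccessGroup on the simulator, and Metalware's search options passed to SecItemAdd) can all be avoided in one small wrapper. The following Objective-C is an added example, not code from Apple's GenericKeychain sample or from the asker's project. The prefix "AB123CDE45" is the placeholder used in Betelgeuse's answer, and the group name com.example.sharedkeychain, the function names (SharedAccessGroup, BaseAttributes, StoreSharedPassword) and the choice of kSecAttrAccessibleWhenUnlockedThisDeviceOnly are assumptions for illustration.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <TargetConditionals.h>

// Assumed values: "AB123CDE45" stands in for your real App ID prefix (Team ID)
// and the group name is invented. Together they must match an entry in the
// app's keychain-access-groups entitlement, e.g.
//   $(AppIdentifierPrefix)com.example.sharedkeychain
static NSString * const kAppIDPrefix     = @"AB123CDE45";
static NSString * const kSharedGroupName = @"com.example.sharedkeychain";

static NSString *SharedAccessGroup(void) {
    return [NSString stringWithFormat:@"%@.%@", kAppIDPrefix, kSharedGroupName];
}

// Attributes that identify the item. This dictionary is reused as the search
// half of SecItemUpdate, so it carries no kSecValueData and none of the
// SecItemCopyMatching-only options (kSecMatchLimit, kSecReturnData), which
// have no business in a SecItemAdd call.
static NSMutableDictionary *BaseAttributes(NSString *account, NSString *service) {
    NSMutableDictionary *attrs = [NSMutableDictionary dictionary];
    attrs[(__bridge id)kSecClass]       = (__bridge id)kSecClassGenericPassword;
    attrs[(__bridge id)kSecAttrAccount] = account;
    attrs[(__bridge id)kSecAttrService] = service;
#if !TARGET_IPHONE_SIMULATOR
    // Simulator builds are unsigned and have no access groups. Setting this
    // attribute there makes SecItemAdd/SecItemUpdate fail with
    // errSecNoAccessForItem (-25243), so it is only set for device builds.
    attrs[(__bridge id)kSecAttrAccessGroup] = SharedAccessGroup();
#endif
    return attrs;
}

// Stores (or overwrites) a password in the shared group and returns the
// OSStatus so the caller can react to errSecNoAccessForItem.
static OSStatus StoreSharedPassword(NSString *account, NSString *service, NSString *password) {
    NSData *secret = [password dataUsingEncoding:NSUTF8StringEncoding];

    NSMutableDictionary *addQuery = BaseAttributes(account, service);
    addQuery[(__bridge id)kSecValueData] = secret;
    // Keep the item on this device only; it is never migrated through backups.
    addQuery[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;

    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)addQuery, NULL);

    if (status == errSecDuplicateItem) {
        // The item already exists: update just the secret instead of failing.
        NSDictionary *search = BaseAttributes(account, service);
        NSDictionary *change = @{ (__bridge id)kSecValueData : secret };
        status = SecItemUpdate((__bridge CFDictionaryRef)search,
                               (__bridge CFDictionaryRef)change);
    }

    if (status == errSecNoAccessForItem) {   // -25243
        // On a device this means the group is not in the keychain-access-groups
        // entitlement embedded in the signed app (or the provisioning profile
        // does not allow it); the fix is in the build settings, not the code.
        NSLog(@"Keychain refused access group %@: errSecNoAccessForItem. "
              @"Check the keychain-access-groups entitlement and provisioning profile.",
              SharedAccessGroup());
    }
    return status;
}
```

The entitlement side is an array under the keychain-access-groups key whose first entry is the group a keychain item lands in when no kSecAttrAccessGroup is given. To confirm that the group really made it into the signed binary (the lost-entitlements case from the accepted answer), inspect the built app with `codesign -d --entitlements :- YourApp.app` and compare the listed groups with what SharedAccessGroup() produces.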