|
@@ -0,0 +1,313 @@
|
|
|
+/*
|
|
|
+ File: KeychainItemWrapper.m
|
|
|
+ Abstract:
|
|
|
+ Objective-C wrapper for accessing a single keychain item.
|
|
|
+
|
|
|
+ Version: 1.2
|
|
|
+
|
|
|
+ Disclaimer: IMPORTANT: This Apple software is supplied to you by Apple
|
|
|
+ Inc. ("Apple") in consideration of your agreement to the following
|
|
|
+ terms, and your use, installation, modification or redistribution of
|
|
|
+ this Apple software constitutes acceptance of these terms. If you do
|
|
|
+ not agree with these terms, please do not use, install, modify or
|
|
|
+ redistribute this Apple software.
|
|
|
+
|
|
|
+ In consideration of your agreement to abide by the following terms, and
|
|
|
+ subject to these terms, Apple grants you a personal, non-exclusive
|
|
|
+ license, under Apple's copyrights in this original Apple software (the
|
|
|
+ "Apple Software"), to use, reproduce, modify and redistribute the Apple
|
|
|
+ Software, with or without modifications, in source and/or binary forms;
|
|
|
+ provided that if you redistribute the Apple Software in its entirety and
|
|
|
+ without modifications, you must retain this notice and the following
|
|
|
+ text and disclaimers in all such redistributions of the Apple Software.
|
|
|
+ Neither the name, trademarks, service marks or logos of Apple Inc. may
|
|
|
+ be used to endorse or promote products derived from the Apple Software
|
|
|
+ without specific prior written permission from Apple. Except as
|
|
|
+ expressly stated in this notice, no other rights or licenses, express or
|
|
|
+ implied, are granted by Apple herein, including but not limited to any
|
|
|
+ patent rights that may be infringed by your derivative works or by other
|
|
|
+ works in which the Apple Software may be incorporated.
|
|
|
+
|
|
|
+ The Apple Software is provided by Apple on an "AS IS" basis. APPLE
|
|
|
+ MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
|
|
|
+ THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS
|
|
|
+ FOR A PARTICULAR PURPOSE, REGARDING THE APPLE SOFTWARE OR ITS USE AND
|
|
|
+ OPERATION ALONE OR IN COMBINATION WITH YOUR PRODUCTS.
|
|
|
+
|
|
|
+ IN NO EVENT SHALL APPLE BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL
|
|
|
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
|
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
|
+ INTERRUPTION) ARISING IN ANY WAY OUT OF THE USE, REPRODUCTION,
|
|
|
+ MODIFICATION AND/OR DISTRIBUTION OF THE APPLE SOFTWARE, HOWEVER CAUSED
|
|
|
+ AND WHETHER UNDER THEORY OF CONTRACT, TORT (INCLUDING NEGLIGENCE),
|
|
|
+ STRICT LIABILITY OR OTHERWISE, EVEN IF APPLE HAS BEEN ADVISED OF THE
|
|
|
+ POSSIBILITY OF SUCH DAMAGE.
|
|
|
+
|
|
|
+ Copyright (C) 2010 Apple Inc. All Rights Reserved.
|
|
|
+
|
|
|
+*/
|
|
|
+
|
|
|
+#import "KeychainItemWrapper.h"
|
|
|
+#import <Security/Security.h>
|
|
|
+
|
|
|
+/*
|
|
|
+
|
|
|
+These are the default constants and their respective types,
|
|
|
+available for the kSecClassGenericPassword Keychain Item class:
|
|
|
+
|
|
|
+kSecAttrAccessGroup - CFStringRef
|
|
|
+kSecAttrCreationDate - CFDateRef
|
|
|
+kSecAttrModificationDate - CFDateRef
|
|
|
+kSecAttrDescription - CFStringRef
|
|
|
+kSecAttrComment - CFStringRef
|
|
|
+kSecAttrCreator - CFNumberRef
|
|
|
+kSecAttrType - CFNumberRef
|
|
|
+kSecAttrLabel - CFStringRef
|
|
|
+kSecAttrIsInvisible - CFBooleanRef
|
|
|
+kSecAttrIsNegative - CFBooleanRef
|
|
|
+kSecAttrAccount - CFStringRef
|
|
|
+kSecAttrService - CFStringRef
|
|
|
+kSecAttrGeneric - CFDataRef
|
|
|
+
|
|
|
+See the header file Security/SecItem.h for more details.
|
|
|
+
|
|
|
+*/
|
|
|
+
|
|
|
+@interface KeychainItemWrapper (PrivateMethods)
|
|
|
+/*
|
|
|
+The decision behind the following two methods (secItemFormatToDictionary and dictionaryToSecItemFormat) was
|
|
|
+to encapsulate the transition between what the detail view controller was expecting (NSString *) and what the
|
|
|
+Keychain API expects as a validly constructed container class.
|
|
|
+*/
|
|
|
+- (NSMutableDictionary *)secItemFormatToDictionary:(NSDictionary *)dictionaryToConvert;
|
|
|
+- (NSMutableDictionary *)dictionaryToSecItemFormat:(NSDictionary *)dictionaryToConvert;
|
|
|
+
|
|
|
+// Updates the item in the keychain, or adds it if it doesn't exist.
|
|
|
+- (void)writeToKeychain;
|
|
|
+
|
|
|
+@end
|
|
|
+
|
|
|
+@implementation KeychainItemWrapper
|
|
|
+
|
|
|
+@synthesize keychainItemData, genericPasswordQuery;
|
|
|
+
|
|
|
+- (id)initWithIdentifier: (NSString *)identifier accessGroup:(NSString *) accessGroup;
|
|
|
+{
|
|
|
+ if (self = [super init])
|
|
|
+ {
|
|
|
+ // Begin Keychain search setup. The genericPasswordQuery leverages the special user
|
|
|
+ // defined attribute kSecAttrGeneric to distinguish itself between other generic Keychain
|
|
|
+ // items which may be included by the same application.
|
|
|
+ genericPasswordQuery = [[NSMutableDictionary alloc] init];
|
|
|
+
|
|
|
+ [genericPasswordQuery setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass];
|
|
|
+ [genericPasswordQuery setObject:identifier forKey:(id)kSecAttrGeneric];
|
|
|
+
|
|
|
+ // The keychain access group attribute determines if this item can be shared
|
|
|
+ // amongst multiple apps whose code signing entitlements contain the same keychain access group.
|
|
|
+ if (accessGroup != nil)
|
|
|
+ {
|
|
|
+#if TARGET_IPHONE_SIMULATOR
|
|
|
+ // Ignore the access group if running on the iPhone simulator.
|
|
|
+ //
|
|
|
+ // Apps that are built for the simulator aren't signed, so there's no keychain access group
|
|
|
+ // for the simulator to check. This means that all apps can see all keychain items when run
|
|
|
+ // on the simulator.
|
|
|
+ //
|
|
|
+ // If a SecItem contains an access group attribute, SecItemAdd and SecItemUpdate on the
|
|
|
+ // simulator will return -25243 (errSecNoAccessForItem).
|
|
|
+#else
|
|
|
+ [genericPasswordQuery setObject:accessGroup forKey:(id)kSecAttrAccessGroup];
|
|
|
+#endif
|
|
|
+ }
|
|
|
+
|
|
|
+ // Use the proper search constants, return only the attributes of the first match.
|
|
|
+ [genericPasswordQuery setObject:(id)kSecMatchLimitOne forKey:(id)kSecMatchLimit];
|
|
|
+ [genericPasswordQuery setObject:(id)kCFBooleanTrue forKey:(id)kSecReturnAttributes];
|
|
|
+
|
|
|
+ NSDictionary *tempQuery = [NSDictionary dictionaryWithDictionary:genericPasswordQuery];
|
|
|
+
|
|
|
+ NSMutableDictionary *outDictionary = nil;
|
|
|
+
|
|
|
+ if (! SecItemCopyMatching((CFDictionaryRef)tempQuery, (CFTypeRef *)&outDictionary) == noErr)
|
|
|
+ {
|
|
|
+ // Stick these default values into keychain item if nothing found.
|
|
|
+ [self resetKeychainItem];
|
|
|
+
|
|
|
+ // Add the generic attribute and the keychain access group.
|
|
|
+ [keychainItemData setObject:identifier forKey:(id)kSecAttrGeneric];
|
|
|
+ if (accessGroup != nil)
|
|
|
+ {
|
|
|
+#if TARGET_IPHONE_SIMULATOR
|
|
|
+ // Ignore the access group if running on the iPhone simulator.
|
|
|
+ //
|
|
|
+ // Apps that are built for the simulator aren't signed, so there's no keychain access group
|
|
|
+ // for the simulator to check. This means that all apps can see all keychain items when run
|
|
|
+ // on the simulator.
|
|
|
+ //
|
|
|
+ // If a SecItem contains an access group attribute, SecItemAdd and SecItemUpdate on the
|
|
|
+ // simulator will return -25243 (errSecNoAccessForItem).
|
|
|
+#else
|
|
|
+ [keychainItemData setObject:accessGroup forKey:(id)kSecAttrAccessGroup];
|
|
|
+#endif
|
|
|
+ }
|
|
|
+ }
|
|
|
+ else
|
|
|
+ {
|
|
|
+ // load the saved data from Keychain.
|
|
|
+ self.keychainItemData = [self secItemFormatToDictionary:outDictionary];
|
|
|
+ }
|
|
|
+
|
|
|
+ [outDictionary release];
|
|
|
+ }
|
|
|
+
|
|
|
+ return self;
|
|
|
+}
|
|
|
+
|
|
|
+- (void)dealloc
|
|
|
+{
|
|
|
+ [keychainItemData release];
|
|
|
+ [genericPasswordQuery release];
|
|
|
+
|
|
|
+ [super dealloc];
|
|
|
+}
|
|
|
+
|
|
|
+- (void)setObject:(id)inObject forKey:(id)key
|
|
|
+{
|
|
|
+ if (inObject == nil) return;
|
|
|
+ id currentObject = [keychainItemData objectForKey:key];
|
|
|
+ if (![currentObject isEqual:inObject])
|
|
|
+ {
|
|
|
+ [keychainItemData setObject:inObject forKey:key];
|
|
|
+ [self writeToKeychain];
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+- (id)objectForKey:(id)key
|
|
|
+{
|
|
|
+ return [keychainItemData objectForKey:key];
|
|
|
+}
|
|
|
+
|
|
|
+- (void)resetKeychainItem
|
|
|
+{
|
|
|
+ OSStatus junk = noErr;
|
|
|
+ if (!keychainItemData)
|
|
|
+ {
|
|
|
+ self.keychainItemData = [[NSMutableDictionary alloc] init];
|
|
|
+ }
|
|
|
+ else if (keychainItemData)
|
|
|
+ {
|
|
|
+ NSMutableDictionary *tempDictionary = [self dictionaryToSecItemFormat:keychainItemData];
|
|
|
+ junk = SecItemDelete((CFDictionaryRef)tempDictionary);
|
|
|
+ NSAssert( junk == noErr || junk == errSecItemNotFound, @"Problem deleting current dictionary." );
|
|
|
+ }
|
|
|
+
|
|
|
+ // Default attributes for keychain item.
|
|
|
+ [keychainItemData setObject:@"" forKey:(id)kSecAttrAccount];
|
|
|
+ [keychainItemData setObject:@"" forKey:(id)kSecAttrLabel];
|
|
|
+ [keychainItemData setObject:@"" forKey:(id)kSecAttrDescription];
|
|
|
+
|
|
|
+ // Default data for keychain item.
|
|
|
+ [keychainItemData setObject:@"" forKey:(id)kSecValueData];
|
|
|
+}
|
|
|
+
|
|
|
+- (NSMutableDictionary *)dictionaryToSecItemFormat:(NSDictionary *)dictionaryToConvert
|
|
|
+{
|
|
|
+ // The assumption is that this method will be called with a properly populated dictionary
|
|
|
+ // containing all the right key/value pairs for a SecItem.
|
|
|
+
|
|
|
+ // Create a dictionary to return populated with the attributes and data.
|
|
|
+ NSMutableDictionary *returnDictionary = [NSMutableDictionary dictionaryWithDictionary:dictionaryToConvert];
|
|
|
+
|
|
|
+ // Add the Generic Password keychain item class attribute.
|
|
|
+ [returnDictionary setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass];
|
|
|
+
|
|
|
+ // Convert the NSString to NSData to meet the requirements for the value type kSecValueData.
|
|
|
+ // This is where to store sensitive data that should be encrypted.
|
|
|
+ NSString *passwordString = [dictionaryToConvert objectForKey:(id)kSecValueData];
|
|
|
+ [returnDictionary setObject:[passwordString dataUsingEncoding:NSUTF8StringEncoding] forKey:(id)kSecValueData];
|
|
|
+
|
|
|
+ return returnDictionary;
|
|
|
+}
|
|
|
+
|
|
|
+- (NSMutableDictionary *)secItemFormatToDictionary:(NSDictionary *)dictionaryToConvert
|
|
|
+{
|
|
|
+ // The assumption is that this method will be called with a properly populated dictionary
|
|
|
+ // containing all the right key/value pairs for the UI element.
|
|
|
+
|
|
|
+ // Create a dictionary to return populated with the attributes and data.
|
|
|
+ NSMutableDictionary *returnDictionary = [NSMutableDictionary dictionaryWithDictionary:dictionaryToConvert];
|
|
|
+
|
|
|
+ // Add the proper search key and class attribute.
|
|
|
+ [returnDictionary setObject:(id)kCFBooleanTrue forKey:(id)kSecReturnData];
|
|
|
+ [returnDictionary setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass];
|
|
|
+
|
|
|
+ // Acquire the password data from the attributes.
|
|
|
+ NSData *passwordData = NULL;
|
|
|
+ if (SecItemCopyMatching((CFDictionaryRef)returnDictionary, (CFTypeRef *)&passwordData) == noErr)
|
|
|
+ {
|
|
|
+ // Remove the search, class, and identifier key/value, we don't need them anymore.
|
|
|
+ [returnDictionary removeObjectForKey:(id)kSecReturnData];
|
|
|
+
|
|
|
+ // Add the password to the dictionary, converting from NSData to NSString.
|
|
|
+ NSString *password = [[[NSString alloc] initWithBytes:[passwordData bytes] length:[passwordData length]
|
|
|
+ encoding:NSUTF8StringEncoding] autorelease];
|
|
|
+ [returnDictionary setObject:password forKey:(id)kSecValueData];
|
|
|
+ }
|
|
|
+ else
|
|
|
+ {
|
|
|
+ // Don't do anything if nothing is found.
|
|
|
+ NSAssert(NO, @"Serious error, no matching item found in the keychain.\n");
|
|
|
+ }
|
|
|
+
|
|
|
+ [passwordData release];
|
|
|
+
|
|
|
+ return returnDictionary;
|
|
|
+}
|
|
|
+
|
|
|
+- (void)writeToKeychain
|
|
|
+{
|
|
|
+ NSDictionary *attributes = NULL;
|
|
|
+ NSMutableDictionary *updateItem = NULL;
|
|
|
+ OSStatus result;
|
|
|
+
|
|
|
+ if (SecItemCopyMatching((CFDictionaryRef)genericPasswordQuery, (CFTypeRef *)&attributes) == noErr)
|
|
|
+ {
|
|
|
+ // First we need the attributes from the Keychain.
|
|
|
+ updateItem = [NSMutableDictionary dictionaryWithDictionary:attributes];
|
|
|
+ // Second we need to add the appropriate search key/values.
|
|
|
+ [updateItem setObject:[genericPasswordQuery objectForKey:(id)kSecClass] forKey:(id)kSecClass];
|
|
|
+
|
|
|
+ // Lastly, we need to set up the updated attribute list being careful to remove the class.
|
|
|
+ NSMutableDictionary *tempCheck = [self dictionaryToSecItemFormat:keychainItemData];
|
|
|
+ [tempCheck removeObjectForKey:(id)kSecClass];
|
|
|
+
|
|
|
+#if TARGET_IPHONE_SIMULATOR
|
|
|
+ // Remove the access group if running on the iPhone simulator.
|
|
|
+ //
|
|
|
+ // Apps that are built for the simulator aren't signed, so there's no keychain access group
|
|
|
+ // for the simulator to check. This means that all apps can see all keychain items when run
|
|
|
+ // on the simulator.
|
|
|
+ //
|
|
|
+ // If a SecItem contains an access group attribute, SecItemAdd and SecItemUpdate on the
|
|
|
+ // simulator will return -25243 (errSecNoAccessForItem).
|
|
|
+ //
|
|
|
+ // The access group attribute will be included in items returned by SecItemCopyMatching,
|
|
|
+ // which is why we need to remove it before updating the item.
|
|
|
+ [tempCheck removeObjectForKey:(id)kSecAttrAccessGroup];
|
|
|
+#endif
|
|
|
+
|
|
|
+ // An implicit assumption is that you can only update a single item at a time.
|
|
|
+
|
|
|
+ result = SecItemUpdate((CFDictionaryRef)updateItem, (CFDictionaryRef)tempCheck);
|
|
|
+ NSAssert( result == noErr, @"Couldn't update the Keychain Item." );
|
|
|
+ }
|
|
|
+ else
|
|
|
+ {
|
|
|
+ // No previous item found; add the new one.
|
|
|
+ result = SecItemAdd((CFDictionaryRef)[self dictionaryToSecItemFormat:keychainItemData], NULL);
|
|
|
+ NSAssert( result == noErr, @"Couldn't add the Keychain Item." );
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+@end
|