07-21-2023, 09:50 PM
My question concerns keychains in iOS (iPhone, iPad, ...). I think (but am not sure) that the implementation of keychains under Mac OS X raises the same question with the same answer.
---
iOS provides five types (classes) of keychain items. You must choose one of those five values for the key `kSecClass` to determine the type:
- `kSecClassGenericPassword` used to store a generic password
- `kSecClassInternetPassword` used to store an internet password
- `kSecClassCertificate` used to store a certificate
- `kSecClassKey` used to store a cryptographic key
- `kSecClassIdentity` used to store an identity (certificate + private key)
After a long time of reading Apple's documentation, blogs and forum entries, I found out that a keychain item of type `kSecClassGenericPassword` gets its uniqueness from the attributes `kSecAttrAccessGroup`, `kSecAttrAccount` and `kSecAttrService`.
If those three attributes in request 1 are the same as in request 2, then you receive the same generic password keychain item, regardless of any other attributes. If one (or two or all) of these attributes changes its value, then you get different items.
But `kSecAttrService` is only available for items of type `kSecClassGenericPassword`, so it can't be part of the "unique key" of an item of any other type, and there seems to be no documentation that points out clearly which attributes uniquely determine a keychain item.
The sample code in the class "KeychainItemWrapper" of "GenericKeychain" uses the attribute `kSecAttrGeneric` to make an item unique, but this is a bug. The two entries in this example are only stored as two distinct entries because their `kSecAttrAccessGroup` is different (one has the access group set, the other leaves it free). If you try to add a 2nd password without an access group, using Apple's `KeychainItemWrapper`, you will fail.
**So, please, answer my questions:**
- Is it true that the combination of `kSecAttrAccessGroup`, `kSecAttrAccount` and `kSecAttrService` is the "unique key" of a keychain item whose `kSecClass` is `kSecClassGenericPassword`?
- Which attributes make a keychain item unique if its `kSecClass` is not `kSecClassGenericPassword`?
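The uniqueness question for `kSecClassGenericPassword` can be checked empirically rather than by reading around the documentation. The following Swift script is an added example, not code from the post or from Apple's GenericKeychain sample: it inserts one generic password item, then tries a second insert with the same account and service but a different `kSecAttrGeneric`, and a third with a different service, and reports the `OSStatus` of each attempt. The service and account strings are constructed test values, and `kSecAttrAccessGroup` is deliberately left out because a plain command-line tool has no entitlement for it, so every item lands in the same default group.

```swift
// Added probe (not from the forum post): observes which attributes make a
// kSecClassGenericPassword item unique by attempting colliding inserts.
// Run on macOS with: swift keychain_probe.swift
import Foundation
import Security

let testService = "com.example.keychain-probe"   // constructed test value
let testAccount = "probe-user"                   // constructed test value

/// Builds the attribute dictionary for a generic password item.
/// kSecAttrAccessGroup is omitted: a command-line tool needs entitlements
/// for it, so all items created here share the default access group.
func genericPasswordAttributes(account: String, service: String,
                               generic: String, secret: String) -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
        kSecAttrService as String: service,
        kSecAttrGeneric as String: Data(generic.utf8),   // CFData attribute
        kSecValueData as String: Data(secret.utf8),
    ]
}

/// Attempts to add the item and returns the raw OSStatus so the caller can
/// compare it against errSecSuccess / errSecDuplicateItem.
func addGenericPassword(account: String, service: String,
                        generic: String, secret: String) -> OSStatus {
    let attrs = genericPasswordAttributes(account: account, service: service,
                                          generic: generic, secret: secret)
    return SecItemAdd(attrs as CFDictionary, nil)
}

/// Removes every generic password item matching account + service.
/// Returns true when something was deleted or nothing matched.
func deleteGenericPassword(account: String, service: String) -> Bool {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
        kSecAttrService as String: service,
    ]
    let status = SecItemDelete(query as CFDictionary)
    return status == errSecSuccess || status == errSecItemNotFound
}

/// Human-readable label for the statuses this probe cares about.
func describe(_ status: OSStatus) -> String {
    switch status {
    case errSecSuccess:       return "errSecSuccess (new item created)"
    case errSecDuplicateItem: return "errSecDuplicateItem (collides with an existing item)"
    default:                  return "OSStatus \(status)"
    }
}

// Start clean so items left by an earlier run do not skew the result.
_ = deleteGenericPassword(account: testAccount, service: testService)
_ = deleteGenericPassword(account: testAccount, service: testService + ".other")

// 1. Baseline insert.
let first = addGenericPassword(account: testAccount, service: testService,
                               generic: "A", secret: "secret-1")
print("same account+service, generic=A:", describe(first))

// 2. Same account + service, different kSecAttrGeneric. If kSecAttrGeneric
//    were part of the key this would succeed; a duplicate error means it is not.
let second = addGenericPassword(account: testAccount, service: testService,
                                generic: "B", secret: "secret-2")
print("same account+service, generic=B:", describe(second))

// 3. Same account, different service: a distinct item if service is part of the key.
let third = addGenericPassword(account: testAccount, service: testService + ".other",
                               generic: "A", secret: "secret-3")
print("same account, other service:     ", describe(third))

// Remove the test items so the probe leaves no residue in the login keychain.
_ = deleteGenericPassword(account: testAccount, service: testService)
_ = deleteGenericPassword(account: testAccount, service: testService + ".other")
```

The script never reads secrets back; it only looks at the status of each `SecItemAdd`. If the hypothesis in the question holds, the second attempt reports `errSecDuplicateItem` while the third reports `errSecSuccess`, which shows directly that `kSecAttrGeneric` plays no part in the primary key and `kSecAttrService` does. The same pattern, with the class-specific attributes swapped in, can be used to probe the other `kSecClass` values.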