/* |
File: KeychainItemWrapper.m |
Abstract: |
Objective-C wrapper for accessing a single keychain item. |
|
Version: 1.2 |
|
Disclaimer: IMPORTANT: This Apple software is supplied to you by Apple |
Inc. ("Apple") in consideration of your agreement to the following |
terms, and your use, installation, modification or redistribution of |
this Apple software constitutes acceptance of these terms. If you do |
not agree with these terms, please do not use, install, modify or |
redistribute this Apple software. |
|
In consideration of your agreement to abide by the following terms, and |
subject to these terms, Apple grants you a personal, non-exclusive |
license, under Apple's copyrights in this original Apple software (the |
"Apple Software"), to use, reproduce, modify and redistribute the Apple |
Software, with or without modifications, in source and/or binary forms; |
provided that if you redistribute the Apple Software in its entirety and |
without modifications, you must retain this notice and the following |
text and disclaimers in all such redistributions of the Apple Software. |
Neither the name, trademarks, service marks or logos of Apple Inc. may |
be used to endorse or promote products derived from the Apple Software |
without specific prior written permission from Apple. Except as |
expressly stated in this notice, no other rights or licenses, express or |
implied, are granted by Apple herein, including but not limited to any |
patent rights that may be infringed by your derivative works or by other |
works in which the Apple Software may be incorporated. |
|
The Apple Software is provided by Apple on an "AS IS" basis. APPLE |
MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION |
THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS |
FOR A PARTICULAR PURPOSE, REGARDING THE APPLE SOFTWARE OR ITS USE AND |
OPERATION ALONE OR IN COMBINATION WITH YOUR PRODUCTS. |
|
IN NO EVENT SHALL APPLE BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL |
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
INTERRUPTION) ARISING IN ANY WAY OUT OF THE USE, REPRODUCTION, |
MODIFICATION AND/OR DISTRIBUTION OF THE APPLE SOFTWARE, HOWEVER CAUSED |
AND WHETHER UNDER THEORY OF CONTRACT, TORT (INCLUDING NEGLIGENCE), |
STRICT LIABILITY OR OTHERWISE, EVEN IF APPLE HAS BEEN ADVISED OF THE |
POSSIBILITY OF SUCH DAMAGE. |
|
Copyright (C) 2010 Apple Inc. All Rights Reserved. |
|
*/ |
|
#import "KeychainItemWrapper.h" |
#import <Security/Security.h> |
|
/* |
|
These are the default constants and their respective types, |
available for the kSecClassGenericPassword Keychain Item class: |
|
kSecAttrAccessGroup - CFStringRef |
kSecAttrCreationDate - CFDateRef |
kSecAttrModificationDate - CFDateRef |
kSecAttrDescription - CFStringRef |
kSecAttrComment - CFStringRef |
kSecAttrCreator - CFNumberRef |
kSecAttrType - CFNumberRef |
kSecAttrLabel - CFStringRef |
kSecAttrIsInvisible - CFBooleanRef |
kSecAttrIsNegative - CFBooleanRef |
kSecAttrAccount - CFStringRef |
kSecAttrService - CFStringRef |
kSecAttrGeneric - CFDataRef |
|
See the header file Security/SecItem.h for more details. |
|
*/ |
|
@interface KeychainItemWrapper (PrivateMethods) |
/* |
The decision behind the following two methods (secItemFormatToDictionary and dictionaryToSecItemFormat) was |
to encapsulate the transition between what the detail view controller was expecting (NSString *) and what the |
Keychain API expects as a validly constructed container class. |
*/ |
- (NSMutableDictionary *)secItemFormatToDictionary:(NSDictionary *)dictionaryToConvert; |
- (NSMutableDictionary *)dictionaryToSecItemFormat:(NSDictionary *)dictionaryToConvert; |
|
// Updates the item in the keychain, or adds it if it doesn't exist. |
- (void)writeToKeychain; |
|
@end |
|
@implementation KeychainItemWrapper |
|
@synthesize keychainItemData, genericPasswordQuery; |
|
- (id)initWithIdentifier: (NSString *)identifier accessGroup:(NSString *) accessGroup; |
{ |
if (self = [super init]) |
{ |
// Begin Keychain search setup. The genericPasswordQuery leverages the special user |
// defined attribute kSecAttrGeneric to distinguish itself between other generic Keychain |
// items which may be included by the same application. |
genericPasswordQuery = [[NSMutableDictionary alloc] init]; |
|
[genericPasswordQuery setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass]; |
[genericPasswordQuery setObject:identifier forKey:(id)kSecAttrGeneric]; |
|
// The keychain access group attribute determines if this item can be shared |
// amongst multiple apps whose code signing entitlements contain the same keychain access group. |
if (accessGroup != nil) |
{ |
#if TARGET_IPHONE_SIMULATOR |
// Ignore the access group if running on the iPhone simulator. |
// |
// Apps that are built for the simulator aren't signed, so there's no keychain access group |
// for the simulator to check. This means that all apps can see all keychain items when run |
// on the simulator. |
// |
// If a SecItem contains an access group attribute, SecItemAdd and SecItemUpdate on the |
// simulator will return -25243 (errSecNoAccessForItem). |
#else |
[genericPasswordQuery setObject:accessGroup forKey:(id)kSecAttrAccessGroup]; |
#endif |
} |
|
// Use the proper search constants, return only the attributes of the first match. |
[genericPasswordQuery setObject:(id)kSecMatchLimitOne forKey:(id)kSecMatchLimit]; |
[genericPasswordQuery setObject:(id)kCFBooleanTrue forKey:(id)kSecReturnAttributes]; |
|
NSDictionary *tempQuery = [NSDictionary dictionaryWithDictionary:genericPasswordQuery]; |
|
NSMutableDictionary *outDictionary = nil; |
|
if (! SecItemCopyMatching((CFDictionaryRef)tempQuery, (CFTypeRef *)&outDictionary) == noErr) |
{ |
// Stick these default values into keychain item if nothing found. |
[self resetKeychainItem]; |
|
// Add the generic attribute and the keychain access group. |
[keychainItemData setObject:identifier forKey:(id)kSecAttrGeneric]; |
if (accessGroup != nil) |
{ |
#if TARGET_IPHONE_SIMULATOR |
// Ignore the access group if running on the iPhone simulator. |
// |
// Apps that are built for the simulator aren't signed, so there's no keychain access group |
// for the simulator to check. This means that all apps can see all keychain items when run |
// on the simulator. |
// |
// If a SecItem contains an access group attribute, SecItemAdd and SecItemUpdate on the |
// simulator will return -25243 (errSecNoAccessForItem). |
#else |
[keychainItemData setObject:accessGroup forKey:(id)kSecAttrAccessGroup]; |
#endif |
} |
} |
else |
{ |
// load the saved data from Keychain. |
self.keychainItemData = [self secItemFormatToDictionary:outDictionary]; |
} |
|
[outDictionary release]; |
} |
|
return self; |
} |
|
- (void)dealloc |
{ |
[keychainItemData release]; |
[genericPasswordQuery release]; |
|
[super dealloc]; |
} |
|
- (void)setObject:(id)inObject forKey:(id)key |
{ |
if (inObject == nil) return; |
id currentObject = [keychainItemData objectForKey:key]; |
if (![currentObject isEqual:inObject]) |
{ |
[keychainItemData setObject:inObject forKey:key]; |
[self writeToKeychain]; |
} |
} |
|
- (id)objectForKey:(id)key |
{ |
return [keychainItemData objectForKey:key]; |
} |
|
- (void)resetKeychainItem |
{ |
OSStatus junk = noErr; |
if (!keychainItemData) |
{ |
self.keychainItemData = [[NSMutableDictionary alloc] init]; |
} |
else if (keychainItemData) |
{ |
NSMutableDictionary *tempDictionary = [self dictionaryToSecItemFormat:keychainItemData]; |
junk = SecItemDelete((CFDictionaryRef)tempDictionary); |
NSAssert( junk == noErr || junk == errSecItemNotFound, @"Problem deleting current dictionary." ); |
} |
|
// Default attributes for keychain item. |
[keychainItemData setObject:@"" forKey:(id)kSecAttrAccount]; |
[keychainItemData setObject:@"" forKey:(id)kSecAttrLabel]; |
[keychainItemData setObject:@"" forKey:(id)kSecAttrDescription]; |
|
// Default data for keychain item. |
[keychainItemData setObject:@"" forKey:(id)kSecValueData]; |
} |
|
- (NSMutableDictionary *)dictionaryToSecItemFormat:(NSDictionary *)dictionaryToConvert |
{ |
// The assumption is that this method will be called with a properly populated dictionary |
// containing all the right key/value pairs for a SecItem. |
|
// Create a dictionary to return populated with the attributes and data. |
NSMutableDictionary *returnDictionary = [NSMutableDictionary dictionaryWithDictionary:dictionaryToConvert]; |
|
// Add the Generic Password keychain item class attribute. |
[returnDictionary setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass]; |
|
// Convert the NSString to NSData to meet the requirements for the value type kSecValueData. |
// This is where to store sensitive data that should be encrypted. |
NSString *passwordString = [dictionaryToConvert objectForKey:(id)kSecValueData]; |
[returnDictionary setObject:[passwordString dataUsingEncoding:NSUTF8StringEncoding] forKey:(id)kSecValueData]; |
|
return returnDictionary; |
} |
|
- (NSMutableDictionary *)secItemFormatToDictionary:(NSDictionary *)dictionaryToConvert |
{ |
// The assumption is that this method will be called with a properly populated dictionary |
// containing all the right key/value pairs for the UI element. |
|
// Create a dictionary to return populated with the attributes and data. |
NSMutableDictionary *returnDictionary = [NSMutableDictionary dictionaryWithDictionary:dictionaryToConvert]; |
|
// Add the proper search key and class attribute. |
[returnDictionary setObject:(id)kCFBooleanTrue forKey:(id)kSecReturnData]; |
[returnDictionary setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass]; |
|
// Acquire the password data from the attributes. |
NSData *passwordData = NULL; |
if (SecItemCopyMatching((CFDictionaryRef)returnDictionary, (CFTypeRef *)&passwordData) == noErr) |
{ |
// Remove the search, class, and identifier key/value, we don't need them anymore. |
[returnDictionary removeObjectForKey:(id)kSecReturnData]; |
|
// Add the password to the dictionary, converting from NSData to NSString. |
NSString *password = [[[NSString alloc] initWithBytes:[passwordData bytes] length:[passwordData length] |
encoding:NSUTF8StringEncoding] autorelease]; |
[returnDictionary setObject:password forKey:(id)kSecValueData]; |
} |
else |
{ |
// Don't do anything if nothing is found. |
NSAssert(NO, @"Serious error, no matching item found in the keychain.\n"); |
} |
|
[passwordData release]; |
|
return returnDictionary; |
} |
|
- (void)writeToKeychain |
{ |
NSDictionary *attributes = NULL; |
NSMutableDictionary *updateItem = NULL; |
OSStatus result; |
|
if (SecItemCopyMatching((CFDictionaryRef)genericPasswordQuery, (CFTypeRef *)&attributes) == noErr) |
{ |
// First we need the attributes from the Keychain. |
updateItem = [NSMutableDictionary dictionaryWithDictionary:attributes]; |
// Second we need to add the appropriate search key/values. |
[updateItem setObject:[genericPasswordQuery objectForKey:(id)kSecClass] forKey:(id)kSecClass]; |
|
// Lastly, we need to set up the updated attribute list being careful to remove the class. |
NSMutableDictionary *tempCheck = [self dictionaryToSecItemFormat:keychainItemData]; |
[tempCheck removeObjectForKey:(id)kSecClass]; |
|
#if TARGET_IPHONE_SIMULATOR |
// Remove the access group if running on the iPhone simulator. |
// |
// Apps that are built for the simulator aren't signed, so there's no keychain access group |
// for the simulator to check. This means that all apps can see all keychain items when run |
// on the simulator. |
// |
// If a SecItem contains an access group attribute, SecItemAdd and SecItemUpdate on the |
// simulator will return -25243 (errSecNoAccessForItem). |
// |
// The access group attribute will be included in items returned by SecItemCopyMatching, |
// which is why we need to remove it before updating the item. |
[tempCheck removeObjectForKey:(id)kSecAttrAccessGroup]; |
#endif |
|
// An implicit assumption is that you can only update a single item at a time. |
|
result = SecItemUpdate((CFDictionaryRef)updateItem, (CFDictionaryRef)tempCheck); |
NSAssert( result == noErr, @"Couldn't update the Keychain Item." ); |
} |
else |
{ |
// No previous item found; add the new one. |
result = SecItemAdd((CFDictionaryRef)[self dictionaryToSecItemFormat:keychainItemData], NULL); |
NSAssert( result == noErr, @"Couldn't add the Keychain Item." ); |
} |
} |
|
@end |
