OSStatus Code -1009, com.apple.LocalAuthentication

I am trying to verify encryption using the iOS keychain.

Domain=com.apple.LocalAuthentication Code=-1009 "ACL operation is not allowed: 'od'" UserInfo={NSLocalizedDescription=ACL operation is not allowed: 'od'} 

This is my test code:

    func testEncryptKeychain() {
        let promise = expectation(description: "Unlock")
        let data: Data! = self.sampleData
        let text: String! = self.sampleText
        let chain = Keychain(account: "tester",
                             serviceName: "testing2",
                             access: .whenPasscodeSetThisDeviceOnly,
                             accessGroup: nil)
        chain.unlockChain { reply, error in
            defer { promise.fulfill() }
            guard error == nil else {
                // ** FAILS ON THIS LINE WITH OSSTATUS ERROR **
                XCTAssert(false, "Error: \(String(describing: error))")
                return
            }
            guard let cipherData = try? chain.encrypt(data) else {
                XCTAssert(false, "Cipher Data not created")
                return
            }
            XCTAssertNotEqual(cipherData, data)
            guard let clearData = try? chain.decrypt(cipherData) else {
                XCTAssert(false, "Clear Data not decrypted")
                return
            }
            XCTAssertEqual(clearData, data)
            let clearText = String(data: clearData, encoding: .utf8)
            XCTAssertEqual(clearText, text)
        }
        // Wait only after the async unlock has been started; waiting before
        // calling unlockChain can only time out, since nothing fulfills the promise.
        wait(for: [promise], timeout: 30)
    }

And this is the async unlockChain base code:

    // context is an LAContext; control is the SecAccessControl built in init
    func unlockChain(_ callback: @escaping (Bool, Error?) -> Void) {
        var error: NSError? = nil
        guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) else {
            callback(false, error)
            return
        }
        // Pre-authorize creating an item under the ACL, then using it.
        // The reply and error of the createItem step are not checked here.
        context.evaluateAccessControl(control, operation: .createItem,
                                      localizedReason: "Access your Account") { (reply, error) in
            self.context.evaluateAccessControl(self.control, operation: .useItem,
                                               localizedReason: "Access your Account") { (reply, error) in
                self.unlocked = reply
                callback(reply, error)
            }
        }
    }

Here's how the context and control objects are created:

    init(account: String,
         serviceName: String = (Bundle.main.bundleIdentifier ?? ""),
         access: Accessibility = .whenUnlocked,
         accessGroup: String? = nil) {
        self.account = account
        self.serviceName = serviceName
        self.accessGroup = accessGroup
        self.access = access
        var error: Unmanaged<CFError>? = nil
        // access.attrValue maps Accessibility to a kSecAttrAccessible* constant
        self.control = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                                       access.attrValue,
                                                       [.privateKeyUsage],
                                                       &error)
        if let e: Error = error?.takeRetainedValue() {
            Log.error(e)
        }
        self.context = LAContext()
    }

I cannot find any information about this error:

 Domain=com.apple.LocalAuthentication Code=-1009 

The OSStatus code website does not contain anything for it.

Any help is appreciated, thanks.

1 answer

I solved the same problem by deleting the previous private key before creating a new one.

I would suggest that on iOS 10 (on 11 there was no error), when you call SecKeyCreateRandomKey(...) with the same tag/size but not with the same access settings, it just returns true but uses the old one (feels strange, but who knows?).

Here is the lazy C function I just made to remove it (just remember to set ApplicationPrivateKeyTag):

    #include <stdbool.h>
    #include <Security/Security.h>

    // Deletes the private key stored under ApplicationPrivateKeyTag.
    // Returns true when SecItemDelete reports errSecSuccess.
    bool deletePrivateKey(void) {
        CFStringRef ApplicationPrivateKeyTag = CFSTR("your tag here");
        const void* keys[] = {
            kSecAttrApplicationTag,
            kSecClass,
            kSecAttrKeyClass,
            kSecReturnRef,
        };
        const void* values[] = {
            ApplicationPrivateKeyTag,
            kSecClassKey,
            kSecAttrKeyClassPrivate,
            kCFBooleanTrue,
        };
        CFDictionaryRef params = CFDictionaryCreate(kCFAllocatorDefault, keys, values,
                                                    (sizeof(keys) / sizeof(void*)),
                                                    NULL, NULL);
        OSStatus status = SecItemDelete(params);
        if (params) CFRelease(params);
        // CFSTR() literals are constant strings, so this release is a no-op.
        if (ApplicationPrivateKeyTag) CFRelease(ApplicationPrivateKeyTag);
        return status == errSecSuccess;
    }

FWIW: it looks like Apple has updated their documentation on the Security framework and the Secure Enclave; now it is a little easier to understand.

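The delete-then-recreate sequence the answer recommends, written in Swift against the question's setup, as an added example that is not code from the question or the answer. It assumes a hypothetical tag string and builds a Secure Enclave key whose ACL combines the question's kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly accessibility with the .privateKeyUsage flag, so a stale key with a different ACL is never silently reused.

```swift
import Foundation
import Security
import LocalAuthentication

// Hypothetical tag; the answer's C function uses "your tag here" as a placeholder.
let privateKeyTag = "com.example.keychaintest.privatekey".data(using: .utf8)!

/// Removes any private key stored under `privateKeyTag`, so a later
/// SecKeyCreateRandomKey cannot return an old key whose ACL differs.
func deleteExistingPrivateKey() -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
        kSecAttrApplicationTag as String: privateKeyTag,
    ]
    return SecItemDelete(query as CFDictionary)
}

/// Creates a fresh Secure Enclave key whose ACL requires a device passcode
/// to be set and user presence for every private-key operation.
func createPrivateKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let control = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        [.privateKeyUsage, .userPresence],
        &error) else {
        throw error!.takeRetainedValue() as Error
    }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: privateKeyTag,
            kSecAttrAccessControl as String: control,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return key
}

// Delete first, then create: errSecItemNotFound on a first run just means
// there was no old key to remove.
let deleteStatus = deleteExistingPrivateKey()
guard deleteStatus == errSecSuccess || deleteStatus == errSecItemNotFound else {
    fatalError("SecItemDelete failed with OSStatus \(deleteStatus)")
}
let freshKey = try createPrivateKey()
```

Secure Enclave keys must be 256-bit EC keys, so the key type and size above are fixed by that requirement rather than chosen freely.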
