How to add a security identifier (certificate + private key) in iPhone keychain?

Question

How to add a security identifier (certificate + private key) in iPhone keychain?

How to add a security identifier (certificate + private key) in iPhone keychain? I have a .p12 file in the application. I can get an identity from him using SecPKCS12Import (), but when I try to do the following:

NSMutableDictionary *secIdentityParams = [[NSMutableDictionary alloc] init]; [secIdentityParams setObject:(id)kSecClassIdentity forKey:(id)kSecClass]; [secIdentityParams setObject:label forKey:(id)kSecAttrLabel]; [secIdentityParams setObject:(id)myIdentity forKey:(id)kSecValueRef]; status = SecItemAdd((CFDictionaryRef) secIdentityParams, NULL);

I get error = -25291 -> No trust results available. What am I doing wrong?

+6

security iphone

Dmitry Likhachev May 05 '10 at 12:38

source share

3 answers

Dmitry Likhachev · Answer 1 · 2010-05-07T19:10:03+0000

Just use 1 parameter in the attribute dictionary to add the identifier to the keychain:

 NSMutableDictionary *secIdentityParams = [[NSMutableDictionary alloc] init]; [secIdentityParams setObject:(id)myIdentity forKey:(id)kSecValueRef]; OSStatus status = SecItemAdd((CFDictionaryRef) secIdentityParams, NULL);

mbinna · Answer 2 · 2011-02-02T22:14:34+0000

Using kSecValueRef as the only parameter works fine. Do you know why the function does not work when other parameters, for example, kSecClass, are provided? The key binding service reference documents the first SecItemAdd() parameter as follows:

A dictionary containing a key-value element class of a pair [...] and an optional key-value pair of the attribute [...] specifying the value attribute item.

I suggested that kSecClass is a required parameter that should always be present when using SecItemAdd() oder SecItemCopyMatching() . The tasks of the certificate, key, and trusted services in iOS explain the process of adding SecIdentityRef to the keychain as follows (Listing 2-3):

 CFDataRef persistentRefForIdentity(SecIdentityRef identity) { OSStatus status; CFTypeRef identity_handle = NULL; const void *keys[] = { kSecReturnPersistentRef, kSecValueRef }; const void *values[] = { kCFBooleanTrue, identity }; CFDictionaryRef dict = CFDictionaryCreate(NULL, keys, values, 2, NULL, NULL); status = SecItemAdd(dict, &persistent_ref); if (dict) CFRelease(dict); return (CFDataRef)persistent_ref; }

Is this example incorrect?

mbinna · Answer 3 · 2011-02-04T13:25:42+0000

I managed to get Keychain services to return the Persistent Keychain Reference when adding a new SecIdentityRef via SecItemAdd() . Here is the working code:

 - (NSData *)persistentKeychainReferenceForIdentity:(SecIdentityRef)identity { NSData *persistentRef = nil; NSDictionary *attributes = [NSDictionary dictionaryWithObjectsAndKeys: (id)identity, kSecValueRef, (id)kCFBooleanTrue, kSecReturnPersistentRef, nil]; OSStatus itemAddStatus = SecItemAdd((CFDictionaryRef)attributes, (CFTypeRef *)&persistentRef); if (itemAddStatus != errSecSuccess) { return nil; } return persistentRef; }

I hope this helps others too.

How to add a security identifier (certificate + private key) in iPhone keychain?

More articles: