
Added item class feature

Open Oleygen opened this issue 6 years ago • 9 comments

Adding the possibility to set a class for items in set/get/delete/clear. Backwards compatibility is preserved by using a default parameter (genericPassword). Please check if this pull request is valuable for your library, and notify me if it needs any improvement or I've missed some caveats. Please note: the Objective-C compatibility changes are missing, and maybe some other files should be modified (you can help if you specify what I may have missed).

Oleygen avatar Jan 26 '19 12:01 Oleygen

Thanks for the update @Oleygen. What motivated you to add this feature?

evgenyneu avatar Jan 27 '19 01:01 evgenyneu

I'm using your lib in my app. I need to store an RSA private key on a device, and I've noticed that all items are stored as passwords, which is not correct for my case.

Oleygen avatar Jan 27 '19 11:01 Oleygen

Did you need to store your key as kSecClassCertificate?

evgenyneu avatar Jan 27 '19 11:01 evgenyneu

Yes, exactly

Oleygen avatar Jan 27 '19 11:01 Oleygen

Is saving text as kSecClassCertificate different than saving it as kSecClassGenericPassword?

evgenyneu avatar Jan 28 '19 08:01 evgenyneu

  1. It differs in the way it is displayed in the keychain.
  2. Apple documentation notes that items are stored on disk in a different way, based on their class (see https://developer.apple.com/documentation/security/keychain_services/keychain_items/item_class_keys_and_values).

Oleygen avatar Jan 30 '19 14:01 Oleygen

> It differs in the way it is displayed in the keychain.

In what "way", sorry? And why does it matter?

> Apple documentation notes that items are stored on disk in a different way, based on their class (see https://developer.apple.com/documentation/security/keychain_services/keychain_items/item_class_keys_and_values).

The documentation says:

> The item's class dictates which attributes apply and enables the system to decide whether or not the data should be encrypted on disk. For example, passwords require encryption, but certificates don't because they are not secret.

So I guess, the text stored as kSecClassCertificate won't be encrypted in the keychain. Why is it important to store things without encryption?

evgenyneu avatar Jan 30 '19 23:01 evgenyneu

Here is the keychain UI block: https://imgur.com/a/BNjyRNa. As you can see, passwords, certs and keys are separated. To summarize our conversation: yes, item class is mostly about semantics.

What do you think, do you need these changes for your repo? Because I'd like to be fully correct in my apps. Also, I'd like to add a Swift enum wrapper on top of the OSStatus error; I will add a pull request later.

Oleygen avatar Feb 01 '19 09:02 Oleygen

> What do you think, do you need these changes for your repo?

No, sorry. While specifying keychain classes will be useful to some users of the library, I am not sure this is something that the majority of users of this library care about. I don't think it is worth increasing the complexity of the library to introduce this feature. The only point of this library is to save text to the keychain without caring about details. There are many alternative full-featured Keychain libraries that people can choose if they need extra features.

> Also, I'd like to add a Swift enum wrapper on top of the OSStatus error; I will add a pull request later.

Cool, could you explain what this change is about and your motivation before implementing it?

evgenyneu avatar Feb 01 '19 09:02 evgenyneu
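The two ideas raised in this thread, an item-class parameter with a backwards-compatible generic-password default and a Swift enum wrapping the raw OSStatus codes, sketched together as an added example. This is not keychain-swift's code nor the PR author's; the `KeychainItemClass`, `KeychainError` and `KeychainStore` names and the `com.example.demo` service identifier are assumptions made here. It exercises only the default class: `kSecAttrService`/`kSecAttrAccount` are password-class attributes, so storing items under `kSecClassKey` or `kSecClassCertificate` needs the class-specific attribute keys from the Apple page linked above, and, as the quoted documentation states, certificate-class items are not treated as secret and are not encrypted on disk.

```swift
import Foundation
import Security

// Added example, not keychain-swift's own code. The item class becomes a
// parameter with the same backwards-compatible default the PR proposes
// (generic password), and OSStatus is mapped onto a Swift error enum.
enum KeychainItemClass {
    case genericPassword, internetPassword, certificate, key, identity

    var secClass: CFString {
        switch self {
        case .genericPassword: return kSecClassGenericPassword
        case .internetPassword: return kSecClassInternetPassword
        case .certificate:     return kSecClassCertificate   // not encrypted on disk (not secret)
        case .key:             return kSecClassKey
        case .identity:        return kSecClassIdentity
        }
    }
}

// Swift wrapper over the raw OSStatus codes returned by the SecItem* calls.
enum KeychainError: Error {
    case itemNotFound
    case duplicateItem
    case authFailed
    case unexpectedData
    case other(OSStatus)

    init(status: OSStatus) {
        switch status {
        case errSecItemNotFound:  self = .itemNotFound
        case errSecDuplicateItem: self = .duplicateItem
        case errSecAuthFailed:    self = .authFailed
        default:                  self = .other(status)
        }
    }
}

struct KeychainStore {
    let service: String   // assumed service identifier, e.g. the app's bundle id

    // kSecAttrService / kSecAttrAccount only apply to the password classes;
    // other classes need their own attribute keys (kSecAttrApplicationTag, ...).
    private func query(_ key: String, itemClass: KeychainItemClass) -> [String: Any] {
        [
            kSecClass as String: itemClass.secClass,
            kSecAttrService as String: service,
            kSecAttrAccount as String: key,
        ]
    }

    func set(_ value: String, forKey key: String,
             itemClass: KeychainItemClass = .genericPassword) throws {
        var attrs = query(key, itemClass: itemClass)
        attrs[kSecValueData as String] = Data(value.utf8)
        // Readable only while the device is unlocked; never migrates to another device.
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

        var status = SecItemAdd(attrs as CFDictionary, nil)
        if status == errSecDuplicateItem {
            // The item already exists: replace its value instead of failing.
            let update = [kSecValueData as String: Data(value.utf8)]
            status = SecItemUpdate(query(key, itemClass: itemClass) as CFDictionary,
                                   update as CFDictionary)
        }
        guard status == errSecSuccess else { throw KeychainError(status: status) }
    }

    func get(_ key: String, itemClass: KeychainItemClass = .genericPassword) throws -> String {
        var q = query(key, itemClass: itemClass)
        q[kSecReturnData as String] = true
        q[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: AnyObject?
        let status = SecItemCopyMatching(q as CFDictionary, &result)
        guard status == errSecSuccess else { throw KeychainError(status: status) }
        guard let data = result as? Data, let text = String(data: data, encoding: .utf8) else {
            throw KeychainError.unexpectedData
        }
        return text
    }

    func delete(_ key: String, itemClass: KeychainItemClass = .genericPassword) throws {
        let status = SecItemDelete(query(key, itemClass: itemClass) as CFDictionary)
        // Deleting a missing item is not an error for the caller.
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError(status: status)
        }
    }
}

// Usage: existing callers keep working because the class defaults to genericPassword.
let store = KeychainStore(service: "com.example.demo")
do {
    try store.set("s3cret", forKey: "api-token")
    let token = try store.get("api-token")
    print(token)
    try store.delete("api-token")
} catch {
    print("keychain error: \(error)")
}
```

The `delete` path treats `errSecItemNotFound` as success so that a "clear" style call stays idempotent, while `set` falls back to `SecItemUpdate` on `errSecDuplicateItem` rather than deleting and re-adding, which keeps the item's existing attributes and access control intact.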