是什么让钥匙串项目独一无二(在 iOS 中)? [英] What makes a keychain item unique (in iOS)?

问题描述

我的问题涉及 iOS(iPhone、iPad 等)中的钥匙串.我认为(但不确定)Mac OS X 下钥匙串的实现提出了同样的问题和同样的答案.

My question concerns keychains in iOS (iPhone, iPad, ...). I think (but am not sure) that the implementation of keychains under Mac OS X raises the same question with the same answer.

iOS 提供了五种类型(类)的钥匙串项目.您必须为键 kSecClass 选择这五个值之一来确定类型:

iOS provides five types (classes) of keychain items. You must chose one of those five values for the key kSecClass to determine the type:

kSecClassGenericPassword  used to store a generic password
kSecClassInternetPassword used to store an internet password
kSecClassCertificate      used to store a certificate
kSecClassKey              used to store a kryptographic key
kSecClassIdentity         used to store an identity (certificate + private key)

长时间阅读苹果文档、博客和论坛条目后，我发现 kSecClassGenericPassword 类型的钥匙串项从属性 kSecAttrAccessGroup、<代码>kSecAttrAccount 和 kSecAttrService.

After long time of reading apples documentation, blogs and forum-entries, I found out that a keychain item of type kSecClassGenericPassword gets its uniqueness from the attributes kSecAttrAccessGroup, kSecAttrAccount and kSecAttrService.

如果请求 1 中的这三个属性与请求 2 中的相同，那么您将收到相同的通用密码钥匙串项目，而不管其他任何属性.如果此属性中的一个(或两个或全部)更改了其值，那么您将获得不同的项目.

If those three attributes in request 1 are the same as in request 2, then you receive the same generic password keychain item, regardless of any other attributes. If one (or two or all) of this attributes changes its value, then you get different items.

但是 kSecAttrService 仅适用于 kSecClassGenericPassword 类型的项目，因此它不能成为任何其他类型项目的唯一键"的一部分，并且似乎没有文档明确指出哪些属性唯一地确定了钥匙串项目.

But kSecAttrService is only available for items of type kSecClassGenericPassword, so it can't be part of the "unique key" of an item of any other type, and there seems to be no documentation that points out clearly which attributes uniquely determine a keychain item.

GenericKeychain"的KeychainItemWrapper"类中的示例代码使用属性kSecAttrGeneric来使项目唯一，但这是一个错误.此示例中的两个条目仅存储为两个不同的条目，因为它们的 kSecAttrAccessGroup 不同(一个设置了访问组，另一个让它自由).如果您尝试使用 Apple 的 KeychainItemWrapper 在没有访问组的情况下添加第二个密码，则会失败.

The sample code in the class "KeychainItemWrapper" of "GenericKeychain" uses the attribute kSecAttrGeneric to make an item unique, but this is a bug. The two entries in this example only are stored as two distinct entries, because their kSecAttrAccessGroup is different (one has the access group set, the other lets it free). If you try to add a 2nd password without an access group, using Apple's KeychainItemWrapper, you will fail.

那么，请回答我的问题:

• 是吗，kSecAttrAccessGroup、kSecAttrAccount 和 kSecAttrService 的组合是 kSecClass 为kSecClassGenericPassword?
• 如果 kSecClass 不是 kSecClassGenericPassword，哪些属性使钥匙串项目独一无二?

• Is it true, that the combination of kSecAttrAccessGroup, kSecAttrAccount and kSecAttrService is the "unique key" of a keychain item whose kSecClass is kSecClassGenericPassword?
• Which attributes makes a keychain item unique if its kSecClass is not kSecClassGenericPassword?

推荐答案

主键如下(派生自苹果开源文件，见Schema.m4，KeySchema.m4 和 SecItem.cpp):

The primary keys are as follows (derived from open source files from Apple, see Schema.m4, KeySchema.m4 and SecItem.cpp):

• 对于 kSecClassGenericPassword 类的钥匙串项，主键是kSecAttrAccount 和 kSecAttrService.
• 对于kSecClassInternetPassword类的keychain项，主键是kSecAttrAccount、kSecAttrSecurityDomain、kSecAttrServer、kSecAttrProtocol、kSecAttrAuthenticationType、kSecAttrPort 和 kSecAttrPath.
• 对于kSecClassCertificate类的keychain项，主键是kSecAttrCertificateType、kSecAttrIssuer和kSecAttrSerialNumber.
• 对于kSecClassKey类的keychain item，主键是kSecAttrApplicationLabel、kSecAttrApplicationTag、kSecAttrKeyType的组合>,kSecAttrKeySizeInBits、kSecAttrEffectiveKeySize，以及SecItem尚未公开的创建者、开始日期和结束日期.
• 对于 kSecClassIdentity 类的钥匙串项目，我没有在开源文件中找到有关主键字段的信息，但由于身份是私钥和证书的组合，我假设主键是 kSecClassKey 和 kSecClassCertificate 的主键字段的组合.

• For a keychain item of class kSecClassGenericPassword, the primary key is the combination of kSecAttrAccount and kSecAttrService.
• For a keychain item of class kSecClassInternetPassword, the primary key is the combination of kSecAttrAccount, kSecAttrSecurityDomain, kSecAttrServer, kSecAttrProtocol, kSecAttrAuthenticationType, kSecAttrPort and kSecAttrPath.
• For a keychain item of class kSecClassCertificate, the primary key is the combination of kSecAttrCertificateType, kSecAttrIssuer and kSecAttrSerialNumber.
• For a keychain item of class kSecClassKey, the primary key is the combination of kSecAttrApplicationLabel, kSecAttrApplicationTag, kSecAttrKeyType, kSecAttrKeySizeInBits, kSecAttrEffectiveKeySize, and the creator, start date and end date which are not exposed by SecItem yet.
• For a keychain item of class kSecClassIdentity I haven't found info on the primary key fields in the open source files, but as an identity is the combination of a private key and a certificate, I assume the primary key is the combination of the primary key fields for kSecClassKey and kSecClassCertificate.

由于每个钥匙串项都属于一个钥匙串访问组，所以感觉钥匙串访问组(字段 kSecAttrAccessGroup)是所有这些主键的附加字段.

As each keychain item belongs to a keychain access group, it feels like the keychain access group (field kSecAttrAccessGroup) is an added field to all these primary keys.

这篇关于是什么让钥匙串项目独一无二(在 iOS 中)?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！