是什么让钥匙串项目独一无二(在iOS中)? [英] What makes a keychain item unique (in iOS)?
问题描述
我的问题涉及iOS(iPhone,iPad,...)中的钥匙串。我认为(但不确定)Mac OS X下的钥匙串的实现会以相同的答案提出相同的问题。
My question concerns keychains in iOS (iPhone, iPad, ...). I think (but am not sure) that the implementation of keychains under Mac OS X raises the same question with the same answer.
iOS提供五种类型(类)的钥匙串项。您必须为键 kSecClass
选择这五个值中的一个来确定类型:
iOS provides five types (classes) of keychain items. You must chose one of those five values for the key kSecClass
to determine the type:
kSecClassGenericPassword used to store a generic password
kSecClassInternetPassword used to store an internet password
kSecClassCertificate used to store a certificate
kSecClassKey used to store a kryptographic key
kSecClassIdentity used to store an identity (certificate + private key)
经过长时间阅读苹果文档,博客和论坛 - 条目,我发现了该类型的钥匙串项目 kSecClassGenericPassword
从属性获取其独特性 kSecAttrAccessGroup
, kSecAttrAccount
和 kSecAttrService
。
After long time of reading apples documentation, blogs and forum-entries, I found out that a keychain item of type kSecClassGenericPassword
gets its uniqueness from the attributes kSecAttrAccessGroup
, kSecAttrAccount
and kSecAttrService
.
如果请求1中的这三个属性是与请求2中的相同,无论其他任何属性如何,您都会收到相同的通用密码keychain项。如果此属性中的一个(或两个或全部)更改其值,则会获得不同的项目。
If those three attributes in request 1 are the same as in request 2, then you receive the same generic password keychain item, regardless of any other attributes. If one (or two or all) of this attributes changes its value, then you get different items.
但 kSecAttrService
仅适用于 kSecClassGenericPassword
类型的项目,因此它不能是任何其他类型的项目的唯一键的一部分,并且似乎没有文档,明确指出哪些属性唯一确定一个钥匙串项。
But kSecAttrService
is only available for items of type kSecClassGenericPassword
, so it can't be part of the "unique key" of an item of any other type, and there seems to be no documentation that points out clearly which attributes uniquely determine a keychain item.
GenericKeychain类KeychainItemWrapper中的示例代码使用属性 kSecAttrGeneric
使项目唯一,但这是一个错误。此示例中的两个条目仅存储为两个不同的条目,因为它们的 kSecAttrAccessGroup
不同(一个设置了访问组,另一个允许它自由)。如果您尝试添加没有访问组的第二个密码,使用Apple的 KeychainItemWrapper
,您将失败。
The sample code in the class "KeychainItemWrapper" of "GenericKeychain" uses the attribute kSecAttrGeneric
to make an item unique, but this is a bug. The two entries in this example only are stored as two distinct entries, because their kSecAttrAccessGroup
is different (one has the access group set, the other lets it free). If you try to add a 2nd password without an access group, using Apple's KeychainItemWrapper
, you will fail.
所以,请回答我的问题:
- 这是不是
的组合kSecAttrAccessGroup
,kSecAttrAccount
和kSecAttrService
是kSecClass的钥匙串项的唯一键是kSecClassGenericPassword
? - 如果
kSecClass 不是 kSecClassGenericPassword
,哪些属性会使钥匙串项唯一?
- Is it true, that the combination of
kSecAttrAccessGroup
,kSecAttrAccount
andkSecAttrService
is the "unique key" of a keychain item whose kSecClass iskSecClassGenericPassword
? - Which attributes makes a keychain item unique if its
kSecClass
is notkSecClassGenericPassword
?
推荐答案
主键如下(源自Apple的开源文件,请参阅 Schema.m4 , KeySchema.m4 和 SecItem.cpp ):
The primary keys are as follows (derived from open source files from Apple, see Schema.m4, KeySchema.m4 and SecItem.cpp):
- 对于类
kSecClassGenericPassword
的钥匙串项,主键是
kSecAttrAccount $ c $的组合c>和
kSecAttrService
。 - 对于类
k的钥匙串项SecClassInternetPassword
,主键是kSecAttrAccount
,kSecAttrSecurityDomain
,<$ c $的组合c> kSecAttrServer ,kSecAttrProtocol
,kSecAttrAuthenticationType
,kSecAttrPort
和kSecAttrPath
。 - 对于类
的钥匙串项目,kSecClassCertificate
,主键是kSecAttrCertificateType
,kSecAttrIssuer
和kSecAttrSerialNumber $的组合c $ c>。
- 对于类
kSecClassKey
的钥匙串项,主键是的组合kSecAttrApplicationLabel
,kSecAttrApplicationTag
,kSecAttrKeyType
,
kSecAttrKeySizeInBits
,kSecAttrEffectiveKeySize
,以及SecItem尚未公开的创建者,开始日期和结束日期。 - 对于类
kSecClassIdentity
的钥匙串项目,我还没有找到关于prima的信息在开源文件中的关键字段,但由于标识是私钥和证书的组合,我假设主键是kSecClassKey $ c $的主键字段的组合c>和
kSecClassCertificate
。
- For a keychain item of class
kSecClassGenericPassword
, the primary key is the combination ofkSecAttrAccount
andkSecAttrService
. - For a keychain item of class
kSecClassInternetPassword
, the primary key is the combination ofkSecAttrAccount
,kSecAttrSecurityDomain
,kSecAttrServer
,kSecAttrProtocol
,kSecAttrAuthenticationType
,kSecAttrPort
andkSecAttrPath
. - For a keychain item of class
kSecClassCertificate
, the primary key is the combination ofkSecAttrCertificateType
,kSecAttrIssuer
andkSecAttrSerialNumber
. - For a keychain item of class
kSecClassKey
, the primary key is the combination ofkSecAttrApplicationLabel
,kSecAttrApplicationTag
,kSecAttrKeyType
,kSecAttrKeySizeInBits
,kSecAttrEffectiveKeySize
, and the creator, start date and end date which are not exposed by SecItem yet. - For a keychain item of class
kSecClassIdentity
I haven't found info on the primary key fields in the open source files, but as an identity is the combination of a private key and a certificate, I assume the primary key is the combination of the primary key fields forkSecClassKey
andkSecClassCertificate
.
由于每个钥匙串项属于钥匙串访问权限组,感觉就像钥匙串访问组(字段 kSecAttrAccessGroup
)是所有这些主键的添加字段。
As each keychain item belongs to a keychain access group, it feels like the keychain access group (field kSecAttrAccessGroup
) is an added field to all these primary keys.
这篇关于是什么让钥匙串项目独一无二(在iOS中)?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!