error 25299 when trying to store values with access mode kSecAttrAccessibleAlways
tompson opened this issue · 3 comments
the library https://github.com/p2/OAuth2 uses SwiftKeychain to store Oauth2 tokens in the keychain, it does this with the default setting kSecAttrAccessibleWhenUnlocked
As soon as I try to use kSecAttrAccessibleAlways I get the error
Failed to store to keychain: The process could not be completed. (swift.keychain.error.domain-Fehler -25299.)
found out the reason for this: when you try to add an entry with a different access mode it can not be stored because it is not unique
the problem is that access mode is not considered for uniqueness but considered for query, so the remove request did not remove the entry
+1
I ran into this problem too, except with the the scenario of using "onFirstUnlock", which by the way if you are storing login credentials is the safest and most secure. If you store as "always", it is stores unencrypted in the keychain, with the first unlock, it is accessible by the time you application opens after its been unlocked by the user, and is encrypted with the built in hardware encryption key. Since we need to use the access token while the application is in the background, you must use "Always" or "On first Unlock". I'd strongly recommend to the project admins to move the default to be "OnFirstUnlock" from "Unlock" since unlock is only available while the application is in the foreground, so if you application makes use of ANY extensions, or runs in the background for any amount of time, that token is not available, since it is in the background.
If you have a previously stored key, that key has the access control defined as "OnUnlock", so it is not found in the query, so you get a -25300, on the OSStatus response. Then when you go to insert it with the new value, there is an error on the insert getting the -25299, duplicate found, since there is in fact a keychain item there. When you respond on the errSecDuplicateItem (-25299), the delete fails with a -25300 since it can not find that item to delete. Then it gets re added, and fails for the same reason the initial failure occurred:
The solution i found was to change:
public func insertItemWithAttributes(attributes: [String: AnyObject]) throws {
var statusCode = SecItemAdd(attributes, nil)
if statusCode == errSecDuplicateItem {
SecItemDelete(attributes)
statusCode = SecItemAdd(attributes, nil)
}
if statusCode != errSecSuccess {
throw errorForStatusCode(statusCode)
}
}
to
public func insertItemWithAttributes(attributes: [String: AnyObject]) throws {
var statusCode = SecItemAdd(attributes, nil)
if statusCode == errSecDuplicateItem {
var removeAttributes = attributes
removeAttributes.removeValueForKey(String(kSecAttrAccessible))
SecItemDelete(removeAttributes)
statusCode = SecItemAdd(attributes, nil)
}
if statusCode != errSecSuccess {
throw errorForStatusCode(statusCode)
}
}
and to also change the removeItem in a similar way to ensure it is removed, on say logout:
public func removeItemWithAttributes(attributes: [String: AnyObject]) throws {
var removeAttributes = attributes
removeAttributes.removeValueForKey(String(kSecAttrAccessible))
let statusCode = SecItemDelete(removeAttributes)
if statusCode != errSecSuccess {
throw errorForStatusCode(statusCode)
}
}
I've tested this in local code, but have not yet forked, and done a PR for it, but it appears to solve the issue.