Keychain and Touch ID
keychain结构
keychain结构.png
注意
1 kSecClass Key 定义属于哪一种字典结构
2 不同类型包含不同的Attribute,这些attributes定义了这个item的具体信息
3 每个item可以包含一个密码项来存储对应的密码
keychain 四个方法
增删改查
OSStatus SecItemAdd(CFDictionaryRef attributes, CFTypeRef *result)
SecItemAdd表示往Keychain 里增加一条数据,第一个参数表示数据,第二个参数表示执行该操作后,指向刚添加的这个数据的引用,如果不需要用到这条数据,可以传入NULL(翻译自apple文档)
OSStatus SecItemCopyMatching(CFDictionaryRef query, CFTypeRef *result)
SecItemCopyMatching表示查询Keychain里是否有符号条件的记录。第一个参数查询条件,第二个查询到结果的引用。
OSStatus SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate)
SecItemUpdate更新Keychain里的记录。第一个参数表示查询条件,第二个表示当根据第一个查询条件后,用于更新的值。
OSStatus SecItemDelete(CFDictionaryRef query)
SecItemDelete删除符号查询条件的记录。参数表示查询条件
添加 Add
- (IBAction)add:(id)sender {
if (nameField.text.length > 0 && passwordField.text.length > 0) {
// 一个mutable字典结构存储item信息
NSMutableDictionary* dic = [NSMutableDictionary dictionary];
// 确定所属的类class
[dic setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass];
// 设置其他属性attributes
[dic setObject:nameField.text forKey:(id)kSecAttrAccount];
// 添加密码 secValue 注意是object 是 NSData
[dic setObject:[passwordField.text dataUsingEncoding:NSUTF8StringEncoding] forKey:(id)kSecValueData];
// SecItemAdd
OSStatus s = SecItemAdd((CFDictionaryRef)dic, NULL);
NSLog(@"add : %ld",s);
}
}
查找
// 查找全部
- (IBAction)sel:(id)sender {
NSDictionary* query = [NSDictionary dictionaryWithObjectsAndKeys:kSecClassGenericPassword,kSecClass,
kSecMatchLimitAll,kSecMatchLimit,
kCFBooleanTrue,kSecReturnAttributes,nil];
CFTypeRef result = nil;
OSStatus s = SecItemCopyMatching((CFDictionaryRef)query, &result);
NSLog(@"select all : %ld",s);
NSLog(@"%@",result);
}
// 按名称查找
- (IBAction)sname:(id)sender {
if (nameField.text.length >0) {
// 查找条件:1.class 2.attributes 3.search option
NSDictionary* query = [NSDictionary dictionaryWithObjectsAndKeys:kSecClassGenericPassword,kSecClass,
nameField.text,kSecAttrAccount,
kCFBooleanTrue,kSecReturnAttributes,nil];
CFTypeRef result = nil;
// 先找到一个item
OSStatus s = SecItemCopyMatching((CFDictionaryRef)query, &result);
NSLog(@"select name : %ld",s); // errSecItemNotFound 就是找不到
NSLog(@"%@",result);
if (s == noErr) {
// 继续查找item的secValue
NSMutableDictionary* dic = [NSMutableDictionary dictionaryWithDictionary:result];
// 存储格式
[dic setObject:(id)kCFBooleanTrue forKey:kSecReturnData];
// 确定class
[dic setObject:[query objectForKey:kSecClass] forKey:kSecClass];
NSData* data = nil;
// 查找secValue
if (SecItemCopyMatching((CFDictionaryRef)dic, (CFTypeRef*)&data) == noErr) {
if (data.length)
NSLog(@"%@",[[[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding] autorelease]);
}
}
}
}
# 修改
- (IBAction)update:(id)sender {
if (nameField.text.length >0 && passwordField.text.length > 0) {
// 先查找看看有没有
NSDictionary* query = [NSDictionary dictionaryWithObjectsAndKeys:kSecClassGenericPassword,kSecClass,
nameField.text,kSecAttrAccount,
kCFBooleanTrue,kSecReturnAttributes,nil];
CFTypeRef result = nil;
if (SecItemCopyMatching((CFDictionaryRef)query, &result) == noErr)
{
// 更新后的数据,基础是搜到的result
NSMutableDictionary* update = [NSMutableDictionary dictionaryWithDictionary:(NSDictionary*)result];
// 修改要跟新的项 注意先加后删的class项
[update setObject:[query objectForKey:kSecClass] forKey:kSecClass];
[update setObject:[passwordField.text dataUsingEncoding:NSUTF8StringEncoding] forKey:kSecValueData];
[update removeObjectForKey:kSecClass];
#if TARGET_IPHONE_SIMULATOR
// 模拟器的都有个默认的组“test”,删了,不然会出错
[update removeObjectForKey:(id)kSecAttrAccessGroup];
#endif
// 得到要修改的item,根据result,但要添加class
NSMutableDictionary* updateItem = [NSMutableDictionary dictionaryWithDictionary:result];
[updateItem setObject:[query objectForKey:(id)kSecClass] forKey:(id)kSecClass];
// SecItemUpdate
OSStatus status = SecItemUpdate((CFDictionaryRef)updateItem, (CFDictionaryRef)update);
NSLog(@"update:%ld",status);
删除
- (IBAction)del:(id)sender {
if (nameField.text.length >0) {
// 删除的条件
NSDictionary* query = [NSDictionary dictionaryWithObjectsAndKeys:kSecClassGenericPassword,kSecClass,
nameField.text,kSecAttrAccount,nil];
// SecItemDelete
OSStatus status = SecItemDelete((CFDictionaryRef)query);
NSLog(@"delete:%ld",status); // errSecItemNotFound 就是没有
}
}
注意
区别(标识)一个item要用kSecAttrAccount和kSecAttrService
Apple 官方Sample code
- (void)addItemAsync {
CFErrorRef error = NULL;
// Should be the secret invalidated when passcode is removed? If not then use kSecAttrAccessibleWhenUnlocked
SecAccessControlRef sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
kSecAccessControlUserPresence, &error);
if (sacObject == NULL || error != NULL) {
NSString *errorString = [NSString stringWithFormat:@"SecItemAdd can't create sacObject: %@", error];
self.textView.text = [self.textView.text stringByAppendingString:errorString];
return;
}
// we want the operation to fail if there is an item which needs authentication so we will use
// kSecUseNoAuthenticationUI
NSDictionary *attributes = @{
(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
(__bridge id)kSecAttrService: @"SampleService",
(__bridge id)kSecValueData: [@"SECRET_PASSWORD_TEXT" dataUsingEncoding:NSUTF8StringEncoding],
(__bridge id)kSecUseNoAuthenticationUI: @YES,
(__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacObject
};
dispatch_async(dispatch_get_global_queue( DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attributes, nil);
NSString *errorString = [self keychainErrorToString:status];
NSString *message = [NSString stringWithFormat:@"SecItemAdd status: %@", errorString];
[self printMessage:message inTextView:self.textView];
});
}
Touch ID
LAContext: Represents an authentication context.
LAContext *myContext = [[LAContext alloc] init];
NSError *authError = nil;
NSString *myLocalizedReasonString = <#String explaining why app needs authentication#>;
if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&authError]) {
[myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
localizedReason:myLocalizedReasonString
reply:^(BOOL success, NSError *error) {
if (success) {
// User authenticated successfully, take appropriate action
} else {
// User did not authenticate successfully, look at error and take appropriate action
}
}];
} else {
// Could not evaluate policy; look at authError and present an appropriate message to user
}
判断是否支持touchID
- (void)canEvaluatePolicy {
LAContext *context = [[LAContext alloc] init];
__block NSString *message;
NSError *error;
BOOL success;
// test if we can evaluate the policy, this test will tell us if Touch ID is available and enrolled
success = [context canEvaluatePolicy: LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&error];
if (success) {
message = [NSString stringWithFormat:@"Touch ID is available"];
}
else {
message = [NSString stringWithFormat:@"Touch ID is not available"];
}
[super printMessage:message inTextView:self.textView];
}
使用默认的方式进行指纹识别
- (void)evaluatePolicy {
LAContext *context = [[LAContext alloc] init];
__block NSString *message;
// Show the authentication UI with our reason string.
[context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics localizedReason:@"Unlock access to locked feature" reply:^(BOOL success, NSError *authenticationError) {
if (success) {
message = @"evaluatePolicy: succes";
}
else {
message = [NSString stringWithFormat:@"evaluatePolicy: %@", authenticationError.localizedDescription];
}
[self printMessage:message inTextView:self.textView];
}];
}
定制UI进行指纹识别
- (void)evaluatePolicy2 {
LAContext *context = [[LAContext alloc] init];
__block NSString *message;
// Set text for the localized fallback button.
context.localizedFallbackTitle = @"Enter PIN";
// Show the authentication UI with our reason string.
[context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics localizedReason:@"Unlock access to locked feature" reply:^(BOOL success, NSError *authenticationError) {
if (success) {
message = @"evaluatePolicy: succes";
}
else {
message = [NSString stringWithFormat:@"evaluatePolicy: %@", authenticationError.localizedDescription];
}
[self printMessage:message inTextView:self.textView];
}];
}
定制Demo
LAContext *myContext = [[LAContext alloc] init];
NSError *authError = nil;
NSString *myLocalizedReasonString = <#String explaining why app needs authentication#>;
if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&authError]) {
[myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
localizedReason:myLocalizedReasonString
reply:^(BOOL success, NSError *error) {
if (success) {
// User authenticated successfully, take appropriate action
dispatch_async(dispatch_get_main_queue(), ^{
// write all your code here
});
} else {
// User did not authenticate successfully, look at error and take appropriate action
switch (error.code) {
case LAErrorAuthenticationFailed:
NSLog(@"Authentication Failed");
break;
case LAErrorUserCancel:
NSLog(@"User pressed Cancel button");
break;
case LAErrorUserFallback:
NSLog(@"User pressed \"Enter Password\"");
break;
default:
NSLog(@"Touch ID is not configured");
break;
}
NSLog(@"Authentication Fails");
}
}];
} else {
// Could not evaluate policy; look at authError and present an appropriate message to user
}
keyChain 不是绝对的安全
keychain的几个特点
- app保持的信息是用一个app unique签名的,只能够自己访问
- 不同app之间可以勇敢access_group共享
- 在不同app之间的共享,只能在一个公司内的app共享
越狱机器上keychain不安全
通过上面的几个特点,要访问keychain中的数据,需要一下几点:
- 和app同样的证书
jail break 相当于apple做签名检查的地方都打了不定,使得不是苹果颁发的证书签名的文件,也能正常使用,或者伪造证书签名的app也能够正常使用。
- 获取access group的名称
- 使用keychain dumper,就可以得到所有的相关信息。 但是,要在设备上执行keychain dumper,就需要用chmod 777设置其权限,需要root权限,而jail break之后的默认密码是:alpine。
参考文献
http://blog.csdn.net/yiyaaixuexi/article/details/18404343
http://wufawei.com/2013/11/ios-application-security-12/
http://wufawei.com/2013/06/Keychain-is-not-safe/
https://github.com/ptoomey3/Keychain-Dumper
