OSStatus代码-1009，com.apple.LocalAuthentication

Question

我正在尝试使用iOS密钥链测试加密。

Domain=com.apple.LocalAuthentication Code=-1009 "ACL operation is not allowed: 'od'" UserInfo={NSLocalizedDescription=ACL operation is not allowed: 'od'}

这是我的测试代码：

func testEncrpytKeychain() {

    let promise = expectation(description: "Unlock")
    let data: Data! = self.sampleData
    let text: String! = self.sampleText
    wait(for: [promise], timeout: 30)
    let chain = Keychain(account: "tester", serviceName: "testing2", access: .whenPasscodeSetThisDeviceOnly, accessGroup: nil)
    chain.unlockChain { reply, error in
        defer {
            promise.fulfill()
        }
        guard error == nil else {
            // ** FAILS ON THIS LINE WITH OSSTATUS ERROR **
            XCTAssert(false, "Error: \(String(describing: error))")
            return
        }

        guard let cipherData = try? chain.encrypt(data) else {
            XCTAssert(false, "Cipher Data not created")
            return
        }
        XCTAssertNotEqual(cipherData, data)

        guard let clearData = try? chain.decrypt(cipherData) else {
            XCTAssert(false, "Clear Data not decrypted")
            return
        }
        XCTAssertEqual(clearData, data)

        let clearText = String(data: clearData, encoding: .utf8)
        XCTAssertEqual(clearText, text)
    }
}

下面是异步unlockChain的底层代码：

// context is a LAContext
func unlockChain(_ callback: @escaping (Bool, Error?) -> Void) {
    var error: NSError? = nil
    guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) else {
        callback(false, error)
        return
    }

    context.evaluateAccessControl(control, operation: .createItem, localizedReason: "Access your Account") { (reply, error) in
        self.context.evaluateAccessControl(self.control, operation: .useItem, localizedReason: "Access your Account") { (reply, error) in
            self.unlocked = reply
            callback(reply, error)
        }
    }
}

下面是上下文和控件对象的创建方式

 init(account: String, serviceName: String = (Bundle.main.bundleIdentifier ?? ""),  access: Accessibility = .whenUnlocked, accessGroup: String? = nil) {
    self.account = account
    self.serviceName = serviceName
    self.accessGroup = accessGroup
    self.access = access
    var error: Unmanaged<CFError>? = nil
    self.control = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                                   access.attrValue,
                                                   [.privateKeyUsage],
                                                   &error)
    if let e: Error = error?.takeRetainedValue() {
        Log.error(e)
    }
    self.context = LAContext()
}

我找不到任何关于这个错误的信息：

Domain=com.apple.LocalAuthentication Code=-1009 

the OSStatus Code site doesn't contain anything for it either

感谢您的帮助，谢谢。

Answer 1

我解决了同样的问题，在创建新的私钥之前删除了以前的私钥。

我猜在iOS10上(11没有显示错误)，当你使用相同的标签/大小但不是相同的访问设置进行SecKeyCreateRandomKey(...)时，它只会返回true，但使用旧的(感觉很奇怪，但谁知道呢)？

下面是我用来删除它的一个延迟C函数(只需记住设置你的ApplicationPrivateKeyTag

void deletePrivateKey()
{
    CFStringRef ApplicationPrivateKeyTag = CFSTR("your tag here");

    const void* keys[] = {
        kSecAttrApplicationTag,
        kSecClass,
        kSecAttrKeyClass,
        kSecReturnRef,
    };

    const void* values[] = {
        ApplicationPrivateKeyTag,
        kSecClassKey,
        kSecAttrKeyClassPrivate,
        kCFBooleanTrue,
    };

    CFDictionaryRef params = CFDictionaryCreate(kCFAllocatorDefault, keys, values, (sizeof(keys)/sizeof(void*)), NULL, NULL);

    OSStatus status = SecItemDelete(params);

    if (params) CFRelease(params);
    if (ApplicationPrivateKeyTag) CFRelease(ApplicationPrivateKeyTag);

    if (status == errSecSuccess)
        return true;
    return false;
}

FWIW:看起来苹果更新了their doc about the Security Framework and the SecureEnclave，现在更容易理解了。