Keychain and Touch ID
keychain結構
keychain結構.png
注意
1 kSecClass Key 定義屬于哪一種字典結構
2 不同類型包含不同的Attribute撞秋,這些attributes定義了這個item的具體信息
3 每個item可以包含一個密碼項來存儲對應的密碼
keychain 四個方法
增刪改查
OSStatus SecItemAdd(CFDictionaryRef attributes, CFTypeRef *result)
SecItemAdd表示往Keychain 里增加一條數據畏腕,第一個參數表示數據箕肃,第二個參數表示執(zhí)行該操作后,指向剛添加的這個數據的引用咽安,如果不需要用到這條數據捍歪,可以傳入NULL(翻譯自apple文檔)
OSStatus SecItemCopyMatching(CFDictionaryRef query, CFTypeRef *result)
SecItemCopyMatching表示查詢Keychain里是否有符號條件的記錄。第一個參數查詢條件咒钟,第二個查詢到結果的引用。
OSStatus SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate)
SecItemUpdate更新Keychain里的記錄若未。第一個參數表示查詢條件朱嘴,第二個表示當根據第一個查詢條件后,用于更新的值粗合。
OSStatus SecItemDelete(CFDictionaryRef query)
SecItemDelete刪除符號查詢條件的記錄腕够。參數表示查詢條件
添加 Add
- (IBAction)add:(id)sender {
if (nameField.text.length > 0 && passwordField.text.length > 0) {
// 一個mutable字典結構存儲item信息
NSMutableDictionary* dic = [NSMutableDictionary dictionary];
// 確定所屬的類class
[dic setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass];
// 設置其他屬性attributes
[dic setObject:nameField.text forKey:(id)kSecAttrAccount];
// 添加密碼 secValue 注意是object 是 NSData
[dic setObject:[passwordField.text dataUsingEncoding:NSUTF8StringEncoding] forKey:(id)kSecValueData];
// SecItemAdd
OSStatus s = SecItemAdd((CFDictionaryRef)dic, NULL);
NSLog(@"add : %ld",s);
}
}
查找
// 查找全部
- (IBAction)sel:(id)sender {
NSDictionary* query = [NSDictionary dictionaryWithObjectsAndKeys:kSecClassGenericPassword,kSecClass,
kSecMatchLimitAll,kSecMatchLimit,
kCFBooleanTrue,kSecReturnAttributes,nil];
CFTypeRef result = nil;
OSStatus s = SecItemCopyMatching((CFDictionaryRef)query, &result);
NSLog(@"select all : %ld",s);
NSLog(@"%@",result);
}
// 按名稱查找
- (IBAction)sname:(id)sender {
if (nameField.text.length >0) {
// 查找條件:1.class 2.attributes 3.search option
NSDictionary* query = [NSDictionary dictionaryWithObjectsAndKeys:kSecClassGenericPassword,kSecClass,
nameField.text,kSecAttrAccount,
kCFBooleanTrue,kSecReturnAttributes,nil];
CFTypeRef result = nil;
// 先找到一個item
OSStatus s = SecItemCopyMatching((CFDictionaryRef)query, &result);
NSLog(@"select name : %ld",s); // errSecItemNotFound 就是找不到
NSLog(@"%@",result);
if (s == noErr) {
// 繼續(xù)查找item的secValue
NSMutableDictionary* dic = [NSMutableDictionary dictionaryWithDictionary:result];
// 存儲格式
[dic setObject:(id)kCFBooleanTrue forKey:kSecReturnData];
// 確定class
[dic setObject:[query objectForKey:kSecClass] forKey:kSecClass];
NSData* data = nil;
// 查找secValue
if (SecItemCopyMatching((CFDictionaryRef)dic, (CFTypeRef*)&data) == noErr) {
if (data.length)
NSLog(@"%@",[[[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding] autorelease]);
}
}
}
}
# 修改
- (IBAction)update:(id)sender {
if (nameField.text.length >0 && passwordField.text.length > 0) {
// 先查找看看有沒有
NSDictionary* query = [NSDictionary dictionaryWithObjectsAndKeys:kSecClassGenericPassword,kSecClass,
nameField.text,kSecAttrAccount,
kCFBooleanTrue,kSecReturnAttributes,nil];
CFTypeRef result = nil;
if (SecItemCopyMatching((CFDictionaryRef)query, &result) == noErr)
{
// 更新后的數據,基礎是搜到的result
NSMutableDictionary* update = [NSMutableDictionary dictionaryWithDictionary:(NSDictionary*)result];
// 修改要跟新的項 注意先加后刪的class項
[update setObject:[query objectForKey:kSecClass] forKey:kSecClass];
[update setObject:[passwordField.text dataUsingEncoding:NSUTF8StringEncoding] forKey:kSecValueData];
[update removeObjectForKey:kSecClass];
#if TARGET_IPHONE_SIMULATOR
// 模擬器的都有個默認的組“test”舌劳,刪了,不然會出錯
[update removeObjectForKey:(id)kSecAttrAccessGroup];
#endif
// 得到要修改的item玫荣,根據result甚淡,但要添加class
NSMutableDictionary* updateItem = [NSMutableDictionary dictionaryWithDictionary:result];
[updateItem setObject:[query objectForKey:(id)kSecClass] forKey:(id)kSecClass];
// SecItemUpdate
OSStatus status = SecItemUpdate((CFDictionaryRef)updateItem, (CFDictionaryRef)update);
NSLog(@"update:%ld",status);
刪除
- (IBAction)del:(id)sender {
if (nameField.text.length >0) {
// 刪除的條件
NSDictionary* query = [NSDictionary dictionaryWithObjectsAndKeys:kSecClassGenericPassword,kSecClass,
nameField.text,kSecAttrAccount,nil];
// SecItemDelete
OSStatus status = SecItemDelete((CFDictionaryRef)query);
NSLog(@"delete:%ld",status); // errSecItemNotFound 就是沒有
}
}
注意
區(qū)別(標識)一個item要用kSecAttrAccount和kSecAttrService
Apple 官方Sample code
- (void)addItemAsync {
CFErrorRef error = NULL;
// Should be the secret invalidated when passcode is removed? If not then use kSecAttrAccessibleWhenUnlocked
SecAccessControlRef sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
kSecAccessControlUserPresence, &error);
if (sacObject == NULL || error != NULL) {
NSString *errorString = [NSString stringWithFormat:@"SecItemAdd can't create sacObject: %@", error];
self.textView.text = [self.textView.text stringByAppendingString:errorString];
return;
}
// we want the operation to fail if there is an item which needs authentication so we will use
// kSecUseNoAuthenticationUI
NSDictionary *attributes = @{
(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
(__bridge id)kSecAttrService: @"SampleService",
(__bridge id)kSecValueData: [@"SECRET_PASSWORD_TEXT" dataUsingEncoding:NSUTF8StringEncoding],
(__bridge id)kSecUseNoAuthenticationUI: @YES,
(__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacObject
};
dispatch_async(dispatch_get_global_queue( DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attributes, nil);
NSString *errorString = [self keychainErrorToString:status];
NSString *message = [NSString stringWithFormat:@"SecItemAdd status: %@", errorString];
[self printMessage:message inTextView:self.textView];
});
}
Touch ID
LAContext: Represents an authentication context.
LAContext *myContext = [[LAContext alloc] init];
NSError *authError = nil;
NSString *myLocalizedReasonString = <#String explaining why app needs authentication#>;
if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&authError]) {
[myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
localizedReason:myLocalizedReasonString
reply:^(BOOL success, NSError *error) {
if (success) {
// User authenticated successfully, take appropriate action
} else {
// User did not authenticate successfully, look at error and take appropriate action
}
}];
} else {
// Could not evaluate policy; look at authError and present an appropriate message to user
}
判斷是否支持touchID
- (void)canEvaluatePolicy {
LAContext *context = [[LAContext alloc] init];
__block NSString *message;
NSError *error;
BOOL success;
// test if we can evaluate the policy, this test will tell us if Touch ID is available and enrolled
success = [context canEvaluatePolicy: LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&error];
if (success) {
message = [NSString stringWithFormat:@"Touch ID is available"];
}
else {
message = [NSString stringWithFormat:@"Touch ID is not available"];
}
[super printMessage:message inTextView:self.textView];
}
使用默認的方式進行指紋識別
- (void)evaluatePolicy {
LAContext *context = [[LAContext alloc] init];
__block NSString *message;
// Show the authentication UI with our reason string.
[context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics localizedReason:@"Unlock access to locked feature" reply:^(BOOL success, NSError *authenticationError) {
if (success) {
message = @"evaluatePolicy: succes";
}
else {
message = [NSString stringWithFormat:@"evaluatePolicy: %@", authenticationError.localizedDescription];
}
[self printMessage:message inTextView:self.textView];
}];
}
定制UI進行指紋識別
- (void)evaluatePolicy2 {
LAContext *context = [[LAContext alloc] init];
__block NSString *message;
// Set text for the localized fallback button.
context.localizedFallbackTitle = @"Enter PIN";
// Show the authentication UI with our reason string.
[context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics localizedReason:@"Unlock access to locked feature" reply:^(BOOL success, NSError *authenticationError) {
if (success) {
message = @"evaluatePolicy: succes";
}
else {
message = [NSString stringWithFormat:@"evaluatePolicy: %@", authenticationError.localizedDescription];
}
[self printMessage:message inTextView:self.textView];
}];
}
定制Demo
LAContext *myContext = [[LAContext alloc] init];
NSError *authError = nil;
NSString *myLocalizedReasonString = <#String explaining why app needs authentication#>;
if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&authError]) {
[myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
localizedReason:myLocalizedReasonString
reply:^(BOOL success, NSError *error) {
if (success) {
// User authenticated successfully, take appropriate action
dispatch_async(dispatch_get_main_queue(), ^{
// write all your code here
});
} else {
// User did not authenticate successfully, look at error and take appropriate action
switch (error.code) {
case LAErrorAuthenticationFailed:
NSLog(@"Authentication Failed");
break;
case LAErrorUserCancel:
NSLog(@"User pressed Cancel button");
break;
case LAErrorUserFallback:
NSLog(@"User pressed \"Enter Password\"");
break;
default:
NSLog(@"Touch ID is not configured");
break;
}
NSLog(@"Authentication Fails");
}
}];
} else {
// Could not evaluate policy; look at authError and present an appropriate message to user
}
keyChain 不是絕對的安全
keychain的幾個特點
- app保持的信息是用一個app unique簽名的,只能夠自己訪問
- 不同app之間可以勇敢access_group共享
- 在不同app之間的共享捅厂,只能在一個公司內的app共享
越獄機器上keychain不安全
通過上面的幾個特點贯卦,要訪問keychain中的數據,需要一下幾點:
- 和app同樣的證書
jail break 相當于apple做簽名檢查的地方都打了不定焙贷,使得不是蘋果頒發(fā)的證書簽名的文件撵割,也能正常使用,或者偽造證書簽名的app也能夠正常使用辙芍。
- 獲取access group的名稱
- 使用keychain dumper啡彬,就可以得到所有的相關信息羹与。 但是,要在設備上執(zhí)行keychain dumper庶灿,就需要用chmod 777設置其權限纵搁,需要root權限,而jail break之后的默認密碼是:alpine往踢。
參考文獻
http://blog.csdn.net/yiyaaixuexi/article/details/18404343
http://wufawei.com/2013/11/ios-application-security-12/
http://wufawei.com/2013/06/Keychain-is-not-safe/
https://github.com/ptoomey3/Keychain-Dumper
