2 * Copyright (c) 2018 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
24 #import <Security/Security.h>
25 #import <Security/SecItemPriv.h>
27 #import "KeychainXCTest.h"
30 @interface KeychainEntitlementsTest : KeychainXCTest
33 @implementation KeychainEntitlementsTest
35 - (void)testNoEntitlements {
36 NSDictionary *params = @{ (id)kSecUseDataProtectionKeychain: @YES,
37 (id)kSecClass: (id)kSecClassGenericPassword, (id)kSecAttrLabel: @"label", };
39 // Application with no keychain-related entitlements at all, but CopyMatching must work in order to support
40 // backward compatibility with smart-card-enabled macos applications (com.apple.token AG is added automatically in this case).
41 [self setEntitlements:@{} validated:false];
42 XCTAssertEqual(SecItemCopyMatching((CFDictionaryRef)params, NULL), errSecItemNotFound);
44 // However, write access is declined for such application.
45 XCTAssertEqual(SecItemAdd((CFDictionaryRef)params, NULL), errSecMissingEntitlement);
46 XCTAssertEqual(SecItemDelete((CFDictionaryRef)params), errSecMissingEntitlement);
50 - (void)testInvalidEntitlementsAppID {
52 params = @{ (id)kSecUseDataProtectionKeychain: @YES,
53 (id)kSecClass: (id)kSecClassGenericPassword,
54 (id)kSecAttrLabel: @"label", };
56 // Un-validated app-identifier entitlements must disallow any access to the keychain.
57 [self setEntitlements:@{ @"com.apple.application-identifier": @"com.apple.test-app-identifier" } validated:NO];
58 XCTAssertEqual(SecItemCopyMatching((CFDictionaryRef)params, NULL), errSecMissingEntitlement);
59 XCTAssertEqual(SecItemAdd((CFDictionaryRef)params, NULL), errSecMissingEntitlement);
60 XCTAssertEqual(SecItemDelete((CFDictionaryRef)params), errSecMissingEntitlement);
62 // However, keychain-access-groups entitlements should work even if not validated, AMFI will take care
63 // about cases when keychain-access-groups is not correctly used and we have to support cases when
64 // process contains application-groups entitlement but that entitlement is not present in provisioned profile, thus
65 // failing entitlement validation test.
66 [self setEntitlements:@{ @"keychain-access-groups": @[@"com.apple.test-app-identifier"] } validated:NO];
67 XCTAssertEqual(SecItemCopyMatching((CFDictionaryRef)params, NULL), errSecItemNotFound);
68 XCTAssertEqual(SecItemAdd((CFDictionaryRef)params, NULL), errSecSuccess);
69 XCTAssertEqual(SecItemDelete((CFDictionaryRef)params), errSecSuccess);
71 #endif // TARGET_OS_OSX
73 - (void)testValidEntitlementsAppID {
75 params = @{ (id)kSecUseDataProtectionKeychain: @YES,
76 (id)kSecClass: (id)kSecClassGenericPassword,
77 (id)kSecAttrLabel: @"label",
78 (id)kSecAttrAccessGroup: @"com.apple.test-app-identifier", };
80 [self setEntitlements:@{ @"com.apple.application-identifier": @"com.apple.test-app-identifier" } validated:YES];
82 [self setEntitlements:@{ @"application-identifier": @"com.apple.test-app-identifier" } validated:YES];
84 XCTAssertEqual(SecItemCopyMatching((CFDictionaryRef)params, NULL), errSecItemNotFound);
85 XCTAssertEqual(SecItemAdd((CFDictionaryRef)params, NULL), errSecSuccess);
86 XCTAssertEqual(SecItemDelete((CFDictionaryRef)params), errSecSuccess);
89 - (void)testEntitlementsAssociatedAppID {
90 NSMutableDictionary *params = [@{(id)kSecUseDataProtectionKeychain: @YES,
91 (id)kSecClass: (id)kSecClassGenericPassword,
92 (id)kSecAttrLabel: @"label" } mutableCopy];
94 [self setEntitlements:@{
96 @"com.apple.application-identifier": @"com.apple.test-app-identifier",
98 @"application-identifier": @"com.apple.test-app-identifier",
100 @"com.apple.developer.associated-application-identifier": @[ @"com.apple.test-associated-app-identifier" ]
103 XCTAssertEqual(SecItemCopyMatching((CFDictionaryRef)params, NULL), errSecItemNotFound);
105 // The associated app identifier is preferred over the 'regular' app identifier (in practice this is only relevant on macOS)
106 XCTAssertEqual(SecItemAdd((CFDictionaryRef)params, NULL), errSecSuccess);
107 params[(id)kSecReturnAttributes] = @(YES);
108 CFTypeRef result = NULL;
109 XCTAssertEqual(SecItemCopyMatching((__bridge CFDictionaryRef)params, &result), errSecSuccess);
110 XCTAssertTrue(CFEqual(CFDictionaryGetValue(result, kSecAttrAccessGroup), CFSTR("com.apple.test-associated-app-identifier")));
111 CFReleaseNull(result);
112 XCTAssertEqual(SecItemDelete((CFDictionaryRef)params), errSecSuccess);
115 - (void)testDisallowTokenGroupWrite {
116 NSDictionary *params;
118 // Explicit com.apple.token agrp is not acceptable for writing operations, but acceptable for reading.
119 params = @{ (id)kSecUseDataProtectionKeychain: @YES,
120 (id)kSecClass: (id)kSecClassGenericPassword,
121 (id)kSecAttrLabel: @"label",
122 (id)kSecAttrAccessGroup: (id)kSecAttrAccessGroupToken, };
123 [self setEntitlements:@{ @"com.apple.application-identifier": (id)kSecAttrAccessGroupToken } validated:YES];
124 XCTAssertEqual(SecItemCopyMatching((CFDictionaryRef)params, NULL), errSecItemNotFound);
125 XCTAssertEqual(SecItemAdd((CFDictionaryRef)params, NULL), errSecMissingEntitlement);
126 XCTAssertEqual(SecItemDelete((CFDictionaryRef)params), errSecMissingEntitlement);
130 - (void)testInvalidAppGroups {
131 NSDictionary *params;
132 params = @{ (id)kSecUseDataProtectionKeychain: @YES,
133 (id)kSecClass: (id)kSecClassGenericPassword,
134 (id)kSecAttrLabel: @"label", };
135 [self setEntitlements:@{ @"com.apple.security.application-groups": @[@"com.apple.test-app-groups"] } validated:NO];
137 // Invalid access group entitlement should still allow querying com.apple.token
138 XCTAssertEqual(SecItemCopyMatching((CFDictionaryRef)params, NULL), errSecItemNotFound);
140 // But write-access is forbidden,
141 XCTAssertEqual(SecItemAdd((CFDictionaryRef)params, NULL), errSecMissingEntitlement);
142 XCTAssertEqual(SecItemDelete((CFDictionaryRef)params), errSecMissingEntitlement);
144 // Similarly as explicitly referring to AG specified in unverified entitlements.
145 params = @{ (id)kSecUseDataProtectionKeychain: @YES,
146 (id)kSecClass: (id)kSecClassGenericPassword,
147 (id)kSecAttrLabel: @"label",
148 (id)kSecAttrAccessGroup: @"com.apple.test-app-groups", };
149 XCTAssertEqual(SecItemCopyMatching((CFDictionaryRef)params, NULL), errSecMissingEntitlement);
150 XCTAssertEqual(SecItemAdd((CFDictionaryRef)params, NULL), errSecMissingEntitlement);
151 XCTAssertEqual(SecItemDelete((CFDictionaryRef)params), errSecMissingEntitlement);
153 // Explicitly referring to com.apple.token should work fine too.
154 params = @{ (id)kSecUseDataProtectionKeychain: @YES,
155 (id)kSecClass: (id)kSecClassGenericPassword,
156 (id)kSecAttrLabel: @"label",
157 (id)kSecAttrAccessGroup: (id)kSecAttrAccessGroupToken, };
158 XCTAssertEqual(SecItemCopyMatching((CFDictionaryRef)params, NULL), errSecItemNotFound);
160 #endif // TARGET_OS_OSX
162 - (void)testTokenItemsGroup {
163 NSDictionary *params;
165 // Add token items for testing into the keychain.
166 NSArray *tokenItems = @[ @{
167 (id)kSecClass: (id)kSecClassGenericPassword,
168 (id)kSecAttrAccessGroup: (id)kSecAttrAccessGroupToken,
169 (id)kSecAttrLabel: @"label",
171 XCTAssertEqual(SecItemUpdateTokenItems(@"com.apple.testtoken", (__bridge CFArrayRef)tokenItems), errSecSuccess);
173 [self setEntitlements:@{ @"com.apple.application-identifier": @"com.apple.test-app-identifier" } validated:YES];
175 // Query without explicit access group, should find item on macOS and not find it on iOS.
176 params = @{ (id)kSecUseDataProtectionKeychain: @YES,
177 (id)kSecClass: (id)kSecClassGenericPassword,
178 (id)kSecAttrLabel: @"label", };
180 XCTAssertEqual(SecItemCopyMatching((CFDictionaryRef)params, NULL), errSecItemNotFound);
182 XCTAssertEqual(SecItemCopyMatching((CFDictionaryRef)params, NULL), errSecSuccess);
185 // Query with explicit AG should work the same on both platforms.
186 params = @{ (id)kSecUseDataProtectionKeychain: @YES,
187 (id)kSecClass: (id)kSecClassGenericPassword,
188 (id)kSecAttrLabel: @"label",
189 (id)kSecAttrAccessGroup: (id)kSecAttrAccessGroupToken, };
190 XCTAssertEqual(SecItemCopyMatching((CFDictionaryRef)params, NULL), errSecSuccess);
192 // Delete all test token items.
193 SecItemUpdateTokenItems(@"com.apple.testtoken", (__bridge CFArrayRef)@[]);
196 - (void)testEntitlementForExplicitAccessGroupLacking {
197 [self setEntitlements:@{@"com.apple.application-identifier": @"com.apple.test-app-identifier", @"application-identifier": @"com.apple.test-app-identifier"} validated:YES];
199 NSMutableDictionary* query = [@{(id)kSecClass : (id)kSecClassGenericPassword,
200 (id)kSecUseDataProtectionKeychain : @YES,
201 (id)kSecAttrAccount : @"TestAccount",
202 (id)kSecAttrLabel : @"TestLabel",
203 (id)kSecAttrAccessGroup : @"com.apple.test.myaccessgroup",
204 (id)kSecValueData : [@"passwd" dataUsingEncoding:NSUTF8StringEncoding],
206 NSMutableDictionary* update = [@{(id)kSecAttrLabel : @"NewLabel"} mutableCopy];
208 XCTAssertEqual(SecItemAdd((__bridge CFDictionaryRef)query, NULL), errSecMissingEntitlement);
209 query[(id)kSecValueData] = nil;
210 XCTAssertEqual(SecItemCopyMatching((__bridge CFDictionaryRef)query, NULL), errSecMissingEntitlement);
211 XCTAssertEqual(SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)update), errSecMissingEntitlement);
212 XCTAssertEqual(SecItemDelete((__bridge CFDictionaryRef)query), errSecMissingEntitlement);
214 [self setEntitlements:@{@"com.apple.application-identifier": @"com.apple.test-app-identifier", @"application-identifier": @"com.apple.test-app-identifier", @"keychain-access-groups": @[@"com.apple.test.myaccessgroup"]} validated:YES];
215 query[(id)kSecValueData] = [@"secret" dataUsingEncoding:NSUTF8StringEncoding];
216 XCTAssertEqual(SecItemAdd((__bridge CFDictionaryRef)query, NULL), errSecSuccess);
217 query[(id)kSecValueData] = nil;
219 XCTAssertEqual(SecItemCopyMatching((__bridge CFDictionaryRef)query, NULL), errSecSuccess);
220 [self setEntitlements:@{@"com.apple.application-identifier": @"com.apple.test-app-identifier"} validated:YES];
221 XCTAssertEqual(SecItemCopyMatching((__bridge CFDictionaryRef)query, NULL), errSecMissingEntitlement);
223 query[(id)kSecAttrAccessGroup] = nil;
224 update[(id)kSecAttrAccessGroup] = @"com.apple.test.myotheraccessgroup";
225 XCTAssertEqual(SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)update), errSecMissingEntitlement);
227 query[(id)kSecAttrAccessGroup] = @"com.apple.test.myaccessgroup";
228 [self setEntitlements:@{@"com.apple.application-identifier": @"com.apple.test-app-identifier", @"application-identifier": @"com.apple.test-app-identifier", @"keychain-access-groups": @[@"com.apple.test.myaccessgroup"]} validated:YES];
229 XCTAssertEqual(SecItemDelete((__bridge CFDictionaryRef)query), errSecSuccess, @"keychain item not deleted after querying without entitlements");
232 - (void)testEntitlementForImplicitAccessGroupLacking {
233 NSMutableDictionary* query = [@{(id)kSecClass : (id)kSecClassGenericPassword,
234 (id)kSecUseDataProtectionKeychain : @YES,
235 (id)kSecAttrAccount : @"TestAccount",
236 (id)kSecAttrLabel : @"TestLabel",
237 (id)kSecAttrAccessGroup : @"com.apple.test.myaccessgroup",
238 (id)kSecValueData : [@"passwd" dataUsingEncoding:NSUTF8StringEncoding],
240 NSDictionary* update = @{(id)kSecAttrLabel : @"NewLabel"};
242 // Have to use explicit access group here or we just get the app identifier
243 [self setEntitlements:@{@"com.apple.application-identifier": @"com.apple.test-app-identifier", @"application-identifier": @"com.apple.test-app-identifier", @"keychain-access-groups": @[@"com.apple.test.myaccessgroup"]} validated:YES];
244 XCTAssertEqual(SecItemAdd((__bridge CFDictionaryRef)query, NULL), errSecSuccess);
246 [self setEntitlements:@{@"com.apple.application-identifier": @"com.apple.test-app-identifier", @"application-identifier": @"com.apple.test-app-identifier"} validated:YES];
247 query[(id)kSecValueData] = nil;
248 query[(id)kSecAttrAccessGroup] = nil;
250 XCTAssertEqual(SecItemCopyMatching((__bridge CFDictionaryRef)query, NULL), errSecItemNotFound);
251 XCTAssertEqual(SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)update), errSecItemNotFound);
252 XCTAssertEqual(SecItemDelete((__bridge CFDictionaryRef)query), errSecItemNotFound);
254 [self setEntitlements:@{@"com.apple.application-identifier": @"com.apple.test-app-identifier", @"application-identifier": @"com.apple.test-app-identifier", @"keychain-access-groups": @[@"com.apple.test.myaccessgroup"]} validated:YES];
255 XCTAssertEqual(SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)update), errSecSuccess);
256 query[(id)kSecAttrLabel] = @"NewLabel";
258 XCTAssertEqual(SecItemCopyMatching((__bridge CFDictionaryRef)query, NULL), errSecSuccess);
259 XCTAssertEqual(SecItemDelete((__bridge CFDictionaryRef)query), errSecSuccess, @"keychain item not deleted after querying without entitlements");
264 #endif // USE_KEYSTORE