SecItemCopyMatching() returns items that don't match

Originator:wiml
Number:rdar://10155924 Date Originated:20-Sep-2011 02:47 PM
Status:Open Resolved:
Product:OS X Product Version:10.7.1
Classification:Serious Bug Reproducible:Always
 
20-Sep-2011 02:47 PM W Lewis:
Summary:

SecItemCopyMatching() can return items that do not match the search criteria passed to it.

Steps to Reproduce:

static SecKeyRef copyKey(SecKeychainRef keychain, NSDictionary *attributes, NSError **outError)
{
    NSMutableDictionary *query = [NSMutableDictionary dictionaryWithDictionary:attributes];
    [query setObject:(id)kSecClassKey forKey:(id)kSecClass];
    [query setObject:(id)kSecMatchLimitOne forKey:(id)kSecMatchLimit];
    [query setObject:(id)kCFBooleanTrue forKey:(id)kSecReturnRef];
    [query setObject:(id)kCFBooleanTrue forKey:(id)kSecReturnAttributes];
    CFTypeRef result = NULL;
    OSStatus err = SecItemCopyMatching((CFDictionaryRef)query, &result);
    if (err != noErr) {
        ofErrorFromOSError(outError, err, @"SecItemCopyMatching", query);
        return NULL;
    }
    NSLog(@"SecItemCopyMatching(%@) -> %@", [query description], result);
    SecKeyRef refResult = CFDictionaryGetValue(result, kSecValueRef);
    CFRetain(refResult);
    CFRelease(result);
    return refResult;
}


Expected Results:

The returned item should have attributes which match the attributes in the query.

Actual Results:

2011-09-20 14:30:59.876 otest-x86_64[49027:707] SecItemCopyMatching({
    "Digest Type" = "SHA1 Digest";
    class = keys;
    "m_Limit" = "m_LimitOne";
    "r_Attributes" = 1;
    "r_Ref" = 1;
    sign = 1;
    type = 43;
}) -> {
    bsiz = 768;
    class = keys;
    decr = 0;
    drve = 0;
    encr = 0;
    esiz = 768;
    kcls = 1;
    klbl = "<null>";
    labl = "<key>";
    perm = 1;
    sign = 1;
    type = 42;
    unwp = 0;
    "v_Ref" = "<SecKey 0x7fa607aa3510 [0x7fff7463eea0]>";
    vrfy = 0;
    wrap = 0;
}

Notes:

Note that the returned item is an RSA key, not a DSS-SHA1 key.

Attempting to sign and verify data using the key suggests that it is in fact a 768-bit RSA key.

Comments

Still broken in 10.10/14A389 and 10.9.5/13F34 --- no apparent change in behavior

By wiml at Dec. 29, 2014, 11:47 p.m. (reply...)

Still broken in 10.7.4/11E53 (not that I expected it to be fixed, but was rerunning some tests)

By wiml at July 9, 2012, 11:57 p.m. (reply...)

Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!