SecItemCopyMatching() ignores kSecAttrSubjectKeyID when searching for Identities
| Originator: | wiml | | |
|---|---|---|---|
| Number: | rdar://18142578 | Date Originated: | 26-Aug-2014 |
| Status: | Open | Resolved: | |
| Product: | OS X | Product Version: | 10.9.4/13E28 |
| Classification: | | Reproducible: | Always |
As the documentation says, an Identity is a combination of a certificate and a secret key, and the documentation for searching says "kSecClassIdentity item attributes: Since an identity is the combination of a private key and a certificate, this class shares attributes of both kSecClassKey and kSecClassCertificate". However, the kSecAttrSubjectKeyID search key, which works when searching for certificate refs, is ignored when searching for identities.

Steps to Reproduce:

1. Create a query dictionary containing a subject key identifier under kSecAttrSubjectKeyID, and other attributes to perform an identity search (kSecClass=kSecClassCertificate, kSecAttrCanDecrypt=kCFBooleanTrue, kSecReturnRef=kCFBooleanTrue).
2. Call SecItemCopyMatching().
3. Observe that the returned identity (or identities, if kSecMatchLimit=kSecMatchLimitAll) does not match the provided subject key identifier. In fact, if you're using kSecMatchLimitAll, you just get all of the identities in your keychains.

A simple test program is attached.

Expected Results: The search keys for identities should be the combination of those for certificates and keys.

Actual Results: The search keys are some undocumented subset.

Version: 10.9.4/13E28

Notes:

Configuration:

Attachments: 'skidIgnored.c' was successfully uploaded.
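A defensive workaround for the behaviour described in this report, written here as an added example in Swift (it is not the attached skidIgnored.c): filter by subject key identifier on the certificate side, where kSecAttrSubjectKeyID is honoured, build the identity from that certificate with SecIdentityCreateWithCertificate, and verify the result instead of trusting the identity query. The 20-byte SKID value is a constructed placeholder.

```swift
import Foundation
import Security

// SecItemCopyMatching ignores kSecAttrSubjectKeyID for kSecClassIdentity (rdar://18142578),
// so look up the certificate first; certificate searches do honour the attribute.
func findCertificate(subjectKeyID skid: Data) -> SecCertificate? {
    let query: [CFString: Any] = [
        kSecClass: kSecClassCertificate,
        kSecAttrSubjectKeyID: skid,        // honoured for certificate searches
        kSecReturnRef: true,
        kSecMatchLimit: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
          let found = item else { return nil }
    return (found as! SecCertificate)
}

// Build the identity from the matched certificate rather than querying kSecClassIdentity.
func findIdentity(subjectKeyID skid: Data) -> SecIdentity? {
    guard let cert = findCertificate(subjectKeyID: skid) else { return nil }
    var identity: SecIdentity?
    // nil keychainOrArray: search the default keychain list for the matching private key
    let status = SecIdentityCreateWithCertificate(nil, cert, &identity)
    return status == errSecSuccess ? identity : nil
}

// Post-check: compare the identity's certificate DER with the certificate we asked for,
// so a silently unfiltered result (the bug above) cannot be used by mistake.
func identityMatches(_ identity: SecIdentity, expected: SecCertificate) -> Bool {
    var cert: SecCertificate?
    guard SecIdentityCopyCertificate(identity, &cert) == errSecSuccess,
          let found = cert else { return false }
    return (SecCertificateCopyData(found) as Data) == (SecCertificateCopyData(expected) as Data)
}

// Constructed placeholder SKID; substitute the real subject key identifier bytes.
let skid = Data(repeating: 0xAB, count: 20)

if let cert = findCertificate(subjectKeyID: skid),
   let ident = findIdentity(subjectKeyID: skid) {
    print("identity matches requested SKID:", identityMatches(ident, expected: cert))
} else {
    print("no certificate or identity with that subject key ID in the keychain search list")
}
```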