CFHipsterRef Low-Level Programming on iOS & Mac OS X
Introduction
1. Kernel
2. Objective-C Runtime
- 2.1. libobjc
- 2.2. Message Sending
- 2.3. Metaprogramming with Properties
- 2.4. Associated Objects
- 2.5. Dynamically Adding a Method
- 2.6. Method Swizzling
- 2.7. Dynamically Creating a Class
3. Clang
- 3.1. libclang
- 3.2. Translation Units
- 3.3. AST
- 3.4. Tokens
- 3.5. Diagnostics
- 3.6. Fix-Its
- 3.7. Clang CLI
- 3.8. Static Analyzer
4. OSAtomic
5. Grand Central Dispatch
6. Inter-Process Communication
7. Core Services
8. ImageIO
- 8.1. Supported Image Types
- 8.2. Writing to a File
- 8.3. Reading from a File
- 8.4. Incrementally Reading an Image
- 8.5. Image Metadata
9. Accelerate
- 9.1. Benchmarking Performance
- 9.2. vecLib
- 9.3. vImage
10. Security
- 10.1. Keychain Services
- 10.2. Cryptographic Message Syntax
- 10.3. Certificate, Key, and Trust Services
- 10.4. Security Transform Services
- 10.5. Randomization Services
- 10.6. CommonCrypto
11. System Configuration
- 11.1. Determining Network Reachability Synchronously
- 11.2. Determining Network Reachability Asynchronously
12. International Components for Unicode
13. Dictionary Services
14. Xcode Toolchain
15. Third-Party Tools
16. CocoaPods

CFHipsterRef Low-Level Programming on iOS & Mac OS X

Keychain Services

Keychain is the password management system on iOS & OS X. It stores certificates and private keys, as well as passwords for websites, servers, wireless networks, and other encrypted volumes.

Interactions with the Keychain are mediated through queries, rather than direct manipulation. The queries themselves can be quite complicated, and cumbersome with a C API.

A query is a dictionary consisting of the following components:

The class of item to search for, either "Generic Password", "Internet Password", "Certificate", "Key", or "Identity".
The return type for the query, either "Data", "Attributes", "Reference", or "Persistent Reference".
One or more attribute key-value pairs to match on.
One or more search key-value pairs to further refine the results, such as whether to match strings with case sensitivity, only match trusted certificates, or limit to just one result or return all.

Getting Keychain Items

NSString *service = @"com.example.app";
NSString *account = @"username";
NSDictionary *query =
@{
    (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword, (__bridge id)kSecAttrService: service,
    (__bridge id)kSecAttrAccount: key,
    (__bridge id)kSecMatchLimit: kSecMatchLimitOne,
};

CFTypeRef result;
OSStatus status =
SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);

In this example, the query tells the keychain to find all generic password items for the service com.example.app with the matching username. kSecAttrService defines the scope of credentials, while kSecAttrAccount acts as a unique identifier. e search option kSecMatchLimitOne is passed to ensure that only the first match is returned, if any.

If status is equal to errSecSuccess (0), then result should be populated with the matching credential.

Adding and Updating Keychain Items

NSData *data = ...;

if (status == errSecSuccess)
{
    NSDictionary *updatedAttributes = @{(__bridge id)kSecValueData: data};

    SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)updatedAttributes);
}
else
{
    NSMutableDictionary *attributes = [query mutableCopy];
    attributes[(__bridge id)kSecValueData] = data;
    attributes[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleAfterFirstUnlock;
    SecItemAdd((__bridge CFDictionaryRef)attributes, NULL);
}