Feedback: Unable to query for identity inserted as a CTK token on VisionOS
FB13599689 — visionOS
FB13599689
2/8/24, 8:07:38 PM CST
Basic Information
Please provide a descriptive title for your feedback:
Unable to query for identity inserted as a CTK token on VisionOS
Which area are you seeing an issue with?
Security
What type of feedback are you reporting?
Incorrect/Unexpected Behavior
Details
What does the Security issue you are seeing involve?
Crash/Hang
Description
Please describe the issue and what steps we can take to reproduce it:
SecItemCopyMatching never returns when CTK token inserted and kSecReturnRef is true
After inserting a token with addTokenConfiguration(for: configName) on the Apple Vision Pro, any app that tries to find the identity blocks indefinitely in the SecItemCopyMatching query.
To replicate:
Sample project here:
https://bitbucket.org/twocanoes/isigningapp/src/master/
The app reads a P12 file, inserts its identity as a persistent token, and then displays the inserted tokens. After the token is inserted with addTokenConfiguration(for: configName) and newConfig.keychainItems = keyItems, any app (including the same app) that queries for the identity blocks on SecItemCopyMatching:
// Query for identity references: this call never returns once the CTK token is inserted.
var item: CFTypeRef?
let query = [kSecClass: kSecClassIdentity,
             kSecMatchLimit: kSecMatchLimitAll,
             kSecReturnRef: kCFBooleanTrue as Any,
             kSecReturnAttributes: kCFBooleanFalse as Any] as [CFString : Any]
let sanityCheck = SecItemCopyMatching(query as CFDictionary, &item)
If kSecReturnRef: kCFBooleanTrue is changed to kSecReturnRef: kCFBooleanFalse, the call returns instead of blocking:
// Same query with no reference requested: returns normally.
var item: CFTypeRef?
let query = [kSecClass: kSecClassIdentity,
             kSecMatchLimit: kSecMatchLimitAll,
             kSecReturnRef: kCFBooleanFalse as Any,
             kSecReturnAttributes: kCFBooleanFalse as Any] as [CFString : Any]
let sanityCheck = SecItemCopyMatching(query as CFDictionary, &item)
Likewise, requesting the attributes but not the reference returns correctly:
// Attributes only: returns normally, but yields no SecIdentity usable for crypto operations.
var item: CFTypeRef?
let query = [kSecClass: kSecClassIdentity,
             kSecMatchLimit: kSecMatchLimitAll,
             kSecReturnRef: kCFBooleanFalse as Any,
             kSecReturnAttributes: kCFBooleanTrue as Any] as [CFString : Any]
let sanityCheck = SecItemCopyMatching(query as CFDictionary, &item)
Without a reference to the identity, it cannot be used for crypto operations. The hang also prevents our app from listing the inserted tokens and certificates, which removes required functionality.
Note that after the token is inserted, Safari is able to use the identity for mTLS on a website.
In the attached log, the query happens at around 2024-02-08 18:57:20.305324-0600.
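The following is an added reproduction harness, not code from the report or from the linked sample project. It wraps the report's identity query in a background queue with a deadline so that a SecItemCopyMatching call that never returns is surfaced as a timeout rather than freezing the calling thread, and it runs the three kSecReturnRef/kSecReturnAttributes variants above in turn. The Box helper, the five-second deadline and the runReproduction driver are assumptions of this example; the query dictionary is the one from the report.

```swift
import Foundation
import Security

/// Outcome of a keychain identity query run with a deadline.
enum IdentityQueryOutcome {
    case found([CFTypeRef])   // SecIdentity refs, or attribute dictionaries when only attributes were requested
    case status(OSStatus)     // SecItemCopyMatching returned a status other than success, e.g. errSecItemNotFound
    case timedOut             // the call did not return before the deadline (the hang this report describes)
}

/// Thread-safe handover: the worker may finish after the caller has given up waiting,
/// so the result is stored and read under a lock rather than through a captured variable.
/// (Helper added for this example, not part of the sample project.)
private final class Box<T> {
    private let lock = NSLock()
    private var value: T?
    func set(_ v: T) { lock.lock(); value = v; lock.unlock() }
    func get() -> T? { lock.lock(); defer { lock.unlock() }; return value }
}

/// Runs the report's identity query on a background queue and waits at most `timeout` seconds,
/// so a hung SecItemCopyMatching surfaces as `.timedOut` instead of blocking the calling thread.
func queryIdentities(returnRef: Bool,
                     returnAttributes: Bool,
                     timeout: TimeInterval = 5) -> IdentityQueryOutcome {
    let query: [CFString: Any] = [
        kSecClass: kSecClassIdentity,
        kSecMatchLimit: kSecMatchLimitAll,
        kSecReturnRef: returnRef,
        kSecReturnAttributes: returnAttributes,
    ]
    let box = Box<IdentityQueryOutcome>()
    let done = DispatchSemaphore(value: 0)

    DispatchQueue.global(qos: .userInitiated).async {
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecSuccess, let matches = item as? [CFTypeRef] {
            box.set(.found(matches))
        } else {
            box.set(.status(status))
        }
        done.signal()
    }

    if done.wait(timeout: .now() + timeout) == .timedOut {
        // The worker thread stays blocked inside SecItemCopyMatching; only the caller stops waiting.
        return .timedOut
    }
    return box.get() ?? .timedOut
}

/// Runs the three variants from the report, ending with the one reported to block,
/// so the output isolates kSecReturnRef as the trigger.
func runReproduction() {
    let variants: [(label: String, ref: Bool, attrs: Bool)] = [
        ("ref=false attrs=false", false, false),
        ("ref=false attrs=true",  false, true),
        ("ref=true  attrs=false", true,  false),   // the variant reported to block
    ]
    for v in variants {
        switch queryIdentities(returnRef: v.ref, returnAttributes: v.attrs) {
        case .found(let items): print("\(v.label): \(items.count) match(es)")
        case .status(let s):    print("\(v.label): OSStatus \(s)")
        case .timedOut:         print("\(v.label): no return within deadline (hang)")
        }
    }
}

runReproduction()
```

Because the detached worker cannot be cancelled once it is inside SecItemCopyMatching, the wrapper only protects the caller from the hang; run it on a throwaway thread, as here, rather than on the main queue, and expect one blocked thread per timed-out variant when the bug reproduces.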
Files
com.apple.DiagnosticExtensions.sysdiagnose.tar.gz