Hi Perry:
What we're trying to do is this: if someone uses "Keychain Access",
adds the 'show status' item in the menu bar and selects lock keychain
from the menu, then when they select unlock keychain from the menu I
don't want the static password dialog (which I thought went through
com.apple.default.passphrase or generic-unlock). I want to display
my dialog.
I get this functionality with a system keychain (or at least the
keychain named 'System' and 'X509Certificates').
Is the code that displays that dialog open source? Maybe I just
missed it with all the projects I was looking through.
Comments?
John
----- Original Message ----- From: "Perry The Cynic" <email@hidden>
To: "John Cebasek" <email@hidden>
Cc: <email@hidden>
Sent: Monday, January 09, 2006 1:18 PM
Subject: Re: Keychain dialogs
--On January 9, 2006 9:38:37 AM -0500 John Cebasek
<email@hidden> wrote:
Hi All:
We want to protect the keychain with our one-time passwords. I can handle
the system keychain; however, it seems that the personal keychains aren't
handled via the authorization file. How are they handled? I was reading
the source for libsecurity_keychain; there's Keychains.cpp, which appears
to contain all the code for managing the keychains, and the rights it
uses are generic-new-passphrase and generic-unlock.
Sadly (for you), software keychain unlock is not handled through
the Authorization subsystem. It's done implicitly, based on a
mechanism driven through CSSM ACLs and implemented in the
securityd daemon. Libsecurity_keychain (being part of the client
side code) has neither access to, nor much control over, the
password used to unlock a keychain.
Keychains' security is (hard) based on their operational keys being
encrypted with (a key derived from) their passphrase. Thus, the
(hard) security mechanism doesn't accommodate one-time pads
directly. I suppose you could cook up a daemon that somehow knows
the keychain's master secret and only doles it out under certain
circumstances (you *can* explicitly unlock a keychain if you know
its master secret), but that begs the question of how that daemon
keeps its secret - in a keychain? :-)
Cheers
-- perry
---------------------------------------------------------------------------
Perry The Cynic email@hidden
To a blind optimist, an optimistic realist must seem like an Accursed Cynic.
---------------------------------------------------------------------------
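The passphrase-wrapped-master-key model Perry describes, as an added example that is not part of the thread and not Apple's securityd or CSSM code: a toy keychain whose master key is wrapped under a PBKDF2 key derived from the passphrase. It shows why a fresh one-time password cannot unlock a keychain that was wrapped under the previous one, and the alternative Perry mentions, an explicit unlock by something that already holds the master secret. The wrapping construction (HMAC-SHA256 keystream plus HMAC tag, chosen so the block runs on the Python standard library alone), the KDF parameters and every name here (ToyKeychain, derive_kek, wrap_master_key and so on) are assumptions for illustration, not the real keychain format.

```python
"""Toy model of how a passphrase protects a keychain's master key.

Added example, not Apple code: it stands in for the securityd / CSSM ACL
machinery described in the thread so the reasoning can be exercised offline.
The wrapping scheme (HMAC-SHA256 keystream plus HMAC tag) is a stand-in for
the real keychain key-wrapping format; KDF parameters are assumed values.
"""
import hashlib
import hmac
import secrets
from typing import Optional

KDF_ITERATIONS = 100_000  # assumed; the real keychain KDF settings are not on the page


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Key-encrypting key derived from the passphrase (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=32)


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC (toy stand-in for a block cipher)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(kek, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def wrap_master_key(master: bytes, kek: bytes) -> dict:
    """Encrypt the master key under the KEK and authenticate nonce||ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(master, _keystream(kek, nonce, len(master))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap_master_key(blob: dict, kek: bytes) -> Optional[bytes]:
    """Return the master key, or None if the KEK (hence the passphrase) is wrong."""
    tag = hmac.new(kek, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    stream = _keystream(kek, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


class ToyKeychain:
    """Locked/unlocked state: the master key exists in memory only while unlocked."""

    def __init__(self, passphrase: str):
        self.salt = secrets.token_bytes(16)
        master = secrets.token_bytes(32)
        self.wrapped = wrap_master_key(master, derive_kek(passphrase, self.salt))
        # Stored check value lets unlock_with_master_secret verify the caller's key
        # without any passphrase being involved (assumed design, not the real format).
        self.master_check = hmac.new(master, b"keychain-master-check", hashlib.sha256).digest()
        self._unlocked_master: Optional[bytes] = None

    def is_unlocked(self) -> bool:
        return self._unlocked_master is not None

    def lock(self) -> None:
        self._unlocked_master = None

    def unlock_with_passphrase(self, passphrase: str) -> bool:
        """Normal path: derive the KEK from what the user typed and try to unwrap."""
        self._unlocked_master = unwrap_master_key(self.wrapped, derive_kek(passphrase, self.salt))
        return self.is_unlocked()

    def unlock_with_master_secret(self, master: bytes) -> bool:
        """Explicit unlock by whoever already holds the master secret; no passphrase used."""
        check = hmac.new(master, b"keychain-master-check", hashlib.sha256).digest()
        if not hmac.compare_digest(check, self.master_check):
            return False
        self._unlocked_master = master
        return True

    def export_master_secret(self) -> bytes:
        """Only an unlocked keychain can hand its master secret to an escrow daemon."""
        if not self.is_unlocked():
            raise PermissionError("keychain is locked")
        return self._unlocked_master


def demo() -> dict:
    """Walk through the thread's scenario; returns the outcome of each step."""
    kc = ToyKeychain("otp-000001")                  # keychain created under the first OTP
    results = {"first_otp": kc.unlock_with_passphrase("otp-000001")}
    escrow = kc.export_master_secret()              # an escrow daemon captures the master now
    kc.lock()
    results["next_otp"] = kc.unlock_with_passphrase("otp-000002")       # a fresh OTP cannot unwrap
    results["escrowed_master"] = kc.unlock_with_master_secret(escrow)   # the master secret can
    kc.lock()
    results["bogus_master"] = kc.unlock_with_master_secret(secrets.token_bytes(32))
    return results


if __name__ == "__main__":
    print(demo())
```

The escrow path works only because `escrow` was captured while the keychain was already unlocked under the original passphrase, which is exactly the circularity the reply points at: whatever daemon holds that master secret now needs its own protection, and wrapping it under another passphrase just moves the same problem one level up.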
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list (email@hidden)