0xmachos/Keychain.md

Last active February 19, 2024 06:50

Star 40 You must be signed in to star a gist
Fork 6 You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/0xmachos/5bcf2ad0085e09f3b553a88bb0e0574d.js"></script>
Save 0xmachos/5bcf2ad0085e09f3b553a88bb0e0574d to your computer and use it in GitHub Desktop.

Download ZIP

Useful resources for working with iOS/ macOS Keychain API

Raw

Keychain.md

Keychain API

kSecAttrAccessible Mapping

Protection Domain (pdmn)	Keychain Accessibility Values
`ck`	`kSecAttrAccessibleAfterFirstUnlock`
`cku`	`kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly`
`dk`	`kSecAttrAccessibleAlways`
`akpu`	`kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly`
`dku`	`kSecAttrAccessibleAlwaysThisDeviceOnly`
`ak`	`kSecAttrAccessibleWhenUnlocked`
`aku`	`kSecAttrAccessibleWhenUnlockedThisDeviceOnly`

Source(s):

Database (keychain-2.db) Structure

In the iOS keychain, all the keychain items are stored in 4 tables

Table	kSecClass
`genp`	`kSecClassGenericPassword`
`inet`	`kSecClassInternetPassword`
`cert`	`kSecClassCertificate`
`key`	`kSecClassKey`

kSecClassIdentity = kSecClassCertificate + kSecClassKey

Keychain tables column names mapped to the corresponding keychain item class attributes

Column	Attribute	Description
`cdat`	`kSecAttrCreationDate`	Item creation date in Unix epoch time format
`mdat`	`kSecAttrModificationDate`	Item modification date in Unix epoch time format
`desc`	`kSecAttrDescription`	User visible string that describes the item
`icmt`	`kSecAttrComment`	User editable comment for the item
`crtr`	`kSecAttrCreator`	Application created (4 char) code
`type`	`kSecAttrType`	Item type
`scrp`	`kSecAttrScriptCode`	String script code (such as encoding type)
`labl`	`kSecAttrLabel`	Label to be displayed to the user (print name)
`alis`	`kSecAttrAlias`	Item alias
`invi`	`kSecAttrIsInvisible`	Invisible
`nega`	`kSecAttrIsNegative`	Invalid item
`cusi`	`kSecAttrHasCustomIcon`	Existence of application specific icon (Boolean)
`prot`	`kSecProtectedDataItemAttr`	? Item’s data is protected (Boolean)
`acct`	`kSecAttrAccount`	Account key (such as user id)
`svce`	`kSecAttrService`	Service name (such as Application identifier)
`gena`	`kSecAttrGeneric`	User defined attribute
`data`	`kSecValueData`	Actual data (such as password, crypto key…)
`agrp`	`kSecAttrAccessGroup`	Keychain access group
`pdmn`	`kSecAttrAccessible`	Access restrictions (Data protection classes)

Source(s):

Apple Material

Keychain Services Documentation
- Keychain Items Documentation
Security and Your Apps (WWDC 2015) 32:30 onwards

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment