This function writes to the keychain properly when testing on both the simulator and the device. It does not work when installed with an enterprise Signing Identity.
It is worth mentioning Keychain Sharing is enabled in the app and the app's extension.
Please note it works perfectly on the device when building with the development profile.
Additionally no errors are logged in the operation (see below) so there isn't any information as to why it failed.
public class func setToken(token: String, account: String, service: String = "APIrev1") {
var log = XCGLogger.defaultInstance()
log.info("Attempting to set token \(token) to account \(account)")
var secret: NSData = token.dataUsingEncoding(NSUTF8StringEncoding, allowLossyConversion: false)!
let objects: Array = [secClassGenericPassword(), service, account, secret]
let keys: Array = [secClass(), secAttrService(), secAttrAccount(), secValueData()]
let query = NSDictionary(objects: objects, forKeys: keys)
var p1 = SecItemDelete(query as CFDictionaryRef)
if (p1 != noErr) {
log.info("SecItemDelete, key not present to delete")
}
var p2 = SecItemAdd(query as CFDictionaryRef, nil)
if (p2 != noErr) {
log.error("SecItemAdd write of token \(token) to account \(account) failed")
}
}
I believe this is a bug in Swift iOS that only occurs in 64 bit devices. This solution worked but I have filed a report:
https://stackoverflow.com/a/27721235/737470
Related
------LE: We ended up removing the encryption of the database because with realm team suggestions it got worse - all we could do was to remove the database and loose all stored info. Now we encrypt in keychain only the fields we need.------
I have an app released in store and after updating their iOS version to 14+, users started to complain about info not being populated from database. Not all users with iOS 14+ have this issue, it appears randomly on some devices.
The issue goes away for awhile if they reinstall the app or after they update it to another version, but after using it for a few minutes it happens again.
My database uses encryption as documented here.
The store version of my app uses Realm 5.4.8, but I tested their last version (10.0.0) and the issue is still present.
I checked this issue but it's not the case for me, I don't have a shared app group container or a share extension.
Here's how the initialisation of realm looks like:
override init() {
super.init()
do {
guard let config = getMigrationAndEncryptionConfiguration() else {
realmConfigured = try Realm()
return
}
realmConfigured = try Realm(configuration: config)
} catch let error as NSError {
// this is where I got the error:
//"Encrypted interprocess sharing is currently unsupported.DB has been opened by pid: 4848. Current pid is 5806."
}
}
func getMigrationAndEncryptionConfiguration() -> Realm.Configuration? {
let currentSchemaVersion: UInt64 = 19
if Keychain.getData(for: .realmEncryptionKey) == nil {
var key = Data(count: 64)
_ = key.withUnsafeMutableBytes { bytes in
SecRandomCopyBytes(kSecRandomDefault, 64, bytes)
}
Keychain.save(data: key, for: .realmEncryptionKey)
}
guard let key = Keychain.getData(for: .realmEncryptionKey) else {
return nil
}
let fileUrl = Realm.Configuration().fileURL!.deletingLastPathComponent()
.appendingPathComponent("Explorer.realm")
var config = Realm.Configuration(fileURL: fileUrl,
encryptionKey: key,
schemaVersion: currentSchemaVersion, migrationBlock: { (migration, oldVersion) in
if oldVersion != currentSchemaVersion {
print("we need migration!")
}
})
return config
}
I had another question opened for the same issue on SO, but it was closed because I didn't have enough details. After another release of my app with more logs, I could find the error that appears at initialisation of realm:
"Encrypted interprocess sharing is currently unsupported.DB has been opened by pid: 4848. Current pid is 5806. "
This appears after the app goes to background, it gets terminated (crash or closed by the system/user) and when the users opens it again, realm fails to init.
I read all about encrypted realm not being supported in app groups or in a share extension, but I didn't implement any of that in my app, is there any other reason why this error happens?
I also removed Firebase Performance from my app because I read that this module could generate issues on realm database, but it didn't help.
I opened an issue on realm github page, but I got no answer yet.
Does anyone have any idea how to fix this or why is this happening?
Thank you.
I've just create a project in Xcode 9 beta 6 and add this code:
let privateDB = CKContainer.default().privateCloudDatabase
let greatID = CKRecordID(recordName: "GreatPlace")
let place = CKRecord(recordType: "Place", recordID: greatID)
privateDB.save(place) { (record, error) in
if error != nil {
let er = (error as! CKError).errorUserInfo
print("Error: \n")
print("CKErrorDescription: \(er["CKErrorDescription"]!)\n")
print("ContainerID: \(er["ContainerID"]!)\n")
print("NSDebugDescription: \(er["NSDebugDescription"]!)\n")
print("NSUnderlyingError: \(er["NSUnderlyingError"]!)\n")
print("NSLocalizedDescription: \(er["NSLocalizedDescription"]!)\n")
print("ServerErrorDescription: \(er["ServerErrorDescription"]!)\n")
}
if record != nil {
print("record: \(record!)")
}
}
and add this capabilities:
and when I run the code I receive this error message:
What I am doing wrong ?
There was a bug causing some associations to be missed. That bug has been fixed and we automatically fixed the container/app associations that were broken during that time.
If for some reason you still need to redo an association you can either use the Capabilities pane in Xcode or use developer.apple.com -> Certificates, Identifiers & Profiles -> App IDs -> pick the ID -> Edit -> Edit under iCloud -> check the box for the container to disassociate, save, then re-associate.
If you're still stuck please email cloudkit[at]apple.com
My friend and I are having the same issue. We made 2 different projects and both of them had the same error message "Invalid bundle ID for container" which is CKError case 10 .
We are calling our fetch function to get the default "Users" record in the viewDidLoad.
func fetchWorkoutCompleted(completion: #escaping (Error?) -> Void = { _ in }) {
cloudKitManager.fetchRecord(ofType: "Users", sortDescriptors: nil) { (records, error) in
if let error = error {
print(error.localizedDescription)
completion(error)
return
}
guard let records = records else { completion(nil); return }
completion(nil)
}
}
Using Xamarin.IOS, I had to select manual provisioning rather than automatic provisioning in the info.plist file.
Had the same issue. what worked for me was changing the iCloud group name.
Before it was something like this: iCloud.com.companyName.appName.randomString
After changing to: iCloud.com.companyName.randomString it started working and synchronising.
If after adding the new container it's red press the refresh button(from under the groups) and try a clean install on your phone and it should work
Thanks to Dave Browning, this is based on his answer.
Following worked for me:
Check the container id
Check the container id used for initialisation of CKContainer
Note: If you are using NSPersistentCloudKitContainer we wouldn't be using the container id directly would be picked automatically from the entitlements file.
Try to disable and enable iCloud on the App ID
Disable and Enable iCloud on App ID
Go to https://developer.apple.com and sign in
Select Certificates, Identifiers & Profiles
Select Identifiers (App IDs)
Edit App ID for the app
Uncheck iCloud
Save
Check iCloud
Quit Xcode and Clear DerivedData
Run app
I am trying to create a user login system for an iOS application written Swift 3. With the code below I get the unique Cognito Identity ID for the user in my User Pool but I am not sure what to do with this ID. Can I link it to the user and get the attributes associated with that user?
Code:
#IBAction func loginPressed(_ sender: Any) {
user = self.pool!.getUser(usernameTextField.text!)
user?.getSession(usernameTextField.text!, password: passwordTextField.text!, validationData: nil).continue({ task in
if let err = task.error { // some sort of error
print("LOGIN FAILED")
print(err)
//print(err.userInfo["message"] as! String)
}
else { //Successful login!
// this gets our token from the User Pool
let ret = task.result! as AWSCognitoIdentityUserSession
let myToken = ret.idToken?.tokenString;
print("Token: ", myToken);
let customcedentialProvider = AWSCustomIdentityProvider(tokens: [AWSCustomIdentityProvider.CognitoTokenKey : myToken!])
let credentialsProvider = AWSCognitoCredentialsProvider(regionType: CognitoConstants.COGNITO_REGIONTYPE, identityPoolId: CognitoConstants.COGNITO_IDENTITY_POOL_ID, identityProviderManager: customcedentialProvider)
let configuration = AWSServiceConfiguration(region: CognitoConstants.COGNITO_REGIONTYPE, credentialsProvider:credentialsProvider)
AWSServiceManager.default().defaultServiceConfiguration = configuration
// wipe cached creds
credentialsProvider.clearKeychain()
credentialsProvider.clearCredentials()
// hit it
credentialsProvider.getIdentityId().continue({ (task: AWSTask!) -> AnyObject! in
if (task.error != nil) {
print("Error: ")
} else {
// the task result will contain the identity id
let UserIdentityID = task.result as String? // Im saving user identity id in constant variable called "kUserIdentityID"
print(UserIdentityID)// my identityID
print(credentialsProvider.identityId)// my identityID
}
return nil
})
}
return nil
})
}
Output (Identity ID):
Optional("us-east-1:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX")
Thanks!
Cognito UserPool is an "identity provider" like Facebook, Google etc. Whereas Cognito Federated Identity helps to keep the mappings between different logins to one unique id, which is often called "Cognito Identity ID". Typically you store and retrieve data inside datasets under Cognito Federated identity. And sync those for multiple logins. If I understand your question, you may want to store the userpool "username" in the above mentioned dataset so that you can retrieve it and query the userpool
The self.pool refers to your Cognito User Pool. User pools have at least a username and password, but usually also other attributes, which you can fetch using user.getDetails. A user pool is an IdP (an Identity Provider).
The identityId is a Cognito Identity concept which primarily has the purpose of providing a unique id for one or more identities from IdP's.
Don't worry about being confused. Cognito is very confusing, I found it so confusing that I wrote up a little powerpoint presentation from my notes. Here is a link to a diagram that should help you.Diagram of Cognito
Also, I would like to suggest that you use the AWS Mobile Hub Helper as a starting point. It will download a swift code sample app. And the sample code uses the aws-mobilehub-helper-ios wrapper which simplifies a lot of the SDK and makes it more rational. The downloaded code is Swift2 but it is not too hard to get running in swift 3.
I have nearly completed the process for a developer authenticated sign in using AWS. I cannot seem to authenticate the back-end token that I receive and cannot seem to find any current implementations that are performing developer authentication via a third-party back-end. The error that I get is listed below.
As of right now my code looks like this:
Class containing Custom identity provider:
import Foundation
import AWSCognitoIdentityProvider
class CustomIdentityProvider: NSObject, AWSIdentityProviderManager {
var tokens: [NSString: NSString]?
init(tokens: [NSString: NSString]) {
self.tokens = tokens
}
#objc func logins() -> AWSTask<NSDictionary> {
return AWSTask(result: tokens! as NSDictionary)
}
}
AWS-APIManager.swift {snippet}
/* obtained cognito token from my back-end via getOpenIdTokenForDeveloperIdentity*/
/* From here I my app receives an IdentityId and Token */
let client_cognito_id = String(describing: valid_response)
let session_token = json.dictionaryValue["Token"]!
let login_with_amazon = NSString(string: "cognito-identity.amazonaws.com")
let token = NSString(string: String(describing: session_token))
let customProviderManager = CustomIdentityProvider(tokens: [login_with_amazon: token])
let credentialsProvider = AWSCognitoCredentialsProvider(
regionType: self.AWS_REGION,
identityPoolId: "us-east-1:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
identityProviderManager: customProviderManager
)
credentialsProvider.setIdentityProviderManagerOnce(customProviderManager)
credentialsProvider.getIdentityId().continue ({ (task: AWSTask!) -> AnyObject! in
if (task.error != nil) {
print("Error!!!: " + (task.error?.localizedDescription)!)
} else {
// the task result will contain the identity id
let cognitoId = task.result
print(cognitoId)
print("SUCCESS!!!")
}
return nil
})
}
For some odd reason odd reason I can cannot authenticate the token that I have received. I get an error "Invalid login token. Can't pass in a Cognito token.". I've tried to follow the documentation and piece together working code that I have found literally hundreds of sources and cannot seem to be able to move past this part of the authentication process. Any help would be greatly appreciated. Thanks!
I believe the issue here is that although you are supplying the token, you are not setting the identity id that you are getting from your backend. As such, it is calling GetId with a Cognito OpenIdConnectToken, which is not supported.
The simplest client implementation of Developer Authenticated Identities is to extend AWSCognitoCredentialsProviderHelper
Apologies for providing this in Objective C instead of Swift. In your implementation just override the token method.
- (AWSTask<NSString *> *)token {
//get the identity id and token from your server
//You can use AWSTaskCompletionSource if you don't have it and need to get it asynchronously.
//Once you have this information, simply set the identity id and return the token
self.identityId = identityId;
return [AWSTask taskWithResult:token];
}
I'm accessing the https webserver with certificate authentication from mac app, so I need to handle authentication and provide my certificate (URLSession -> NSURLAuthenticationMethodClientCertificate -> call SecPKCS12Import and extract identity from imported certificate -> create NSURLCredential from identity and provide it in completionHandler to the server) .
But after each https request the dialog box "MYAPP wants to sign using "privateKey" in your keychain" is displayed:
I want to avoid this message. My app is signed correctly. I think I need to set access for the certificate while importing (full access for my app), I'm trying to do it using SecAccessCreate and SecPKCS12Import options:
func extractIdentity(certData:NSData, certPassword:String) -> IdentityAndTrust {
var identityAndTrust:IdentityAndTrust!
var securityError:OSStatus = errSecSuccess
var items:CFArray?
//let certOptions:CFDictionary = [ kSecImportExportPassphrase.takeRetainedValue() as String: certPassword ];
let index: CFIndex = 2
let passwordKey = kSecImportExportPassphrase as String;
let passwordValue: CFString = "PASSWORD";
let accessKey = kSecImportExportAccess as String;
var access:SecAccessRef? = nil;
SecAccessCreate("CERTIFICATE_NAME", nil, &access);
var keys = [unsafeAddressOf(accessKey), unsafeAddressOf(passwordKey)]
var values = [unsafeAddressOf(access!), unsafeAddressOf(passwordValue)]
var keyCallbacks = kCFTypeDictionaryKeyCallBacks
var valueCallbacks = kCFTypeDictionaryValueCallBacks
let options = CFDictionaryCreate(kCFAllocatorDefault, &keys, &values, index, &keyCallbacks, &valueCallbacks)
// import certificate to read its entries
securityError = SecPKCS12Import(certData, options, &items);
if securityError == errSecSuccess {
let certItems:CFArray = items as CFArray!;
let certItemsArray:Array = certItems as Array
let dict:AnyObject? = certItemsArray.first;
if let certEntry:Dictionary = dict as? Dictionary<String, AnyObject> {
// grab the identity
let identityPointer:AnyObject? = certEntry["identity"];
let secIdentityRef:SecIdentityRef = identityPointer as! SecIdentityRef!;
// grab the trust
let trustPointer:AnyObject? = certEntry["trust"];
let trustRef:SecTrustRef = trustPointer as! SecTrustRef;
// grab the certificate chain
var certRef:SecCertificate?
SecIdentityCopyCertificate(secIdentityRef, &certRef);
let certArray:NSMutableArray = NSMutableArray();
certArray.addObject(certRef as SecCertificateRef!);
identityAndTrust = IdentityAndTrust(identityRef: secIdentityRef, trust: trustRef, certArray: certArray);
}
}
return identityAndTrust;
}
Anyway it doesn't work. How can I avoid this dialog box?
This thread How do I add authorizations to code sign an app from new keychain without any human interaction is related to importing the certificate using "security" command, and suggestion was to use -A or -T flags while importing the certificate, but can I do it programmatically without console commands?
You're probably building and running the application multiple times, which means that the cert was added to the keychain the first time, and the executable that did it was authorized to use the private key. However when you made some changes and rebuilt the project, the executable was replaced and the new executable doesn't have access to the private key (this is also an issue when your users have to update your software or reinstall for any reason).
What I found I had to do was remove the cert from the keychain after I used it, and re-add it before every use. However I've read that you can grant permission to an app identifier so that may work in your case too.
I have a code sample in my question's answer: How do I kill the popup?