Listing entries in a keychain on Mac OS X

Question

I have been playing around with Cocoa for the last couple of days and I was wondering how I would go about listing all Name/Account pairs of a keychain that I created? the little key chain access app that comes with Mac OS X does that, so it must be possible I presume? Is SecItemCopyMatching what I'm looking for? How do I specify the keychain I want to search, though? And what's a service name in this context?

...am I the only one who thinks the Keychain API in Cocoa is absolutely horrible? I have been reading the documentation up and down for the last couple of hours or so and I'm still getting nowhere :-/

Answer 1

you iterate over the items in your keychain with SecItemCopyMatching and access the password with SecKeychainFindInternetPassword or SecKeychainFindGenericPassword.

Iterate over Keychain:

// iterates over keychain and pass every item found by the query to PrintAccount.
static void IterateOverKeychain() {
    // create query
    CFMutableDictionaryRef query = CFDictionaryCreateMutable(kCFAllocatorDefault, 3, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    CFDictionaryAddValue(query, kSecReturnAttributes, kCFBooleanTrue);
    CFDictionaryAddValue(query, kSecMatchLimit, kSecMatchLimitAll);
    CFDictionaryAddValue(query, kSecClass, kSecClassInternetPassword);

    // get search results
    CFArrayRef result = nil;
    OSStatus status = SecItemCopyMatching(query, (CFTypeRef*)&result);
    assert(status == 0);

    // do something with the result
    CFRange range = CFRangeMake(0, CFArrayGetCount(result));
    CFArrayApplyFunction(result, range, PrintAccount, nil);
}

// prints the password for a item from the keychain.
static void PrintAccount(const void *value, void *context) {
    CFDictionaryRef dict = value;
    CFStringRef acct = CFDictionaryGetValue(dict, kSecAttrAccount);
    NSLog(@"%@", acct);
}

Print Password:

static void PrintPassword() {
    const char *acct = "[email protected]";
    UInt32 acctLen = (UInt32)strlen(acct);

    const char *srvr = "calendar.google.com";
    UInt32 srvrLen = (UInt32)strlen(srvr);

    UInt32 pwLen = 0;
    void *pw = 0;

    SecKeychainFindInternetPassword(nil, srvrLen, srvr, 0, nil, acctLen, acct, 0, nil, 0, kSecProtocolTypeAny, kSecAuthenticationTypeAny, &pwLen, &pw, nil);

    CFStringRef pwString = CFStringCreateWithBytes(kCFAllocatorDefault, pw, pwLen, kCFStringEncodingUTF8, NO);
    NSLog(@"%s %@", acct, pwString);
}

Answer 2

Well, I managed to enumerate over the keychain entries, however the password field is empty. I thought if authorization was required, the program would ask for the keychain password automatically like it usually does?

NSDictionary *query = [NSDictionary dictionaryWithObjectsAndKeys:
                       (id)kSecClassInternetPassword, kSecClass,
                       (id)kCFBooleanTrue, kSecReturnData,
                       (id)kCFBooleanTrue, kSecReturnAttributes,
                       kSecMatchLimitAll, kSecMatchLimit,
                       nil];

NSArray *itemDicts = nil;
OSStatus status = SecItemCopyMatching((CFDictionaryRef)query, (CFTypeRef *)&itemDicts);
if (status)
    [MessageBox Show:(NSString*)SecCopyErrorMessageString(status, NULL)];

NSMutableArray *arr = [[NSMutableArray alloc] init];

for (NSDictionary *itemDict in itemDicts) {
    NSData *data    = [itemDict objectForKey:(id)kSecValueData];
    NSString *pwd   = [[[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding] autorelease];
    NSString *acc   = [itemDict objectForKey:(id)kSecAttrAccount];
    NSString *name  = [itemDict objectForKey:(id)kSecAttrLabel];

    if(acc != nil) {
        NSArray *values = [NSArray arrayWithObjects: (id)name, (id)acc, (id)pwd, nil];

        [arr addObject:(id)values];
    }
}
[itemDicts release];

NSInteger c     = arr.count;
NSString *cnt   = [NSString stringWithFormat:@"%d", c]; 
[MessageBox Show: [arr objectAtIndex:10]];