Programmatically Accessing and Manipulating Multiple Keychain Items

Q: Can I sequentially access encrypted Keychain Items, avoiding multiple "Deny/Allow Once/Always Allow" confirmation dialogs?

A: No. There is currently no way to avoid the individual confirmation dialogs when using Keychain Manager or Keychain Services APIs, since the data of each retrieved item must first be decrypted before it is returned to the caller. Each item stored in your keychain is individually encrypted with its own unique key. Each of those keys has an access control list that requires the use of the confirmation dialog by default when the key is used to decrypt. Furthermore, these individual keys are themselves encrypted with a master key, which is in turn encrypted with a key derived from your passphrase.

If you don't want or need the old encrypted data content and the new data content is known to you, you can update an item without getting dialogs.

You can do this by:

  • copying the old item's attributes and access

  • deleting the old item

  • creating a new item with the new data containing the old attributes and access

To acquire the old item's attributes and access, pass NULL for the data and data length parameters of functions that return keychain item attributes, such as SecKeychainItemCopyAttributesAndData and SecKeychainItemCopyContent. You will also need to free the memory associated with the returned attributes and access. This can be done by passing the returned references to SecKeychainItemFreeAttributesAndData.
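The three steps above, carried through on a generic-password item with the legacy Keychain Services C API, as an added example that is not part of this Q&A. It assumes a constructed item (service "ExampleApp", account "alice") and carries over a fixed set of attributes; the data and length parameters are NULL in the copy call, so the old secret is never decrypted and no confirmation dialog is shown.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

/* Replace the secret of a generic-password item without reading the old one:
 * copy attributes (data pointer NULL) and access, delete, re-create. */
static OSStatus ReplaceItemSecret(SecKeychainItemRef oldItem,
                                  const void *newData, UInt32 newLen,
                                  SecKeychainItemRef *newItem)
{
    /* Attributes carried over to the new item; extend if your items set more. */
    UInt32 tags[]    = { kSecServiceItemAttr, kSecAccountItemAttr,
                         kSecLabelItemAttr,   kSecCommentItemAttr };
    UInt32 formats[] = { CSSM_DB_ATTRIBUTE_FORMAT_STRING, CSSM_DB_ATTRIBUTE_FORMAT_STRING,
                         CSSM_DB_ATTRIBUTE_FORMAT_STRING, CSSM_DB_ATTRIBUTE_FORMAT_STRING };
    SecKeychainAttributeInfo info = { 4, tags, formats };
    SecKeychainAttributeList *attrs = NULL;
    SecAccessRef access = NULL;
    SecItemClass itemClass = 0;

    /* length and outData are NULL: attributes only, no decryption, no dialog. */
    OSStatus err = SecKeychainItemCopyAttributesAndData(oldItem, &info, &itemClass,
                                                        &attrs, NULL, NULL);
    if (err != errSecSuccess) return err;
    err = SecKeychainItemCopyAccess(oldItem, &access);   /* ACL metadata, no decryption */
    if (err == errSecSuccess) {
        /* Delete first: service+account is unique, so creating the replacement
         * before deleting would fail with errSecDuplicateItem. The old secret
         * is unrecoverable from here on, so only do this when it is not needed. */
        err = SecKeychainItemDelete(oldItem);
    }
    if (err == errSecSuccess) {
        err = SecKeychainItemCreateFromContent(itemClass, attrs, newLen, newData,
                                               NULL /* default keychain */, access, newItem);
    }
    if (access) CFRelease(access);
    SecKeychainItemFreeAttributesAndData(attrs, NULL);   /* frees the copied attributes */
    return err;
}

int main(void)
{
    @autoreleasepool {
        SecKeychainItemRef item = NULL, replacement = NULL;
        /* Constructed item: locate it without asking for the password data. */
        OSStatus err = SecKeychainFindGenericPassword(NULL, 10, "ExampleApp", 5, "alice",
                                                      NULL, NULL, &item);
        if (err != errSecSuccess) { NSLog(@"find failed: %d", (int)err); return 1; }
        const char *secret = "new-secret-value";          /* constructed replacement */
        err = ReplaceItemSecret(item, secret, (UInt32)strlen(secret), &replacement);
        CFRelease(item);
        if (replacement) CFRelease(replacement);
        NSLog(@"replace: %d", (int)err);                  /* 0 on success */
        return err == errSecSuccess ? 0 : 1;
    }
}
```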

For a listing of associated functions, check out the Keychain Services Reference.

Document Revision History

Date        Notes
2006-10-03  First Version

Posted: 2006-10-03
