FIX [VALSinglePromptSecureEnclaveValet containsObjectForKey] on TouchID fingerprints changes #116
Conversation
…ning YES after the key has been removed from the Keychain due to TouchIDCurrentSet changed - Do not query the Keychain using cached LAContext. Do not override containsObjectForKey from VALSinglePromptSecureEnclaveValet
…om the Keychain, not when adding or removing keys
Great find! We'll need to make sure to adopt similar changes in #80.
Fascinating! Do you have documentation to support this? I'm going to run this change though its paces in our TouchIDTest app. If it looks good, I'll merge and release an update :) |
|
This looks good! Will merge when CI goes green. Updating #80 now. Thanks again for this fix!! |
|
2.4.2 has been published with this change. Thanks again! |
|
Thank you for the quick reply!
I haven't found documentation to support this, just my testing and this transcript from a WWDC Session http://asciiwwdc.com/2014/sessions/711
Official docs are ambiguous, i.e. for kSecAccessControlTouchIDCurrentSet they say "Constraint to access an item with Touch ID for currently enrolled fingers" |
juantrias
deleted the
fix-VALSinglePromtSecureEnclaveValet-containsObject
branch
[VALSinglePromptSecureEnclaveValet containsObjectForKey]is returningYESafter the key has been removed from the Keychain due to TouchID fingerprints changes, after adding or removing a fingerprint. The reason is that theLAContextinstance kept byVALSinglePromptSecureEnclaveValethas the key cached. So, forcontainsObjectForKey, we need to query the Keychain without using this instance, as in regularVALSecureEnclaveValet.Additionally, although this does not affect the functionality, we only need to pass the
LAContextinstance when reading keys from the Keychain, not when adding or removing keys