Closed tburgin closed 9 years ago
Ah, success! The key was actually running the agent as a LaunchDaemon. This also removes the requirement for the extra mechanism in the plugin. Makes things simpler.
Oct 29 13:04:05 burgindev authorizationhost[14947]: KeychainMinder: Check
Oct 29 13:04:05 burgindev authorizationhost[14947]: KeychainMinder: XPC
Oct 29 13:04:05 burgindev authorizationhost[14947]: KeychainMinder: setPassword
Oct 29 13:04:05 burgindev SecurityAgent[14946]: KeychainMinder: Agent
Oct 29 13:04:05 burgindev KeychainMinderAgent[14949]: KeychainMinderAgent: New newConnection [14947]
Oct 29 13:04:05 burgindev authorizationhost[14947]: setPassword [1]
Oct 29 13:04:06 burgindev KeychainMinderGUI[14951]: KeychainMinder launched for burgintj
Oct 29 13:04:09 burgindev KeychainMinderAgent[14949]: KeychainMinderAgent: New newConnection [14951]
@russellhancox Now to secure it. Would you suggest using MOLCodesignChecker like you do with Santa?
That would probably be the easiest and shouldn't be much work to change over to.
Cool, when I get a chance I will update my fork with the changes. We can discuss more then.
Interesting, the plugin code actually runs under authorizationhost.xpc with Apple's code signing. So we will need to make an exemption for agent connections. Either the binary path of the authorizationhost.xpc or the use of Apple's Software Signing CA could be used as qualifiers.
The binary path for authorizationhost.xpc changed from 10.10 --> 10.11.
Have you noticed consistency with Apple's code signing CA?
Oct 31 12:58:31 burgindev KeychainMinderAgent[31195]: newConnection [31193]
Oct 31 12:58:31 burgindev KeychainMinderAgent[31195]: selfCS /Library/Security/SecurityAgentPlugins/KeychainMinder.bundle/Contents/Resources/KeychainMinderAgent
Oct 31 12:58:31 burgindev KeychainMinderAgent[31195]: selfCS (
"/O=NATIONAL INSTITUTE OF MENTAL HEALTH/OU=QZQALU4M8H/CN=Developer ID Application: NATIONAL INSTITUTE OF MENTAL HEALTH (QZQALU4M8H)",
"/O=Apple Inc./OU=Apple Certification Authority/CN=Developer ID Certification Authority",
"/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA"
)
Oct 31 12:58:31 burgindev KeychainMinderAgent[31195]: otherCS /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/authorizationhost.xpc
Oct 31 12:58:31 burgindev KeychainMinderAgent[31195]: otherCS (
"/O=Apple Inc./OU=Apple Software/CN=Software Signing",
"/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Code Signing Certification Authority",
"/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA"
)
Oct 31 12:58:31 burgindev authorizationhost[31193]: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application." (connection to service named com.google.corp.KeychainMinderAgent) UserInfo=0x7fcb29502260 {NSDebugDescription=connection to service named com.google.corp.KeychainMinderAgent}
Updated my fork with what I have so far.
https://github.com/tburgin/macops/commits/master
The last commit is all my site specific and debug settings.
What do you suggest for an authorizationhost.xpc code sign exemption?
The signing on /System/Library/Frameworks/Security.framework is the same as the nested authorizationhost.xpc, on both OS X 10.10 and 10.11. This seems to me like a dynamic enough approach.
// Add an exemption for Apple Signed authorizationhost.xpc
MOLCodesignChecker *appleCS = [[MOLCodesignChecker alloc] initWithBinaryPath:@"/System/Library/Frameworks/Security.framework"];
if ([otherCS signingInformationMatches:selfCS] || [otherCS signingInformationMatches:appleCS]) {...
Seems to work well enough.
Oct 31 20:00:43 burgindev KeychainMinderAgent[32962]: newConnection [32960]
Oct 31 20:00:43 burgindev KeychainMinderAgent[32962]: selfCS /Library/Security/SecurityAgentPlugins/KeychainMinder.bundle/Contents/Resources/KeychainMinderAgent
Oct 31 20:00:43 burgindev KeychainMinderAgent[32962]: selfCS (
"/O=NATIONAL INSTITUTE OF MENTAL HEALTH/OU=QZQALU4M8H/CN=Developer ID Application: NATIONAL INSTITUTE OF MENTAL HEALTH (QZQALU4M8H)",
"/O=Apple Inc./OU=Apple Certification Authority/CN=Developer ID Certification Authority",
"/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA"
)
Oct 31 20:00:43 burgindev KeychainMinderAgent[32962]: otherCS /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/authorizationhost.xpc
Oct 31 20:00:43 burgindev KeychainMinderAgent[32962]: otherCS (
"/O=Apple Inc./OU=Apple Software/CN=Software Signing",
"/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Code Signing Certification Authority",
"/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA"
)
Oct 31 20:00:43 burgindev authorizationhost[32960]: setPassword [1]
Oct 31 20:00:44 burgindev KeychainMinderGUI[32964]: KeychainMinder launched for burgintj
Oct 31 20:00:45 burgindev KeychainMinderAgent[32962]: newConnection [32964]
Oct 31 20:00:45 burgindev KeychainMinderAgent[32962]: selfCS /Library/Security/SecurityAgentPlugins/KeychainMinder.bundle/Contents/Resources/KeychainMinderAgent
Oct 31 20:00:45 burgindev KeychainMinderAgent[32962]: selfCS (
"/O=NATIONAL INSTITUTE OF MENTAL HEALTH/OU=QZQALU4M8H/CN=Developer ID Application: NATIONAL INSTITUTE OF MENTAL HEALTH (QZQALU4M8H)",
"/O=Apple Inc./OU=Apple Certification Authority/CN=Developer ID Certification Authority",
"/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA"
)
Oct 31 20:00:45 burgindev KeychainMinderAgent[32962]: otherCS /Library/Security/SecurityAgentPlugins/KeychainMinder.bundle/Contents/Resources/KeychainMinderGUI.app
Oct 31 20:00:45 burgindev KeychainMinderAgent[32962]: otherCS (
"/O=NATIONAL INSTITUTE OF MENTAL HEALTH/OU=QZQALU4M8H/CN=Developer ID Application: NATIONAL INSTITUTE OF MENTAL HEALTH (QZQALU4M8H)",
"/O=Apple Inc./OU=Apple Certification Authority/CN=Developer ID Certification Authority",
"/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA"
)
Oct 31 20:01:05 burgindev KeychainMinderAgent[32962]: newConnection [32982]
Oct 31 20:01:05 burgindev KeychainMinderAgent[32962]: selfCS /Library/Security/SecurityAgentPlugins/KeychainMinder.bundle/Contents/Resources/KeychainMinderAgent
Oct 31 20:01:05 burgindev KeychainMinderAgent[32962]: selfCS (
"/O=NATIONAL INSTITUTE OF MENTAL HEALTH/OU=QZQALU4M8H/CN=Developer ID Application: NATIONAL INSTITUTE OF MENTAL HEALTH (QZQALU4M8H)",
"/O=Apple Inc./OU=Apple Certification Authority/CN=Developer ID Certification Authority",
"/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA"
)
Oct 31 20:01:05 burgindev KeychainMinderAgent[32962]: otherCS (null)
Oct 31 20:01:05 --- last message repeated 1 time ---
Oct 31 20:01:05 burgindev BadActor[32982]: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application." (connection to service named com.google.corp.KeychainMinderAgent) UserInfo=0x60800006f080 {NSDebugDescription=connection to service named com.google.corp.KeychainMinderAgent}
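The peer check discussed in this thread (match the caller's signature against our own Developer ID signing, or against Apple's signing on Security.framework so that authorizationhost.xpc is admitted without a version-specific path), written out as a complete NSXPCListener delegate. This is an added example, not KeychainMinder's or MOLCodesignChecker's own code. `AgentListenerDelegate`, `KeychainMinderAgentProtocol` and `peerIsTrusted:` are names chosen here; `initWithSelf` and `initWithPID:` are taken from MOLCodesignChecker's interface as assumed here, while `initWithBinaryPath:` and `signingInformationMatches:` are the calls used in the snippet above. The Mach service name is the one that appears in the log output on this page.

```objective-c
// Added example: an XPC listener for a LaunchDaemon agent that admits a peer only
// if its code signature matches ours or matches Apple's signing on
// Security.framework (which authorizationhost.xpc carries on 10.10 and 10.11).
// MOLCodesignChecker is from google/macops; -initWithSelf and -initWithPID: are
// assumed from its interface. AgentListenerDelegate is a name chosen for this example.
#import <Foundation/Foundation.h>
#import "MOLCodesignChecker.h"

// Hypothetical protocol standing in for the agent's real XPC interface.
@protocol KeychainMinderAgentProtocol <NSObject>
- (void)setPassword:(NSString *)password withReply:(void (^)(BOOL ok))reply;
@end

@interface AgentListenerDelegate : NSObject <NSXPCListenerDelegate>
@property(nonatomic, readonly) MOLCodesignChecker *selfCS;   // our Developer ID chain
@property(nonatomic, readonly) MOLCodesignChecker *appleCS;  // Apple Software Signing chain
@property(nonatomic, readonly) id<KeychainMinderAgentProtocol> exportedObject;
- (instancetype)initWithExportedObject:(id<KeychainMinderAgentProtocol>)exportedObject;
- (BOOL)peerIsTrusted:(pid_t)pid;
@end

@implementation AgentListenerDelegate

- (instancetype)initWithExportedObject:(id<KeychainMinderAgentProtocol>)exportedObject {
  self = [super init];
  if (self) {
    _exportedObject = exportedObject;
    _selfCS = [[MOLCodesignChecker alloc] initWithSelf];
    // Anchor the exemption on the framework, not on the nested XPC service,
    // because the path of authorizationhost.xpc moved between 10.10 and 10.11.
    _appleCS = [[MOLCodesignChecker alloc]
        initWithBinaryPath:@"/System/Library/Frameworks/Security.framework"];
  }
  return self;
}

// YES when the connecting process is signed like us or like Security.framework.
// An unsigned peer yields a nil checker (the "otherCS (null)" case in the log) and is refused.
- (BOOL)peerIsTrusted:(pid_t)pid {
  MOLCodesignChecker *otherCS = [[MOLCodesignChecker alloc] initWithPID:pid];
  if (!otherCS) return NO;
  return [otherCS signingInformationMatches:self.selfCS] ||
         [otherCS signingInformationMatches:self.appleCS];
}

- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
  pid_t pid = newConnection.processIdentifier;
  if (![self peerIsTrusted:pid]) {
    // Returning NO drops the connection; the caller sees the "Couldn't communicate
    // with a helper application" error shown for BadActor in the log above.
    NSLog(@"Rejected XPC connection from pid %d: signing information does not match", pid);
    return NO;
  }
  newConnection.exportedInterface =
      [NSXPCInterface interfaceWithProtocol:@protocol(KeychainMinderAgentProtocol)];
  newConnection.exportedObject = self.exportedObject;
  [newConnection resume];
  return YES;
}

@end

// Entry point for the agent when run as a LaunchDaemon: the Mach service name must
// match the MachServices key in the daemon's launchd plist.
int main(int argc, const char *argv[]) {
  @autoreleasepool {
    id<KeychainMinderAgentProtocol> agent = nil;  // the real agent object goes here
    AgentListenerDelegate *delegate =
        [[AgentListenerDelegate alloc] initWithExportedObject:agent];
    NSXPCListener *listener = [[NSXPCListener alloc]
        initWithMachServiceName:@"com.google.corp.KeychainMinderAgent"];
    listener.delegate = delegate;
    [listener resume];
    [[NSRunLoop mainRunLoop] run];
  }
  return 0;
}
```

The decision is made once, in `listener:shouldAcceptNewConnection:`, before the connection is resumed, so no message from an untrusted peer ever reaches the exported object. Identifying the peer by `processIdentifier` is the mechanism available through the public NSXPCConnection API on these OS versions; it is weaker than checking the connection's audit token, because a PID identifies a process slot rather than a specific process image, so the check should be treated as a gate on who may talk to the agent rather than as proof of the caller's identity for every later message.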
Closing this issue. Discuss in https://github.com/google/macops/issues/47.
I have a very basic proof of concept here:
https://github.com/tburgin/macops/commit/96fe9415ddfe246a8117751f407003e718aea1af
Works well under 10.11
Under 10.10, not so much. I can't seem to get the AuthorizationPlugin to send messages to the KeychainMinderAgent. I can connect but every time I send a message I receive a connection invalidated error.
I am thinking it is some type of code signing issue. Any ideas? More investigation is required.