jfitzell / mozilla-keychain

Store your Firefox website usernames and passwords in Apple's Keychain Services, just like Safari and other browsers do on OS X.

Enable iCloud Keychain Access #62

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Enhancement request:

Please add support for storage and retrieval of passwords stored in iCloud 
Keychain Access. Currently passwords stored in iCloud via an iOS device do not 
automatically carry over to Firefox on Mac OSX Mavericks. Same for passwords 
stored from OSX, they do not carry over to iOS through the iCloud feature.

Original issue reported on code.google.com by golp...@gmail.com on 31 Oct 2013 at 6:13

GoogleCodeExporter commented 9 years ago
I've investigated this issue. This is what I have found out so far:

Apple introduced a new type of keyring items in OS X Mavericks / iOS 7 and 
calls this "iCloud Keychain". To access these items - both when querying and 
when creating them - one has to specify a new kSecAttrSynchronizable attribute. 
This explains the current behavior displayed by the Firefox extension in OS X 
Mavericks: Passwords are created and found in the login keyring, not in the 
synchronized iCloud keyring. This is the expected backward compatible behavior.

After taking a look in the source code of the extension, it seems that it uses 
the SecKeychain API to access keychain items. Apple provides and endorses 
another API that is called SecItem for the same purpose. All examples provided 
by Apple that demonstrate how you can access items in the synchronized keyring 
use this new API.

To me, it is not clear whether the old API supports accessing the synchronized 
items at all. If not, it seems necessary to migrate the Firefox extension to 
the new SecItem API.

Original comment by sebastia...@gmail.com on 5 Jan 2014 at 8:02

GoogleCodeExporter commented 9 years ago
I played around with this a bit tonight. I can get SecItemAdd working, but if I 
try setting kSecAttrSynchronizable to true, I get error -34018, which is 
errSecMissingEntitlement: "Internal error when a required entitlement isn't 
present."

According to 
[https://developer.apple.com/library/mac/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingiCloud.html#//apple_ref/doc/uid/TP40011195-CH2-SW1 this page] 
it looks like Mozilla would have to specify an iCloud entitlement when building Firefox.

Worse, I don't fully understand entitlements yet, but it looks like (e.g. 
[http://blog.loganscollins.com/entries/2012/mar/24/icloud-members-only-club/ 
here]) you may not be able to get an iCloud entitlement unless your app is 
installed from the App Store.

This may not be doable any time soon. Do you know enough to confirm any of the 
above?

Original comment by jfitz...@gmail.com on 8 Jan 2014 at 1:21
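The behaviour discussed in the two comments above, as an added example that is not part of the original thread or the extension's code: a Swift program that tries to store an internet password with kSecAttrSynchronizable set and keeps the item in the local login keychain when SecItemAdd returns -34018. The server, account and password values are constructed, and the helper names (itemAttributes, storePassword, passwordExists) are hypothetical.

```swift
import Foundation
import Security

// Constructed sample values (assumptions, not from the extension).
let server = "example.com"
let account = "alice"
let secret = Data("constructed-sample-password".utf8)

// Value quoted in the thread for errSecMissingEntitlement.
let missingEntitlement: OSStatus = -34018

// Hypothetical helper: attributes identifying one internet-password item.
// synchronizable == true targets iCloud Keychain; false omits the attribute,
// which is the legacy behaviour (local login keychain).
func itemAttributes(synchronizable: Bool) -> [String: Any] {
    var attrs: [String: Any] = [
        kSecClass as String: kSecClassInternetPassword,
        kSecAttrServer as String: server,
        kSecAttrAccount as String: account,
    ]
    if synchronizable { attrs[kSecAttrSynchronizable as String] = true }
    return attrs
}

// Hypothetical helper: store the password, preferring the synchronized keychain.
// Returns the final status and whether the item ended up synchronizable.
func storePassword() -> (status: OSStatus, synchronized: Bool) {
    var attrs = itemAttributes(synchronizable: true)
    attrs[kSecValueData as String] = secret
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == missingEntitlement else { return (status, status == errSecSuccess) }

    // The binary lacks the required entitlement: keep the item local instead.
    var local = itemAttributes(synchronizable: false)
    local[kSecValueData as String] = secret
    return (SecItemAdd(local as CFDictionary, nil), false)
}

// Queries must carry the same attribute, or synchronized items are not matched.
func passwordExists(synchronizable: Bool) -> OSStatus {
    var query = itemAttributes(synchronizable: synchronizable)
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    return SecItemCopyMatching(query as CFDictionary, nil)
}

let (finalStatus, synchronized) = storePassword()
let text = SecCopyErrorMessageString(finalStatus, nil) as String? ?? "unknown"
print("add: \(finalStatus) (\(text)), synchronized: \(synchronized)")
print("lookup (local): \(passwordExists(synchronizable: false))")
print("lookup (iCloud): \(passwordExists(synchronizable: true))")
```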

GoogleCodeExporter commented 9 years ago
Issue 64 has been merged into this issue.

Original comment by jfitz...@gmail.com on 8 Jan 2014 at 1:24

GoogleCodeExporter commented 9 years ago
I have created a pure OS X mini-application that tries to access the 
synchronised keychain items using the SecItem API and ran into the same issue 
(missing entitlement).

From what I know (referring to WWDC 2013 Session 709 on Keychains), your 
statements on entitlements and required code signing are correct. 

Original comment by sebastia...@gmail.com on 8 Jan 2014 at 4:37

GoogleCodeExporter commented 9 years ago
Dependent on Mozilla build and distribution changes that are highly unlikely.

Original comment by jfitz...@gmail.com on 3 Feb 2014 at 10:47

GoogleCodeExporter commented 9 years ago
Issue 74 has been merged into this issue.

Original comment by jfitz...@gmail.com on 31 Oct 2014 at 9:06