Reputation: 5806
I'm trying to store a p12 (pfx) certificate in the keychain on iOS with code essentially from KeychainSwift, with just the klass changed from password to certificate:
```swift
@discardableResult
open func setCertificate(_ value: Data, forKey key: String,
                         withAccess access: KeychainSwiftAccessOptions? = nil) -> Bool {
    // The lock prevents the code to be run simultaneously
    // from multiple threads which may result in crashing
    lock.lock()
    defer { lock.unlock() }

    deleteNoLock(key) // Delete any existing key before saving it

    let accessible = access?.value ?? KeychainSwiftAccessOptions.defaultOption.value
    let prefixedKey = keyWithPrefix(key)

    var query: [String : Any] = [
        KeychainSwiftConstants.klass       : kSecClassCertificate,
        KeychainSwiftConstants.attrAccount : prefixedKey,
        KeychainSwiftConstants.valueData   : value,
        KeychainSwiftConstants.accessible  : accessible
    ]

    query = addAccessGroupWhenPresent(query)
    query = addSynchronizableIfRequired(query, addingItems: true)
    lastQueryParameters = query

    lastResultCode = SecItemAdd(query as CFDictionary, nil)

    return lastResultCode == noErr
}
```
Getting -25303 (invalid attribute, that is). Should I piecemeal store the identity, certificate chain and trust separately with different keys for this to work?
What's the difference between kSecClassCertificate and kSecClassPassword klasses of storage, given that we have keychain sandboxes and without a GUI? Is this for forward compatibility with macOS or something?
PS. Apple please attempt to find a tech writer who can fix the horrendous documentation around security framework. Thanks!
Upvotes: 2
Views: 1325
Reputation: 3264
All the available attributes for a certificate are mentioned in the documentation. I believe your `attrAccount` is an invalid parameter and I feel, but I'm not sure, that the `valueData` might be invalid. So remove at least the `attrAccount` and possibly the `valueData`.
Upvotes: 2
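An added example, not code from either poster or from KeychainSwift: one way to get a .p12 into the iOS keychain is to unpack it with `SecPKCS12Import` and add the resulting identity by reference, labelled with `kSecAttrLabel` rather than `kSecAttrAccount`, which is not among the attributes of the certificate class. The function name `storeIdentity`, the error enum and the label value are assumptions made for illustration.

```swift
import Foundation
import Security

// Hypothetical error type for this example.
enum IdentityStoreError: Error {
    case importFailed(OSStatus)
    case noIdentity
    case addFailed(OSStatus)
}

/// Imports a PKCS#12 blob and stores the resulting identity
/// (certificate plus private key) in the keychain under `label`.
func storeIdentity(p12 data: Data, passphrase: String, label: String) throws {
    // A .p12 is an encrypted container, not a DER-encoded certificate,
    // so it has to be unpacked before anything is added to the keychain.
    let options = [kSecImportExportPassphrase as String: passphrase]
    var rawItems: CFArray?
    let importStatus = SecPKCS12Import(data as CFData,
                                       options as CFDictionary,
                                       &rawItems)
    guard importStatus == errSecSuccess else {
        throw IdentityStoreError.importFailed(importStatus)
    }

    // Each imported item is a dictionary; the identity sits under
    // kSecImportItemIdentity.
    guard let items = rawItems as? [[String: Any]],
          let first = items.first,
          let identityRef = first[kSecImportItemIdentity as String] else {
        throw IdentityStoreError.noIdentity
    }
    let identity = identityRef as! SecIdentity // CF type: cast always succeeds

    // Add by reference. kSecClass is omitted because the class is taken
    // from the kSecValueRef object. kSecAttrLabel is what a later
    // SecItemCopyMatching query would match on.
    let query: [String: Any] = [
        kSecValueRef as String: identity,
        kSecAttrLabel as String: label,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    ]
    let addStatus = SecItemAdd(query as CFDictionary, nil)
    guard addStatus == errSecSuccess else {
        throw IdentityStoreError.addFailed(addStatus)
    }
}
```

To read the identity back, query with `kSecClass: kSecClassIdentity`, the same `kSecAttrLabel`, and `kSecReturnRef: true`.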