
Create a helper class for the Keychain #68

Merged
merged 1 commit into from
Dec 14, 2024
Conversation

Abhiek187
Owner

@Abhiek187 Abhiek187 commented Dec 14, 2024

This is very early on, but I couldn't resist learning about the Keychain! Let's spill the beans about how it works:

  • Unlike the Keystore, the Keychain can store items. In fact, like Core Data, it's just a SQLite database under the hood.
  • The Keychain is stored globally on the device instead of in the app's directory. Access to each item is controlled on a per-app basis.
  • Most items are encrypted if viewed normally. But with the right private key, each app can decrypt the items they own.
  • If an app is uninstalled, the Keychain items aren't deleted. They can be recovered if the app is reinstalled or be purged by other external factors.
  • The login keychain is owned by the user, while the system keychain is owned by the root user.
  • There are 5 different security classes: Key, Identity, Certificate, Generic Password, & Internet Password.
    • Under the Passwords tab, generic passwords have a pencil icon, while internet passwords have an @ icon. For storing JWTs, we'll stick with the generic password class.
    • Keys and certificates are in separate tabs. Since identities are key-cert pairs, I assume they can belong in either category?
    • Items are stored in different SQLite tables depending on the class: (Key = keys, Identity = keys/cert?, Certificate = cert, Generic Password = genp, Internet Password = inet)
  • Generic passwords (aka application passwords in the Keychain UI) are uniquely identified by their account and service attributes (see https://developer.apple.com/documentation/security/errsecduplicateitem). In the UI, the name field maps to the service attribute. For our code (and most code I see online), we'll use the account attribute as the key for each item we store.
  • The where field corresponds to the kSecAttrServer attribute (at least according to ChatGPT :P).
  • Comments can optionally be added to explain a Keychain item.
  • The actual value is stored encrypted in kSecValueData. To decrypt it, a password may be required. On iOS, you may need to use biometrics instead. I enabled this flag for better security, but we'll see how much this impacts the UX.
  • kSecAttrAccessible and/or kSecAttrAccessControl control whether a passcode is required to decrypt a Keychain item.
  • By default, Keychain items are only accessible by the app that created the item. To share items across multiple apps, you need to specify kSecAttrAccessGroup. The apps need to share the same team ID (signed by the same provisioning profile). The access group is prioritized as follows:
    • keychain-access-group strings requiring the Keychain Sharing capability
    • The app ID (team ID + bundle ID) (default if not specified)
    • com.apple.security.application-groups strings requiring the App Groups capability (the same IPC method to share UserDefaults between apps)
  • Access groups correspond to the agrp column in the genp table, which happens to be one of the only plaintext portions of the table. So that can be used to determine if a JWT is stored in the EZ Recipes app.
  • This guy has some good documentation on each column in the table.
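
The generic-password flow described in the comment above (account as the key, the value in kSecValueData, an access control object instead of a bare kSecAttrAccessible, an optional kSecAttrAccessGroup for sharing), as an added example. This is not the helper class merged in this PR and not the EZ Recipes project's code; the service name, the `userPresence` policy and the error type are assumptions chosen for illustration.

```swift
import Foundation
import Security
import LocalAuthentication

/// Added example, not the project's own KeychainHelper.
/// Stores a token as a generic password identified by (service, account).
enum KeychainHelper {
    enum KeychainError: Error {
        case accessControlFailed
        case unexpectedStatus(OSStatus)
    }

    // Assumed service name for the example; maps to the "name" field in the Keychain UI.
    static let service = "com.example.ezrecipes.auth"

    /// Save (or overwrite) `token` under `account`. Reading it back requires
    /// user presence (biometrics or passcode), and the item never leaves this device.
    static func save(token: String, account: String, accessGroup: String? = nil) throws {
        guard let data = token.data(using: .utf8) else { return }

        // ThisDeviceOnly keeps the item out of iCloud Keychain and device backups;
        // .userPresence adds the biometric/passcode prompt on read.
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            .userPresence,
            &cfError
        ) else { throw KeychainError.accessControlFailed }

        var query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        // Only set when sharing with other apps from the same team (agrp column).
        if let accessGroup = accessGroup {
            query[kSecAttrAccessGroup as String] = accessGroup
        }

        // Delete any existing (service, account) item first to avoid errSecDuplicateItem.
        SecItemDelete(query as CFDictionary)

        var attributes = query
        attributes[kSecValueData as String] = data
        // kSecAttrAccessControl already carries the accessibility class;
        // setting kSecAttrAccessible alongside it is rejected by the framework.
        attributes[kSecAttrAccessControl as String] = access

        let status = SecItemAdd(attributes as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    /// Returns the stored token, or nil if no item exists for `account`.
    /// The system shows `reason` in the biometric/passcode prompt.
    static func read(account: String, accessGroup: String? = nil,
                     reason: String = "Unlock your session") throws -> String? {
        let context = LAContext()
        context.localizedReason = reason

        var query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
            kSecUseAuthenticationContext as String: context,
        ]
        if let accessGroup = accessGroup {
            query[kSecAttrAccessGroup as String] = accessGroup
        }

        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        switch status {
        case errSecSuccess:
            guard let data = result as? Data else { return nil }
            return String(data: data, encoding: .utf8)
        case errSecItemNotFound:
            return nil
        default:
            throw KeychainError.unexpectedStatus(status)
        }
    }

    /// Removes the item; a missing item is not treated as an error.
    static func delete(account: String, accessGroup: String? = nil) throws {
        var query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        if let accessGroup = accessGroup {
            query[kSecAttrAccessGroup as String] = accessGroup
        }
        let status = SecItemDelete(query as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError.unexpectedStatus(status)
        }
    }
}
```

Because the item carries an access control object, `read` can block on a Face ID / Touch ID prompt, so it should be called off the main thread. Deleting before adding is the simplest way to handle the errSecDuplicateItem case the comment links to; the alternative is `SecItemUpdate` on the existing (service, account) pair.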

@Abhiek187 Abhiek187 added documentation Improvements or additions to documentation enhancement New feature or request labels Dec 14, 2024
@Abhiek187 Abhiek187 merged commit f0863dc into main Dec 14, 2024
6 of 7 checks passed
@Abhiek187 Abhiek187 deleted the feature/keychain branch December 14, 2024 03:57