index c6427967162acf6cd4310538a67fa3b0d464afc8..ca80c80b0a322530139cbda1a3f5b8a3217718f2 100644 (file)
 #include <Security/AuthorizationTagsPriv.h>
 #include <Security/Authorization.h>
 #include "TokenLogin.h"
 #include <Security/AuthorizationTagsPriv.h>
 #include <Security/Authorization.h>
 #include "TokenLogin.h"
+#include "LegacyAPICounts.h"
+
+extern "C" {
+#include "ctkloginhelper.h"
+}
 
 OSStatus
 SecKeychainMDSInstall()
 {
     BEGIN_SECAPI
 
 OSStatus
 SecKeychainMDSInstall()
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainMDSInstall", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainMDSInstall", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -68,6 +74,7 @@ SecKeychainGetTypeID(void)
 OSStatus
 SecKeychainGetVersion(UInt32 *returnVers)
 {
 OSStatus
 SecKeychainGetVersion(UInt32 *returnVers)
 {
+    COUNTLEGACYAPI
     if (!returnVers)
                return errSecSuccess;
 
     if (!returnVers)
                return errSecSuccess;
 
@@ -80,47 +87,23 @@ OSStatus
 SecKeychainOpen(const char *pathName, SecKeychainRef *keychainRef)
 {
     BEGIN_SECAPI
 SecKeychainOpen(const char *pathName, SecKeychainRef *keychainRef)
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainOpen", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
-    os_activity_scope(activity);
-    os_release(activity);
-
-       RequiredParam(keychainRef)=globals().storageManager.make(pathName, false)->handle();
-
-       END_SECAPI
-}
 
 
-
-OSStatus
-SecKeychainOpenWithGuid(const CSSM_GUID *guid, uint32 subserviceId, uint32 subserviceType, const char* dbName,
-                                               const CSSM_NET_ADDRESS *dbLocation, SecKeychainRef *keychain)
-{
-    BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainOpenWithGuid", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+          os_activity_t activity = os_activity_create("SecKeychainOpen", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
-       // range check parameters
-       RequiredParam (guid);
-       RequiredParam (dbName);
-       
-       // create a DLDbIdentifier that describes what should be opened
-    const CSSM_VERSION *version = NULL;
-    const CssmSubserviceUid ssuid(*guid, version, subserviceId, subserviceType);
-       DLDbIdentifier dLDbIdentifier(ssuid, dbName, dbLocation);
-       
-       // make a keychain from the supplied info
-       RequiredParam(keychain) = globals().storageManager.makeKeychain(dLDbIdentifier, false, false)->handle ();
+       RequiredParam(keychainRef)=globals().storageManager.make(pathName, false)->handle();
 
        END_SECAPI
 }
 
 
        END_SECAPI
 }
 
-
 OSStatus
 SecKeychainCreate(const char *pathName, UInt32 passwordLength, const void *password,
        Boolean promptUser, SecAccessRef initialAccess, SecKeychainRef *keychainRef)
 {
     BEGIN_SECAPI
 OSStatus
 SecKeychainCreate(const char *pathName, UInt32 passwordLength, const void *password,
        Boolean promptUser, SecAccessRef initialAccess, SecKeychainRef *keychainRef)
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainCreate", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainCreate", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
     
     os_activity_scope(activity);
     os_release(activity);
     
@@ -147,7 +130,8 @@ OSStatus
 SecKeychainDelete(SecKeychainRef keychainOrArray)
 {
     BEGIN_SECAPI
 SecKeychainDelete(SecKeychainRef keychainOrArray)
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainDelete", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainDelete", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -165,7 +149,8 @@ OSStatus
 SecKeychainSetSettings(SecKeychainRef keychainRef, const SecKeychainSettings *newSettings)
 {
     BEGIN_SECAPI
 SecKeychainSetSettings(SecKeychainRef keychainRef, const SecKeychainSettings *newSettings)
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainSetSettings", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainSetSettings", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -185,7 +170,8 @@ OSStatus
 SecKeychainCopySettings(SecKeychainRef keychainRef, SecKeychainSettings *outSettings)
 {
     BEGIN_SECAPI
 SecKeychainCopySettings(SecKeychainRef keychainRef, SecKeychainSettings *outSettings)
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainCopySettings", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainCopySettings", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -208,7 +194,8 @@ OSStatus
 SecKeychainUnlock(SecKeychainRef keychainRef, UInt32 passwordLength, const void *password, Boolean usePassword)
 {
        BEGIN_SECAPI
 SecKeychainUnlock(SecKeychainRef keychainRef, UInt32 passwordLength, const void *password, Boolean usePassword)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainUnlock", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainUnlock", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -227,7 +214,8 @@ OSStatus
 SecKeychainLock(SecKeychainRef keychainRef)
 {
        BEGIN_SECAPI
 SecKeychainLock(SecKeychainRef keychainRef)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainLock", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainLock", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -242,7 +230,8 @@ OSStatus
 SecKeychainLockAll(void)
 {
        BEGIN_SECAPI
 SecKeychainLockAll(void)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainLockAll", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainLockAll", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -255,7 +244,8 @@ SecKeychainLockAll(void)
 OSStatus SecKeychainResetLogin(UInt32 passwordLength, const void* password, Boolean resetSearchList)
 {
        BEGIN_SECAPI
 OSStatus SecKeychainResetLogin(UInt32 passwordLength, const void* password, Boolean resetSearchList)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainResetLogin", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainResetLogin", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
         //
     os_activity_scope(activity);
     os_release(activity);
         //
@@ -273,10 +263,12 @@ OSStatus SecKeychainResetLogin(UInt32 passwordLength, const void* password, Bool
             endpwent();
         }
         if ( userName.length() == 0 )  // did we ultimately get one?
             endpwent();
         }
         if ( userName.length() == 0 )  // did we ultimately get one?
+        {
             MacOSError::throwMe(errAuthorizationInternal);
             MacOSError::throwMe(errAuthorizationInternal);
+        }
 
         SecurityServer::ClientSession().resetKeyStorePassphrase(password ? CssmData(const_cast<void *>(password), passwordLength) : CssmData());
 
         SecurityServer::ClientSession().resetKeyStorePassphrase(password ? CssmData(const_cast<void *>(password), passwordLength) : CssmData());
-
+        secwarning("SecKeychainResetLogin: reset AKS passphrase");
                if (password)
                {
                        // Clear the plist and move aside (rename) the existing login.keychain
                if (password)
                {
                        // Clear the plist and move aside (rename) the existing login.keychain
@@ -295,11 +287,13 @@ OSStatus SecKeychainResetLogin(UInt32 passwordLength, const void* password, Bool
                        // (implicitly calls resetKeychain, login, and defaultKeychain)
                        globals().storageManager.makeLoginAuthUI(NULL, true);
                }
                        // (implicitly calls resetKeychain, login, and defaultKeychain)
                        globals().storageManager.makeLoginAuthUI(NULL, true);
                }
+        secwarning("SecKeychainResetLogin: reset osx keychain");
 
                // Post a "list changed" event after a reset, so apps can refresh their list.
                // Make sure we are not holding mLock when we post this event.
                KCEventNotifier::PostKeychainEvent(kSecKeychainListChangedEvent);
 
 
                // Post a "list changed" event after a reset, so apps can refresh their list.
                // Make sure we are not holding mLock when we post this event.
                KCEventNotifier::PostKeychainEvent(kSecKeychainListChangedEvent);
 
+
        END_SECAPI
 }
 
        END_SECAPI
 }
 
@@ -318,7 +312,8 @@ OSStatus
 SecKeychainSetDefault(SecKeychainRef keychainRef)
 {
        BEGIN_SECAPI
 SecKeychainSetDefault(SecKeychainRef keychainRef)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainSetDefault", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainSetDefault", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -330,7 +325,8 @@ SecKeychainSetDefault(SecKeychainRef keychainRef)
 OSStatus SecKeychainCopySearchList(CFArrayRef *searchList)
 {
        BEGIN_SECAPI
 OSStatus SecKeychainCopySearchList(CFArrayRef *searchList)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainCopySearchList", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainCopySearchList", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -346,7 +342,8 @@ OSStatus SecKeychainCopySearchList(CFArrayRef *searchList)
 OSStatus SecKeychainSetSearchList(CFArrayRef searchList)
 {
        BEGIN_SECAPI
 OSStatus SecKeychainSetSearchList(CFArrayRef searchList)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainSetSearchList", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainSetSearchList", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -362,7 +359,8 @@ OSStatus SecKeychainSetSearchList(CFArrayRef searchList)
 OSStatus SecKeychainCopyDomainDefault(SecPreferencesDomain domain, SecKeychainRef *keychainRef)
 {
        BEGIN_SECAPI
 OSStatus SecKeychainCopyDomainDefault(SecPreferencesDomain domain, SecKeychainRef *keychainRef)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainCopyDomainDefault", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainCopyDomainDefault", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -374,7 +372,8 @@ OSStatus SecKeychainCopyDomainDefault(SecPreferencesDomain domain, SecKeychainRe
 OSStatus SecKeychainSetDomainDefault(SecPreferencesDomain domain, SecKeychainRef keychainRef)
 {
        BEGIN_SECAPI
 OSStatus SecKeychainSetDomainDefault(SecPreferencesDomain domain, SecKeychainRef keychainRef)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainSetDomainDefault", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainSetDomainDefault", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -399,7 +398,8 @@ OSStatus SecKeychainCopyDomainSearchList(SecPreferencesDomain domain, CFArrayRef
 OSStatus SecKeychainSetDomainSearchList(SecPreferencesDomain domain, CFArrayRef searchList)
 {
        BEGIN_SECAPI
 OSStatus SecKeychainSetDomainSearchList(SecPreferencesDomain domain, CFArrayRef searchList)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainSetDomainSearchList", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainSetDomainSearchList", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -415,7 +415,8 @@ OSStatus SecKeychainSetDomainSearchList(SecPreferencesDomain domain, CFArrayRef
 OSStatus SecKeychainSetPreferenceDomain(SecPreferencesDomain domain)
 {
        BEGIN_SECAPI
 OSStatus SecKeychainSetPreferenceDomain(SecPreferencesDomain domain)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainSetPreferenceDomain", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainSetPreferenceDomain", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -427,7 +428,8 @@ OSStatus SecKeychainSetPreferenceDomain(SecPreferencesDomain domain)
 OSStatus SecKeychainGetPreferenceDomain(SecPreferencesDomain *domain)
 {
        BEGIN_SECAPI
 OSStatus SecKeychainGetPreferenceDomain(SecPreferencesDomain *domain)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainGetPreferenceDomain", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainGetPreferenceDomain", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
        
     os_activity_scope(activity);
     os_release(activity);
        
@@ -474,7 +476,7 @@ SecKeychainGetKeychainVersion(SecKeychainRef keychainRef, UInt32* version)
 {
     BEGIN_SECAPI
 
 {
     BEGIN_SECAPI
 
-    RequiredParam(version);
+          RequiredParam(version);
 
     *version = Keychain::optional(keychainRef)->database()->dbBlobVersion();
 
 
     *version = Keychain::optional(keychainRef)->database()->dbBlobVersion();
 
@@ -485,7 +487,8 @@ OSStatus
 SecKeychainAttemptMigrationWithMasterKey(SecKeychainRef keychain, UInt32 version, const char* masterKeyFilename)
 {
     BEGIN_SECAPI
 SecKeychainAttemptMigrationWithMasterKey(SecKeychainRef keychain, UInt32 version, const char* masterKeyFilename)
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainAttemptMigrationWithMasterKey", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainAttemptMigrationWithMasterKey", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -583,7 +586,8 @@ pascal OSStatus
 SecKeychainAddCallback(SecKeychainCallback callbackFunction, SecKeychainEventMask eventMask, void* userContext)
 {
     BEGIN_SECAPI
 SecKeychainAddCallback(SecKeychainCallback callbackFunction, SecKeychainEventMask eventMask, void* userContext)
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainAddCallback", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainAddCallback", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -598,7 +602,8 @@ OSStatus
 SecKeychainRemoveCallback(SecKeychainCallback callbackFunction)
 {
     BEGIN_SECAPI
 SecKeychainRemoveCallback(SecKeychainCallback callbackFunction)
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainRemoveCallback", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainRemoveCallback", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -612,7 +617,8 @@ OSStatus
 SecKeychainAddInternetPassword(SecKeychainRef keychainRef, UInt32 serverNameLength, const char *serverName, UInt32 securityDomainLength, const char *securityDomain, UInt32 accountNameLength, const char *accountName, UInt32 pathLength, const char *path, UInt16 port, SecProtocolType protocol, SecAuthenticationType authenticationType, UInt32 passwordLength, const void *passwordData, SecKeychainItemRef *itemRef)
 {
     BEGIN_SECAPI
 SecKeychainAddInternetPassword(SecKeychainRef keychainRef, UInt32 serverNameLength, const char *serverName, UInt32 securityDomainLength, const char *securityDomain, UInt32 accountNameLength, const char *accountName, UInt32 pathLength, const char *path, UInt16 port, SecProtocolType protocol, SecAuthenticationType authenticationType, UInt32 passwordLength, const void *passwordData, SecKeychainItemRef *itemRef)
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainAddInternetPassword", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainAddInternetPassword", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -674,7 +680,8 @@ SecKeychainFindInternetPassword(CFTypeRef keychainOrArray, UInt32 serverNameLeng
                                                                                                
 {
     BEGIN_SECAPI
                                                                                                
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainFindInternetPassword", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainFindInternetPassword", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -753,7 +760,8 @@ OSStatus
 SecKeychainAddGenericPassword(SecKeychainRef keychainRef, UInt32 serviceNameLength, const char *serviceName, UInt32 accountNameLength, const char *accountName, UInt32 passwordLength, const void *passwordData, SecKeychainItemRef *itemRef)
 {
        BEGIN_SECAPI
 SecKeychainAddGenericPassword(SecKeychainRef keychainRef, UInt32 serviceNameLength, const char *serviceName, UInt32 accountNameLength, const char *accountName, UInt32 passwordLength, const void *passwordData, SecKeychainItemRef *itemRef)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainAddGenericPassword", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainAddGenericPassword", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -802,7 +810,8 @@ SecKeychainFindGenericPassword(CFTypeRef keychainOrArray, UInt32 serviceNameLeng
                                                                                                                                                           
 {
     BEGIN_SECAPI
                                                                                                                                                           
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainFindGenericPassword", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainFindGenericPassword", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -874,7 +883,8 @@ OSStatus
 SecKeychainGetDLDBHandle(SecKeychainRef keychainRef, CSSM_DL_DB_HANDLE *dldbHandle)
 {
     BEGIN_SECAPI
 SecKeychainGetDLDBHandle(SecKeychainRef keychainRef, CSSM_DL_DB_HANDLE *dldbHandle)
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainGetDLDBHandle", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainGetDLDBHandle", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -886,8 +896,8 @@ SecKeychainGetDLDBHandle(SecKeychainRef keychainRef, CSSM_DL_DB_HANDLE *dldbHand
     END_SECAPI
 }
 
     END_SECAPI
 }
 
-static ModuleNexus<Mutex> gSecReturnedKeyCSPsMutex;
-static std::set<CssmClient::CSP> gSecReturnedKeychainCSPs;
+static ModuleNexus<Mutex> gSecReturnedKeychainCSPsMutex;
+static ModuleNexus<std::set<CssmClient::CSP>> gSecReturnedKeychainCSPs;
 
 OSStatus
 SecKeychainGetCSPHandle(SecKeychainRef keychainRef, CSSM_CSP_HANDLE *cspHandle)
 
 OSStatus
 SecKeychainGetCSPHandle(SecKeychainRef keychainRef, CSSM_CSP_HANDLE *cspHandle)
@@ -902,8 +912,8 @@ SecKeychainGetCSPHandle(SecKeychainRef keychainRef, CSSM_CSP_HANDLE *cspHandle)
     // Keep a global pointer to it to force the CSP to stay live forever.
     CssmClient::CSP returnedKeychainCSP = keychain->csp();
     {
     // Keep a global pointer to it to force the CSP to stay live forever.
     CssmClient::CSP returnedKeychainCSP = keychain->csp();
     {
-        StLock<Mutex> _(gSecReturnedKeyCSPsMutex());
-        gSecReturnedKeychainCSPs.insert(returnedKeychainCSP);
+        StLock<Mutex> _(gSecReturnedKeychainCSPsMutex());
+        gSecReturnedKeychainCSPs().insert(returnedKeychainCSP);
     }
        *cspHandle = returnedKeychainCSP->handle();
 
     }
        *cspHandle = returnedKeychainCSP->handle();
 
@@ -940,7 +950,8 @@ OSStatus
 SecKeychainChangePassword(SecKeychainRef keychainRef, UInt32 oldPasswordLength, const void *oldPassword,  UInt32 newPasswordLength, const void *newPassword)
 {
     BEGIN_SECAPI
 SecKeychainChangePassword(SecKeychainRef keychainRef, UInt32 oldPasswordLength, const void *oldPassword,  UInt32 newPasswordLength, const void *newPassword)
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainChangePassword", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainChangePassword", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -955,7 +966,8 @@ OSStatus
 SecKeychainCopyLogin(SecKeychainRef *keychainRef)
 {
     BEGIN_SECAPI
 SecKeychainCopyLogin(SecKeychainRef *keychainRef)
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainCopyLogin", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainCopyLogin", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -969,7 +981,8 @@ OSStatus
 SecKeychainLogin(UInt32 nameLength, const void* name, UInt32 passwordLength, const void* password)
 {
     BEGIN_SECAPI
 SecKeychainLogin(UInt32 nameLength, const void* name, UInt32 passwordLength, const void* password)
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainLogin", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainLogin", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -1005,7 +1018,8 @@ SecKeychainLogin(UInt32 nameLength, const void* name, UInt32 passwordLength, con
 OSStatus SecKeychainStash()
 {
     BEGIN_SECAPI
 OSStatus SecKeychainStash()
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainStash", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainStash", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
     
     os_activity_scope(activity);
     os_release(activity);
     
@@ -1032,7 +1046,8 @@ OSStatus
 SecKeychainLogout()
 {
     BEGIN_SECAPI
 SecKeychainLogout()
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainLogout", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainLogout", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -1055,7 +1070,8 @@ static Keychain make(const char *name)
 OSStatus SecKeychainMakeFromFullPath(const char *fullPathName, SecKeychainRef *keychainRef)
 {
     BEGIN_SECAPI
 OSStatus SecKeychainMakeFromFullPath(const char *fullPathName, SecKeychainRef *keychainRef)
 {
     BEGIN_SECAPI
-        RequiredParam(fullPathName);
+
+       RequiredParam(fullPathName);
         RequiredParam(keychainRef)=make(fullPathName)->handle();
        END_SECAPI
 }
         RequiredParam(keychainRef)=make(fullPathName)->handle();
        END_SECAPI
 }
@@ -1066,7 +1082,8 @@ OSStatus SecKeychainMakeFromFullPath(const char *fullPathName, SecKeychainRef *k
 OSStatus SecKeychainIsValid(SecKeychainRef keychainRef, Boolean* isValid)
 {
     BEGIN_SECAPI
 OSStatus SecKeychainIsValid(SecKeychainRef keychainRef, Boolean* isValid)
 {
     BEGIN_SECAPI
-        *isValid = false;
+
+       *isValid = false;
         if (KeychainImpl::optional(keychainRef)->dlDbIdentifier().ssuid().guid() == gGuidAppleCSPDL)
             *isValid = true;
        END_SECAPI
         if (KeychainImpl::optional(keychainRef)->dlDbIdentifier().ssuid().guid() == gGuidAppleCSPDL)
             *isValid = true;
        END_SECAPI
@@ -1077,7 +1094,8 @@ OSStatus SecKeychainIsValid(SecKeychainRef keychainRef, Boolean* isValid)
 OSStatus SecKeychainRemoveFromSearchList(SecKeychainRef keychainRef)
 {
     BEGIN_SECAPI
 OSStatus SecKeychainRemoveFromSearchList(SecKeychainRef keychainRef)
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainRemoveFromSearchList", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainRemoveFromSearchList", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
         StorageManager::KeychainList singleton;
     os_activity_scope(activity);
     os_release(activity);
         StorageManager::KeychainList singleton;
@@ -1091,7 +1109,8 @@ OSStatus SecKeychainRemoveFromSearchList(SecKeychainRef keychainRef)
 OSStatus SecKeychainCreateNew(SecKeychainRef keychainRef, UInt32 passwordLength, const char* inPassword)
 {
     BEGIN_SECAPI
 OSStatus SecKeychainCreateNew(SecKeychainRef keychainRef, UInt32 passwordLength, const char* inPassword)
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainCreateNew", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainCreateNew", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
         RequiredParam(inPassword);
     os_activity_scope(activity);
     os_release(activity);
         RequiredParam(inPassword);
@@ -1104,7 +1123,8 @@ OSStatus SecKeychainCreateNew(SecKeychainRef keychainRef, UInt32 passwordLength,
 OSStatus SecKeychainRecodeKeychain(SecKeychainRef keychainRef, CFArrayRef dbBlobArray, CFDataRef extraData)
 {
        BEGIN_SECAPI
 OSStatus SecKeychainRecodeKeychain(SecKeychainRef keychainRef, CFArrayRef dbBlobArray, CFDataRef extraData)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainRecodeKeychain", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainRecodeKeychain", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -1182,7 +1202,8 @@ OSStatus SecKeychainRecodeKeychain(SecKeychainRef keychainRef, CFArrayRef dbBlob
 OSStatus SecKeychainCopySignature(SecKeychainRef keychainRef, CFDataRef *keychainSignature) 
 {
        BEGIN_SECAPI
 OSStatus SecKeychainCopySignature(SecKeychainRef keychainRef, CFDataRef *keychainSignature) 
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainCopySignature", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainCopySignature", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -1209,7 +1230,8 @@ OSStatus SecKeychainCopySignature(SecKeychainRef keychainRef, CFDataRef *keychai
 OSStatus SecKeychainCopyBlob(SecKeychainRef keychainRef, CFDataRef *dbBlob)
 {
        BEGIN_SECAPI
 OSStatus SecKeychainCopyBlob(SecKeychainRef keychainRef, CFDataRef *dbBlob)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainCopyBlob", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainCopyBlob", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -1231,7 +1253,8 @@ OSStatus SecKeychainCopyBlob(SecKeychainRef keychainRef, CFDataRef *dbBlob)
 OSStatus SecKeychainCreateWithBlob(const char* fullPathName, CFDataRef dbBlob, SecKeychainRef *kcRef)
 {
        BEGIN_SECAPI
 OSStatus SecKeychainCreateWithBlob(const char* fullPathName, CFDataRef dbBlob, SecKeychainRef *kcRef)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainCreateWithBlob", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainCreateWithBlob", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
        
     os_activity_scope(activity);
     os_release(activity);
        
@@ -1258,7 +1281,8 @@ OSStatus SecKeychainAddDBToKeychainList (SecPreferencesDomain domain, const char
                                                                                 const CSSM_GUID *guid, uint32 subServiceType)
 {
        BEGIN_SECAPI
                                                                                 const CSSM_GUID *guid, uint32 subServiceType)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainAddDBToKeychainList", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainAddDBToKeychainList", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -1274,7 +1298,8 @@ OSStatus SecKeychainDBIsInKeychainList (SecPreferencesDomain domain, const char*
                                                                                const CSSM_GUID *guid, uint32 subServiceType)
 {
        BEGIN_SECAPI
                                                                                const CSSM_GUID *guid, uint32 subServiceType)
 {
        BEGIN_SECAPI
-       RequiredParam(dbName);
+
+          RequiredParam(dbName);
        StorageManager &smr = globals().storageManager;
        smr.isInDomainList(domain, dbName, *guid, subServiceType);
        END_SECAPI
        StorageManager &smr = globals().storageManager;
        smr.isInDomainList(domain, dbName, *guid, subServiceType);
        END_SECAPI
@@ -1285,7 +1310,8 @@ OSStatus SecKeychainRemoveDBFromKeychainList (SecPreferencesDomain domain, const
                                                                                          const CSSM_GUID *guid, uint32 subServiceType)
 {
        BEGIN_SECAPI
                                                                                          const CSSM_GUID *guid, uint32 subServiceType)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainRemoveDBFromKeychainList", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainRemoveDBFromKeychainList", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
        RequiredParam(dbName);
     os_activity_scope(activity);
     os_release(activity);
        RequiredParam(dbName);
@@ -1306,7 +1332,8 @@ void SecKeychainSetServerMode()
 OSStatus SecKeychainSetBatchMode (SecKeychainRef kcRef, Boolean mode, Boolean rollback)
 {
        BEGIN_SECAPI
 OSStatus SecKeychainSetBatchMode (SecKeychainRef kcRef, Boolean mode, Boolean rollback)
 {
        BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainSetBatchMode", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainSetBatchMode", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
        RequiredParam(kcRef);
     os_activity_scope(activity);
     os_release(activity);
        RequiredParam(kcRef);
@@ -1320,13 +1347,15 @@ OSStatus SecKeychainSetBatchMode (SecKeychainRef kcRef, Boolean mode, Boolean ro
 OSStatus SecKeychainCleanupHandles()
 {
        BEGIN_SECAPI
 OSStatus SecKeychainCleanupHandles()
 {
        BEGIN_SECAPI
-       END_SECAPI // which causes the handle cache cleanup routine to run
+
+          END_SECAPI // which causes the handle cache cleanup routine to run
 }
 
 OSStatus SecKeychainVerifyKeyStorePassphrase(uint32_t retries)
 {
     BEGIN_SECAPI
 }
 
 OSStatus SecKeychainVerifyKeyStorePassphrase(uint32_t retries)
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainVerifyKeyStorePassphrase", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainVerifyKeyStorePassphrase", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
     SecurityServer::ClientSession().verifyKeyStorePassphrase(retries);
     os_activity_scope(activity);
     os_release(activity);
     SecurityServer::ClientSession().verifyKeyStorePassphrase(retries);
@@ -1336,7 +1365,8 @@ OSStatus SecKeychainVerifyKeyStorePassphrase(uint32_t retries)
 OSStatus SecKeychainChangeKeyStorePassphrase()
 {
     BEGIN_SECAPI
 OSStatus SecKeychainChangeKeyStorePassphrase()
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainChangeKeyStorePassphrase", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainChangeKeyStorePassphrase", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
     SecurityServer::ClientSession().changeKeyStorePassphrase();
     os_activity_scope(activity);
     os_release(activity);
     SecurityServer::ClientSession().changeKeyStorePassphrase();
@@ -1346,7 +1376,8 @@ OSStatus SecKeychainChangeKeyStorePassphrase()
 static OSStatus SecKeychainGetMasterKey(SecKeychainRef userKeychainRef, CFDataRef *masterKey, CFStringRef password)
 {
     BEGIN_SECAPI
 static OSStatus SecKeychainGetMasterKey(SecKeychainRef userKeychainRef, CFDataRef *masterKey, CFStringRef password)
 {
     BEGIN_SECAPI
-    os_activity_t activity = os_activity_create("SecKeychainGetMasterKey", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
+
+          os_activity_t activity = os_activity_create("SecKeychainGetMasterKey", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
 
     os_activity_scope(activity);
     os_release(activity);
 
@@ -1464,6 +1495,7 @@ static bool _SASetAutologinPW(CFStringRef inAutologinPW)
 }
 
 OSStatus SecKeychainStoreUnlockKey(SecKeychainRef userKeychainRef, SecKeychainRef systemKeychainRef, CFStringRef username, CFStringRef password) {
 }
 
 OSStatus SecKeychainStoreUnlockKey(SecKeychainRef userKeychainRef, SecKeychainRef systemKeychainRef, CFStringRef username, CFStringRef password) {
+       COUNTLEGACYAPI
     SecTrustedApplicationRef itemPath;
     SecAccessRef ourAccessRef = NULL;
     
     SecTrustedApplicationRef itemPath;
     SecAccessRef ourAccessRef = NULL;
     
@@ -1564,6 +1596,7 @@ OSStatus SecKeychainStoreUnlockKey(SecKeychainRef userKeychainRef, SecKeychainRe
 OSStatus SecKeychainGetUserPromptAttempts(uint32_t * attempts)
 {
     BEGIN_SECAPI
 OSStatus SecKeychainGetUserPromptAttempts(uint32_t * attempts)
 {
     BEGIN_SECAPI
+
     os_activity_t activity = os_activity_create("SecKeychainGetUserPromptAttempts", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
     os_activity_t activity = os_activity_create("SecKeychainGetUserPromptAttempts", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT);
     os_activity_scope(activity);
     os_release(activity);
@@ -1578,6 +1611,7 @@ OSStatus SecKeychainGetUserPromptAttempts(uint32_t * attempts)
 OSStatus SecKeychainStoreUnlockKeyWithPubKeyHash(CFDataRef pubKeyHash, CFStringRef tokenID, CFDataRef wrapPubKeyHash,
                                                  SecKeychainRef userKeychain, CFStringRef password)
 {
 OSStatus SecKeychainStoreUnlockKeyWithPubKeyHash(CFDataRef pubKeyHash, CFStringRef tokenID, CFDataRef wrapPubKeyHash,
                                                  SecKeychainRef userKeychain, CFStringRef password)
 {
+       COUNTLEGACYAPI
        CFRef<CFStringRef> pwd;
        OSStatus result;
 
        CFRef<CFStringRef> pwd;
        OSStatus result;
 
@@ -1591,7 +1625,6 @@ OSStatus SecKeychainStoreUnlockKeyWithPubKeyHash(CFDataRef pubKeyHash, CFStringR
 
                AuthorizationItem myItems = {"com.apple.ctk.pair", 0, NULL, 0};
                AuthorizationRights myRights = {1, &myItems};
 
                AuthorizationItem myItems = {"com.apple.ctk.pair", 0, NULL, 0};
                AuthorizationRights myRights = {1, &myItems};
-               AuthorizationRights *authorizedRights = NULL;
 
                char pathName[PATH_MAX];
                UInt32 pathLength = PATH_MAX;
 
                char pathName[PATH_MAX];
                UInt32 pathLength = PATH_MAX;
@@ -1611,16 +1644,20 @@ OSStatus SecKeychainStoreUnlockKeyWithPubKeyHash(CFDataRef pubKeyHash, CFStringR
 
                AuthorizationEnvironment environment  = {3, envItems};
                AuthorizationFlags flags = kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights;
 
                AuthorizationEnvironment environment  = {3, envItems};
                AuthorizationFlags flags = kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights;
-               result = AuthorizationCopyRights(authorizationRef, &myRights, &environment, flags, &authorizedRights);
-               if (authorizedRights)
-                       AuthorizationFreeItemSet(authorizedRights);
+               result = AuthorizationCopyRights(authorizationRef, &myRights, &environment, flags, NULL);
+        secnotice("SecKeychain", "Authorization result: %d", (int)result);
 
                if (result == errAuthorizationSuccess) {
                        AuthorizationItemSet *items;
                        result = AuthorizationCopyInfo(authorizationRef, kAuthorizationEnvironmentPassword, &items);
 
                if (result == errAuthorizationSuccess) {
                        AuthorizationItemSet *items;
                        result = AuthorizationCopyInfo(authorizationRef, kAuthorizationEnvironmentPassword, &items);
+            secnotice("SecKeychain", "Items copy result: %d", (int)result);
                        if (result == errAuthorizationSuccess) {
                        if (result == errAuthorizationSuccess) {
+                secnotice("SecKeychain", "Items count: %d", items->count);
                                if (items->count > 0) {
                                        pwd = CFStringCreateWithCString(kCFAllocatorDefault, (const char *)items->items[0].value, kCFStringEncodingUTF8);
                                if (items->count > 0) {
                                        pwd = CFStringCreateWithCString(kCFAllocatorDefault, (const char *)items->items[0].value, kCFStringEncodingUTF8);
+                    if (pwd) {
+                        secnotice("SecKeychain", "Got kcpass");
+                    }
                                }
                                AuthorizationFreeItemSet(items);
                        }
                                }
                                AuthorizationFreeItemSet(items);
                        }
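Review bot: The new trace line `secnotice("SecKeychain", "Items count: %d", items->count);` passes an `AuthorizationItemSet::count` (a `UInt32`) to `%d`; the matching specifier is `%u`, i.e. `secnotice("SecKeychain", "Items count: %u", items->count);`. The added secnotice lines also appear to be indented with spaces while the surrounding body uses tabs, which makes the block read unevenly; matching the existing indentation would be the usual style fix. The three new logging statements only emit result codes and a fixed "Got kcpass" marker, not the password itself, which is the right level of detail for this path. The enclosing SecKeychainStoreUnlockKeyWithPubKeyHash body starts and ends outside this hunk.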
@@ -1660,15 +1697,32 @@ OSStatus SecKeychainStoreUnlockKeyWithPubKeyHash(CFDataRef pubKeyHash, CFStringR
        }
 
        secnotice("SecKeychain", "SecKeychainStoreUnlockKeyWithPubKeyHash result %d", (int) result);
        }
 
        secnotice("SecKeychain", "SecKeychainStoreUnlockKeyWithPubKeyHash result %d", (int) result);
+    
+    // create SC KEK
+    // this might fail if KC password is different from user's password
+    uid_t uid = geteuid();
+    if (!uid) {
+        uid = getuid();
+    }
+    struct passwd *passwd = getpwuid(uid);
+    if (passwd) {
+        CFRef<CFStringRef> username = CFStringCreateWithCString(kCFAllocatorDefault, passwd->pw_name, kCFStringEncodingUTF8);
+        OSStatus kekRes = TKAddSecureToken(username, pwd, tokenID, wrapPubKeyHash);
+        if (kekRes != noErr) {
+            secnotice("SecKeychain", "Failed to register SC token: %d", (int) kekRes); // do not fail because KC functionality be still OK
+        }
+    } else {
+        secnotice("SecKeychain", "Unable to get name for uid %d", uid);
+    }
        return result;
 }
 
 OSStatus SecKeychainEraseUnlockKeyWithPubKeyHash(CFDataRef pubKeyHash)
 {
        return result;
 }
 
 OSStatus SecKeychainEraseUnlockKeyWithPubKeyHash(CFDataRef pubKeyHash)
 {
+       COUNTLEGACYAPI
     OSStatus result = TokenLoginDeleteUnlockData(pubKeyHash);
     if (result != errSecSuccess) {
         secnotice("SecKeychain", "Failed to erase stored wrapped unlock key: %d", (int) result);
     }
     return result;
 }
     OSStatus result = TokenLoginDeleteUnlockData(pubKeyHash);
     if (result != errSecSuccess) {
         secnotice("SecKeychain", "Failed to erase stored wrapped unlock key: %d", (int) result);
     }
     return result;
 }
-
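Review bot: The new token-registration block calls `getpwuid(uid)`, which returns a pointer to static, process-wide storage and is not safe to call from a library that may be entered from several threads; `getpwuid_r` with a caller-owned buffer avoids that, and the `uid` in the failure log is a `uid_t` (unsigned on Darwin) so it should be formatted with `%u` rather than `%d`. The block also runs regardless of the earlier `result` and hands `pwd` to `TKAddSecureToken` even when the authorization path above did not populate it; I cannot tell from here whether that helper tolerates a NULL password, so if it does not, guarding the call with `if (passwd && pwd)` (or checking `result == errSecSuccess` first) would be prudent. The rewrite below keeps the existing best-effort logging and the rest of the function unchanged.
```cpp
    // create SC KEK
    // this might fail if KC password is different from user's password
    uid_t uid = geteuid();
    if (!uid) {
        uid = getuid();
    }
    struct passwd pwEntry;
    struct passwd *passwd = NULL;
    char pwBuffer[4096];  // getpwuid_r reports ERANGE if this is too small
    if (getpwuid_r(uid, &pwEntry, pwBuffer, sizeof(pwBuffer), &passwd) != 0) {
        passwd = NULL;
    }
    if (passwd) {
        // … unchanged: build username, call TKAddSecureToken, log kekRes on failure …
    } else {
        secnotice("SecKeychain", "Unable to get name for uid %u", uid);
    }
```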