]> git.saurik.com Git - apple/security.git/blobdiff - OSX/libsecurity_keychain/lib/SecItem.cpp
projects / apple / security.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Security-58286.260.20.tar.gz
[apple/security.git] / OSX / libsecurity_keychain / lib / SecItem.cpp
diff --git a/OSX/libsecurity_keychain/lib/SecItem.cpp b/OSX/libsecurity_keychain/lib/SecItem.cpp
index 6dad3d2e3aa0165e387e294901bfa7ea5c9d415b..ad88d453afc834ecf5df225ce809a9e14d666af6 100644 (file)
--- a/OSX/libsecurity_keychain/lib/SecItem.cpp
+++ b/OSX/libsecurity_keychain/lib/SecItem.cpp
@@ -1,5 +1,5 @@
 /*
 /*
- * Copyright (c) 2006-2015 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2006-2017 Apple Inc. All Rights Reserved.
  *
  * @APPLE_LICENSE_HEADER_START@
  *
  *
  * @APPLE_LICENSE_HEADER_START@
  *
@@ -28,6 +28,7 @@
 #include <Security/SecBase.h>
 #include <Security/SecKeychainItem.h>
 #include <Security/SecCertificate.h>
 #include <Security/SecBase.h>
 #include <Security/SecKeychainItem.h>
 #include <Security/SecCertificate.h>
+#include <Security/SecCertificatePriv.h>
 #include <sys/param.h>
 #include "cssmdatetime.h"
 #include "SecItem.h"
 #include <sys/param.h>
 #include "cssmdatetime.h"
 #include "SecItem.h"
@@ -35,7 +36,6 @@
 #include "SecIdentitySearchPriv.h"
 #include "SecKeychainPriv.h"
 #include "SecCertificatePriv.h"
 #include "SecIdentitySearchPriv.h"
 #include "SecKeychainPriv.h"
 #include "SecCertificatePriv.h"
-#include "SecCertificatePrivP.h"
 #include "TrustAdditions.h"
 #include "TrustSettingsSchema.h"
 #include <Security/SecTrustPriv.h>
 #include "TrustAdditions.h"
 #include "TrustSettingsSchema.h"
 #include <Security/SecTrustPriv.h>
@@ -53,6 +53,8 @@
 
 #include <login/SessionAgentCom.h>
 #include <login/SessionAgentStatusCom.h>
 
 #include <login/SessionAgentCom.h>
 #include <login/SessionAgentStatusCom.h>
+#include <os/activity.h>
+#include <CoreFoundation/CFPriv.h>
 
 
 const uint8_t kUUIDStringLength = 36;
 
 
 const uint8_t kUUIDStringLength = 36;
@@ -73,9 +75,13 @@ OSStatus SecItemUpdateTokenItems_ios(CFTypeRef tokenID, CFArrayRef tokenItemsAtt
 OSStatus SecItemValidateAppleApplicationGroupAccess(CFStringRef group);
 CFDictionaryRef SecItemCopyTranslatedAttributes(CFDictionaryRef inOSXDict, CFTypeRef itemClass,
        bool iOSOut, bool pruneMatch, bool pruneSync, bool pruneReturn, bool pruneData, bool pruneAccess);
 OSStatus SecItemValidateAppleApplicationGroupAccess(CFStringRef group);
 CFDictionaryRef SecItemCopyTranslatedAttributes(CFDictionaryRef inOSXDict, CFTypeRef itemClass,
        bool iOSOut, bool pruneMatch, bool pruneSync, bool pruneReturn, bool pruneData, bool pruneAccess);
+    
+bool _SecItemParsePersistentRef(CFDataRef persistent_ref, CFStringRef *return_class,
+                                long long int *return_rowid, CFDictionaryRef *return_token_attrs);
 }
 
 static Boolean SecItemSynchronizable(CFDictionaryRef query);
 }
 
 static Boolean SecItemSynchronizable(CFDictionaryRef query);
+static CFArrayRef _CopyMatchingIssuers(CFArrayRef issuers);
 
 static void secitemlog(int priority, const char *format, ...)
 {
 
 static void secitemlog(int priority, const char *format, ...)
 {
@@ -542,13 +548,10 @@ _ConvertNewFormatToOldFormat(
 
        // make storage to extract the dictionary items
        CFIndex itemsInDictionary = CFDictionaryGetCount(dictionaryRef);
 
        // make storage to extract the dictionary items
        CFIndex itemsInDictionary = CFDictionaryGetCount(dictionaryRef);
-       CFTypeRef keys[itemsInDictionary];
-       CFTypeRef values[itemsInDictionary];
+       std::vector<CFTypeRef> keys(itemsInDictionary);
+       std::vector<CFTypeRef> values(itemsInDictionary);
 
 
-       CFTypeRef *keysPtr = keys;
-       CFTypeRef *valuesPtr = values;
-
-       CFDictionaryGetKeysAndValues(dictionaryRef, keys, values);
+       CFDictionaryGetKeysAndValues(dictionaryRef, keys.data(), values.data());
 
        // count the number of items we are interested in
        CFIndex count = 0;
 
        // count the number of items we are interested in
        CFIndex count = 0;
@@ -556,12 +559,12 @@ _ConvertNewFormatToOldFormat(
 
        // since this is one of those nasty order n^2 loops, we cache as much stuff as possible so that
        // we don't pay the price for this twice
 
        // since this is one of those nasty order n^2 loops, we cache as much stuff as possible so that
        // we don't pay the price for this twice
-       SecKeychainAttrType tags[itemsInDictionary];
-       ItemRepresentation types[itemsInDictionary];
+       std::vector<SecKeychainAttrType> tags(itemsInDictionary);
+       std::vector<ItemRepresentation> types(itemsInDictionary);
 
        for (i = 0; i < itemsInDictionary; ++i)
        {
 
        for (i = 0; i < itemsInDictionary; ++i)
        {
-               CFTypeRef key = keysPtr[i];
+               CFTypeRef key = keys[i];
 
                int j;
                for (j = 0; j < infoNumItems; ++j)
 
                int j;
                for (j = 0; j < infoNumItems; ++j)
@@ -578,13 +581,13 @@ _ConvertNewFormatToOldFormat(
                if (j >= infoNumItems)
                {
                        // if we got here, we aren't interested in this item.
                if (j >= infoNumItems)
                {
                        // if we got here, we aren't interested in this item.
-                       valuesPtr[i] = NULL;
+                       values[i] = NULL;
                }
        }
 
        // now we can make the result array
        attrList->count = (UInt32)count;
                }
        }
 
        // now we can make the result array
        attrList->count = (UInt32)count;
-       attrList->attr = (SecKeychainAttribute*) malloc(sizeof(SecKeychainAttribute) * count);
+    attrList->attr = (count > 0) ? (SecKeychainAttribute*) malloc(sizeof(SecKeychainAttribute) * count) : NULL;
 
        // fill out the array
        int resultPointer = 0;
 
        // fill out the array
        int resultPointer = 0;
@@ -596,7 +599,7 @@ _ConvertNewFormatToOldFormat(
 
                        // we have to clone the data pointer.  The caller will need to make sure to throw these away
                        // with _FreeAttrList when it is done...
 
                        // we have to clone the data pointer.  The caller will need to make sure to throw these away
                        // with _FreeAttrList when it is done...
-                       attrList->attr[resultPointer].data = CloneDataByType(types[i], valuesPtr[i], attrList->attr[resultPointer].length);
+                       attrList->attr[resultPointer].data = CloneDataByType(types[i], values[i], attrList->attr[resultPointer].length);
                        resultPointer += 1;
                }
        }
                        resultPointer += 1;
                }
        }
@@ -663,6 +666,7 @@ _ConvertOldFormatToNewFormat(
                                                        break;
                                                default:
                                                        stringRef = CFStringCreateWithFormat(allocator, NULL, CFSTR("%d"), keyRecordValue);
                                                        break;
                                                default:
                                                        stringRef = CFStringCreateWithFormat(allocator, NULL, CFSTR("%d"), keyRecordValue);
+                            retainString = false;
                                                        break;
                                        }
                                        if (stringRef) {
                                                        break;
                                        }
                                        if (stringRef) {
@@ -869,7 +873,7 @@ _CreateAttributesDictionaryFromKeyItem(
 
        CFMutableDictionaryRef dict = CFDictionaryCreateMutable(allocator, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
        unsigned int ix;
 
        CFMutableDictionaryRef dict = CFDictionaryCreateMutable(allocator, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
        unsigned int ix;
-       SecItemClass itemClass = 0;
+       SecItemClass itemClass = (SecItemClass) 0;
        UInt32 itemID;
        SecKeychainAttributeList *attrList = NULL;
        SecKeychainAttributeInfo *info = NULL;
        UInt32 itemID;
        SecKeychainAttributeList *attrList = NULL;
        SecKeychainAttributeInfo *info = NULL;
@@ -949,6 +953,7 @@ _CreateAttributesDictionaryFromKeyItem(
                                                        break;
                                                default:
                                                        stringRef = CFStringCreateWithFormat(allocator, NULL, CFSTR("%u"), (unsigned int)keyRecordValue);
                                                        break;
                                                default:
                                                        stringRef = CFStringCreateWithFormat(allocator, NULL, CFSTR("%u"), (unsigned int)keyRecordValue);
+                            retainString = false;
                                                        break;
                                        }
                                        if (stringRef) {
                                                        break;
                                        }
                                        if (stringRef) {
@@ -1187,7 +1192,7 @@ _CreateAttributesDictionaryFromInternetPasswordItem(
        // add kSecAttrAuthenticationType
        if ( attrList.attr[6].length > 0 ) {
                keys[numValues] = kSecAttrAuthenticationType;
        // add kSecAttrAuthenticationType
        if ( attrList.attr[6].length > 0 ) {
                keys[numValues] = kSecAttrAuthenticationType;
-               values[numValues] = _SecAttrAuthenticationTypeForSecAuthenticationType(*(SecProtocolType*)attrList.attr[6].data);
+               values[numValues] = _SecAttrAuthenticationTypeForSecAuthenticationType( (SecAuthenticationType) (*(SecProtocolType*)attrList.attr[6].data));
                if ( values[numValues] != NULL ) {
                        CFRetain(values[numValues]);
                        ++numValues;
                if ( values[numValues] != NULL ) {
                        CFRetain(values[numValues]);
                        ++numValues;
@@ -2005,7 +2010,7 @@ _CreateSecKeychainAttributeListFromDictionary(
  * _AppNameFromSecTrustedApplication attempts to pull the name of the
  * application/tool from the SecTrustedApplicationRef.
  */
  * _AppNameFromSecTrustedApplication attempts to pull the name of the
  * application/tool from the SecTrustedApplicationRef.
  */
-static CFStringRef
+static CFStringRef CF_RETURNS_RETAINED
 _AppNameFromSecTrustedApplication(
        CFAllocatorRef alloc,
        SecTrustedApplicationRef appRef)
 _AppNameFromSecTrustedApplication(
        CFAllocatorRef alloc,
        SecTrustedApplicationRef appRef)
@@ -2233,7 +2238,7 @@ _SafeSecKeychainItemDelete(
                }
 
                // create SecTrustedApplicationRef for current application/tool
                }
 
                // create SecTrustedApplicationRef for current application/tool
-               CFReleaseSafe(currentAppRef);
+               CFReleaseNull(currentAppRef);
                status = SecTrustedApplicationCreateFromPath(NULL, &currentAppRef);
                require_noerr(status, finish);
                require_quiet(currentAppRef != NULL, finish);
                status = SecTrustedApplicationCreateFromPath(NULL, &currentAppRef);
                require_noerr(status, finish);
                require_quiet(currentAppRef != NULL, finish);
@@ -2356,19 +2361,6 @@ _ReplaceKeychainItem(
        for (i=0, newCount=0; i < attrList->count; i++) {
                if (attrList->attr[i].length > 0) {
                        newAttrList.attr[newCount++] = attrList->attr[i];
        for (i=0, newCount=0; i < attrList->count; i++) {
                if (attrList->attr[i].length > 0) {
                        newAttrList.attr[newCount++] = attrList->attr[i];
-               #if 0
-                       // debugging code to log item attributes
-                       SecKeychainAttrType tag = attrList->attr[i].tag;
-                       SecKeychainAttrType htag=(SecKeychainAttrType)OSSwapConstInt32(tag);
-                       char tmp[sizeof(SecKeychainAttrType) + 1];
-                       char tmpdata[attrList->attr[i].length + 1];
-                       memcpy(tmp, &htag, sizeof(SecKeychainAttrType));
-                       tmp[sizeof(SecKeychainAttrType)]=0;
-                       memcpy(tmpdata, attrList->attr[i].data, attrList->attr[i].length);
-                       tmpdata[attrList->attr[i].length]=0;
-                       secitemlog(priority, "item attr '%s' = %d bytes: \"%s\"",
-                               tmp, (int)attrList->attr[i].length, tmpdata);
-               #endif
                }
        }
        newAttrList.count = newCount;
                }
        }
        newAttrList.count = newCount;
@@ -2420,7 +2412,7 @@ _UpdateKeychainItem(CFTypeRef item, CFDictionaryRef changedAttributes)
                return errSecParam;
        }
 
                return errSecParam;
        }
 
-       SecItemClass itemClass;
+       SecItemClass itemClass = (SecItemClass) 0;
        SecAccessRef access = NULL;
        SecKeychainAttributeList *changeAttrList = NULL;
        SecKeychainItemRef itemToUpdate = NULL;
        SecAccessRef access = NULL;
        SecKeychainAttributeList *changeAttrList = NULL;
        SecKeychainItemRef itemToUpdate = NULL;
@@ -2492,6 +2484,13 @@ _UpdateKeychainItem(CFTypeRef item, CFDictionaryRef changedAttributes)
                        status = _CreateSecKeychainKeyAttributeListFromDictionary(changedAttributes, &changeAttrList);
                        require_noerr(status, update_failed);
                }
                        status = _CreateSecKeychainKeyAttributeListFromDictionary(changedAttributes, &changeAttrList);
                        require_noerr(status, update_failed);
                }
+               break;
+               case kSecAppleSharePasswordItemClass:
+               {
+                       // do nothing (legacy behavior).
+               }
+               break;
+
        }
 
        // get the password
        }
 
        // get the password
@@ -2502,7 +2501,7 @@ _UpdateKeychainItem(CFTypeRef item, CFDictionaryRef changedAttributes)
        }
        // update item
        status = SecKeychainItemModifyContent(itemToUpdate,
        }
        // update item
        status = SecKeychainItemModifyContent(itemToUpdate,
-                               (changeAttrList->count == 0) ? NULL : changeAttrList,
+                               (!changeAttrList || changeAttrList->count == 0) ? NULL : changeAttrList,
                                (theData != NULL) ? (UInt32)CFDataGetLength(theData) : 0,
                                (theData != NULL) ? CFDataGetBytePtrVoid(theData) : NULL);
        require_noerr(status, update_failed);
                                (theData != NULL) ? (UInt32)CFDataGetLength(theData) : 0,
                                (theData != NULL) ? CFDataGetBytePtrVoid(theData) : NULL);
        require_noerr(status, update_failed);
@@ -2517,7 +2516,7 @@ update_failed:
                (itemClass == kSecInternetPasswordItemClass || itemClass == kSecGenericPasswordItemClass)) {
                // if we got a cryptographic failure updating a password item, it needs to be replaced
                status = _ReplaceKeychainItem(itemToUpdate,
                (itemClass == kSecInternetPasswordItemClass || itemClass == kSecGenericPasswordItemClass)) {
                // if we got a cryptographic failure updating a password item, it needs to be replaced
                status = _ReplaceKeychainItem(itemToUpdate,
-                                       (changeAttrList->count == 0) ? NULL : changeAttrList,
+                                       (!changeAttrList ||  changeAttrList->count == 0) ? NULL : changeAttrList,
                                        theData);
        }
        if (itemToUpdate)
                                        theData);
        }
        if (itemToUpdate)
@@ -2739,7 +2738,7 @@ _ItemClassFromItemList(CFArrayRef itemList)
        // Given a list of items (standard or persistent references),
        // determine whether they all have the same item class. Returns
        // the item class, or 0 if multiple classes in list.
        // Given a list of items (standard or persistent references),
        // determine whether they all have the same item class. Returns
        // the item class, or 0 if multiple classes in list.
-       SecItemClass result = 0;
+       SecItemClass result = (SecItemClass) 0;
        CFIndex index, count = (itemList) ? CFArrayGetCount(itemList) : 0;
        for (index=0; index < count; index++) {
                CFTypeRef item = (CFTypeRef) CFArrayGetValueAtIndex(itemList, index);
        CFIndex index, count = (itemList) ? CFArrayGetCount(itemList) : 0;
        for (index=0; index < count; index++) {
                CFTypeRef item = (CFTypeRef) CFArrayGetValueAtIndex(itemList, index);
@@ -2754,7 +2753,7 @@ _ItemClassFromItemList(CFArrayRef itemList)
                                itemRef = (SecKeychainItemRef) CFRetain(item);
                        }
                        if (itemRef) {
                                itemRef = (SecKeychainItemRef) CFRetain(item);
                        }
                        if (itemRef) {
-                               SecItemClass itemClass = 0;
+                               SecItemClass itemClass = (SecItemClass) 0;
                                CFTypeID itemTypeID = CFGetTypeID(itemRef);
                                if (itemTypeID == SecIdentityGetTypeID() || itemTypeID == SecCertificateGetTypeID()) {
                                        // Identities and certificates have the same underlying item class
                                CFTypeID itemTypeID = CFGetTypeID(itemRef);
                                if (itemTypeID == SecIdentityGetTypeID() || itemTypeID == SecCertificateGetTypeID()) {
                                        // Identities and certificates have the same underlying item class
@@ -2781,7 +2780,7 @@ _ItemClassFromItemList(CFArrayRef itemList)
                                CFRelease(itemRef);
                                if (itemClass != 0) {
                                        if (result != 0 && result != itemClass) {
                                CFRelease(itemRef);
                                if (itemClass != 0) {
                                        if (result != 0 && result != itemClass) {
-                                               return 0; // different item classes in list; bail out
+                                               return (SecItemClass) 0; // different item classes in list; bail out
                                        }
                                        result = itemClass;
                                }
                                        }
                                        result = itemClass;
                                }
@@ -2821,6 +2820,7 @@ struct SecItemParams {
        CFTypeRef keyClass;                                     // value for kSecAttrKeyClass (may be NULL)
        CFTypeRef service;                                      // value for kSecAttrService (may be NULL)
        CFTypeRef issuer;                                       // value for kSecAttrIssuer (may be NULL)
        CFTypeRef keyClass;                                     // value for kSecAttrKeyClass (may be NULL)
        CFTypeRef service;                                      // value for kSecAttrService (may be NULL)
        CFTypeRef issuer;                                       // value for kSecAttrIssuer (may be NULL)
+       CFTypeRef matchIssuers;                                 // value for kSecMatchIssuers (may be NULL)
        CFTypeRef serialNumber;                         // value for kSecAttrSerialNumber (may be NULL)
        CFTypeRef search;                                       // search reference for this query (SecKeychainSearchRef or SecIdentitySearchRef)
        CFTypeRef assumedKeyClass;                      // if no kSecAttrKeyClass provided, holds the current class we're searching for
        CFTypeRef serialNumber;                         // value for kSecAttrSerialNumber (may be NULL)
        CFTypeRef search;                                       // search reference for this query (SecKeychainSearchRef or SecIdentitySearchRef)
        CFTypeRef assumedKeyClass;                      // if no kSecAttrKeyClass provided, holds the current class we're searching for
@@ -2932,6 +2932,7 @@ _FreeSecItemParams(SecItemParams *itemParams)
        if (itemParams->keyClass) CFRelease(itemParams->keyClass);
        if (itemParams->service) CFRelease(itemParams->service);
        if (itemParams->issuer) CFRelease(itemParams->issuer);
        if (itemParams->keyClass) CFRelease(itemParams->keyClass);
        if (itemParams->service) CFRelease(itemParams->service);
        if (itemParams->issuer) CFRelease(itemParams->issuer);
+       if (itemParams->matchIssuers) CFRelease(itemParams->matchIssuers);
        if (itemParams->serialNumber) CFRelease(itemParams->serialNumber);
        if (itemParams->search) CFRelease(itemParams->search);
        if (itemParams->access) CFRelease(itemParams->access);
        if (itemParams->serialNumber) CFRelease(itemParams->serialNumber);
        if (itemParams->search) CFRelease(itemParams->search);
        if (itemParams->access) CFRelease(itemParams->access);
@@ -2950,6 +2951,7 @@ _CreateSecItemParamsFromDictionary(CFDictionaryRef dict, OSStatus *error)
 {
        OSStatus status;
        CFTypeRef value = NULL;
 {
        OSStatus status;
        CFTypeRef value = NULL;
+    CFDictionaryRef policyDict = NULL;
        SecItemParams *itemParams = (SecItemParams *)calloc(1, sizeof(struct SecItemParams));
 
        require_action(itemParams != NULL, error_exit, status = errSecAllocate);
        SecItemParams *itemParams = (SecItemParams *)calloc(1, sizeof(struct SecItemParams));
 
        require_action(itemParams != NULL, error_exit, status = errSecAllocate);
@@ -3058,6 +3060,33 @@ _CreateSecItemParamsFromDictionary(CFDictionaryRef dict, OSStatus *error)
                require_action(!(itemParams->itemClass == 0 && !itemParams->useItems), error_exit, status = errSecItemClassMissing);
        }
 
                require_action(!(itemParams->itemClass == 0 && !itemParams->useItems), error_exit, status = errSecItemClassMissing);
        }
 
+    // kSecMatchIssuers is only permitted with identities or certificates.
+    // Convert the input issuers to normalized form.
+    require_noerr(status = _ValidateDictionaryEntry(dict, kSecMatchIssuers, (const void **)&itemParams->matchIssuers, CFArrayGetTypeID(), NULL), error_exit);
+    if (itemParams->matchIssuers) {
+        CFTypeRef allowCerts = CFDictionaryGetValue(itemParams->query, kSecUseCertificatesWithMatchIssuers);
+        require_action(itemParams->returnIdentity || (allowCerts && CFEqual(allowCerts, kCFBooleanTrue)), error_exit, status = errSecParam);
+        CFMutableArrayRef canonical_issuers = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
+        CFArrayRef issuers = (CFArrayRef)itemParams->matchIssuers;
+        if (canonical_issuers) {
+            CFIndex i, count = CFArrayGetCount(issuers);
+            for (i = 0; i < count; i++) {
+                CFTypeRef issuer_data = CFArrayGetValueAtIndex(issuers, i);
+                CFDataRef issuer_canonical = NULL;
+                if (CFDataGetTypeID() == CFGetTypeID(issuer_data))
+                    issuer_canonical = SecDistinguishedNameCopyNormalizedSequence((CFDataRef)issuer_data);
+                if (issuer_canonical) {
+                    CFArrayAppendValue(canonical_issuers, issuer_canonical);
+                    CFRelease(issuer_canonical);
+                }
+            }
+            if (CFArrayGetCount(canonical_issuers) > 0) {
+                CFAssignRetained(itemParams->matchIssuers, canonical_issuers);
+            } else
+                CFRelease(canonical_issuers);
+        }
+    }
+
        itemParams->keyUsage = _CssmKeyUsageFromQuery(dict);
        itemParams->trustedOnly = CFDictionaryGetValueIfPresent(dict, kSecMatchTrustedOnly, (const void **)&value) && value && CFEqual(kCFBooleanTrue, value);
        itemParams->issuerAndSNToMatch = (itemParams->issuer != NULL && itemParams->serialNumber != NULL);
        itemParams->keyUsage = _CssmKeyUsageFromQuery(dict);
        itemParams->trustedOnly = CFDictionaryGetValueIfPresent(dict, kSecMatchTrustedOnly, (const void **)&value) && value && CFEqual(kCFBooleanTrue, value);
        itemParams->issuerAndSNToMatch = (itemParams->issuer != NULL && itemParams->serialNumber != NULL);
@@ -3106,12 +3135,18 @@ _CreateSecItemParamsFromDictionary(CFDictionaryRef dict, OSStatus *error)
                require_noerr(status, error_exit);
        }
 
                require_noerr(status, error_exit);
        }
 
-       // if we already have an item list (to add or find items in), we don't need an item class, attribute list or a search reference
+    // if we already have an item list (to add or find items in), we don't need a search reference
        if (itemParams->useItems) {
                if (itemParams->itemClass == 0) {
                        itemParams->itemClass = _ItemClassFromItemList(itemParams->useItems);
                }
        if (itemParams->useItems) {
                if (itemParams->itemClass == 0) {
                        itemParams->itemClass = _ItemClassFromItemList(itemParams->useItems);
                }
-               status = errSecSuccess;
+
+        // build a SecKeychainAttributeList from the query dictionary for the specified item class
+        if (itemParams->itemClass != 0) {
+            status = _CreateSecKeychainAttributeListFromDictionary(dict, itemParams->itemClass, &itemParams->attrList);
+        } else {
+            status = errSecSuccess;
+        }
                goto error_exit; // all done here
        }
 
                goto error_exit; // all done here
        }
 
@@ -3120,12 +3155,12 @@ _CreateSecItemParamsFromDictionary(CFDictionaryRef dict, OSStatus *error)
        
     // if policy is a SMIME policy, copy email address in policy into emailAddrToMatch parameter
     if(itemParams->policy) {
        
     // if policy is a SMIME policy, copy email address in policy into emailAddrToMatch parameter
     if(itemParams->policy) {
-        CFDictionaryRef policyDict = SecPolicyCopyProperties(itemParams->policy);
+        policyDict = SecPolicyCopyProperties(itemParams->policy);
         CFStringRef oidStr = (CFStringRef) CFDictionaryGetValue(policyDict, kSecPolicyOid);
         if(oidStr && CFStringCompare(kSecPolicyAppleSMIME,oidStr,0) == 0) {
             require_noerr(status = _ValidateDictionaryEntry(policyDict, kSecPolicyName, (const void **)&itemParams->emailAddrToMatch, CFStringGetTypeID(), NULL), error_exit);
         }
         CFStringRef oidStr = (CFStringRef) CFDictionaryGetValue(policyDict, kSecPolicyOid);
         if(oidStr && CFStringCompare(kSecPolicyAppleSMIME,oidStr,0) == 0) {
             require_noerr(status = _ValidateDictionaryEntry(policyDict, kSecPolicyName, (const void **)&itemParams->emailAddrToMatch, CFStringGetTypeID(), NULL), error_exit);
         }
-        CFRelease(policyDict);
+        CFReleaseNull(policyDict);
     }
 
        // create a search reference (either a SecKeychainSearchRef or a SecIdentitySearchRef)
     }
 
        // create a search reference (either a SecKeychainSearchRef or a SecIdentitySearchRef)
@@ -3174,6 +3209,7 @@ _CreateSecItemParamsFromDictionary(CFDictionaryRef dict, OSStatus *error)
        }
 
 error_exit:
        }
 
 error_exit:
+    CFReleaseNull(policyDict);
        if (status) {
                _FreeSecItemParams(itemParams);
                itemParams = NULL;
        if (status) {
                _FreeSecItemParams(itemParams);
                itemParams = NULL;
@@ -3226,31 +3262,6 @@ _ImportKey(
        END_SECAPI
 }
 
        END_SECAPI
 }
 
-#if !SECTRUST_OSX
-static Boolean
-_CanIgnoreLeafStatusCodes(CSSM_TP_APPLE_EVIDENCE_INFO *evidence)
-{
-       /* Check for ignorable status codes in leaf certificate's evidence */
-       Boolean result = true;
-       unsigned int i;
-       for (i=0; i < evidence->NumStatusCodes; i++) {
-               CSSM_RETURN scode = evidence->StatusCodes[i];
-               if (scode == CSSMERR_APPLETP_INVALID_CA) {
-                       // the TP has rejected this CA cert because it's in the leaf position
-                       result = true;
-               }
-               else if (ignorableRevocationStatusCode(scode)) {
-                       result = true;
-               }
-               else {
-                       result = false;
-                       break;
-               }
-       }
-       return result;
-}
-#endif
-
 static OSStatus
 _FilterWithPolicy(SecPolicyRef policy, CFDateRef date, SecCertificateRef cert)
 {
 static OSStatus
 _FilterWithPolicy(SecPolicyRef policy, CFDateRef date, SecCertificateRef cert)
 {
@@ -3262,9 +3273,6 @@ _FilterWithPolicy(SecPolicyRef policy, CFDateRef date, SecCertificateRef cert)
        SecTrustRef trust = NULL;
 
        SecTrustResultType      trustResult;
        SecTrustRef trust = NULL;
 
        SecTrustResultType      trustResult;
-#if !SECTRUST_OSX
-       CSSM_TP_APPLE_EVIDENCE_INFO *evidence = NULL;
-#endif
        Boolean needChain = false;
        OSStatus status;
        if (!policy || !cert) return errSecParam;
        Boolean needChain = false;
        OSStatus status;
        if (!policy || !cert) return errSecParam;
@@ -3290,41 +3298,11 @@ _FilterWithPolicy(SecPolicyRef policy, CFDateRef date, SecCertificateRef cert)
        }
 
        if (!needChain) {
        }
 
        if (!needChain) {
-#if !SECTRUST_OSX
-               /* To make the evaluation as lightweight as possible, specify an empty array
-                * of keychains which will be searched for certificates.
-                */
-               keychains = CFArrayCreate(NULL, NULL, 0, &kCFTypeArrayCallBacks);
-               status = SecTrustSetKeychains(trust, keychains);
-               if(status) goto cleanup;
-
-               /* To make the evaluation as lightweight as possible, specify an empty array
-                * of trusted anchors.
-                */
-               anchors = CFArrayCreate(NULL, NULL, 0, &kCFTypeArrayCallBacks);
-               status = SecTrustSetAnchorCertificates(trust, anchors);
-               if(status) goto cleanup;
-#else
                status = SecTrustEvaluateLeafOnly(trust, &trustResult);
        } else {
                status = SecTrustEvaluate(trust, &trustResult);
                status = SecTrustEvaluateLeafOnly(trust, &trustResult);
        } else {
                status = SecTrustEvaluate(trust, &trustResult);
-#endif
        }
 
        }
 
-#if !SECTRUST_OSX
-       /* All parameters are locked and loaded, ready to evaluate! */
-       status = SecTrustEvaluate(trust, &trustResult);
-       if(status) goto cleanup;
-
-       /* If we didn't provide trust anchors or a way to look for them,
-        * the evaluation will fail with kSecTrustResultRecoverableTrustFailure.
-        * However, we can tell whether the policy evaluation succeeded by
-        * looking at the per-cert status codes in the returned evidence.
-        */
-       status = SecTrustGetResult(trust, &trustResult, &chain, &evidence);
-       if(status) goto cleanup;
-#endif
-
        if (!(trustResult == kSecTrustResultProceed ||
                  trustResult == kSecTrustResultUnspecified ||
                  trustResult == kSecTrustResultRecoverableTrustFailure)) {
        if (!(trustResult == kSecTrustResultProceed ||
                  trustResult == kSecTrustResultUnspecified ||
                  trustResult == kSecTrustResultRecoverableTrustFailure)) {
@@ -3336,18 +3314,8 @@ _FilterWithPolicy(SecPolicyRef policy, CFDateRef date, SecCertificateRef cert)
        /* If there are no per-cert policy status codes,
         * and the cert has not expired, consider it valid for the policy.
         */
        /* If there are no per-cert policy status codes,
         * and the cert has not expired, consider it valid for the policy.
         */
-#if SECTRUST_OSX
        if (true) {
                (void)SecTrustGetCssmResultCode(trust, &status);
        if (true) {
                (void)SecTrustGetCssmResultCode(trust, &status);
-#else
-       if((evidence != NULL) && _CanIgnoreLeafStatusCodes(evidence) &&
-          ((evidence[0].StatusBits & CSSM_CERT_STATUS_EXPIRED) == 0) &&
-          ((evidence[0].StatusBits & CSSM_CERT_STATUS_NOT_VALID_YET) == 0)) {
-               status = errSecSuccess;
-#endif
-       }
-       else {
-               status = errSecCertificateCannotOperate;
        }
 
 cleanup:
        }
 
 cleanup:
@@ -3418,6 +3386,77 @@ _FilterWithTrust(Boolean trustedOnly, SecCertificateRef cert)
        return status;
 }
 
        return status;
 }
 
+static bool items_matching_issuer_parent(CFDataRef issuer, CFArrayRef issuers, int recurse) {
+    if (!issuers || CFArrayGetCount(issuers) == 0) { return false; }
+
+    /* We found a match, we're done. */
+    if (CFArrayContainsValue(issuers, CFRangeMake(0, CFArrayGetCount(issuers)), issuer)) { return true; }
+
+    /* Prevent infinite recursion */
+    if (recurse <= 0) { return false; }
+    recurse--;
+
+    /* Query for parents */
+    CFMutableDictionaryRef query = NULL;
+    CFTypeRef parents = NULL;
+    bool found = false;
+
+    require_quiet(query = CFDictionaryCreateMutable(kCFAllocatorDefault, 4, &kCFTypeDictionaryKeyCallBacks,
+                                      &kCFTypeDictionaryValueCallBacks), out);
+    CFDictionaryAddValue(query, kSecClass, kSecClassCertificate);
+    CFDictionaryAddValue(query, kSecReturnRef, kCFBooleanTrue);
+    CFDictionaryAddValue(query, kSecAttrSubject, issuer);
+    CFDictionaryAddValue(query, kSecMatchLimit, kSecMatchLimitAll);
+    require_noerr_quiet(SecItemCopyMatching(query, &parents), out);
+
+    if (parents && CFArrayGetTypeID() == CFGetTypeID(parents)) {
+        CFIndex i, count = CFArrayGetCount((CFArrayRef)parents);
+        for (i = 0; i < count; i++) {
+            SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex((CFArrayRef)parents, i);
+            CFDataRef cert_issuer = SecCertificateCopyNormalizedIssuerSequence(cert);
+            if (CFEqual(cert_issuer, issuer)) {
+                // Self-issued cert, don't look for parents.
+                CFReleaseNull(cert_issuer);
+                continue;
+            }
+            found = items_matching_issuer_parent(cert_issuer, issuers, recurse);
+            CFReleaseNull(cert_issuer);
+            if (found) { break; }
+        }
+    } else if (parents && SecCertificateGetTypeID() == CFGetTypeID(parents)) {
+        SecCertificateRef cert = (SecCertificateRef)parents;
+        CFDataRef cert_issuer = SecCertificateCopyNormalizedIssuerSequence(cert);
+        require_action_quiet(!CFEqual(cert_issuer, issuer), out, CFReleaseNull(cert_issuer));
+        found = items_matching_issuer_parent(cert_issuer, issuers, recurse);
+        CFReleaseNull(cert_issuer);
+    }
+
+out:
+    CFReleaseNull(query);
+    CFReleaseNull(parents);
+    return found;
+}
+
+static OSStatus
+_FilterWithIssuers(CFArrayRef issuers, SecCertificateRef cert)
+{
+    if (!issuers || CFArrayGetCount(issuers) == 0) return errSecParam;
+    if (!cert) return errSecParam;
+
+    OSStatus status = errSecInternalError;
+
+    /* kSecMatchIssuers matches certificates where ANY certificate in the chain has this issuer.
+     * So we now need to recursively query the keychain for this cert's parents to determine if
+     * they match. (This is why we limited the use of this key in _CreateSecItemParamsFromDictionary.) */
+    CFDataRef issuer = SecCertificateCopyNormalizedIssuerSequence(cert);
+    if (items_matching_issuer_parent(issuer, issuers, 10)) {
+        status = errSecSuccess;
+    }
+
+    CFReleaseNull(issuer);
+    return status;
+}
+
 static SecKeychainItemRef
 CopyResolvedKeychainItem(CFTypeRef item)
 {
 static SecKeychainItemRef
 CopyResolvedKeychainItem(CFTypeRef item)
 {
@@ -3526,16 +3565,17 @@ SecItemSearchCopyNext(SecItemParams *params, CFTypeRef *item)
        OSStatus status;
        CFTypeRef search = (params) ? params->search : NULL;
        CFTypeID typeID = (search) ? CFGetTypeID(search) : 0;
        OSStatus status;
        CFTypeRef search = (params) ? params->search : NULL;
        CFTypeID typeID = (search) ? CFGetTypeID(search) : 0;
-       if (typeID == SecIdentitySearchGetTypeID()) {
+
+       if (search && typeID == SecIdentitySearchGetTypeID()) {
                status = SecIdentitySearchCopyNext((SecIdentitySearchRef)search, (SecIdentityRef*)item);
        }
                status = SecIdentitySearchCopyNext((SecIdentitySearchRef)search, (SecIdentityRef*)item);
        }
-       else if (typeID == SecKeychainSearchGetTypeID()) {
+       else if (search && typeID == SecKeychainSearchGetTypeID()) {
                status = SecKeychainSearchCopyNext((SecKeychainSearchRef)search, (SecKeychainItemRef*)item);
                // Check if we need to refresh the search for the next key class
                while (status == errSecItemNotFound && params->assumedKeyClass != NULL)
                        status = UpdateKeychainSearchAndCopyNext(params, item);
        }
                status = SecKeychainSearchCopyNext((SecKeychainSearchRef)search, (SecKeychainItemRef*)item);
                // Check if we need to refresh the search for the next key class
                while (status == errSecItemNotFound && params->assumedKeyClass != NULL)
                        status = UpdateKeychainSearchAndCopyNext(params, item);
        }
-       else if (typeID == 0 && (params->useItems || params->itemList)) {
+       else if (typeID == 0 && params && (params->useItems || params->itemList)) {
                // No search available, but there is an item list available.
                // Return the next candidate item from the caller's item list
                CFArrayRef itemList = (params->useItems) ? params->useItems : params->itemList;
                // No search available, but there is an item list available.
                // Return the next candidate item from the caller's item list
                CFArrayRef itemList = (params->useItems) ? params->useItems : params->itemList;
@@ -3660,6 +3700,11 @@ FilterCandidateItem(CFTypeRef *item, SecItemParams *itemParams, SecIdentityRef *
                        }
                        // certificate item is trusted on this system
                }
                        }
                        // certificate item is trusted on this system
                }
+        if (itemParams->matchIssuers) {
+            status = _FilterWithIssuers((CFArrayRef)itemParams->matchIssuers, (SecCertificateRef) *item);
+            if (status) goto filterOut;
+            // certificate item has one of the issuers
+        }
        }
        if (itemParams->itemList) {
                Boolean foundMatch = FALSE;
        }
        if (itemParams->itemList) {
                Boolean foundMatch = FALSE;
@@ -3956,10 +4001,7 @@ static Boolean SecItemSynchronizable(CFDictionaryRef query)
 static Boolean SecItemIsIOSPersistentReference(CFTypeRef value)
 {
        if (value) {
 static Boolean SecItemIsIOSPersistentReference(CFTypeRef value)
 {
        if (value) {
-               /* Synchronizable persistent ref consists of the sqlite rowid and 4-byte class value */
-               const CFIndex kSynchronizablePersistentRefLength = sizeof(int64_t) + 4;
-               return (CFGetTypeID(value) == CFDataGetTypeID() &&
-                               CFDataGetLength((CFDataRef)value) == kSynchronizablePersistentRefLength);
+        return ::_SecItemParsePersistentRef((CFDataRef)value, NULL, NULL, NULL);
        }
        return false;
 }
        }
        return false;
 }
@@ -3975,15 +4017,23 @@ static OSStatus SecItemCategorizeQuery(CFDictionaryRef query, bool &can_target_i
        can_target_osx = can_target_ios = true;
 
        // Check no-legacy flag.
        can_target_osx = can_target_ios = true;
 
        // Check no-legacy flag.
-    CFTypeRef value = CFDictionaryGetValue(query, kSecAttrNoLegacy);
-       if (value != NULL) {
-               can_target_ios = readNumber(value) != 0;
+    // it's iOS or bust if we're on MZ!
+    CFTypeRef noLegacy = NULL;
+    if (_CFMZEnabled()) {
+        noLegacy = kCFBooleanTrue;
+    }
+    else {
+        noLegacy = CFDictionaryGetValue(query, kSecAttrNoLegacy);
+    }
+
+       if (noLegacy != NULL) {
+               can_target_ios = readNumber(noLegacy) != 0;
                can_target_osx = !can_target_ios;
                return errSecSuccess;
        }
 
        // Check whether the query contains kSecValueRef and modify can_ flags according to the kind and type of the value.
                can_target_osx = !can_target_ios;
                return errSecSuccess;
        }
 
        // Check whether the query contains kSecValueRef and modify can_ flags according to the kind and type of the value.
-       value = CFDictionaryGetValue(query, kSecValueRef);
+       CFTypeRef value = CFDictionaryGetValue(query, kSecValueRef);
        if (value != NULL) {
                CFTypeID typeID = CFGetTypeID(value);
                if (typeID == SecKeyGetTypeID()) {
        if (value != NULL) {
                CFTypeID typeID = CFGetTypeID(value);
                if (typeID == SecKeyGetTypeID()) {
@@ -4047,6 +4097,13 @@ static OSStatus SecItemCategorizeQuery(CFDictionaryRef query, bool &can_target_i
                can_target_ios = can_target_ios && !CFDictionaryContainsKey(query, *osx_only_items[i]);
        }
 
                can_target_ios = can_target_ios && !CFDictionaryContainsKey(query, *osx_only_items[i]);
        }
 
+    // Absence of all of kSecItemClass, kSecValuePersistentRef, and kSecValueRef means that the query can't target iOS
+    if(CFDictionaryGetValue(query, kSecClass) == NULL &&
+       CFDictionaryGetValue(query, kSecValuePersistentRef) == NULL &&
+       CFDictionaryGetValue(query, kSecValueRef) == NULL) {
+        can_target_ios = false;
+    }
+
        return (can_target_ios || can_target_osx) ? errSecSuccess : errSecParam;
 }
 
        return (can_target_ios || can_target_osx) ? errSecSuccess : errSecParam;
 }
 
@@ -4188,7 +4245,7 @@ CFTypeRef
 SecItemCreateFromAttributeDictionary_osx(CFDictionaryRef refAttributes) {
        CFTypeRef ref = NULL;
        CFStringRef item_class_string = (CFStringRef)CFDictionaryGetValue(refAttributes, kSecClass);
 SecItemCreateFromAttributeDictionary_osx(CFDictionaryRef refAttributes) {
        CFTypeRef ref = NULL;
        CFStringRef item_class_string = (CFStringRef)CFDictionaryGetValue(refAttributes, kSecClass);
-       SecItemClass item_class = 0;
+       SecItemClass item_class = (SecItemClass) 0;
 
        if (CFEqual(item_class_string, kSecClassGenericPassword)) {
                item_class = kSecGenericPasswordItemClass;
 
        if (CFEqual(item_class_string, kSecClassGenericPassword)) {
                item_class = kSecGenericPasswordItemClass;
@@ -4262,24 +4319,27 @@ SecItemValidateAppleApplicationGroupAccess(CFStringRef group)
        return status;
 }
 
        return status;
 }
 
-static Mutex gParentCertCacheLock;
+static Mutex& gParentCertCacheLock() {
+    static Mutex fParentCertCacheLock;
+    return fParentCertCacheLock;
+}
 static CFMutableDictionaryRef gParentCertCache;
 static CFMutableArrayRef gParentCertCacheList;
 #define PARENT_CACHE_SIZE 100
 
 void SecItemParentCachePurge() {
 static CFMutableDictionaryRef gParentCertCache;
 static CFMutableArrayRef gParentCertCacheList;
 #define PARENT_CACHE_SIZE 100
 
 void SecItemParentCachePurge() {
-    StLock<Mutex> _(gParentCertCacheLock);
+    StLock<Mutex> _(gParentCertCacheLock());
     CFReleaseNull(gParentCertCache);
     CFReleaseNull(gParentCertCacheList);
 }
 
     CFReleaseNull(gParentCertCache);
     CFReleaseNull(gParentCertCacheList);
 }
 
-static CFArrayRef parentCacheRead(SecCertificateRef certificate) {
+static CFArrayRef CF_RETURNS_RETAINED parentCacheRead(SecCertificateRef certificate) {
     CFArrayRef parents = NULL;
     CFIndex ix;
     CFDataRef digest = SecCertificateGetSHA1Digest(certificate);
     if (!digest) return NULL;
 
     CFArrayRef parents = NULL;
     CFIndex ix;
     CFDataRef digest = SecCertificateGetSHA1Digest(certificate);
     if (!digest) return NULL;
 
-    StLock<Mutex> _(gParentCertCacheLock);
+    StLock<Mutex> _(gParentCertCacheLock());
     if (gParentCertCache && gParentCertCacheList) {
         if (0 <= (ix = CFArrayGetFirstIndexOfValue(gParentCertCacheList,
                                                    CFRangeMake(0, CFArrayGetCount(gParentCertCacheList)),
     if (gParentCertCache && gParentCertCacheList) {
         if (0 <= (ix = CFArrayGetFirstIndexOfValue(gParentCertCacheList,
                                                    CFRangeMake(0, CFArrayGetCount(gParentCertCacheList)),
@@ -4298,7 +4358,7 @@ static void parentCacheWrite(SecCertificateRef certificate, CFArrayRef parents)
     CFDataRef digest = SecCertificateGetSHA1Digest(certificate);
     if (!digest) return;
 
     CFDataRef digest = SecCertificateGetSHA1Digest(certificate);
     if (!digest) return;
 
-    StLock<Mutex> _(gParentCertCacheLock);
+    StLock<Mutex> _(gParentCertCacheLock());
     if (!gParentCertCache || !gParentCertCacheList) {
         CFReleaseNull(gParentCertCache);
         gParentCertCache = makeCFMutableDictionary();
     if (!gParentCertCache || !gParentCertCacheList) {
         CFReleaseNull(gParentCertCache);
         gParentCertCache = makeCFMutableDictionary();
@@ -4314,6 +4374,7 @@ static void parentCacheWrite(SecCertificateRef certificate, CFArrayRef parents)
             CFDictionaryAddValue(gParentCertCache, digest, parents);
             if (PARENT_CACHE_SIZE <= CFArrayGetCount(gParentCertCacheList)) {
                 // Remove least recently used cache entry.
             CFDictionaryAddValue(gParentCertCache, digest, parents);
             if (PARENT_CACHE_SIZE <= CFArrayGetCount(gParentCertCacheList)) {
                 // Remove least recently used cache entry.
+                CFDictionaryRemoveValue(gParentCertCache, CFArrayGetValueAtIndex(gParentCertCacheList, 0));
                 CFArrayRemoveValueAtIndex(gParentCertCacheList, 0);
             }
             CFArrayAppendValue(gParentCertCacheList, digest);
                 CFArrayRemoveValueAtIndex(gParentCertCacheList, 0);
             }
             CFArrayAppendValue(gParentCertCacheList, digest);
@@ -4322,13 +4383,13 @@ static void parentCacheWrite(SecCertificateRef certificate, CFArrayRef parents)
 }
 
 /*
 }
 
 /*
- * SecItemCopyParentCertificates returns an array of zero of more possible
+ * SecItemCopyParentCertificates_osx returns an array of zero of more possible
  * issuer certificates for the provided certificate. No cryptographic validation
  * of the signature is performed in this function; its purpose is only to
  * provide a list of candidate certificates.
  */
 CFArrayRef
  * issuer certificates for the provided certificate. No cryptographic validation
  * of the signature is performed in this function; its purpose is only to
  * provide a list of candidate certificates.
  */
 CFArrayRef
-SecItemCopyParentCertificates(SecCertificateRef certificate, void *context)
+SecItemCopyParentCertificates_osx(SecCertificateRef certificate, void *context)
 {
 #pragma unused (context) /* for now; in future this can reference a container object */
        /* Check for parents in keychain cache */
 {
 #pragma unused (context) /* for now; in future this can reference a container object */
        /* Check for parents in keychain cache */
@@ -4389,7 +4450,7 @@ SecItemCopyParentCertificates(SecCertificateRef certificate, void *context)
        }
 
        if ((status != errSecSuccess) && (status != errSecItemNotFound)) {
        }
 
        if ((status != errSecSuccess) && (status != errSecItemNotFound)) {
-               secitemlog(LOG_WARNING, "SecItemCopyParentCertificates: %d", (int)status);
+               secitemlog(LOG_WARNING, "SecItemCopyParentCertificates_osx: %d", (int)status);
        }
        CFRelease(query);
 
        }
        CFRelease(query);
 
@@ -4407,7 +4468,7 @@ SecItemCopyParentCertificates(SecCertificateRef certificate, void *context)
                                }
                        }
                }
                                }
                        }
                }
-       } else if (resultType == CFDataGetTypeID()) {
+       } else if (results && resultType == CFDataGetTypeID()) {
                SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef)results);
                if (cert) {
                        CFArrayAppendValue(result, cert);
                SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef)results);
                if (cert) {
                        CFArrayAppendValue(result, cert);
@@ -4428,11 +4489,10 @@ SecCertificateRef SecItemCopyStoredCertificate(SecCertificateRef certificate, vo
 #pragma unused (context) /* for now; in future this can reference a container object */
 
        /* Certificates are unique by issuer and serial number. */
 #pragma unused (context) /* for now; in future this can reference a container object */
 
        /* Certificates are unique by issuer and serial number. */
+       CFDataRef serialNumber = SecCertificateCopySerialNumberData(certificate, NULL);
 #if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
 #if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
-       CFDataRef serialNumber = SecCertificateCopySerialNumber(certificate, NULL);
        CFDataRef normalizedIssuer = SecCertificateCopyNormalizedIssuerContent(certificate, NULL);
 #else
        CFDataRef normalizedIssuer = SecCertificateCopyNormalizedIssuerContent(certificate, NULL);
 #else
-       CFDataRef serialNumber = SecCertificateCopySerialNumber(certificate);
        CFDataRef normalizedIssuer = SecCertificateGetNormalizedIssuerContent(certificate);
        CFRetainSafe(normalizedIssuer);
 #endif
        CFDataRef normalizedIssuer = SecCertificateGetNormalizedIssuerContent(certificate);
        CFRetainSafe(normalizedIssuer);
 #endif
@@ -4604,6 +4664,18 @@ SecItemCopyTranslatedAttributes(CFDictionaryRef inOSXDict, CFTypeRef itemClass,
                 * which won't work once the item is updated.
                 */
                CFDictionaryRemoveValue(result, kSecAttrModificationDate);
                 * which won't work once the item is updated.
                 */
                CFDictionaryRemoveValue(result, kSecAttrModificationDate);
+
+        /* Find all intermediate certificates in OSX keychain and append them in to the kSecMatchIssuers.
+         * This is required because secd cannot do query in to the OSX keychain
+         */
+        CFTypeRef matchIssuers = CFDictionaryGetValue(result, kSecMatchIssuers);
+        if (matchIssuers && CFGetTypeID(matchIssuers) == CFArrayGetTypeID()) {
+            CFArrayRef newMatchIssuers = _CopyMatchingIssuers((CFArrayRef)matchIssuers);
+            if (newMatchIssuers) {
+                CFDictionarySetValue(result, kSecMatchIssuers, newMatchIssuers);
+                CFRelease(newMatchIssuers);
+            }
+        }
     }
        else {
                /* iOS doesn't add the class attribute, so we must do it here. */
     }
        else {
                /* iOS doesn't add the class attribute, so we must do it here. */
@@ -4626,6 +4698,46 @@ SecItemCopyTranslatedAttributes(CFDictionaryRef inOSXDict, CFTypeRef itemClass,
 
 } /* extern "C" */
 
 
 } /* extern "C" */
 
+static CFArrayRef
+_CopyMatchingIssuers(CFArrayRef matchIssuers) {
+    CFMutableArrayRef result = NULL;
+    CFMutableDictionaryRef query = NULL;
+    CFMutableDictionaryRef policyProperties = NULL;
+    SecPolicyRef policy = NULL;
+    CFTypeRef matchedCertificates = NULL;
+
+    require_quiet(policyProperties = CFDictionaryCreateMutable(kCFAllocatorDefault, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), out);
+    CFDictionarySetValue(policyProperties, kSecPolicyKU_KeyCertSign, kCFBooleanTrue);
+    require_quiet(policy = SecPolicyCreateWithProperties(kSecPolicyAppleX509Basic, policyProperties), out);
+    
+    require_quiet(query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), out);
+    CFDictionarySetValue(query, kSecClass, kSecClassCertificate);
+    CFDictionarySetValue(query, kSecMatchIssuers, matchIssuers);
+    CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitAll);
+    CFDictionarySetValue(query, kSecReturnAttributes, kCFBooleanTrue);
+    CFDictionarySetValue(query, kSecUseCertificatesWithMatchIssuers, kCFBooleanTrue);
+    CFDictionarySetValue(query, kSecMatchPolicy, policy);
+    
+    if (SecItemCopyMatching_osx(query, &matchedCertificates) == errSecSuccess && CFGetTypeID(matchedCertificates) == CFArrayGetTypeID()) {
+        require_quiet(result = CFArrayCreateMutableCopy(kCFAllocatorDefault, 0, (CFArrayRef)matchedCertificates), out);
+        for(CFIndex i = 0; i < CFArrayGetCount((CFArrayRef)matchedCertificates); ++i) {
+            CFDictionaryRef attributes = (CFDictionaryRef)CFArrayGetValueAtIndex((CFArrayRef)matchedCertificates, i);
+            CFTypeRef subject = CFDictionaryGetValue(attributes, kSecAttrSubject);
+            if (!CFArrayContainsValue(result, CFRangeMake(0, CFArrayGetCount(result)), subject)) {
+                CFArrayAppendValue(result, subject);
+            }
+        }
+    }
+    
+out:
+    CFReleaseSafe(query);
+    CFReleaseSafe(policyProperties);
+    CFReleaseSafe(policy);
+    CFReleaseSafe(matchedCertificates);
+
+    return result;
+}
+
 static OSStatus
 SecItemMergeResults(bool can_target_ios, OSStatus status_ios, CFTypeRef result_ios,
                                        bool can_target_osx, OSStatus status_osx, CFTypeRef result_osx,
 static OSStatus
 SecItemMergeResults(bool can_target_ios, OSStatus status_ios, CFTypeRef result_ios,
                                        bool can_target_osx, OSStatus status_osx, CFTypeRef result_osx,
@@ -4642,8 +4754,10 @@ SecItemMergeResults(bool can_target_ios, OSStatus status_ios, CFTypeRef result_i
                // If both keychains were targetted, examine returning statuses and decide what to do.
                if (status_ios != errSecSuccess) {
                        // iOS keychain failed to produce results because of some error, go with results from OSX keychain.
                // If both keychains were targetted, examine returning statuses and decide what to do.
                if (status_ios != errSecSuccess) {
                        // iOS keychain failed to produce results because of some error, go with results from OSX keychain.
+            // Since iOS keychain queries will fail without a keychain-access-group or proper entitlements, SecItemCopyMatching
+            // calls against the OSX keychain API that should return errSecItemNotFound will return nonsense from the iOS keychain.
                        AssignOrReleaseResult(result_osx, result);
                        AssignOrReleaseResult(result_osx, result);
-                       return status_osx;
+            return status_osx;
                } else if (status_osx != errSecSuccess) {
                        if (status_osx != errSecItemNotFound) {
                                // OSX failed to produce results with some failure mode (else than not_found), but iOS produced results.
                } else if (status_osx != errSecSuccess) {
                        if (status_osx != errSecItemNotFound) {
                                // OSX failed to produce results with some failure mode (else than not_found), but iOS produced results.
@@ -4692,37 +4806,13 @@ SecItemMergeResults(bool can_target_ios, OSStatus status_ios, CFTypeRef result_i
        }
 }
 
        }
 }
 
-static bool
-ShouldTryUnlockKeybag(OSErr status)
-{
-    static typeof(SASSessionStateForUser) *soft_SASSessionStateForUser = NULL;
-       static dispatch_once_t onceToken;
-       static void *framework;
-
-       if (status != errSecInteractionNotAllowed)
-               return false;
-
-    dispatch_once(&onceToken, ^{
-               framework = dlopen("/System/Library/PrivateFrameworks/login.framework/login", RTLD_LAZY);
-               if (framework == NULL)
-                       return;
-               soft_SASSessionStateForUser = (typeof(soft_SASSessionStateForUser)) dlsym(framework, "SASSessionStateForUser");
-    });
-
-    if (soft_SASSessionStateForUser == NULL)
-        return false;
-
-    SessionAgentState sessionState = soft_SASSessionStateForUser(getuid());
-    if(sessionState != kSA_state_desktopshowing)
-        return false;
-
-    return true;
-}
-
 OSStatus
 SecItemCopyMatching(CFDictionaryRef query, CFTypeRef *result)
 {
 OSStatus
 SecItemCopyMatching(CFDictionaryRef query, CFTypeRef *result)
 {
-       secitemlog(LOG_NOTICE, "SecItemCopyMatching");
+    os_activity_t activity = os_activity_create("SecItemCopyMatching", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_DEFAULT);
+    os_activity_scope(activity);
+    os_release(activity);
+
        if (!query) {
                return errSecParam;
        }
        if (!query) {
                return errSecParam;
        }
@@ -4744,14 +4834,6 @@ SecItemCopyMatching(CFDictionaryRef query, CFTypeRef *result)
                }
                else {
                        status_ios = SecItemCopyMatching_ios(attrs_ios, &result_ios);
                }
                else {
                        status_ios = SecItemCopyMatching_ios(attrs_ios, &result_ios);
-            if(ShouldTryUnlockKeybag(status_ios)) {
-                // The keybag is locked. Attempt to unlock it...
-                               secitemlog(LOG_WARNING, "SecItemCopyMatching triggering SecurityAgent");
-                if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1)) {
-                    CFReleaseNull(result_ios);
-                    status_ios = SecItemCopyMatching_ios(attrs_ios, &result_ios);
-                }
-            }
                        CFRelease(attrs_ios);
                }
                secitemlog(LOG_NOTICE, "SecItemCopyMatching_ios result: %d", status_ios);
                        CFRelease(attrs_ios);
                }
                secitemlog(LOG_NOTICE, "SecItemCopyMatching_ios result: %d", status_ios);
@@ -4779,7 +4861,10 @@ SecItemCopyMatching(CFDictionaryRef query, CFTypeRef *result)
 OSStatus
 SecItemAdd(CFDictionaryRef attributes, CFTypeRef *result)
 {
 OSStatus
 SecItemAdd(CFDictionaryRef attributes, CFTypeRef *result)
 {
-       secitemlog(LOG_NOTICE, "SecItemAdd");
+    os_activity_t activity = os_activity_create("SecItemAdd", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_DEFAULT);
+    os_activity_scope(activity);
+    os_release(activity);
+
        if (!attributes) {
                return errSecParam;
        }
        if (!attributes) {
                return errSecParam;
        }
@@ -4805,14 +4890,6 @@ SecItemAdd(CFDictionaryRef attributes, CFTypeRef *result)
                        status = errSecParam;
                } else {
             status = SecItemAdd_ios(attrs_ios, &result_ios);
                        status = errSecParam;
                } else {
             status = SecItemAdd_ios(attrs_ios, &result_ios);
-            if(ShouldTryUnlockKeybag(status)) {
-                // The keybag is locked. Attempt to unlock it...
-                               secitemlog(LOG_WARNING, "SecItemAdd triggering SecurityAgent");
-                if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) {
-                    CFReleaseNull(result_ios);
-                    status = SecItemAdd_ios(attrs_ios, &result_ios);
-                }
-            }
                        CFRelease(attrs_ios);
                }
                secitemlog(LOG_NOTICE, "SecItemAdd_ios result: %d", status);
                        CFRelease(attrs_ios);
                }
                secitemlog(LOG_NOTICE, "SecItemAdd_ios result: %d", status);
@@ -4836,7 +4913,10 @@ SecItemAdd(CFDictionaryRef attributes, CFTypeRef *result)
 OSStatus
 SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate)
 {
 OSStatus
 SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate)
 {
-       secitemlog(LOG_NOTICE, "SecItemUpdate");
+    os_activity_t activity = os_activity_create("SecItemUpdate", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_DEFAULT);
+    os_activity_scope(activity);
+    os_release(activity);
+
        if (!query || !attributesToUpdate) {
                return errSecParam;
        }
        if (!query || !attributesToUpdate) {
                return errSecParam;
        }
@@ -4859,22 +4939,8 @@ SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate)
                else {
             if (SecItemHasSynchronizableUpdate(true, attributesToUpdate)) {
                 status_ios = SecItemChangeSynchronizability(attrs_ios, attributesToUpdate, false);
                else {
             if (SecItemHasSynchronizableUpdate(true, attributesToUpdate)) {
                 status_ios = SecItemChangeSynchronizability(attrs_ios, attributesToUpdate, false);
-                if(ShouldTryUnlockKeybag(status_ios)) {
-                    // The keybag is locked. Attempt to unlock it...
-                                       secitemlog(LOG_WARNING, "SecItemUpdate triggering SecurityAgent");
-                    if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1)) {
-                        status_ios = SecItemChangeSynchronizability(attrs_ios, attributesToUpdate, false);
-                    }
-                }
             } else {
                 status_ios = SecItemUpdate_ios(attrs_ios, attributesToUpdate);
             } else {
                 status_ios = SecItemUpdate_ios(attrs_ios, attributesToUpdate);
-                if(ShouldTryUnlockKeybag(status_ios)) {
-                    // The keybag is locked. Attempt to unlock it...
-                                       secitemlog(LOG_WARNING, "SecItemUpdate triggering SecurityAgent");
-                    if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1)) {
-                        status_ios = SecItemUpdate_ios(attrs_ios, attributesToUpdate);
-                    }
-                }
             }
                        CFRelease(attrs_ios);
                }
             }
                        CFRelease(attrs_ios);
                }
@@ -4907,7 +4973,10 @@ SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate)
 OSStatus
 SecItemDelete(CFDictionaryRef query)
 {
 OSStatus
 SecItemDelete(CFDictionaryRef query)
 {
-       secitemlog(LOG_NOTICE, "SecItemDelete");
+    os_activity_t activity = os_activity_create("SecItemDelete", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_DEFAULT);
+    os_activity_scope(activity);
+    os_release(activity);
+
        if (!query) {
                return errSecParam;
        }
        if (!query) {
                return errSecParam;
        }
@@ -4954,13 +5023,6 @@ OSStatus
 SecItemUpdateTokenItems(CFTypeRef tokenID, CFArrayRef tokenItemsAttributes)
 {
        OSStatus status = SecItemUpdateTokenItems_ios(tokenID, tokenItemsAttributes);
 SecItemUpdateTokenItems(CFTypeRef tokenID, CFArrayRef tokenItemsAttributes)
 {
        OSStatus status = SecItemUpdateTokenItems_ios(tokenID, tokenItemsAttributes);
-    if(ShouldTryUnlockKeybag(status)) {
-        // The keybag is locked. Attempt to unlock it...
-        if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1)) {
-                       secitemlog(LOG_WARNING, "SecItemUpdateTokenItems triggering SecurityAgent");
-            status = SecItemUpdateTokenItems_ios(tokenID, tokenItemsAttributes);
-        }
-    }
        secitemlog(LOG_NOTICE, "SecItemUpdateTokenItems_ios result: %d", status);
        return status;
 }
        secitemlog(LOG_NOTICE, "SecItemUpdateTokenItems_ios result: %d", status);
        return status;
 }
mirror of Security