Ticket #44473: use-osx-keychain.patch

kdelibs-4.12.5//kdeui/

@@ -309 +309 @@
 
 if (Q_WS_MAC AND MAC_USE_OSXKEYCHAIN)
     FIND_LIBRARY(SECURITY_LIBRARY Security)
-    set(kdeui_LIB_SRCS ${kdeui_LIB_SRCS} util/kwallet_mac.cpp)
+        set(kdeui_LIB_SRCS ${kdeui_LIB_SRCS} util/kwallet_mac.cpp util/qosxkeychain.cpp)
+           add_definitions(-DMAC_USE_OSXKEYCHAIN)
+    else(Q_WS_MAC AND MAC_USE_OSXKEYCHAIN)
+         set(kdeui_LIB_SRCS ${kdeui_LIB_SRCS} util/kwallet.cpp)
 else(Q_WS_MAC AND MAC_USE_OSXKEYCHAIN)
-     set(kdeui_LIB_SRCS ${kdeui_LIB_SRCS} util/kwallet.cpp)
-else(Q_WS_MAC AND MAC_USE_OSXKEYCHAIN)
-  set(kdeui_LIB_SRCS ${kdeui_LIB_SRCS} util/kwallet.cpp)
+    set(kdeui_LIB_SRCS ${kdeui_LIB_SRCS} util/kwallet.cpp)
 endif(Q_WS_MAC AND MAC_USE_OSXKEYCHAIN)
 
 if(NOT WINCE)

kdelibs-4.12.5/kdeui/util/

@@ -1 @@
-/* This file is part of the KDE project
+/* @file kwallet_mac.cpp
+ * This file is part of the KDE project
  *
  * Copyright (C) 2002-2004 George Staikos <staikos@kde.org>
  * Copyright (C) 2008 Michael Leupold <lemma@confuego.org>
  * Copyright (C) 2010 Frank Osterfeld <osterfeld@kde.org>
+ * Copyright (C) 2014 René Bertin <rjvbertin@gmail.com>
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
@@ -36 +38 @@
 
 #include <cassert>
 
-#include <Carbon/Carbon.h>
-#include <Security/Security.h>
-#include <Security/SecKeychain.h>
+#include <sys/param.h>
+
+#include "qosxkeychain.h"
 
 using namespace KWallet;
 
@@ -49 +51 @@
 typedef QMap<QString, QByteArray> StringByteArrayMap;
 Q_DECLARE_METATYPE(StringByteArrayMap)
 
-namespace {
-    template <typename T>
-    struct CFReleaser {
-        explicit CFReleaser( const T& r ) : ref( r ) {}
-        ~CFReleaser() { CFRelease( ref ); }
-        T ref;
-    };
-}
-
-static QString asQString( CFStringRef sr ) {
-    return QString::fromLatin1( CFStringGetCStringPtr( sr, NULL ) ); //TODO Latin1 correct?
-}
-
-static QString errorString( OSStatus s ) {
-    const CFReleaser<CFStringRef> ref( SecCopyErrorMessageString( s, NULL ) );
-    return asQString( ref.ref );
-}
-
-static bool isError( OSStatus s, QString* errMsg ) {
-    if ( errMsg )
-        *errMsg = errorString( s );
-    return s != 0;
-}
-
+#ifdef OSX_KEYCHAIN_PORT_DISABLED
 static QString appid()
 {
     KComponentData cData = KGlobal::mainComponent();
@@ -85 +64 @@
     }
     return qApp->applicationName();
 }
+#endif
 
-static OSStatus removeEntryImplementation(const QString& walletName, const QString& key) {
-    const QByteArray serviceName( walletName.toUtf8() );
-    const QByteArray accountName( key.toUtf8() );
-    SecKeychainItemRef itemRef;
-    QString errMsg;
-    OSStatus result = SecKeychainFindGenericPassword( NULL, serviceName.size(), serviceName.constData(), accountName.size(), accountName.constData(), NULL, NULL, &itemRef );
-    if ( isError( result, &errMsg ) ) {
-        qWarning() << "Could not retrieve password:"  << qPrintable(errMsg);
-        return result;
-    }
-    const CFReleaser<SecKeychainItemRef> itemReleaser( itemRef );
-    result = SecKeychainItemDelete( itemRef );
-    if ( isError( result, &errMsg ) ) {
-        qWarning() << "Could not delete password:"  << qPrintable(errMsg);
-        return result;
-    }
-    return result;
-}
-
-
-const QString Wallet::LocalWallet() {
+/*static*/ const QString Wallet::LocalWallet()
+{
     KConfigGroup cfg(KSharedConfig::openConfig("kwalletrc")->group("Wallet"));
     if (!cfg.readEntry("Use One Wallet", true)) {
         QString tmp = cfg.readEntry("Local Wallet", "localwallet");
@@ -123 +84 @@
     return tmp;
 }
 
-const QString Wallet::NetworkWallet() {
+/*static*/ const QString Wallet::NetworkWallet()
+{
     KConfigGroup cfg(KSharedConfig::openConfig("kwalletrc")->group("Wallet"));
 
     QString tmp = cfg.readEntry("Default Wallet", "kdewallet");
@@ -133 +95 @@
     return tmp;
 }
 
-const QString Wallet::PasswordFolder() {
+/*static*/ const QString Wallet::PasswordFolder()
+{
     return "Passwords";
 }
 
-const QString Wallet::FormDataFolder() {
+/*static*/ const QString Wallet::FormDataFolder()
+{
     return "Form Data";
 }
 
-class Wallet::WalletPrivate
+#pragma mark ==== Wallet::WalletPrivate ====
+class Wallet::WalletPrivate : public OSXKeychain
 {
 public:
     explicit WalletPrivate(const QString &n)
-     : name(n)
-    {}
+        : OSXKeychain(n)
+    {
+        isKDEChain = ( n == LocalWallet() || n == NetworkWallet() || n.contains( "wallet", Qt::CaseInsensitive ) );
+    }
 
     // needed for compilation reasons
-    void walletServiceUnregistered() {
+    void walletServiceUnregistered()
+    {
     }
-
-    QString name;
-    QString folder;
 };
 
 Wallet::Wallet(int handle, const QString& name)
-    : QObject(0L), d(new WalletPrivate(name)) {
+    : QObject(0L), d(new WalletPrivate(name))
+{
     Q_UNUSED(handle);
 }
 
-Wallet::~Wallet() {
+Wallet::~Wallet()
+{
     delete d;
 }
 
-
-QStringList Wallet::walletList() {
+/*static*/ QStringList Wallet::walletList()
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     return walletLauncher->getInterface().wallets();
 #else
-    return QStringList();
+    // RJVB: Mac OS X's Keychain supports multiple keychains, but they can only be accesses by full path, not
+    // found by name. That makes it cumbersome to map to multiple wallets when using only the wallet name.
+    // However, it would be perfectly possible to create OS X Keychains called Wallet::LocalWallet() and
+    // Wallet::NetworkWallet() in the equivalent of ~/.kde/share/apps/kwallet .
+    QStringList l;
+    OSXKeychain::KeychainList(l);
+    return l;
 #endif
 }
 
 
-void Wallet::changePassword(const QString& name, WId w) {
+/*static*/ void Wallet::changePassword(const QString& name, WId w)
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     if( w == 0 )
         kDebug(285) << "Pass a valid window to KWallet::Wallet::changePassword().";
     walletLauncher->getInterface().changePassword(name, (qlonglong)w, appid());
+#else
+    Q_UNUSED(w);
+    kWarning() << "Wallet::changePassword unimplemented '" << name << "'";
 #endif
 }
 
 
-bool Wallet::isEnabled() {
+/*static*/ bool Wallet::isEnabled()
+{
     //PENDING(frank) check
     return true;
 }
 
 
-bool Wallet::isOpen(const QString& name) {
+/*static*/ bool Wallet::isOpen(const QString& name)
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     return walletLauncher->getInterface().isOpen(name); // default is false
 #else
-    return true;
+    return OSXKeychain::IsOpen(name);
+#endif
+}
+
+bool Wallet::isOpen() const
+{
+#ifdef OSX_KEYCHAIN_PORT_DISABLED
+    return d->handle != -1;
+#else
+    return d->isOpen();
 #endif
 }
 
 
-int Wallet::closeWallet(const QString& name, bool force) {
+/*static*/ int Wallet::closeWallet(const QString& name, bool force)
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     QDBusReply<int> r = walletLauncher->getInterface().close(name, force);
     return r.isValid() ? r : -1;
 #else
-    return 0;
+    Q_UNUSED(force);
+    return OSXKeychain::Lock(name);
 #endif
 }
 
 
-int Wallet::deleteWallet(const QString& name) {
+/*static*/ int Wallet::deleteWallet(const QString& name)
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     QDBusReply<int> r = walletLauncher->getInterface().deleteWallet(name);
     return r.isValid() ? r : -1;
 #else
-    return -1;
+    return OSXKeychain::Destroy(name);
 #endif
 }
 
 
-Wallet *Wallet::openWallet(const QString& name, WId w, OpenType ot) {
+/*static*/ Wallet *Wallet::openWallet(const QString& name, WId w, OpenType ot)
+{
     Q_UNUSED(w);
     Q_UNUSED(ot);
     Wallet *wallet = new Wallet(-1, name);
     QMetaObject::invokeMethod( wallet, "emitWalletOpened", Qt::QueuedConnection );
+    OSStatus err = wallet->d->unLock();
+    kDebug() << "Opened wallet '" << name << "': " << wallet << " error=" << err;
     return wallet;
 }
 
 
-bool Wallet::disconnectApplication(const QString& wallet, const QString& app) {
+/*static*/ bool Wallet::disconnectApplication(const QString& wallet, const QString& app)
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     return walletLauncher->getInterface().disconnectApplication(wallet, app); // default is false
 #else
+    kWarning() << "Wallet::disconnectApplication unimplemented, '" << app << "' from '" << wallet << "'";
     return true;
 #endif
 }
 
 
-QStringList Wallet::users(const QString& name) {
+/*static*/ QStringList Wallet::users(const QString& name)
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     return walletLauncher->getInterface().users(name); // default is QStringList()
 #else
+    kWarning() << "Wallet::users unimplemented, '" << name << "'";
     return QStringList();
 #endif
 }
 
 
-int Wallet::sync() {
+int Wallet::sync()
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     if (d->handle == -1) {
         return -1;
@@ -258 +257 @@
 }
 
 
-int Wallet::lockWallet() {
+int Wallet::lockWallet()
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     if (d->handle == -1) {
         return -1;
@@ -271 +271 @@
     if (r.isValid()) {
         return r;
     }
+#else
+    d->currentService.clear();
 #endif
-    return -1;
+    return d->lock();
 }
 
 
-const QString& Wallet::walletName() const {
+const QString& Wallet::walletName() const
+{
     return d->name;
 }
 
 
-bool Wallet::isOpen() const {
-#ifdef OSX_KEYCHAIN_PORT_DISABLED
-    return d->handle != -1;
-#else
-    return true;
-#endif
-}
-
-
-void Wallet::requestChangePassword(WId w) {
+void Wallet::requestChangePassword(WId w)
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     if( w == 0 )
         kDebug(285) << "Pass a valid window to KWallet::Wallet::requestChangePassword().";
@@ -299 +294 @@
     }
 
     walletLauncher->getInterface().changePassword(d->name, (qlonglong)w, appid());
+#else
+    Q_UNUSED(w);
+    kWarning() << "Wallet::requestChangePassword unimplemented '" << d->name << "'";
 #endif
 }
 
 
-void Wallet::slotWalletClosed(int handle) {
+void Wallet::slotWalletClosed(int handle)
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     if (d->handle == handle) {
         d->handle = -1;
@@ -311 +310 @@
         d->name.clear();
         emit walletClosed();
     }
+#else
+    Q_UNUSED(handle);
+    kWarning() << "Wallet::slotWalletClosed unimplemented '" << d->name << "'";
+    d->currentService.clear();
 #endif
 }
 
 
-QStringList Wallet::folderList() {
+QStringList Wallet::folderList()
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     if (d->handle == -1) {
         return QStringList();
@@ -324 +328 @@
     QDBusReply<QStringList> r = walletLauncher->getInterface().folderList(d->handle, appid());
     return r;
 #else
-    return QStringList();
+    return QStringList(d->folderList());
 #endif
 }
 
 
-QStringList Wallet::entryList() {
+QStringList Wallet::entryList()
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     if (d->handle == -1) {
         return QStringList();
@@ -338 +343 @@
     QDBusReply<QStringList> r = walletLauncher->getInterface().entryList(d->handle, d->folder, appid());
     return r;
 #else
-    return QStringList();
+    QStringList r = QStringList();
+    d->itemList(r);
+    return r;
 #endif
 }
 
 
-bool Wallet::hasFolder(const QString& f) {
+bool Wallet::hasFolder(const QString& f)
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     if (d->handle == -1) {
         return false;
@@ -352 +360 @@
     QDBusReply<bool> r = walletLauncher->getInterface().hasFolder(d->handle, f, appid());
     return r; // default is false
 #else
-    return true;
+    d->folderList();
+    return d->serviceList.contains(f);
 #endif
 }
 
 
-bool Wallet::createFolder(const QString& f) {
+bool Wallet::createFolder(const QString& f)
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     if (d->handle == -1) {
         return false;
@@ -370 +380 @@
 
     return true;                                // folder already exists
 #else
-    return true;
+    return setFolder(f);
 #endif
 }
 
 
-bool Wallet::setFolder(const QString& f) {
+bool Wallet::setFolder(const QString &f)
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     bool rc = false;
 
@@ -397 +408 @@
 
     return rc;
 #else
+    // act as if we just changed folders even if we have no such things; the property
+    // is stored as the ServiceItemAttr (which shows up as the "Where" field in the Keychain Utility).
+    if( f.size() == 0 ){
+        d->currentService.clear();
+    }
+    else{
+        d->currentService = QString(f);
+    }
     return true;
 #endif
 }
 
 
-bool Wallet::removeFolder(const QString& f) {
+bool Wallet::removeFolder(const QString& f)
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     if (d->handle == -1) {
         return false;
@@ -415 +435 @@
 
     return r;                                   // default is false
 #else
+    kWarning() << "Wallet::removeFolder unimplemented (returns true) '" << d->name << "'";
+    if( d->currentService == f ){
+        d->currentService.clear();
+    }
     return true;
 #endif
 }
 
 
-const QString& Wallet::currentFolder() const {
+const QString& Wallet::currentFolder() const
+{
+#ifdef OSX_KEYCHAIN_PORT_DISABLED
     return d->folder;
+#else
+    return d->currentService;
+#endif
 }
 
 
-int Wallet::readEntry(const QString& key, QByteArray& value) {
-    const QByteArray serviceName( walletName().toUtf8() );
-    const QByteArray accountName( key.toUtf8() );
-    UInt32 passwordSize = 0;
-    void* passwordData = 0;
-    QString errMsg;
-    if ( isError( SecKeychainFindGenericPassword( NULL, serviceName.size(), serviceName.constData(), accountName.size(), accountName.constData(), &passwordSize, &passwordData, NULL ), &errMsg ) ) {
-        qWarning() << "Could not retrieve password:"  << qPrintable(errMsg);
-        return -1;
-    }
-
-    value = QByteArray( reinterpret_cast<const char*>( passwordData ), passwordSize );
-    SecKeychainItemFreeContent( NULL, passwordData );
-    return 0;
+int Wallet::readEntry(const QString &key, QByteArray &value)
+{   OSStatus err = d->readItem( key, &value, NULL );
+    kDebug() << "Wallet::readEntry '" << key << "' from wallet " << d->name << ", error=" << ((err)? -1 : 0);
+    return (err)? -1 : 0;
 }
 
 
-int Wallet::readEntryList(const QString& key, QMap<QString, QByteArray>& value) {
+int Wallet::readEntryList(const QString& key, QMap<QString, QByteArray>& value)
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     registerTypes();
 
@@ -464 +484 @@
 
     return rc;
 #else
+    Q_UNUSED(key);
+    Q_UNUSED(value);
+    kWarning() << "Wallet::readEntryList unimplemented (returns -1) '" << d->name << "'";
     return -1;
 #endif
 }
 
 
-int Wallet::renameEntry(const QString& oldName, const QString& newName) {
+int Wallet::renameEntry(const QString& oldName, const QString& newName)
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     int rc = -1;
 
@@ -484 +508 @@
 
     return rc;
 #else
-    return -1;
+    return d->renameItem( oldName, newName );
 #endif
 }
 
 
-int Wallet::readMap(const QString& key, QMap<QString,QString>& value) {
+int Wallet::readMap(const QString &key, QMap<QString,QString> &value)
+{
     QByteArray v;
-    const int ret = readEntry( key, v );
-    if ( ret != 0 )
+    const int ret = (d->readItem( key, &v, NULL ))? -1 : 0;
+    if( ret != 0 ){
         return ret;
-    if ( !v.isEmpty() ) {
-        QDataStream ds( &v, QIODevice::ReadOnly );
+    }
+    if( !v.isEmpty() ){
+        QByteArray w = QByteArray::fromBase64(v);
+        QDataStream ds( &w, QIODevice::ReadOnly );
         ds >> value;
     }
+    kDebug() << "Wallet::readMap '" << key << "' from wallet " << d->name << ", error=0";
     return 0;
 }
 
 
-int Wallet::readMapList(const QString& key, QMap<QString, QMap<QString, QString> >& value) {
+int Wallet::readMapList(const QString& key, QMap<QString, QMap<QString, QString> >& value)
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     registerTypes();
 
@@ -530 +559 @@
 
     return rc;
 #else
+    Q_UNUSED(key);
+    Q_UNUSED(value);
+    kWarning() << "Wallet::readMapList unimplemented (returns -1) '" << d->name << "'";
     return -1;
 #endif
 }
 
 
-int Wallet::readPassword(const QString& key, QString& value) {
+int Wallet::readPassword(const QString& key, QString& value)
+{
     QByteArray ba;
-    const int ret = readEntry( key, ba );
-    if ( ret == 0 )
+    const int ret = (d->readItem( key, &ba, NULL ))? -1 : 0;
+    if ( ret == 0 ){
         value = QString::fromUtf8( ba.constData() );
+    }
+    kDebug() << "Wallet::readPassword '" << key << "' from wallet " << d->name << ", error=" << ret;
     return ret;
 }
 
 
-int Wallet::readPasswordList(const QString& key, QMap<QString, QString>& value) {
+int Wallet::readPasswordList(const QString& key, QMap<QString, QString>& value)
+{
+    Q_UNUSED(key);
+    Q_UNUSED(value);
+    kWarning() << "Wallet::readPasswordList unimplemented (returns -1) '" << d->name << "'";
     return -1;
 }
 
-static OSStatus writeEntryImplementation( const QString& walletName, const QString& key, const QByteArray& value ) {
-    const QByteArray serviceName( walletName.toUtf8() );
-    const QByteArray accountName( key.toUtf8() );
-    QString errMsg;
-    OSStatus err = SecKeychainAddGenericPassword( NULL, serviceName.size(), serviceName.constData(), accountName.size(), accountName.constData(), value.size(), value.constData(), NULL );
-    if (err == errSecDuplicateItem) {
-        err = removeEntryImplementation( walletName, key );
-        if ( isError( err, &errMsg ) ) {
-            kWarning() << "Could not delete old key in keychain for replacing: " << qPrintable(errMsg);
-            return err;
-        }
-    }
-    if ( isError( err, &errMsg ) ) {
-        kWarning() << "Could not store password in keychain: " << qPrintable(errMsg);
-        return err;
-    }
-    kDebug() << "Succesfully written out key:" << key;
-    return err;
-
-}
-
-int Wallet::writeEntry(const QString& key, const QByteArray& password, EntryType entryType) {
-    Q_UNUSED( entryType )
-    return writeEntryImplementation( walletName(), key, password );
+int Wallet::writeEntry(const QString& key, const QByteArray& password )
+{   int ret = d->writeItem( key, password );
+    kDebug() << "wrote entry '" << key << "' to wallet " << d->name << ", error=" << ret;
+    return ret;
 }
 
-
-int Wallet::writeEntry(const QString& key, const QByteArray& value) {
-    return writeEntryImplementation( walletName(), key, value );
+int Wallet::writeEntry(const QString& key, const QByteArray& password, EntryType entryType)
+{
+    OSXKeychain::EntryType entryCode;
+        switch( entryType ){
+                case Wallet::Password:
+                        entryCode = OSXKeychain::Password;
+                        break;
+                case Wallet::Map:
+                        entryCode = OSXKeychain::Map;
+                        break;
+        case Wallet::Stream:
+            entryCode = OSXKeychain::Stream;
+            break;
+                default:
+                        entryCode = OSXKeychain::Unknown;
+                        break;
+        }
+        int ret = d->writeItem( key, password, &entryCode );
+    kDebug() << "wrote entry '" << key << "' of type=" << (int) entryType << "to wallet " << d->name << ", error=" << ret;
+    return ret;
 }
 
-
-int Wallet::writeMap(const QString& key, const QMap<QString,QString>& value) {
+int Wallet::writeMap(const QString& key, const QMap<QString,QString>& value)
+{
     QByteArray mapData;
     QDataStream ds(&mapData, QIODevice::WriteOnly);
     ds << value;
-    return writeEntry( key, mapData );
+    OSXKeychain::EntryType etype = OSXKeychain::Map;
+    int ret = d->writeItem( key, mapData.toBase64(),
+                           "This is a KDE Wallet::Map item. Its password\n"
+                           "cannot be read in the OS X Keychain Utility.\n"
+                           "Use KDE's own kwalletmanager for that.", &etype );
+    kDebug() << "wrote map '" << key << "' to wallet " << d->name << ", error=" << ret;
+    return ret;
 }
 
 
-int Wallet::writePassword(const QString& key, const QString& value) {
-    return writeEntry( key, value.toUtf8() );
+int Wallet::writePassword(const QString &key, const QString& value)
+{   OSXKeychain::EntryType etype = OSXKeychain::Password;
+    int ret = d->writeItem( key, value.toUtf8(), &etype );
+    kDebug() << "wrote password '" << key << "' to wallet " << d->name << ", error=" << ret;
+    return ret;
 }
 
 
-bool Wallet::hasEntry(const QString& key) {
-    const QByteArray serviceName( walletName().toUtf8() );
-    const QByteArray accountName( key.toUtf8() );
-    return !isError( SecKeychainFindGenericPassword( NULL, serviceName.size(), serviceName.constData(), accountName.size(), accountName.constData(), NULL, NULL, NULL ), 0 );
+bool Wallet::hasEntry(const QString &key)
+{   bool ret = d->hasItem( key, NULL );
+    kDebug() << "wallet '" << d->name << "'" << ((ret)? " has" : " does not have") << " entry '" << key << "'";
+    return ret;
 }
 
-int Wallet::removeEntry(const QString& key) {
-    return removeEntryImplementation( walletName(), key );
+int Wallet::removeEntry(const QString& key)
+{   int ret = d->removeItem( key );
+    kDebug() << "removed entry '" << key << "' from wallet " << d->name << ", error=" << ret;
+    return ret;
 }
 
 
-Wallet::EntryType Wallet::entryType(const QString& key) {
+Wallet::EntryType Wallet::entryType(const QString& key)
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     int rc = 0;
 
@@ -619 +667 @@
 
     return static_cast<EntryType>(rc);
 #else
+    // RJVB: a priori, entries are always 'password' on OS X, but since we also do use them for storing
+    // maps, it may be best to return Wallet::Unknown to leave some uncertainty and not mislead our caller.
+    OSXKeychain::EntryType etype;
+    if( !d->itemType( key, &etype ) ){
+        switch( etype ){
+            case OSXKeychain::Password:
+                return Wallet::Password;
+                break;
+            case OSXKeychain::Map:
+                return Wallet::Map;
+                break;
+            case OSXKeychain::Stream:
+                return Wallet::Stream;
+                break;
+        }
+    }
     return Wallet::Unknown;
 #endif
 }
 
 
-void Wallet::slotFolderUpdated(const QString& wallet, const QString& folder) {
+void Wallet::slotFolderUpdated(const QString& wallet, const QString& folder)
+{
     if (d->name == wallet) {
         emit folderUpdated(folder);
     }
 }
 
 
-void Wallet::slotFolderListUpdated(const QString& wallet) {
+void Wallet::slotFolderListUpdated(const QString& wallet)
+{
     if (d->name == wallet) {
         emit folderListUpdated();
     }
 }
 
 
-void Wallet::slotApplicationDisconnected(const QString& wallet, const QString& application) {
+void Wallet::slotApplicationDisconnected(const QString& wallet, const QString& application)
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     if (d->handle >= 0
         && d->name == wallet
         && application == appid()) {
         slotWalletClosed(d->handle);
     }
+#else
+    Q_UNUSED(wallet);
+    Q_UNUSED(application);
+        kWarning() << "Wallet::slotApplicationDisconnected unimplemented '" << d->name << "'";
 #endif
 }
 
-void Wallet::walletAsyncOpened(int tId, int handle) {
+void Wallet::walletAsyncOpened(int tId, int handle)
+{
 #ifdef OSX_KEYCHAIN_PORT_DISABLED
     // ignore responses to calls other than ours
     if (d->transactionId != tId || d->handle != -1) {
         return;
     }
-    
+
     // disconnect the async signal
     disconnect(this, SLOT(walletAsyncOpened(int,int)));
-    
+
     d->handle = handle;
     emit walletOpened(handle > 0);
+#else
+    Q_UNUSED(tId);
+    Q_UNUSED(handle);
+        kWarning() << "Wallet::walletAsyncOpened unimplemented '" << d->name << "'";
 #endif
 }
 
-void Wallet::emitWalletAsyncOpenError() {
+void Wallet::emitWalletAsyncOpenError()
+{
     emit walletOpened(false);
 }
 
-void Wallet::emitWalletOpened() {
+void Wallet::emitWalletOpened()
+{
   emit walletOpened(true);
 }
 
@@ -678 +756 @@
     QDBusReply<bool> r = walletLauncher->getInterface().folderDoesNotExist(wallet, folder);
     return r;
 #else
-    return false;
+    bool ret = true;
+    if( Wallet::walletList().contains(wallet) ){
+        ret = !Wallet(-1, wallet).hasFolder(folder);
+    }
+    return ret;
 #endif
 }
 
@@ -689 +771 @@
     QDBusReply<bool> r = walletLauncher->getInterface().keyDoesNotExist(wallet, folder, key);
     return r;
 #else
-    return false;
+    bool ret = true;
+    if( Wallet::walletList().contains(wallet) ){
+        Wallet w(-1, wallet);
+        if( w.hasFolder(folder) ){
+            ret = !w.hasEntry(key);
+        }
+    }
+    return ret;
 #endif
 }
 
 void Wallet::slotCollectionStatusChanged(int status)
 {
+    Q_UNUSED(status);
+        kWarning() << "Wallet::slotCollectionStatusChanged unimplemented '" << d->name << "' status=" << status;
 }
 
 void Wallet::slotCollectionDeleted()
 {
+#ifdef OSX_KEYCHAIN_PORT_DISABLED
     d->folder.clear();
-    d->name.clear();
+#else
+    d->currentService.clear();
+#endif
+    kDebug() << "Wallet::slotCollectionDeleted: closing private data '" << d->name;
+    d->close();
     emit walletClosed();
 }
 
 
-void Wallet::virtual_hook(int, void*) {
+void Wallet::virtual_hook(int, void*)
+{
     //BASE::virtual_hook( id, data );
 }
 

kdelibs-4.12.5/kdeui/util/

@@ +1 @@
+/*
+ *  @file qosxkeychain.h
+ *  This file is part of the KDE project
+ *
+ *  Created by René J.V. Bertin on 20140809.
+ *  Copyright 2014 RJVB.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#include <Security/Security.h>
+#include <Security/SecKeychain.h>
+
+namespace {
+    template <typename T>
+    struct CFReleaser {
+        explicit CFReleaser( const T& r ) : ref( r ) {}
+        ~CFReleaser() { if( ref ){ CFRelease( ref ); } }
+        T ref;
+    };
+
+    template <typename T>
+    struct CPPDeleter {
+        explicit CPPDeleter( const T& r ) : ptr( r ) {}
+        ~CPPDeleter() { if( ptr ){ delete ptr; } }
+        T ptr;
+    };
+
+    template <typename T>
+    struct CPPArrayDeleter {
+        explicit CPPArrayDeleter( const T& r ) : ptr( r ) {}
+        ~CPPArrayDeleter() { if( ptr ){ delete[] ptr; } }
+        T ptr;
+    };
+
+    template <typename T>
+    struct CacheOldValue {
+        explicit CacheOldValue( T &var, const T newVal )
+            : oldVal(var), varRef(var)
+        {
+            var = newVal;
+        }
+        ~CacheOldValue()
+        {
+            varRef = oldVal;
+        }
+        T oldVal, &varRef;
+    };
+}
+
+static inline QString asQString( CFStringRef sr )
+{   CFIndex len = CFStringGetLength(sr)*2;
+    const CPPArrayDeleter<char*> buff(new char[len]);
+    if( CFStringGetCString( sr, buff.ptr, len, kCFStringEncodingUTF8 ) ){
+        return QString::fromUtf8(buff.ptr); //RJVB: use UTF8
+    }
+    else if( CFStringGetCString( sr, buff.ptr, len, kCFStringEncodingNonLossyASCII ) ){
+        return QString::fromLocal8Bit(buff.ptr);
+    }
+    else{
+        CFStringGetCString( sr, buff.ptr, len, NULL );
+        return QString::fromLatin1(buff.ptr);
+    }
+}
+
+static inline QString errorString( OSStatus s )
+{
+    const CFReleaser<CFStringRef> ref( SecCopyErrorMessageString( s, NULL ) );
+    return asQString( ref.ref );
+}
+
+static inline bool isError( OSStatus s, QString *errMsg )
+{
+    if( errMsg ){
+        *errMsg = errorString(s);
+    }
+    return s != 0;
+}
+
+class OSXKeychain
+{
+private:
+    SecKeychainRef keyChainRef;
+    QString keyChainPath;
+    bool isDefaultKeychain, generateFolderList;
+
+public:
+        enum EntryType { Unknown='K\?\?\?', Password='KPWD', Map='KMAP', Stream='KSTR' };
+    QString name;
+    QString currentService, lastReadService;
+    QStringList serviceList;
+    bool isKDEChain;
+
+    OSXKeychain();
+    OSXKeychain(const QString &name);
+    virtual ~OSXKeychain();
+
+    inline SecKeychainRef reference()
+    {
+        return keyChainRef;
+    }
+    inline QString &path()
+    {
+        return keyChainPath;
+    }
+    inline bool isDefault()
+    {
+            return isDefaultKeychain;
+    }
+    inline bool isOpen()
+    {
+        return IsOpen(keyChainRef);
+    }
+    inline OSStatus lock()
+    {
+        return Lock(keyChainRef);
+    }
+    inline OSStatus unLock()
+    {
+        return UnLock(keyChainRef);
+    }
+    void close();
+    inline bool hasItem(const QString &key, OSStatus *errReturn, SecKeychainItemRef *itemRef=NULL)
+    {
+            // qDebug() << "OSXKeychain::hasItem(" << key << "): scanning '" << name << "'=" << (void*) keyChainRef;
+            return OSXKeychain::HasItem( key, keyChainRef, errReturn, itemRef );
+    }
+    inline OSStatus readItem(const QString &key, QByteArray *value, SecKeychainItemRef *itemRef=NULL)
+    {
+        return ReadItem( key, value, keyChainRef, itemRef, this );
+    }
+    inline OSStatus itemType(const QString &key, EntryType *entryType)
+    {
+        return ItemType( key, entryType, keyChainRef );
+    }
+    inline OSStatus removeItem(const QString &key)
+    {
+        return RemoveItem( key, keyChainRef );
+    }
+    inline OSStatus writeItem( const QString &key, const QByteArray &value, EntryType *entryType=NULL )
+    {
+        return WriteItem( key, value, keyChainRef, NULL, entryType, this );
+    }
+    inline OSStatus writeItem( const QString &key, const QByteArray &value, const QString &comment,
+                               EntryType *entryType=NULL )
+    {
+        return WriteItem( key, value, comment, keyChainRef, entryType, this );
+    }
+    inline OSStatus itemList( QStringList &keyList )
+    {
+        return ItemList( keyChainRef, keyList, this );
+    }
+    inline QStringList folderList()
+    {
+        QStringList r;
+        CacheOldValue<bool> gFL(generateFolderList, true);
+        ItemList( keyChainRef, r, this );
+        r.clear();
+        return serviceList;
+    }
+    OSStatus renameItem(const QString &currentKey, const QString &newKey);
+
+#pragma mark ==== class methods aka static member functions ====
+    static OSStatus KeychainList(QStringList &theList);
+    static QString Path(const SecKeychainRef keychain);
+    static bool IsOpen(const SecKeychainRef keychain);
+    static bool IsOpen(const QString& name);
+    static OSStatus UnLock(const SecKeychainRef keychain);
+    static OSStatus Lock(const SecKeychainRef keychain);
+    static OSStatus Lock(const QString &walletName);
+    /** use the keychain search functions to find the first matching item, if any, returning True if found.
+     The OS X error code is returned through @p errReturn when not NULL, the item itself through @p itemRef.
+     This reference will have to be released with CFRelease() when done with it (when @p itemRef==NULL the
+     function does this release itself).
+     */
+    static bool HasItem(const QString &key,
+                         const SecKeychainRef keychain, OSStatus *errReturn, SecKeychainItemRef *itemRef);
+    static OSStatus ReadItem(const QString &key, QByteArray *value,
+                              const SecKeychainRef keychain, SecKeychainItemRef *itemRef=NULL, OSXKeychain *osxKeyChain=NULL);
+    static OSStatus ItemType(const QString &key, EntryType *entryType,
+                               const SecKeychainRef keychain);
+    static OSStatus RemoveItem(const QString &key, const SecKeychainRef keychain);
+    static OSStatus WriteItem( const QString &key, const QByteArray &value,
+                               const SecKeychainRef keychain, SecKeychainItemRef *itemRef=NULL, EntryType *entryType=NULL, OSXKeychain *osxKeyChain=NULL );
+    static OSStatus WriteItem( const QString& key, const QByteArray& value,
+                               const QString& comment, const SecKeychainRef keychain, EntryType *entryType, OSXKeychain *osxKeyChain=NULL );
+    static OSStatus ItemList( const SecKeychainRef keychain, QStringList &keyList, OSXKeychain *osxKeyChain=NULL );
+    static OSStatus Destroy( SecKeychainRef *keychain );
+    static OSStatus Destroy( const QString &walletName );
+};

kdelibs-4.12.5/kdeui/util/

@@ +1 @@
+/*
+ *  @file qosxkeychain.cpp
+ *  This file is part of the KDE project
+ *
+ *  Created by René J.V. Bertin on 20140809.
+ * Copyright (C) 2014 René Bertin <rjvbertin@gmail.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#include <cassert>
+#include <sys/param.h>
+
+#include <QtGui/QApplication>
+#include <QtCore/QtCore>
+#include <QtCore/QPointer>
+#include <QtGui/QWidget>
+
+#include "kwallet.h"
+#include <kdebug.h>
+using namespace KWallet;
+#include "qosxkeychain.h"
+
+#include <CoreServices/CoreServices.h>
+
+//! Define INTERNET_TOO=1 in order to build read-access to the kSecInternetPasswordItemClass items
+#define INTERNET_TOO    0
+
+// #undef kWarning
+// #undef kDebug
+// #define kWarning    qWarning
+// #define kDebug      qDebug
+
+// returns the textual representation of a FourCharCode (e.g. 'JPEG')
+static QString OSTStr( FourCharCode etype )
+{   union OSTStr {
+        struct {
+            char startquote;
+            uint32_t four;
+            char endquote;
+        } __attribute__ ((packed)) value;
+        char representation[7];
+    }  __attribute__ ((packed)) ltype;
+    ltype.value.four = EndianU32_BtoN(etype);
+    ltype.representation[0] = ltype.representation[5] = '\'';
+    ltype.representation[6] = '\0';
+    return QString::fromAscii(ltype.representation);
+}
+
+static SecKeychainRef defaultChain()
+{   QString errMsg;
+    SecKeychainRef keychain;
+    if( isError( SecKeychainCopyDefault(&keychain), &errMsg ) ){
+        kWarning() << "Could not retrieve reference to default keychain:"  << qPrintable(errMsg);
+        keychain = NULL;
+    }
+    return keychain;
+}
+
+/*! Return a name for @p keychain, and possibly the full path to its file
+ * The name  will be the equivalent of the `basename path .keychain` shell
+ * command.
+ */
+static QString keyChainName( SecKeychainRef keychain, QString *path=NULL )
+{   QFileInfo keyFile;
+    QString p = OSXKeychain::Path(keychain);
+    int ext = p.lastIndexOf(".keychain");
+    keyFile = QFileInfo( ((ext > 0)? p.left(ext) : p) );
+    if( path ){
+        *path = QString(p);
+    }
+    return keyFile.fileName();
+}
+
+/*! Open an OS X keychain with name @p n.
+ * OS X keychains can be created without a full path (say, "kdewallet"), in which case they
+ * are stored e.g. as ~/Library/Keychains/kdewallet . However, opening a preexisting keychain like "login"
+ * without using the full path seems to fail even if e.g. ~/Library/Keychains/login exists.
+ * We try to work around that issue by matching @p n against the known keychain names.
+ */
+static OSStatus openKeychain( const QString &n, SecKeychainRef *keychain )
+{   OSStatus err;
+    CFArrayRef list = NULL;
+
+    *keychain = NULL;
+    err = SecKeychainCopySearchList( &list );
+    if( !err && list ){
+        CFIndex len = CFArrayGetCount(list), i;
+        for( i = 0 ; i < len && !*keychain ; ++i ){
+            SecKeychainRef kr = (SecKeychainRef) CFArrayGetValueAtIndex( list, i );
+            QString path, name = keyChainName( kr, &path );
+            if( name == n ){
+                // a hit, try to open it!
+                err = SecKeychainOpen( path.toUtf8(), keychain );
+                if( err ){
+                    kWarning() << "openKeychain(" << n << ") error" << err << "opening matching" << path;
+                }
+                else{
+                    kDebug() << "openKeychain(" << n << ") opened matching" << path;
+                }
+            }
+        }
+        CFRelease(list);
+    }
+    if( !*keychain ){
+        err = SecKeychainOpen( n.toUtf8(), keychain );
+    }
+    // we actually need to query the keychain's status to know if we succeeded
+    // in opening an existing keychain!
+    if( !err ){
+        SecKeychainStatus status;
+        err = SecKeychainGetStatus( *keychain, &status );
+    }
+    return err;
+}
+
+static OSStatus basicWriteItem( const QByteArray *serviceName, const QByteArray &accountName, const QByteArray &value,
+                               const SecKeychainRef keychain, SecKeychainItemRef *itemRef=NULL )
+{   OSStatus err;
+    QString errMsg;
+    if( serviceName ){
+        err = SecKeychainAddGenericPassword( keychain, serviceName->size(), serviceName->constData(),
+                                                     accountName.size(), accountName.constData(),
+                                                     value.size(), value.constData(), itemRef );
+    }
+    else{
+        err = SecKeychainAddGenericPassword( keychain, 0, NULL,
+                                                     accountName.size(), accountName.constData(),
+                                                     value.size(), value.constData(), itemRef );
+    }
+    if( err != errSecDuplicateItem && isError( err, &errMsg ) ){
+        kWarning() << "Could not store password in keychain: " << qPrintable(errMsg);
+    }
+    return err;
+}
+
+OSXKeychain::OSXKeychain()
+    : name("default")
+{ QString errMsg;
+    keyChainRef = defaultChain();
+    if( keyChainRef ){
+        keyChainPath = OSXKeychain::Path(keyChainRef);
+        kDebug() << "Retrieved reference to default keychain" << (void*) keyChainRef << "in " << keyChainPath;
+        name = keyChainName(keyChainRef);
+        isDefaultKeychain = true;
+    }
+    else{
+        keyChainPath = QString::fromUtf8("<undefined>");
+    }
+    serviceList.clear();
+    serviceList.append("");
+}
+
+OSXKeychain::OSXKeychain(const QString &n)
+    : name(n)
+{   QString errMsg;
+    OSStatus err = openKeychain( n, &keyChainRef );
+
+    if( err == errSecNoSuchKeychain ){
+        kWarning() << "Keychain '" << n << "' does not exist: attempting to create it";
+        err = SecKeychainCreate( n.toUtf8(), 0, NULL, true, NULL, &keyChainRef );
+        isKDEChain = true;
+    }
+
+    if( isError( err, &errMsg ) ){
+        // the protocol cannot handle failure to open a keychain, so we have to return the default.
+        keyChainRef = defaultChain();
+        kWarning() << "Error opening keychain '" << n << "' (falling back to default keychain): " << qPrintable(errMsg);
+        name = keyChainName(keyChainRef);
+        isDefaultKeychain = true;
+    }
+    else{
+        isDefaultKeychain = false;
+    }
+
+    if( keyChainRef ){
+        keyChainPath = OSXKeychain::Path(keyChainRef);
+        kDebug() << "Retrieved reference to keychain" << name << (void*) keyChainRef << "in " << keyChainPath;
+    }
+    else{
+        keyChainPath = QString::fromUtf8("<undefined>");
+    }
+    serviceList.clear();
+    serviceList.append("");
+}
+
+void OSXKeychain::close()
+{
+    if( keyChainRef ){
+        CFRelease(keyChainRef);
+        keyChainRef = NULL;
+    }
+}
+
+OSXKeychain::~OSXKeychain()
+{
+    close();
+}
+
+OSStatus OSXKeychain::renameItem(const QString &currentKey, const QString &newKey)
+{   OSStatus err;
+    SecKeychainItemRef itemRef = NULL;
+    err = ReadItem( currentKey, NULL, keyChainRef, &itemRef, this );
+    if( !err && itemRef ){
+        const QByteArray accountName( newKey.toUtf8() );
+        // store the new key in the account and label attributes
+        SecKeychainAttribute attr[] = { { kSecAccountItemAttr, accountName.size(), (void*) accountName.constData() },
+                                        { kSecLabelItemAttr, accountName.size(), (void*) accountName.constData() } };
+        SecKeychainAttributeList attrList = { 2, &attr[0] };
+        QString errMsg;
+        if( isError( (err = SecKeychainItemModifyAttributesAndData( itemRef, &attrList, 0, NULL )), &errMsg ) ){
+            kWarning() << "OSXKeychain::renameItem(" << currentKey << ") couldn't change name & label to" << accountName
+            << ":" << err << "=" << qPrintable(errMsg);
+        }
+        CFRelease(itemRef);
+    }
+    return err;
+}
+
+#pragma mark ========= static member functions =========
+
+OSStatus OSXKeychain::KeychainList(QStringList &theList)
+{   CFArrayRef list = NULL;
+    OSStatus err = SecKeychainCopySearchList( &list );
+    theList.clear();
+    if( !err && list ){
+        CFIndex len = CFArrayGetCount(list), i;
+        for( i = 0 ; i < len ; ++i ){
+            SecKeychainRef keychain = (SecKeychainRef) CFArrayGetValueAtIndex( list, i );
+            QString name = keyChainName(keychain);
+            if( name.size() > 0 ){
+                theList.append(name);
+            }
+        }
+        CFRelease(list);
+    }
+    return err;
+}
+
+QString OSXKeychain::Path(const SecKeychainRef keychain)
+{   char pathName[MAXPATHLEN];
+    UInt32 plen = MAXPATHLEN;
+    if( SecKeychainGetPath( (keychain)? keychain : OSXKeychain().reference(), &plen, pathName ) == errSecSuccess ){
+        return QString::fromUtf8(pathName);
+    }
+    else{
+        return QString();
+    }
+}
+
+bool OSXKeychain::IsOpen(const SecKeychainRef keychain)
+{   bool isOpen = false;
+    SecKeychainStatus status;
+    QString errMsg;
+    if( isError( SecKeychainGetStatus( keychain, &status ), &errMsg ) ){
+        if( keychain ){
+            kDebug() << "Could not get the status of keychain" << OSXKeychain::Path(keychain) << ":"  << qPrintable(errMsg);
+        }
+        else{
+            kWarning() << "Could not get the default keychain's status:"  << qPrintable(errMsg);
+        }
+    }
+    else{
+        if( (status & kSecUnlockStateStatus) && (status & kSecReadPermStatus) ){
+            isOpen = true;
+        }
+        else{
+            kDebug() << "Keychain" << OSXKeychain::Path(keychain) << " has status" << status;
+        }
+    }
+    return isOpen;
+}
+
+bool OSXKeychain::IsOpen(const QString &walletName)
+{   SecKeychainRef keychain = NULL;
+    OSStatus err = openKeychain( walletName.toUtf8(), &keychain );
+    bool ret = false;
+    if( !err && keychain ){
+        ret = IsOpen(keychain);
+        CFRelease(keychain);
+    }
+    return ret;
+}
+
+OSStatus OSXKeychain::UnLock(const SecKeychainRef keychain)
+{   QString errMsg;
+    OSStatus err;
+    err = SecKeychainUnlock( keychain, 0, NULL, false );
+    if( isError( err, &errMsg ) ){
+        if( keychain ){
+            kDebug() << "Could not unlock the keychain at '" << OSXKeychain::Path(keychain) << "': " << qPrintable(errMsg);
+        }
+        else{
+            kDebug() << "Could not unlock the default keychain:"  << qPrintable(errMsg);
+        }
+    }
+    return err;
+}
+
+OSStatus OSXKeychain::Lock(const SecKeychainRef keychain)
+{   QString errMsg;
+    OSStatus err;
+    if( keychain ){
+        err = SecKeychainLock(keychain);
+        if( isError( err, &errMsg ) ){
+            kDebug() << "Could not lock the keychain at '" << OSXKeychain::Path(keychain) << "': " << qPrintable(errMsg);
+        }
+    }
+    else{
+        err = SecKeychainLockAll();
+        if( isError( err, &errMsg ) ){
+            kDebug() << "Could not lock all keychains:" << qPrintable(errMsg);
+        }
+    }
+    return err;
+}
+
+OSStatus OSXKeychain::Lock(const QString &walletName)
+{   SecKeychainRef keychain = NULL;
+    OSStatus err = openKeychain( walletName, &keychain );
+    if( !err && keychain ){
+        err = Lock(keychain);
+           CFRelease(keychain);
+    }
+    return err;
+}
+
+/** use the keychain search functions to find the first matching item, if any, @return returning True if found.
+ The OS X error code is returned through @p errReturn when not NULL, the item itself through @p itemRef.
+ This reference will have to be released with CFRelease() when done with it (when @p itemRef==NULL the
+ function does this release itself).
+ */
+bool OSXKeychain::HasItem(const QString &key,
+                     const SecKeychainRef keychain, OSStatus *errReturn, SecKeychainItemRef *itemRef)
+{   const QByteArray accountName( key.toUtf8() );
+    OSStatus err;
+    SecKeychainSearchRef searchRef;
+    SecKeychainAttribute attrs = { kSecAccountItemAttr, accountName.size(), (void*) accountName.constData() };
+    SecKeychainAttributeList attrList = { 1, &attrs };
+    err = SecKeychainSearchCreateFromAttributes( keychain, kSecGenericPasswordItemClass,
+                                                (const SecKeychainAttributeList*) &attrList, &searchRef );
+    const CFReleaser<SecKeychainSearchRef> releaseSR(searchRef);
+    bool found;
+    SecKeychainItemRef item;
+    QString errMsg;
+    if( err ){
+        found = false;
+        errMsg = errorString(err);
+        kDebug() << "OSXKeychain::HasItem(" << key << "," << (void*) keychain << "): SecKeychainSearchCreateFromAttributes failed";
+    }
+    else{
+            if( !(err = SecKeychainSearchCopyNext( searchRef, &item )) ){
+                found = true;
+                if( itemRef ){
+                    *itemRef = item;
+                }
+                else if( item ){
+                    CFRelease(item);
+                }
+                errMsg = QString();
+            }
+            else{
+                found = false;
+                errMsg = errorString(err);
+            }
+            if( errReturn ){
+                *errReturn = err;
+            }
+    }
+    kDebug() << ((found)? "Found" : "Did not find") << "item '" << key << "' in keychain " << (void*) keychain << ", error=" << err << " " << qPrintable(errMsg);
+    return found;
+}
+
+OSStatus OSXKeychain::ReadItem(const QString &key, QByteArray *value,
+                          const SecKeychainRef keychain, SecKeychainItemRef *itemRef, OSXKeychain *osxKeyChain)
+{   const QByteArray accountName( key.toUtf8() );
+    UInt32 passwordSize = 0;
+    void* passwordData = 0;
+    QString errMsg;
+    SecKeychainItemRef theItem;
+    OSStatus err = SecKeychainFindGenericPassword( keychain, 0, NULL,
+                                                  accountName.size(), accountName.constData(),
+                                                  &passwordSize, &passwordData, &theItem );
+    if( isError( err, &errMsg ) ){
+        kDebug() << "Error" << err << "retrieving password for '" << accountName << "' :" << qPrintable(errMsg);
+#if INTERNET_TOO
+        if( SecKeychainFindInternetPassword( keychain, 0, NULL,
+                                                      0, NULL,
+                                                      accountName.size(), accountName.constData(),
+                                                      0, NULL, 0,
+                                                      kSecProtocolTypeAny, kSecAuthenticationTypeDefault,
+                                                      &passwordSize, &passwordData, &theItem ) ){
+            // just to be sure:
+            theItem = NULL;
+        }
+        else{
+            err = 0;
+            errMsg = QString();
+        }
+#else
+        theItem = NULL;
+#endif
+    }
+    if( !err && theItem ){
+        if( value ){
+            *value = QByteArray( reinterpret_cast<const char*>( passwordData ), passwordSize );
+        }
+        SecKeychainItemFreeContent( NULL, passwordData );
+        if( osxKeyChain && osxKeyChain->isKDEChain ){
+            SecKeychainAttribute attr = { kSecServiceItemAttr, 0, NULL };
+            SecKeychainAttributeList attrList = { 1, &attr };
+            UInt32 len = 0;
+            // try to fetch the item's ServiceItem attribute
+            if( !SecKeychainItemCopyContent( theItem, NULL, &attrList, &len, NULL ) ){
+                if( attr.length > 0 ){
+                    osxKeyChain->lastReadService.clear();
+                    osxKeyChain->lastReadService = QString::fromUtf8( (char*)attr.data, attr.length );
+                }
+                SecKeychainItemFreeContent( &attrList, NULL );
+            }
+        }
+        if( itemRef ){
+            *itemRef = theItem;
+        }
+        else if( theItem ){
+            CFRelease(theItem);
+        }
+    }
+    kDebug() << "OSXKeychain::ReadItem '" << key << "' from keychain " << OSXKeychain::Path(keychain) << ", error=" << err;
+    return err;
+}
+
+OSStatus OSXKeychain::ItemType(const QString &key, EntryType *entryType,
+                          const SecKeychainRef keychain)
+{   const QByteArray accountName( key.toUtf8() );
+    QString errMsg;
+    EntryType etype = (EntryType) 0;
+    SecKeychainItemRef itemRef;
+#if INTERNET_TOO
+    bool isInternetPW = false;
+#endif
+    OSStatus err = SecKeychainFindGenericPassword( keychain, 0, NULL,
+                                                  accountName.size(), accountName.constData(),
+                                                  NULL, NULL, &itemRef );
+    if( isError( err, &errMsg ) ){
+        kDebug() << "Error" << err << "retrieving type for '" << accountName << "' :" << qPrintable(errMsg);
+#if INTERNET_TOO
+        if( SecKeychainFindInternetPassword( keychain, 0, NULL,
+                                            0, NULL,
+                                            accountName.size(), accountName.constData(),
+                                            0, NULL, 0,
+                                            kSecProtocolTypeAny, kSecAuthenticationTypeDefault,
+                                            0, NULL, &itemRef ) ){
+            // just to be sure:
+            itemRef = NULL;
+        }
+        else{
+            isInternetPW = true;
+            err = 0;
+            errMsg = QString();
+        }
+#else
+        itemRef = NULL;
+#endif
+    }
+    if( itemRef ){
+                UInt32 tags[] = { kSecTypeItemAttr };
+                UInt32 formats[] = { CSSM_DB_ATTRIBUTE_FORMAT_STRING };
+        SecKeychainAttributeInfo attrGet = { 1, tags, formats };
+        SecKeychainAttributeList *attrList = NULL;
+        err = SecKeychainItemCopyAttributesAndData( itemRef, &attrGet, NULL, &attrList, NULL, NULL );
+        if( !err ){
+            if( attrList->attr[0].length == sizeof(EntryType) ){
+                memcpy( &etype, attrList->attr[0].data, sizeof(EntryType) );
+            }
+            else if( attrList->attr[0].length ){
+                kDebug() << "Error: key" << key << "item type retrieved is of size" << attrList->attr[0].length << "!=" << sizeof(EntryType);
+            }
+#if INTERNET_TOO
+            else if( isInternetPW ){
+                // this is just a wild guess ...
+                etype = Password;
+            }
+#endif
+            if( entryType ){
+                *entryType = etype;
+            }
+        }
+        SecKeychainItemFreeAttributesAndData( attrList, NULL );
+        CFRelease(itemRef);
+    }
+    kDebug() << "OSXKeychain::ItemType '" << key << "' from keychain " << OSXKeychain::Path(keychain) << "=" << OSTStr(etype) << ", error=" << err;
+    return err;
+}
+
+OSStatus OSXKeychain::RemoveItem(const QString &key, const SecKeychainRef keychain)
+{   const QByteArray accountName( key.toUtf8() );
+    SecKeychainItemRef itemRef;
+    QString errMsg;
+    OSStatus result = SecKeychainFindGenericPassword( keychain, 0, NULL,
+                                                     accountName.size(), accountName.constData(), NULL, NULL, &itemRef );
+    if( isError( result, &errMsg ) ){
+        kDebug() << "Could not find entry" << key << ":"  << qPrintable(errMsg);
+    }
+    else{
+        const CFReleaser<SecKeychainItemRef> itemReleaser(itemRef);
+        result = SecKeychainItemDelete(itemRef);
+        if( isError( result, &errMsg ) ){
+            kWarning() << "Could not delete entry" << key << ":"  << qPrintable(errMsg);
+        }
+    }
+    return result;
+}
+
+OSStatus OSXKeychain::WriteItem( const QString &key, const QByteArray &value,
+                                                   const SecKeychainRef keychain, SecKeychainItemRef *itemRef, EntryType *entryType, OSXKeychain *osxKeyChain )
+{   const QByteArray accountName( key.toUtf8() );
+    OSStatus err;
+    QString errMsg;
+    SecKeychainItemRef theItem = NULL;
+    bool saveLabel;
+    if( osxKeyChain && osxKeyChain->currentService.size() ){
+        const QByteArray serviceName( osxKeyChain->currentService.toUtf8() );
+        // save the "GenericPassword" item using the service name, which appears to be the only way to write
+        // to the "Where" field shown in the Keychain Utility.
+        err = basicWriteItem( &serviceName, accountName, value, keychain, &theItem );
+        // the service (folder!) string will also appear on the "Name" field, which however can be changed
+        // independently, via the Label attribute.
+        saveLabel = true;
+    }
+    else{
+        err = basicWriteItem( NULL, accountName, value, keychain, &theItem );
+        saveLabel = false;
+    }
+    if( err == errSecDuplicateItem ){
+        // RJVB: the previous implementation was wrong. errSecDuplicateItem means the write failed because of an existing item.
+        // So we have to find that item, and modify it.
+        if( !(err = ReadItem( key, NULL, keychain, &theItem )) ){
+            err = SecKeychainItemModifyAttributesAndData( theItem, NULL, value.size(), value.constData() );
+            if( isError( err, &errMsg ) ){
+                kDebug() << "Key '" << key
+                    << "'already exists in keychain but error modifying the existing item: " << qPrintable(errMsg);
+            }
+        }
+        if( !err ){
+            kDebug() << "Key '" << key << "'already existed in keychain: modified the existing item";
+        }
+    }
+    if( !err && saveLabel ){
+        // store the desired text in the label attribute
+        SecKeychainAttribute attr = { kSecLabelItemAttr, accountName.size(), (void*) accountName.constData() };
+        SecKeychainAttributeList attrList = { 1, &attr };
+        QString errMsg;
+        if( isError( (err = SecKeychainItemModifyAttributesAndData( theItem, &attrList, 0, NULL )), &errMsg ) ){
+            kWarning() << "OSXKeychain::WriteItem(" << key << ") couldn't set the desired name/label" << accountName
+                << ":" << err << "=" << qPrintable(errMsg);
+        }
+    }
+    if( !err ){
+        EntryType defType = Stream;
+        if( !entryType ){
+            entryType = &defType;
+        }
+        SecKeychainAttribute attr = { kSecTypeItemAttr, sizeof(EntryType), (void*) entryType };
+        SecKeychainAttributeList attrList = { 1, &attr };
+        QString errMsg;
+        if( isError( (err = SecKeychainItemModifyAttributesAndData( theItem, &attrList, 0, NULL )), &errMsg ) ){
+            kWarning() << "OSXKeychain::WriteItem(" << key << ") couldn't set type to" << OSTStr(*entryType)
+                << ":" << qPrintable(errMsg);
+        }
+    }
+    if( itemRef ){
+        *itemRef = theItem;
+    }
+    else if( theItem ){
+        CFRelease(theItem);
+    }
+    kDebug() << "OSXKeychain::WriteItem '" << key << "' to keychain " << (void*) keychain << ", error=" << err;
+    return err;
+}
+
+OSStatus OSXKeychain::WriteItem( const QString &key, const QByteArray &value,
+                                 const QString &comment, const SecKeychainRef keychain, EntryType *entryType, OSXKeychain *osxKeyChain )
+{   SecKeychainItemRef itemRef = NULL;
+    OSStatus err = WriteItem( key, value, keychain, &itemRef, entryType, osxKeyChain );
+    if( !err && itemRef ){
+        const QByteArray commentString(comment.toUtf8());
+        if( commentString.size() ){
+            SecKeychainAttribute attr = { kSecCommentItemAttr, commentString.size(), (void*) commentString.constData() };
+            SecKeychainAttributeList attrList = { 1, &attr };
+            QString errMsg;
+            if( isError( (err = SecKeychainItemModifyAttributesAndData( itemRef, &attrList, 0, NULL )), &errMsg ) ){
+                kWarning() << "OSXKeychain::WriteItem(" << key << ") couldn't add comment" << comment
+                    << ":" << qPrintable(errMsg);
+            }
+        }
+        CFRelease(itemRef);
+    }
+    return err;
+}
+
+// returns the kSecAccountItemAttr's of all items in the keychain
+OSStatus OSXKeychain::ItemList( SecKeychainRef keychain, QStringList &keyList, OSXKeychain *osxKeyChain )
+{   OSStatus err;
+    SecKeychainSearchRef searchRef[2];
+    bool generateFolderList = ( osxKeyChain && osxKeyChain->isKDEChain && osxKeyChain->generateFolderList );
+
+    keyList.clear();
+    if( generateFolderList ){
+        osxKeyChain->serviceList.clear();
+        if( osxKeyChain->currentService.size() > 0 ){
+            osxKeyChain->serviceList.append(osxKeyChain->currentService);
+        }
+    }
+
+    err = SecKeychainSearchCreateFromAttributes( keychain, kSecGenericPasswordItemClass, NULL, &searchRef[0] );
+#if INTERNET_TOO
+    if( SecKeychainSearchCreateFromAttributes( keychain, kSecInternetPasswordItemClass, NULL, &searchRef[1] ) ){
+        searchRef[1] = NULL;
+    }
+#else
+    searchRef[1] = NULL;
+#endif
+    SecKeychainItemRef item;
+    QString errMsg;
+    if( isError(err, &errMsg) ){
+        kDebug() << "OSXKeychain::ItemList(" << (void*) keychain << "): SecKeychainSearchCreateFromAttributes failed" << qPrintable(errMsg);
+    }
+    else{
+        for( size_t i = 0 ; i < sizeof(searchRef)/sizeof(SecKeychainSearchRef) && !err ; ++i ){
+            if( searchRef[i] ){
+                while( !(err = SecKeychainSearchCopyNext( searchRef[i], &item )) ){
+                    if( item ){
+                        // whether the item will be listed in the keyList we return: by default it is
+                        // (better an item shows up multiple times than not at all).
+                        bool listItem = true;
+                        SecKeychainAttribute attr = { kSecAccountItemAttr, 0, NULL };
+                        SecKeychainAttributeList attrList = { 1, &attr };
+                        UInt32 len = 0;
+                        if( osxKeyChain && osxKeyChain->isKDEChain ){
+                            // try to fetch the item's ServiceItem attribute
+                            attr.tag = kSecServiceItemAttr;
+                            if( !SecKeychainItemCopyContent( item, NULL, &attrList, &len, NULL ) ){
+                                QString lbl = QString::fromUtf8( (char*)attr.data, attr.length );
+                                // we got a service item attribute, which is where we store the kwallet folder info.
+                                // If we disallow empty attributes, keychain items without service item attribute will
+                                // appear in each folder that has a non-empty name. In other words, we allow a folder without name.
+                                if( generateFolderList ){
+                                    // add the "folder" to the list if not already listed
+                                    if( !osxKeyChain->serviceList.contains(lbl) ){
+                                        osxKeyChain->serviceList.append(lbl);
+                                    }
+                                }
+                                else{
+                                    // only list the item if it's in the current "folder"
+                                    listItem = (lbl == osxKeyChain->currentService);
+                                }
+                                SecKeychainItemFreeContent( &attrList, NULL );
+                            }
+                        }
+                        else{
+                            // errors retrieving the service item attribute are ignored
+                        }
+                        if( listItem ){
+                            attr.tag = kSecAccountItemAttr;
+                            if( !(err = SecKeychainItemCopyContent( item, NULL, &attrList, &len, NULL )) ){
+                                if( attr.length > 0 ){
+                                    keyList.append(QString::fromUtf8( (char*)attr.data, attr.length ));
+                                }
+                                SecKeychainItemFreeContent( &attrList, NULL );
+                            }
+                            else{
+                                errMsg = errorString(err);
+                                kDebug() << "SecKeychainItemCopyContent returned" << err << "=" << qPrintable(errMsg);
+                            }
+                        }
+                        CFRelease(item);
+                    }
+                }
+                if( err ){
+                    errMsg = errorString(err);
+                }
+                CFRelease(searchRef[i]);
+            }
+        }
+    }
+    return err;
+}
+
+OSStatus OSXKeychain::Destroy( SecKeychainRef *keychain )
+{   OSStatus err = SecKeychainDelete(*keychain);
+    QString errMsg;
+    if( isError( err, &errMsg ) ){
+        kWarning() << "OSXKeychain::Destroy " << (void*) *keychain << ", error " << qPrintable(errMsg);
+    }
+    else{
+        kWarning() << "OSXKeychain::Destroy " << (void*) *keychain << ", error=" << err;
+    }
+    if( keychain ){
+        CFRelease(*keychain);
+        *keychain = NULL;
+    }
+    return err;
+}
+
+OSStatus OSXKeychain::Destroy( const QString &walletName )
+{   SecKeychainRef keychain;
+    OSStatus err = openKeychain( walletName, &keychain );
+    if( !err && keychain ){
+        err = Destroy(&keychain);
+    }
+    return err;
+}