[release/6.0-staging] Fix copying ephemeral keys to keychains.

github-actions[bot] · vcsjones · web-flow · commit 875f45f05b55 · 2024-09-05T10:50:36.000-07:00
Starting on macOS Sequoia, at least in beta, SecKeychainitemCopyKeychain no longer returns errSecNoSuchKeychain for ephemeral keys.
Instead, it returns errSecInvalidItemRef.

This adds the error code in the handling logic for when we need to add an ephemeral key to the target keychain.

Co-authored-by: Kevin Jones &lt;kevin@vcsjones.com&gt;
diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native.Apple/pal_x509_macos.c b/src/libraries/Native/Unix/System.Security.Cryptography.Native.Apple/pal_x509_macos.c
@@ -391,7 +391,7 @@ int32_t AppleCryptoNative_X509CopyWithPrivateKey(SecCertificateRef cert,
     SecKeychainItemRef itemCopy = NULL;
 
     // This only happens with an ephemeral key, so the keychain we're adding it to is temporary.
-    if (status == errSecNoSuchKeychain)
+    if (status == errSecNoSuchKeychain || status == errSecInvalidItemRef)
     {
         status = AddKeyToKeychain(privateKey, targetKeychain, NULL);
     }

Original file line number	Diff line number	Diff line change
`@@ -391,7 +391,7 @@ int32_t AppleCryptoNative_X509CopyWithPrivateKey(SecCertificateRef cert,`
`391`	`391`	`SecKeychainItemRef itemCopy = NULL;`
`392`	`392`
`393`	`393`	`// This only happens with an ephemeral key, so the keychain we're adding it to is temporary.`
`394`		`- if (status == errSecNoSuchKeychain)`
	`394`	`+ if (status == errSecNoSuchKeychain \|\| status == errSecInvalidItemRef)`
`395`	`395`	`{`
`396`	`396`	`status = AddKeyToKeychain(privateKey, targetKeychain, NULL);`
`397`	`397`	`}`