Allow item searches to ignore legacy keychains.

Fixes #238.

Author: brotskydotcom

security-framework/src/item.rs

@@ -128,6 +128,7 @@ pub struct ItemSearchOptions {
     keychains: Option<CFArray<SecKeychain>>,
     #[cfg(not(target_os = "macos"))]
     keychains: Option<CFArray<CFType>>,
+    ignore_legacy_keychains: bool,  // defined everywhere, only consulted on macOS
     case_insensitive: Option<bool>,
     class: Option<ItemClass>,
     key_class: Option<KeyClass>,
@@ -157,6 +158,12 @@ impl crate::ItemSearchOptionsInternals for ItemSearchOptions {
         self.keychains = Some(CFArray::from_CFTypes(keychains));
         self
     }
+    
+    #[inline]
+    fn ignore_legacy_keychains(&mut self) -> &mut Self {
+        self.ignore_legacy_keychains = true;
+        self
+    }
 }
 
 impl ItemSearchOptions {
@@ -340,6 +347,15 @@ impl ItemSearchOptions {
                     &keychains.as_CFType().to_void(),
                 );
             }
+            else {
+                if self.ignore_legacy_keychains {
+                    #[cfg(all(target_os = "macos", feature = "OSX_10_15"))]
+                    params.add(
+                        &kSecUseDataProtectionKeychain.to_void(),
+                        &CFBoolean::true_value().to_void(),
+                    )
+                }
+            }
 
             if let Some(class) = self.class {
                 params.add(&kSecClass.to_void(), &class.0.to_void());

security-framework/src/lib.rs

@@ -64,6 +64,7 @@ trait Pkcs12ImportOptionsInternals {
 #[cfg(target_os = "macos")]
 trait ItemSearchOptionsInternals {
     fn keychains(&mut self, keychains: &[SecKeychain]) -> &mut Self;
+    fn ignore_legacy_keychains(&mut self) -> &mut Self;
 }
 
 trait AsInner {

security-framework/src/os/macos/item.rs

@@ -12,13 +12,26 @@ pub trait ItemSearchOptionsExt {
     ///
     /// If this is not called, the default keychain will be searched.
     fn keychains(&mut self, keychains: &[SecKeychain]) -> &mut Self;
+
+    /// Only search the protected data keychains.
+    ///
+    /// Has no effect if a legacy keychain has been explicitly specified
+    /// using [keychains](ItemSearchOptionsExt::keychains).
+    ///
+    /// Has no effect except in sandboxed applications on macOS 10.15 and above
+    fn ignore_legacy_keychains(&mut self) -> &mut Self;
 }
 
 impl ItemSearchOptionsExt for ItemSearchOptions {
     #[inline(always)]
     fn keychains(&mut self, keychains: &[SecKeychain]) -> &mut Self {
         ItemSearchOptionsInternals::keychains(self, keychains)
     }
+
+    #[inline(always)]
+    fn ignore_legacy_keychains(&mut self) -> &mut Self {
+        ItemSearchOptionsInternals::ignore_legacy_keychains(self)
+    }
 }
 
 #[cfg(test)]