#include <Security/SecItem.h>
#include <Security/SecItemPriv.h>
#include <Security/SecItemInternal.h>
#ifndef SECITEM_SHIM_OSX
#include <Security/SecKey.h>
#include <Security/SecKeyPriv.h>
#include <Security/SecCertificateInternal.h>
#include <Security/SecIdentity.h>
#include <Security/SecIdentityPriv.h>
#include <Security/SecRandom.h>
#include <Security/SecBasePriv.h>
#endif // *** END SECITEM_SHIM_OSX ***
#include <errno.h>
#include <limits.h>
#include <pthread.h>
#include <sqlite3.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <Security/SecBase.h>
#include <CoreFoundation/CFData.h>
#include <CoreFoundation/CFDate.h>
#include <CoreFoundation/CFDictionary.h>
#include <CoreFoundation/CFNumber.h>
#include <CoreFoundation/CFString.h>
#include <CoreFoundation/CFURL.h>
#include <CommonCrypto/CommonDigest.h>
#include <libkern/OSByteOrder.h>
#include <security_utilities/debugging.h>
#include <assert.h>
#include <Security/SecInternal.h>
#include <TargetConditionals.h>
#include "securityd_client.h"
#include "securityd_server.h"
#include <AssertMacros.h>
#include <asl.h>
#include <sys/types.h>
#include <pwd.h>
#include <grp.h>
#include <unistd.h>
#ifndef SECITEM_SHIM_OSX
#include <libDER/asn1Types.h>
#endif // *** END SECITEM_SHIM_OSX ***
#define CERTIFICATE_DATA_COLUMN_LABEL "certdata"
#ifndef SECITEM_SHIM_OSX
static CFDictionaryRef
SecItemCopyAttributeDictionary(CFTypeRef ref) {
CFDictionaryRef refDictionary = NULL;
CFTypeID typeID = CFGetTypeID(ref);
if (typeID == SecKeyGetTypeID()) {
refDictionary = SecKeyCopyAttributeDictionary((SecKeyRef)ref);
} else if (typeID == SecCertificateGetTypeID()) {
refDictionary =
SecCertificateCopyAttributeDictionary((SecCertificateRef)ref);
} else if (typeID == SecIdentityGetTypeID()) {
assert(false);
SecIdentityRef identity = (SecIdentityRef)ref;
SecCertificateRef cert = NULL;
SecKeyRef key = NULL;
if (!SecIdentityCopyCertificate(identity, &cert) &&
!SecIdentityCopyPrivateKey(identity, &key))
{
CFDataRef data = SecCertificateCopyData(cert);
CFDictionaryRef key_dict = SecKeyCopyAttributeDictionary(key);
if (key_dict && data) {
refDictionary = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, key_dict);
CFDictionarySetValue((CFMutableDictionaryRef)refDictionary,
CFSTR(CERTIFICATE_DATA_COLUMN_LABEL), data);
}
CFReleaseNull(key_dict);
CFReleaseNull(data);
}
CFReleaseNull(cert);
CFReleaseNull(key);
} else {
refDictionary = NULL;
}
return refDictionary;
}
static CFTypeRef
SecItemCreateFromAttributeDictionary(CFDictionaryRef refAttributes) {
CFTypeRef ref = NULL;
CFStringRef class = CFDictionaryGetValue(refAttributes, kSecClass);
if (CFEqual(class, kSecClassCertificate)) {
ref = SecCertificateCreateFromAttributeDictionary(refAttributes);
} else if (CFEqual(class, kSecClassKey)) {
ref = SecKeyCreateFromAttributeDictionary(refAttributes);
} else if (CFEqual(class, kSecClassIdentity)) {
CFAllocatorRef allocator = NULL;
CFDataRef data = CFDictionaryGetValue(refAttributes, CFSTR(CERTIFICATE_DATA_COLUMN_LABEL));
SecCertificateRef cert = SecCertificateCreateWithData(allocator, data);
SecKeyRef key = SecKeyCreateFromAttributeDictionary(refAttributes);
if (key && cert)
ref = SecIdentityCreate(allocator, cert, key);
CFReleaseSafe(cert);
CFReleaseSafe(key);
#if 0
} else if (CFEqual(class, kSecClassGenericPassword)) {
} else if (CFEqual(class, kSecClassInternetPassword)) {
} else if (CFEqual(class, kSecClassAppleSharePassword)) {
#endif
} else {
ref = NULL;
}
return ref;
}
static CFTypeRef makeRef(CFTypeRef ref, bool return_data, bool return_attributes)
{
CFTypeRef result = NULL;
if (!ref || (CFGetTypeID(ref) != CFDictionaryGetTypeID()))
return NULL;
CFTypeRef return_ref = SecItemCreateFromAttributeDictionary(ref);
if (return_data || return_attributes) {
if (return_attributes)
result = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, ref);
else
result = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
if (return_ref) {
CFDictionarySetValue((CFMutableDictionaryRef)result, kSecValueRef, return_ref);
CFRelease(return_ref);
}
if (!return_data)
CFDictionaryRemoveValue((CFMutableDictionaryRef)result, kSecValueData);
} else
result = return_ref;
return result;
}
OSStatus
SecItemCopyDisplayNames(CFArrayRef items, CFArrayRef *displayNames)
{
return -1 ;
}
static void merge_dictionary_by_overwrite(const void *key, const void *value, void *context)
{
if (!CFEqual(key, kSecValueRef))
CFDictionarySetValue((CFMutableDictionaryRef)context, key, value);
}
static void copy_applier(const void *key, const void *value, void *context)
{
CFDictionarySetValue(context, key, value);
}
static OSStatus cook_query(CFDictionaryRef query, CFMutableDictionaryRef *explode)
{
CFMutableDictionaryRef args = NULL;
CFTypeRef value = CFDictionaryGetValue(query, kSecValueRef);
if (value) {
CFDictionaryRef refAttributes = SecItemCopyAttributeDictionary(value);
if (!refAttributes)
return errSecValueRefUnsupported;
args = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, refAttributes);
CFRelease(refAttributes);
CFDictionaryApplyFunction(query, merge_dictionary_by_overwrite, args);
}
value = CFDictionaryGetValue(query, kSecAttrIssuer);
if (value) {
const DERItem name = { (unsigned char *)CFDataGetBytePtr(value), CFDataGetLength(value) };
DERDecodedInfo content;
if (!DERDecodeItem(&name, &content) &&
(content.tag == ASN1_CONSTR_SEQUENCE))
{
CFDataRef canonical_issuer = createNormalizedX501Name(kCFAllocatorDefault, &content.content);
if (canonical_issuer) {
if (!args) {
args = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
CFDictionaryApplyFunction(query, copy_applier, args);
}
CFDictionarySetValue(args, kSecAttrIssuer, canonical_issuer);
CFRelease(canonical_issuer);
}
}
}
*explode = args;
return noErr;
}
typedef OSStatus (*secitem_operation)(CFDictionaryRef attributes, ...);
static bool explode_identity(CFDictionaryRef attributes, secitem_operation operation,
OSStatus *return_status, CFTypeRef *return_result)
{
bool handled = false;
CFTypeRef value = CFDictionaryGetValue(attributes, kSecValueRef);
if (value) {
CFTypeID typeID = CFGetTypeID(value);
if (typeID == SecIdentityGetTypeID()) {
handled = true;
OSStatus status = errSecSuccess;
SecIdentityRef identity = (SecIdentityRef)value;
SecCertificateRef cert = NULL;
SecKeyRef key = NULL;
if (!SecIdentityCopyCertificate(identity, &cert) &&
!SecIdentityCopyPrivateKey(identity, &key))
{
CFMutableDictionaryRef partial_query =
CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, attributes);
CFDictionarySetValue(partial_query, kSecValueRef, cert);
CFTypeRef result = NULL;
bool duplicate_cert = false;
status = operation(partial_query, return_result ? &result : NULL);
if ((operation == (secitem_operation)SecItemAdd) &&
(status == errSecDuplicateItem)) {
duplicate_cert = true;
status = errSecSuccess;
}
if (!status || status == errSecItemNotFound) {
bool skip_key_operation = false;
if (operation == (secitem_operation)SecItemDelete) {
CFDictionaryRef key_dict = NULL, query_dict = NULL;
CFDataRef pkhh = NULL;
key_dict = SecKeyCopyAttributeDictionary(key);
if (key_dict)
pkhh = (CFDataRef)CFDictionaryGetValue(key_dict, kSecAttrApplicationLabel);
const void *keys[] = { kSecClass, kSecAttrPublicKeyHash };
const void *vals[] = { kSecClassCertificate, pkhh };
if (pkhh)
query_dict = CFDictionaryCreate(NULL, keys,
vals, (sizeof(keys) / sizeof(*keys)),
NULL, NULL);
if (query_dict)
if (noErr == SecItemCopyMatching(query_dict, NULL))
skip_key_operation = true;
CFReleaseSafe(query_dict);
CFReleaseSafe(key_dict);
}
if (!skip_key_operation) {
CFDictionarySetValue(partial_query, kSecValueRef, key);
CFDictionarySetValue(partial_query, kSecReturnPersistentRef, kCFBooleanFalse);
status = operation(partial_query, NULL);
if ((operation == (secitem_operation)SecItemAdd) &&
(status == errSecDuplicateItem) &&
!duplicate_cert)
status = errSecSuccess;
}
if (result) {
if (!status) {
sqlite_int64 rowid;
if (_SecItemParsePersistentRef(result, NULL, &rowid)) {
*return_result = _SecItemMakePersistentRef(kSecClassIdentity, rowid);
}
}
CFRelease(result);
}
}
CFReleaseNull(partial_query);
}
else
status = errSecInvalidItemRef;
CFReleaseNull(cert);
CFReleaseNull(key);
*return_status = status;
}
} else {
value = CFDictionaryGetValue(attributes, kSecClass);
if (value && CFEqual(kSecClassIdentity, value) &&
(operation == (secitem_operation)SecItemDelete)) {
CFMutableDictionaryRef dict = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, attributes);
CFDictionaryRemoveValue(dict, kSecClass);
CFDictionarySetValue(dict, kSecClass, kSecClassCertificate);
OSStatus status = SecItemDelete(dict);
if (!status) {
CFDictionarySetValue(dict, kSecClass, kSecClassKey);
status = SecItemDelete(dict);
}
CFRelease(dict);
*return_status = status;
handled = true;
}
}
return handled;
}
static void infer_cert_label(CFDictionaryRef attributes, CFMutableDictionaryRef args)
{
if (!args || !attributes)
return;
if (CFDictionaryContainsKey(attributes, kSecAttrLabel))
return;
CFTypeRef value_ref = CFDictionaryGetValue(attributes, kSecValueRef);
if (!value_ref || (CFGetTypeID(value_ref) != SecCertificateGetTypeID()))
return;
SecCertificateRef certificate = (SecCertificateRef)value_ref;
CFStringRef label = SecCertificateCopySubjectSummary(certificate);
if (label) {
CFDictionarySetValue(args, kSecAttrLabel, label);
CFReleaseNull(label);
}
}
CFDataRef _SecItemMakePersistentRef(CFTypeRef class, sqlite_int64 rowid)
{
uint8_t bytes[sizeof(sqlite_int64) + 4];
if (rowid < 0)
return NULL;
if (CFStringGetCString(class, (char *)bytes, 4 + 1 ,
kCFStringEncodingUTF8))
{
OSWriteBigInt64(bytes + 4, 0, rowid);
return CFDataCreate(NULL, bytes, sizeof(bytes));
}
return NULL;
}
bool _SecItemParsePersistentRef(CFDataRef persistent_ref, CFStringRef *return_class, sqlite_int64 *return_rowid)
{
bool valid_ref = false;
if (CFGetTypeID(persistent_ref) == CFDataGetTypeID() &&
CFDataGetLength(persistent_ref) == (CFIndex)(sizeof(sqlite_int64) + 4)) {
const uint8_t *bytes = CFDataGetBytePtr(persistent_ref);
sqlite_int64 rowid = OSReadBigInt64(bytes + 4, 0);
CFStringRef class = CFStringCreateWithBytes(kCFAllocatorDefault,
bytes, CFStringGetLength(kSecClassGenericPassword),
kCFStringEncodingUTF8, true);
const void *valid_classes[] = { kSecClassGenericPassword,
kSecClassInternetPassword,
kSecClassAppleSharePassword,
kSecClassCertificate,
kSecClassKey,
kSecClassIdentity };
unsigned i;
for (i=0; i< sizeof(valid_classes)/sizeof(*valid_classes); i++) {
if (CFEqual(valid_classes[i], class)) {
if (return_class)
*return_class = valid_classes[i];
if (return_rowid)
*return_rowid = rowid;
valid_ref = true;
break;
}
}
CFRelease(class);
}
return valid_ref;
}
static bool cf_bool_value(CFTypeRef cf_bool)
{
return (cf_bool && CFEqual(kCFBooleanTrue, cf_bool));
}
static void
result_post(CFDictionaryRef query, CFTypeRef raw_result, CFTypeRef *result) {
if (!raw_result)
return;
bool return_ref = cf_bool_value(CFDictionaryGetValue(query, kSecReturnRef));
bool return_data = cf_bool_value(CFDictionaryGetValue(query, kSecReturnData));
bool return_attributes = cf_bool_value(CFDictionaryGetValue(query, kSecReturnAttributes));
if (return_ref) {
if (CFGetTypeID(raw_result) == CFArrayGetTypeID()) {
CFIndex i, count = CFArrayGetCount(raw_result);
CFMutableArrayRef tmp_array = CFArrayCreateMutable(kCFAllocatorDefault, count, &kCFTypeArrayCallBacks);
for (i = 0; i < count; i++) {
CFTypeRef ref = makeRef(CFArrayGetValueAtIndex(raw_result, i), return_data, return_attributes);
if (ref) {
CFArrayAppendValue(tmp_array, ref);
CFRelease(ref);
}
}
*result = tmp_array;
} else
*result = makeRef(raw_result, return_data, return_attributes);
CFRelease(raw_result);
} else
*result = raw_result;
}
#endif // *** END SECITEM_SHIM_OSX ***
OSStatus
#if SECITEM_SHIM_OSX
SecItemAdd_ios(CFDictionaryRef attributes, CFTypeRef *result)
#else
SecItemAdd(CFDictionaryRef attributes, CFTypeRef *result)
#endif // *** END SECITEM_SHIM_OSX ***
{
CFMutableDictionaryRef args = NULL;
CFTypeRef raw_result = NULL;
OSStatus status;
#ifndef SECITEM_SHIM_OSX
require_quiet(!explode_identity(attributes, (secitem_operation)SecItemAdd, &status, result), errOut);
require_noerr_quiet(status = cook_query(attributes, &args), errOut);
infer_cert_label(attributes, args);
#endif // *** END SECITEM_SHIM_OSX ***
if (args)
attributes = args;
status = SECURITYD_AG(sec_item_add, attributes, &raw_result);
#ifndef SECITEM_SHIM_OSX
result_post(attributes, raw_result, result);
#endif // *** END SECITEM_SHIM_OSX ***
errOut:
CFReleaseSafe(args);
return status;
}
OSStatus
#if SECITEM_SHIM_OSX
SecItemCopyMatching_ios(CFDictionaryRef query, CFTypeRef *result)
#else
SecItemCopyMatching(CFDictionaryRef query, CFTypeRef *result)
#endif // *** END SECITEM_SHIM_OSX ***
{
CFMutableDictionaryRef args = NULL;
CFTypeRef raw_result = NULL;
OSStatus status;
#ifndef SECITEM_SHIM_OSX
require_quiet(!explode_identity(query, (secitem_operation)SecItemCopyMatching, &status, result), errOut);
require_noerr_quiet(status = cook_query(query, &args), errOut);
#endif // *** END SECITEM_SHIM_OSX ***
if (args)
query = args;
status = SECURITYD_AG(sec_item_copy_matching, query, &raw_result);
#ifndef SECITEM_SHIM_OSX
result_post(query, raw_result, result);
#endif // *** END SECITEM_SHIM_OSX ***
errOut:
CFReleaseSafe(args);
return status;
}
OSStatus
#if SECITEM_SHIM_OSX
SecItemUpdate_ios(CFDictionaryRef query, CFDictionaryRef attributesToUpdate)
#else
SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate)
#endif // *** END SECITEM_SHIM_OSX ***
{
CFMutableDictionaryRef args = NULL;
OSStatus status;
#ifndef SECITEM_SHIM_OSX
require_noerr_quiet(status = cook_query(query, &args), errOut);
#endif // *** END SECITEM_SHIM_OSX ***
if (args)
query = args;
if (gSecurityd) {
status = gSecurityd->sec_item_update(query, attributesToUpdate, SecAccessGroupsGetCurrent());
} else {
const void *values[] = { (const void *)query, (const void *)attributesToUpdate };
CFArrayRef pair = CFArrayCreate(kCFAllocatorDefault, values, 2, NULL);
if (pair) {
status = ServerCommandSendReceive(sec_item_update_id, pair, NULL);
CFRelease(pair);
} else {
status = errSecAllocate;
}
}
errOut:
CFReleaseSafe(args);
return status;
}
static void copy_all_keys_and_values(const void *key, const void *value, void *context)
{
CFDictionaryAddValue((CFMutableDictionaryRef)context, key, value);
}
static OSStatus explode_persistent_identity_ref(CFDictionaryRef query, CFMutableDictionaryRef *delete_query)
{
OSStatus status = errSecSuccess;
CFTypeRef persist = CFDictionaryGetValue(query, kSecValuePersistentRef);
CFStringRef class;
if (persist && _SecItemParsePersistentRef(persist, &class, NULL)
&& CFEqual(class, kSecClassIdentity)) {
const void *keys[] = { kSecReturnRef, kSecValuePersistentRef };
const void *vals[] = { kCFBooleanTrue, persist };
CFDictionaryRef persistent_query = CFDictionaryCreate(NULL, keys,
vals, (sizeof(keys) / sizeof(*keys)), NULL, NULL);
CFTypeRef item_query = NULL;
status = SecItemCopyMatching(persistent_query, &item_query);
CFReleaseNull(persistent_query);
if (status)
return status;
CFMutableDictionaryRef new_query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
if (new_query) {
CFDictionaryApplyFunction(query, copy_all_keys_and_values, new_query);
CFDictionaryRemoveValue(new_query, kSecValuePersistentRef);
CFDictionarySetValue(new_query, kSecValueRef, item_query);
*delete_query = new_query;
} else
status = errSecAllocate;
CFRelease(item_query);
}
return status;
}
OSStatus
#if SECITEM_SHIM_OSX
SecItemDelete_ios(CFDictionaryRef query)
#else
SecItemDelete(CFDictionaryRef query)
#endif // *** END SECITEM_SHIM_OSX ***
{
CFMutableDictionaryRef args1 = NULL, args2 = NULL;
OSStatus status;
#ifndef SECITEM_SHIM_OSX
require_noerr_quiet(status = explode_persistent_identity_ref(query, &args1), errOut);
if (args1)
query = args1;
require_quiet(!explode_identity(query, (secitem_operation)SecItemDelete, &status, NULL), errOut);
require_noerr_quiet(status = cook_query(query, &args2), errOut);
#endif // *** END SECITEM_SHIM_OSX ***
if (args2)
query = args2;
if (gSecurityd) {
status = gSecurityd->sec_item_delete(query,
SecAccessGroupsGetCurrent());
} else {
status = ServerCommandSendReceive(sec_item_delete_id, query, NULL);
}
errOut:
CFReleaseSafe(args1);
CFReleaseSafe(args2);
return status;
}
OSStatus
SecItemDeleteAll(void)
{
OSStatus status = noErr;
if (gSecurityd) {
#ifndef SECITEM_SHIM_OSX
SecTrustStoreRef ts = SecTrustStoreForDomain(kSecTrustStoreDomainUser);
if (!gSecurityd->sec_truststore_remove_all(ts))
status = errSecInternal;
#endif // *** END SECITEM_SHIM_OSX ***
if (!gSecurityd->sec_item_delete_all())
status = errSecInternal;
} else {
status = ServerCommandSendReceive(sec_delete_all_id, NULL, NULL);
}
return status;
}
OSStatus _SecMigrateKeychain(int32_t handle_in, CFDataRef data_in,
int32_t *handle_out, CFDataRef *data_out)
{
CFMutableArrayRef args = NULL;
CFTypeRef raw_result = NULL;
CFNumberRef hin = NULL, hout = NULL;
OSStatus status = errSecAllocate;
require_quiet(args = CFArrayCreateMutable(kCFAllocatorDefault, 2, NULL), errOut);
require_quiet(hin = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &handle_in), errOut);
CFArrayAppendValue(args, hin);
if (data_in)
CFArrayAppendValue(args, data_in);
require_noerr_quiet(status = SECURITYD(sec_migrate_keychain, args, &raw_result), errOut);
hout = CFArrayGetValueAtIndex(raw_result, 0);
if (data_out) {
CFDataRef data;
if (CFArrayGetCount(raw_result) > 1) {
data = CFArrayGetValueAtIndex(raw_result, 1);
require_quiet(CFGetTypeID(data) == CFDataGetTypeID(), errOut);
CFRetain(data);
} else {
data = NULL;
}
*data_out = data;
}
errOut:
CFReleaseSafe(hin);
CFReleaseSafe(args);
CFReleaseSafe(raw_result);
return status;
}
const char *restore_keychain_location = "/Library/Keychains/keychain.restoring";
OSStatus _SecRestoreKeychain(const char *path)
{
OSStatus status = errSecInternal;
require_quiet(!geteuid(), out);
struct passwd *pass = NULL;
require_quiet(pass = getpwnam("_securityd"), out);
uid_t securityUID = pass->pw_uid;
struct group *grp = NULL;
require_quiet(grp = getgrnam("wheel"), out);
gid_t wheelGID = grp->gr_gid;
require_noerr_quiet(rename(path , restore_keychain_location), out);
require_noerr_quiet(chmod(restore_keychain_location, 0600), out);
require_noerr_quiet(chown(restore_keychain_location, securityUID, wheelGID),
out);
status = ServerCommandSendReceive(sec_restore_keychain_id, NULL, NULL);
require_noerr_quiet(unlink(restore_keychain_location), out);
out:
return status;
}
CFDataRef _SecKeychainCopyOTABackup(void) {
CFTypeRef raw_result = NULL;
CFDataRef backup = NULL;
OSStatus status;
require_noerr_quiet(status = SECURITYD(sec_keychain_backup, NULL,
&raw_result), errOut);
if (raw_result && CFGetTypeID(raw_result) == CFDataGetTypeID()) {
backup = raw_result;
raw_result = NULL;
}
errOut:
CFReleaseSafe(raw_result);
return backup;
}
CFDataRef _SecKeychainCopyBackup(CFDataRef backupKeybag, CFDataRef password) {
CFMutableArrayRef args;
CFTypeRef raw_result = NULL;
CFDataRef backup = NULL;
OSStatus status;
require_quiet(args = CFArrayCreateMutable(kCFAllocatorDefault, 2, NULL),
errOut);
CFArrayAppendValue(args, backupKeybag);
if (password)
CFArrayAppendValue(args, password);
require_noerr_quiet(status = SECURITYD(sec_keychain_backup, args,
&raw_result), errOut);
if (raw_result && CFGetTypeID(raw_result) == CFDataGetTypeID()) {
backup = raw_result;
raw_result = NULL;
}
errOut:
CFReleaseSafe(args);
CFReleaseSafe(raw_result);
return backup;
}
bool _SecKeychainRestoreBackup(CFDataRef backup, CFDataRef backupKeybag,
CFDataRef password) {
CFMutableArrayRef args = NULL;
CFTypeRef raw_result = NULL;
OSStatus status = errSecAllocate;
require_quiet(args = CFArrayCreateMutable(kCFAllocatorDefault, 3, NULL),
errOut);
CFArrayAppendValue(args, backup);
CFArrayAppendValue(args, backupKeybag);
if (password)
CFArrayAppendValue(args, password);
require_noerr_quiet(status = SECURITYD(sec_keychain_restore, args, NULL),
errOut);
errOut:
CFReleaseSafe(args);
CFReleaseSafe(raw_result);
return status;
}