@@ -364,6 +364,71 @@ + (MSIDMacKeychainTokenCache *)defaultKeychainCache
364364
365365#pragma mark - init
366366
367+ - (BOOL )isAppEntitled
368+ {
369+ static dispatch_once_t once;
370+ static BOOL appEntitled = NO ;
371+
372+ dispatch_once (&once, ^{
373+ SecCodeRef selfCode = NULL ;
374+ SecCodeCopySelf (kSecCSDefaultFlags , &selfCode);
375+
376+ if (selfCode)
377+ {
378+ CFDictionaryRef cfDic = NULL ;
379+ SecCodeCopySigningInformation (selfCode, kSecCSSigningInformation , &cfDic);
380+
381+ if (!cfDic)
382+ {
383+ MSID_LOG_WITH_CTX (MSIDLogLevelError, nil , @" Failed to retrieve code signing information" );
384+ }
385+ else
386+ {
387+ NSDictionary *signingDic = CFBridgingRelease (cfDic);
388+ NSDictionary *entitlementsDictionary = [signingDic msidObjectForKey: (__bridge NSString *)kSecCodeInfoEntitlementsDict ofClass: [NSDictionary class ]];
389+ NSArray *keychainGroups = [entitlementsDictionary msidObjectForKey: @" keychain-access-groups" ofClass: [NSArray class ]];
390+
391+ for (id element in keychainGroups) {
392+ if ([element hasSuffix: @" com.microsoft.identity.universalstorage" ])
393+ {
394+ appEntitled = YES ;
395+ break ;
396+ }
397+ }
398+ }
399+
400+ CFRelease (selfCode);
401+ }
402+ });
403+
404+ return appEntitled;
405+ }
406+
407+ - (BOOL )shouldUseLoginKeychain
408+ {
409+ if (@available (macOS 10.15 , *))
410+ {
411+
412+ if ([[NSUserDefaults standardUserDefaults ] boolForKey: kLoginKeychainEmptyKey ])
413+ {
414+ #if MS_INTERNAL_BUILD
415+ return ![self isAppEntitled ];
416+ #else
417+ return NO ;
418+ #endif
419+ }
420+ else
421+ {
422+ // if kLoginKeychainEmptyKey is not set
423+ return YES ;
424+ }
425+ }
426+ else
427+ {
428+ return YES ;
429+ }
430+ }
431+
367432// Initialize with defaultKeychainGroup
368433- (nonnull instancetype )init
369434{
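Review bot: The loop `for (id element in keychainGroups)` in the new `isAppEntitled` sends `hasSuffix:` to every entry without confirming it is an `NSString`, so a malformed `keychain-access-groups` value (a number or nested collection in the entitlements plist) raises an unrecognized-selector exception inside the `dispatch_once` block instead of being treated as "not entitled"; `msidObjectForKey:ofClass:` only type-checks the array itself, not its elements. The `OSStatus` from `SecCodeCopySelf` and `SecCodeCopySigningInformation` is also discarded, so a failing `SecCodeCopySelf` produces no log at all and the existing error log carries no status code to diagnose with. `hasSuffix:` is looser than it needs to be as well — an entry such as `TEAMID.xcom.microsoft.identity.universalstorage` matches — and if the entries always carry the `TEAMID.` prefix (the usual `$(AppIdentifierPrefix)` form), matching `@".com.microsoft.identity.universalstorage"` would be tighter; worth confirming against how the entitlement is declared. Note too that `SecCodeCopySigningInformation` reports the entitlements as declared in the signature blob without any `SecCodeCheckValidity` call; since the result only selects which keychain to use that seems acceptable, but a comment such as `// Reads our own declared entitlements; this is a storage-location heuristic, not an authorization check.` would stop a future reader from reusing `isAppEntitled` as one. The guard and the status handling together are more than a couple of lines, so the rewritten interior of the `dispatch_once` block follows.
```objc
        SecCodeRef selfCode = NULL;
        OSStatus status = SecCodeCopySelf(kSecCSDefaultFlags, &selfCode);
        if (status != errSecSuccess || !selfCode)
        {
            MSID_LOG_WITH_CTX(MSIDLogLevelError, nil, @"SecCodeCopySelf failed, status %d", (int)status);
            return;
        }

        CFDictionaryRef cfDic = NULL;
        status = SecCodeCopySigningInformation(selfCode, kSecCSSigningInformation, &cfDic);
        if (status != errSecSuccess || !cfDic)
        {
            MSID_LOG_WITH_CTX(MSIDLogLevelError, nil, @"Failed to retrieve code signing information, status %d", (int)status);
        }
        else
        {
            // … unchanged: signingDic / entitlementsDictionary / keychainGroups extraction …
            for (id element in keychainGroups)
            {
                // Skip non-string entries rather than sending hasSuffix: to them.
                if ([element isKindOfClass:[NSString class]]
                    && [element hasSuffix:@"com.microsoft.identity.universalstorage"])
                {
                    appEntitled = YES;
                    break;
                }
            }
        }

        CFRelease(selfCode);
```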
@@ -386,10 +451,7 @@ - (nullable instancetype)initWithGroup:(nullable NSString *)keychainGroup
386451 if (self)
387452 {
388453#if __MAC_OS_X_VERSION_MAX_ALLOWED >= 101500
389- if (@available (macOS 10.15 , *)) {
390-
391- if ([[NSUserDefaults standardUserDefaults ] boolForKey: kLoginKeychainEmptyKey ])
392- {
454+ if (![self shouldUseLoginKeychain ]) {
393455 if (error)
394456 {
395457 *error = MSIDCreateError (MSIDErrorDomain, MSIDErrorInternal, @" Not creating login keychain for performance optimization on macOS 10.15, because no items where previously found in it" , nil , nil , nil , nil , nil , NO );
@@ -398,7 +460,7 @@ - (nullable instancetype)initWithGroup:(nullable NSString *)keychainGroup
398460 MSID_LOG_WITH_CTX (MSIDLogLevelWarning, nil , @" Not creating login keychain for performance optimization on macOS 10.15, because no items where previously found in it" );
399461 return nil ;
400462 }
401- }
463+
402464#endif
403465
404466 self.appStorageItem = [MSIDMacCredentialStorageItem new ];
@@ -804,12 +866,10 @@ - (MSIDMacCredentialStorageItem *)queryStorageItem:(BOOL)isShared
804866 MSID_TRACE;
805867
806868#if __MAC_OS_X_VERSION_MAX_ALLOWED >= 101500
807- if (@available (macOS 10.15 , *)) {
808- if ([[NSUserDefaults standardUserDefaults ] boolForKey: kLoginKeychainEmptyKey ])
809- {
810- MSID_LOG_WITH_CTX (MSIDLogLevelWarning, context, @" Skipping login keychain read because it has been previously marked as empty on 10.15" );
811- return nil ;
812- }
869+ if (![self shouldUseLoginKeychain ])
870+ {
871+ MSID_LOG_WITH_CTX (MSIDLogLevelWarning, context, @" Skipping login keychain read because it has been previously marked as empty on 10.15" );
872+ return nil ;
813873 }
814874#endif
815875