darwin: implement keyring using purego

Use purego to call CoreFoundation and Security frameworks directly
without CGo.

Fixes #110

Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>

Author: AlexanderYastrebov

README.md

@@ -21,8 +21,7 @@ keyring instead of having the user type it on every invocation.
 
 #### OS X
 
-The OS X implementation depends on the `/usr/bin/security` binary for
-interfacing with the OS X keychain. It should be available by default.
+The OS X implementation uses [purego](https://pkg.go.dev/github.com/ebitengine/purego) to call Security Framework API.
 
 #### Linux and *BSD
 

go.mod

@@ -7,4 +7,7 @@ require (
 	github.com/godbus/dbus/v5 v5.1.0
 )
 
-require golang.org/x/sys v0.26.0 // indirect
+require (
+	github.com/ebitengine/purego v0.10.0 // indirect
+	golang.org/x/sys v0.26.0 // indirect
+)

go.sum

@@ -1,6 +1,8 @@
 github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0=
 github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/ebitengine/purego v0.10.0 h1:QIw4xfpWT6GWTzaW5XEKy3HXoqrJGx1ijYHzTF0/ISU=
+github.com/ebitengine/purego v0.10.0/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

internal/darwin/framework.go

@@ -0,0 +1,105 @@
+//go:build darwin
+
+package darwin
+
+import (
+	"unsafe"
+
+	"github.com/ebitengine/purego"
+)
+
+const (
+	kCFStringEncodingUTF8 = 0x08000100
+	kCFAllocatorDefault   = 0
+)
+
+type osStatus int32
+
+const (
+	errSecSuccess       osStatus = 0      // No error.
+	errSecDuplicateItem osStatus = -25299 // The specified item already exists in the keychain.
+	errSecItemNotFound  osStatus = -25300 // The specified item could not be found in the keychain.
+)
+
+type _CFRange struct {
+	location int64
+	length   int64
+}
+
+var (
+	kCFTypeDictionaryKeyCallBacks   uintptr
+	kCFTypeDictionaryValueCallBacks uintptr
+	kCFBooleanTrue                  uintptr
+)
+
+var (
+	kSecClass                uintptr
+	kSecClassGenericPassword uintptr
+	kSecAttrService          uintptr
+	kSecAttrAccount          uintptr
+	kSecValueData            uintptr
+	kSecReturnData           uintptr
+	kSecMatchLimit           uintptr
+	kSecMatchLimitAll        uintptr
+)
+
+var (
+	CFDictionaryCreate        func(allocator uintptr, keys, values *uintptr, numValues int64, keyCallBacks, valueCallBacks uintptr) uintptr
+	CFStringCreateWithCString func(allocator uintptr, cStr string, encoding uint32) uintptr
+	CFDataCreate              func(alloc uintptr, bytes []byte, length int64) uintptr
+	CFDataGetLength           func(theData uintptr) int64
+	CFDataGetBytes            func(theData uintptr, theRange _CFRange, buffer []byte)
+	CFRelease                 func(cf uintptr)
+)
+
+var (
+	SecItemCopyMatching func(query uintptr, result *uintptr) osStatus
+	SecItemAdd          func(query uintptr, result uintptr) osStatus
+	SecItemUpdate       func(query uintptr, attributesToUpdate uintptr) osStatus
+	SecItemDelete       func(query uintptr) osStatus
+)
+
+func init() {
+	cfLib := must(purego.Dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", purego.RTLD_NOW|purego.RTLD_GLOBAL))
+
+	kCFTypeDictionaryKeyCallBacks = must(purego.Dlsym(cfLib, "kCFTypeDictionaryKeyCallBacks"))
+	kCFTypeDictionaryValueCallBacks = must(purego.Dlsym(cfLib, "kCFTypeDictionaryValueCallBacks"))
+	kCFBooleanTrue = deref(must(purego.Dlsym(cfLib, "kCFBooleanTrue")))
+
+	purego.RegisterLibFunc(&CFDictionaryCreate, cfLib, "CFDictionaryCreate")
+	purego.RegisterLibFunc(&CFStringCreateWithCString, cfLib, "CFStringCreateWithCString")
+	purego.RegisterLibFunc(&CFDataCreate, cfLib, "CFDataCreate")
+	purego.RegisterLibFunc(&CFDataGetLength, cfLib, "CFDataGetLength")
+	purego.RegisterLibFunc(&CFDataGetBytes, cfLib, "CFDataGetBytes")
+	purego.RegisterLibFunc(&CFRelease, cfLib, "CFRelease")
+
+	secLib := must(purego.Dlopen("/System/Library/Frameworks/Security.framework/Security", purego.RTLD_NOW|purego.RTLD_GLOBAL))
+
+	kSecClass = deref(must(purego.Dlsym(secLib, "kSecClass")))
+	kSecClassGenericPassword = deref(must(purego.Dlsym(secLib, "kSecClassGenericPassword")))
+	kSecAttrService = deref(must(purego.Dlsym(secLib, "kSecAttrService")))
+	kSecAttrAccount = deref(must(purego.Dlsym(secLib, "kSecAttrAccount")))
+	kSecValueData = deref(must(purego.Dlsym(secLib, "kSecValueData")))
+	kSecReturnData = deref(must(purego.Dlsym(secLib, "kSecReturnData")))
+	kSecMatchLimit = deref(must(purego.Dlsym(secLib, "kSecMatchLimit")))
+	kSecMatchLimitAll = deref(must(purego.Dlsym(secLib, "kSecMatchLimitAll")))
+
+	purego.RegisterLibFunc(&SecItemCopyMatching, secLib, "SecItemCopyMatching")
+	purego.RegisterLibFunc(&SecItemAdd, secLib, "SecItemAdd")
+	purego.RegisterLibFunc(&SecItemUpdate, secLib, "SecItemUpdate")
+	purego.RegisterLibFunc(&SecItemDelete, secLib, "SecItemDelete")
+}
+
+func deref(ptr uintptr) uintptr {
+	// We take the address and then dereference it to trick
+	// go vet from creating a possible miss-use of unsafe.Pointer
+	// See https://github.com/golang/go/issues/41205
+	return **(**uintptr)(unsafe.Pointer(&ptr))
+}
+
+func must[T any](v T, err error) T {
+	if err != nil {
+		panic(err)
+	}
+	return v
+}

internal/darwin/keychain.go

@@ -0,0 +1,168 @@
+//go:build darwin
+
+package darwin
+
+import (
+	"errors"
+	"fmt"
+)
+
+var ErrNotFound = errors.New("secret not found in keyring")
+
+func FindGenericPassword(service, username string) (string, error) {
+	cfService := CFStringCreateWithCString(kCFAllocatorDefault, service, kCFStringEncodingUTF8)
+	defer CFRelease(cfService)
+
+	cfAccount := CFStringCreateWithCString(kCFAllocatorDefault, username, kCFStringEncodingUTF8)
+	defer CFRelease(cfAccount)
+
+	keys := []uintptr{
+		kSecClass,
+		kSecAttrService,
+		kSecAttrAccount,
+		kSecReturnData,
+	}
+	values := []uintptr{
+		kSecClassGenericPassword,
+		cfService,
+		cfAccount,
+		kCFBooleanTrue,
+	}
+
+	query := CFDictionaryCreate(
+		kCFAllocatorDefault,
+		&keys[0], &values[0], int64(len(keys)),
+		kCFTypeDictionaryKeyCallBacks,
+		kCFTypeDictionaryValueCallBacks,
+	)
+	defer CFRelease(query)
+
+	var data uintptr
+	st := SecItemCopyMatching(query, &data)
+	if st == errSecItemNotFound {
+		return "", ErrNotFound
+	} else if st != errSecSuccess {
+		return "", fmt.Errorf("error SecItemCopyMatching: %d", st)
+	}
+	defer CFRelease(data)
+
+	length := CFDataGetLength(data)
+	if length < 0 {
+		return "", fmt.Errorf("error CFDataGetLength: %d", length)
+	}
+
+	buffer := make([]byte, length)
+	CFDataGetBytes(data, _CFRange{0, length}, buffer)
+
+	return string(buffer), nil
+}
+
+func AddGenericPassword(service, username, password string) error {
+	cfService := CFStringCreateWithCString(kCFAllocatorDefault, service, kCFStringEncodingUTF8)
+	defer CFRelease(cfService)
+
+	cfAccount := CFStringCreateWithCString(kCFAllocatorDefault, username, kCFStringEncodingUTF8)
+	defer CFRelease(cfAccount)
+
+	cfPasswordData := CFDataCreate(kCFAllocatorDefault, []byte(password), int64(len(password)))
+	defer CFRelease(cfPasswordData)
+
+	keys := []uintptr{
+		kSecClass,
+		kSecAttrService,
+		kSecAttrAccount,
+		kSecValueData,
+	}
+	values := []uintptr{
+		kSecClassGenericPassword,
+		cfService,
+		cfAccount,
+		cfPasswordData,
+	}
+
+	query := CFDictionaryCreate(
+		kCFAllocatorDefault,
+		&keys[0], &values[0], int64(len(keys)),
+		kCFTypeDictionaryKeyCallBacks,
+		kCFTypeDictionaryValueCallBacks,
+	)
+	defer CFRelease(query)
+
+	sa := SecItemAdd(query, 0)
+	if sa == errSecDuplicateItem {
+		su := SecItemUpdate(query, query)
+		if su != errSecSuccess {
+			return fmt.Errorf("error SecItemUpdate: %d", su)
+		}
+	} else if sa != errSecSuccess {
+		return fmt.Errorf("error SecItemAdd: %d", sa)
+	}
+	return nil
+}
+
+func DeleteGenericPassword(service, username string) error {
+	cfService := CFStringCreateWithCString(kCFAllocatorDefault, service, kCFStringEncodingUTF8)
+	defer CFRelease(cfService)
+
+	cfAccount := CFStringCreateWithCString(kCFAllocatorDefault, username, kCFStringEncodingUTF8)
+	defer CFRelease(cfAccount)
+
+	keys := []uintptr{
+		kSecClass,
+		kSecAttrService,
+		kSecAttrAccount,
+	}
+	values := []uintptr{
+		kSecClassGenericPassword,
+		cfService,
+		cfAccount,
+	}
+
+	query := CFDictionaryCreate(
+		kCFAllocatorDefault,
+		&keys[0], &values[0], int64(len(keys)),
+		kCFTypeDictionaryKeyCallBacks,
+		kCFTypeDictionaryValueCallBacks,
+	)
+	defer CFRelease(query)
+
+	st := SecItemDelete(query)
+	if st == errSecItemNotFound {
+		return ErrNotFound
+	} else if st != errSecSuccess {
+		return fmt.Errorf("error SecItemDelete: %d", st)
+	}
+	return nil
+}
+
+func DeleteGenericPasswords(service string) error {
+	cfService := CFStringCreateWithCString(kCFAllocatorDefault, service, kCFStringEncodingUTF8)
+	defer CFRelease(cfService)
+
+	keys := []uintptr{
+		kSecClass,
+		kSecAttrService,
+		kSecMatchLimit,
+	}
+	values := []uintptr{
+		kSecClassGenericPassword,
+		cfService,
+		kSecMatchLimitAll,
+	}
+
+	query := CFDictionaryCreate(
+		kCFAllocatorDefault,
+		&keys[0], &values[0], int64(len(keys)),
+		kCFTypeDictionaryKeyCallBacks,
+		kCFTypeDictionaryValueCallBacks,
+	)
+	defer CFRelease(query)
+
+	st := SecItemDelete(query)
+	if st == errSecItemNotFound {
+		return nil
+	} else if st != errSecSuccess {
+		return fmt.Errorf("error SecItemDelete: %d", st)
+	}
+	return nil
+}