From 15817e7d29a5c496585ea0e45a8a8139f053f001 Mon Sep 17 00:00:00 2001
From: Timur Pocheptsov
Date: Mon, 23 Sep 2024 14:50:22 +0200
Subject: [PATCH] SecureTransport: use memory-only PKCS12 import on macOS >= 15
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Our workaround with a temporary keychain is not working anymore. Startring from macOS 15 Security framework supports a new option: kSecImportToMemoryOnly. Setting it to kCFBooleanTrue allows us to import PCKS12 without accessing 'login' keychain and thus avoiding blocking system-alerts requesting keychain access.

Pick-to: 6.8
Fixes: QTBUG-128579
Change-Id: Ic86460b05dbee07194b146cefc45df6a478946b1
Reviewed-by: Tor Arne Vestbø
---
 src/plugins/tls/securetransport/qtls_st.cpp | 33 +++++++++++++++------
 1 file changed, 24 insertions(+), 9 deletions(-)

diff --git a/src/plugins/tls/securetransport/qtls_st.cpp b/src/plugins/tls/securetransport/qtls_st.cpp
index 48b7f3364f8..ff431dabd17 100644
--- a/src/plugins/tls/securetransport/qtls_st.cpp
+++ b/src/plugins/tls/securetransport/qtls_st.cpp
@@ -817,17 +817,32 @@ bool TlsCryptographSecureTransport::setSessionCertificate(QString &errorDescript
 const void *values[2] = { password };
 CFIndex nKeys = 1;
 #ifdef Q_OS_MACOS
- bool envOk = false;
- const int env = qEnvironmentVariableIntValue("QT_SSL_USE_TEMPORARY_KEYCHAIN", &envOk);
- if (envOk && env) {
- static const EphemeralSecKeychain temporaryKeychain;
- if (temporaryKeychain.keychain) {
- nKeys = 2;
- keys[1] = kSecImportExportKeychain;
- values[1] = temporaryKeychain.keychain;
+#if QT_MACOS_IOS_PLATFORM_SDK_EQUAL_OR_ABOVE(150000, 180000)
+ // Starting from macOS 15 our temporary keychain is ignored.
+ // We have to use kSecImportToMemoryOnly/kCFBooleanTrue key/value
+ // instead. This key is "memory" but looks like Security framework
+ // does not compare strings, but pointers instead, so we need an actual
+ // key/constant.
+ if (__builtin_available(macOS 15, *)) {
+ nKeys = 2;
+ keys[1] = kSecImportToMemoryOnly;
+ values[1] = kCFBooleanTrue;
+ } else {
+#else
+ {
+#endif
+ bool envOk = false;
+ const int env = qEnvironmentVariableIntValue("QT_SSL_USE_TEMPORARY_KEYCHAIN", &envOk);
+ if (envOk && env) {
+ static const EphemeralSecKeychain temporaryKeychain;
+ if (temporaryKeychain.keychain) {
+ nKeys = 2;
+ keys[1] = kSecImportExportKeychain;
+ values[1] = temporaryKeychain.keychain;
+ }
 }
 }
-#endif
+#endif // Q_OS_MACOS
 QCFType options = CFDictionaryCreate(nullptr, keys, values, nKeys, nullptr, nullptr);
 QCFType items;