Gnus development mailing list
* Re: Modifying Emacs to use the Mac OS X Keychain Services
       [not found]             ` <87tyc0camo.fsf@lifelogs.com>
@ 2012-07-27 15:20               ` Dave Abrahams
  2012-07-29 22:05                 ` Ted Zlatanov
  0 siblings, 1 reply; 2+ messages in thread
From: Dave Abrahams @ 2012-07-27 15:20 UTC (permalink / raw)
  To: emacs-devel; +Cc: ding


Did anything come of this?  I am really tired of typing in my GPG key
every time I start Gnus.  I'd be more than happy to have a solution that
just used /usr/bin/security to look up the password; I don't need more
security than that.

I looked a bit at the "secrets" API but could understand it easily
enough to code something up.  I just want Emacs to run

   /usr/bin/security --find-internet-password -gs <hostname> <username>

to get the password for my mail server.

TIA,

Dave

on Wed Jun 08 2011, Ted Zlatanov <tzz-AT-lifelogs.com> wrote:

> On Wed, 8 Jun 2011 00:50:50 -0500 Ben Key <bkey76@gmail.com> wrote: 
>
> BK> I rewrote the ns-keychain functions I had already written so that
> BK> they interpret the collection parameter to be an indication of what
> BK> keychain file the data should be stored in.  The values "default" or
> BK> "secrets:default" are interpreted to mean that the default keychain
> BK> should be used.  The values "login" or "secrets:Login" are
> BK> interpreted to mean that the login keychain file should be
> BK> used.  Other values for collection such as "session" or
> BK> "secrets:session" are not supported at this time.  The values
> BK> "session" or "secrets:session" cause an error with an "At this time
> BK> the 'session' collection is not supported on Mac OS X" message.
>
> This is good, but the error should be simply "The collection %s could
> not be found" for any invalid collection, not just "session".
>
> BK>  Other non-supported values simply result in the default keychain
> BK> being used.
>
> Please throw an error if the requested keychain doesn't exist, same as
> above.
>
>>> The major idea of the "session" collection is to NOT store secrets
>>> permanently. Therefore, I would recommend that you raise an error "not
>>> available" or something like this, if somebody uses the "session"
>>> collection in your case.
>
> BK> I could mimic this capability by storing the data in a keychain file,
> BK> such as ~/Library/Keychains/emacs-session.keychain that gets deleted
> BK> using the function SecKeychainDelete when Emacs exits.  This would
> BK> make it an Emacs session keychain.  Of course if Emacs crashes, the
> BK> keychain file would not be deleted.
>
> I don't think this is useful and introduces unwanted security risks.
> There's no need to mimic the Secrets API "session" transient storage if
> it's not directly supported by the Keychain Services.
>
> BK> Since the collection parameter is now being interpreted as an
> BK> indication of which keychain file to store the data in, I had to pick
> BK> a value for the serviceName parameter that is used by functions like
> BK> SecKeychainAddGenericPassword and SecKeychainFindGenericPassword.  I
> BK> chose the value "GNU Emacs."  Are there any objections to this?
>
> Yes, please make it configurable.
>
> BK>  I could have added a parameter to allow the user to select the
> BK> value of the serviceName parameter but this would have made it
> BK> necessary to abandon my plan of adding one ns-keychain function for
> BK> each secrets API function that has the same parameters, and as near
> BK> to the same behavior, as the corresponding secrets API function.
>
> Don't be afraid of diverging from the Secrets API.  The Keychain
> Services API is not the same thing, we know that.  Please add that
> parameter to the calls.
>
> Are you providing both SecKeychain*GenericPassword and
> SecKeychain*InternetPassword?
>
> Ted

-- 
Dave Abrahams
BoostPro Computing                  Software Development        Training
http://www.boostpro.com             Clang/LLVM/EDG Compilers  C++  Boost


* Re: Modifying Emacs to use the Mac OS X Keychain Services
  2012-07-27 15:20               ` Modifying Emacs to use the Mac OS X Keychain Services Dave Abrahams
@ 2012-07-29 22:05                 ` Ted Zlatanov
  0 siblings, 0 replies; 2+ messages in thread
From: Ted Zlatanov @ 2012-07-29 22:05 UTC (permalink / raw)
  To: emacs-devel; +Cc: ding

On Fri, 27 Jul 2012 11:20:17 -0400 Dave Abrahams <dave@boostpro.com> wrote: 

DA> Did anything come of this?  I am really tired of typing in my GPG key
DA> every time I start Gnus.  I'd be more than happy to have a solution that
DA> just used /usr/bin/security to look up the password; I don't need more
DA> security than that.

DA> I looked a bit at the "secrets" API but could understand it easily
DA> enough to code something up.  I just want Emacs to run

DA>    /usr/bin/security --find-internet-password -gs <hostname> <username>

DA> to get the password for my mail server.

I don't think I knew about this utility :)  Thanks!

I haven't heard from Ben Key (CC-ed on this post) in a year so I figured
it's simpler to implement this myself.  I've pushed something into the
Gnus repo, which you can test.  It doesn't support creation or deletion,
but searching works.

The fundamental problem was that internet (I've spelled it with a
lowercase 'i' to be consistent with Apple) and generic keychains behave
very differently.  So I chose to make the user decide which one he
wants; the following are valid entries in `auth-sources':

#+begin_src lisp
(auth-source-backend-parse 'macos-keychain-internet)
(auth-source-backend-parse 'macos-keychain-generic)
(auth-source-backend-parse "macos-keychain-internet:/path/here.keychain")
(auth-source-backend-parse "macos-keychain-generic:/path/here.keychain")
(auth-source-backend-parse '(:source (:macos-keychain-internet default)))
(auth-source-backend-parse '(:source (:macos-keychain-generic "/path/here.keychain")))
#+end_src

...and here you can see the very first entry in each of your default
internet and generic keychains:

#+begin_src lisp
(let ((auth-sources '(macos-keychain-internet))) (auth-source-search :max 1))
(let ((auth-sources '(macos-keychain-generic))) (auth-source-search :max 1))
#+end_src

The hardest part was mapping internet and generic keychains into the
common auth-source format for searching and for providing results.  For
searching, I chose to map them as explained in the docstring of
`auth-source-macos-keychain-search', using the various /usr/bin/security
parameters.  For results, the logic is simple enough to show here:

#+begin_src lisp
(defun auth-source-macos-keychain-result-append (result generic k v)
  (push v result)
  (setq k (cond
           ((equal k "acct") "user")
           ;; for generic keychains, creator is host, service is port
           ((and generic (equal k "crtr")) "host")
           ((and generic (equal k "svce")) "port")
           ;; for internet keychains, protocol is port, server is host
           ((and (not generic) (equal k "ptcl")) "port")
           ((and (not generic) (equal k "srvr")) "host")
           (t k)))

  (push (intern (format ":%s" k)) result))
#+end_src

At most one result is returned, ever.  This is due to the way
/usr/bin/security works.  If I dump the whole keychain, the user would
get a thousand popup dialogs.

It should be pretty trivial to use the native keychain calls on Mac OS X
within this framework.  Ben, if you're still interested, please let us
know.

I am far from expert on Mac OS X; this worked for me and I hope it works
for you.  Patches welcome to improve it.

Ted
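An added example, not code from Gnus or from either poster, that ties the two messages together: Dave's idea of shelling out to /usr/bin/security and Ted's attribute-to-auth-source mapping. The real subcommand is `security find-internet-password` with single-dash options (`-s` server, `-a` account, `-g` to also print the password); `-g` writes the `password:` line to stderr, so it must be merged with `2>&1` before parsing, and each lookup that needs the password may raise a Keychain "allow access" dialog, which is why Ted's backend returns at most one item. The script below parses one item as the tool prints it, using a constructed sample output (not captured from a real keychain) so it runs on any POSIX shell; the hostname, account and secret in the sample are made up.

```shell
#!/bin/sh
# Added example: map one `security find-internet-password -g` item to the
# auth-source keys Ted's mapping uses (acct -> user, srvr -> host,
# ptcl -> port, password -> secret).  Not part of Gnus.
#
# On macOS you would feed real output instead of the sample:
#   security find-internet-password -g -s imap.example.com -a dave 2>&1 \
#       | parse_keychain_item

# Constructed sample of what `security ... -g` prints (hand-written; the
# host, account and password are placeholders, not real credentials).
SAMPLE_ITEM='keychain: "/Users/dave/Library/Keychains/login.keychain"
class: "inet"
attributes:
    0x00000007 <blob>="imap.example.com (dave)"
    "acct"<blob>="dave"
    "port"<uint32>=0x00000000 
    "ptcl"<uint32>="imap"
    "srvr"<blob>="imap.example.com"
password: "hunter2"'

# Print the quoted value of one keychain attribute read from stdin,
# e.g.  "acct"<blob>="dave"  ->  dave
# Prints nothing when the attribute is <NULL>, unquoted, or absent.
kc_attr() {
    sed -n "s/^ *\"$1\"<[a-z0-9]*>=\"\([^\"]*\)\".*/\1/p"
}

# Read one item from stdin and emit host/user/port/secret on one line.
# For an internet item the protocol ("ptcl") stands in for the port and
# the server ("srvr") for the host, exactly as in the elisp mapping above.
parse_keychain_item() {
    item=$(cat)
    user=$(printf '%s\n' "$item" | kc_attr acct)
    host=$(printf '%s\n' "$item" | kc_attr srvr)
    port=$(printf '%s\n' "$item" | kc_attr ptcl)
    # The password line only exists when -g was given (and came via stderr).
    secret=$(printf '%s\n' "$item" | sed -n 's/^password: "\(.*\)"$/\1/p')
    printf 'host=%s user=%s port=%s secret=%s\n' "$host" "$user" "$port" "$secret"
}

# Run the parser over the constructed sample so the script works offline.
demo() {
    printf '%s\n' "$SAMPLE_ITEM" | parse_keychain_item
}

demo
```

Because the secret lands in a shell variable and on stdout, anything that wraps this (an Emacs `call-process`, a cron job) should avoid echoing it into logs or shell history; keeping the lookup to a single named item, as Ted's backend does, also keeps the number of access prompts to one.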
