Replace the deprecated SecKeychain with SecItem

[purejava]

As the title says, this introduces SecItem, without breaking anything. So this PR is ready for review.

Also, SecItem is the base for having keychain access control and Touch ID support (which is not part of this PR, see cryptomator/cryptomator#3311 (comment)).

[coderabbitai]

Walkthrough

This update involves refining the handling of macOS Keychain services in Cryptomator by transitioning from SecKeychain functions to SecItem functions for managing passwords. Additionally, Maven plugin versions have been updated in the pom.xml to ensure the build process remains stable and up-to-date.

Changes

File	Change Summary
src/main/native/...MacKeychain_Native.m	Refactored to use SecItem functions with dictionaries for storing, retrieving, and deleting passwords, enhancing password management and error handling.
pom.xml	Updated plugin versions for maven-enforcer-plugin, exec-maven-plugin, maven-source-plugin, maven-javadoc-plugin, maven-gpg-plugin, and maven-deploy-plugin to their latest versions.

Sequence Diagrams

sequenceDiagram
    participant JavaApp
    participant NativeLib
    participant macOSKeychain

    JavaApp->>NativeLib: storePassword(service, key, password)
    NativeLib->>macOSKeychain: SecItemCopyMatching (find existing password)
    alt Password Exists
        NativeLib->>macOSKeychain: SecItemUpdate (update password)
    else Password Not Found
        NativeLib->>macOSKeychain: SecItemAdd (add new password)
    end
    macOSKeychain-->>NativeLib: Status
    NativeLib-->>JavaApp: Status

Loading

sequenceDiagram
    participant JavaApp
    participant NativeLib
    participant macOSKeychain

    JavaApp->>NativeLib: loadPassword(service, key)
    NativeLib->>macOSKeychain: SecItemCopyMatching (retrieve password)
    macOSKeychain-->>NativeLib: Password Data
    NativeLib-->>JavaApp: Password Data

Loading

sequenceDiagram
    participant JavaApp
    participant NativeLib
    participant macOSKeychain

    JavaApp->>NativeLib: deletePassword(service, key)
    NativeLib->>macOSKeychain: SecItemCopyMatching (find password)
    NativeLib->>macOSKeychain: SecItemDelete (delete password)
    macOSKeychain-->>NativeLib: Status
    NativeLib-->>JavaApp: Status

Loading

Poem

In the Keychain of Mac we delve,
With SecItem functions we now evolve.
Passwords stored with deft precision,
Updates made with clear vision.
Maven plugins too, now shine bright,
Building strong, our future's light.
Hoppy coding, day and night! 🐇✨

---

Tip

Early access features: enabled

We are currently testing the following features in early access:

• OpenAI gpt-4o model for code reviews and chat: OpenAI claims that this model is better at understanding and generating code than the previous models. We seek your feedback over the next few weeks before making it generally available.

Note:

• You can enable or disable early access features from the CodeRabbit UI or by updating the CodeRabbit configuration file.
• Please join our Discord Community to provide feedback and report issues.
• OSS projects are currently opted into early access features by default.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 3

Review Details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between b92c684 and cd0cb40.

Files selected for processing (1)

• src/main/native/org_cryptomator_macos_keychain_MacKeychain_Native.m (1 hunks)

Additional comments not posted (1)

src/main/native/org_cryptomator_macos_keychain_MacKeychain_Native.m (1)

10-10: Ensure that the necessary headers are included for the new SecItem functions.

Verification successful

---

The function Java_org_cryptomator_macos_keychain_MacKeychain_00024Native_storePassword has been fully extracted and reviewed. It includes proper memory management by releasing the byte arrays and handles different outcomes of the keychain operations (SecItemCopyMatching, SecItemUpdate, and SecItemAdd). The necessary headers are included, and the function appears to be implemented correctly.

• The header <Security/Security.h> is included.
• The function handles both updating existing keychain items and adding new ones.
• Proper memory management is ensured by releasing the byte arrays.
• Error handling is implemented with logging for unexpected statuses.

Scripts Executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Description: Verify that all necessary headers for SecItem functions are included.
# Test: Search for the inclusion of Security/Security.h in the file.
rg --type objc --files-with-matches '#import <Security/Security.h>' src/main/native/org_cryptomator_macos_keychain_MacKeychain_Native.m

Length of output: 205

---

---

Script:

#!/bin/bash
# Description: Extract the Java_org_cryptomator_macos_keychain_MacKeychain_00024Native_storePassword function for review.
ast-grep --lang objc --pattern 'JNIEXPORT $_ Java_org_cryptomator_macos_keychain_MacKeychain_00024Native_storePassword($_) {
  $$$
}' src/main/native/org_cryptomator_macos_keychain_MacKeychain_Native.m

Length of output: 312

---

---

Script:

#!/bin/bash
# Description: Extract the Java_org_cryptomator_macos_keychain_MacKeychain_00024Native_storePassword function for review.
rg --type objc --context 20 'JNIEXPORT.*Java_org_cryptomator_macos_keychain_MacKeychain_00024Native_storePassword' src/main/native/org_cryptomator_macos_keychain_MacKeychain_Native.m

Length of output: 1700

---

---

Script:

#!/bin/bash
# Description: Extract more lines of the Java_org_cryptomator_macos_keychain_MacKeychain_00024Native_storePassword function for a complete review.
rg --type objc --context 40 'JNIEXPORT.*Java_org_cryptomator_macos_keychain_MacKeychain_00024Native_storePassword' src/main/native/org_cryptomator_macos_keychain_MacKeychain_Native.m

Length of output: 2710

---

---

Script:

#!/bin/bash
# Description: Extract the remaining lines of the Java_org_cryptomator_macos_keychain_MacKeychain_00024Native_storePassword function for a complete review.
rg --type objc --context 60 'JNIEXPORT.*Java_org_cryptomator_macos_keychain_MacKeychain_00024Native_storePassword' src/main/native/org_cryptomator_macos_keychain_MacKeychain_Native.m

Length of output: 3834

[coderabbitai]

Refactor to improve error handling and reduce code duplication.

-    if (status == errSecSuccess && result != NULL) {
-        status = SecItemDelete((__bridge CFDictionaryRef)searchAttributes);
-    } else if (status != errSecItemNotFound) {
-        NSLog(@"Error deleting item from keychain. Status code: %d", (int)status);
-    }
+    switch (status) {
+        case errSecSuccess:
+            if (result != NULL) {
+                status = SecItemDelete((__bridge CFDictionaryRef)searchAttributes);
+            }
+            break;
+        default:
+            NSLog(@"Error deleting item from keychain. Status code: %d", (int)status);
+            break;
+    }

Also applies to: 116-122

---

Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	// find existing:
	NSDictionary *searchAttributes = @{
	(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
	(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne
	// find existing:
	NSDictionary *searchAttributes = @{
	(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
	(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne
	};
	switch (status) {
	case errSecSuccess:
	if (result != NULL) {
	status = SecItemDelete((__bridge CFDictionaryRef)searchAttributes);
	}
	break;
	default:
	NSLog(@"Error deleting item from keychain. Status code: %d", (int)status);
	break;
	}

[coderabbitai]

Refactor to improve error handling and reduce code duplication.

-    if (status == errSecSuccess && result != NULL) {
-        // update existing:
-        NSDictionary *changeAttributes = @{
-            (__bridge id)kSecValueData: [NSData dataWithBytes:pwStr length:length]
-        };
-        status = SecItemUpdate((__bridge CFDictionaryRef)searchAttributes, (__bridge CFDictionaryRef)changeAttributes);
-    } else if (status == errSecItemNotFound) {
-        // add new:
-        NSDictionary *keychainAttributes = @{
-            (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
-            (__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
-            (__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
-            (__bridge id)kSecValueData: [NSData dataWithBytes:pwStr length:length]
-        };
-        status = SecItemAdd((__bridge CFDictionaryRef)keychainAttributes, NULL);
-    } else {
-        NSLog(@"Error storing item in keychain. Status code: %d", (int)status);
-    }
+    switch (status) {
+        case errSecSuccess:
+            if (result != NULL) {
+                NSDictionary *changeAttributes = @{(__bridge id)kSecValueData: [NSData dataWithBytes:pwStr length:length]};
+                status = SecItemUpdate((__bridge CFDictionaryRef)searchAttributes, (__bridge CFDictionaryRef)changeAttributes);
+            }
+            break;
+        case errSecItemNotFound:
+            NSDictionary *keychainAttributes = @{
+                (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
+                (__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
+                (__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
+                (__bridge id)kSecValueData: [NSData dataWithBytes:pwStr length:length]
+            };
+            status = SecItemAdd((__bridge CFDictionaryRef)keychainAttributes, NULL);
+            break;
+        default:
+            NSLog(@"Error storing item in keychain. Status code: %d", (int)status);
+            break;
+    }

Also applies to: 32-40, 41-49, 51-53

---

Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	NSDictionary *searchAttributes = @{
	(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
	(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecReturnAttributes: @YES,
	(__bridge id)kSecReturnData: @YES,
	(__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne
	};
	NSDictionary *searchAttributes = @{
	(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
	(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecReturnAttributes: @YES,
	(__bridge id)kSecReturnData: @YES,
	(__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne
	};
	switch (status) {
	case errSecSuccess:
	if (result != NULL) {
	NSDictionary *changeAttributes = @{(__bridge id)kSecValueData: [NSData dataWithBytes:pwStr length:length]};
	status = SecItemUpdate((__bridge CFDictionaryRef)searchAttributes, (__bridge CFDictionaryRef)changeAttributes);
	}
	break;
	case errSecItemNotFound:
	NSDictionary *keychainAttributes = @{
	(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
	(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecValueData: [NSData dataWithBytes:pwStr length:length]
	};
	status = SecItemAdd((__bridge CFDictionaryRef)keychainAttributes, NULL);
	break;
	default:
	NSLog(@"Error storing item in keychain. Status code: %d", (int)status);
	break;
	}

[coderabbitai]

Ensure proper memory management and error handling.

-    if (status == errSecSuccess && result != NULL) {
-        NSDictionary *attributes = (__bridge_transfer NSDictionary *)result;
-        NSData *passwordData = attributes[(__bridge id)kSecValueData];
-        NSUInteger pwLen = [passwordData length];
-        const void *pwBytes = [passwordData bytes];
-        jbyteArray password = (*env)->NewByteArray(env, (int)pwLen);
-        (*env)->SetByteArrayRegion(env, password, 0, (int)pwLen, (jbyte *)pwBytes);
-        return password;
-    } else if (status != errSecItemNotFound) {
-        NSLog(@"Error retrieving item from keychain. Status code: %d", (int)status);
-    }
+    switch (status) {
+        case errSecSuccess:
+            if (result != NULL) {
+                NSDictionary *attributes = (__bridge_transfer NSDictionary *)result;
+                NSData *passwordData = attributes[(__bridge id)kSecValueData];
+                NSUInteger pwLen = [passwordData length];
+                const void *pwBytes = [passwordData bytes];
+                jbyteArray password = (*env)->NewByteArray(env, (int)pwLen);
+                (*env)->SetByteArrayRegion(env, password, 0, (int)pwLen, (jbyte *)pwBytes);
+                return password;
+            }
+            break;
+        default:
+            NSLog(@"Error retrieving item from keychain. Status code: %d", (int)status);
+            return NULL;
+    }

Also applies to: 82-94

---

Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	// Create a dictionary of search attributes to find the item in the keychain
	NSDictionary *searchAttributes = @{
	(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
	(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecReturnAttributes: @YES,
	(__bridge id)kSecReturnData: @YES,
	(__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne
	};
	// Create a dictionary of search attributes to find the item in the keychain
	NSDictionary *searchAttributes = @{
	(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
	(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecReturnAttributes: @YES,
	(__bridge id)kSecReturnData: @YES,
	(__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne
	};
	switch (status) {
	case errSecSuccess:
	if (result != NULL) {
	NSDictionary *attributes = (__bridge_transfer NSDictionary *)result;
	NSData *passwordData = attributes[(__bridge id)kSecValueData];
	NSUInteger pwLen = [passwordData length];
	const void *pwBytes = [passwordData bytes];
	jbyteArray password = (*env)->NewByteArray(env, (int)pwLen);
	(*env)->SetByteArrayRegion(env, password, 0, (int)pwLen, (jbyte *)pwBytes);
	return password;
	}
	break;
	default:
	NSLog(@"Error retrieving item from keychain. Status code: %d", (int)status);
	return NULL;
	}

[purejava]

The force push was due to a rebase. A pulled the latest commits from devel and put my changes on top.

[purejava]

BTW, existing keychain entries do work flawlessly and get updated etc.

[coderabbitai]

Actionable comments posted: 2

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between cd0cb40 and 77c6e10.

Files selected for processing (1)

• src/main/native/org_cryptomator_macos_keychain_MacKeychain_Native.m (1 hunks)

Additional comments not posted (1)

src/main/native/org_cryptomator_macos_keychain_MacKeychain_Native.m (1)

10-58: Ensure proper memory management when handling JNI environment pointers.

Verification successful

---

Ensure proper memory management when handling JNI environment pointers.

The search results confirm that the GetByteArrayElements and ReleaseByteArrayElements methods are used correctly within the Java_org_cryptomator_macos_keychain_MacKeychain_00024Native_storePassword function. The GetByteArrayElements method is used to obtain pointers to the byte arrays, and the ReleaseByteArrayElements method is used to release these pointers, ensuring proper memory management.

• GetByteArrayElements is used to obtain pointers to the service, key, and password byte arrays.
• ReleaseByteArrayElements is used to release these pointers after they are no longer needed.

This confirms that the JNI memory management practices are correctly implemented in the function.

Scripts executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Description: Verify memory management practices in JNI functions.

# Test: Search for JNI memory management best practices. Expect: Proper use of Get/Release methods.
rg --type c 'GetByteArrayElements' 'ReleaseByteArrayElements'

Length of output: 124

---

---

Script:

#!/bin/bash
# Description: Verify memory management practices in JNI functions.

# Test: Search for JNI memory management best practices. Expect: Proper use of Get/Release methods.
rg --type c 'GetByteArrayElements'
rg --type c 'ReleaseByteArrayElements'

Length of output: 73

---

---

Script:

#!/bin/bash
# Description: Verify memory management practices in the specific JNI function.

# Test: Search for the specific JNI function and check for proper use of Get/Release methods.
rg --type c 'JNIEXPORT jint JNICALL Java_org_cryptomator_macos_keychain_MacKeychain_00024Native_storePassword'
rg --type c 'GetByteArrayElements' src/main/native/org_cryptomator_macos_keychain_MacKeychain_Native.m
rg --type c 'ReleaseByteArrayElements' src/main/native/org_cryptomator_macos_keychain_MacKeychain_Native.m

Length of output: 1433

[coderabbitai]

Enhance error messages to provide more context in deletion operations.

-    NSLog(@"Error deleting item from keychain. Status code: %d", (int)status);
+    NSLog(@"Error deleting item from keychain. Status code: %d. Ensure the item exists and is accessible.", (int)status);

---

Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	// find existing:
	NSDictionary *searchAttributes = @{
	(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
	(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne
	};
	CFDictionaryRef result = NULL;
	OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)searchAttributes, (CFTypeRef *)&result);
	if (status == errSecSuccess && result != NULL) {
	status = SecItemDelete((__bridge CFDictionaryRef)searchAttributes);
	} else if (status != errSecItemNotFound) {
	NSLog(@"Error deleting item from keychain. Status code: %d", (int)status);
	}
	(*env)->ReleaseByteArrayElements(env, service, serviceStr, JNI_ABORT);
	(*env)->ReleaseByteArrayElements(env, key, keyStr, JNI_ABORT);
	if (itemRef) {
	CFRelease(itemRef);
	}
	// find existing:
	NSDictionary *searchAttributes = @{
	(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
	(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne
	};
	CFDictionaryRef result = NULL;
	OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)searchAttributes, (CFTypeRef *)&result);
	if (status == errSecSuccess && result != NULL) {
	status = SecItemDelete((__bridge CFDictionaryRef)searchAttributes);
	} else if (status != errSecItemNotFound) {
	NSLog(@"Error deleting item from keychain. Status code: %d. Ensure the item exists and is accessible.", (int)status);
	}
	(*env)->ReleaseByteArrayElements(env, service, serviceStr, JNI_ABORT);
	(*env)->ReleaseByteArrayElements(env, key, keyStr, JNI_ABORT);

[coderabbitai]

Refactor to simplify error handling in password retrieval.

-    } else if (status != errSecItemNotFound) {
-        NSLog(@"Error retrieving item from keychain. Status code: %d", (int)status);
-    }
+    } else {
+        NSLog(@"Error retrieving item from keychain. Status code: %d", (int)status);
+    }

---

Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	// Create a dictionary of search attributes to find the item in the keychain
	NSDictionary *searchAttributes = @{
	(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
	(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecReturnAttributes: @YES,
	(__bridge id)kSecReturnData: @YES,
	(__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne
	};
	CFDictionaryRef result = NULL;
	OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)searchAttributes, (CFTypeRef *)&result);
	(*env)->ReleaseByteArrayElements(env, service, serviceStr, JNI_ABORT);
	(*env)->ReleaseByteArrayElements(env, key, keyStr, JNI_ABORT);
	if (pwStr) {
	SecKeychainItemFreeContent(NULL, pwStr);
	if (status == errSecSuccess && result != NULL) {
	NSDictionary *attributes = (__bridge_transfer NSDictionary *)result;
	NSData *passwordData = attributes[(__bridge id)kSecValueData];
	NSUInteger pwLen = [passwordData length];
	const void *pwBytes = [passwordData bytes];
	jbyteArray password = (*env)->NewByteArray(env, (int)pwLen);
	(*env)->SetByteArrayRegion(env, password, 0, (int)pwLen, (jbyte *)pwBytes);
	return password;
	} else if (status != errSecItemNotFound) {
	NSLog(@"Error retrieving item from keychain. Status code: %d", (int)status);
	}
	return result;
	return NULL; // empty
	// Create a dictionary of search attributes to find the item in the keychain
	NSDictionary *searchAttributes = @{
	(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
	(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecReturnAttributes: @YES,
	(__bridge id)kSecReturnData: @YES,
	(__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne
	};
	CFDictionaryRef result = NULL;
	OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)searchAttributes, (CFTypeRef *)&result);
	(*env)->ReleaseByteArrayElements(env, service, serviceStr, JNI_ABORT);
	(*env)->ReleaseByteArrayElements(env, key, keyStr, JNI_ABORT);
	if (status == errSecSuccess && result != NULL) {
	NSDictionary *attributes = (__bridge_transfer NSDictionary *)result;
	NSData *passwordData = attributes[(__bridge id)kSecValueData];
	NSUInteger pwLen = [passwordData length];
	const void *pwBytes = [passwordData bytes];
	jbyteArray password = (*env)->NewByteArray(env, (int)pwLen);
	(*env)->SetByteArrayRegion(env, password, 0, (int)pwLen, (jbyte *)pwBytes);
	return password;
	} else {
	NSLog(@"Error retrieving item from keychain. Status code: %d", (int)status);
	}
	return NULL; // empty

[coderabbitai]

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 77c6e10 and 85a1a50.

Files selected for processing (1)

• pom.xml (7 hunks)

Files skipped from review due to trivial changes (1)

• pom.xml

[tobihagemann]

Sorry for the delay. Looking very good, thank you! Just did some minor refactorings.

[coderabbitai]

Actionable comments posted: 3

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 85a1a50 and 0fcd405.

Files selected for processing (1)

• src/main/native/org_cryptomator_macos_keychain_MacKeychain_Native.m (1 hunks)

Additional comments not posted (1)

src/main/native/org_cryptomator_macos_keychain_MacKeychain_Native.m (1)

103-103: Enhance error messages to provide more context in deletion operations.

The error message should provide more context to assist in troubleshooting.

-	NSLog(@"Error deleting item from keychain. Status code: %d", (int)status);
+	NSLog(@"Error deleting item from keychain. Status code: %d. Ensure the item exists and is accessible.", (int)status);

[coderabbitai]

Refactor to improve error handling and reduce code duplication.

The current code can be refactored to use a switch statement for better readability and maintainability.

-	if (status == errSecSuccess && result != NULL) {
-		// delete:
-		status = SecItemDelete((__bridge CFDictionaryRef)query);
-	} else if (status != errSecItemNotFound) {
-		NSLog(@"Error deleting item from keychain. Status code: %d", (int)status);
-	}
+	switch (status) {
+		case errSecSuccess:
+			if (result != NULL) {
+				status = SecItemDelete((__bridge CFDictionaryRef)query);
+			}
+			break;
+		default:
+			NSLog(@"Error deleting item from keychain. Status code: %d", (int)status);
+			break;
+	}

Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&result);
	if (status == errSecSuccess && result != NULL) {
	// delete:
	status = SecItemDelete((__bridge CFDictionaryRef)query);
	} else if (status != errSecItemNotFound) {
	NSLog(@"Error deleting item from keychain. Status code: %d", (int)status);
	}
	OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&result);
	switch (status) {
	case errSecSuccess:
	if (result != NULL) {
	status = SecItemDelete((__bridge CFDictionaryRef)query);
	}
	break;
	default:
	NSLog(@"Error deleting item from keychain. Status code: %d", (int)status);
	break;
	}

[coderabbitai]

Refactor to improve error handling and reduce code duplication.

The current code can be refactored to use a switch statement for better readability and maintainability.

-	if (status == errSecSuccess && result != NULL) {
-		// retrieve password:
-		NSDictionary *attributes = (__bridge_transfer NSDictionary *)result;
-		NSData *passwordData = attributes[(__bridge id)kSecValueData];
-		password = (*env)->NewByteArray(env, (int)passwordData.length);
-		(*env)->SetByteArrayRegion(env, password, 0, (int)passwordData.length, (jbyte *)passwordData.bytes);
-	} else if (status != errSecItemNotFound) {
-		NSLog(@"Error retrieving item from keychain. Status code: %d", (int)status);
-	}
+	switch (status) {
+		case errSecSuccess:
+			if (result != NULL) {
+				NSDictionary *attributes = (__bridge_transfer NSDictionary *)result;
+				NSData *passwordData = attributes[(__bridge id)kSecValueData];
+				password = (*env)->NewByteArray(env, (int)passwordData.length);
+				(*env)->SetByteArrayRegion(env, password, 0, (int)passwordData.length, (jbyte *)passwordData.bytes);
+			}
+			break;
+		default:
+			NSLog(@"Error retrieving item from keychain. Status code: %d", (int)status);
+			break;
+	}

Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&result);
	jbyteArray password = NULL;
	if (status == errSecSuccess && result != NULL) {
	// retrieve password:
	NSDictionary *attributes = (__bridge_transfer NSDictionary *)result;
	NSData *passwordData = attributes[(__bridge id)kSecValueData];
	password = (*env)->NewByteArray(env, (int)passwordData.length);
	(*env)->SetByteArrayRegion(env, password, 0, (int)passwordData.length, (jbyte *)passwordData.bytes);
	} else if (status != errSecItemNotFound) {
	NSLog(@"Error retrieving item from keychain. Status code: %d", (int)status);
	}
	OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&result);
	jbyteArray password = NULL;
	switch (status) {
	case errSecSuccess:
	if (result != NULL) {
	NSDictionary *attributes = (__bridge_transfer NSDictionary *)result;
	NSData *passwordData = attributes[(__bridge id)kSecValueData];
	password = (*env)->NewByteArray(env, (int)passwordData.length);
	(*env)->SetByteArrayRegion(env, password, 0, (int)passwordData.length, (jbyte *)passwordData.bytes);
	}
	break;
	default:
	NSLog(@"Error retrieving item from keychain. Status code: %d", (int)status);
	break;
	}

[coderabbitai]

Refactor to improve error handling and reduce code duplication.

The current code can be refactored to use a switch statement for better readability and maintainability.

-	if (status == errSecSuccess && result != NULL) {
-		// update existing:
-		NSDictionary *attributesToUpdate = @{
-			(__bridge id)kSecValueData: [NSData dataWithBytes:pwStr length:length]
-		};
-		status = SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)attributesToUpdate);
-	} else if (status == errSecItemNotFound) {
-		// add new:
-		NSDictionary *attributes = @{
-			(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
-			(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
-			(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
-			(__bridge id)kSecValueData: [NSData dataWithBytes:pwStr length:length]
-		};
-		status = SecItemAdd((__bridge CFDictionaryRef)attributes, NULL);
-	} else {
-		NSLog(@"Error storing item in keychain. Status code: %d", (int)status);
-	}
+	switch (status) {
+		case errSecSuccess:
+			if (result != NULL) {
+				NSDictionary *attributesToUpdate = @{(__bridge id)kSecValueData: [NSData dataWithBytes:pwStr length:length]};
+				status = SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)attributesToUpdate);
+			}
+			break;
+		case errSecItemNotFound:
+			NSDictionary *attributes = @{
+				(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
+				(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
+				(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
+				(__bridge id)kSecValueData: [NSData dataWithBytes:pwStr length:length]
+			};
+			status = SecItemAdd((__bridge CFDictionaryRef)attributes, NULL);
+			break;
+		default:
+			NSLog(@"Error storing item in keychain. Status code: %d", (int)status);
+			break;
+	}

Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&result);
	if (status == errSecSuccess && result != NULL) {
	// update existing:
	status = SecKeychainItemModifyAttributesAndData(
	itemRef, // the item reference
	NULL, // no change to attributes
	pwLen, // length of password
	pwStr // pointer to password data
	);
	NSDictionary *attributesToUpdate = @{
	(__bridge id)kSecValueData: [NSData dataWithBytes:pwStr length:length]
	};
	status = SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)attributesToUpdate);
	} else if (status == errSecItemNotFound) {
	// add new:
	status = SecKeychainAddGenericPassword(
	NULL, // default keychain
	serviceLen, // length of service name
	(char *)serviceStr, // service name
	keyLen, // length of account name
	(char *)keyStr, // account name
	pwLen, // length of password
	pwStr, // pointer to password data
	NULL // the item reference
	);
	NSDictionary *attributes = @{
	(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
	(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecValueData: [NSData dataWithBytes:pwStr length:length]
	};
	status = SecItemAdd((__bridge CFDictionaryRef)attributes, NULL);
	} else {
	NSLog(@"Error storing item in keychain. Status code: %d", (int)status);
	}
	OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&result);
	switch (status) {
	case errSecSuccess:
	if (result != NULL) {
	NSDictionary *attributesToUpdate = @{(__bridge id)kSecValueData: [NSData dataWithBytes:pwStr length:length]};
	status = SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)attributesToUpdate);
	}
	break;
	case errSecItemNotFound:
	NSDictionary *attributes = @{
	(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
	(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
	(__bridge id)kSecValueData: [NSData dataWithBytes:pwStr length:length]
	};
	status = SecItemAdd((__bridge CFDictionaryRef)attributes, NULL);
	break;
	default:
	NSLog(@"Error storing item in keychain. Status code: %d", (int)status);
	break;
	}

[purejava]

Sorry for the delay. Looking very good, thank you! Just did some minor refactorings.

No need to worry @tobihagemann. 🙂 Thanks for the review and the improvements!