Update: it was easier than I thought...
Some further fine-tuning is still required (restricting the search to the WireGuard service name), but the basic keychain access works.
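// Collects the data of every generic-password item in the default keychain
// whose service attribute equals 'com.wireguard.macos' and appends each one
// to AList as a string.
//
// Returns False when the default keychain cannot be obtained; True otherwise,
// including when no matching item exists.
//
// Security notes:
// - The strings added to AList are keychain secrets (presumably the WireGuard
//   tunnel configuration including its private key - confirm). Callers should
//   keep them out of logs and UI dumps and clear AList as soon as possible.
// - The temporary buffer holding the secret is zeroed before it is freed.
// - The KC* calls belong to the legacy Keychain Manager API, which Apple has
//   deprecated; treat this as a stop-gap.
function GetWireguardProfiles(constref AList: TStrings): boolean;
const
  SERVICE_NAME = 'com.wireguard.macos';
  ATTR_BUF_LEN = 1024;
  DATA_BUF_LEN = 1024;
  // Upper bound for a retry with a larger buffer, so that a bogus length
  // reported by the API cannot trigger an arbitrarily large allocation.
  MAX_DATA_LEN = 1024 * 1024;
var
  s: OSStatus;
  itemStatus: OSStatus;
  keychain: KCRef;
  search: KCSearchRef;
  item: KCItemRef;
  iMaxLen: uint32;
  iActualLen: uint32;
  iNeeded: uint32;
  pc: pansichar;
  attrList: KCAttributeList;
  attra: array[0..1] of KCAttribute; // second slot is currently unused
  attr1: KCAttribute;
  itemClass: KCItemClass;
  sService: ansistring;
begin
  Result := False;
  keychain := nil;
  search := nil;
  item := nil;

  s := KCGetDefaultKeychain(keychain);
  if (s <> 0) then
    Exit; // no keychain, nothing to enumerate

  try
    // Search criteria: generic password items only.
    itemClass := kGenericPasswordKCItemClass;
    attra[0].tag := kClassKCItemAttr;
    attra[0].Data := @itemClass;
    attra[0].length := sizeof(itemClass);
    // TODO : restrict search to service
    attrList.Count := 1;
    attrList.attr := @attra[0];

    // @see https://github.com/aptana/Jaxer/blob/f7994fc75a768c9873f094e29868c22e88b46b50/server/src/mozilla/extensions/wallet/src/singsign.cpp#L3204
    s := KCFindFirstItem(keychain, @attrList, search, item);

    // Only touch 'item' while the find call reported success; a failed
    // KCFindFirstItem must not be followed by attribute/data reads.
    while (s = 0) do begin
      try
        // Read the service attribute. One extra zero byte is allocated beyond
        // the capacity passed to the API, so the C-string conversion below is
        // always terminated, even when the attribute fills the buffer.
        sService := '';
        iActualLen := 0;
        pc := AllocMem(ATTR_BUF_LEN + 1);
        try
          attr1.tag := kServiceKCItemAttr;
          attr1.length := ATTR_BUF_LEN;
          attr1.Data := pc;
          itemStatus := KCGetAttribute(item, attr1, iActualLen);
          if (itemStatus = 0) then
            sService := ansistring(pc);
        finally
          FreeMem(pc);
        end;

        if (sService = SERVICE_NAME) then begin
          iMaxLen := DATA_BUF_LEN;
          repeat
            iNeeded := 0;
            iActualLen := 0;
            pc := AllocMem(iMaxLen + 1); // +1 keeps the data zero-terminated
            try
              itemStatus := KCGetData(item, iMaxLen, pc, iActualLen);
              if (itemStatus = 0) then
                AList.Add(ansistring(pc))
              // NOTE(review): assumes KCGetData reports the required size in
              // iActualLen when the buffer is too small - confirm. If it does
              // not, no retry happens and the item is skipped as before.
              else if (iActualLen > iMaxLen) and (iActualLen <= MAX_DATA_LEN) then
                iNeeded := iActualLen;
            finally
              // Wipe the secret before handing the memory back to the heap.
              FillChar(pc^, iMaxLen + 1, 0);
              FreeMem(pc);
            end;
            if (iNeeded = 0) then
              Break;
            iMaxLen := iNeeded; // strictly larger, bounded by MAX_DATA_LEN
          until False;
        end;
      finally
        // Each item reference returned by the find calls is released here.
        KCReleaseItem(item);
        item := nil;
      end;
      s := KCFindNextItem(search, item);
    end;

    Result := True;
  finally
    if (search <> nil) then
      KCReleaseSearch(search);
    KCReleaseKeychain(keychain);
  end;
end;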