[jitsi-dev] Jitsi on Mac OS X with keychain support


#1

Hi.

Contributor agreement signed.

Attached are the complete source classes.

All resource files must be changed, I renamed the key
"plugin.certconfig.WINDOWS_TRUSTSTORE" to
"plugin.certconfig.OS_TRUSTSTORE", because the key is not only for
Windows anymore (now we could switch in all operating systems between OS
keystore and Java keystore [not tested with Unix, because I am a
Windows/Mac developer]).

Regards
    Kai

CertificateServiceImpl.java (43.8 KB)

CertConfigPanel.java (10.4 KB)

resources_de.properties (113 KB)

resources.properties (105 KB)


On Friday, 02.01.2015 at 12:10, Ingo Bauersachs wrote:

I am missing the keychain support for Mac OS X. If I use my own CA and
have the root certificate in the system keychain, Jitsi asks me
nevertheless if I wish to accept the connection.

In contrast to Windows: Jitsi accepts the connection without a question.

I have found the respective class and added a few lines of code, and in
Eclipse it works on Mac OS X. So, what should I do so that the code is
included in the next release?

See the attachment for "my" CertificateServiceImpl.setTrustStore.

Thank you for your work so far!

Can you please create a patch that makes your change optional, just as it is for Windows? There is a corresponding setting in the UI (Settings->Advanced->TLS, backed by CertConfigPanel.java) that needs to be considered too.

Before you start though, please consider if you're willing to sign our contributor agreement (http://bluejimp.com/bca.pdf) otherwise we unfortunately cannot integrate a contribution.

Best regards
     Kai

Ingo

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev


#2

Sorry, I made a mistake. The corrected java source for the CertificateServiceImpl is appended.

Regards
   Kai

CertificateServiceImpl.java (43.6 KB)


#3

Hey

Contributor agreement signed.

Attached are the complete source classes.

Great! Thanks!

Could you please send your changes as a patch or a pull request on Github? I don't know which IDE you're using so I can't really give you a hint. With the git command-line it would be e.g. git format-patch -1

All resource files must be changed, I renamed the key
"plugin.certconfig.WINDOWS_TRUSTSTORE" to
"plugin.certconfig.OS_TRUSTSTORE", because the key is not only for
Windows anymore (now we could switch in all operating systems between OS
keystore and Java keystore [not tested with Unix, because I am a
Windows/Mac developer]).

That is fine, I knew that. However please only change the English resource as all other languages are maintained with Pootle (http://translate.jitsi.org)

Regards
    Kai

Ingo


#4

Hi Ingo.

Here is the patch file. I hope it is correct, because this was the first time for me for Git patch creation.

Regards
   Kai

jitsi-macos.patch (10.7 KB)


On Saturday, 03.01.2015 at 12:19, Ingo Bauersachs wrote:

Hey

Contributor agreement signed.

Attached are the complete source classes.

Great! Thanks!

Could you please send your changes as a patch or a pull request on Github? I don't know which IDE you're using so I can't really give you a hint. With the git command-line it would be e.g. git format-patch -1

All resource files must be changed, I renamed the key
"plugin.certconfig.WINDOWS_TRUSTSTORE" to
"plugin.certconfig.OS_TRUSTSTORE", because the key is not only for
Windows anymore (now we could switch in all operating systems between OS
keystore and Java keystore [not tested with Unix, because I am a
Windows/Mac developer]).

That is fine, I knew that. However please only change the English resource as all other languages are maintained with Pootle (http://translate.jitsi.org)

Regards
     Kai

Ingo



#5

Hey Fabian

Here is the patch file. I hope it is correct, because this was the first
time for me for Git patch creation.

The patch file was good, but if you're working on existing code, please don't reformat lines where you didn't actually change something. Disable any automatic formatters in Eclipse.

I looked at the patch now and tested it. I was immediately greeted with warnings for valid certificates. Adding -Djava.net.debug=all to the VM options showed that Java only loads a handful of certificates that are in my personal keychain. And indeed if I look into the native source code that interacts with the keychain [1], it only accesses the personal keychain without an option to override it (passing NULL as the first parameter to SecKeychainSearchCreateFromAttributes, [2]). Another big #fail from @sun/@oracle.

So unfortunately, I cannot apply your patch - it would break the entire certificate validation on OSX.

If you want to continue working on this, you could maybe write some JNA code that
- Loads the system keychain with SecKeychainOpen on /System/Library/Keychains/SystemRootCertificates.keychain
- Iterates them with SecKeychainSearchCreateFromAttributes
- Converts the binary data with the X509Factory to an X509Certificate
- Fills all certificates into a Java in-memory KeyStore and uses it for validation.

Regards
   Kai

Ingo

[1] http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/687fd7c7986d/src/macosx/native/apple/security/KeystoreImpl.m#l352
[2] https://developer.apple.com/library/mac/documentation/Security/Reference/keychainservices/index.html
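An added example of the JNA approach sketched in the message above; it is not code from Kai's patch or from the Jitsi project. It opens the keychain file with SecKeychainOpen, walks the certificate items with SecKeychainSearchCreateFromAttributes and SecKeychainSearchCopyNext, parses each DER blob with the standard java.security.cert.CertificateFactory (used here in place of the sun.security.provider.X509Factory the message names), and fills an in-memory KeyStore that a TrustManagerFactory can validate against. Assumptions: JNA 5's Native.load is available, the class and method names (MacKeychainTrustStore, readCertificates, toKeyStore, trustManagers) are mine, the keychain path is the one given in the message, and the search API is the deprecated SecKeychainSearch family the message refers to.

```java
import com.sun.jna.Library;
import com.sun.jna.Native;
import com.sun.jna.Pointer;
import com.sun.jna.ptr.PointerByReference;

import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;

/** Loads every certificate of a macOS keychain file into an in-memory Java KeyStore (assumed design). */
public final class MacKeychainTrustStore {

    /** Minimal JNA binding of the Security.framework calls used here. */
    interface Security extends Library {
        Security INSTANCE = Native.load("Security", Security.class);
        int errSecSuccess = 0;
        int errSecItemNotFound = -25300;     // end of a keychain search
        int kSecCertificateItemClass = 0x80001000; // from SecKeychainItem.h

        int SecKeychainOpen(String pathName, PointerByReference keychain);
        int SecKeychainSearchCreateFromAttributes(Pointer keychainOrArray, int itemClass,
                                                  Pointer attrList, PointerByReference searchRef);
        int SecKeychainSearchCopyNext(Pointer searchRef, PointerByReference itemRef);
        Pointer SecCertificateCopyData(Pointer certificate); // returns CFDataRef with the DER bytes
    }

    /** CoreFoundation helpers needed to read the CFData and release references. */
    interface CoreFoundation extends Library {
        CoreFoundation INSTANCE = Native.load("CoreFoundation", CoreFoundation.class);
        long CFDataGetLength(Pointer data); // CFIndex is a signed long on 64-bit
        Pointer CFDataGetBytePtr(Pointer data);
        void CFRelease(Pointer cf);
    }

    /** Path named in the message; the system roots, not the user's personal keychain. */
    public static final String SYSTEM_ROOTS =
        "/System/Library/Keychains/SystemRootCertificates.keychain";

    /** Reads all certificate items of the given keychain file; malformed entries are skipped. */
    public static List<X509Certificate> readCertificates(String keychainPath) throws Exception {
        Security sec = Security.INSTANCE;
        CoreFoundation cf = CoreFoundation.INSTANCE;
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();

        PointerByReference keychainRef = new PointerByReference();
        int status = sec.SecKeychainOpen(keychainPath, keychainRef);
        if (status != Security.errSecSuccess)
            throw new IllegalStateException("SecKeychainOpen failed, OSStatus " + status);
        Pointer keychain = keychainRef.getValue();
        try {
            // Passing the keychain reference (not NULL) restricts the search to this file.
            PointerByReference searchRef = new PointerByReference();
            status = sec.SecKeychainSearchCreateFromAttributes(
                keychain, Security.kSecCertificateItemClass, Pointer.NULL, searchRef);
            if (status != Security.errSecSuccess)
                throw new IllegalStateException("SecKeychainSearchCreateFromAttributes failed, OSStatus " + status);
            Pointer search = searchRef.getValue();
            try {
                while (true) {
                    PointerByReference itemRef = new PointerByReference();
                    status = sec.SecKeychainSearchCopyNext(search, itemRef);
                    if (status == Security.errSecItemNotFound) break; // no more items
                    if (status != Security.errSecSuccess)
                        throw new IllegalStateException("SecKeychainSearchCopyNext failed, OSStatus " + status);
                    Pointer item = itemRef.getValue(); // a certificate item is a SecCertificateRef
                    try {
                        Pointer der = sec.SecCertificateCopyData(item);
                        if (der == null) continue;
                        try {
                            int len = (int) cf.CFDataGetLength(der);
                            byte[] bytes = cf.CFDataGetBytePtr(der).getByteArray(0, len);
                            certs.add((X509Certificate) factory.generateCertificate(new ByteArrayInputStream(bytes)));
                        } catch (CertificateException e) {
                            // One unparsable entry must not disable validation for all the others.
                        } finally { cf.CFRelease(der); }
                    } finally { cf.CFRelease(item); }
                }
            } finally { cf.CFRelease(search); }
        } finally { cf.CFRelease(keychain); }
        return certs;
    }

    /** Puts the certificates into an empty in-memory KeyStore as trusted entries. */
    public static KeyStore toKeyStore(List<X509Certificate> certs) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // null stream creates an empty store
        int i = 0;
        for (X509Certificate c : certs) ks.setCertificateEntry("keychain-" + (i++), c);
        return ks;
    }

    /** A TrustManagerFactory backed by that store, for use in an SSLContext. */
    public static TrustManagerFactory trustManagers(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = toKeyStore(readCertificates(args.length > 0 ? args[0] : SYSTEM_ROOTS));
        System.out.println("Loaded " + ks.size() + " trusted certificates from the keychain");
    }
}
```

The point of the explicit keychain reference in the search call is exactly the defect the message identifies in the JDK's native code: a NULL first argument searches the default (login) keychain, so the resulting trust store would be nearly empty and every valid server certificate would be reported as untrusted. Checking the result with a count, as main does, is a cheap sanity test before wiring the TrustManagerFactory into the TLS settings.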