[jitsi-dev] Problems with x86-x64 bits windows installers


#1

Hi there,

I'm currently trying to develope a new security module for jitsi. Last
month, I've been working over last stable release of jitsi but since last
monday I've changed it to the newest jitsi version (because of I was having
a lot of problems in windows x64 using PKCS11 libraries).

I've intalled jitsi-1.0-latest-x86.exe in Windows 7 (x64) and then in Jitsi
Tools->Options->Advanced-> TLS Configuration I can add a PKCS11
certificate. But if I install jitsi-1.0-latest-x64.exe I can't select the
PKCS11 certificate type (only PKCS12 or jks). This could be OK for me
because in mi first step I will develope only for x86 platforms ( it should
work on 64 bit ).

So I've downloaded jitsi-src-1.0-latest.zip to develope my module on it,
using netbeans 7.1.1 on windows xp sp3 (company orders!). So my first step
was "testing": build source code and create an installer for windows x86,
to check all before starting my develop. Builder and installer prepared
using 32 bits libraries (even java 32 bits).
I've launched this installer in Windows 7 (x64). First I saw a small
window that
warns of x86 installer on x64 platform like your installer called
jitsi-1.0-latest-x86.exe. When the installation finished I went,
again, to Tools->Options->Advanced->
TLS Configuration to add a PKCS11 certificate but PKCS11 it's not an option
now, only PKCS12 or jks, as in x64 installer.

Could you, please, check it? Any idea about it?
How do you build the proyect and/or create the x86 installer to make
available PKCS11?

Thanks a lot.
Kind Regards,

···

*--*
*
*
* --DAVID--*


#2

Hey David

  I'm currently trying to develope a new security module for jitsi.

Last

month, I've been working over last stable release of jitsi but since last
monday I've changed it to the newest jitsi version (because of I was

having a

lot of problems in windows x64 using PKCS11 libraries).

Interesting, would you mind to share what you're trying to develop?

Please be aware that PKCS11 is not supported on Windows x64. This is a
limitation from the Sun/Oracle JRE, not from Jitsi. The JRE simply doesn't
provide the necessary security provider.

  I've intalled jitsi-1.0-latest-x86.exe in Windows 7 (x64) and then

in

Jitsi Tools->Options->Advanced-> TLS Configuration I can add a PKCS11
certificate. But if I install jitsi-1.0-latest-x64.exe I can't select the
PKCS11 certificate type (only PKCS12 or jks). This could be OK for me

because

in mi first step I will develope only for x86 platforms ( it should work

on

64 bit ).

If you need to support PKCS11 on x64, you basically have three options:
1) Hope that your smartcard vendor has a library written in plain Java
2) Buy an alternative PKCS11 security provider (there is a company out
there, but I currently can't remember the name)
3) Access the card directly through javax.smartcardio on an APDU level and
create a security provider around it (hard work and probably impossible if
you don't have the exact specs of the card, impossible as a generic method)

  So I've downloaded jitsi-src-1.0-latest.zip to develope my module on
it, using netbeans 7.1.1 on windows xp sp3 (company orders!). So my first
step was "testing": build source code and create an installer for windows
x86, to check all before starting my develop. Builder and installer

prepared

using 32 bits libraries (even java 32 bits).
  I've launched this installer in Windows 7 (x64). First I saw a small
window that warns of x86 installer on x64 platform like your installer

called

jitsi-1.0-latest-x86.exe. When the installation finished I went, again, to
Tools->Options->Advanced-> TLS Configuration to add a PKCS11 certificate

but

PKCS11 it's not an option now, only PKCS12 or jks, as in x64 installer.

This is strange. If PKCS11 is not listed as an option, then the platform is
detected as x64. Is it possible that your self-built installer deploys a
64bit JRE?

  Could you, please, check it? Any idea about it?

The current x86-nightly on a x64 Win7 shows the PKCS11 option just fine.

  How do you build the proyect and/or create the x86 installer to make
available PKCS11?

Can't help you here - it's a long time ago that I last built an installer
myself.

Thanks a lot.
Kind Regards,

Regards,
Ingo


#3

Hi Ingo,

> I'm currently trying to develope a new security module for jitsi.
>Last
> month, I've been working over last stable release of jitsi but since

last

> monday I've changed it to the newest jitsi version (because of I was
>having a
> lot of problems in windows x64 using PKCS11 libraries).

Interesting, would you mind to share what you're trying to develop?

Please be aware that PKCS11 is not supported on Windows x64. This is a
limitation from the Sun/Oracle JRE, not from Jitsi. The JRE simply doesn't
provide the necessary security provider.

I'll develope a module to use digital certificate or DNIe (Spain) to cipher
calls.

Thanks, I know that issue as for Sun/Oracle but I'm working using 32bits
and for platforms with jre x86.

> I've intalled jitsi-1.0-latest-x86.exe in Windows 7 (x64) and then
>in
> Jitsi Tools->Options->Advanced-> TLS Configuration I can add a PKCS11
> certificate. But if I install jitsi-1.0-latest-x64.exe I can't select

the

> PKCS11 certificate type (only PKCS12 or jks). This could be OK for me
>because
> in mi first step I will develope only for x86 platforms ( it should work
>on
> 64 bit ).

If you need to support PKCS11 on x64, you basically have three options:
1) Hope that your smartcard vendor has a library written in plain Java
2) Buy an alternative PKCS11 security provider (there is a company out
there, but I currently can't remember the name)
3) Access the card directly through javax.smartcardio on an APDU level and
create a security provider around it (hard work and probably impossible if
you don't have the exact specs of the card, impossible as a generic

method)

I have to develope it for generic smartcard reader but specific
smartcard...
so I'm using javax.smartcardio on an APDU.

> So I've downloaded jitsi-src-1.0-latest.zip to develope my module

on

> it, using netbeans 7.1.1 on windows xp sp3 (company orders!). So my

first

> step was "testing": build source code and create an installer for

windows

> x86, to check all before starting my develop. Builder and installer
>prepared
> using 32 bits libraries (even java 32 bits).
> I've launched this installer in Windows 7 (x64). First I saw a

small

> window that warns of x86 installer on x64 platform like your installer
>called
> jitsi-1.0-latest-x86.exe. When the installation finished I went, again,

to

> Tools->Options->Advanced-> TLS Configuration to add a PKCS11 certificate
>but
> PKCS11 it's not an option now, only PKCS12 or jks, as in x64 installer.

This is strange. If PKCS11 is not listed as an option, then the platform

is

detected as x64. Is it possible that your self-built installer deploys a
64bit JRE?

I don't think so because I've built it and create the installer under
Windows
XP SP3 with only 32bit jdk and jre installed. I can't understand it because
of
if I install jitsi-1.0-latest-x86.exe downloaded from jitsi.org on
Windows 7 x64 the PKCS11 option is shown but if I build the x86 installer
from source, doesn't.

> Could you, please, check it? Any idea about it?
The current x86-nightly on a x64 Win7 shows the PKCS11 option just fine.

Yes, but I need it even for my own build.

> How do you build the proyect and/or create the x86 installer to

make

> available PKCS11?

Can't help you here - it's a long time ago that I last built an installer
myself.

OK, anyway thanks.
I hope other guy who built an installer a short time ago could help
me soon.

Have you got any other idea about this incomprehensive issue?

Thanks a lot.
Kind Regards,

···

*--*
* --DAVID--*

2012/4/4 Ingo Bauersachs <ingo@jitsi.org>

Hey David

> I'm currently trying to develope a new security module for jitsi.
Last
> month, I've been working over last stable release of jitsi but since last
> monday I've changed it to the newest jitsi version (because of I was
having a
> lot of problems in windows x64 using PKCS11 libraries).

Interesting, would you mind to share what you're trying to develop?

Please be aware that PKCS11 is not supported on Windows x64. This is a
limitation from the Sun/Oracle JRE, not from Jitsi. The JRE simply doesn't
provide the necessary security provider.

> I've intalled jitsi-1.0-latest-x86.exe in Windows 7 (x64) and then
in
> Jitsi Tools->Options->Advanced-> TLS Configuration I can add a PKCS11
> certificate. But if I install jitsi-1.0-latest-x64.exe I can't select the
> PKCS11 certificate type (only PKCS12 or jks). This could be OK for me
because
> in mi first step I will develope only for x86 platforms ( it should work
on
> 64 bit ).

If you need to support PKCS11 on x64, you basically have three options:
1) Hope that your smartcard vendor has a library written in plain Java
2) Buy an alternative PKCS11 security provider (there is a company out
there, but I currently can't remember the name)
3) Access the card directly through javax.smartcardio on an APDU level and
create a security provider around it (hard work and probably impossible if
you don't have the exact specs of the card, impossible as a generic method)

> So I've downloaded jitsi-src-1.0-latest.zip to develope my module
on
> it, using netbeans 7.1.1 on windows xp sp3 (company orders!). So my first
> step was "testing": build source code and create an installer for windows
> x86, to check all before starting my develop. Builder and installer
prepared
> using 32 bits libraries (even java 32 bits).
> I've launched this installer in Windows 7 (x64). First I saw a
small
> window that warns of x86 installer on x64 platform like your installer
called
> jitsi-1.0-latest-x86.exe. When the installation finished I went, again,
to
> Tools->Options->Advanced-> TLS Configuration to add a PKCS11 certificate
but
> PKCS11 it's not an option now, only PKCS12 or jks, as in x64 installer.

This is strange. If PKCS11 is not listed as an option, then the platform is
detected as x64. Is it possible that your self-built installer deploys a
64bit JRE?

> Could you, please, check it? Any idea about it?
The current x86-nightly on a x64 Win7 shows the PKCS11 option just fine.

> How do you build the proyect and/or create the x86 installer to
make
> available PKCS11?

Can't help you here - it's a long time ago that I last built an installer
myself.

> Thanks a lot.
> Kind Regards,

Regards,
Ingo


#4

Hey

  I'll develope a module to use digital certificate or DNIe (Spain) to
cipher calls.

How do you perform the actual key exchange?
We did something similar with the SuisseID (a Swiss smartcard with X.509
certificates) and MIKEY as the key exchange for SRTP.

  > 3) Access the card directly through javax.smartcardio on an APDU
level and

  > create a security provider around it (hard work and probably
impossible if

  > you don't have the exact specs of the card, impossible as a

generic

method)

  I have to develope it for generic smartcard reader but specific
smartcard... so I'm using javax.smartcardio on an APDU.

Do you have the specification for the card on that level? This is often
confidential information. For the SuisseID project we needed to do some
reverse engineering despite having a card description under an NDA.

  > This is strange. If PKCS11 is not listed as an option, then the
platform is

  > detected as x64. Is it possible that your self-built installer
deploys a

  > 64bit JRE?

  I don't think so because I've built it and create the installer

under

Windows XP SP3 with only 32bit jdk and jre installed. I can't
understand it because of if I install jitsi-1.0-latest-x86.exe
downloaded from jitsi.org on Windows 7 x64 the PKCS11 option is shown
but if I build the x86 installer from source, doesn't.

The _installed_ JRE/JDK doesn't matter - it's what you have specified in
/resources/install/installers.properties. Maybe windows.jre.file or
windows.jre.zip property points to a 64bit JRE?

Other than that, please try to find out why the system property
sun.arch.data.model says 64 instead of 32 (see the class OSUtils). For
example, create a simple class that just does a println of that property and
execute it with the JRE installed from your self-built Jitsi-installer (e.g.
"C:\Program Files (x86)\Jitsi\jre\bin\java.exe" ArchTest).

Regards,
Ingo

PS: Could you please send mails to the list in plain text?


#5

Hi

> I'll develope a module to use digital certificate or DNIe (Spain) to
> cipher calls.

How do you perform the actual key exchange?
We did something similar with the SuisseID (a Swiss smartcard with X.509
certificates) and MIKEY as the key exchange for SRTP.

We are encripting SIP under TLS not the SRTP.
Maybe it something similar because of I heared that ours is like the SwissID
or BelgiumID, I can't remember exactly now.

> > 3) Access the card directly through javax.smartcardio on an APDU
> level and
>
> > create a security provider around it (hard work and probably
> impossible if
>
> > you don't have the exact specs of the card, impossible as a
generic
> method)
>
> I have to develope it for generic smartcard reader but specific
> smartcard... so I'm using javax.smartcardio on an APDU.

Do you have the specification for the card on that level? This is often
confidential information. For the SuisseID project we needed to do some
reverse engineering despite having a card description under an NDA.

Yes, we have. Because of here in Spain all specification card level
become public
since a few months.

> > This is strange. If PKCS11 is not listed as an option, then the
> platform is
>
> > detected as x64. Is it possible that your self-built installer
> deploys a
>
> > 64bit JRE?
>
> I don't think so because I've built it and create the installer
under
> Windows XP SP3 with only 32bit jdk and jre installed. I can't
> understand it because of if I install jitsi-1.0-latest-x86.exe
> downloaded from jitsi.org on Windows 7 x64 the PKCS11 option is shown
> but if I build the x86 installer from source, doesn't.

The _installed_ JRE/JDK doesn't matter - it's what you have specified in
/resources/install/installers.properties. Maybe windows.jre.file or
windows.jre.zip property points to a 64bit JRE?

Yes, sure. All its.jre.zip property points to a 64bit JRE?

Yes, sure. All items point to 32-bits versions.
windows.jre.file=C:\Install\jre-6u31-windows-i586.exe
windows.jre.zip= [blank]

Other than that, please try to find out why the system property
sun.arch.data.model says 64 instead of 32 (see the class OSUtils). For
example, create a simple class that just does a println of that property and
execute it with the JRE installed from your self-built Jitsi-installer (e.g.
"C:\Program Files (x86)\Jitsi\jre\bin\java.exe" ArchTest).

Oh! Thanks for the suggested test because of that I realized the
path "C:\Program Files (x86)\Jitsi\jre\bin\" was empty after installation.
I've typed: windows.jre.zip=C:\Install\jre-6u31-windows-x86.zip (which is
my Windows XP JRE folder compressed). Now it works properly
and PKCS11 option is available even on Windows x64.

Only another stupid question because of this change into installers.properties
the installer build process shows a few warnings about fonts, like:
[exec] C:\NetBeansProjects\jitsi\release\windows\tmp\component-defines.wxi(323)
: warning LGHT1076 : ICE60: The file LucidaBrightRegular.ttf is not a
Font, and its version is not a companion file reference. It should
have a language specified in the Language column.
Have you got any idea about these warnings?

Thanks a lot for your quick and effective help.
Kind Regards,

···

--
--DAVID--


#6

We are encripting SIP under TLS not the SRTP.
Maybe it something similar because of I heared that ours is like the

SwissID

or BelgiumID, I can't remember exactly now.

Ah okay, so it's just the logon to the SIP server.

Only another stupid question because of this change into
installers.properties the installer build process shows a few warnings
about fonts, like: [exec]
C:\NetBeansProjects\jitsi\release\windows\tmp\component-
defines.wxi(323) : warning LGHT1076 : ICE60: The file
LucidaBrightRegular.ttf is not a Font, and its version is not a
companion file reference. It should have a language specified in the
Language column.
Have you got any idea about these warnings?

No idea, that's too deep in WiX for me. But the font exists on Win7, so
maybe the wix-file just references it because it was there at the time of
creation and you could possible replace it with something else. Missing
fonts are usually not a problem on Windows as it tries to use a similar one.
If your installer works fine, I wouldn't care too much about that.

Thanks a lot for your quick and effective help.

You're welcome! :slight_smile:

Regards,
Ingo