libobs: Add OS keychain API #9122
Conversation
derrod
changed the title
derrod
force-pushed
the
os-keychain-api
branch
5 times, most recently
from
3f94700 to
40d12f7
Compare
|
I know that there has been work ongoing for obsproject/rfcs#39 to overhaul how services work, but since it's not submitted or reviewable yet I have added some things I deemed necessary for this to work properly. Namely, a means of removing authentication information from the config/keychain, which currently is not done. In addition to that I also added token invalidation, which isn't strictly necessary, but was easy enough to add once I added the |
derrod
force-pushed
the
os-keychain-api
branch
4 times, most recently
from
500fb3f to
f03710b
Compare
derrod
changed the title
|
Added Since it is compiled with gcrypt it'll use the application-specific key provided by the secrets portal to encrypt and store data in a local file rather than storing it in the OS keyring. This makes them non-user-managable, but does not require access to the Secret Service D-Bus. |
| NSString *nsKey = [[NSString alloc] initWithBytesNoCopy:(void *) key length:strlen(key) | ||
| encoding:NSUTF8StringEncoding | ||
| freeWhenDone:NO]; | ||
| NSData *nsData = [NSData dataWithBytesNoCopy:(void *) data length:strlen(data) freeWhenDone:NO]; |
There was a problem hiding this comment.
As you ensure that key is not an invalid pointer, you should be able to just box the char pointer to an NSString via NSString *nsKey = @(key);.
Alternatively you could just use CoreFoundation types throughout:
CFStringRef account = CFStringCreateWithCString(kCFAllocatorDefault, key, kCFStringEncodingUTF8);
CFStringRef service = CFStringCreateWithCString(kCFAllocatorDefault, "OBS Studio", kCFStringEncodingUTF8);
CFDataRef data = CFDataCreate(kCFAllocatorDefault, data, strlen(data));
CFTypeRef keys[4] = {kSecAttrAccessible, kSecClass, kSecAttrService,
kSecAttrAccount, kSecValueData};
CFTypeRef values[4] = {kSecAttrAccessibleWhenUnlocked, kSecClassGenericPassword,
service, account, data};
It's functionally probably not much different, but personally I prefer to use CoreFoundation types when interacting in the CoreFoundation world.
You might need to CFRelease some of them after you're done of course.
There was a problem hiding this comment.
I assume I could use CFStringCreateWithCStringNoCopy/CFDataCreateWithBytesNoCopy to avoid copying (since that not necessary here) in the same way as its done with NSString/NSData.
I'd still prefer to avoid using a CFDictionary directly since the readability suffers a lot.
There was a problem hiding this comment.
Fair enough - we use CFDictionary in obs-outputs already to access to root certificates in the keychain, so it would be "familiar". And the readability improves the longer you work with CoreFoundation. 😉
derrod
changed the title
|
Updated with changes made to obsproject/rfcs#54 to add a "label" to the parameters. This requires the API user to specify a user-facing group name for an entry which is then visible in keychain mangers, for example: |
|
Since this has an open and pending RFC, we are opting to close this until the RFC has been finalized. The branch and discussion on implementation is welcome to take place on the RFC, and this may be reopened when the RFC is finalized. |
Description
Implements OS keychain APIs per obsproject/rfcs#54 for Windows, macOS, and Linux (via libsecret).
Motivation and Context
Secure storage for sensitive data.
How Has This Been Tested?
Tested on Windows, macOS, and Ubuntu 22.04 with # applied on top.
Types of changes
Checklist: