[iCloud] account thing won't login after openhab restart

[vsubbotskyy]

Expected Behavior

Should login to iCloud

Current Behavior

Right now when I save the binding it won't login and won't trigger 2fa

Steps to Reproduce (for Bugs)

Restart openhab service, observe iCloud account thing

Context

This started recently I guess. I found only one post on community portal, and it is very recent:
https://community.openhab.org/t/icloud-binding-authentication-problem/159739

Your Environment

• openHAB 4.2.1 - Release Build
• iCloud Binding 4.2.1

[openhab-bot]

This issue has been mentioned on openHAB Community. There might be relevant details there:

https://community.openhab.org/t/icloud-binding-authentication-problem/159739/5

[phuongpham]

Check the fix for pyicloud at picklepete/pyicloud#456

for base.py

[maihacke]

I had a look into this. The problem is that Apple changed there authentication mechanism. They know use SRP, which is not supported by the binding.
Having this analyzed a bit it should be possible to adopt the binding accordingly.

Currently there is one challenge with has to be discussed.
We will need an SRP implementation. There exists several options, e.g. Bouncycastle or Nimbus SRP:
Since BC is already included in OH I did few tests with BC, but soon was blocked by the following problem:

OH includes pcpkix-jdk18on-1.77.jar which is repackaged in org.openhab.io.jetty.certificate.jar. BCs SRP implementation is part of pcprov-jdkon-1.77.jar. When adding this to the classpath I get an security exceptions because the jar signatures do not match. I saw some older discussions around this in the forum (e.g. https://community.openhab.org/t/io-jetty-certificate-embeds-bouncy-castle-crypto-classes-resulting-in-classloader-error/153020/1).
From what I see currently it would not be possible to use SRP from BC without changes to certificate.jar form OH-core.
So it might be easier to directly go to Nimbus.

I'm not sure who is responsible for these type of questions, so any opinion on that, @kaikreuzer ?