What is the standard way to retrieve generic passwords in the Keychain of OS X using only Java? Apple Developer Pages provide some good background but the implementation and examples are in C or native code unfortunately.

The Java KeyStore OS X implementation appears to be good only for public/private key pairs and certs but not generic username/password combos.

I see a project started Here: but it is relatively old and not actively maintained.

Is there a more state of the art solution to the problem of securing credentials in Mac OS X in Java?

EDIT: OAuth is not an option for the class of problem and environment that I am operating in ...

Further to the answer above by f-stephen-q, this library appears to work well still. I'm using a fork of it which is mavenised

$ git clone https://github.com/physion/osx-keychain-java
$ mvn install
$ cp dist/osxkeychain.jar ~/myproject/external

Adding a dependency

<dependency>
  <groupId>us.physion</groupId>
  <artifactId>osx-keychain</artifactId>
  <version>1.0</version>
  <scope>system</scope>
  <systemPath>${project.basedir}/external/osxkeychain.jar</systemPath>
</dependency>

Running it

osx-keychain-java$ jshell -cp ./dist/osxkeychain.jar

jshell> import com.mcdermottroe.apple.*;
jshell> OSXKeychain keychain = OSXKeychain.getInstance();
keychain ==> com.mcdermottroe.apple.OSXKeychain@2286778

jshell> keychain.addGenericPassword("aardvark", "a", "b");

jshell> keychain.findGenericPassword("aardvark", "a");
$4 ==> "b"

I've done this myself by using the command line, e.g. running /usr/bin/security. However it doesn't have strong access controls. So you can run the /usr/bin/security from a terminal to access the same passwords, but a C++ app calling into the library directly would be blocked.

Because of this I'm using it only for oauth tokens for Social Media accounts. Things that you could do similarly by launching a web browser when logged in as the user.

https://github.com/yschimke/oksocial/blob/master/src/main/java/com/baulsupp/oksocial/credentials/OSXCredentialsStore.java

This seems to be a fairly common problem; the only solution I've found that looks like it might meet your requirements is this Github project, but it seems to be extremely old/unmaintained, and I can't speak to the quality or security of the code.

Unfortunately, there does not seem to be native support for accessing passwords stored in the keychain, and this does not seem to be a common enough problem for there to be an actively-developed library to solve it.

There is also JNA + Maven project here which doesn't require compiling any native code in the build. Apparently supports OSX and Windows.

https://bitbucket.org/east301/java-keyring/

It has less features than osx-keychain-java, but supports Add and Get Generic Password.

<dependency>
  <groupId>net.east301</groupId>
  <artifactId>java-keyring</artifactId>
  <version>1.0.0</version>
</dependency>

Example code

import net.east301.keyring.Keyring;
import net.east301.keyring.PasswordRetrievalException;

Keyring keyring = Keyring.create();
String pw = keyring.getPassword(service, account);

I am now using https://github.com/davidafsilva/jkeychain which is a fork of conormcd/osx-keychain-java

Gradle

compile 'pt.davidafsilva.apple:jkeychain:1.0.0'

Example

final OSXKeychain keychain = OSXKeychain.getInstance();
final Optional<String> mySecret = keychain.findGenericPassword("mySecret", "username");

Example project usage: https://github.com/yschimke/okurl/blob/b3208514b4338a2f57bfedccb2da4e6f54d0d99a/src/main/kotlin/com/baulsupp/okurl/credentials/OSXCredentialsStore.kt