Support "no signature" signers on local X.509 certificates.

jitsi-media-transform/src/main/kotlin/org/jitsi/nlj/dtls/DtlsConfig.kt

@@ -54,6 +54,10 @@ class DtlsConfig {
         }
     }
 
+    val useNoSignatureSigner: Boolean by config {
+        "jmt.dtls.use-no-signature-signer".from(JitsiConfig.newConfig)
+    }
+
     companion object {
         val config = DtlsConfig()
     }

jitsi-media-transform/src/main/kotlin/org/jitsi/nlj/dtls/DtlsUtils.kt

@@ -114,7 +114,11 @@ class DtlsUtils {
                 subject,
                 keyPair.public
             )
-            val signer = JcaContentSignerBuilder("SHA256withECDSA").build(keyPair.private)
+            val signer = if (config.useNoSignatureSigner) {
+                NoSignatureSigner()
+            } else {
+                JcaContentSignerBuilder("SHA256withECDSA").build(keyPair.private)
+            }
 
             return certBuilder.build(signer).toASN1Structure()
         }

jitsi-media-transform/src/main/kotlin/org/jitsi/nlj/dtls/NoSignatureSigner.kt

@@ -0,0 +1,47 @@
+package org.jitsi.nlj.dtls
+
+import org.bouncycastle.asn1.ASN1ObjectIdentifier
+import org.bouncycastle.asn1.DERNull
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier
+import org.bouncycastle.operator.ContentSigner
+import java.io.OutputStream
+
+/**
+ * A "signing" algorithm which produces an empty signature.  Based on
+ * draft-davidben-x509-alg-none.
+ * Should be treated as an unknown algorithm by all recipients, so any attempt to
+ * validate it will return false.
+ */
+class NoSignatureSigner : ContentSigner {
+    override fun getAlgorithmIdentifier(): AlgorithmIdentifier {
+        return identifier
+    }
+
+    override fun getOutputStream(): OutputStream {
+        return OutputStream.nullOutputStream()
+    }
+
+    override fun getSignature(): ByteArray {
+        /*
+        The Certificate's signatureValue field MUST be a BIT STRING of length zero.
+         */
+        return ByteArray(0)
+    }
+
+    companion object {
+        private val identifier = AlgorithmIdentifier(
+            /*
+             id-pkix OBJECT IDENTIFIER  ::= { iso(1) identified-organization(3)
+                  dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
+
+              id-alg-noSignature OBJECT IDENTIFIER ::= {id-pkix id-alg(6) 2}
+             */
+            ASN1ObjectIdentifier("1.3.6.1.5.5.7.6.2"),
+            /*
+            The parameters for id-alg-noSignature MUST be present
+               and MUST be encoded as NULL.
+             */
+            DERNull.INSTANCE
+        )
+    }
+}

jitsi-media-transform/src/main/resources/reference.conf

@@ -47,7 +47,8 @@ jmt {
     local-fingerprint-hash-function = sha-256
     // The hash functions that are accepted for remote certificate fingerprints, in decreasing strength order
     accepted-fingerprint-hash-functions = [ sha-512, sha-384, sha-256, sha-1 ]
-
+    // Whether to use the "no-signature" signer rather than self-signing the local certificate
+    use-no-signature-signer = true
   }
   srtp {
     // The maximum number of packets that can be discarded early (without going through the SRTP stack for