xwiki-devs August 2010

xwiki-devs@xwiki.org

29 participants
47 discussions

[xwiki-devs] [proposal] Add cryptography api component and script service to xwiki

by Caleb James DeLisle

Hello all, I you have been watching on irc and in the sandbox commit notifications you know Alex and I have been working hard on developing some high quality cryptographic services, I think it is ready to add to the core. What xwiki-crypto provides: * PasswordVerificationFunction provides ability to protect ("hash") a password using functions which require a configurable amount of processor power and RAM. This allows a configurable level of difficulty for password guessing attacks and configurable memory costs even frustrate hardware (GPU) based cracking attempts. This uses a standards conforming implementation of what is a truly state of the art password hashing technology developed by Colin Percival, deputy security officer for FreeBSD operating system. The design paper is here: http://www.tarsnap.com/scrypt/scrypt.pdf This will be able to be used for http://jira.xwiki.org/jira/browse/XWIKI-70 (Safe password storage) * Password based encryption using the function defined above for converting the password to the encryption key. The default encryption algorithm is CAST-5 which has been used by PGP encryption system. * RSA-2048 key generation and text signature. Option #1: Generate key in user's browser (Supports Firefox and Opera, possible to add IE support.) and be able to use the crypto.signText function in javascript allowing for signature which are unforgable even by the administrator (or hacker) of the server. Option #2: Generate key on the server and store password encrypted (see above) allowing for "pretty good" level of signature non-reputability. What this will look like to a script: ## Password Encryption #set($ciphertext = $services.crypto.passwd.encryptText("this is a secret", "hopefully a strong password")) ## Password Decryption #set($plaintext = $services.crypto.passwd.decryptText($ciphertext, "hopefully a strong password")) ## Protecting a password (so can be validated but the original can't be derived from the protected password and it's hard to do password guessing attacks) #set($safePassword = $services.crypto.passwd.protectPassword($userSuppliedPlaintextPassword) ## Validating a password against the "safe password" #if($services.crypto.passwd.isPasswordCorrect($userSuppliedPlaintextPassword, $safePassword) you win! #end ## Generating a key in the user's browser (this won't likely be used often) ## $spkac is a public key given by the browser when the user clicks on the create certificate button, this is compatible with FOAFSSL. ## 365 is the number of days the certificate should be valid for. ## this returns 2 certificate, one is the user's and the other is a self signed authority which trusts it. #set($certAndAuthority = $services.crypto.x509.certsFromSpkac($spkac, 365)) ## Generating a key (x509 certificate + private key) on the server side (this won't likely be used often) ## this returns an XWikiX509KeyPair #set($privateKeyAndCert = $services.crypto.x509.newCertAndPrivateKey(365, "password for protecting private key") ## Serializing a keyPair to a base64 string (this does not conform to any standard because no decent standard was available) #set($keyPairAsString = $privateKeyAndCert.serializeAsBase64()) ## Deserializing the keypair back from the string #set($privateKeyAndCert = $services.crypto.x509.keyPairFromBase64($keyPairAsString) ## Signing text with a "$privateKeyAndCert" ## This outputs a base64 String representing the signature. #set($signature = $services.crypto.x509.signText("this is the text I want to sign", $privateKeyAndCert, "password for protecting private key") ## Verifying text (this verifies text signed with either the above signText function or with the mozilla/opera javascript crypto.signtText function.) ## this outputs an XWikiX509Certificate object which can then be compared to known trusted certificates. #set($signingCertificate = $services.crypto.x509.verifyText("this is the text I want to sign", $signature)) ## Serializing a certificate as a String in conforming PEM format (readable by OpenSSL) #set($pemString = $signingCertificate.toPEMString()) ## Deserializing a certificate from PEM format #set($signingCertificate = $services.crypto.x509.certFromPEM($pemString) The interfaces: http://svn.xwiki.org/svnroot/xwiki/contrib/sandbox/xwiki-crypto/src/main/ja… http://svn.xwiki.org/svnroot/xwiki/contrib/sandbox/xwiki-crypto/src/main/ja… http://svn.xwiki.org/svnroot/xwiki/contrib/sandbox/xwiki-crypto/src/main/ja… http://svn.xwiki.org/svnroot/xwiki/contrib/sandbox/xwiki-crypto/src/main/ja… WDYT? Caleb

14 years, 4 months

[xwiki-devs] How to tag pages via XMLRPC (xwiki 2.4)

by Kirst Martin Wolfgang

Hi, I want to automatically tag some pages within our XWiki (v2.4) via XMLRPX API. I've setup my eclipse for automatic uploading of pages and attachments, but I can't find any documentation how to tag pages. Simple question: how can I tag pages via XMLRPC? It seems to me, that the solutions lies within "XWikiXmlRpcClient#storeObject(XWikiObject)". But how are the parameters? Regards Martin

14 years, 4 months

[xwiki-devs] Fwd: [xwiki-notifications] XWiki updates, 9 documents have been modified since 2010/08/05 00:00

by Jerome Velociter

Seems some content is missing. The summary refers to "XWiki JavaScript API" and "XWiki API Reference" pages, but they do not appear in the body of the mail. Anyone knows what could cause this ? Jerome. ----- Forwarded Message ----- From: notifications(a)xwiki.org To: notifications(a)xwiki.org Sent: Friday, August 6, 2010 12:00:18 AM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna Subject: [xwiki-notifications] XWiki updates, 9 documents have been modified since 2010/08/05 00:00 Contents • dev • Community • Release Plans • Release Plans Archives • IRC • IRC Archive for channel #xwiki • platform • DevGuide • XWiki API Reference • XWiki JavaScript API • xwiki • XWiki • ChristophDewes • JarbasJunior • guenter • pmarzouk Hello Developers, This message is sent by XWiki. Here are the documents in your watchlist that have been modified since the last notification: dev Community Release Plans Community.ReleasePlans On 2010/08/05 13:49, the document has been modified by Thomas Mortagne * [[API doc>>http://platform.xwiki.org/xwiki/bin/view/DevGuide/API]] ([[core>>http://maven.xwiki.org/releases/com/xpn/xwiki/platform/xwiki-core/]] [[rendering>>http://maven.xwiki.org/releases/org/xwiki/platform/xwiki-core-rendering-api…) doc>>http://platform.xwiki.org/xwiki/bin/view/DevGuide/API]] |= Release notes |= Update download page |= News on OW2 |= News on xwiki.org |= API doc (core rendering) |= Wikipedia |= Freshmeat |= Wikimatrix |= ANN Mail = 2.3.2 = (% style="width: 100%;" %) |=(% colspan="3" %)Update translations |= CORE |= XE |= WYSIWYG | x| x| x (% style="width: 100%;" %) |=Module |= Version |= Jira |= Maven |= OW2 | xwiki-core | 2.3.2| x| x| - | xwiki-plugin-skinx| 1.13.1| x| x| - | xwiki-platform-web | 2.3.2| x| x| - | xwiki-product-enterprise | 2.3.2| x| x|x\\ | xwiki-product-enterprise-manager| 2.3.2| x| x|x (% style="width: 100%;" %) |= Release notes |= Update download page |= News on OW2 |= News on xwiki.org |= API doc (core rendering) |= Wikipedia |= Freshmeat |= Wikimatrix |= ANN Mail |x|x| x|x| x|x| x|x|x author: xwiki:XWiki.Sergiu > xwiki:XWiki.ThomasMortagne Release Plans Archives Community.ReleasePlansArchives On 2010/08/05 13:49, the document has been modified by Thomas Mortagne = 2.3.2 = (% style="width: 100%;" %) |=(% colspan="3" %)Update translations |= CORE |= XE |= WYSIWYG | x| x| x (% style="width: 100%;" %) |=Module |= Version |= Jira |= Maven |= OW2 | xwiki-core | 2.3.2| x| x| - | xwiki-plugin-skinx| 1.13.1| x| x| - | xwiki-platform-web | 2.3.2| x| x| - | xwiki-product-enterprise | 2.3.2| x| x|x\\ | xwiki-product-enterprise-manager| 2.3.2| x| x|x (% style="width: 100%;" %) |= Release notes |= Update download page |= News on OW2 |= News on xwiki.org |= API doc (core rendering) |= Wikipedia |= Freshmeat |= Wikimatrix |= ANN Mail |x|x| x|x| x|x| x|x|x parent: Scheduler.ReleasePlans > ReleasePlans author: xwiki:XWiki.Sergiu > xwiki:XWiki.ThomasMortagne IRC IRC Archive for channel #xwiki IRC.xwikiArchive20100805 Between 2010/08/05 01:24 and 2010/08/05 21:48, the document has been modified 3 times, by 1 user: Sergiu Dumitriu #includeForm("IRC.IRCArchiveClassSheet") IRC.IRCArchiveClass channel: #xwiki content: abusenius left at 01:24 (Quit: Konversation terminated! sdumitriu left at 02:23 (Ping timeout: 240 seconds tsziklay left at 03:12 (Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716] boscop_ joined #xwiki at 03:53 boscop left at 03:56 (Ping timeout: 265 seconds MartinCleaver left at 04:35 (Quit: MartinCleaver venkatesh joined #xwiki at 05:49 kibahop joined #xwiki at 08:27 LadySerena left at 08:36 (Quit: Time to sharpen my claws! asrfel joined #xwiki at 08:41 sdumitriu joined #xwiki at 08:52 Enygma` joined #xwiki at 08:52 mflorea joined #xwiki at 08:56 lucaa joined #xwiki at 08:56 florinciu joined #xwiki at 09:05 tmortagne joined #xwiki at 09:06 tmortagne left #xwiki at 09:06 mflorea left at 09:21 (Quit: Leaving. tmortagne joined #xwiki at 09:23 mflorea joined #xwiki at 09:24 vmassol joined #xwiki at 09:32 mflorea - (09:36): guys, how can I delete a translation of a wiki page? tmortagne left at 09:36 (Quit: Leaving. sdumitriu - (09:37): mflorea: Add ?language=xz in the /delete/ URL tmortagne joined #xwiki at 09:38 mflorea - (09:38): let me try sdumitriu - (09:38): Works only if that’s not the default language of the document ztane - (09:48): how do I get the password reset dialog working on a private wiki? :) vmassol left at 09:50 (Quit: Leaving. KermitTheFragger joined #xwiki at 09:54 tmortagne - (09:54): sounds like a long proposal :) mangroovie joined #xwiki at 09:54 ztane - (09:56): hmm maybe should go for ldap sdumitriu - (09:56): ztane: Private = forbid unauthenticated view? ztane - (09:57): yes ztane - (09:58): enterprise extranet wiki :)) cjdelisle - (09:59): It has been a long time coming. Oddly enough there aren’t a real lot of services provided. ztane - (09:59): do not want anything to leak out to nonauthorized, except the password reset form jvdrean joined #xwiki at 10:04 sdumitriu - (10:11): ztane: Sorry, that’s not possible yet sdumitriu - (10:12): Preventing unauthenticated access really prevents it abusenius joined #xwiki at 10:21 vmassol joined #xwiki at 10:23 cjdelisle - (10:28): abusenius: Any thing else you need in xwiki-crypto? (working on the proposal) abusenius - (10:32): hm, no, just the methods for storing/loading certs/keys that we might want put elsewhere abusenius - (10:32): *to put cjdelisle - (10:33): Yea, IMO load/store is not really in the scope of crypto. abusenius - (10:35): should I move it to signedscripts? thats the only place it’s used atm cjdelisle - (10:36): *distraction: IPv6 is a joke, 19.0.0.0 - 19.255.255.255 is Ford Motor Company ip space, it is not even announced to the backbone routers. cjdelisle - (10:36): What car company doesn’t need 16,000 unused ips? abusenius - (10:36): *IPv4? cjdelisle - (10:37): IP6 is a joke because like 40% of ip4 numbers are routed, 3% respond to pings. abusenius - (10:37): it’s a good investment, they will be able to sell it for a lot of money quite soon :) cjdelisle - (10:37): Not if arin/ripe catch you. abusenius - (10:37): well, it’s just that nobody uses them abusenius - (10:38): well, thats another question cjdelisle - (10:38): Well not nobody, some halliburton space suddenly started getting announced from eastern europe. cjdelisle - (10:38): spam spam spam spam cjdelisle - (10:41): Halliburton 34.0.0.0 - 34.255.255.255 (to their credit they announce a couple hundred ips in that range and run their site in it.) abusenius - (10:42): I’Ve read somewhere that one of the problems is that they used to give just 2 types of ip ranges, 255.255.255.0 for "small" companies and 255.0.0.0 for "big" companies :) cjdelisle - (10:45): that 255.255.255.0 is called a /24 because 24 of the 32 bits are defined. 255.0.0.0 is a /8, nobody can get a /8 anymore, they gave them out in like 1991. cjdelisle - (10:46): You guys can still get a /24 for like 150€ but arin won’t sell anything smaller than a /20. cjdelisle - (10:48): The problem is provide independent space means you announce your (tiny little) range to all of the backbone routers and the global routing tables get so huge they need bigger routers. cjdelisle - (10:50): What’s easiest for the backbone is if 192 routes to usa, 64 routes to chicago, 32 routes to some isp and 25 routes to the specific computer. Except 192 range is not like that, 192.64.32.1 might be a computer in chicago and 192.64.33.1 might be in estonia. sburjan joined #xwiki at 10:52 cjdelisle - (10:57): humpf... decryption succeeded with wrong password. I think it decrypted to garbage but I have to check... abusenius - (10:57): we might want to check if the output == input cjdelisle - (11:00): yup, repeating the test in loop 0-1000 cjdelisle - (11:01): if the output is the same length, I think the padding scheme doesn’t notice anything is wrong. cjdelisle - (11:01): indeed, I already have a bad decryption. abusenius - (11:03): in theory, a wrong password might decrypt to any meaningful text, but the probability is very very low cjdelisle - (11:04): hmm, actually the key would have to be as long as the original text to decrypt to anything. cjdelisle - (11:05): I remember someone talking about an algorithm which would decrypt to various things based on the password given. cjdelisle - (11:05): It would be pretty obvious to a cryptographer though that there was more to it though. abusenius - (11:06): well, if the key is as long as the text, then you can decrypt to any text of the same length abusenius - (11:07): if the key is shorter, the number of possible decryptions is much smaller cjdelisle - (11:07): But it brings up an interesting topic, if you xor "illegal data" against random and publish the random on one server and the output on another, which server gets the takedown notice? abusenius - (11:07): but one of them might still be meaningful cjdelisle - (11:08): It’s essentially impossible to determine random from something xor’d against random. cjdelisle - (11:09): 4 collisions. abusenius - (11:09): well, you can easily invent any content you want :) abusenius - (11:09): what yre you encrypting? cjdelisle - (11:10): I just rigged the test to repeat trying to decrypt with the wrong password and dump any time it collides. Enygma` left at 11:10 (Ping timeout: 276 seconds cjdelisle - (11:10): decryptWithWrongPasswordTest() * 1000 abusenius - (11:11): so "collision" = successfull decryption to garbage? cjdelisle - (11:11): yup. cjdelisle - (11:11): done. 4/1000 tries. abusenius - (11:11): the only way decryption algorithm can distinguish "meaningful" text from garbage is the padding kibahop left #xwiki at 11:12 cjdelisle - (11:12): IMO it should output garbage every time it fails. Imagine trying to password guess that :D abusenius - (11:12): so if the garbage by chance contains one byte of correct padding, it will succeed abusenius - (11:12): well, you can check for printable character for example cjdelisle - (11:12): yup, check for invalid utf8 cjdelisle - (11:13): imagine encrypting an mp3, basically any text is valid in an mp3 cjdelisle - (11:13): or mpeg4 abusenius - (11:13): there is a header you can trry to match abusenius - (11:14): frames etc. abusenius - (11:14): but it is harder abusenius - (11:14): thats one of the reasons people first compress, then encrypt :) cjdelisle - (11:16): Yea, it would be tough trying to beat this algorithm though, it took like 5 minutes for 2000 cycles of scrypt, I could make it take longer with config too. cjdelisle - (11:27): proposal sent. mangroovie left at 11:29 (Ping timeout: 252 seconds cjdelisle - (11:41): I don’t see the user manager in the sandbox, is it written? (http://dev.xwiki.org/xwiki/bin/view/Design/UsersModule) abusenius - (11:42): it is very new imo, probably not yet cjdelisle - (11:45): The proposed interface looks like it can only be implemented using some sort of String USER_CLASS = "XWiki.XWikiUsers"; cjdelisle - (11:47): Maybe I should propose a best practice that we never make the core depend on the content of the database. AKA hardcoding document names. abusenius - (11:51): which interface? cjdelisle - (11:53): defined here http://dev.xwiki.org/xwiki/bin/view/Design/UsersModule mangroovie joined #xwiki at 11:53 venkatesh left at 11:53 (Ping timeout: 265 seconds abusenius - (11:54): ah, ok abusenius - (11:56): maybe, I "never ever" rule is quite unrealistic though abusenius - (11:56): s/I/a/ cjdelisle - (11:58): Well that’s how all best practices are, sometimes you are just plain painted into a corner. cjdelisle - (11:58): I usually end up throwing away code when that happens. abusenius - (12:01): moved cert storage methods out of crypto, about to commit cjdelisle - (12:01): there was storage in crypto? cjdelisle - (12:02): I don’t see it... abusenius - (12:03): well, user document utils were misused for that abusenius - (12:04): I mean listinf fingerprints etc. abusenius - (12:04): *listing venkatesh joined #xwiki at 12:04 cjdelisle - (12:04): Oh, I haven’t looked there in a while. thanks ;) cjdelisle - (12:04): k I think I know how you can validate a cert. cjdelisle - (12:05): Take the webid and do a http get on it, you’ll get the foafssl stuff. cjdelisle - (12:06): We can also set it up so you get a list of signed permissions granted to the user. abusenius - (12:07): yea, we could do that cjdelisle - (12:07): parse those permissions, extract cert from signature, recurse. cjdelisle - (12:08): It will be awesome but slooooooow. cjdelisle - (12:09): hmm, maybe not if the user pages get cached. abusenius - (12:09): the recursion would not be very deep abusenius - (12:09): unless we overdo it :) venkatna joined #xwiki at 12:10 abusenius - (12:10): it should be something like admin -> user permission -> cert cjdelisle - (12:10): What’s awesome about it is I can be on one wiki and give you permission on another, you can then give permissions to people on my wiki. venkatesh left at 12:10 (Ping timeout: 248 seconds abusenius - (12:11): not that everybody was waiting to do that all their life, but yea, would be possible :) cjdelisle - (12:12): I don’t expect anyone beating a path to the door for it but I can see in the future there might be applications. cjdelisle - (12:13): If I grant admin authority to an admin of another wiki, all of their wiki’s users get defacto permissions on mine. cjdelisle - (12:15): the escaping test makes a nice DoS engine. abusenius - (12:16): :) cjdelisle - (12:17): Have you seen Websecurity? abusenius - (12:18): not sure what you mean abusenius - (12:18): afk for lunch cjdelisle - (12:19): http://www.websecurify.com/ cjdelisle - (12:19): I’ll go find something to eat too. florinciu1 joined #xwiki at 12:39 florinciu left at 12:44 (Ping timeout: 276 seconds florinciu1 left at 12:46 (Read error: Connection reset by peer florinciu joined #xwiki at 12:47 sylviarusu joined #xwiki at 12:56 florinciu left at 13:05 (Ping timeout: 240 seconds florinciu joined #xwiki at 13:08 tmortagne - (13:10): cjdelisle: i’m not sure i understand what you mean in XWIKI-5390 cjdelisle - (13:10): http://maven.xwiki.org/site/xwiki-core-parent/xwiki-core/apidocs/com/xpn/xw… cjdelisle - (13:11): all still version 1.7 tmortagne - (13:12): cjdelisle: there is a hudson project for it already, that’s http://hudson.xwiki.org/job/xwiki-platform-core-site-job/ but it has been disabled some time ago because we had issue with javadoc plugin think tmortagne - (13:12): s/think/I think/ cjdelisle - (13:13): I see, I can try to see if I can get it working again. tmortagne - (13:13): yep cjdelisle - (13:13): It’s pretty important because that’s the only place to get javadoc for XWikiDocument etc. tmortagne - (13:14): cjdelisle: well there is m2Eclipse automatically downloading javadoc/source too ;) tmortagne - (13:14): which is very usefull tmortagne - (13:15): but it’s only for released projects cjdelisle - (13:15): When I wrote the DevGuide.Scripting I had to reference some javadoc so I chose that. cjdelisle - (13:15): Because it’s hosted. cjdelisle - (13:16): If I can get this working then I see no reason to keep uploading .zip files to xwiki.org so that will close another issue. cjdelisle - (13:16): Make any sense? tmortagne - (13:17): cjdelisle: it’s not the same thing tmortagne - (13:17): this job deploy trunk jaavadoc tmortagne - (13:17): in xwiki.org we provide specific releases javadoc cjdelisle - (13:17): hmm. good point. Maybe we can have hudson build from branches? tmortagne - (13:17): what should be done in xwiki.org is having something more dynamic that get the proper javadoc from maven.xwiki.org files instead of having to attach tmortagne - (13:18): i want to add this since a long time in zip plugin but never had the time cjdelisle - (13:18): in the zip plugin? tmortagne - (13:19): the xwiki plugin which is used to view the javadoc inside the zip file attached to the page tmortagne - (13:19): http://platform.xwiki.org/xwiki/bin/download/DevGuide/API/xwiki-core-render… cjdelisle - (13:19): make it able to load a page hosted somewhere else? cjdelisle - (13:19): s/load a page/read a zip/ tmortagne - (13:20): yes make it able to work with a zip from anywhere and not only an attached file cjdelisle - (13:20): hmm, as long as it can’t be exploited to... say open really big zips somewhere? abusenius - (13:21): re websecurity, no, haven’t seen it before cjdelisle - (13:22): I was talking to a guy who mentioned if you can convince a bot to download a file, feed it a linux .iso tmortagne - (13:23): cjdelisle: you can always indicate a maximum size abusenius - (13:23): we should try some tools like websecurity on xwiki at some point, but not now (would be too disappointing ^^) florinciu left at 13:23 (Ping timeout: 258 seconds cjdelisle - (13:23): abusenius: I see a bunch of FATAL: not escaping single quote. cjdelisle - (13:23): I don’t think even escapetoo.xml escapes single quotes. tmortagne - (13:24): checking something: i think there is something abut javadoc in nexus actually abusenius - (13:24): it does abusenius - (13:24): getXMLEncoded doesn’t cjdelisle - (13:24): That’s right :) abusenius - (13:24): afaik abusenius - (13:24): it is technically correct to not escape single quotes in URL abusenius - (13:25): but not secure, because a href=’bla’ is also correct cjdelisle - (13:25): no getXMLEncoded escapes ’ to and it becomes ’ which breaks everything abusenius - (13:25): ah, right tmortagne - (13:25): cjdelisle: http://nexus.xwiki.org/nexus/service/local/repositories/releases/archive/co… tmortagne - (13:25): tadaa cjdelisle - (13:25): cool. I wish it said something like /latest/ tmortagne - (13:26): maybe there is something tmortagne - (13:27): i will at least modify the API page to go there and stop attaching files abusenius - (13:27): is it possible to link javadocs for *all* components on DevGuide/API ? abusenius - (13:28): currently it only lists core tmortagne - (13:28): abusenius: and rendering ;) tmortagne - (13:28): but yes it should be more that theses two tmortagne - (13:28): should be at least important components abusenius - (13:28): yea, but you need to do voodoo magic to find other docs :) cjdelisle - (13:29): That was a nice thing about maven.xwiki.org was everything was linked together. tmortagne - (13:31): cjdelisle: you mean maven.xwiki.org/site ? cjdelisle - (13:31): yup cjdelisle - (13:32): *idea* What if we added the svn location to the class javadoc comment in each class, then it will make a link in each javadoc pointing to the source. cjdelisle - (13:32): Maybe svn config will do the trick. abusenius - (13:33): wasn’t there a configuration option for javadoc for that? tmortagne - (13:34): cjdelisle: there is probably some maven javadoc plugin configuration we could use for it cjdelisle - (13:34): I don’t know that the javadoc would know where the files are hosted in svn, it sure would be nice though to have a docjar style [source] button abusenius - (13:35): (but maybe I saw it in doxygen, not sure) cjdelisle - (13:36): I really like this format everything is linked from there. http://maven.xwiki.org/site/xwiki-core-parent/xwiki-core/apidocs/index.html… abusenius - (13:38): http://download.oracle.com/javase/1.4.2/docs/tooldocs/windows/javadoc.html#… ? cjdelisle - (13:39): abusenius: I see three tests in error: Blog/Publisher.xml Panels/CreatePanel.xml templates/createinline.vm Do you want to do something to them before putting the tests in the tree? abusenius - (13:40): let me see cjdelisle - (13:40): Creates an HTML version of each source file (with line numbers) argh.. hate line numbers. abusenius - (13:41): well, better than nothing abusenius - (13:43): I could put those tests in error onto ignore list cjdelisle - (13:43): also I like the idea of pointing to the actual svn server. abusenius - (13:43): 2 of them fail because the xredirect is properly escaped, but my test string isn’t a URL abusenius - (13:43): 1 fails with 409, no idea why abusenius - (13:44): there are allready a dozen or so ignored tests in error cjdelisle - (13:46): Hmm, you really ought to have commit access so you can work on this once it’s in the tree, unfortunately it’s tough to get a quorum on anything right now. florinciu joined #xwiki at 13:46 venkatna left at 13:47 (Quit: Leaving abusenius - (13:48): can it be (sym)linked to sandbox? cjdelisle - (13:50): I don’t know what svn does with symlinks. abusenius - (13:51): I think on all decent operating systems it works fine :) cjdelisle - (13:51): Websecurity is a pretty good DoS cannon, when I ran it locally, my wiki eventually just ceased up and refused to serve anything. abusenius - (13:52): checkout on windows would create a copy of the directory tmortagne - (13:53): i doubt svn will support sym links anyway tmortagne - (13:53): especially svn 1.4 abusenius - (13:53): ok, if the svn server is 1.4 then we can forget it abusenius - (13:54): why is it 1.4 btw? it’s like stone age... tmortagne - (13:55): i agree tmortagne - (13:55): i’m aking for an upgrade since ages cjdelisle - (13:55): blah, hudson ceased up in wysiwyg test. Lets see if I can kill the build... cjdelisle - (13:56): yay I did something. cjdelisle - (13:58): last time the javadoc build ran out of swap space (so it says). I’ll try running it and see what happens this time. vmassol left at 13:58 (Quit: Leaving. sburjan - (14:08): cjdelisle, : was the implementation hard ? I mean .. understanding that technical paper and then implementing cjdelisle - (14:08): re scrypt? sburjan - (14:08): We had to implement DES and AES from specs like these..and it was HORRIBLE sburjan - (14:08): yes cjdelisle - (14:08): It wasn’t too bad because there was a reference implementation in c sburjan - (14:09): oh, so you didn;t wrote if from scratch cjdelisle - (14:09): It definitly is not AES. sburjan - (14:09): it’s stronger than AES, right sburjan - (14:09): AES is totally hard (at least for me) cjdelisle - (14:09): It does something different. sburjan - (14:09): yeah, I know cjdelisle - (14:10): The point is that there is no way to go from the password to the key without using x amount of ram for y cpu cycles of time. cjdelisle - (14:10): Fortunately it uses PBKCS2 which I could rip from bouncycastle. sburjan - (14:10): but basically this is a much more complex hash function, right ? cjdelisle - (14:11): yup. sburjan - (14:11): md5 is birthday paradox vulnerable sburjan - (14:11): I guess this isn;t :) cjdelisle - (14:11): It uses PBKCS2, and it uses salsa20 cjdelisle - (14:11): ahh, PBKCS2(Sha-256) :) cjdelisle - (14:12): yea md5 is bad. sburjan - (14:12): oh :)) sburjan - (14:12): md5 is obsolete sburjan - (14:12): intresting sburjan - (14:12): I never understood properly the algebra behind crypto systems sburjan - (14:13): although i wanted to :) cjdelisle - (14:13): This isn’t really crypto. cjdelisle - (14:13): It’s just designed to take a long time. cjdelisle - (14:13): So it generates an absurd amount of data. Then it takes an int from 4 bytes of a hash output and gets the data at the location of that int. cjdelisle - (14:14): The idea is you can’t safely throw away any of that data because you might need it. sburjan - (14:14): I see sburjan - (14:14): so this happens for all the new passwords ? sburjan - (14:14): new user accounts, etc ? sburjan - (14:15): I nea this happens for every password cjdelisle - (14:15): So it keeps seeding the hash with pieces of the big block of data, then it takes the output and feeds it to PBKDF2 again. sburjan - (14:15): *mean cjdelisle - (14:16): No it it’s just a service at the moment, once I convince everyone to include it in the tree, then we can think about using it for the user accounts. sburjan - (14:16): so what do you hash with these service more exactly ? cjdelisle - (14:16): Passwords. sburjan - (14:16): so only user passwords. or are there another type of passwords ? sburjan - (14:17): that are used in xwiki cjdelisle - (14:17): It is intended to be useable for the user accounts, I just want to put the code there before we even talk about implementing it for user passwords. cjdelisle - (14:17): Sure, any password can be handles by this. sburjan - (14:17): I see cjdelisle - (14:17): s/handles/handled/ abusenius - (14:17): btw, XWIKI-70 is the oldest bug (i.e. not feature request or task) atm sburjan - (14:18): so it is collision free ? or you made it like this in order to take as far as possible advante of collisions Enygma` joined #xwiki at 14:18 cjdelisle - (14:18): It is as collision resistant as pbkdf2(sha256) cjdelisle - (14:19): because the password is included in the final hash. sburjan - (14:19): yeah, but the time to find another string that hashes the same... requires much more time due to y ram and x cpu cycles, right ? cjdelisle - (14:20): Well the main attack vector is password guessing with word lists. cjdelisle - (14:20): so it’s not really a collision but the real password that is most likely to be found. sburjan - (14:20): hmmm sburjan - (14:21): dictionary attack ? :) cjdelisle - (14:21): This makes it difficult because it occupies 1MB of ram for about 100milliseconds. sburjan - (14:21): i see cjdelisle - (14:21): These numbers are configurable. sburjan - (14:21): but the actual auth mechanism is comparing the hash from db with the hash(typed password), right ? cjdelisle - (14:21): The default scrypt takes 200MB for 5 seconds. sburjan - (14:22): like md5 is still used cjdelisle - (14:22): It’s a little more complicated than that, but that’s the idea. sburjan - (14:22): I see cjdelisle - (14:22): You have a PasswordVerificationFunction which is Serializable and includes all of the information to recreate the same output given the same password. cjdelisle - (14:23): that is the salt, the memory cost number, and the processor cost number. sburjan - (14:23): yeah.. sburjan - (14:23): intresting cjdelisle - (14:24): So you load the code from the database, deserialize, and feed it the password to validate. cjdelisle - (14:24): If we decide in the future to change the function, all we need to do is create a new function and start using it for all new passwords. sburjan - (14:24): so each password is serialized in an object that is stored in the db ? cjdelisle - (14:25): the ourtput from hashing the password is a byte[] in the object yes. sburjan - (14:25): I see sburjan - (14:25): pretty cool cjdelisle - (14:26): http://svn.xwiki.org/svnroot/xwiki/contrib/sandbox/xwiki-crypto/src/main/ja… sburjan - (14:26): and what is the memory and cpu cost going in the ecuation? sburjan - (14:26): when "hashing" the inputed password in order to compare it from the serialized object ? cjdelisle - (14:27): Configurable, but I have it set to 1Mb for 100ms by default. sburjan - (14:28): yeas, but what operation is slowed down intensionally with the ram and CPU thing ? cjdelisle - (14:28): indeed, you can’t have everything :) boscop_ is now known as boscop (~boscop(a)g227154161.adsl.alicedsl.de sburjan - (14:30): no no .. where is the slow down come in place ? sburjan - (14:30): this this slows down .. you wanted this.. cpu cycles, etc cjdelisle - (14:31): ? sburjan - (14:32): you force the system to work in time. to be limited by ram and CPU sburjan - (14:32): not to take advance of the full computational powers of a possible attacker cjdelisle - (14:32): If the system is under heavy load when the user registers, then their crypted password will be weaker. cjdelisle - (14:33): decrypting the password will always take the same amount of cpu cycles. sburjan - (14:33): oh sburjan - (14:33): so decrypting is the operation that takes advantage of the intentional slowness sburjan - (14:33): got it cjdelisle - (14:34): When crypting the password, It does a test run to get the desired number of cycles from the desired time to crypt. cjdelisle - (14:34): It’s not all that accurate but within 100% according to the tests. sburjan - (14:35): I see cjdelisle - (14:35): I noticed it usually takes a little more time than it is asked to take. sburjan - (14:36): and isnt there a disk if someone tries a dictionary attack to block the server (DDOS) due to heavy platform load in order to decrypt the passwd ? sburjan - (14:36): *risk, not disk cjdelisle - (14:37): Well if you’re trying to ddos the server then you can use infinite loops etc. if you are trying to guess the password, then you want a graphics processor. cjdelisle - (14:37): Anyway if you have a botnet (DDoS) then you can get thousands of windows boxes to try passwords locally. cjdelisle - (14:39): However I think you can cease up an xwiki installation just by trying to log in with a million threads right now. cjdelisle - (14:41): bbiab... tmortagne left at 14:43 (Read error: Connection reset by peer tmortagne joined #xwiki at 14:43 sburjan - (14:46): wait, you lost me :) sburjan - (14:47): the decrypt function is GPU dependant ? MartinCleaver joined #xwiki at 14:57 abusenius - (14:59): sburjan: he is talking about using GPGPU to speedup breaking hashes sburjan - (15:01): so it uses graphics card to break hashes ? abusenius - (15:01): the bad guys use them sburjan - (15:01): I;m a little bit confused sburjan - (15:01): yeah, the bad guys abusenius - (15:01): yes, 1000 threads are better than 4 sburjan - (15:02): a gpu has 1000 threads ? abusenius - (15:02): new ones yes sburjan - (15:02): I see abusenius - (15:02): light-weight threads sburjan - (15:02): and the other thing I didn’t understand sburjan - (15:02): Anyway if you have a botnet (DDoS) then you can get thousands of windows boxes to try passwords locally. sburjan - (15:03): but how do you get locally the serialized objects that contain the passwdz ? abusenius - (15:03): well, assuming you have DB dump or something sburjan - (15:03): but for that you already need privileges abusenius - (15:03): sure abusenius - (15:04): the idea is, if the attacker can get access to the server, he still can’t find out your password abusenius - (15:05): otherwise you might as well just sleep(10) on the server side abusenius - (15:06): having a password in cleartext is bad, because people reuse them for example cjdelisle - (15:06): privileges lol. All you need for database dumps is bobby tables. cjdelisle - (15:06): we’re better than some but never trust the db. cjdelisle - (15:07): Actually, the password hashes are right in the XWikiUsers object. sburjan - (15:07): bobby tables ? cjdelisle - (15:08): http://xkcd.com/327/ cjdelisle - (15:09): It’s a dumb joke but it has sort of turned into a meme. sburjan - (15:09): yea :)) sburjan - (15:09): but we’re still vulnerable to sql injection ? cjdelisle - (15:10): hmmmmmmm yes. mflorea left at 15:11 (Quit: Leaving. lucaa left at 15:13 (Quit: Leaving. cjdelisle - (15:13): We’re looking into a way to use encryption to make it so sql injection is pointless. sburjan - (15:14): parameterization doesnt work in our case ? cjdelisle - (15:14): If everything used it then it would work. I’m talking about cases where there is a registered user and he has access to searchDocuments etc. sburjan - (15:15): and making them be used everywhere is hard ? cjdelisle - (15:16): Well even if they are used everywhere all the adversary has to do is register and write their own vulnerable queries. cjdelisle - (15:19): We have been talking about having a root "superadmin" certificate stored in a file on the hard disk. That cert signs the admin’s permissions and the admin signs the user permissions. cjdelisle - (15:20): you can dump (or alter) the database but all you get is certificates and password encrypted private keys cjdelisle - (15:20): change a cert, break the cert chain, change a key, then it doesn’t match the cert. cjdelisle - (15:38): oh sburjan Cryptography (at least public key RSA) works because it’s fast to raise something to the 65537th power and slow to get the 65537th root. cjdelisle - (15:39): that’s the "one way trap function" sylviarusu left at 15:40 (Quit: Leaving. sburjan - (15:43): I see sburjan - (15:43): I started to read more about sql injection sburjan - (15:43): too bad that htere isn;t a "training" site :) sburjan - (15:43): so I can actually see it work abusenius - (15:44): try xwiki.org ^^ cjdelisle - (15:45): lol sburjan - (15:45): i’m sure it’s not vulnerable :)) sburjan - (15:45): you guys fixed it sburjan - (15:45): :D sburjan - (15:45): at least the most vital places cjdelisle - (15:45): actually yea, you’d just end up spamming zipe’s logs with your attempts. cjdelisle - (15:45): *xipe cjdelisle - (15:46): Do you have a local installation on your computer? sburjan - (15:46): of XWiki ? cjdelisle - (15:46): yea. sburjan - (15:46): of course sburjan - (15:46): I’m writing automatic tests, so i have to test them :P cjdelisle - (15:47): Well you can play with that. Try using websecurity against it, just run it over night and see what you get abusenius - (15:47): sburjan, there are training apps actually, http://insecurewebapp.sourceforge.net/main/index.html sburjan - (15:48): hmmm sburjan - (15:48): I’ll take a look cjdelisle - (15:49): http://labs.oracle.com/projects/crypto/HowECCWorks-USLetter.pdf cjdelisle - (15:50): McEllice is a bit more interesting because it can’t be parallelized (quantum computer proof) but it’s also a lot more complicated. sburjan - (15:50): lots of math :) sburjan - (15:50): so this is what your srypto implementation use ? cjdelisle - (15:51): it doesn’t use any public key (not for password derivation.) sburjan - (15:52): cjdelisle, : do you have some masters in computer security ? :) sburjan - (15:52): I know abusenius has cjdelisle - (15:52): xwiki-crypto does have a public key component, it just uses rsa. cjdelisle - (15:52): haha masters in what? sburjan - (15:52): information security :) sburjan - (15:53): computer security cjdelisle - (15:53): I took like 2 semesters of programming in college. abusenius - (15:53): there are no special security degrees afaik sburjan - (15:54): abusenius, : There are masters in all the europe on Information/Computer Security abusenius - (15:54): not in my university :) one can just specialize on that cjdelisle - (15:54): My professors were all ex-nsa, one recommended I apply there. sburjan - (15:54): they teach you the algebra behind the cryptosystems abusenius - (15:54): it is still called "computer science" sburjan - (15:55): things like chinese remainder theorem cjdelisle - (15:55): Yea, I read about it a little, I’m sure I’ll learn it sooner or later. abusenius - (15:56): we got this in the introduction lecture to crypto sburjan - (15:56): abusenius, : but your internship is in Security here at X, right ? abusenius - (15:56): yes cjdelisle - (15:57): hey, I have a masters in breakeology. sburjan - (15:57): so you learned the security stuff all by yourself ? abusenius - (15:57): me? sburjan - (15:57): yes, you abusenius :) cjdelisle - (15:57): breakeology, when you learn by breaking stuff. sburjan - (15:57): breakeology is like .. sociology, antropology ? :)) sburjan - (15:58): so you do have a masters in that :D abusenius - (15:58): no, I’ve learned everything I could find, but I also took all lectures on crypto/security we have abusenius - (15:58): if you’re interested in something, it happens naturally :) sburjan - (15:59): true sburjan - (15:59): but that math is pretty hard :)) sburjan - (15:59): all the modulo stuff sburjan - (15:59): remainders, etc cjdelisle - (15:59): I have 5 pdfs in my system tray. sburjan - (15:59): about ? sburjan - (16:00): security ? cjdelisle - (16:00): How to get ips, DDoS defense, anycast, conficker, and ecc. sburjan - (16:00): they should make a book on crypto. Computer Security for retards. and they should dedicate it to me :)) sburjan - (16:01): Well known idiot’s guide is too high level .. I need something lower abusenius - (16:01): :D cjdelisle - (16:01): hah, I noticed that the math all just looks hard with the weird symbols, read the implementation if you want to understand. cjdelisle - (16:01): Look at this: http://cr.yp.to/salsa20.html abusenius - (16:02): I find probability theory harder, groups are not that bad cjdelisle - (16:02): salsa20 is a full cipher implementation in 22 lines. that is why Bernstein is full of win. cjdelisle - (16:03): no stupid s-boxes, no obfuscation. it’s either secure or it’s not and that doesn’t really depend on how hard it is to understand. abusenius - (16:04): thats just because it doesn’t include the implementation of the hash function ;) cjdelisle - (16:04): yea well it’s actually a cipher. Converting it to a hash which is collision resistant and such is a bigger task. cjdelisle - (16:05): but that function placed well in the eurocrypt contest. abusenius - (16:09): in any case, understanding what you can do (and what not) with some type of encryption is more important than implementation details cjdelisle - (16:10): Yea, the devil really is in the details. cjdelisle - (16:12): I remember reading that people were surprised when joanna rutkowska showed that a computer with full disk encryption can still be attacked by putting malware in the mbr. abusenius - (16:12): less related question, how can I change log4j settings of xwiki instance I use for escaping-tests/ abusenius - (16:12): ? abusenius - (16:13): it seems to use debug logging level cjdelisle - (16:14): take a look at start-wiki and start-wiki-debug.sh there might be something there about it. abusenius - (16:15): hm, not really cjdelisle - (16:16): I don’t know, you could google log4j "-D" cjdelisle - (16:17): I’m sure there is a -Dsomething which will change it. abusenius - (16:18): googling... mflorea joined #xwiki at 16:20 sburjan - (16:21): in java a char is 2 bytes, right ? so a 64 bytes string is actually a 32 char string ? cjdelisle - (16:22): yes a char is two bytes :/ sburjan - (16:23): in the link you gave me , it says that it takes a 64 bytes strin. about salsa20 cjdelisle - (16:23): String has a few other components which occupy some space but you’re pretty much correct. sburjan - (16:23): but if the input string is less than 64 bytes/32 chars ? it’s getting padded ? cjdelisle - (16:24): Well the function will run on much larger pieces of data by breaking them up, and yes it pads at the end. cjdelisle - (16:26): The neat thing about salsa is it’s auto seeking. You give it a key and say block 1000, then you input 1000 along with the key and salt, and it generates some output which you can use to decrypt the data. cjdelisle - (16:27): salsa20 doesn’t actually decrypt your data, it generates psudorandom which you then xor against your data. lucaa joined #xwiki at 16:28 sburjan - (16:28): hmmm sburjan - (16:28): so it can be decrypted sburjan - (16:29): afaik md5 is one way hash sburjan - (16:29): alsa is reversible ? cjdelisle - (16:29): yea. cjdelisle - (16:29): Imagine you take a key and md5 it. sburjan - (16:29): oh... big diffrence cjdelisle - (16:30): Actually imagine you take a key, append a number (0) then md5 it. cjdelisle - (16:30): then you take your plain text and xor it against the output from md5. sburjan - (16:31): this is how you decrypt it ? _______________________________________________ notifications mailing list notifications(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/notifications

14 years, 4 months

[xwiki-devs] [proposal] add getDocumentURL to DocumentAccessBridge with boolean isFullURL to specify whether the url should be the external document url.

by Caleb James DeLisle

I discovered that there is no way to get the full (external) document url from DocumentAccessBridge. Alex informed me that xwiki-crypto was creating certificates with only a partial url when it should be using the full url. I would like to add this to DocumentAccessBridge: String getDocumentURL(DocumentReference documentReference, String action, String queryString, String anchor, boolean isFullURL); which mimics String getAttachmentURL(AttachmentReference attachmentReference, boolean isFullURL); WDYT? Caleb

14 years, 4 months

[xwiki-devs] Syntax highlighter for XWiki!

by Asiri Rathnayake

Hello XWikiers! If you have used syntax highlighter ( http://code.google.com/p/syntaxhighlighter/) in wordpress, blogger etc. you are going to like this one: http://asiri.rathnayake.org/xwiki/bin/view/Macro/MCode Now because of the flexibility of XWiki SSX and JSX, you can easily customize this macro (if you wish to extend it). There are few things I wish if I could improve (implementation details) but I hope this would be useful the way it is now :) Let me know if it looks good. Thanks. - Asiri

14 years, 4 months

[xwiki-devs] Default link labels in WYSIWIG Editor

by Ivan Levashew

Hello! I'd like it to be possible to create links with default labels. I mean, [[Space.Page]], [[http://website/]] without "label>>". Speaking for myself, I'd like magnet links to have default labels mostly. I have recompiled WYSIWIG editor several times, and I have added new Wizard steps, so I've got some experience with GWT. I'm thinking about several use cases. The user should be able to enter magnet link as is. The user should be able to construct magnet link from scratch. And a hybrid use case: the users enters a magnet link in the first wizard step and improves it in the second one. An improvement is e. g. changing file name, adding alternative source and so on. I'm implementing two wizard steps: "enter" and "improve". Most often, it is wanted a label to be default. Default magnet label generator produces things like "klein_shock_doctrine.djvu (8.19 Mb)". These default labels mirror a content of magnet links in a human-readable form. But it is not obvious how to achieve this. I've tweaked GWT editor to allow empty labels in magnet links, but such links look empty in WYSIWIG and are being deleted on save. -- If you want to get to the top, you have to start at the bottom

14 years, 4 months

[xwiki-devs] Fwd: Need advice before issuing a new wiki request on myxwiki.org

by Bogdan Flueras

Hello Xwiki Devs, I plan to create a new wiki on myxwiki.org for a large comunity of non-technical users (~1K), so Xwiki is my first choice. However I will add new features to the wiki, like: OpenId and JForum, so what I'm asking if there is a possibility to RE-deploy my modified webapp onto myxwiki.org afterwards, OR once the created wiki there is no other possibility to improve it ... If the answer would be yes, I would be grateful for a How-To. If not, I would search for dedicated hosting, and still be grateful for your work! Best regards! --

14 years, 4 months

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

xwiki-devs August 2010