20 March 2012

XML list elements, Sclerotic Internet

XML list elements, Sclerotic Internet

I hate XML almost as much as I hate ASN.1

To merely list elements, without knowing names in advance, which would surely defeat the purpose, you need xalan.jar
and the rather neat xpath concept

You cant use java javax.xml
you need org.apache.xpath.XPathAPI.
You need to download the entire 65MB of xalan just to get xalan.jar

Sadly, such sites as jarfinder and findjar now just point to ad-sites which dont actually find jars

After an afternoon searching for XML stuff on the Internet, I find it sclerotic, clogged with undated pages offering obsolete or deprecated methods
Without a means to die, evolution is impossible, and we are left with Stalinist relics pretending to function.

Anyway to converts an XML document into a comma separated list.
Comma separated is so much simpler, ergo better...

        NodeList nodelist = null;
        String xpath = "//*[not(*)]"; // Get all elements without a child element

        nodelist = org.apache.xpath.XPathAPI.selectNodeList(doc, xpath);\
        int z = nodelist.getLength();

        for (int i=0; i < z ; i++) { print("\n " + postColon(nodelist.item(i).getNodeName())); // postcolon removes the ds: and dct: - what possible use are they?
        print(", " + nodelist.item(i).getTextContent());

 note the .item(i) syntax - this varies from xalan to Java - making a mockery of the idea of XML as a standard... exampledepot - lots of neat strings to select

19 March 2012

DER encoded public key

DER encoded Public key [I hate ASN.1]


Note the "extra length" byte 81 which is required if length >= 0x80 ???
if the actual length > 0xFF then more rules???

Note the 00 unused bits byte which follows the 03 bit string

03 81                   bit string
8D 00 unused buts 0                        L=8D
30 81 89 sequence                           L=89
02 81 81 Integer                               L= 81

02 03 integer (note NO "extra" length byte)

Very few ASN.1 decoders will expand this
most of the online and Free decoders dont
bouncycastle DERObject to ASN1Object does NOT

java certificate object does return modulus and exponent

pumka    mentions    lipingshare ASN.1 Editor
which DOES expand... the msi installer is picky about its location..
oddly it shows modulus in Hex and Exponent in DEcimal

so to extract data (if length < 256 bytes)
must go something like this:
If ((raw[1] & 0x80) != 0)
    lz = 2;
    lz = 1;
length = raw[lz];
if (raw[0] == 0x03)
    dz = lz+1;
    dz = lz;

...now to spend a couple months writing ASN.1 de/encode??

14 March 2012

Google Bucks, Myki, E-Fulusi

Google considered the possibility of creating its own currency called Google Bucks.. Eric Schmidt.. at Mobile World Congress in Barcelona on Tuesday.

“peer-to-peer” money system ..transfer cash to each other ..
the project was eventually nixed because of the various laws about currency
The concept would also make it easier for potential money laundering scandals. [confused journalese? easier scandals?]

..we didn’t want to get into that because of these issues,” Schmidt ..

Google launched its e-Wallet, which comes with a prepaid card that you can top up from your bank account or credit card to pay for goods.
Queues grow as bugs plague new $1.35 billion myki system
With two weeks until weekly and monthly Metcards become extinct..
Metcard machines have started being pulled out of stations in Melbourne's west.
Daniel Bowen of the Public Transport Users Association said the readers worked most of the time ..
More than a third of commuters now used myki.    heraldsun
how to get it right, such as London’s Oyster and Singapore’s EZ-Link smartcards, and one close to home: Perth’s SmartRider    wordpress   zdnet

An error in Victoria's recently implemented Myki smart card system has seen two customers credited over $150,000 to their accounts.

why-transport-smart-card-projects-go-bad    zdnet

The Bank of Tanzania (BoT) has drafted mobile payment regulations ..
..February report, registered customers for mobile financial services 19.4 million November 2011, compared to 14,327 June 2008.
alue of transactions increased from TZS 1.42 million in 2007 to TZS 1.62 trillion in 2011,

trust accounts to facilitate transactions from TZS 3.04 billion in June 2009 to TZS 97.6 billion at end of 2011.

E Fulusi (T) pioneered 2008 M-Pesa started four service providers Vodacom (M-Pesa), Airtel (Airtel Money), Tigo (Tigo Pesa), and Zantel (Ezy-Pesa).     telecompaper

E-Fulusi mobile wallet technology currently powers the Mobipawa and ZPESA services, the first two mobile banking services in Tanzania.


06 March 2012

XML Canonicalizer

When signing an XML file, obviously all need to agree on "proper" form
so use a canonicalizer
Java doesnt have one, so use apache rather than sun
-so far I have included all the apache xml jars,  ... several at least are required

public static String canon (String raw)
String cooked = null;
byte inputBytes[] = raw.getBytes();
org.apache.xml.security.c14n.Canonicalizer c14n = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS);
byte result[] = c14n.canonicalize(inputBytes);
cooked = new String(result);
catch (Exception ex)
print("\n canon excptn " + ex.getMessage());
print("\n raw " + raw + "\n");
return cooked;

However this doesnt seem to do much:

<dc:FileDataCollection xmlns:dc="http://www.fredrick.dc" xmlns:dca="http://www.fredrick.dc/AuditRegisters" xmlns:dce="http://www.fredrick.dc/Events" xmlns:dct="http://www.fredrick.dc/Transactions" xmlns:dcv="http://www.fredrick.dc/Versions" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

<FileHeader  >
            <FileHeaderTag>    FHTAG_EVENT_LOG</FileHeaderTag    >        

 cooked Canonical 
<dc:FileDataCollection xmlns:dc="http://www.fredrick.dc" xmlns:dca="http://www.fredrick.dc/AuditRegisters" xmlns:dce="http://www.fredrick.dc/Events" xmlns:dct="http://www.fredrick.dc/Transactions" xmlns:dcv="http://www.fredrick.dc/Versions" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

            <FileHeaderTag>    FHTAG_EVENT_LOG</FileHeaderTag>                   indent spaces same,  spaces in tag removed
                <MsgSequenceNumber></MsgSequenceNumber>                          empty tag left
line-seperator  is LF 0x0A, no CR which is handy

The Client has sent me some demo XML signed files: the certificate is OK, has an OK public key, which verifies the Signature to a decent Digest. BUT the plaintext Digest is different!
One at least, probably both, have been cobbled together. And no SHA1 digest of  a range of versions of the raw input produce a digest identical to either of the 2 received.   Aint adversarial business grand!

28 February 2012

Security Misc.

Some Security items:

Redphone 0.4 removed from AndroidApps, beta may be available..

Redphone uses ZRTP, Diffie-Hellman key exchange and the Secure Real-time Transport Protocol (SRTP) for encryption.
..ZRTP designed by Phillip Zimmerman, the inventor of PGP

Download free from Android market
RedPhone 0.4

That app seems to be not longer available on Android Market.

..need someone to call, join #whispersystems on irc.freenode.net

Airport woes

Moxie Marlinspike, was met by two U.S. Customs and Border Protection agents at the door of his plane when he arrived at JFK airport on a Jet Blue flight from the Dominican Republic. ..held him for 4 1/2 hours,..seized Marlinspike’s laptop and two cellphones, and asked for his passwords..

Marlinspike refused, and the devices were later returned to him.

“I can’t trust any of these devices now,”.. “They could have modified the hardware or installed new keyboard firmware.”

Marlinspike gained attention last year at the Black Hat security conference in Las Vegas when he revealed a serious vulnerability in how internet browsers verify digital security certificates. ..He released two free tools that would help an attacker conduct such an attack.

Three months later, PayPal froze his account

.....ticket agents, .. were blocked from producing a boarding pass for him without first calling .. Department of Homeland Security. Secure Flight .....

security researcher Jake Appelbaum, was detained in July at a New Jersey airport,..on his way to the DefCon hacker conference ..a U.S. rep for WikiLeaks, was questioned ..three-hour period about WikiLeaks,..Julian Assange and Appelbaum’s opinion about the wars in Iraq and Afghanistan.

...David House was met by U.S. customs agents as he deplaned earlier this month at Chicago’s O’Hare ..from Mexico....had his laptop seized

..House helped set up the Bradley Manning Support Network, ..


5 for SMS

whispersys has no downloads .. just points to Android MArket

Beta may be here try

Phones on which beta may work



Code signing FAQs available at:
- Hey lets send Shuttleworth into space AGAIN (just kidding, and thanks for all the Ubuntu)


Slow trains?
Australian firm Sequoia Smart Solutions [Freemantle?] €5m for designing the smart- card system. (not a huge amount?)
Leap card, 10 years late and €26m over budget.( sounds fairly typical)

It allows Dublin commuters to top up on credit in advance and then swipe it for cheaper fares on trains, buses and trams.  (this is a feature, , surely, not a bug)

..Irish Independent reveal for the first time how a host of companies benefited from repeated delays in the project, which pushed costs up from €29.6m to €55.4m. (the ii article reveals typical incompetence, not malicious delaying??)

AdMob, Mobclix, InMobi, etc. can pillage all sorts of information from unsuspecting users. Users will blame you, not the advertising company

Stuxnet video
digitalbond   c/o Bruce Schneier schneier
Some Security puff :
The BIG-IP Edge Client app provides not only full SSL VPN access from iPhones and

Center for Information Security (http://www.cisecurity.org) offers
a multipoint checklist that includes implementing Network Intrusion Detection.. load-balancing/failover to combat
Denial of Service or shutdown...sterilize WHOIS records of personal information that can be used for social
engineering ..Open Web Applications Security Project’s (OWASP –
http://www.owasp.org) AppSec tutorial series ..hardening Apache. M.. http://xianshield.org/guides/apache2.0guide.html).
..separate partitions for binaries, html documents and logs, ..
Apache in its own, nonprivileged group (i.e. not nobody), removing its shell and locking its login.


Certificate and Schlumberger Cryptoflex PKI card

re Schlumberger Cryptoflex PKI card
We have the CHVS, its all good.
BTW dont read the public key, do the correct thing and read the certificate, then get the public key from the certificate.
And to send the certificate, dont use certificate.toString
as the helpful forums.oracle say
.."Don't do that. Use the getEncoded() method, and at the receiving end feed that to a CertificateFactory. Depending on your transport you might also need base64-encoding."
Just to complete the story: to get a certificate back from encoded byte array:

ByteArrayInputStream bisb = new ByteArrayInputStream(encodedBytes);
CertificateFactory cfb = CertificateFactory.getInstance("X.509");
X509Certificate certb = (X509Certificate)cfb.generateCertificate(bisb);
print(" X509 back again " + certb.getSigAlgName() );

and the base64 stuff:

To convert X509 certificate to base64 string:

byte[] bCert = certificate.getEncoded();
String sCert = javax.xml.bind.DatatypeConverter.printBase64Binary(bcert);
And to convert back:
String sCert = XML extract the X509Certificate object...
byte[] bencoded = javax.xml.bind.DatatypeConverter.parseBase64Binary(sCert); // Converts the string argument into an array of bytes.

02 February 2012

Schlumberger Smart Card Toolkit

Schlumberger Smart Card Toolkit

Where is the toolkit?
Google search just brings up a bunch of damned fool intermediate sites,
such as 'software.informer' - blatent parasites on the information body