XML list elements, Sclerotic Internet
I hate XML almost as much as I hate ASN.1
To merely list elements, without knowing names in advance, which would surely defeat the purpose, you need xalan.jar
and the rather neat xpath concept
You cant use java javax.xml
you need org.apache.xpath.XPathAPI.
You need to download the entire 65MB of xalan just to get xalan.jar
Sadly, such sites as jarfinder and findjar now just point to ad-sites which dont actually find jars
After an afternoon searching for XML stuff on the Internet, I find it sclerotic, clogged with undated pages offering obsolete or deprecated methods
Without a means to die, evolution is impossible, and we are left with Stalinist relics pretending to function.
Anyway to converts an XML document into a comma separated list.
Comma separated is so much simpler, ergo better...
NodeList nodelist = null;
String xpath = "//*[not(*)]"; // Get all elements without a child element
nodelist = org.apache.xpath.XPathAPI.selectNodeList(doc, xpath);\
int z = nodelist.getLength();
for (int i=0; i < z ; i++) { print("\n " + postColon(nodelist.item(i).getNodeName())); // postcolon removes the ds: and dct: - what possible use are they?
print(", " + nodelist.item(i).getTextContent());
}
note the .item(i) syntax - this varies from xalan to Java - making a mockery of the idea of XML as a standard... exampledepot - lots of neat strings to select
20 March 2012
19 March 2012
DER encoded public key
DER encoded Public key [I hate ASN.1]
038181006BA216825F01E8A2E9015AAD9872B3BD68B453D29C7C4648C6653407111C1488D3E633EF07FEF90BA09BF90A94160091C24789FEDA738858C24B95949C844A4AB312B5F52250A9A234382F0B2E8402F260A54F065436632671B004737ED81B5EBE1003A71829C1D3ADEB5F17AB0BE58B6B8969FD6A115ADE4A615FA68B20E7E3]
Note the "extra length" byte 81 which is required if length >= 0x80 ???
if the actual length > 0xFF then more rules???
Note the 00 unused bits byte which follows the 03 bit string
03 81 bit string
8D 00 unused buts 0 L=8D
30 81 89 sequence L=89
02 81 81 Integer L= 81
(modulus)
00CE64E4BADC06A5D6D72FFB9A97E81EACC4C007864DE5FFCF5212FFC0433C7DDDD7042EDB2DBB97217170224A763D3FDDC92EF5447299243873070A84DCDA4392882D17BC61A0BC22D8DA46AD3C3F7A5EF430A34813F11B0C611D36DE4E54377716DE82B7E2AC21994244CDC406ADF83F32A685B5D925F2796FFF35F5B6DA19D1
02 03 integer (note NO "extra" length byte)
modulus
010001
Very few ASN.1 decoders will expand this
most of the online and Free decoders dont
bouncycastle DERObject to ASN1Object does NOT
java certificate object does return modulus and exponent
pumka mentions lipingshare ASN.1 Editor
which DOES expand... the msi installer is picky about its location..
oddly it shows modulus in Hex and Exponent in DEcimal
so to extract data (if length < 256 bytes)
must go something like this:
If ((raw[1] & 0x80) != 0)
lz = 2;
else
lz = 1;
length = raw[lz];
if (raw[0] == 0x03)
dz = lz+1;
else
dz = lz;
move(raw,dz,data,0,lz)
...now to spend a couple months writing ASN.1 de/encode??
038181006BA216825F01E8A2E9015AAD9872B3BD68B453D29C7C4648C6653407111C1488D3E633EF07FEF90BA09BF90A94160091C24789FEDA738858C24B95949C844A4AB312B5F52250A9A234382F0B2E8402F260A54F065436632671B004737ED81B5EBE1003A71829C1D3ADEB5F17AB0BE58B6B8969FD6A115ADE4A615FA68B20E7E3]
Note the "extra length" byte 81 which is required if length >= 0x80 ???
if the actual length > 0xFF then more rules???
Note the 00 unused bits byte which follows the 03 bit string
03 81 bit string
8D 00 unused buts 0 L=8D
30 81 89 sequence L=89
02 81 81 Integer L= 81
(modulus)
00CE64E4BADC06A5D6D72FFB9A97E81EACC4C007864DE5FFCF5212FFC0433C7DDDD7042EDB2DBB97217170224A763D3FDDC92EF5447299243873070A84DCDA4392882D17BC61A0BC22D8DA46AD3C3F7A5EF430A34813F11B0C611D36DE4E54377716DE82B7E2AC21994244CDC406ADF83F32A685B5D925F2796FFF35F5B6DA19D1
02 03 integer (note NO "extra" length byte)
modulus
010001
Very few ASN.1 decoders will expand this
most of the online and Free decoders dont
bouncycastle DERObject to ASN1Object does NOT
java certificate object does return modulus and exponent
pumka mentions lipingshare ASN.1 Editor
which DOES expand... the msi installer is picky about its location..
oddly it shows modulus in Hex and Exponent in DEcimal
so to extract data (if length < 256 bytes)
must go something like this:
If ((raw[1] & 0x80) != 0)
lz = 2;
else
lz = 1;
length = raw[lz];
if (raw[0] == 0x03)
dz = lz+1;
else
dz = lz;
move(raw,dz,data,0,lz)
...now to spend a couple months writing ASN.1 de/encode??
14 March 2012
Google Bucks, Myki, E-Fulusi
Google considered the possibility of creating its own currency called Google Bucks.. Eric Schmidt.. at Mobile World Congress in Barcelona on Tuesday.
“peer-to-peer” money system ..transfer cash to each other ..
the project was eventually nixed because of the various laws about currency
The concept would also make it easier for potential money laundering scandals. [confused journalese? easier scandals?]
..we didn’t want to get into that because of these issues,” Schmidt ..
digitaltrends
Google launched its e-Wallet, which comes with a prepaid card that you can top up from your bank account or credit card to pay for goods.
______________________________________________________
Myki
Queues grow as bugs plague new $1.35 billion myki system
With two weeks until weekly and monthly Metcards become extinct..
Metcard machines have started being pulled out of stations in Melbourne's west.
Daniel Bowen of the Public Transport Users Association said the readers worked most of the time ..
More than a third of commuters now used myki. heraldsun
__________________________________________________________
how to get it right, such as London’s Oyster and Singapore’s EZ-Link smartcards, and one close to home: Perth’s SmartRider wordpress zdnet
An error in Victoria's recently implemented Myki smart card system has seen two customers credited over $150,000 to their accounts.
why-transport-smart-card-projects-go-bad zdnet
_______________________________________________________
The Bank of Tanzania (BoT) has drafted mobile payment regulations ..
..February report, registered customers for mobile financial services 19.4 million November 2011, compared to 14,327 June 2008.
alue of transactions increased from TZS 1.42 million in 2007 to TZS 1.62 trillion in 2011,
trust accounts to facilitate transactions from TZS 3.04 billion in June 2009 to TZS 97.6 billion at end of 2011.
E Fulusi (T) pioneered 2008 M-Pesa started four service providers Vodacom (M-Pesa), Airtel (Airtel Money), Tigo (Tigo Pesa), and Zantel (Ezy-Pesa). telecompaper
E-Fulusi mobile wallet technology currently powers the Mobipawa and ZPESA services, the first two mobile banking services in Tanzania.
_____________________________________________________________________
“peer-to-peer” money system ..transfer cash to each other ..
the project was eventually nixed because of the various laws about currency
The concept would also make it easier for potential money laundering scandals. [confused journalese? easier scandals?]
..we didn’t want to get into that because of these issues,” Schmidt ..
digitaltrends
Google launched its e-Wallet, which comes with a prepaid card that you can top up from your bank account or credit card to pay for goods.
______________________________________________________
Myki
Queues grow as bugs plague new $1.35 billion myki system
With two weeks until weekly and monthly Metcards become extinct..
Metcard machines have started being pulled out of stations in Melbourne's west.
Daniel Bowen of the Public Transport Users Association said the readers worked most of the time ..
More than a third of commuters now used myki. heraldsun
__________________________________________________________
how to get it right, such as London’s Oyster and Singapore’s EZ-Link smartcards, and one close to home: Perth’s SmartRider wordpress zdnet
An error in Victoria's recently implemented Myki smart card system has seen two customers credited over $150,000 to their accounts.
why-transport-smart-card-projects-go-bad zdnet
_______________________________________________________
The Bank of Tanzania (BoT) has drafted mobile payment regulations ..
..February report, registered customers for mobile financial services 19.4 million November 2011, compared to 14,327 June 2008.
alue of transactions increased from TZS 1.42 million in 2007 to TZS 1.62 trillion in 2011,
trust accounts to facilitate transactions from TZS 3.04 billion in June 2009 to TZS 97.6 billion at end of 2011.
E Fulusi (T) pioneered 2008 M-Pesa started four service providers Vodacom (M-Pesa), Airtel (Airtel Money), Tigo (Tigo Pesa), and Zantel (Ezy-Pesa). telecompaper
E-Fulusi mobile wallet technology currently powers the Mobipawa and ZPESA services, the first two mobile banking services in Tanzania.
_____________________________________________________________________
06 March 2012
XML Canonicalizer
When signing an XML file, obviously all need to agree on "proper" form
so use a canonicalizer
Java doesnt have one, so use apache rather than sun
-so far I have included all the apache xml jars, ... several at least are required
public static String canon (String raw)
{
String cooked = null;
try
{
byte inputBytes[] = raw.getBytes();
org.apache.xml.security.c14n.Canonicalizer c14n = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS);
byte result[] = c14n.canonicalize(inputBytes);
cooked = new String(result);
}
catch (Exception ex)
{
print("\n canon excptn " + ex.getMessage());
print("\n raw " + raw + "\n");
}
return cooked;
However this doesnt seem to do much:
raw
<dc:FileDataCollection xmlns:dc="http://www.fredrick.dc" xmlns:dca="http://www.fredrick.dc/AuditRegisters" xmlns:dce="http://www.fredrick.dc/Events" xmlns:dct="http://www.fredrick.dc/Transactions" xmlns:dcv="http://www.fredrick.dc/Versions" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<FileHeader >
<FileHeaderTag> FHTAG_EVENT_LOG</FileHeaderTag >
<FileCreationDate>2012-02-21T15:45:55</FileCreationDate>
<SignKeyVer>0</SignKeyVer>
</FileHeader>
<FileBody>
<FileMessage>
<MsgHeader>
<MsgSequenceNumber></MsgSequenceNumber>
<MsgReportDate>2012-02-21T15:45:55</MsgReportDate>
<DeviceID>65537</DeviceID>
<ComplementDeviceID>0</ComplementDeviceID>
=======================================
cooked Canonical
<dc:FileDataCollection xmlns:dc="http://www.fredrick.dc" xmlns:dca="http://www.fredrick.dc/AuditRegisters" xmlns:dce="http://www.fredrick.dc/Events" xmlns:dct="http://www.fredrick.dc/Transactions" xmlns:dcv="http://www.fredrick.dc/Versions" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<FileHeader>
<FileHeaderTag> FHTAG_EVENT_LOG</FileHeaderTag> indent spaces same, spaces in tag removed
<FileCreationDate>2012-02-21T15:45:55</FileCreationDate>
<SignKeyVer>0</SignKeyVer>
</FileHeader>
<FileBody>
<FileMessage>
<MsgHeader>
<MsgSequenceNumber></MsgSequenceNumber> empty tag left
line-seperator is LF 0x0A, no CR which is handy
The Client has sent me some demo XML signed files: the certificate is OK, has an OK public key, which verifies the Signature to a decent Digest. BUT the plaintext Digest is different!
One at least, probably both, have been cobbled together. And no SHA1 digest of a range of versions of the raw input produce a digest identical to either of the 2 received. Aint adversarial business grand!
so use a canonicalizer
Java doesnt have one, so use apache rather than sun
-so far I have included all the apache xml jars, ... several at least are required
public static String canon (String raw)
{
String cooked = null;
try
{
byte inputBytes[] = raw.getBytes();
org.apache.xml.security.c14n.Canonicalizer c14n = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS);
byte result[] = c14n.canonicalize(inputBytes);
cooked = new String(result);
}
catch (Exception ex)
{
print("\n canon excptn " + ex.getMessage());
print("\n raw " + raw + "\n");
}
return cooked;
However this doesnt seem to do much:
raw
<dc:FileDataCollection xmlns:dc="http://www.fredrick.dc" xmlns:dca="http://www.fredrick.dc/AuditRegisters" xmlns:dce="http://www.fredrick.dc/Events" xmlns:dct="http://www.fredrick.dc/Transactions" xmlns:dcv="http://www.fredrick.dc/Versions" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<FileHeader >
<FileHeaderTag> FHTAG_EVENT_LOG</FileHeaderTag >
<FileCreationDate>2012-02-21T15:45:55</FileCreationDate>
<SignKeyVer>0</SignKeyVer>
</FileHeader>
<FileBody>
<FileMessage>
<MsgHeader>
<MsgSequenceNumber></MsgSequenceNumber>
<MsgReportDate>2012-02-21T15:45:55</MsgReportDate>
<DeviceID>65537</DeviceID>
<ComplementDeviceID>0</ComplementDeviceID>
=======================================
cooked Canonical
<dc:FileDataCollection xmlns:dc="http://www.fredrick.dc" xmlns:dca="http://www.fredrick.dc/AuditRegisters" xmlns:dce="http://www.fredrick.dc/Events" xmlns:dct="http://www.fredrick.dc/Transactions" xmlns:dcv="http://www.fredrick.dc/Versions" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<FileHeader>
<FileHeaderTag> FHTAG_EVENT_LOG</FileHeaderTag> indent spaces same, spaces in tag removed
<FileCreationDate>2012-02-21T15:45:55</FileCreationDate>
<SignKeyVer>0</SignKeyVer>
</FileHeader>
<FileBody>
<FileMessage>
<MsgHeader>
<MsgSequenceNumber></MsgSequenceNumber> empty tag left
line-seperator is LF 0x0A, no CR which is handy
The Client has sent me some demo XML signed files: the certificate is OK, has an OK public key, which verifies the Signature to a decent Digest. BUT the plaintext Digest is different!
One at least, probably both, have been cobbled together. And no SHA1 digest of a range of versions of the raw input produce a digest identical to either of the 2 received. Aint adversarial business grand!
28 February 2012
Security Misc.
Some Security items:
Redphone 0.4 removed from AndroidApps, beta may be available..
Redphone uses ZRTP, Diffie-Hellman key exchange and the Secure Real-time Transport Protocol (SRTP) for encryption.
..ZRTP designed by Phillip Zimmerman, the inventor of PGP
Download free from Android market
RedPhone 0.4
..need someone to call, join #whispersystems on irc.freenode.net
.._________________________________
Moxie Marlinspike, was met by two U.S. Customs and Border Protection agents at the door of his plane when he arrived at JFK airport on a Jet Blue flight from the Dominican Republic. ..held him for 4 1/2 hours,..seized Marlinspike’s laptop and two cellphones, and asked for his passwords..
Marlinspike refused, and the devices were later returned to him.
“I can’t trust any of these devices now,”.. “They could have modified the hardware or installed new keyboard firmware.”
Marlinspike gained attention last year at the Black Hat security conference in Las Vegas when he revealed a serious vulnerability in how internet browsers verify digital security certificates. ..He released two free tools that would help an attacker conduct such an attack.
Three months later, PayPal froze his account
.....ticket agents, .. were blocked from producing a boarding pass for him without first calling .. Department of Homeland Security. Secure Flight .....
Others.....
security researcher Jake Appelbaum, was detained in July at a New Jersey airport,..on his way to the DefCon hacker conference ..a U.S. rep for WikiLeaks, was questioned ..three-hour period about WikiLeaks,..Julian Assange and Appelbaum’s opinion about the wars in Iraq and Afghanistan.
...David House was met by U.S. customs agents as he deplaned earlier this month at Chicago’s O’Hare ..from Mexico....had his laptop seized
..House helped set up the Bradley Manning Support Network, ..
wired
___________________________________________________________________
5 for SMS
whispersys has no downloads .. just points to Android MArket
Beta may be here try
brothersoft
Phones on which beta may work
brothersoft
____________________________________________________________________________________________
Code signing FAQs available at:
thawte
- Hey lets send Shuttleworth into space AGAIN (just kidding, and thanks for all the Ubuntu)
____________________________________________________________________________________________
Leap card, 10 years late and €26m over budget.( sounds fairly typical)
It allows Dublin commuters to top up on credit in advance and then swipe it for cheaper fares on trains, buses and trams. (this is a feature, , surely, not a bug)
..Irish Independent reveal for the first time how a host of companies benefited from repeated delays in the project, which pushed costs up from €29.6m to €55.4m. (the ii article reveals typical incompetence, not malicious delaying??)
__________________________________________________
AdMob, Mobclix, InMobi, etc. can pillage all sorts of information from unsuspecting users. Users will blame you, not the advertising company
__________________________________
Stuxnet video
digitalbond c/o Bruce Schneier schneier
__________________________________
Some Security puff :
The BIG-IP Edge Client app provides not only full SSL VPN access from iPhones and
iPads,
Center for Information Security (http://www.cisecurity.org) offers
a multipoint checklist that includes implementing Network Intrusion Detection.. load-balancing/failover to combat
Denial of Service or shutdown...sterilize WHOIS records of personal information that can be used for social
engineering ..Open Web Applications Security Project’s (OWASP –
http://www.owasp.org) AppSec tutorial series ..hardening Apache. M.. http://xianshield.org/guides/apache2.0guide.html).
..separate partitions for binaries, html documents and logs, ..
Apache in its own, nonprivileged group (i.e. not nobody), removing its shell and locking its login.
__________________________________
Redphone 0.4 removed from AndroidApps, beta may be available..
Redphone uses ZRTP, Diffie-Hellman key exchange and the Secure Real-time Transport Protocol (SRTP) for encryption.
..ZRTP designed by Phillip Zimmerman, the inventor of PGP
Download free from Android market
RedPhone 0.4
UPS! APP NOT FOUND
That app seems to be not longer available on Android Market.
..need someone to call, join #whispersystems on irc.freenode.net
.._________________________________
Airport woes
Moxie Marlinspike, was met by two U.S. Customs and Border Protection agents at the door of his plane when he arrived at JFK airport on a Jet Blue flight from the Dominican Republic. ..held him for 4 1/2 hours,..seized Marlinspike’s laptop and two cellphones, and asked for his passwords..
Marlinspike refused, and the devices were later returned to him.
“I can’t trust any of these devices now,”.. “They could have modified the hardware or installed new keyboard firmware.”
Marlinspike gained attention last year at the Black Hat security conference in Las Vegas when he revealed a serious vulnerability in how internet browsers verify digital security certificates. ..He released two free tools that would help an attacker conduct such an attack.
Three months later, PayPal froze his account
.....ticket agents, .. were blocked from producing a boarding pass for him without first calling .. Department of Homeland Security. Secure Flight .....
Others.....
security researcher Jake Appelbaum, was detained in July at a New Jersey airport,..on his way to the DefCon hacker conference ..a U.S. rep for WikiLeaks, was questioned ..three-hour period about WikiLeaks,..Julian Assange and Appelbaum’s opinion about the wars in Iraq and Afghanistan.
...David House was met by U.S. customs agents as he deplaned earlier this month at Chicago’s O’Hare ..from Mexico....had his laptop seized
..House helped set up the Bradley Manning Support Network, ..
wired
___________________________________________________________________
5 for SMS
whispersys has no downloads .. just points to Android MArket
Beta may be here try
brothersoft
Phones on which beta may work
brothersoft
____________________________________________________________________________________________
Code signing FAQs available at:
thawte
- Hey lets send Shuttleworth into space AGAIN (just kidding, and thanks for all the Ubuntu)
____________________________________________________________________________________________
Slow trains?
Australian firm Sequoia Smart Solutions [Freemantle?] €5m for designing the smart- card system. (not a huge amount?)Leap card, 10 years late and €26m over budget.( sounds fairly typical)
It allows Dublin commuters to top up on credit in advance and then swipe it for cheaper fares on trains, buses and trams. (this is a feature, , surely, not a bug)
..Irish Independent reveal for the first time how a host of companies benefited from repeated delays in the project, which pushed costs up from €29.6m to €55.4m. (the ii article reveals typical incompetence, not malicious delaying??)
__________________________________________________
AdMob, Mobclix, InMobi, etc. can pillage all sorts of information from unsuspecting users. Users will blame you, not the advertising company
__________________________________
Stuxnet video
digitalbond c/o Bruce Schneier schneier
__________________________________
Some Security puff :
The BIG-IP Edge Client app provides not only full SSL VPN access from iPhones and
iPads,
Center for Information Security (http://www.cisecurity.org) offers
a multipoint checklist that includes implementing Network Intrusion Detection.. load-balancing/failover to combat
Denial of Service or shutdown...sterilize WHOIS records of personal information that can be used for social
engineering ..Open Web Applications Security Project’s (OWASP –
http://www.owasp.org) AppSec tutorial series ..hardening Apache. M.. http://xianshield.org/guides/apache2.0guide.html).
..separate partitions for binaries, html documents and logs, ..
Apache in its own, nonprivileged group (i.e. not nobody), removing its shell and locking its login.
__________________________________
Certificate and Schlumberger Cryptoflex PKI card
re Schlumberger Cryptoflex PKI card
We have the CHVS, its all good.
BTW dont read the public key, do the correct thing and read the certificate, then get the public key from the certificate.
And to send the certificate, dont use certificate.toString
as the helpful forums.oracle say
.."Don't do that. Use the getEncoded() method, and at the receiving end feed that to a CertificateFactory. Depending on your transport you might also need base64-encoding."
...
Just to complete the story: to get a certificate back from encoded byte array:
and the base64 stuff:
To convert X509 certificate to base64 string:
byte[] bCert = certificate.getEncoded();
String sCert = XML extract the X509Certificate object...
byte[] bencoded = javax.xml.bind.DatatypeConverter.parseBase64Binary(sCert); // Converts the string argument into an array of bytes.
We have the CHVS, its all good.
BTW dont read the public key, do the correct thing and read the certificate, then get the public key from the certificate.
And to send the certificate, dont use certificate.toString
as the helpful forums.oracle say
.."Don't do that. Use the getEncoded() method, and at the receiving end feed that to a CertificateFactory. Depending on your transport you might also need base64-encoding."
...
Just to complete the story: to get a certificate back from encoded byte array:
ByteArrayInputStream bisb = new ByteArrayInputStream(encodedBytes);
CertificateFactory cfb = CertificateFactory.getInstance("X.509");
X509Certificate certb = (X509Certificate)cfb.generateCertificate(bisb);
bisb.close();
print(" X509 back again " + certb.getSigAlgName() );and the base64 stuff:
To convert X509 certificate to base64 string:
byte[] bCert = certificate.getEncoded();
String sCert = javax.xml.bind.DatatypeConverter.printBase64Binary(bcert);
And to convert back: String sCert = XML extract the X509Certificate object...
byte[] bencoded = javax.xml.bind.DatatypeConverter.parseBase64Binary(sCert); // Converts the string argument into an array of bytes.
02 February 2012
Schlumberger Smart Card Toolkit
Schlumberger Smart Card Toolkit
Where is the toolkit?
Google search just brings up a bunch of damned fool intermediate sites,
such as 'software.informer' - blatent parasites on the information body
Where is the toolkit?
Google search just brings up a bunch of damned fool intermediate sites,
such as 'software.informer' - blatent parasites on the information body
Subscribe to:
Posts (Atom)