- From: Henry Story <henry.story@bblfish.net>
- Date: Thu, 26 Jan 2012 02:02:21 +0100
- To: Jürgen Jakobitsch <j.jakobitsch@semantic-web.at>
- Cc: public-webid@w3.org
- Message-Id: <6ACF9DC2-0C4F-4728-8194-4744CF8867B0@bblfish.net>
On 26 Jan 2012, at 01:13, Jürgen Jakobitsch wrote:
> btw henry,
>
> did you remove cleanHexString method from your codebase?
> if yes then why?
I suppose you are speaking of the codebase on github
https://github.com/bblfish/foafssl-java
Mhh! That is out of date. I thought I had updated it for the latest spec...
https://github.com/bblfish/foafssl-java/blob/master/foafssl-verifier-sesame/src/main/java/net/java/dev/sommer/foafssl/sesame/verifier/SesameFoafSslVerifier.java
This is indeed how we did things before updating to the latest spec which I was hoping to put out in order to simplify things. This is what the SPARQL query was three months ago
if (publicKey instanceof RSAPublicKey) {
RSAPublicKey certRsakey = (RSAPublicKey) publicKey;
TupleQuery query = null;
try {
query = rep.prepareTupleQuery(QueryLanguage.SPARQL,
"PREFIX cert: <http://www.w3.org/ns/auth/cert#>"
+ "PREFIX rsa: <http://www.w3.org/ns/auth/rsa#>"
+ "SELECT ?m ?e ?mod ?exp "
+ "FROM <"+webid.getGraphName().toString()+">"
+ "WHERE { "
+ " { ?key cert:identity ?agent } "
+ " UNION "
+ " { ?agent cert:key ?key }"
+ " ?key rsa:modulus ?m ;"
+ " rsa:public_exponent ?e ."
+ " OPTIONAL { ?m cert:hex ?mod . }"
+ " OPTIONAL { ?e cert:decimal ?exp . }"
+ "}");
} catch (MalformedQueryException e) {
log.log(Level.SEVERE, "Error in Query String!", e);
webid.fail("SERVER ERROR - Please warn administrator");
return false;
} catch (RepositoryException e) {
log.log(Level.SEVERE, "Error with repository", e);
webid.fail("SERVER ERROR - Please warn administrator");
return false;
}
Then one had to verify either the ?key and its datatype or the exponent.
Or perhaps you mean rather the code from Clerezza?
https://github.com/bblfish/clerezza/blob/bblfish/parent/platform.security.foafssl/core/src/main/scala/org/apache/clerezza/foafssl/auth/WebIDClaim.scala
This is should be up to date, but is not so well tested. And Clerezza seems to be a dead end project, as far as I can tell.
Or the Scala code that I am working on now? This is here.
https://dvcs.w3.org/hg/read-write-web/file/27674711ebe9/src/main/scala/auth/WebIdClaim.scala
I initially started out with this nice simple ASK SPARLQ query we have in the spec
46 val askQuery = QueryFactory.create("""
47 PREFIX : <http://www.w3.org/ns/auth/cert#>
48 ASK {
49 ?webid :key [ :modulus ?m ;
50 :exponent ?e ].
51 }""")
The hope was to simply replace ?m and ?e with the right datatypes like this
65 private def rsaTest(webid: WebID, rsakey: RSAPublicKey): (Model) => Validation[WebIDVerificationFailure, WebID] = {
66 model =>
67 val initialBinding = new QuerySolutionMap();
68 initialBinding.add("webid", model.createResource(webid.url.toString))
69 initialBinding.add("m", model.createTypedLiteral(hex(rsakey.getModulus.toByteArray), XSDhexBinary))
70 initialBinding.add("e", model.createTypedLiteral(rsakey.getPublicExponent.toString, XSDinteger))
71 val qe: QueryExecution = QueryExecutionFactory.create(WebIDClaim.askQuery, model, initialBinding)
72 try {
73 if (qe.execAsk()) webid.success
74 else new WebIDVerificationFailure("could not verify public key", None, this).fail
75 } finally {
76 qe.close()
77 }
78 }
But Jena does not do hexBinary datatype infrencing correctly (i.e., it does not remove leading and trailing spaces, so that I had to change it to a less effient ASK query
49 val query = QueryFactory.create("""
50 PREFIX : <http://www.w3.org/ns/auth/cert#>
51 SELECT ?m ?e
52 WHERE {
53 ?webid :key [ :modulus ?m ;
54 :exponent ?e ].
55 }""")
which now requires me to iterate through possible results
76 val initialBinding = new QuerySolutionMap();
77 initialBinding.add("webid", model.createResource(webid.url.toString))
78 // initialBinding.add("m", model.createTypedLiteral(hex(rsakey.getModulus.toByteArray), XSDhexBinary))
79 // initialBinding.add("e", model.createTypedLiteral(rsakey.getPublicExponent.toString, XSDinteger))
80 val qe: QueryExecution = QueryExecutionFactory.create(WebIDClaim.query, model, initialBinding)
81 try {
82 def matches: Boolean = {
83 import scala.collection.JavaConversions._
84 val resultset = qe.execSelect().toSet
85 resultset.exists {
86 sol: QuerySolution => try {
87 val mod = sol.getLiteral("m")
88 if (mod.getDatatype == XSDDatatype.XSDhexBinary &&
89 new BigInteger(stripSpace(mod.getLexicalForm), 16) == rsakey.getModulus) {
90 val exp = sol.getLiteral("e")
91 numericDataTypes.contains(exp.getDatatype) && new BigInteger(exp.getLexicalForm) == rsakey.getPublicExponent
92 } else false
93 } catch {
94 case _ => false
95 }
96 }
97 }
Anyway, given this problem, I did just recently re-introduced a little more lenient removal of white space here, with the function stripspace, which goes a little beyond what the hexBinary standard says is strictly correct
62 def stripSpace(hex: String): String = hex.filter(c => !Character.isWhitespace(c))
63
Anyway. The advantage of the cert:hex datatype was that is was (is) very lenient on how people write out their strings. Because it was the same domain as xsd:integer though people could write out their integers in any of a number of forms (xsd:int, xsd:integer, etc... )
It seems that most people here are not verifying the datatypes at all, but just looking inside the literal. This means of course that the literal type has no meaning, and should be removed. One reason I liked the xsd:hexBinary idea was that we could have also gotten for free the xsd:base64Binary too. But if every implementation ignores the datatype then we won't be able to use those.
Currently it seems like people are using cert:modulus as a relation to a string.
If people want to encode in the spec that is ok, but it does not come without its own issues.
>
> wkr j
>
> ----- Original Message -----
> From: "Jürgen Jakobitsch" <j.jakobitsch@semantic-web.at>
> To: "rzeno" <ruset.zeno@gmail.com>
> Cc: public-webid@w3.org
> Sent: Thursday, January 26, 2012 1:02:22 AM
> Subject: Re: problems with datatype literals
>
> hi,
>
> thanks for error-reporting.
> i have updated WebIDRealm [1] to at least check if the datatype
> is set correctly. parsing is still the same.
> in your case WebIDRealm now throws a RDFParseException that states
> that a modulus was found of which the datatype is not XMLSchema.HEXBINARY,
> same for exponent with XMLSchema.INTEGER
>
> wkr j
>
> [1] http://webid.turnguard.com/WebIDTestServer/debug
>
>
>
> ----- Original Message -----
> From: "rzeno" <ruset.zeno@gmail.com>
> To: public-webid@w3.org
> Sent: Thursday, January 26, 2012 12:22:46 AM
> Subject: problems with datatype literals
>
> hi,
>
> accidentaly Henry Store discover a problem with checking validity of
> datatypes literals, more specific with checking if modulus is hexBinary
> in webid case.
>
> in my foaf, the prefix for hexBinary is wrong:
>
> http://www/w3/org/2001/XMLSchema#hexBinary
>
> notice the slashes between www, w3 and org.
>
> tested on:
>
> https://foafssl.org/test/WebId -> say that fail
>
> http://webidauth.rhizolab.org/ -> 'Give it a try' => and was ok
> https://data.fm/test/webid -> field verified contain the webid
> https://resourceme.bergnet.org/news/ -> i used login, was ok
> https://webid.turnguard.com:8443/WebIDTestServer/ -> i used debug and said
> that all 16 tests are okr
> http://webid.fcns.eu/ -> webid login, was ok.
>
> i know that checking if a literal is valid according to the datatype
> doesn't have a simple solution in the general case so probably the best bet
> is to implement a specific solution for this case but i think anyway is
> important to take a decision about this, at least what implication could
> have and how important is.
>
> PS: my webid is http://sort-of.strangled.net/foaf.rdf#me in case you need.
>
> best regards
>
>
> --
> | Jürgen Jakobitsch,
> | Software Developer
> | Semantic Web Company GmbH
> | Mariahilfer Straße 70 / Neubaugasse 1, Top 8
> | A - 1070 Wien, Austria
> | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
>
> COMPANY INFORMATION
> | http://www.semantic-web.at/
>
> PERSONAL INFORMATION
> | web : http://www.turnguard.com
> | foaf : http://www.turnguard.com/turnguard
> | skype : jakobitsch-punkt
> | xmlns:tg = "http://www.turnguard.com/turnguard#"
>
>
> --
> | Jürgen Jakobitsch,
> | Software Developer
> | Semantic Web Company GmbH
> | Mariahilfer Straße 70 / Neubaugasse 1, Top 8
> | A - 1070 Wien, Austria
> | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
>
> COMPANY INFORMATION
> | http://www.semantic-web.at/
>
> PERSONAL INFORMATION
> | web : http://www.turnguard.com
> | foaf : http://www.turnguard.com/turnguard
> | skype : jakobitsch-punkt
> | xmlns:tg = "http://www.turnguard.com/turnguard#"
>
Social Web Architect
http://bblfish.net/
Received on Thursday, 26 January 2012 01:03:00 UTC