I already added a 'synchronize' mode to FindVUK that downloads a keydb.cfg from a website, compares it to the local file and finally:
1) adds new entries from the online file to the local file
2) apply changes of entries that are different between both files to the local file (the online file is the 'master')
3) uploads new entries from the local file to the online db also as xml in a different format.
Here's an example:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<Bluray>
<FileType>BlurayLegacyXML</FileType>
<LegacyEntries>
<LegacyEntry>
<DiscId Date="">C0A58017FAD25AC92C3B9F19D74FC1E5BFC1B025</DiscId>
<Title>MARAUDERS (Marauders)</Title>
<VolumeUniqueKey>1A741C903EB21F024F94B2F3F3F19D2A</VolumeUniqueKey>
<VolumeId/>
<MediaKey/>
<Comment>MKBv62/FindVUK 0.96</Comment>
</LegacyEntry>
<LegacyEntry>
<DiscId Date="">E20E7A19466208B7C58D0A87B8050425564E0F49</DiscId>
<Title>Bikini Destination triple fantasy</Title>
<VolumeUniqueKey>0E0BCB9F4F66870166F4C6FC23A3020F</VolumeUniqueKey>
<VolumeId/>
<MediaKey/>
<Comment/>
</LegacyEntry>
</LegacyEntries>
</Bluray>
And I also thought how it's possible to prevent invalid entries in the database created by super funny script kiddies .. and decided that it's necessary to sign the xml in order to decide if it's trustworthy or not.
I know there's an XML signature specification but it's not included in Purebasic and after reading the spec I decided that it would definitely be too much work to reimplement it in Purebasic (and I also thought that I could use an external library - but it's also too complicated or I'm too stupid..).
In the end I created my own format that looks like this:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<Main>
<Data>
<UUID>fa9c7bdf-00d5-49e6-9c27-ba4d39d9c9f8</UUID>
<Timestamp>2018-01-13T10:00:44+0000</Timestamp>
<Base64>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48Qmx1cmF5PjxGaWxlVHlwZT5CbHVyYXlNZXRhWE1MPC9G
aWxlVHlwZT48RGlzY0lkIERhdGU9IjIwMTctMDgtMjIiPjE2QUJGRDgzMzc2RDQxRThDRDI2RDE0MzhGRjAyMTQ2MDU5NjYzQkQ8L0Rp
c2NJZD48Vm9sdW1lSWQ+RjE4QjQ4RjJCQzk3MTlFNDcxQkVENjNFQTQzQkRDMjU8L1ZvbHVtZUlkPjxNZWRpYUtleT5EMkJGOERBQzZB
Mjg4QTgwQjg0Q0E1RTg5MjRENzZDQjwvTWVkaWFLZXk+PFZvbHVtZVVuaXF1ZUtleT5FN0U1MTYzMjhCQUZBRThEOEQ5MUMyODUzMDY5
NUVFODwvVm9sdW1lVW5pcXVlS2V5PjxWb2x1bWVMYWJlbD5XYXIgZm9yIHRoZSBQbGFuZXQgb2YgdGhlIEFwZXM8L1ZvbHVtZUxhYmVs
PjxCRHBsdXMgRGF0ZT0iMjAxNy4wOS4wNyI+MTwvQkRwbHVzPjxCdXNFbmNyeXB0aW9uRW5hYmxlZD4xPC9CdXNFbmNyeXB0aW9uRW5h
YmxlZD48TUtCcmV2PjUwPC9NS0JyZXY+PE1haW5QbGF5bGlzdD4wMDgwMC5tcGxzPC9NYWluUGxheWxpc3Q+PFVuaXF1ZUtleXM+PFVu
aXF1ZUtleSBOcj0iMSI+ODBDQTBCNzEyRTFGRDExMEU4QjkyODdCOUYzQzRGQUM8L1VuaXF1ZUtleT48L1VuaXF1ZUtleXM+PE1ldGFU
aXRsZXM+PE1ldGFUaXRsZSBMYW5ndWFnZT0iZW5nIj5XYXIgZm9yIHRoZSBQbGFuZXQgb2YgdGhlIEFwZXM8L01ldGFUaXRsZT48TWV0
YVRpdGxlIExhbmd1YWdlPSJmcmEiPkxhIFBsYW7DqHRlIGRlcyBTaW5nZXMgOiBTdXByw6ltYXRpZTwvTWV0YVRpdGxlPjxNZXRhVGl0
bGUgTGFuZ3VhZ2U9InNwYSI+TGEgZ3VlcnJhIGRlbCBwbGFuZXRhIGRlIGxvcyBzaW1pb3M8L01ldGFUaXRsZT48TWV0YVRpdGxlIExh
bmd1YWdlPSJubGQiPldhciBmb3IgdGhlIFBsYW5ldCBvZiB0aGUgQXBlczwvTWV0YVRpdGxlPjxNZXRhVGl0bGUgTGFuZ3VhZ2U9ImRl
dSI+UGxhbmV0IGRlciBBZmZlbjogU3Vydml2YWw8L01ldGFUaXRsZT48TWV0YVRpdGxlIExhbmd1YWdlPSJpdGEiPlRoZSBXYXIgLSBJ
bCBQaWFuZXRhIGRlbGxlIFNjaW1taWU8L01ldGFUaXRsZT48TWV0YVRpdGxlIExhbmd1YWdlPSJqcG4iPldhciBmb3IgdGhlIFBsYW5l
dCBvZiB0aGUgQXBlczwvTWV0YVRpdGxlPjxNZXRhVGl0bGUgTGFuZ3VhZ2U9ImNhdCI+TGEgZ3VlcnJhIGRlbCBwbGFuZXRhIGRlIGxv
cyBzaW1pb3M8L01ldGFUaXRsZT48L01ldGFUaXRsZXM+PC9CbHVyYXk+</Base64>
</Data>
<Signature>
<Checksum cipher="SHA256">0da227c5c0419892e196a8fff53f6f43e94a378e67359ddeba51416f5bfa6ed6</Checksum>
<Signature>1D783940EFA594B7955B21F353336A3F2228265A44F445B18DB9029B585CD2A17EE68CD1C7
C3C2D69C534C78040130F073CC1075D55A63FCA62843BD0EBD4A09</Signature>
</Signature>
</Main>
(usually Base64-Data and the Signature do not include linebreaks - just added them here to reduce the length of the lines)
The original XML (BlurayMetaXML or BlurayLegacyXML) is Base64 encoded - a SHA256 checksum is created from the data, a unique uuid and the timestamp - and the checksum is signed with libsodium and a private key that is 'embedded' into findvuk.
On the other end I've created a php-script that checks if the checksum matches the data and if the signature validates against the checksum with the help of a public key.
I know embedding a key into an application isn't really a secure solution - but I think it serves the purpose (if someone has a better idea just tell me).
So this is everything that is already working on my side