14th January 2018, 01:04   #13
nalor
 
I already added a 'synchronize' mode to FindVUK that downloads a keydb.cfg from a website, compares it to the local file and finally:
1) adds new entries from the online file to the local file
2) applies changes of entries that are different between both files to the local file (the online file is the 'master')
3) uploads new entries from the local file to the online db also as xml in a different format.

Here's an example:

Code:
<?xml version="1.0" encoding="UTF-8"?>
<Bluray>
	<FileType>BlurayLegacyXML</FileType>
	<LegacyEntries>
		<LegacyEntry>
			<DiscId Date="">C0A58017FAD25AC92C3B9F19D74FC1E5BFC1B025</DiscId>
			<Title>MARAUDERS (Marauders)</Title>
			<VolumeUniqueKey>1A741C903EB21F024F94B2F3F3F19D2A</VolumeUniqueKey>
			<VolumeId/>
			<MediaKey/>
			<Comment>MKBv62/FindVUK 0.96</Comment>
		</LegacyEntry>
		<LegacyEntry>
			<DiscId Date="">E20E7A19466208B7C58D0A87B8050425564E0F49</DiscId>
			<Title>Bikini Destination triple fantasy</Title>
			<VolumeUniqueKey>0E0BCB9F4F66870166F4C6FC23A3020F</VolumeUniqueKey>
			<VolumeId/>
			<MediaKey/>
			<Comment/>
		</LegacyEntry>
	</LegacyEntries>
</Bluray>

And I also thought about how it's possible to prevent invalid entries in the database created by super funny script kiddies ... and decided that it's necessary to sign the XML in order to decide if it's trustworthy or not.

I know there's an XML signature specification but it's not included in PureBasic and after reading the spec I decided that it would definitely be too much work to reimplement it in PureBasic (and I also thought that I could use an external library - but it's also too complicated or I'm too stupid..).

In the end I created my own format that looks like this:

Code:
<?xml version="1.0" encoding="UTF-8"?>
<Main>
	<Data>
		<UUID>fa9c7bdf-00d5-49e6-9c27-ba4d39d9c9f8</UUID>
		<Timestamp>2018-01-13T10:00:44+0000</Timestamp>
		<Base64>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48Qmx1cmF5PjxGaWxlVHlwZT5CbHVyYXlNZXRhWE1MPC9G
		aWxlVHlwZT48RGlzY0lkIERhdGU9IjIwMTctMDgtMjIiPjE2QUJGRDgzMzc2RDQxRThDRDI2RDE0MzhGRjAyMTQ2MDU5NjYzQkQ8L0Rp
		c2NJZD48Vm9sdW1lSWQ+RjE4QjQ4RjJCQzk3MTlFNDcxQkVENjNFQTQzQkRDMjU8L1ZvbHVtZUlkPjxNZWRpYUtleT5EMkJGOERBQzZB
		Mjg4QTgwQjg0Q0E1RTg5MjRENzZDQjwvTWVkaWFLZXk+PFZvbHVtZVVuaXF1ZUtleT5FN0U1MTYzMjhCQUZBRThEOEQ5MUMyODUzMDY5
		NUVFODwvVm9sdW1lVW5pcXVlS2V5PjxWb2x1bWVMYWJlbD5XYXIgZm9yIHRoZSBQbGFuZXQgb2YgdGhlIEFwZXM8L1ZvbHVtZUxhYmVs
		PjxCRHBsdXMgRGF0ZT0iMjAxNy4wOS4wNyI+MTwvQkRwbHVzPjxCdXNFbmNyeXB0aW9uRW5hYmxlZD4xPC9CdXNFbmNyeXB0aW9uRW5h
		YmxlZD48TUtCcmV2PjUwPC9NS0JyZXY+PE1haW5QbGF5bGlzdD4wMDgwMC5tcGxzPC9NYWluUGxheWxpc3Q+PFVuaXF1ZUtleXM+PFVu
		aXF1ZUtleSBOcj0iMSI+ODBDQTBCNzEyRTFGRDExMEU4QjkyODdCOUYzQzRGQUM8L1VuaXF1ZUtleT48L1VuaXF1ZUtleXM+PE1ldGFU
		aXRsZXM+PE1ldGFUaXRsZSBMYW5ndWFnZT0iZW5nIj5XYXIgZm9yIHRoZSBQbGFuZXQgb2YgdGhlIEFwZXM8L01ldGFUaXRsZT48TWV0
		YVRpdGxlIExhbmd1YWdlPSJmcmEiPkxhIFBsYW7DqHRlIGRlcyBTaW5nZXMgOiBTdXByw6ltYXRpZTwvTWV0YVRpdGxlPjxNZXRhVGl0
		bGUgTGFuZ3VhZ2U9InNwYSI+TGEgZ3VlcnJhIGRlbCBwbGFuZXRhIGRlIGxvcyBzaW1pb3M8L01ldGFUaXRsZT48TWV0YVRpdGxlIExh
		bmd1YWdlPSJubGQiPldhciBmb3IgdGhlIFBsYW5ldCBvZiB0aGUgQXBlczwvTWV0YVRpdGxlPjxNZXRhVGl0bGUgTGFuZ3VhZ2U9ImRl
		dSI+UGxhbmV0IGRlciBBZmZlbjogU3Vydml2YWw8L01ldGFUaXRsZT48TWV0YVRpdGxlIExhbmd1YWdlPSJpdGEiPlRoZSBXYXIgLSBJ
		bCBQaWFuZXRhIGRlbGxlIFNjaW1taWU8L01ldGFUaXRsZT48TWV0YVRpdGxlIExhbmd1YWdlPSJqcG4iPldhciBmb3IgdGhlIFBsYW5l
		dCBvZiB0aGUgQXBlczwvTWV0YVRpdGxlPjxNZXRhVGl0bGUgTGFuZ3VhZ2U9ImNhdCI+TGEgZ3VlcnJhIGRlbCBwbGFuZXRhIGRlIGxv
		cyBzaW1pb3M8L01ldGFUaXRsZT48L01ldGFUaXRsZXM+PC9CbHVyYXk+</Base64>
	</Data>
	<Signature>
		<Checksum cipher="SHA256">0da227c5c0419892e196a8fff53f6f43e94a378e67359ddeba51416f5bfa6ed6</Checksum>
		<Signature>1D783940EFA594B7955B21F353336A3F2228265A44F445B18DB9029B585CD2A17EE68CD1C7
C3C2D69C534C78040130F073CC1075D55A63FCA62843BD0EBD4A09</Signature>
	</Signature>
</Main>

(Usually the Base64 data and the signature do not include line breaks - I just added them here to reduce the length of the lines.)

The original XML (BlurayMetaXML or BlurayLegacyXML) is Base64 encoded - a SHA256 checksum is created from the data, a unique UUID and the timestamp - and the checksum is signed with libsodium and a private key that is 'embedded' into FindVUK.
On the other end I've created a PHP script that checks if the checksum matches the data and if the signature validates against the checksum with the help of a public key.
I know embedding a key into an application isn't really a secure solution - but I think it serves the purpose (if someone has a better idea just tell me).

So this is everything that is already working on my side.
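The server-side check described in the post above, sketched as an added example (not nalor's script or FindVUK code). Assumptions: the checksum is SHA-256 over the concatenation Base64 + UUID + Timestamp, the signature is a libsodium `crypto_sign` detached signature over the hex checksum string, and the function names, key pair and payload are constructed for the demo.

```php
<?php
// ASSUMPTION: checksum = hex SHA-256 over Base64 . UUID . Timestamp (the post does not give the order).
function envelopeChecksum(string $b64, string $uuid, string $ts): string
{
    return hash('sha256', $b64 . $uuid . $ts);
}

// Returns the decoded inner XML, or throws when any check fails.
function verifyEnvelope(string $xml, string $publicKey): string
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false) {
        throw new RuntimeException('malformed envelope');
    }
    $strip  = fn($node): string => (string) preg_replace('/\s+/', '', (string) $node);
    $b64    = $strip($doc->Data->Base64);
    $sum    = strtolower($strip($doc->Signature->Checksum));
    $sigHex = strtolower($strip($doc->Signature->Signature));
    // 1) Recompute the checksum from the received fields instead of trusting the sent one.
    $expected = envelopeChecksum($b64, $strip($doc->Data->UUID), $strip($doc->Data->Timestamp));
    if (!hash_equals($expected, $sum)) {
        throw new RuntimeException('checksum mismatch');
    }
    // 2) Verify the detached signature (ASSUMPTION: made over the hex checksum string).
    if (!ctype_xdigit($sigHex) || strlen($sigHex) !== 2 * SODIUM_CRYPTO_SIGN_BYTES
        || !sodium_crypto_sign_verify_detached(sodium_hex2bin($sigHex), $sum, $publicKey)) {
        throw new RuntimeException('bad signature');
    }
    $inner = base64_decode($b64, true); // 3) strict decode, only after both checks passed
    if ($inner === false) {
        throw new RuntimeException('payload is not valid Base64');
    }
    return $inner;
}

// Constructed demo: throwaway key pair and payload, not FindVUK's key or data.
$kp  = sodium_crypto_sign_keypair();
$b64 = base64_encode('<Bluray><FileType>BlurayLegacyXML</FileType></Bluray>');
[$uuid, $ts] = ['00000000-0000-4000-8000-000000000000', '2018-01-13T10:00:44+0000'];
$sum = envelopeChecksum($b64, $uuid, $ts);
$sig = sodium_bin2hex(sodium_crypto_sign_detached($sum, sodium_crypto_sign_secretkey($kp)));
$xml = "<Main><Data><UUID>$uuid</UUID><Timestamp>$ts</Timestamp><Base64>$b64</Base64></Data>"
     . "<Signature><Checksum cipher=\"SHA256\">$sum</Checksum><Signature>$sig</Signature></Signature></Main>";
$pk  = sodium_crypto_sign_publickey($kp);
echo verifyEnvelope($xml, $pk), "\n";
try {
    verifyEnvelope(str_replace('2018-', '2019-', $xml), $pk); // timestamp altered in transit
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

This needs PHP 7.4 or later with the bundled sodium and SimpleXML extensions.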