Extension:PageProtectionPlus/Developer Notes

From MediaWiki.org
Jump to navigation Jump to search
MediaWiki extensions manual
OOjs UI icon advanced.svg
PageProtectionPlus
Release status: unknown
Implementation Tag, Special
Description Protect areas and sections from access
Latest version 2.3b (2007-12-18)
MediaWiki 1.8.0
License No license specified
Download http://entropy.echelon.pl/people/siefca/PageProtectionPlus-2.1b.tar.gz
Translate the PageProtectionPlus extension if it is available at translatewiki.net

Welcome to the MediaWiki extension for protecting pages. This page is considered to be useful for extension developers and those who like to know, how the things are working.

Design[edit]

Headers[edit]

Compatibility header[edit]

We can see that the text in database was encrypted by PageProtection using pure-RSA without any marks, we know that because of 'protect' tags. We run compatible driver to decrypt it. In fact it is not some external piece of code, just call to Cipher::Decipher() with correct parameters set to handle RSA.

Native headers[edit]

When we see --- BEGIN KEY: we should pass all message to the Encryption::Decrypt() for decryption. Header structure contains a comma-separated parameters' list within two marks, an encrypted key, and the ending mark. It has 2 parts:

  • header containing key parameters and an encrypted symmetric key
  • encrypted text

and it looks like that:

--- BEGIN KEY: key_encryption_algorithm,
 key_encrypton_identifier,
 txt_encryption_algorithm,
 txt_encryption_mode,
 txt_encryption_key_size,
 txt_encryption_iv_size ---

BASE64  encoded  &  RSA-encrypted   symmetric  key  with  IV attached to it & with a few random bytes (salt - why not?)

--- END KEY ---
BASE64 encoded & symmetrically encrypted text body

Where:

  • key_encryption_algorithm is a name of asymmetric algorightm used to encryt the key (e.g.: rsa)
  • key_encrypton_identifier is an asymmetric key identifier (ID of a public key used to encrypt data)
  • txt_encryption_algorithm is a name of symmetric algorightm used to encrypt text (e.g.: blowfish)
  • txt_encryption_mode is a name of an encryption mode for text (only cbc is supported)
  • txt_encryption_key_size is a size of a key (in bytes) used to encrypt a text
  • txt_encryption_iv_size is a size of an initial vector (in bytes) used to encrypt a text

And the example header looks like that:

--- BEGIN KEY: RSA,3f29d838,RIJNDAEL-256,CBC,32,32 ---
rGnwssOE9CGdINDYCDjFYI7AYW5uwOkYUSSq/5TsCrwU3Gccj19XKKIg4v/ZRMKvzkRgyTyTo9hH
mkbFWPtsTzYnLpkLifuFA2Sv9mmWopsYdoN1Zzgy58vtqGJRh0TG
--- END KEY ---


There is one exception, where we encrypt the text using pure-symmetric cipher, the header fields have the following meanings:

  • no_key_encryption_mark is a mark that tells, that no symmetric key is in use (it is: NULL)
  • key_encrypton_identifier is an asymmetric key identifier (ID of a public key used to encrypt data)
  • txt_encryption_algorithm is a name of asymmetric algorightm used to encrypt text (e.g.: RSA)
  • txt_encryption_mode (reserved for mode if one will be available in some future engine)
  • txt_encryption_key_size is a size of a key (in bits) used to encrypt a text
  • txt_encryption_iv_size (reserved)


And the example header looks like that (using just RSA key):

--- BEGIN KEY: NULL,3f29d838,RSA,,1024,0 ---
--- END KEY ---

GnuPG headers (future)[edit]

It is a development line to made PageProtectionPlus GPG-compatible. We can then forget about engines and so on. In the future, when we see GnuPG header, we can run Encryption::GPG().

CryptoParser class[edit]

The CryptoParser class handles getting and creating the header. Parameters in the header's headline should be trated as case insensitive, because the case may be changed during parsing process. Parameters are trimmed while parsing, so the white-characters are removed from both sides of each parameter.

Implicit Groups[edit]

Are there plans to provide for implicitGroups as used in MediaWiki? Particularly 'user'. Implementing the implicitGroup 'user' would allow for anyone with an account to view the protected text. I nice option to only protect portions of a page instead of the whole thing with the other access restriction methods (namespace, etc). See include/User.php for details on implicitGroups.

To provide the implicitGroups (including user) as a valid entry in the access group list, modify the following line of code in includes/AccessList.php in the hasAccess() function, line 119:

 if(in_array($group, $user->mGroups)){

add the additional check against the implicit (or Effective) group list.

 if(in_array($group, $user->mGroups) 
    || in_array($group, $user->getEffectiveGroups())){