Wednesday, 10 October 2012

Eclipse Appcache Plugin - auto-generate HTML5 appcache files


HTML5 Appache

I won't go into a full explanation here (if you want a tutorial the HTML5 Rocks website) but HTML5 appache is a method of caching web content so that, when offline, it can still be accessed

One method of doing this is to add a meta tag to each page specifying an appcache file, which will tell the browser to cache that page. But what if you want to tell the browser to cache everything when the site is first accessed? Well HTML5 has a way of doing that too - you still add the meta tag but also specify the files to be cached in the file. When it is accessed, those files will be cached. This though leaves you with a problem - how do you make sure you locate every file to be cached and add them to the file? This is where this plugin can help

Plugin

The Appcache Eclipse Plugin is a plugin for the Eclipse IDE that will check all your files for your site and add all html, image, css and javascript files to the appcache. Once the plugin is installed, all you need to do is add the click the menu button and add the meta tag to your page(s)

At the moment it will create an appcache file for the folder selected and all subfolders. This will be improved over time to add additional useful features

Download

As this is a plugin, you need to download the Eclipse IDE. Using Eclipse is beyond the scope of these instructions

Often there are 2 methods of installing an Eclipse plugin - direct download or update site. Our update site is coming soon, so direct download of the jar file is the only option for now.

Installation

Once you have download the jar file, simple copy it into the plugins folder of Eclipse install folder. The path should be <ECLIPSE HOME> - plugins

Now restart Eclipse if it was already running. The plugin should now be installed

Generate an appcache file

Inside Eclipse, in either the Project Explorer or Navigator, right click on root folder of your website. By default this will be called WebContent. You should see a menu option called Generate Appcache

Clicking this menu option will generate an appcache folder in your web root folder called appcache.appcache. You can rename it to whatever you like, but the rest of the instructions will assume you leave it as appcache.appcache

Link to your pages

On each html page you will need to add an HTML5 appcache argument. This goes in the <html> tag like this:
<html manifest="appcache.appcache">
This is all you need to do except ensure your web server serves the appcache file correctly. There are some good instructions on the HTML5 Rocks site

Enjoy

This should make generating full-website appcache a whole lot easier.  If you have any feature requests, or want to contribute, head over to the appcache pages on the website

Monday, 25 June 2012

Mjölnir - Brute-forcing a keystore


Mjölnir Brute-force, or how to brute-force your own keystore password


If, like me, you've been in the unfortunate siutation where you have forgotten your own keystore (or certificate key) password then help may be at hand. After some fruitless searching I decide to write my own piece of software to brute force my keystore certificate.  As I am/have been a Java programmer I decided to write it in the language I knew best, and this is how I did it.

I have made the source code available for anyone who wants it

Loading the keystore


The Java API already has code for loading a keystore, java.security.KeyStore.  The keystore needs to be placed on the classpath (I just stuck it in the root on my Eclipse project)

// Load the keystore in the user's home directory
File file = new File(keystoreName);
is = new FileInputStream(file);
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
keystore.load(is, keystorePassword.toCharArray());
return keystore;

The above code simply attempts to load a keystore with the given keystoreName (filename) and keystorePassword.  If the password is incorrect an exception will be thrown.  As I was in a hacky mood, I went with catching the exception and returning null if the password was at fault.  The full method looks like:

public KeyStore loadKeystore(String keystoreName, String keystorePassword) {
FileInputStream is = null;
try {
// Load the keystore in the user's home directory
File file = new File(keystoreName);
is = new FileInputStream(file);
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
keystore.load(is, keystorePassword.toCharArray());
return keystore;
} catch (java.security.cert.CertificateException e) {
throw new KeystoreException(e);
} catch (NoSuchAlgorithmException e) {
throw new KeystoreException(e);
} catch (FileNotFoundException e) {
// Keystore does not exist
throw new KeystoreException(e);
} catch (KeyStoreException e) {
throw new KeystoreException(e);
} catch (IOException e) {
if (e.getCause().getMessage().contains("Password verification failed")) {
return null;
}
throw new KeystoreException(e);
} finally {
try {
is.close();
} catch (IOException e) {
// at least we tried
e.printStackTrace();
}
}
}

To check a keystore password this just needs to be called a LOT of times with different configurations of password.  However we will come back to that shortly as, on this occasion, I knew my keystore password but not the password for the certificate it contained.

Loading a keystore key

So I now needed to load the certificate.  Java also has an API for this in the java.security.Key class.  In a similar vein to before, we can wrap this call so it returns null if unsuccessful

public Key loadKey(KeyStore keystore, String keyAlias, String password) {
try {
// get my private key
Key key = keystore.getKey(keyAlias, password.toCharArray());
return key;
} catch (NoSuchAlgorithmException e) {
// let it return null
} catch (KeyStoreException e) {
// let it return null
} catch (UnrecoverableKeyException e) {
// let it return null
}
return null;
}

Assuming we could load the keystore, we can use that to try and load the key.  Either way, we now have methods for attempting to load a keystore of key.  Null will be returned if we are unsuccessful

Brute forcing


Next we need to be able to call one of these methods but alter the password attempt each time.  Firstly I defined the possible characters it might comprise:

// possible characters used
char[] charset = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k',
'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w',
'x', 'y', 'z' };

You can add, or take away, any that you want.  We will also need to store the current guess so we can increment it on the next iteration. I've stored them like this

private char[] cs; // Character Set
private char[] cg; // Current Guess
public BruteForce(char[] characterSet, int guessLength) {
cs = characterSet;
cg = new char[guessLength];
Arrays.fill(cg, cs[0]);
}

Next we need to increment the current guess each time so we are trying a different password, making sure we try every combination

protected void increment() {
int index = cg.length - 1;
while (index >= 0) {
if (cg[index] == cs[cs.length - 1]) {
if (index == 0) {
cg = new char[cg.length + 1];
Arrays.fill(cg, cs[0]);
break;
} else {
cg[index] = cs[0];
index--;
}
} else {
cg[index] = cs[Arrays.binarySearch(cs, cg[index]) + 1];
break;
}
}
}

The above method increments the currentGuess array each time it is called, making it 1 larger if necessary.  This means we try every combination of every character in the array eg
aa
ab
ac
ad

and so on

The current guess can then be used to attempt to load the keystore, or key.  If null is returned the password was wrong and the next guess can be attempted eg

public synchronized String getNextAttempt() {
increment();
return String.valueOf(cg);
}
String attempt = attack.getNextAttempt();
boolean found = source.attempt(attempt);

Notice the use of the synchronized key word - I added this as I ran it in a multithreaded environment.  Making the method synchronized means that the incrementing and getting the next guess are atomic, so no other thread can access the next guess at the same time.  This ensures that none are missed

Putting this all together I managed to brute force a 7 character password in about 5 hours (using 100 threads on an i7 PC)

I've built a min-framework around it and also added an heuristic brute force attack (using keywords I might use in a password) until I fouind that it wasn't any of those, leaving me to have to brute force it. It can be found on our site.  Feel free to use it.  If anyone wants to take on developing it further let me know and I'll give you access to the repository


Wednesday, 11 November 2009

Runtime bean wiring

Sproing provides an easy method of wiring an object into Spring at runtime when that object hasn't been created by Spring but needs access to Spring beans.

The SpringWirer class provides a static method that, given an object, will wire it into the existing application context and set the spring beans needed

public class Jedi {
private Force force;

public Jedi() {
// wire this object up
SpringWirer.wireBean(this);
force.push();
}

// set the Force spring bean
public void setForce(Force force) {
this.force = force;
}

}

In this example, the Force object can be accessed because it is a bean defined in Spring. At runtime, the SpringWirer.wireBean(this) call will wire the object into Spring, setting the Force object using the setter method

Sproing version 0.3.1alpha is available now from Sith Open Source

Thursday, 29 October 2009

Sproing: Arbitrary Spring loading

Sometimes is is desirable to load spring when an arbitrary (ie, not containing a main() method) object is created. Sproing provides this for when another application is creating java objects in order to provide a route into your code (for example FitNesse, The Grinder etc) that you need to wire into spring. Sproing does this by loading any application context files you specify and then wiring the object into it, allowing you to inject beans at runtime.

Spring beans are weired using the AutowireCapableBeanFactory.AUTOWIRE_BY_NAME strategy, so your object needs to have setter methods with the same names as the beans you want to wire up. You need to create a subclass of ApplicationWirer and implement the getPaths() method to return the paths of the spring application context files you want to wire up

For example:


public class YourAppWirer extends ApplicationWirer {
public String[] getPaths() {
return new String[] {
"classpath:someApplicationContext.xml",
"classpath:applicationContext.xml"};
}
}




To wire up your object, all you need do is create a new instance of your overridden ApplicationWirer class in a constructor on your object, and call the wire() method

For example, using YourAppWirer in the above example:


public class JediMindTrick {
public JediMindTrick() {
new YourAppWirer().wire(this);
}
}



Provided you have defined public setter methods for any spring dependencies your object needs, and called them the same names as described above, spring will inject these at runtime. You can then write your object methods as normal

Sproing version 0.3.1alpha is available now from Sith Open Source

Thursday, 15 October 2009

Creating a Spring application

Creating a standalone (ie non-web) application can seem a little confusing to some. Sproing makes this easy by extending a Sproing class and implementing a method, and that's it!

All you need do is have your main (the class with the main() method that starts the application) extend ApplicationWirer and implement the getPaths() method that returns the path(s) to your application context xml files. Then a single call to the wire() method does the rest



import uk.org.sith.sproing.spring.ApplicationWirer;
public class Main extends ApplicationWirer {
public static void main(String[] args) {
Main main = new Main();
main.wire(main);
}

public String[] getPaths() {
return new String[] {"applicationContext.xml"};
}
}



This code will start your application and load the applicationContext.xml file into spring with all the spring beans defined. Easy!


Sproing version 0.3.1alpha is available now from Sith Open Source

Saturday, 3 October 2009

Sproing: Spring static ApplicationContext access

It is often useful to gain access to the ApplicationContext object in order to locate existing beans. Sproing provides a ApplicationContextProvider class that can be used anywhere in a spring application to access the application context like so:


ApplicationContext ctx = ApplicationContextProvider.getApplicationContext();


If you have used Sproing to start the application and/or load Spring, you will automatically have access to this class. If you want to use this feature of Sproing in a web application, all you need to do is declare the ApplicationContextProvider as a spring bean in your spring xml file ie


<bean id="applicationContextProvider" class="uk.org.sith.sproing.spring.ApplicationContextProvider"/>


Sproing version 0.3.1alpha is available now from Sith Open Source

Wednesday, 2 September 2009

Sproing: FitNesse-Spring integration

Sproing wires up FitNesse fixtures into Spring by loading any application context files you specify and then wiring the fixture into it, allowing you to inject beans into the fixture at runtime.



The fixture needs to implement SpringWirableFixture and extend your chosen FitNesse fixture. It is wired
using the AutowireCapableBeanFactory.AUTOWIRE_BY_NAME strategy - it needs to do this to work properly with
FitNesse, so your fixtures need to have setter methods with the same names as the beans you want to wire up



You need to create a subclass of AbstractFixtureWirer and implement the getPaths() method to return the paths of the spring
application context files you want to wire up




For example:


public class YourAppFixtureWirer extends AbstractFixtureWirer {

public String[] getPaths() {

return new String[] {
"classpath:fitnesseApplicationContext.xml",
"classpath:applicationContext.xml"};
}

}



To wire up your fixture, all you need do is create a default constructor (or setUp() method if using a fixture that
has one) and create a new instance of your overridden {@link AbstractFixtureWirer} class



For example, using YourAppFixtureWirer in the above example:


public class TestFixture extends ColumnFixture implements SpringWirableFixture {

public TestFixture() {
new YourAppFixtureWirer().wire(this);
}

}




FitNesse will call the default constructor, wiring up your fixture with the bean factory. Provided you have defined
public setter methods for any spring dependencies your fixture needs, and called them the same names as described
above, spring will inject these at runtime. You can then write your fixture methods as normal



It can be downloaded from sourceforge