eclipse-cognicrypt / cognicrypt Goto Github PK
View Code? Open in Web Editor NEWCogniCrypt is an Eclipse plugin that supports Java developers in using Java Cryptographic APIs.
License: Eclipse Public License 2.0
CogniCrypt is an Eclipse plugin that supports Java developers in using Java Cryptographic APIs.
License: Eclipse Public License 2.0
On invoking the wizard a blank window is displayed in the background. Appears to be unintended.
Closing the wizard does not terminate said window.
When choosing to implement a client, and giving hostname and port for the server to connect to, one should be able to make a test connection to that server under the default configuration.
If the test connection can be established successfully, the "We have compiled a default configuration ..." screen should be displayed. Otherwise, show an error message and show the "Select cipher suites" screen."
The integration of new primitives should be supported by CogniCrypt by means of a guided dialogue system. Steps should at least include:
"What kind of algorithm do you want to integrate?" - Cipher, MAC, MessageDigest, ...
"Which CSP provides the implementation?" - SUNJCE, Bouncycastle, Mine, ...
If 'Mine' was selected: "Please provide the provider's name and its jar file."
"Please provide Clafer model for the algorithm" (Show respective snippet of existing algorithms in the same algorithm class)"
Linked to #14
Edit: The expert probably does not provide a CSP, but rather a Java project with the implementation. Scratch the part about "which CSP provides the implementation" and assume you need to do the CSP part for them.
Displaying AES AES(2) etc. is very counter-intuitive for the end user. Can we come up with a better representation?
Originally created by: @snadi
Some(tm) cryptographers prefer to implement cryptographic schemes in C(++). Extend the integration interface of #13 such that algorithms implemented in C(++) can be integrated as well. In particular, add a question about the respective programming language. If C(++) is selected, generate stubs for an JNI after the algorithm type is selected. Depending on the algorithm type, different methods need to be generated (e.g. ciphers need at least the methods encrypt, decrypt, generateKey). Finally, ask the primitive developer to connect methods in the JNI with the ones in their C(++) implementation.
After few minutes of running the error occurs. It is caused by an exception in SAX parser and it was detected during refactoring XMLParser class.
Most likely it's caused by wrong usage of plugin e.g. adding same task twice, which causes error. A usability improvement can be restricting such usage of plugin or warning the user."
The tool CDRep (https://soarsmu.github.io/papers/CDRep.pdf) automatically detects and patches misuses of Crypto APIs. When we decide to build some sort of quick fix generation engine for CogniCrypt, we should look into this in a bit more detail to check if we can adopt ideas & concepts from there.
Add a drop-down menu to the first screen in the wizard with all Java projects in the workspace. Depending on the situation when the user clicks the button a different project is auto-selected in the drop-down menu. When a Java file is opened in the editor auto-select its project. When a Java project had been selected that project is auto selected. If neither of the two is true don't auto select anything and leave it to the user to select one. The next button only becomes clickable once the user has selected both a project and a task.
Collect as many Android apps as you can find that use cryptographic APIs.
The collection process should entail three steps:
You can find a similar analysis here: https://code.crossing.tu-darmstadt.de/projects/E1/repos/code_cryptominer/browse/code/grouminer/PackageFilterer/src/PackageFilterer.java
It has the same base functionality)
If you have questions concerning question 2, get in touch with @johspaeth or @nguyenLisa.
The input of the doFinal and update method in Cipher is the plaintext as a byte array. Usually, a tool is supposed to actually encrypt a file or a message. During the conversion from, say, strings to byte arrays the user may still make mistakes that weaken the encryption. Extend the symmetric-encryption task by adding a new question that allows the user to select the original source of the byte arrays and add conversions for each supported answer to the xsl stylesheet.
Question could be something like "What type of data do you wish to encrypt?" -> Messages (String), Files (File), Byte Array ...
At present CC displays the instance details list by auto selecting the best possible instance according to
the user requirements.
Introduce a new wizard page after user is done giving answers to the mandatory high level questions for the selected task.
This page should give user the following two options-
Option 1: Keep the default configuration of Instance which fulfills the user needs
Option 2: Change the auto compile configuration
When user selects option 1 CogniCrypt should directly introduce the code into the selected project, no need to show the Instance Details of the auto compile version.
When user selects option 2 then the user should see the instance details page and allow user to select algorithm of their choice.
When the user ever has CogniCrypt re-generate the code for their application, but has changed the code CogniCrypt has generated for them the first time, CogniCrypt as of now overrides everything. KaleidoCrypt adds tool support for this use case in that it allows to merge the existing code in the project with the one that CogniCrypt attempts to generate in the second run. Integrate the two.
This will be more than one issue, presumably, this issue should help to keep track of the integration process. Please reference this issues in all (future) issues that work towards this goal.
Can we use better separators for improving the readability of the instance details?
We should try to think of some meaningful questions for the tasks that make use of the properties in the variability model
Originally created by: @snadi
A hybrid encryption comprises a public key and a symmetric encryption. The actual data is encrypted using a symmetric encryption. Then, the symmetric key is encrypted using a public key encryption.
This has already been done:
This still needs to be done:
Develop questions for configurator wizard and consequences of responses
Write XSL Stylesheet for Code - This has been done partly. Reuse old stylesheet for symmetric encryption.
If there are functionalities needed for the integration of this task, open another issue and implement them."
Since we will likely replace Clafer later design configurator to have the least possible dependencies on it.. This is bigger than a single issue but just opening it up so we don't forget.
Originally created by: @snadi
Resources should probably work through before tackling this issue:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html
https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html
And this is the problem: https://www.google.de/search?q=call+so+file+from+within+jar+file
Currently, these two tasks are separated.
Task Name: Encrypt Data Using a Secret Key
When choosing "yes" as an option to derive key from user specific password, the output class doesn't implement the correct method.
Actual Output:
public class Output {
public byte[] templateUsage(byte[] data) throws GeneralSecurityException {
KeyGenerator kg = KeyGenerator.getInstance("AES");
kg.init(128);
SecretKey key = kg.generateKey();
Enc enc = new Enc();
return enc.encrypt(data, key);
}
}
Expected Output:
public class Output {
public byte[] templateUsage(byte[] data, char[] pwd) throws GeneralSecurityException {
KeyDeriv kd = new KeyDeriv();
SecretKey key = kd.getKey(pwd);
Enc enc = new Enc();
return enc.encrypt(data, key);
}
}
Cognicrypt automatically selects the first configuration in the instance-selection screen. Since all configurations that are shown in that screen comply with specified requirements, it doesn't make sense to not auto-select the one with the highest security level. Hence, Cognicrypt should sort the configurations based on security level in descending order.
One way to do that may be to tell Clafer's instance generator to sort the instances, but as far as I know, there is no such mechanism. Another way would be to post-process the generated instances, retrieve their security level and then order them in the Java code."
User authentication is one of the most common use cases application developers wish to implement. Integrate multiple solutions for that use case.
This integration includes
If there are functionalities needed for the integration of this use case, open another issue and implement them.
Implementation provided as jar. Usage example in the CogniCrypt.pdf.
Remaining steps:
One goal of CogniCrypt is to simplify developers' usage of cryptographic APIs. A vital aspect to realize this goal is a usable UI. The current UI as it is falls short of that in a number of ways. Address and correct these issues.
This issue is a an umbrella issue in which sub-tasks for individual flaws should be created as sub-tasks of this issue. This should make it easier to keep track of all UI-related issues.
When someone selects an algorithm provided by one of "our" JCA providers (or BouncyCastle once we support it), the respective jar file must be added to the user's project. This most likely also requires a change in the Clafer model to mark where the algorithms belong to.
For keysize properties, it doesn't make sense to have a spinner with increments of 1
Similarly, for security, performance etc., the integer values will mean nothing to the user
Originally created by: @snadi
In /src/test/java/crossing/e1/configurator/test/ui, there are five UI tests, created with the UI-testing plugin RCPTT. Right now, they work for my machine. Integrate them into the nightly build.
This might help: https://www.eclipse.org/rcptt/documentation/userguide/maven/"
It seems that in the advanced mode, all "enums" are displayed as global properties for the user. This shouldn't be the case as the user shouldn't set a global security or performance level, but should only set those specific to the task. It might just be the display wording, but this needs to be investigated to see where these constraints are exactly displayed from (maybe global as in parent cipher?)"
Originally created by: @snadi
The code that is generated is generated into some project. Currently, we have some heuristics to figure out which project it needs to be generated into. These heuristics might not always be intuitive to the user as they may right-click on the project they need the code in and expect a context-menu entry to start the code-generation wizard.
Add this entry to the context-menu when someone right clicks anything in the package explorer and take the project that was right-clicked (or if a file was clicked its project) as the developr project for the code generation."
This project is being developed by Prof. Blömer's group at Uni Paderborn. For more information, ask me for a project description. The implementation, packed as a jar file, can be found here: https://www.dropbox.com/s/moz5q27e86usmtx/craco4openCCE1.zip?dl=0
This integration includes:
If there are functionalities needed for the integration of this task, open another issue and implement them.
Go through all tasks and check which questions require an answer from the user and which would work just fine with our default answer. Path to a keystore in TLS task is not optional, for instance. Neither is the questions in ABY about which scenario the code should be generated for. If a clear majority of/more than two questions for a task is optional, reorder them such that the mandatory ones come first and the optional ones come last, and add another question in-between to ask the user if they want to skip the optional ones.
http://cryptoexamples.com/java_landing_page.html# lists a bunch of examples showcasing how to use the Java crypto APIs. Check them out to find bugs in our xsl templates and/or ideas for new tasks. Also document mistakes in their examples (e.g. password not cleared after use of PBEKeyspec).
We should eventually integrate the S6 archiving dialog
Originally created by: @snadi
What exactly are global constraints ? The current display of properties is not intuitive for the user.
Also, when property is mode for example, operators such as > and <= don't make sense. The operators should be dependent on the property."
Originally created by: @snadi
CogniCrypt should support a integration of new tasks. Starting point of the integration could be the task list page. Workflow should roughly be as follows:
"Name of your task" => "Description of your task" => "Clafer Model for the task" => "XSL Stylesheet for your task" => "High level questions for your task"
Properly align and display the properties (see attached snapshot)
Now even worse when added checkbox to enable/disable constraint (see second snapshot)
Originally created by: @snadi
Implementation as jar + usage example as java code and configuration question for the wizard are in preparation.
Remaining steps:
Each provider supports a certain number of algorithms in different configurations. Take the Cipher class of the SunJCE Provider for instance (). If AES is taken as a cipher, only the padding schemes NoPadding, PKCS5Padding, ISO10126Padding are allowed. If the user types
cipher.getInstance("AES/CBC/
content proposal/code completion may (only) show the allowed padding schemes to support the developer.
Currently blocked by #191.
Right now, there is one question/UI widget per page, which gets tedious to the user pretty quickly. Extend the UI elements such that these can be grouped. Take into consideration that often the answer to one of the questions changes the value range for the answer of another one or even makes the wizard to skip a question.
A first solution may be to only group those that do not influence one another. In a second step, the UI widgets should be updated depending on the answer of the previous UI page.
Don't put more than three to five widgets on a page though.
For integration, the following things are still missing:
also reproducible on
When GTK3 mode in eclipse is enabled (which it seems to be by default in recent Linux UIs), the CogniCrypt UI breaks when opened for the first time. An error is thrown from the C library libgdk-x11-2.0.so, memory is dumped and CogniCrypt does not show up.
Set eclipse to GTK2 mode by starting it using
export SWT_GTK3=0; eclipse
When going back and forth in the wizard, the order of pages gets mixed up and pages that have been seen yet, are created anew.
The getNextPage and getPreviousPage methods have to be revised. They would either have to work on the set of all pages (that was created when creating the wizard) or re-check the path that the user took on every back/next click.
An example sequence that shows the problem:
Select Task: Communicate over a secure channel
Next >
Please specify the path to your keystore:
Next >
Please give the password for your keystore:
< Back
Next >
The input field is now empty as a new page has been created. The old (redundant) one still exists and can be accessed via the back button.
The last step in the Wizard has the "Finish" button active but while moving back to the previous steps using "Back" button, the "Finish" button is still active. Clicking on "Finish" in the intermediate steps does not perform anything.
Fix:
The "Finish" button should be activated only in the last step of the wizard."
Originally created by @Sneha1602
File should at least describe:
Take a look at the code accompanying that master thesis on crypto misuses and extract rules.
When the user selects an option on a wizard page, show them a preview of the consequences of their choice.
Also document the setup process of the nightly build.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.