(2024-01-19) Into The Kingdom Of Bouncy Castle Here Be Dragons

Mike Morris: Into the Kingdom of Bouncy Castle; Here Be Dragons. After a bit of downtime over the holiday season, it's back to work on the Wikid Project.

My first use-case is this: I keep a mass/mess of personal notes in my own notebook ("2nd Brain" if you like, though I dislike the term) where Zim Desktop Wiki is my tool of choice (and has been for over 5 years so far).

Zim can export/copy text in that Fucking Horrible Markdown language, for import into the Hugo engine that currently powers the garden.

As soon as I edit one of those articles -- whether I edit in the Garden or in my Zim notebook -- they're out of synch.

When I want to share a particular thought (wikipage) I'd like to just mark it as "Share this page with That Other Wiki Over There." That Other Wiki would be a public-facing instance that can receive the pages and allow the world to read them (Tending Your Inner And Outer Digital Gardens).

Later on I'll be exploring more interesting and sophisticated sharing and collaboration models. This is the whole purpose of the Wikid project. Baby steps, remember.

All these ideas around sharing notes and ideas mean that we need some authentication and authorisation.

Each Wikid instance (and each Wikid client) will need its own identity and a public/private keypair so that we can verify where new pages and new edits are coming from.

So the next Small Step I can take is to cryptographically sign every outgoing bit of wikistuff to prove that it's coming from me, and to verify that every bit of incoming wikistuff is from someone I know.

I'm happy to make the initial introductions happen out-of-band (at least for now!).

So into the Java Crypto Architecture we dive.

Of course one turns to the Java crypto KeyStore.

Only it turns out that storing a private key requires that you store it with a Certificate (strictly a Certificate Chain) that "guarantees" that the key really belongs to the entity who claims to own it and also carries a copy of the public key.
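
The signing and verification step and the KeyStore restriction described above, as an added example that is not part of the original post or the Wikid project's code. Ed25519 (in the JDK since Java 15) is an assumed algorithm choice, and the class name, peer ids, alias, password and page text are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.Certificate;
import java.util.Map;
// Added example; class name, peer ids and page text are hypothetical.
public class WikidSigningDemo {
    // Sign the exact bytes that will be sent to the other wiki.
    static byte[] sign(PrivateKey key, byte[] page) throws GeneralSecurityException {
        Signature s = Signature.getInstance("Ed25519"); // assumed choice; needs Java 15+
        s.initSign(key);
        s.update(page);
        return s.sign();
    }

    // Accept a page only if the sender was introduced beforehand and the
    // signature verifies under the public key recorded for that sender.
    static boolean verify(Map<String, PublicKey> knownPeers, String sender,
                          byte[] page, byte[] sig) throws GeneralSecurityException {
        PublicKey pub = knownPeers.get(sender);
        if (pub == null) return false; // never introduced: reject
        Signature s = Signature.getInstance("Ed25519");
        s.initVerify(pub);
        s.update(page);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("Ed25519");
        KeyPair me = gen.generateKeyPair();
        KeyPair stranger = gen.generateKeyPair();
        // Stands in for the out-of-band introduction: peer id -> public key.
        Map<String, PublicKey> knownPeers = Map.of("garden-a", me.getPublic());
        byte[] page = "Constructed sample wiki page".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(me.getPrivate(), page);
        byte[] altered = page.clone();
        altered[0] ^= 1; // flip one bit of the page
        System.out.println("intact page:    " + verify(knownPeers, "garden-a", page, sig));
        System.out.println("altered page:   " + verify(knownPeers, "garden-a", altered, sig));
        System.out.println("unknown sender: " + verify(knownPeers, "garden-b", page, sig));
        System.out.println("wrong key:      "
                + verify(knownPeers, "garden-a", page, sign(stranger.getPrivate(), page)));
        // The KeyStore restriction: a private key with an empty certificate chain is refused.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        try {
            ks.setKeyEntry("wikid", me.getPrivate(), "changeit".toCharArray(), new Certificate[0]);
        } catch (IllegalArgumentException | KeyStoreException e) {
            System.out.println("KeyStore refused the bare private key: " + e.getMessage());
        }
    }
}
```

Signing and verifying need only the raw keypair; the certificate requirement appears only when the private key has to be persisted through `KeyStore`.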

Remember that we want installation of a Wikid instance to be a one click sort of thing so that mere mortals can use it, too.

I'll just roll a self-signed certificate.
No you won't.
There is no way in the JDK APIs to generate a new Certificate.

Please, please, please don't make me use Bouncy Castle ever again.

The Bouncy Castle home page: Welcome to the home of the Legion of the Bouncy Castle. A fun place to stay, if you've got some time to kill.

Android lacked any sane crypto APIs of its own as Google, in their wisdom, decided to leave those choices to the device vendors who all made wildly different choices. In consequence there was nothing an application developer could rely on, so we all ended up using the Android variant of Bouncy Castle when we had to do any cryptography.

Bouncy Castle is a perfect example of Poisoned OpenSource.

