passwordmaker / android-passwordmaker

Password Maker written for the Android OS
http://passwordmaker.org
GNU General Public License v3.0

Add the ability to import and export firefox RDFs #5

Closed tasermonkey closed 10 years ago

landroni commented 12 years ago

This would also allow for compatibility with PWM Java Edition.

tasermonkey commented 12 years ago

I'm actually attempting to integrate with the Java Edition in order to complete this ticket, just I haven't been spending a lot of time on it.

tasermonkey commented 12 years ago

I have it actually now reading and writing to/from rdf using the passwordmaker-lib-je library. Though I haven't figured out the exact mechanics of import data from an external source. I think I could have it read/write to the SDCard location on the android application and users can copy to/from that location from a file manager application. I can't have it write to random locations on the sdcard without adding a new permission to the application and right now, I like not requiring any permissions as it should make people feel warm and fuzzy inside.

Pledkae commented 10 years ago

Hiya,

any updates on this one? Thanks!

tasermonkey commented 10 years ago

A little actually. In my 2.0 branch I got in the library to actually achieve it.

I think for right now I will require the user to copy the rdf/xml into a text view and it will load it there.

But I will need to have testers as I myself don't really use a bunch of profiles and don't really have some of the complex ones.

Maybe by Sunday I could get a testable APK up. Though it won't be 100% complete. But you can test the import feature. And still be able to use it to generate passwords.

Pledkae commented 10 years ago

Thank you for the fast response! I'll gladly test the *.apk when the build is up. Cheers!

tasermonkey commented 10 years ago

Sorry, I didn't quite get it done enough... Ran into a few unexpected problems. Due to work and stuff this week, may be closer to Friday or Sunday next week.

Pledkae commented 10 years ago

Whenever you're ready, mate. Thanks for trying...

tasermonkey commented 10 years ago

Hey, I got an alpha version up. Please see this: https://github.com/tasermonkey/android-passwordmaker/releases/tag/v2.0.0-alpha1 for more information and some warnings. Like it will pretty much kill whatever old settings you had in the application. However, it should be able to import your RDFs from the Firefox version (and I think Chrome version now). I tried to test it, but my password maker settings are pretty simple compared to what they could be.

tasermonkey commented 10 years ago

I found a bug in the Account Editor part. For some reason, at least on my phone, it won't let me actually choose a different CharacterSet other than AlphaNumSpecial. I imagine that the import though will still work and properly have the correct CharacterSet.

Pledkae commented 10 years ago

Hi,

I've tested the *.apk and I'm quite happy with what you've done. Thanks! For me, there is almost no need for more. Although I've run into a problem with a few accounts which meet the following criteria: passwordmaker

tasermonkey commented 10 years ago

Interesting. I replicated at least the first line item there. I will work on that this weekend.

Are all of those from importing the accounts? Or setting it up manually in the application? Because right now, there was a slight bug in actually selecting say a custom character list to begin with. But it looks like however the HMAC is set, it's not getting it.

Would you mind attaching a slimmed down version of the RDF you were importing, if you were indeed importing. This way I can test against that and make sure those work more easily. You can use say, http://gist.github.com or something if you wish to attach the RDF file.

Pledkae commented 10 years ago

Yep, all of those are from importing only. No manual settings at all. Here's the example, I hope it'll help:

https://gist.github.com/Pledkae/609f70dd130b4fc76091

Pledkae commented 10 years ago

Sorry, the example I posted yesterday isn't good because URLs used for password generation are all based on the same domain and auto selection always chooses the first account, obviously. This one should do the trick: https://gist.github.com/Pledkae/3c014e602a90390c512e

tasermonkey commented 10 years ago

Thanks. This RDF was generated from the Android version or from Firefox? Hopefully, it doesn't matter, as it should be generating basically the same, but it's good information to have just in case.

Pledkae commented 10 years ago

It was generated from Firefox.

tasermonkey commented 10 years ago

@Pledkae, the Java version doesn't support the HMAC-SHA256 Version 1.5.1 due to the fact that the JVM doesn't have it implemented. This is because this version is a buggy JavaScript implementation of the hash algorithm. Which means in order to support it, it would need to be manually added.

Same goes with: MD5-V0.6, HMAC-MD5-V0.6

I can make it so that it's not silently ignored though.

tasermonkey commented 10 years ago

I could also make it so that the application could ask maybe to convert it to the non-buggy version, though I can't guarantee that it will generate the proper hashes every time.

miquelfire commented 10 years ago

The 0.6 can be done. Basically, the character set system was designed to trim the leading "Zero" characters from the beginning of the string, but 0.6 did do that (basically, if it was 0-9 were the characters, 0.6 would display something like 0004, while the character set system would just display 4). I know some versions added a parameter to the character set thing to control that feature (first Java version actually had the 0.6 behavior, but not the later ones)

tasermonkey commented 10 years ago

so after: val = inCharSet(hash(message), activeCharSet) ... trim off the 0's?

Is it the 0's specifically? Or the first character of the selected character set?

Then would the algorithm then loop back to generate a password of the min length?

So instead of return '0004' it would trim it to '4' then rerun the algorithm, until it got something like: '3245'.

miquelfire commented 10 years ago

> so after: val = inCharSet(hash(message), activeCharSet) ... trim off the 0's?

If your non 0.6 rstr2any function is not correct, you would need to do that.

> Is it the 0's specifically? Or the first character of the selected character set?

The first character of the selected set would be the trimmed character.

> Then would the algorithm then loop back to generate a password of the min length?
>
> So instead of return '0004' it would trim it to '4' then rerun the algorithm, until it got something like: '3245'.

If you're not already doing that, anyone with a long enough password length is getting the wrong passwords. There's special rules with this, I can't remember off the top of my head however.

tasermonkey commented 10 years ago

It's been so long ago since I implemented the core of the algorithm, I must have spaced that out... But: For:

    Account account = new Account();
    account.setAlgorithm(AlgorithmType.SHA256);
    account.setLength(55);
    account.setCharacterSet("012");
    Account account_No_trim = new Account(account);
    account_No_trim.setTrim(false);
    System.out.println(pm.makePassword(masterPassword, account, "cnn.com"));
    System.out.println(pm.makePassword(masterPassword, account_No_trim, "cnn.com"));

The output is

    trimmed:     1102122200022222120202121222200011012002011212110001101
    not-trimmed: 0000000110212220002222212020212122220001101200201121211

So is it correct to say, that only the "0.6" md5 algorithm does not trim the leading zeroes? It appears to be the default to trim the leading zeroes.

tasermonkey commented 10 years ago

I did SHA256, because it seemed that whatever md5 generated, it didn't want to place that many 0's in front of the string, so I tried different hash algos. Basically that trim flag gets sent to the r2any function and that determines if it trims the extra zero's fat.

miquelfire commented 10 years ago

Yes, you are correct.
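
The trimming behaviour settled in the comments above, as an added example that is not part of the original thread or the project's code: it encodes a digest into a character set with and without stripping the leading first-character "zeros" and shows how that changes a length-limited password. The function names, the round-input format and the two-byte digests are assumptions constructed for illustration.

```javascript
// Added illustration, not PasswordMaker's rstr2any: encodeDigest, derive and
// the round-input format are hypothetical names/assumptions for this sketch.
const { createHash } = require('crypto');

const sha256 = (s) => createHash('sha256').update(s, 'utf8').digest();

// Write the digest as a base-N number using `charset` as the digits.
// trim=false keeps the fixed width the digest can occupy (e.g. "00004");
// trim=true strips leading charset[0] characters (e.g. "4").
function encodeDigest(bytes, charset, trim) {
  if (charset.length < 2) throw new Error('charset needs at least 2 characters');
  const base = BigInt(charset.length);
  let value = 0n;
  for (const b of bytes) value = (value << 8n) | BigInt(b);
  const width = Math.ceil((bytes.length * 8) / Math.log2(charset.length));
  let out = '';
  for (let i = 0; i < width; i++) {
    out = charset[Number(value % base)] + out;
    value /= base;
  }
  if (!trim) return out;
  let start = 0;
  while (start < out.length && out[start] === charset[0]) start++;
  return out.slice(start);
}

// Concatenate encodings of successive hash rounds until `length` characters
// exist, then cut. Assumption: round 0 hashes the input, round i hashes
// input + "\n" + i; the real generator's round input may differ.
function derive(input, charset, length, trim, hashFn = sha256) {
  let out = '';
  for (let round = 0; out.length < length; round++) {
    if (round > 1000) throw new Error('digests keep encoding to nothing');
    out += encodeDigest(hashFn(round ? `${input}\n${round}` : input), charset, trim);
  }
  return out.slice(0, length);
}

// Constructed digests (not real hashes): round 0 = 0x0004, later rounds = 0x0c35.
const fakeHash = (s) => (s.includes('\n') ? [0x0c, 0x35] : [0x00, 0x04]);

function demo() {
  return {
    untrimmed: derive('constructed', '0123456789', 4, false, fakeHash),
    trimmed: derive('constructed', '0123456789', 4, true, fakeHash),
    sha256Width: encodeDigest(sha256('constructed'), '012', false).length,
  };
}

console.log(demo());
```

With the same digests, the two modes yield different passwords, so an importer that ignores an account's trim setting produces valid-looking output that no longer matches the other clients.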

tasermonkey commented 10 years ago

Hey guys, I just put up another alpha release here: https://github.com/tasermonkey/android-passwordmaker/releases/tag/v2.0.0-alpha2

If you already are using the first one, please try to export the alpha1 version first, if you wish not to lose anything, though it seemed to upgrade for me just fine if I used adb install -r .

Pledkae commented 10 years ago

Hi,

I've just done a test of alpha2 release and I must say I really fancy the input field autocomplete feature. Good job!

Unfortunately, the generated password results are basically the same for me as in alpha1 with the exception of HMAC-SHA-256 Version 1.5.1 algorithm. Accounts are imported now (they weren't imported at all the last time) and generated passwords are different than ones using Firefox add-on version. It's not a big deal for me - it's easier to choose another algorithm and change a few account passwords than to rely on inconsistent results. I've read your explanation and I'm fine with that.

But I still get a blank password for the following algorithms: HMAC-MD4, HMAC-RIPEMD-160, MD4, RIPEMD-160

If it means anything, AlphaNumSpecial string used is: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789`~!@#$%^&*()_-+={}|[]:";'<>?,./

Prior to installing alpha2, I've cleaned cache and data and uninstalled alpha1 completely. After the alpha2 installation, I've done RDF import.

Cheers!

tasermonkey commented 10 years ago

I should have tested on my phone first. It worked on the emulator. I will fix that. Sorry for the inconvenience, but thanks for testing.

tasermonkey commented 10 years ago

Ok, I transferred this repository over to the passwordmaker organization. So any follow-up will need to be done from the issue tracker in the new location: https://github.com/passwordmaker/android-passwordmaker/issues

tasermonkey commented 10 years ago

Hurray! On my Android, just what I expected:

    07-05 10:40:50.468 1058-1058/org.passwordmaker.android W/System.err﹕ java.security.NoSuchAlgorithmException: MessageDigest RIPEMD160 implementation not found

I think somehow it's not using the spongycastle implementation that I thought I had it configured to do.

tasermonkey commented 10 years ago

Hah, after fixing this up, it more than doubled the size of the APK (to 1.6 MB). I am using Spongycastle properly now. Proguard was removing the class files from it, as it's a runtime dependency and it didn't detect that my application was using it. The new APK is here. https://github.com/passwordmaker/android-passwordmaker/releases/tag/v2.0.0-alpha4

Thanks again!

Pledkae commented 10 years ago

Works like a charm now! Thank you very much for making this possible, you're a life saver!

tasermonkey commented 10 years ago

OK, I think I am going to release this and see what happens. :-)

tasermonkey commented 10 years ago

Ahh shoot, anyone have an android tablet to see how the v2.0.0-alpha4 APK looks/works? I don't have a physical one, and my macbook air resolution isn't high enough to really support the tablet emulator even. And there are slightly different code paths for the tablet, especially for the UI interaction.

miquelfire commented 10 years ago

I poked around for a bit. Seems to work on my 2nd gen Nexus 7. BTW, is there a delete profile button?

tasermonkey commented 10 years ago

Sigh, I forgot to add that in. :-) Curious how many people edit their profiles on the phone after I got the import/export of rdf's.

Pledkae commented 10 years ago

Don't have a tablet, but this might help: http://www.bluestacks.com/app-player.html (If you already don't use this one as emulator, of course.)

tasermonkey commented 10 years ago

Released!