How to implement what “psql > \d table1” command does, manually in C?

I’m writing a Postgresql server extension in C, it’s a server-side trigger function. I’m using the standard server side interface in C that Postgres offers:

#include <stdio.h> #include <time.h> #include "postgres.h" #include "utils/rel.h" #include "executor/spi.h" #include "commands/trigger.h" #include "utils/fmgrprotos.h"  #ifdef PG_MODULE_MAGIC PG_MODULE_MAGIC; #endif  extern Datum trig_test(PG_FUNCTION_ARGS);  PG_FUNCTION_INFO_V1(trig_test);  Datum trig_test(PG_FUNCTION_ARGS) {       // ........      // TODO:    // 1) infer a table over which a trgger is being executed (is more or less clear how to)   // 2) (!) archive the same result over that table   // as psq would do via this: "\d that_table" (how?)   // 3) write the output into a variable or file (is clear how to) } 

My current task is to achieve the same result as the \d <table1> does in C, inside of a trigger function. And more essentially I need the "indexes" part, including primary_key and also whether or not primary key is made of a single column or multiple ones, and which ones.

How can I do it?

Preferably, not strictly, without having to use SPI_exec() command because I figure that it might be slower than some other, more direct way.

Is possible to implement a Web Cryptography API custom provider?

I’m reading some basic info about Web Cryptography API and I’m wondering if is possible to implement some crypto provider (C/C++ library or something) with some extra algorithms or is mandatory to use the ones “embedded” with the web browser. I have finded articles about the security and tutorials about how to use it but nothing about custom implementation. I don’t know if it uses Operating System libraries or only web browser libraries, if should be used “as is”… Some reference or clarification is appreciated.

Heavy thrown implement for Invoker

I have this idea of a hybrid Fighter|Invoker, using Cleave and Deft Hurler to throw Divine Bolts. Deft Hurler (Dr 368) lets you use a ranged basic attack after Cleave:

Cleave: You can forgo dealing damage to the adjacent enemy to instead make a ranged basic attack with a heavy thrown weapon against one creature other than the target of your cleave. This ranged basic attack does not provoke opportunity attacks.

RAW, implement powers used with weapon implements still count as “with a weapon”.

Power of Skill (DP) turns Divine Bolts into a basic attack:

You can use any power you have that is associated with this feat as a basic attack. (Divine Bolts is listed)

Now I just need a heavy thrown weapon with the highest damage that is usable as an implement by an Invoker.
Bonus points if it is possible without a multiclass feat, as I want to use Seeker MC in paragon to get Primal Eye.


If it matters:
Str 17, Con 12, Dex 13, Int 8, Wis 16, Cha 8
Goliath (but any Str/Wis race will do)

What is the correct way to implement the OAuth2 state parameter?

I’m trying to understand how to properly implement state in an OAuth2 client, to mitigate CSRF attacks. This answer explains the attack scenario pretty well, to summarize:

  1. The attacker starts the authorization code flow, and gets a code from the authorization server
  2. The attacker traps his redirect url (e.g. https://client.com/exchangecodefortoken?code=attacker_code), and tricks a victim into accessing that link
  3. The victim is logged in with the attacker account, and if he upload sensitive info to the client application, that info will be uploaded to the attacker’s account meaning the attacker will have access to it.

The RFC vaguely says that state should be derived from the user session, for example using a cookie:

The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent’s authenticated state (e.g., a hash of the session cookie used to authenticate the user-agent). The client SHOULD utilize the “state” request parameter to deliver this value to the authorization server when making an authorization request.

This question implements this by creating an id cookie and a random state for each session, and correlating those two in the client DB. The client then handles an authorization code callback (e.g https://client.com/exchangecodefortoken?code=abc&state=def) by verifying that:

params.state == DB_at(cookies[id]).state 

It seems to me that an attacker can still bypass this kind of protection, because he knows his own id cookie:

  1. The attacker starts the authorization code flow, and gets a code from the authorization server
  2. The attacker traps his redirect url (e.g. https://client.com/exchangecodefortoken?code=attacker_code&state=attacker_state). He then uses that URL to prepare a link that when clicked, also sets the id cookie to the attacker’s id cookie (not very familiar with cookies, but this answer implies you can do this)
  3. The victim accesses the malicious link, and is redirected to the client with the attacker’s state and id cookie
  4. The request passes aforementioned verification and the victim is logged in with the attacker’s account – the attack succeeded.

How should you securely implement the state parameter?

(I’ve also seen answers like this one that claim that the attack is the other way around: at the end the attacker gets access to the victim’s account – and not vice versa. I though the explanations given for this scenario are incorrect/incomplete, but please correct me if I’m wrong on this)

How to implement my PKI?

EDIT: Reasons to roll my own

https://security.stackexchange.com/a/130775/127025

How can we trust a CA?


I’m designing my own server (foo.ext), and I’ve been investigating about how I can authenticate myself to the rest of the world.

I understand that perfect security is not possible, but I would like to have enough security so that it would be difficult to break in even for the NSA.

After some investigation, I’ve arrived to the conclussion that the only way to maintain a chain of trust is to secure the first link. So I’m going to roll my own personal Certificate Authority and put it forever out of the internet.

I’ve designed 4 levels of CA in the following way:

Level 0 (Self-signed personal CA):


This is a self-signed CA. I will re-issue it every 10 years. It will live in my most secure computer which will never connect to the internet. It will sign one and only one certificate, the level 1 CA, every 5 years.

Level 1 (Limited personal CA):


This CA will live in the same computer as the level 0 CA (although in different containers). I will give in hand (USB) a copy of the certificate of this CA to my clients, who will have to install this CA in their browsers to be able to connect to my server securely.

This CA will be limited (by the level 0 CA) to issue certificates for foo.ext and *.foo.com. The reason for this limitation is that my clients will be able to install this CA in their browsers, and have a guarantee that I will never be able to impersonate something like google.com in their browsers.

Level 2 (Intermediate CA):


This CA will be signed by level 1 CA with the same limitations. This CA will sign certificates for two things: my server foo.ext and my level 3 CA. It will live in a separate computer which will also be disconnected from the internet. It will exchange keys, certificates and certificate requests by USB.

The reason for this CA is to be a firewall before my level 1 & 0 CAs. For that purpose, every time I need to certificate this CA, I will first reset its computer, so that if there is a breach, it won’t propagate to level 1 & 0 CAs.

This CA will be certified every year.

Level 3 (Subordinate CA):


This CA will be further limited to only *.foo.ext (and not foo.ext). It will/may live in the same computer where my server will be.

It will certify the different services of my server every month or so.


Every CA and service will be isolated from the rest in a container.

I will have two different servers.

foo.ext will be the most secure of the two, and its purpose will only be to publish any breaches in the level 3 CA or any service certified by that CA. This server will be signed by level 2 CA, so it won’t be affected by such breaches. When a breach is published, I will publish any certificates to be revoked.

*.foo.ext will have a set of services, which will be the main objective of all this PKI. The rest is just security overhead.

For my services over SSH, I will be my only client (no-one will be allowed to SSH into my server).

For my services over HTTPS, anyone can connect, but those services will only serve static content, and will be download only (only GET & HEAD).

I also want to set up a mail server, but I still don’t know much about mail, so I will delay that until I know how to do it securely.


Every public key, certificate request and certificate exchanges between different units of my PKI will be done by hand (by myself) to avoid someone sneaking around. Private keys will never, under any circumstance, get out of the unit in which they were generated.

Private keys will not be password encrypted, because I would need to keep the password in plain text in the same computer, which makes it useless IMHO. Instead, I will just hide the level 0 & 1 computer from physical attacks as much as possible.


I have this picture of the whole PKI

PKI


Now to the code.

I’ve found in the internet some code to do that, but it was either outdated, or incomplete, or misdocumented or all of them. Given that I want it to be as secure as possible (within my possibilities), I’m not going to use that code until I know what every line is doing.

I will use RSA keys of (at least) 4096 bits. I won’t use more bits because it may not be supported by browsers. And not less because of security.

For Signing, I will use sha512.

I would like to do everything with libressl, and avoid ssh-keygen or openssl as much as possible.

I have the following cheat sheet for now, which I hope is correct and up to date:

Generate a RSA private key:

libressl genpkey -algorithm RSA -out caX.foo.key.pem            \         -pkeyopt rsa_keygen_bits:4096 

Check private key:

libressl rsa -noout -text -in caX.foo.key.pem 

Extract public key from PEM RSA private key:

libressl rsa -in caX.foo.key.pem -pubout -out caX.foo.key.pub 

Generate level 0 certificate:

libressl req -new -x509 -key ca0.foo.key.pem -sha512 -days 3660 \         -out ca0.foo.cert.pem 

What I don’t know how to do:

  • Generate certificate requests and certificates

I have some (incomplete or incorrect) commands.

Generate CSR (certificate signing request):

libressl req -new -sha512 -key clientX.foo.key.pem -out clientX.foo.csr.pem 

Sign certificate:

libressl x509 -req -in clientX.foo.csr.pem -out clientX.foo.cert.pem    \         -CA caX.cert.pem -CAkey caX.key.pem -sha512 -CAcreateserial 

-CAcreateserial as I understand it should only be used by a CA signing its first certificate.

Missing in those commands is for example the limitation for the CAs and for the end services to be able to certificate only the domains or subdomains I want them to certificate.


My question is: how to implement my PKI design? by which I mean, how to correctly generate CSRs and sign them with the specifications I want.

It may very well be splitted into various subbquestions, but I prefer to ask a single question because they are intrinsically related, and that way you can have an overview of the whole system, which is necessary to better answer the question.

How do I implement the SSL on an embedded device?

I understand that SSL/TLS is the best option to ensure secure communication on embedded IoT devices. Like I read the details of SSL, there are a series of steps involved (certificate verification, handshake, cipher suite, and more…). When we are doing the same via a browser like Chrome accessing a secured website, I think this all is implemented/taken care by the browser itself.

Device is not having a UI, so no browser being used there! consider this like a IoT gateway like smart home gateway or connected vehicle telematics gateway!

How do I implement the SSL on an embedded device? Also is everything on SSL require to be implemented by a developer in this case?

will some library like wolfSSL be a good option?

When to implement authentication and authorization?

I am currently in situation where I have to decide when to implement security measures. So the question is simple, is it better to implement authorization and authentication methods right off the bat in the beginning of the project, OR at the end of the project, before the first release?

Things I considered: at the end, one would make quite a bit of changes to the API; at the beginning it is time consuming, if the client wants to see first results soon.