XWiki Platform / XWIKI-17206

Wiki crypto store should provide some utilities to enforce security on stored data

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 6.1
    • Fix Version/s: None
    • Component/s: Crypto
    • Difficulty:
      Unknown

      Description

      The Wiki crypto store module is quite useful to be able to store keys and certificates directly in a Wiki document.
      However, AFAICS there's currently no check performed on the space where the data are stored, or any helpers to enforce the confidentiality of the stored data.

      So for example, I can use the DocumentReference of the current user to store a pair of keys, but right now it means that anyone could see the private keys just by displaying the XML of my user profile.

      At the very least, we should improve the current API to send warnings if the data are stored in an "unsafe" place (here I consider a place is unsafe if guest users can view it).
      Now, the best would certainly be to be able to automatically hide private key data stored in xobjects, like we do for user passwords/emails.

            People

            • Assignee:
              Unassigned
            • Reporter:
              surli Simon Urli