
How do I...Configure Deki Wiki to digitally sign requests to extensions?

These steps require MindTouch Deki Wiki 8.05.1 or later and administrator access to your wiki.

Deki Wiki can be configured to digitally sign outgoing requests to extensions.  The signature covers the body of the request, the implicit environment headers, and the date.  The recipient of the request can then verify the signature and be sure that none of the data was modified in transit.  Because the date is part of the signed data, the recipient can also check that the request is recent rather than a replay of an older one.

Enabling Deki Wiki to digitally sign requests only takes a few steps: first, you must generate the keys to digitally sign the requests; second, you must configure Deki Wiki with the private key.  That's it!

Part 1: Creating keys to digitally sign requests

Deki Wiki ships with a tool called mindtouch.deki.keygen to generate signing keys.  The tool is located in the tools folder of your installation.

Open a command prompt in the tools folder and execute mindtouch.deki.keygen:

mindtouch.deki.keygen

The tool will generate a fresh pair of keys with each invocation, like this:

MindTouch Deki Wiki KeyGen, Copyright (c) 2008 MindTouch, Inc.


Digital Signature Keys
----------------------
Private: BwIAAAAiAABEU1MyAAQAAL2tVq6st4vDcVydr6TwOwwJPvaIHxhmaHQAs1RcjEhswo4klHtQ9eUhTeup58jd6HV/jS8nj2AM7NAmhZEpuBcnnxHkoaq9AkJgko4/5ef8+uiMVA080sNiokR0UyB9C3yZZmVqcNYAsQucqlhJE6QxjK6ukR4N/Ab9FHcAcfqZ2wBZCRefYHig+ZOvwUA3eyfPn6FzGOL43oNo/F9mGxWSfab9R5/7jzOYGZXm7TBBVcn1qGdZ1tq2Rnt86Z+2sRGNrzgFRXVngKJcZlsvTZKv7AW1JlgJyY0giT9xi7kLPkp0FrXfvdfPt3aRmCxhLWTjmdYBxUY25q+RuzX+k9mDHPHIO7w5mniYoXB4bxd0OrhSR7iWCoojE3mzHuoXBe/XczDqwU2CCwAAADzbDb70xdthG2BplBqax1fUcMtz
Public : (public key value not preserved on this page)

Keep a copy of both keys in a secure location.  These keys are unique and can never be generated again!

You may share the public key, but do NOT share the private key.  If the private key is compromised, rerun the keygen tool to create a new set of keys.

Part 2: Configuring Deki Wiki with the private key

Copy the private key (first line) from the output of the keygen tool.

Log into Deki Wiki with your Administrator's password.  Go to the Control Panel and click on Configuration.

Under "Add or modify key", enter the following config key and value (note: the value is truncated for readability; you must copy the entire private key!).

Key:   security/digital-signature
Value: BwIAAAAiAABEU1MyAAQAAL....zbDb70xdthG2BplBqax1fUcMtz


Deki Wiki is now configured to digitally sign outgoing requests to extensions.  Note that signing adds processing overhead to every extension request.


Appendix A: Configuring extensions with the public key

(Note: the steps described here apply to XML and .Net extensions; extensions written in PHP or other languages may require different steps or may not support signature validation at all.)

Now that Deki Wiki is configured to digitally sign requests to extensions, the extension must be set up to validate the signature.  To do so, copy the public key and add it to your extension's configuration file under the following key (note: the value is truncated for readability; you must copy the entire public key!).

Key:   dekiwiki-signature
Value: BgIAAAAiAABEU1MxAAQAAL....AADzbDb70xdthG2BplBqax1fUcMt


Once an extension is configured with the public key, it requires every request to carry a valid signature.  If the signature is missing or invalid, or the date of the request is not within a +/-1 minute margin of the extension's clock, the extension rejects the request.

Appendix B: Digital signature specification

Deki Wiki follows these steps when digitally signing a request:

  1. Serialize the contents of the request body as a byte-stream according to the charset specified in the content-type.
  2. Check if any implicit environment headers are present (i.e. X-DekiScript-Env).  If so, sort the headers alphabetically according to their value, then append them to the byte-stream using UTF-8 encoding.
  3. Append the current UTC date-time in RFC 3339 format (e.g. 2008-04-12T23:20:50.52Z) to the byte-stream using UTF-8 encoding.
  4. Generate the digital signature of the byte-stream using the DSA cryptographic algorithm.
  5. Append the signature header (i.e. X-DekiScript-DSig) containing both the digital signature (dsig) and date-time (date) parameters.