(Golang) JWT Signature Verification Issue - go

I'm trying to get my head around JWT tokens in Golang. I'm using github.com/dgrijalva/jwt-go.
What caught me off guard is the fact that I can enter multiple valid signatures.
For example, head over to http://jwt.io
- enter MySuperSecretKey for the secret
This token is valid:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaU
as well as this one:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaV
In fact, if I change the last letter to V, W or X, I get a "Signature Verified" message.
Can anyone tell me what's going on here?

It's the Base64 encoding of the signature which can have the last letter changed to certain targets without affecting the relevant bits.
Try popping both signatures into a base64->hex decoder and you'll get the same results. In fact at https://conv.darkbyte.ru/ both signatures get re-evaluated to base64 SxshVL42DUH9e7jXUblbBbTwKxhe4jo70DrvbQMlaQ==
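The effect described in the answer, reproduced with Go's encoding/base64 as an added example (not code from the post or from jwt-go). 43 base64url characters carry 258 bits while an HMAC-SHA256 signature has 256, so the low two bits of the last character are unused. The helper names are hypothetical; the only input is the signature segment from the question.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
)

// Signature segment of the first token in the question (base64url, no padding).
const SigFromQuestion = "SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaU"

// WithLast returns sig with its final character replaced by c.
func WithLast(sig string, c byte) string {
	return sig[:len(sig)-1] + string(c)
}

// DecodeLenient uses Go's default decoder, which ignores the unused low bits
// of the final character.
func DecodeLenient(sig string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(sig)
}

// DecodeStrict requires those trailing bits to be zero (RFC 4648, section 3.5).
func DecodeStrict(sig string) ([]byte, error) {
	return base64.RawURLEncoding.Strict().DecodeString(sig)
}

// IsCanonical reports whether sig is exactly what an encoder would emit for
// the bytes it decodes to.
func IsCanonical(sig string) bool {
	raw, err := DecodeLenient(sig)
	return err == nil && base64.RawURLEncoding.EncodeToString(raw) == sig
}

func main() {
	ref, _ := DecodeLenient(SigFromQuestion)
	fmt.Printf("%d signature bytes from %d characters\n", len(ref), len(SigFromQuestion))
	for _, c := range []byte("UVWXY") {
		s := WithLast(SigFromQuestion, c)
		raw, _ := DecodeLenient(s)
		_, strictErr := DecodeStrict(s)
		fmt.Printf("...%c same bytes=%v canonical=%v strict error=%v\n",
			c, bytes.Equal(raw, ref), IsCanonical(s), strictErr)
	}
}
```

Where token strings serve as cache or revocation-list keys, store the decoded bytes or reject non-canonical encodings, since the endings U, V, W and X all name the same signature.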

Related

botbuilder DialogTestClient's sendActivity only accepts strings and not numbers

I am using the botbuilder DialogTestClient's sendActivity method to send prompts to my bot while testing, but the method only accepts string types and in my bot I use number prompts to prompt the user for numbers. Do you have any idea on how I can overturn this problem?
Thanks in advance
I'm a bit unclear if you are having this issue only for DialogTestClient or all Clients, but in nodejs you can just convert the string to number using Number(promptInput). If the promptInput is already a number, it will still work fine. I assume there is a similar function in C#.
Edit: Some additional context. You can take a look at userProfileDialog.js in multi-turn-prompt sample for an example. Essentially, NumberPrompt has a "succeeded" property in the recognizer that ensures you entered a number. You can use that plus whatever validations you want in the validator function. If it succeeds and is validated, a number, not a string, is passed to the next step in your dialog.
If the error is coming when you are trying to repeat back the prompt value to the user, you need to convert it to a string. I favor using the backtick for this (template string/literal), e.g.
await step.context.sendActivity(`You entered ${step.result}`);
where step.result is the numberPrompt result.

Parse email subject office 365 flows

I am trying to get some data parsed out of a subject line in Office 365 Flows. I have an email that has a consistent format:
Help Desk [Ticket #12345]
I want to get the number '12345' for use in later steps in the flow. So far, I've attempted to use the substring expression in a compose connector:
substring(triggerBody()?['Subject'], 20, 5)
But I get an error about the string being null.
Besides the index being incorrect (to retrieve '12345' from Help Desk [Ticket #12345] you need to use substring(value, 0, 5) as the index is 0-based), the expression looks correct. But you can take a step-by-step approach to see what is wrong.
To start, take a look at the flow run to see exactly what the trigger outputs are:
If you see the Subject field (as I do in my case), create a variable containing that value only to make sure that you don't have any typo:
If it works correctly, then you should see in the flow run the subject:
If everything is still good at that point, create a new variable with the substring that you want:
And again, check the value.
If you got to this point, then you should be able to retrieve the ticket id.

Generating Google2fa secrets based on a fixed string

We're building a system to validate mobile phone numbers.
To achieve this, when a user adds his number, we are sending him a text message with a 6 digit code.
We don't want this code to go in our database as we don't like to clutter our database with fields that have no business meaning.
So we came up with the idea to reuse the pragmarx/google2fa library, have it generate an OTP code, dispatch it to the user by a text message, and then the circle would be round.
So basically we wanted to use the phone number, prefixed by something secret, as the "secret" for the pragmarx/google2fa library:
$secret = '1263' . $mobile->country_code . $mobile->subscriber;
$google2fa = new Google2FA();
$google2fa->setEnforceGoogleAuthenticatorCompatibility(false);
$google2fa->getCurrentOtp($secret);
The above results in a secret similar to 12633232970987. However, the call to getCurrentOtp throws an exception, "Invalid characters in the base32 string.", which is obviously not what I was hoping for.
So, I tried adding
$secret = base_convert($secret, 10, 32);
and passing that to the getCurrentOtp method, but that returned the same error. Checking into the library code, I see the following constant:
const VALID_FOR_B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
My base_convert returns a string that has other characters in there though. Are these really the only valid characters?
My alternative would be to just have the library generate a random secret, but we don't really want to do that, as that would require us to keep that secret somewhere in the database (or at least in cache), which we would like to avoid. The idea is that we could generate the code for a mobile number using the number as the secret, and let the OTP mechanism deal with expiring codes.
Does anyone have any suggestion how I can resolve this?

Ruby RSA public key encryption to Golang

I'm currently working on a project where I have to "convert" some code from Ruby (version 1.9.3p194) to Golang (version 1.7). There is this part where Ruby uses RSA public key encryption and I always get a consistent result every time it gets executed. This is the function used:
Edit: I overlooked that after the public key encryption, there is a base 64 encoding as well
public_key = OpenSSL::PKey::RSA.new(public_encryption_key)
public_encrypted_text = public_key.public_encrypt(text, OpenSSL::PKey::RSA::NO_PADDING)
base64_encrypted_text = Base64.encode64(public_encrypted_text).gsub("\n", "")
escaped_encrypted_text = URI.escape(encrypted_key, "/+=")
However in Golang, due to the rsa library I can't get a consistent result, since the function to encrypt takes a random parameter to generate a different result each time. I understand why it needs to be different every time, but I can't get anything remotely similar to what Ruby generates. These are the functions used in Golang:
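// keyBytes is the public key as []byte (PEM encoded)
block, _ := pem.Decode(keyBytes)
if block == nil {
	return nil, errors.New("Cannot decode PEM block")
}
key, err := x509.ParsePKIXPublicKey(block.Bytes)
if err != nil {
	return nil, err
}
pubKey, ok := key.(*rsa.PublicKey)
if !ok {
	return nil, errors.New("Cannot convert to rsa.PublicKey")
}
// Encrypt with PKCS#1 v1.5 padding, drawing randomness from cryptorand.Reader
result, err := rsa.EncryptPKCS1v15(cryptorand.Reader, pubKey, text)
if err != nil {
	return nil, err
}
// URL-safe base64 with the trailing "=" padding removed
encryptedText := base64.URLEncoding.EncodeToString(result)
encryptedText = strings.TrimRight(encryptedText, "=")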
One of the problems is that ruby can encrypt the text with no problem, and in golang I'm getting an error that the key is too short to encrypt everything.
If I encrypt something else, like "Hello", then when decrypting I get the error "padding check failed" from Ruby. The decryption is being handled as follows:
private_key.private_decrypt(Base64.decode64(text))
EDIT: Thanks to the answer of gusto2 I now know better what is going on since I didn't have much understanding of RSA.
Now in Golang I was able to encrypt the text using PKCS1 v1.5, and just to be sure I tried to decrypt that as well, also in Golang, with no problem.
However in Ruby I still wasn't able to decrypt using the private key. So I figured that the base64 encoding used in Golang was the issue. So I changed that part to this:
encryptedText := base64.StdEncoding.EncodeToString(result)
And also I removed the last line where the equal sign was being trimmed.
With that done it worked like a charm.
I am not knowledgeable about golang, however I may know something about RSA.
The difference seems to be in the padding.
For ruby - no padding is used
For golang - PKCS1v15 padding is used
In the Ruby example OpenSSL::PKey::RSA::NO_PADDING is used, which is VERY VERY unsafe. It is called textbook RSA and is not intended for real-life use as it has many weaknesses and dangerous traps. So the Ruby example is very dangerously unsafe because of using textbook RSA. As well, it is limited to encrypting small messages (much smaller than the keyspace).
There are two padding types used with RSA:
PKCS1 v1 (commonly referred to as PKCS1) - this is a deterministic padding (the output is always the same); many cryptographers consider this option obsolete as some weaknesses have been found when not used properly, but it is still in use and not considered broken.
PKCS1 v2 (commonly referred to as OAEP or PSS), which is stochastic (randomized) padding. You can distinguish the last two as the output of OAEP is always different.
One of the problems is that ruby can encrypt the text with no problem, and in golang I'm getting an error that the key is too short to encrypt everything
You've provided only a small part of the golang example, so here I may only assume many things.
As you claim the golang example outputs randomized output and according to the parameters PKCS1 v1.5 is used, I'd assume the implementation is doing hybrid encryption, which is a good and much safer way to encrypt data with RSA (using symmetric encryption with a random key and wrapping/encrypting the key with RSA).
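An added example (not the poster's code) of the three behaviours in this thread, using a throwaway 2048-bit key generated on the spot: PKCS#1 v1.5 ciphertexts differ on every call yet decrypt correctly, messages longer than the key size minus 11 bytes are refused, and URL-safe base64 with the padding trimmed is not accepted by a standard-alphabet decoder. Go's own base64.StdEncoding stands in for the receiving side's decoder, which is an assumption; the function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"fmt"
	"strings"
)

func NewKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // throwaway key, constructed here
	if err != nil {
		panic(err)
	}
	return key
}

// RoundTrip encrypts msg twice (PKCS#1 v1.5), verifies both decrypt, reports if they differ.
func RoundTrip(key *rsa.PrivateKey, msg []byte) (ct []byte, differ bool, err error) {
	var c [2][]byte
	for i := range c {
		if c[i], err = rsa.EncryptPKCS1v15(rand.Reader, &key.PublicKey, msg); err != nil {
			return nil, false, err // msg longer than key size minus 11 bytes
		}
		if pt, derr := rsa.DecryptPKCS1v15(nil, key, c[i]); derr != nil || !bytes.Equal(pt, msg) {
			return nil, false, fmt.Errorf("round trip failed: %v", derr)
		}
	}
	return c[0], !bytes.Equal(c[0], c[1]), nil
}

// StdAccepts: does a padded standard decoder accept ct as URL-safe/trimmed, and as standard?
func StdAccepts(ct []byte) (urlTrimmed, std bool) {
	u := strings.TrimRight(base64.URLEncoding.EncodeToString(ct), "=")
	_, uErr := base64.StdEncoding.DecodeString(u)
	_, sErr := base64.StdEncoding.DecodeString(base64.StdEncoding.EncodeToString(ct))
	return uErr == nil, sErr == nil
}

func main() {
	key := NewKey()
	ct, differ, err := RoundTrip(key, []byte("Hello"))
	fmt.Println("ciphertexts differ:", differ, "| error:", err)
	fmt.Println(StdAccepts(ct))
	_, _, err = RoundTrip(key, make([]byte, key.Size()-10)) // limit is Size()-11
	fmt.Println("one byte over the limit:", err)
}
```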

Can I use Ruby Cucumber Watir to Solve a Key Pass to URL puzzle?

I am a NEWBIE. Any help is appreciated.
I've been given the challenge of automating a Key Pass challenge.
A URL is provided (this is an example, I don't think the creator of the challenge wants it in public): www.guessmypasskey.com
When you visit the site, the body text simply returns, Key Denied:
If you add the following path, www.guessmypasskey/?key=a the site will return: Key Denied:00
The key is only alphanumeric and of unknown length...through manual testing I was able to find the key by determining that the binary code returns meant the following: 00 not a character used, 01 character used, wrong position, 11 correct character, correct position.
I envision opening a browser to the URL with watir, checking a-z, A-Z, 0-9 in the first position... if 00 is displayed on the page, delete the character from the possibilities; if 01 is present, write the number to a file (this will determine the character length needed).
Basic question, Am I going the wrong direction? Trying to automate with Ruby Cucumber Watir?
I know additional steps will be needed to determine the order of the characters... I'm just trying to get started on the first step, confirming the validity of the characters and the length of the pass key.
Kind of disappointed that the URL isn't the real one. =p
Anyways, that approach would work... but I would imagine it being massive overkill.
Instead, what I would do is simply create a simple Node.js script (using JavaScript) which basically just loops through all possible combinations for each character, stepping through as you move.
You can just use the simple "request" module to request the web page. Then just build up your string like that.
var request = require('request');
// Gets content of one call... add this to your loop somehow.
request({uri: 'http://guessmypasskey.com?key=' + key}, function (err, response, body) {
// body has the result to check
});
This is probably going to be infinitely easier than setting up the tech stack you were talking about... not to mention a lot faster.
Your general approach (ignoring technology) sounds pretty spot on.
