mORMot Open Source

good morning,

I apologize, I don't think I expressed myself correctly, but it's a little annoying to spend hours reading a manual, follow all the steps without leaving any out, have a question, ask and receive a response of "Read the documentation" , that is, I just read it, implemented it and it didn't work maybe something is missing in the documentation to help...

I'm testing on:
  - Java
    - Using Http Client
  - dart
    - Using Http Client
  - Delphi (pascal object)
    - Using RESTClient

I think this is transparent because if I'm using standard HTTP requests this should work the same regardless of the language I'm working with...

I'm having problems with the session_signature... I even tried to implement something with helpers to see if it would solve it.

That's why I made the previous post with all the data I generated to see if I'm doing something wrong, apparently all coding is correct... but in a piece of code it gives an error

In this place:

function TSQLRestServerAuthenticationSignedURI.RetrieveSession(
   Ctxt: TSQLRestServerURIContext): TAuthSession;
var aTimestamp, aSignature, aMinimalTimestamp, aExpectedSignature: cardinal;
     PTimestamp: PAnsiChar;
     aURLlength: Integer;
begin
   result := inherited RetrieveSession(Ctxt);
   if result=nil then
     exit; // no valid session ID in session_signature
   if Ctxt.URISessionSignaturePos+(18+8+8+8)>length(Ctxt.Call^.url) then begin
     result := nil;
     exit;
   end;
   aURLlength := Ctxt.URISessionSignaturePos-1;
   PTimestamp := @Ctxt.Call^.url[aURLLength+(20+8)]; // points to Hexa8(Timestamp)
   aMinimalTimestamp := result.fLastTimestamp-fTimestampCoherencyTicks;
   if HexDisplayToCardinal(PTimestamp,aTimestamp) and
      (fNoTimestampCoherencyCheck or (integer(aMinimalTimestamp)<0) or // <0 just after login
       (aTimestamp>=aMinimalTimestamp)) then begin
     aExpectedSignature := fComputeSignature(result.fPrivateSaltHash,PTimestamp,
       pointer(Ctxt.Call^.url),aURLlength); <<<<<< ============================ !!! HERE !!!
     if HexDisplayToCardinal(PTimestamp+8,aSignature) and
        (aSignature=aExpectedSignature) then begin <<<<<< ====================== !!! HERE !!!
       if aTimestamp>result.fLastTimestamp then
         result.fLastTimestamp := aTimestamp;
       exit;
     end else begin
       {$ifdef WITHLOG}
       Ctxt.Log.Log(sllUserAuth,'Invalid Signature: expected %, got %',
         [Int64(aExpectedSignature),Int64(aSignature)],self);
       {$endif}
     end;
   end else begin
     {$ifdef WITHLOG}
     Ctxt.Log.Log(sllUserAuth,'Invalid Timestamp: expected >=%, got %',
       [aMinimalTimestamp,Int64(aTimestamp)],self);
     {$endif}
   end;
   result := nil; // indicates invalid signature
end;

I already tested several libraries to generate the hash and the CRC32, apparently they are being generated correctly but it always hangs in this piece of code that I informed.

I am not managing to evolve because apparently I followed without fail what is written in the documentation but the authentication is always rejected...

.
.
.

In this example it is not clear how I do this validation because I don't know for sure how the Timestamp thing works, I identified that there is a url on the server that gives me a timestamp but even with it I can't get a result that works

In order to enhance security, the session_signature parameter will contain, encoded as 3 hexadecimal 32-bit cardinals:

The Session ID (to retrieve the private key used for the signature);
A Client Time Stamp (in 256 ms resolution) which must be greater or equal than the previous time stamp received;
The URI signature, using the session private key, the user hashed password, and the supplied Client Time Stamp as source for its crc32 hashing algorithm.
Such a classical 3 points signature will avoid most man-in-the-middle (MITM) or re-play attacks.

Here is typical signature to access the root URL

root?session_signature=0000004C000F6BE365D8D454
In this case, 0000004C is the Session ID, 000F6BE3 is the client time stamp (aka nonce), and 65D8D454 is the signature, computed by the following Delphi expression:

(crc32(crc32(fPrivateSaltHash,PTimestamp,8),pointer(aURL),aURLlength)=aSignature);
For instance, a RESTful GET of the TSQLRecordPeople table with RowID=6 will have the following URI:

root/People/6?session_signature=0000004C000F6DD02E24541C

So my friend, I know I already looked at this documentation I've been trying for a few days and still haven't succeeded....
I've done this 1000x different ways but it doesn't give me a valid session_signature...
The last part for me was not clear...
"The URI signature, using the session private key, the user hashed password, and the supplied Client Time Stamp as source for its crc32 hashing algorithm."
I even found an example in java within the Mormot sources, could you make these steps a little clearer in the last part of the 3-factor code there?

I know that your time must be very busy, that you have to study, you have to research more I really am having a great difficulty in this part if you can at least give me a little help there to better understand the last part I thank you!

Just tell me where I'm going wrong and I'll do the rest

- - - - - - - - - - -
My Case
- - - - - - - - - - -

Urlbase: http://localhost:6666/
FuntionUrl: http://localhost:6666/root/Hello?session_signature=
UserName: SUPERVISOR
Passwrod: DBM

- - - - - - - - - - -
Step 1
- - - - - - - - - - -

Url Request 1:

http://localhost:6666/root/Auth?UserName=SUPERVISOR

clientNonce: 4a978da94aed4402310ce044f42d141fc9d79ea74fe5c067b5958a8fee7c1a3c

- - - - - - - - - - -
Step 2
- - - - - - - - - - -

Url Request 2: http://localhost:6666/root/Auth?UserName=SUPERVISOR&PassWord=DBM&ClientNonce=3f7b950a5f81731a0973fe12c8e48bf9c63c920b37cc585414cc4587bdf7aa12

sessionAuthentication:

{
    "result": "541010933+8A1C81841F28E13E0E5B5BFBC16AFB72200C99DEFC38018370AEC9E67180673C",
    "logonid": -1,
    "logonname": "SUPERVISOR",
    "logondisplay": "SUPERVISOR",
    "logongroup": 3,
    "timeout": 60,
    "server": "SPAMME_V07001_R001",
    "version": "7.1.1.4"
}

// SessionKey = value of ["result"] on sessionAuthentication

sessionKey: 541010933+8A1C81841F28E13E0E5B5BFBC16AFB72200C99DEFC38018370AEC9E67180673C

// sessionId = Copy of Digits on sessionKey before "+"

sessionId: 541010933

// privateKey = Copy of Digits on sessionKey after "+"

privateKey: 8A1C81841F28E13E0E5B5BFBC16AFB72200C99DEFC38018370AEC9E67180673C

// sessionIdHexa8 = Hexa of sessionId Pad Left (8,0)

sessionIdHexa8: 203f2bf5

// passwordHexa = SHA256 of PassWord

passwordHexa: 588b7c1c3ddda23b3e89b452e767139d68432cdc5581b3dd360901e12efe2201

// sessionPrivateKey
// long r = CRC32.calculate(sessionKey, 0);
// sessionPrivateKey = CRC32.calculate(passwordHexa, r);

sessionPrivateKey: 725205751

- - - - - - - - - - -
Step 3
- - - - - - - - - - -

Date to Generate Nonce: 2023-03-29 15:52:34.600516
dateToTimeStamp256: 6562952
nonce (dateToTimeStamp256 em Hexa): 00642488
signature: 2896200956
signatureHexa: aca084fc

Right now my biggest question is:

When generating CRC32, what do I use as a url?

I use the value [ http://localhost:6666/root/Hello ] ?
I use the value [ root/Hello ] ?
I use the value [ http://localhost:6666/root/Hello? ] ?
I use the value [ root/Hello? ] ?

sessionSignature: 203f2bf500642488aca084fc
sessionSignaturePrint: 203f2bf5-00642488-aca084fc

- - -

Url Request 3 :

http://localhost:6666/root/Hello?session_signature=203f2be900642479ba5015c6

{errorCode: 403, errorText: Authentication Failed: Invalid signature (0)}

I'm asking for help because I've tried everything exactly as stated in the manual, in the doc on the forums... And I can't find the problem