Error 500 trying to setup MultiPass

david's Avatar


12 Nov, 2009 04:35 PM


I'm trying to setup MultiPass on a trial account.

First, I'd like to say that finding documentation to make our Java-based web-site support MultiPass was challenging:
I had to create a UserVoice account to look at their documentation.

Now that I fixed the "Your sso key cannot be decrypted" message, I'm getting an error 500 each time I try to log in.
Any idea?

  1. 1 Posted by rick on 13 Nov, 2009 10:58 PM

    rick's Avatar

    I'm not seeing any 500 errors in the log. What site is this for? That error makes it sound like it's not being encrypted properly.

    The technical implementation is pretty simple, just encrypt a JSON hash with AES. We've had clients using C#, python, and PHP interoperate with Tender, but we definitely do need some better multipass documentation.

  2. 2 Posted by david on 14 Nov, 2009 02:33 PM

    david's Avatar

    The error 500 page was on algodeal support site (I deactivated multipass since). I got plenty of them.

    When my encryption algo. was not ok, I would see a clean error message on your login page saying that the hash could not be understood. The error 500 can after, when I think I managed to get the encryption right.

    Here is the Java Code I used (not as simple as the ruby you point me to ;-) ) Does it look ok ?

    byte[] hash = DigestUtils.sha(apiKey + siteKey);
    byte[] saltedHash = new byte[16];
    System.arraycopy(hash, 0, saltedHash, 0, 16);
    byte[] data = jsonHash.getBytes();
    byte[] INIT_VECTOR = "OpenSSL for Ruby".getBytes();
    for (int i = 0; i < 16; i++) {
        data[i] ^= INIT_VECTOR[i];
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(saltedHash, "AES"), new IvParameterSpec(INIT_VECTOR));
    return new String(new URLCodec("ASCII").encode(Base64.encodeBase64(cipher.doFinal(data))));
  3. 3 Posted by rick on 24 Nov, 2009 07:20 AM

    rick's Avatar

    Sorry this is such a pain. I've been tweaking the multipass code this weekend, and added a little debugger in the Extras that should help you out.

    Try reversing the api key and the site key. The ruby code creates the crypto key like this:

    @crypto_key = EzCrypto::Key.with_password(@site_key, @api_key)

    site_key is your permalink, and api_key is the login secret hash for your site.

    It seems that when EzCrypto is actually generating the key, it swaps the site and api keys.

    EzCrypto::Key.with_password looks like this:

    def self.with_password(password,salt,options = {})
      key_size = calculate_key_size(options[:algorithm])
      digester = EzCrypto::Digester.get_key(password,salt,key_size),options)

    It calls Digester.get_key, which looks like this:

    def self.get_key(password,salt,size)

    See, they get swapped out. All of this was in the original implementation, so I can't even explain why in the world it's like that :)

  4. Nicole closed this discussion on 04 Dec, 2009 10:38 PM.

Discussions are closed to public comments.
If you need help with Tender please start a new discussion.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac