Error 500 trying to setup MultiPass
Tender: Discussion 2011-04-07T06:08:58Z

Comment, 2009-11-13T22:58:14Z
<div><p>I'm not seeing any 500 errors in the log. What site is this for?
That error makes it sound like it's not being encrypted
properly.</p>
<p>The technical implementation is pretty simple, just <a href=
"http://github.com/entp/multipass/blob/master/lib/multipass.rb#L32-49">
encrypt a JSON hash with AES</a>. We've had clients using C#,
Python, and PHP interoperate with Tender, but we definitely do need
some better multipass documentation.</p></div>
rick

Comment, 2009-11-14T14:33:02Z, 2009-11-14T14:35:47Z
<div><p>The error 500 page was on algodeal support site (I deactivated
multipass since). I got plenty of them.</p>
<p>When my encryption algo. was not ok, I would see a clean error
message on your login page saying that the hash could not be
understood. The error 500 came after, when I think I managed to get
the encryption right.</p>
<p>Here is the Java Code I used (not as simple as the Ruby you
point me to ;-) ) Does it look ok?</p>
<pre>
<code>byte[] hash = DigestUtils.sha(apiKey + siteKey);
byte[] saltedHash = new byte[16];
System.arraycopy(hash, 0, saltedHash, 0, 16);
byte[] data = jsonHash.getBytes();
byte[] INIT_VECTOR = "OpenSSL for Ruby".getBytes();
for (int i = 0; i < 16; i++) {
    data[i] ^= INIT_VECTOR[i];
}
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(saltedHash, "AES"), new IvParameterSpec(INIT_VECTOR));
return new String(new URLCodec("ASCII").encode(Base64.encodeBase64(cipher.doFinal(data))));</code>
</pre></div>
david

Comment, 2009-11-24T07:20:13Z, 2009-11-24T07:21:05Z
<div><p>Sorry this is such a pain. I've been tweaking the multipass code
this weekend, and added a little debugger in the Extras that should
help you out.</p>
<p>Try reversing the api key and the site key. The Ruby code
creates the crypto key like this:</p>
<pre>
<code>@crypto_key = EzCrypto::Key.with_password(@site_key, @api_key)</code>
</pre>
<p><code>site_key</code> is your permalink, and
<code>api_key</code> is the login secret hash for your site.</p>
<p>It seems that when EzCrypto is actually generating the key, it
swaps the site and api keys.</p>
<p><code>EzCrypto::Key.with_password</code> <a href=
"http://github.com/pelle/ezcrypto/blob/master/lib/ezcrypto.rb#L83-85">
looks like this:</a></p>
<pre>
<code>def self.with_password(password,salt,options = {})
  key_size = calculate_key_size(options[:algorithm])
  digester = EzCrypto::Digester.get_key(password,salt,key_size)
  Key.new(digester,options)
end</code>
</pre>
<p>It calls <code>Digester.get_key</code>, which <a href=
"http://github.com/pelle/ezcrypto/blob/master/lib/ezcrypto.rb#L549-551">
looks like this:</a></p>
<pre>
<code>def self.get_key(password,salt,size)
  digest(salt+password,size)
end</code>
</pre>
<p>See, they get swapped out. All of this was in the <a href=
"http://github.com/pelle/ezcrypto/commit/8994e800b35d0308264b4caa075dd24dbeca0879">
original implementation</a>, so I can't even explain why in the
world it's like that :)</p></div>
rick
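
Added example (not part of the thread, and not Tender's or EzCrypto's own code): a stand-alone check of which concatenation order a non-Ruby client has to reproduce, following the `with_password` and `get_key` bodies quoted above. It assumes `digest` is SHA-1 truncated to 16 bytes (as the Java code above does) and uses constructed key values; it covers key derivation only, not the IV XOR step.

```ruby
require 'digest/sha1'
require 'openssl'

# Constructed sample values, not real credentials.
SITE_KEY  = 'example-site'              # the site's permalink
API_KEY   = 'constructed-login-secret'  # the site's login secret hash
IV        = 'OpenSSL for Ruby'          # 16-byte IV taken from the Java code above
JSON_HASH = '{"email":"user@example.com","expires":"2030-01-01"}' # constructed

# Assumption: the digest is SHA-1 truncated to the key size, which is what
# the Java client above reproduces with DigestUtils.sha and 16 bytes.
def digest(data, size)
  Digest::SHA1.digest(data)[0, size]
end

# Mirrors Digester.get_key as quoted above: the salt is hashed first.
def get_key(password, salt, size = 16)
  digest(salt + password, size)
end

def aes(mode, key)
  cipher = OpenSSL::Cipher.new('aes-128-cbc')
  mode == :encrypt ? cipher.encrypt : cipher.decrypt
  cipher.key = key
  cipher.iv = IV
  cipher
end

def encrypt(key, plaintext)
  cipher = aes(:encrypt, key)
  cipher.update(plaintext) + cipher.final
end

# True only when the key decrypts the token back to the expected JSON.
def decrypts_to?(key, ciphertext, expected)
  cipher = aes(:decrypt, key)
  (cipher.update(ciphertext) + cipher.final).force_encoding('UTF-8') == expected
rescue OpenSSL::Cipher::CipherError
  false # wrong key: the padding check failed
end

SERVER_KEY = get_key(SITE_KEY, API_KEY)      # with_password(site_key, api_key)
CLIENT_OK  = digest(API_KEY + SITE_KEY, 16)  # same order as get_key
CLIENT_BAD = digest(SITE_KEY + API_KEY, 16)  # opposite order

puts decrypts_to?(SERVER_KEY, encrypt(CLIENT_OK, JSON_HASH), JSON_HASH)
puts decrypts_to?(SERVER_KEY, encrypt(CLIENT_BAD, JSON_HASH), JSON_HASH)
```

A token built with the opposite concatenation order fails the padding check or decrypts to garbage, so the receiving side cannot parse the JSON hash.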