-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#736 Generate hash and sign/verify data for secrettext values #1005
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Other than the change of where the unwrapping happens, looks fine.
begin | ||
exit(GenerateHash(InputString.Unwrap(), Key, HashAlgorithmType)); | ||
end; | ||
|
||
[NonDebuggable] | ||
procedure GenerateHash(InputString: Text; "Key": SecretText; HashAlgorithmType: Option HMACMD5,HMACSHA1,HMACSHA256,HMACSHA384,HMACSHA512): Text |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Update this function to take in SecretText for the InputString and unwrap the value only here. While the rest of the functions can pass either Text or SecretText until it gets to this.
Add overloads as needed.
We don't want to unwrap any SecretText outside of the location it is actually being used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Move the logic to the procedure with secret text and have the other procedure call it, so you dont have to duplicate the code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remember to do the same for other procedures.
@darjoo , @WaelAbuSeada The way they would do it is to simply write a brute force search comparing the secret text with different combinations and then adding a breakpoint inside an if statement chrcking if the password matches. |
begin | ||
exit(GenerateHash(InputString.Unwrap(), Key, HashAlgorithmType)); | ||
end; | ||
|
||
[NonDebuggable] | ||
procedure GenerateHash(InputString: Text; "Key": SecretText; HashAlgorithmType: Option HMACMD5,HMACSHA1,HMACSHA256,HMACSHA384,HMACSHA512): Text |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Move the logic to the procedure with secret text and have the other procedure call it, so you dont have to duplicate the code.
begin | ||
exit(GenerateHash(InputString.Unwrap(), Key, HashAlgorithmType)); | ||
end; | ||
|
||
[NonDebuggable] | ||
procedure GenerateHash(InputString: Text; "Key": SecretText; HashAlgorithmType: Option HMACMD5,HMACSHA1,HMACSHA256,HMACSHA384,HMACSHA512): Text |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remember to do the same for other procedures.
@TKaptian Could you let us know the scenarios you have that require this? What type of values are in the secrettext and why that needs to be hashed? |
@darjoo there's an thread on yammer about this topic: I think one good example is to use this for Basic Authentication that requires a Base64 hash. BCApps/src/System Application/App/Rest Client/src/Authentication/HttpAuthenticationBasic.Codeunit.al Line 56 in 9c9a045
I know that there exists better authentication methods than base64 but sometimes we aren't in the control of the external service and the external service only provides simple authentication methods. |
Summary
New overloaded procedures for Hash and Sign/Verify that accept SecretText value as hash/sign input value.
Work Item(s)
Fixes #736
Fixes AB#507370