ProjeQtOr free project management software - API write issue (PUT / POST) - ProjeQtOr
 
 

API write issue (PUT / POST)

07 Jul 2021 12:23 #1 by caccia
Hello,

We are trying to implement some actions using the REST API, in a Java application.
This works fine for GET actions, but fails for PUT or POST.

We seem to have a problem with the implementation of the AES-CTR encryption / decryption: the Java library expects an IV (Initialization Vector) parameter in the encryption function, but there doesn't seem to be such a parameter in the PHP-AES version.

Do you know how we should set this IV parameter? (tried setting it to NULL without success)
Code used is attached below.

File attachment: Launch-java.txt (2 KB)

Cheers

03 Dec 2021 18:29 - 03 Dec 2021 18:35 #2 by kobetsu
And this is the problem I think many persons reported on the forum. Projeqtor uses a PHP library for AES:CTR created by Chris Veness (www.movable-type.co.uk/scripts/aes.html). This library uses its own implementation of AES CTR and generates the VI (key) based on the password passed to the function. The problem is that this VI (key) is generated in a slightly complicated way.

I tried to connect C# to the Projeqtor API and the point was (probably as for you and many others) how to encrypt data in C# using AES CTR. To do this you need to know the VI key.

Take a look at the projeqtor source code - you can find a line like this:
$data=AesCtr::decrypt($dataEncoded, $user->apiKey, Parameter::getGlobalParameter('aesKeyLength'));

As you can see, the data you send to projeqtor via the API is decrypted using the function AesCtr:decrypt (from the library I mentioned above), and user_api_key is used as the secret. Nowhere is the VI key we are looking for passed. Again, this VI key is generated from user_api_key.

What is inside AesCtr:decrypt:
public static function encrypt($plaintext, $password, $nBits)
{
    $blockSize = 16; // block size fixed at 16 bytes / 128 bits (Nb=4) for AES
    if (!($nBits == 128 || $nBits == 192 || $nBits == 256)) return ''; // standard allows 128/192/256 bit keys
    // note PHP (5) gives us plaintext and password in UTF8 encoding!

    // use AES itself to encrypt password to get cipher key (using plain password as source for
    // key expansion) - gives us well encrypted key
    $nBytes = $nBits / 8; // no bytes in key
    $pwBytes = array();
    for ($i = 0; $i < $nBytes; $i++) $pwBytes[$i] = ord(substr($password, $i, 1)) & 0xff;
    $key = Aes::cipher($pwBytes, Aes::keyExpansion($pwBytes));
    $key = array_merge($key, array_slice($key, 0, $nBytes - 16)); // expand key to 16/24/32 bytes long
    ....

So as you see, generally user_api_key (used as the secret) is expanded and itself encrypted again by AES. A little complicated to implement outside projeqtor.

Unless my analysis is wrong, projeqtor should use something standard (standard for the whole world, not PHP only).
Last edit: 03 Dec 2021 18:35 by kobetsu.
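
The key derivation quoted in the post above, reproduced with a standard AES implementation (Node.js `crypto`), as an added example that is not part of the original thread and not ProjeQtOr or library code. The function names are hypothetical; the nonce layout and base64 wire format are assumptions about the library that the page does not show, and the key and payload are constructed sample values.

```javascript
// Added example, not ProjeQtOr or library code; function names are hypothetical.
const crypto = require("crypto");

// Key derivation as in the PHP excerpt above: the first nBits/8 bytes of the
// password (zero-padded when shorter) are used both as the AES key and as the
// block to encrypt; the 16-byte result is then extended with its own prefix.
function deriveKey(password, nBits) {
  if (![128, 192, 256].includes(nBits)) throw new Error("nBits must be 128, 192 or 256");
  const nBytes = nBits / 8;
  const pwBytes = Buffer.alloc(nBytes); // zero-filled
  Buffer.from(password, "utf8").subarray(0, nBytes).copy(pwBytes);
  const ecb = crypto.createCipheriv(`aes-${nBits}-ecb`, pwBytes, null);
  ecb.setAutoPadding(false);
  const block = Buffer.concat([ecb.update(pwBytes.subarray(0, 16)), ecb.final()]);
  return Buffer.concat([block, block.subarray(0, nBytes - 16)]);
}

// ASSUMPTION (library behaviour not shown on this page): the counter block is
// an 8-byte nonce followed by a big-endian block counter starting at 0, which
// is what a standard CTR implementation does with IV = nonce || 8 zero bytes.
function ctrIv(nonce8) {
  if (nonce8.length !== 8) throw new Error("nonce must be 8 bytes");
  return Buffer.concat([nonce8, Buffer.alloc(8)]);
}

// ASSUMPTION: the wire format is base64(nonce || ciphertext).
function decrypt(b64, password, nBits) {
  const raw = Buffer.from(b64, "base64");
  if (raw.length < 8) throw new Error("ciphertext shorter than the nonce");
  const iv = ctrIv(raw.subarray(0, 8));
  const d = crypto.createDecipheriv(`aes-${nBits}-ctr`, deriveKey(password, nBits), iv);
  return Buffer.concat([d.update(raw.subarray(8)), d.final()]).toString("utf8");
}

// A random nonce is used here; the receiver reads it back from the message.
function encrypt(plaintext, password, nBits, nonce8 = crypto.randomBytes(8)) {
  const c = crypto.createCipheriv(`aes-${nBits}-ctr`, deriveKey(password, nBits), ctrIv(nonce8));
  const body = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return Buffer.concat([nonce8, body]).toString("base64");
}

// Constructed sample values, not a real API key or payload.
const sample = encrypt('{"name":"demo"}', "constructed-api-key", 256);
console.log(sample, "->", decrypt(sample, "constructed-api-key", 256));
```

In Java the same two steps map to `AES/ECB/NoPadding` for the derivation and `AES/CTR/NoPadding` with a 16-byte `IvParameterSpec` for the data.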
