stef / libopaque

c implementation of the OPAQUE protocol with bindings for python, php, ruby, lua, zig, java, erlang, golang, js and SASL.
GNU Lesser General Public License v3.0

Change context string of byte type in createcredentialresponse to string type and context string #32

Closed sofiawong closed 1 year ago

sofiawong commented 1 year ago
This is the Python code:

resp, _, authU = CreateCredentialResponse(unhexlify(logD.pub), data[0], defineStruct(data[1]),
                                          b"pyopaque-v0.2.0-demo")

This is the JavaScript code:

const { authU } = opaque.recoverCredentials({resp, sec, context: "pyopaque-v0.2.0-demo", ids})

Hi @stef , I found out that the context string has to be "pyopaque-v0.2.0-demo" and it has to be of byte type. My frontend in JavaScript is having some challenges in recoverCredentials, as the authU on the server does not match the authU in the frontend. I have entered the credentials correctly. Even if I attempt to change the type of the context string in the frontend to bytes (which JS gives as a bytearray), it is still not working.

I strongly hope that the input for the context string can be changed to string type, as I am having issues (I suppose the byte string on the server and the normal string in JavaScript are giving me inconsistent authU).

Look forward to your reply, as I am implementing this in my project. Thank you.

stef commented 1 year ago

hey, the problem is that different languages represent strings in different formats/encodings, and yes python3 is damn annoying with this. so the python3 wrapper always converts the string to utf8 before passing it on to the underlying library. javascript stores strings internally as utf16 according to a quick online search, and it has to be converted to utf8 if you want to interact with python3. the emscripten preamble contains functions to handle utf8 you can do something like this:

var str = "pyopaque-v0.2.0-demo";
// upper bound for the UTF-8 size: up to 4 bytes per UTF-16 code unit, plus the NUL terminator
var len = (str.length << 2) + 1;
// emscripten preamble helpers: allocate on the wasm stack and write the string there as UTF-8
var utf8string = stackAlloc(len);
stringToUTF8(str, utf8string, len);
const { authU } = opaque.recoverCredentials({resp, sec, context: utf8string, ids})

this same problem will probably also affect all pwdUs (passwords) and idU and idS as well.

alternatively, the python wrapper only converts to utf8 if the context is a string, if it is already a byte array, it will just take that, so in theory you could on the python side do this and also be ok:

resp, _, authU = CreateCredentialResponse(unhexlify(logD.pub), data[0], defineStruct(data[1]),
                                          "pyopaque-v0.2.0-demo".encode('utf16'))  # bytes are passed through unchanged by the wrapper

hth,

pls close this issue if this solves your problem.

stef commented 1 year ago

what i don't understand though is why my demo code is working. in the python code i have only:

https://github.com/stef/libopaque/blob/master/demos/auth-py-js/app.py#L46 which is

context = b"pyopaque-v0.2.0-demo"
# server responds to credential request
resp, _, authU = CreateCredentialResponse(req, rec, ids, context)

and in the js code https://github.com/stef/libopaque/blob/master/demos/auth-py-js/static/index-worker.js#L33

i have:

var credentials = module.recoverCredentials({
  resp: module.hexToUint8Array(resp_base16),
  sec: request.sec,
  context: context,
  ids: { idS: idS, idU: idU },
});

where context is a js string.

is it possible that idU/idS/pwdU are some kind of strings that have different representations in py3 than in js? in my demo everything is really just ascii only, maybe that's the reason it works, and you use strings that fall outside of ascii?
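The hypothesis in the comment above (an all-ASCII demo works, strings outside ASCII may not) can be checked directly on the JavaScript side. The block below is an added example, not code from the libopaque repository, its demos or the opaque module. It normalises a context (or idU, idS, pwdU) the way the Python wrapper is described to in this thread: a string is encoded as UTF-8, an existing byte array is passed through. It then shows that for ASCII input the UTF-8 bytes are one byte per character, whereas for a non-ASCII string the UTF-8 bytes and the UTF-16 code units JS stores internally differ, which is the kind of mismatch that produces different authU values on the two sides. The toHex helper gives the hex form you would compare against the -DTRACE dump suggested later in the thread. The function names toUtf8Bytes, toUtf16leBytes, toHex, sameBytes and isAsciiOnly are assumptions of this example, not part of any library.

```javascript
// Added example (not from libopaque): make OPAQUE string inputs byte-identical
// between a JS client and a Python server by encoding them as UTF-8 in JS.

// Mirror the Python wrapper's behaviour as described in the thread:
// strings are UTF-8 encoded, byte arrays are passed through untouched.
function toUtf8Bytes(value) {
  if (value instanceof Uint8Array) return value;
  if (typeof value === "string") return new TextEncoder().encode(value);
  throw new TypeError("expected a string or a Uint8Array");
}

// The UTF-16 code units JS uses internally, laid out little-endian, so the
// difference to UTF-8 can be seen byte by byte.
function toUtf16leBytes(str) {
  const out = new Uint8Array(str.length * 2);
  for (let i = 0; i < str.length; i++) {
    const cu = str.charCodeAt(i);
    out[2 * i] = cu & 0xff;
    out[2 * i + 1] = cu >> 8;
  }
  return out;
}

// Hex dump in the same form a trace of the C library would show.
function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Byte-for-byte comparison of what client and server would feed the library.
function sameBytes(a, b) {
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return false;
  }
  return true;
}

// UTF-8 has exactly one byte per UTF-16 code unit only for pure-ASCII input;
// that is why an all-ASCII demo never exposes an encoding mismatch.
function isAsciiOnly(str) {
  return toUtf8Bytes(str).length === str.length;
}

// Constructed sample values: the demo context from this thread and a
// made-up non-ASCII password.
const demoContext = "pyopaque-v0.2.0-demo";
const nonAsciiPassword = "p\u00e4sswort";

console.log("context utf-8 :", toHex(toUtf8Bytes(demoContext)));
console.log("context ascii? :", isAsciiOnly(demoContext));
console.log("pwd utf-8      :", toHex(toUtf8Bytes(nonAsciiPassword)));
console.log("pwd utf-16le   :", toHex(toUtf16leBytes(nonAsciiPassword)));
console.log("pwd ascii?     :", isAsciiOnly(nonAsciiPassword));
```

Passing toUtf8Bytes(context), toUtf8Bytes(idU), toUtf8Bytes(idS) and toUtf8Bytes(pwdU) to the client call gives the server side a byte sequence it can reproduce with the same string encoded as UTF-8, and toHex of those arrays is what to line up against the server's trace output when the two authU values disagree.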

sofiawong commented 1 year ago

> what i don't understand though, why is my demo code working? in the python code i have only:
>
> https://github.com/stef/libopaque/blob/master/demos/auth-py-js/app.py#L46 which is
>
>     context = b"pyopaque-v0.2.0-demo"
>     # server responds to credential request
>     resp, _, authU = CreateCredentialResponse(req, rec, ids, context)
>
> and in the js code https://github.com/stef/libopaque/blob/master/demos/auth-py-js/static/index-worker.js#L33
>
> i have:
>
>     var credentials = module.recoverCredentials({
>       resp: module.hexToUint8Array(resp_base16),
>       sec: request.sec,
>       context: context,
>       ids: { idS: idS, idU: idU },
>     });
>
> where context is a js string.
>
> is it possible that idU/idS/pwdU are some kind of strings that have different representations in py3 than in js? in my demo everything is really just ascii only, maybe that's the reason it works, and you use strings that fall outside of ascii?

I use pickle to store the userauth btw instead of using pysodium, because all of my strings are in utf. I haven't tried changing to ascii yet. I am still trying. Yea, I find it weird that the code from my side is not working. Recover credentials can function, but when it comes to the last step - Server auth users - the inputs for userauth are different... @stef

stef commented 1 year ago

what you can do is recompile libopaque.so - the core library, with -DTRACE - which dumps verbosely all important values. run your client and server, capture all traces and check if the pwdU, idU, idS and context are the same on both.

sofiawong commented 1 year ago

@stef Do you mind sharing more about the one underlined? For example, what is it about? What is an encrypted channel? [image]

I have tight time constraints, so I would be looking at alternative ways. Thank you.

stef commented 1 year ago

i have a blog post about this, i hope it helps: https://www.ctrlc.hu/~stef/blog/posts/How_to_use_OPAQUE_for_setting_up_a_secure_channel.html

stef commented 1 year ago

i think the easiest to debug your issue is to enable tracing in the library and look at the traces.

sofiawong commented 1 year ago

> i think the easiest to debug your issue is to enable tracing in the library and look at the traces.

@stef , thanks for the reply. The error mentioned it can't find the file.

The commands in my dockerfile: [image]

The error: [image]

stef commented 1 year ago

you need to install libsodium and libsodium-dev

stef commented 1 year ago

did you manage to get it working with libsodium?

sofiawong commented 1 year ago

I moved the make clean debug and LD_LIBRARY_PATH commands to after ldconfig. Not sure if these are the traces you mention. Will update again.

> did you manage to get it working with libsodium?

stef commented 1 year ago

closing this issue. pls reopen and explain why if you disagree. thank you for all!