Encryption components missing, demo not compiling

  1. The documentation mentions 2 encryption components: TWebAESEncryption and TWebRSAEncryption. Unfortunately I cannot find these in the component palette.
    Is there a replacement for that?

  2. Trying to compile the AES demo fails because the compiler cannot find a unit named Bcl.Utils. I found out it is installed in ...\Core Source\XData, but the compiler does not seem to access this directory. I then found out that adding the path to XData in the IDE under Tools\Options\TMS Web\LibraryPath makes the compiler also find the XData directory. So the demo compiled.
    The question here is: Is this an allowed configuration?

  3. The AES demo uses a unit named CP.Func.AES. This unit is installed local to the demo. What is the intention to install this unit local to the project and not globally? Is the intended use to always put a copy of this unit into each project?

  4. CP.Func.AES offers TAESFunc with an async and sync version of Encrypt/Decrypt. The sync versions simply don't seem to work.

  5. General question: What is the best practice to hide/obfuscate a secret key in JavaScript when anyone can debug the JavaScript code? In the demo, the key is an extra Unit CP.Func.AES.Keys. To me, this seems a little bit too obvious for an intruder...

TWebAESEncryption and TWebRSAEncryption are classes, not components.
These are in the unit WEBLib.Crypto

The demo for WebCrypto is under Demo\Basics\WebCrypto
I'm not sure what other demo you refer to in TMS WEB Core.
Demos delivered with TMS XData need TMS XData to compile and run.

The official TMS Web Core documentation lists TWebAESEncryption as well as TWebRSAEncryption among the available "Non-Visual components". Is the documentation outdated?

The Unit WEBlib.Crypto is in the Core Source path, therefore not visible to the Delphi IDE. This again reemphasizes the issue with the 2 sets of sources...

I was referring to this demo:
C:\Users\Public\Documents\tmssoftware\TMS WEB Core Demos\Basics\AES\AESEncrypt.dproj

Based on this additional information, may I kindly ask to comment on the 5 topics above?

Many thanks,
Walter

Hi Walter,

I agree that TMS Web Core desperately needs to implement at least some basic crypto/hashing non-visual components.

I, too, saw references to TWebAESEncryption and TWebRSAEncryption in the Web Core Developer's guide showing them as being non-visual components. I don't know when it first appeared in the manual, but my version from June 2020 already had it. So if that was a mistake, I figured it would've been corrected by now. I also saw the AES demos that appeared a few weeks ago, and got really excited, only to be disappointed when they couldn't be compiled.

I've been a Web Core customer from the beginning (back in 2018 when it was launched), and was hoping and waiting for each new Web Core update to finally have a basic AES and SHA256 component, and then being disappointed when a new version comes out to see that there's still nothing. There are many possible uses for these and, quite frankly, I'm shocked that more people are not requesting it. But on the other hand, I probably shouldn't be surprised, because for most people, security is nothing more than an afterthought.

Good, it is indeed in the section that says "Non Visual Components", so we have renamed that section "Non Visual Components and Classes". We have also explicitly mentioned "TWebAESEncryption class" now, so I hope this stops your confusion.

WEBLib.Crypto.pas is in the folder "Component Library Source" with an interface section IDENTICAL to the one in "Core Source" and the folder "Component Library Source" should be in your IDE library path so it should be visible to the IDE.

The demo AESEncrypt demonstrates encryption in combination with TMS XData so you should have TMS XData installed. The demo Demo\Basics\WebCrypto is a demo without this XData dependency.

You should NOT include keys that are expected to remain secret in JavaScript. Anything expected to remain secret belongs in the backend.
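
One way to enforce the rule in the reply above before shipping, as an added example that is not part of the original thread and not TMS code: a build-time check that scans the emitted JavaScript for quoted literals that decode to an AES key size. The bundle fragment, the `DemoKey` name and the key value are constructed for illustration, and the check is a heuristic.

```javascript
// Added example (not TMS code): flag AES-key-sized literals in emitted JavaScript.
const AES_KEY_BYTES = [16, 24, 32]; // AES-128/192/256

// Shannon entropy in bits per character; filters out padding and UI strings.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => {
    const p = n / s.length;
    return h - p * Math.log2(p);
  }, 0);
}

// Byte length the literal decodes to, or null if it is not hex or base64(url).
function decodedLength(s) {
  if (/^[0-9a-fA-F]+$/.test(s) && s.length % 2 === 0) return s.length / 2;
  if (!/^[A-Za-z0-9+\/_-]+={0,2}$/.test(s)) return null;
  const body = s.replace(/=+$/, "");
  return body.length % 4 === 1 ? null : Math.floor((body.length * 3) / 4);
}

// Returns [{ line, bytes, value }] for every quoted literal that looks like a key.
function findEmbeddedKeys(source, minEntropy = 3.5) {
  const findings = [];
  const literal = /(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g;
  let m;
  while ((m = literal.exec(source)) !== null) {
    const bytes = decodedLength(m[2]);
    if (AES_KEY_BYTES.includes(bytes) && entropy(m[2]) >= minEntropy) {
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({ line, bytes, value: m[2] });
    }
  }
  return findings;
}

// Constructed sample: a bundle fragment with a hard-coded key (hypothetical names).
const SAMPLE_BUNDLE = `rtl.module("CP.Func.AES.Keys",["System"],function () {
  var $mod = this;
  $mod.DemoKey = "3fa91c07d2e8b645b04e7d1a9c2f53865c8d0a3e6f7b1942e17f4b92a0c6d385";
  $mod.Caption = "AES demo";
});`;

for (const f of findEmbeddedKeys(SAMPLE_BUNDLE)) {
  console.log(`line ${f.line}: ${f.bytes}-byte key-like literal in client code`);
}
```

A finding means the value is readable by anyone who loads the page, so the key has to move to the backend rather than be renamed or split.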

You are right Bruno, my bad, I seem to have messed up my installation experimenting with that "2 sets of sources" issue.

The demo compiles if you add the path to the XDATA sources in the IDE under "Tools\Options\TMS Web\LibraryPath". In my installation, the path to the XDATA sources is C:\Users\<yourusername>\Documents\tmssoftware\TMS WEB Core RSXE13\Core Source\XData. I extracted the relevant code for my purposes to this:

Interface

Type EncDecThenProc = Reference to Procedure(Const Result : String; Failed : Boolean);
Procedure Decrypt(Const Key, Encrypted : String; AndThen : EncDecThenProc);
Procedure Encrypt(Const Key, Decrypted : String; AndThen : EncDecThenProc);
{ Async encrypt and decrypt. After enc/dec is completed, the function in AndThen
  will be called with the Result and an error flag Failed. If Failed is True,
  then Result holds the error message. A call to Decrypt/Encrypt always returns
  immediately. }

Implementation

Uses Bcl.Utils, CP.Func.AES;


Procedure Decrypt(Const Key, Encrypted : String; AndThen : EncDecThenProc);
Begin
 If (not assigned(Key)) or (not assigned(Encrypted)) or
    (Key='') or (Encrypted='') then AndThen('Arg missing',True)
 Else TAESFunc.Decrypt(Key, TBclUtils.DecodeBase64Url(Encrypted),
  Procedure(const AEncrypted: string)
   Begin
    AndThen(AEncrypted,False);
   End,
  Procedure(AError: string)
   Begin
    AndThen(AError,True);
   End);
End;

{---------------------------------------}

Procedure Encrypt(Const Key, Decrypted : String; AndThen : EncDecThenProc);
Begin
 If (not assigned(Key)) or (not assigned(Decrypted)) or
    (Key='') or (Decrypted='') then AndThen('Arg missing',True)
 Else TAESFunc.Encrypt(Key, Decrypted,
  Procedure(const ABytes: TBytes)
   Begin
    AndThen(TBclUtils.EncodeBase64Url(ABytes),False);
   End,
  Procedure(AError: string)
   Begin
    AndThen(AError,True);
   End);
 End;

Just as a side note: I tested that demo, but unfortunately the websocket server that comes with the demo does not run on my Win 10 machine. I understand it is a service and so I tried to install the server using "chatserver /install", but it does not show up in the Windows services table. I recompiled the server, but the result is the same.

Yes, it is a service and it's most likely you need to install it with administrator rights. Run the command prompt as administrator, then navigate to the folder where the ChatServer.exe is. After that, you should be able to install the service with ChatServer.exe /install - upon successful installation, you will see the 'Service installed successfully' message.
Open the Services list, and make sure the service is running. The service name should be Web Crypto Server. If it's not visible, try to refresh the list first and check again. If it's not running, start the service manually.