Use of SecretCallbackKey


rog...@yahoo.es

Nov 26, 2020, 5:11:36 AM
to Sentilo
Hi,
We're trying to use SecretCallbackKey to protect a sensor subscription to the provider's cloud, but we're not able to get the correct HMAC. We've applied the pseudocode as described in the documentation:

var md5Body = MD5(body)
var endpoint = endpoint_configured_in_subscription
var secretKey = secret_key_configured_in_subscription
var currentDate = value_http_header_Sentilo-Date
var contentToSign = concatenate('POST',md5Body, 'application/json',currentDate, endpoint)
var signature = HmacSHA512(contentToSign)
return base64UrlEncode(signature)

We only get a signature with the correct length using HmacSHA256 instead of HmacSHA512. This suggests to us that there may be another confusion in the process.
But in any case, the string sent by Sentilo doesn't match ours.
Could we practice with an example case, to see the process step by step?
Thanks in advance,
Roger Xandri

Sentilo IO

Dec 3, 2020, 6:57:04 AM
to Sentilo
Hi Roger,

Our documentation on this feature is frankly a bit incomplete; we'll update the section accordingly in the imminent 1.9 release.

Please consider this NodeJS example that verifies the incoming subscription message:

const crypto = require('crypto');

const message = '{"message":"26","timestamp":"03/12/2020T07:36:27","topic":"/data/TITAN/TITAN-S01","type":"DATA","sensor":"TITAN-S01","provider":"TITAN","time":1606980987614,"publisher":"TITAN","publishedAt":1606980987614,"publisherTenant":"","tenant":"","sender":"TITAN"}'
const endpoint = 'http://192.168.3.153:1880/sentilo';
const secretKey = 'my_super_secret_key';
const headerXSentiloDate = '03/12/2020T07:36:27';
const headerXSentiloContentHmacValue = 'Ty4nx2nRmh3zU2RtSpIMD0qhUpmAlaKJsS5Cdkoe8llhlNJyYrjPuXToBVPglvwp/F3HSt4OHFIlVE0wtoAeDw==';

// Step 1 - MD5-hash the message body and base64-encode the digest
let md5body = crypto.createHash('md5').update(message).digest('base64');

// Step 2 - concatenate all the necessary values, separated by newlines
let values = ['POST', md5body, 'application/json', headerXSentiloDate, endpoint];
let contentToSign = values.join('\n');

// Step 3 - HMAC-SHA512 with the secret key, then base64-encode the result
let hmac = crypto.createHmac('sha512', secretKey);
hmac.update(contentToSign);
let result = hmac.digest('base64');

// Compare with the X-Sentilo-Content-Hmac header
console.log(result == headerXSentiloContentHmacValue);


Hope this helps,

Regards,
Sentilo Team
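
The verification steps from the reply above, written as a receiver-side check with a constant-time comparison (an added example, not part of the original thread and not Sentilo's code). The function names, the lowercase header keys (as Node's http module exposes them), the `X-Sentilo-Date` header name inferred from the variable name in the reply, and all sample values are assumptions or constructed.

```javascript
// Added example; not Sentilo's code. Function names are hypothetical.
const crypto = require('crypto');

// Sender side: the five fields joined by '\n', as in the reply above.
function computeSignature(rawBody, endpoint, sentiloDate, secretKey) {
  const md5Body = crypto.createHash('md5').update(rawBody).digest('base64');
  const contentToSign =
    ['POST', md5Body, 'application/json', sentiloDate, endpoint].join('\n');
  return crypto.createHmac('sha512', secretKey)
    .update(contentToSign).digest('base64');
}

// Receiver side. rawBody must be the body exactly as received: re-serializing
// parsed JSON can change whitespace or key order, and with it the MD5.
function verifyCallback(rawBody, headers, endpoint, secretKey) {
  const date = headers['x-sentilo-date'];            // assumed header name
  const received = headers['x-sentilo-content-hmac'];
  if (typeof date !== 'string' || typeof received !== 'string') return false;
  const expected = Buffer.from(
    computeSignature(rawBody, endpoint, date, secretKey), 'base64');
  const actual = Buffer.from(received, 'base64');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return actual.length === expected.length &&
    crypto.timingSafeEqual(actual, expected);
}

// Constructed sample values (not taken from the thread).
function demo() {
  const body = '{"message":"1","sensor":"S01"}';
  const endpoint = 'http://receiver.example/sentilo';
  const key = 'constructed-test-key';
  const date = '01/01/2021T00:00:00';
  const headers = {
    'x-sentilo-date': date,
    'x-sentilo-content-hmac': computeSignature(body, endpoint, date, key),
  };
  return {
    intact: verifyCallback(body, headers, endpoint, key),
    respaced: verifyCallback(body.replace('":', '" :'), headers, endpoint, key),
    wrongEndpoint: verifyCallback(body, headers, endpoint + '/', key),
    wrongKey: verifyCallback(body, headers, endpoint, 'other-key'),
  };
}

console.log(demo());
```

The endpoint string is part of the signed content, so it has to match the subscription's configured value character for character, including any trailing slash.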

rog...@yahoo.es

Dec 10, 2020, 6:10:12 AM
to Sentilo
Thanks for your quick response, but I still can't reach good results.

If I apply your code in https://www.tutorialspoint.com/execute_nodejs_online.php with this data:

const message = '{"message":"394","timestamp":"10/12/2020T10:05:50","topic":"/data/comet/comet_co2_sen001","type":"DATA","sensor":"comet_co2_sen001","provider"   :"comet","time":1607594750277,"publisher":"comet","publishedAt":1607594750277,"publisherTenant":"","tenant":"","sender":"comet"}'
const endpoint = 'http://5.40.64.36:8080/SubscripcioSentilo/test';
const secretKey = 'arantech.2020';
const headerXSentiloDate = '10/12/2020T10:05:50';
const headerXSentiloContentHmacValue = 'UPFKesNsvhjrr9Cnt+RJifS3erQWiG9XdEPw4FhEyKlQpMGhSH/1ozW5lh1akQ7QMx5GdNBWS0m3gDs6x7VMTw==';

Result is False. If I apply to your example, result is True, obviously.

Could someone try?
We host our own Sentilo on our servers, and I think we still use Sentilo 1.6. Maybe something has changed...

Thanks in advance,
Roger

On Thursday, December 3, 2020 at 12:57:04 UTC+1, io.se...@gmail.com wrote:

Sentilo IO

Dec 14, 2020, 2:36:28 AM
to Sentilo
Hi Roger,

Sorry, hard to say. If you're using version 1.6, maybe it's time to upgrade...
We've just released version 1.9, so you're several versions behind.

Regards,
Sentilo team.