IBM Verify

  • 1.  PluginUtils - usage in Infomap

    Posted Wed January 13, 2021 12:01 PM
    Dear community,

    I was wondering if somebody could help explain why the PluginUtils class is sometimes usable and sometimes not.
    We are running 9.0.7.1, but the same behavior was noticed on earlier versions.

    In the documentation it is listed as a globally available class: https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/config/concept/con_otp_customize_mapping_rules_gs_aac.html

    We are able to import and use this class in some mapping rules (like Post/Pre token), but in some it does not work.

    For example, in infomap, the following import
    importClass(Packages.com.tivoli.am.rba.extensions.PluginUtils);
    results in a stack trace:
    Caused by: org.mozilla.javascript.EvaluatorException: Function importClass must be called with a class; had "[JavaPackage com.tivoli.am.rba.extensions.PluginUtils]" instead.

    The same import works fine in some other places.

    Thanks,
    Dean





  • 2.  RE: PluginUtils - usage in Infomap

    Posted Wed January 13, 2021 12:09 PM

    Hello Dean,

    The 'com.tivoli.am.rba.extensions.PluginUtils' class is meant to be used in the JavaScript PIP as it's part of the 'RBA' (Risk Based Access, also known as 'CBA', Context Based Access) feature.

    For mapping rules other than JavaScript PIP you should use the following:

    com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils

    Is there a specific function from the PluginUtils class that you are trying to use in infomap that's not in the IDMappingExtUtils class?



    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 3.  RE: PluginUtils - usage in Infomap

    Posted Wed January 13, 2021 12:24 PM
    Hi Jack,

    thanks a lot for your fast response. Ok, noted the difference.

    I actually need to calculate the SHA256 hash of a string.
    In PluginUtils there is a "hash" function which I wanted to try.
    Besides that, the only alternative I saw is SHA256Sum in OAuthMappingExtUtils.
    I tried it, but I am not confident in the output I get.

    Following is my snippet:
    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);
    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);

    let payload = "This is a payload";
    IDMappingExtUtils.traceString("\nPayload: " + payload);

    let payload_digest = String(new java.lang.String(OAuthMappingExtUtils.SHA256Sum(new java.lang.String(payload))))
    IDMappingExtUtils.traceString("\nDigest: " + payload_digest);


    Output:
    Payload: This is a payload
    Digest: W�����Z�YKC��X��!�� �+�De>�


    Is this function correct to use?

    Thanks,
    Dean

    ------------------------------
    Dean Ivosevic
    ------------------------------



  • 4.  RE: PluginUtils - usage in Infomap

    Posted Wed January 13, 2021 02:12 PM

    Hello Dean,

    That would be the correct output to use but since the output is going to be a Java Byte array (byte[]) the best thing would be to wrap it in the 'com.tivoli.am.fim.base64.BASE64Utility.encode(byte[])' class so that you'll get a base64 encoded String as the output.

    EG:

    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);
    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
    importClass(Packages.com.tivoli.am.fim.base64.BASE64Utility);
    
    let payload = "This is a payload";
    IDMappingExtUtils.traceString("\nPayload: " + payload);
    
    let payload_digest = String(new java.lang.String(BASE64Utility.encode(OAuthMappingExtUtils.SHA256Sum(new java.lang.String(payload)))));
    IDMappingExtUtils.traceString("\nDigest: " + payload_digest);


    That way you get a string output.
    Hashes are base64 encoded by default by other programs due to them being binary in nature (byte arrays).



    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 5.  RE: PluginUtils - usage in Infomap

    Posted Fri January 15, 2021 05:01 AM
    Hi Jack,

    thanks a lot! This really helps.

    Just for reference and completion, if somebody also needs this.
    If a hexadecimal SHA256 representation is needed, which is also common, the byte array needs to be transformed into a hexadecimal string.
    I achieved this with the following:

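    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);

    let payload = "";
    let hash_byte = OAuthMappingExtUtils.SHA256Sum(new java.lang.String(payload));

    // Java bytes are signed, so mask with 0xFF before formatting as two hex digits
    let hash_hex = [];
    for (let i = 0; i < hash_byte.length; i++) {
        let hex = ('0' + (hash_byte[i] & 0xFF).toString(16)).slice(-2);
        hash_hex.push(hex);
    }
    hash_hex = hash_hex.join("");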

    hash_hex = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    Which is aligned with the SHA256 test vector.


    Best,
    Dean

    ------------------------------
    Dean Ivosevic
    ------------------------------
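
The byte-to-text handling discussed in posts 3 to 5, as an added example that is not part of the original thread. It runs under Node.js rather than the appliance's Rhino engine; the function names, the use of Int8Array to stand in for Java's signed byte[], and UTF-8 as the decoding charset are assumptions.

```javascript
// Added example: runs under Node.js, not inside the appliance's Rhino engine.
const { createHash } = require('crypto');

// SHA-256 of a UTF-8 string, returned as signed bytes (-128..127).
// Int8Array stands in for the Java byte[] a mapping rule receives (assumption).
function sha256SignedBytes(text) {
  return Int8Array.from(createHash('sha256').update(text, 'utf8').digest());
}

// Hex encoding as in post 5: mask to 0..255, then left-pad to two digits.
function toHex(signedBytes) {
  let out = '';
  for (const b of signedBytes) out += ('0' + (b & 0xFF).toString(16)).slice(-2);
  return out;
}

// The same loop without the mask. A negative byte such as -29 (0xe3) becomes
// "-1d", so slice(-2) yields "1d" and the digest is silently wrong.
function toHexUnmasked(signedBytes) {
  let out = '';
  for (const b of signedBytes) out += ('0' + b.toString(16)).slice(-2);
  return out;
}

// Base64 encoding as in post 4: encode the raw bytes, never a decoded string.
function toBase64(signedBytes) {
  return Buffer.from(Uint8Array.from(signedBytes, b => b & 0xFF)).toString('base64');
}

// Decoding digest bytes as text (UTF-8 assumed here) and re-encoding them.
// Invalid sequences become U+FFFD, so the original bytes cannot be recovered.
function survivesTextRoundTrip(signedBytes) {
  const raw = Buffer.from(Uint8Array.from(signedBytes, b => b & 0xFF));
  return Buffer.from(raw.toString('utf8'), 'utf8').equals(raw);
}

const digest = sha256SignedBytes('');   // empty string, the test vector from post 5
console.log('hex      :', toHex(digest));
console.log('unmasked :', toHexUnmasked(digest));
console.log('base64   :', toBase64(digest));
console.log('text-safe:', survivesTextRoundTrip(digest));
```

If a digest is compared against a value produced by another system, both sides must use the same encoding (hex or base64) of the raw bytes.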