Registered 9 years 310 days
Uwe 2460 Wednesday, 14 April 2021, 09:10 AM
setting object pwd via WebSocket PbxAdminApi.UpdateObject message (using C#)
Hello,

and sorry - I have another password issue.
After creation of new V13 PBX from template, I have to modify some PBX object passwords. I successfully connected to PbxAdminApi and retrieved ‘key’ and ‘pwd’ from _Admin_ object with MonitorAdminObject message.

==> {"mt":"MonitorAdminObject","api":"PbxAdminApi"}
<=={"mt":"MonitorAdminObjectInfo","api":"PbxAdminApi","pwd":"e38ac919256aef2e23954f8839fccd33","key":"102929b9de755c06ddf74516ab36f8d1"}

The object guid is retrieved via GetObject message (here: guid=F7BF20A14F6B60011A9F0800272FF27C). Now a new password needs to be set. According to SDK documentation (http://sdk.innovaphone.com/doc/appwebsocket/PbxAdminApi.htm#UpdateObject), the parameter ‘pwd’ is the password encrypted by key of the admin object.

Assuming the new object password is “vo4NrA2O~KKxSt5” and the key is the above retrieved key, I would use the following encryption:
string encryptedPwd = RC4.Encrypt("vo4NrA2O~KKxSt5", "102929b9de755c06ddf74516ab36f8d1");
The encryptedPwd is “15bc7c3e580d0934fa45e128061ce3” and UpdateObject message is then:
==>{"mt":"UpdateObject","api":"PbxAdminApi","guid":"F7BF20A14F6B60011A9F0800272FF27C","pwd":"15bc7c3e580d0934fa45e128061ce3","copyPwd":"15bc7c3e580d0934fa45e128061ce3"}
<=={"api":"PbxAdminApi","mt":"UpdateObjectResult"}

But the stored object password (different to above pwd) is obviously not correct after this. I also used other variants like decrypted key with retrieved ‘pwd’ before using it, all without success…

So the main question is, what does “password=pwd encrypted by key of the admin object” mean?


Kind regards
Uwe
Moderator Registered 7 years 199 days
Carmen Álvarez Méndez (innovaphone) Wednesday, 14 April 2021, 11:09 AM
Re: setting object pwd via WebSocket PbxAdminApi.UpdateObject message (using C#)
Hi Uwe,

MonitorAdminObjectInfo returns the encrypted PBX-Password (enc_pwd=RC4(PBX-Password, key)) using the key and the encrypted Key (enc_key=RC4(key, PBX-Password)) using the PBX-Password. So in this case what you receive is enc_pwd and enc_key.

You need to know the PBX-Password and with that you can decrypt the actual key:
key = RC4(enc_key, PBX-Password)

With that you can encrypt the Users' Passwords:
enc_user_pwd = RC4(user_pwd, key)

Greetings,
Carmen

Registered 9 years 310 days
Uwe 2460 Thursday, 15 April 2021, 11:24 AM
Re: setting object pwd via WebSocket PbxAdminApi.UpdateObject message (using C#)
Hi Carmen,

I’m still fighting with it.

When I fill up the PBX password to a 16-byte and the object/user password to a 24-byte, null-padded string, then I get the encrypted user/object password that I would expect in the config file.
I checked the encryption values with the PHP class published here https://wiki.innovaphone.com/index.php?title=Howto:Encrypt_or_Decrypt_PBX_user_passwords, and it gets the same results.
But when I send this encrypted password in UpdateObject message, the pwd in config file is different (not correct).

PbxPassword (given) : pwd
_ADMIN_ key (given) : 150339cd1b3b219e2ccbb544a1aaaecb
ObjectPassword (given) : vo4NrA2O~KKxSt5
zero filled PbxPassword : pwd
zero filled PbxPassword (hex) : 70776400000000000000000000000000
zero filled ObjectPassword : vo4NrA2O~KKxSt5
zero filled ObjectPassword (hex) : 766f344e7241324f7e4b4b78537435000000000000000000
decrypted _ADMIN_ key (hex) : 3d0f25215b0f2521780f2521960f2521
encrypted object password (key is byte[]): f784872e0d61914004b534af23c1b233204a136dd607eb12
==> {"mt":"UpdateObject","api":"PbxAdminApi","guid":" ","cn":"Voicemail01","pwd":"f784872e0d61914004b534af23c1b233204a136dd607eb12","copyPwd":"f784872e0d61914004b534af23c1b233204a136dd607eb12"}

Expected in config file: f784872e0d61914004b534af23c1b233204a136dd607eb12
Result in config file: e7dc8b544717916a4a9a49e64984b303107e7158e5338a12 (not ok)

Is it correct to send the same pwd in UpdateObject Websocket message, that I finally would expect in config file?

Kind regards
Uwe
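
The relations Carmen gives, with the null padding from Uwe's post, written out as an added example (not code from any poster or from innovaphone). The padding lengths, the use of the key as raw bytes, and the sample key are assumptions taken from or constructed for this thread; the helper names are hypothetical. It reproduces the stored form only, and shows that anyone holding the PBX password can reverse stored object passwords.

```javascript
// Added example: RC4 relations from this thread, argument order as in
// Carmen's notation RC4(data, key). Runs under Node.js (uses Buffer).
function rc4(data, key) {
  const S = Array.from({ length: 256 }, (_, i) => i);
  for (let i = 0, j = 0; i < 256; i++) {            // key scheduling
    j = (j + S[i] + key[i % key.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = Buffer.alloc(data.length);
  for (let n = 0, i = 0, j = 0; n < data.length; n++) { // keystream XOR
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[n] = data[n] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Null-pad a UTF-8 string to a fixed length; reject values that do not fit
// instead of silently truncating a password.
function pad(text, len) {
  const src = Buffer.from(text, "utf8");
  if (src.length > len) throw new RangeError(`value longer than ${len} bytes`);
  const out = Buffer.alloc(len);
  src.copy(out);
  return out;
}

// key = RC4(enc_key, PBX-Password); PBX password padded to 16 bytes (assumption per Uwe's post)
function decryptAdminKey(encKeyHex, pbxPassword) {
  return rc4(Buffer.from(encKeyHex, "hex"), pad(pbxPassword, 16));
}

// enc_user_pwd = RC4(user_pwd, key); password padded to 24 bytes (assumption per Uwe's post)
function encryptObjectPassword(userPwd, key) {
  return rc4(pad(userPwd, 24), key).toString("hex");
}

// RC4 is symmetric: the same key turns the stored value back into clear text.
function decryptObjectPassword(encHex, key) {
  return rc4(Buffer.from(encHex, "hex"), key).toString("utf8").replace(/\0+$/, "");
}

function demo() {
  const key = Buffer.from("000102030405060708090a0b0c0d0e0f", "hex"); // constructed sample key
  const encKey = rc4(key, pad("pwd", 16)).toString("hex");            // enc_key = RC4(key, PBX-Password)
  const stored = encryptObjectPassword("vo4NrA2O~KKxSt5", decryptAdminKey(encKey, "pwd"));
  return { encKey, stored, recovered: decryptObjectPassword(stored, key) };
}
console.log(demo());
```
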
Moderator Registered 16 years 129 days
Guntram Diehl (innovaphone) Saturday, 12 June 2021, 08:07 PM
Re: setting object pwd via WebSocket PbxAdminApi.UpdateObject message (using C#)
I checked the code and I actually think the password sent with UpdateObject is the clear-text password, which is encrypted on the PBX side before storing it. Did you check this? The copyPwd is used differently than you do it. It is used to copy a password from another object, so it could contain the name of an object from which to copy a password. I will try to check this with a simple js code, which I could provide you.
Moderator Registered 16 years 129 days
Guntram Diehl (innovaphone) Tuesday, 15 June 2021, 09:26 AM in response to Uwe 2460
1 of 1 users consider this post helpful
Re: setting object pwd via WebSocket PbxAdminApi.UpdateObject message (using C#)
I tried this with a little bit of javascript. Please have a look at the code: https://jsfiddle.net/igmdl/vu9g2etw/

The following messages are used when changing the password from "pwd" to "xyz".

X {"mt":"AppChallenge"}
R {"mt":"AppChallengeResult","challenge":"81883a3fc3b55916"}
X {"mt":"AppLogin","app":"app","sip":"","digest":"d0b188cc32004d7cf48e3249b1849dcb26b0452846f25cd6d573b0b4d6f86a25"}
R {"mt":"AppLoginResult","ok":true}
X {"mt":"UpdateObject","api":"PbxAdminApi","cn":"App","guid":"*","pwd":"xyz"}
R {"api":"PbxAdminApi","mt":"UpdateObjectResult"}

Of course it is not ideal to send the password here as clear text. Should only be done with HTTPS, but of course it would be even better to have the password encrypted using the session key.
Registered 9 years 310 days
Uwe 2460 Monday, 12 July 2021, 05:59 PM
Re: setting object pwd via WebSocket PbxAdminApi.UpdateObject message (using C#)
Hello Guntram,

thanks for the investigation and example, and sorry for the delayed feedback! Yes, setting pwd in clear text works. Sometimes the easiest way is the right one.

Shouldn’t the SDK documentation be adapted, because it says „pwd: The password encrypted by key of the admin object“?
https://sdk.innovaphone.com/doc/appwebsocket/PbxAdminApi.htm#UpdateObject

kind regards
Uwe
Moderator Registered 16 years 129 days
Guntram Diehl (innovaphone) Friday, 16 July 2021, 08:36 AM
Re: setting object pwd via WebSocket PbxAdminApi.UpdateObject message (using C#)
Yes, you are right. I will update the UpdateObject documentation.
Moderator Registered 16 years 129 days
Guntram Diehl (innovaphone) Friday, 16 July 2021, 09:38 AM
Re: setting object pwd via WebSocket PbxAdminApi.UpdateObject message (using C#)
Documentation is fixed. I close this thread.