SSL (TLS) in as3crypto - actionscript-3

I am facing some issues around SSL (HTTPS calls) in an Adobe Air application. There is a bug on Adobe's list and its the exact same issue that I've bumped into:- https://forums.adobe.com/thread/1116924
The recommended solution (unless Adobe fixes this - they haven't done so in over 2 years) is to use as3crypto's SSL.
Can anyone here help me with the same? Right now, my HTTPService, which uses the default built in Adobe's SSL capabilities, looks like:-
var params:Object = getPOSTParameters();
var _httpservice:HttpService = new HTTPService();
_httpservice.url = "https://myserver_url";
_httpservice.resultFormat = "text";
_httpservice.contentType="application/x-www-form-urlencoded";
_httpservice.method = "POST";
_httpservice.concurrency = "multiple";
_httpservice.requestTimeout=600000;
_httpservice.showBusyCursor = false;
_httpservice.addEventListener(IOErrorEvent.IO_ERROR, httpIOError);
_httpservice.addEventListener(HTTPStatusEvent.HTTP_RESPONSE_STATUS, httpResponseStatus);
var responder:Responder = new Responder(onResult, onError);
var token:AsyncToken = _httpservice.send(params);
token.addResponder(responder);
How should I go about implementing the same with as3crypto? Any example/ code pointers will be really helpful

There is no 100% working solution, at least I don't know it. When I needed https in Adobe Flash I used as3httpclient library where AS3Crypto used for implementig TLSSocket. It's much easier than write you own. But beware it's buggy and it isn't works in some cases.
EDIT:
There is documentation available here for me it was enough, there is no difference between http and https request (except URL).

Related

Standalone flash player navigateToURL using POST fails

Since Flash plugin has reached EOL, the only way to still use my RIA is to use the standalone version of Flash player.
I've noticed an issue with the following piece of code while testing the migration:
var request:URLRequest = new URLRequest("/utils/function");
request.contentType = "application/x-www-form-urlencoded";
request.method = URLRequestMethod.POST;
var data:URLVariables = new URLVariables();
data.x = encodeURIComponent(1);
data.y = encodeURIComponent(2);
data.z = encodeURIComponent('some value');
request.data = data;
navigateToURL(request, "_blank");
The standalone version of flash (v30.0.0.134) makes a GET request instead of the instructed POST method. The browser plugin (v32.0.0.238) opens the page correctly in a new tab as a POST request.
Why does the standalone flash convert my request in to a GET? Anybody out there who can shed some light on this issue?
I don't know if it qualifies as a answer, but we use this to make a POST request:
handleService.url='.../something.ashx';
handleService.method = URLRequestMethod.POST;
var prm:Object=new Object();
prm.par1 = "asd";
prm.content=encodedData;
prm.fileName=FileName;
handleService.send(prm);
Instead of going for a standalone version of flash, you can package the app as a Adobe AIR runtime. We still use some apps written in Flex and have no issues with them.
If running on windows, you can package it as a native runtime and works nice.

Flex mobile HTTPMultiService set user-agent

I'm developing a Flex mobile application and I'm using the Http Services within FlashBuilder (4.7) to send/receive data. I'm having some issues with how the server is setup to accept calls (from the mobile platform) and apparently setting the User-Agent in Android works just fine. But I can't seem to be able to find a way to set the User-Agent in FlashBuilder.
Any ideas?
Thanks
var request:URLRequest=new URLRequest('URL_OF_YOUR_SERVICE');
var userCredential:Object = new Object();
userCredential['user_email'] = 'YOUR_MAIL';
userCredential['user_password'] = 'YOUR_PASSWORD';
request.data=JSON.stringify(userCredential);// use this if your service accept json only else give Object directly
request.method = 'post';// specify here method GET or POST
var loader:URLLoader=new URLLoader();
loader.addEventListener(Event.COMPLETE, userLoginCompleteHandler);
loader.addEventListener(IOErrorEvent.IO_ERROR, onIOErrorHanlder);
try
{
loader.load(request);
}
catch(error:Error)
{
trace("Login Error:: "+ error.toString());
}
may this will help you, here i have defined userLoginCompleteHandler and onIOErrorHanlder event listner for result and fault.
No, you can't set the User-Agent header in Flex.
From this Adobe forums post:
Note again that since the underlying Flash API is flash.net.URLLoader there are certain headers that
you cannot send. For details, please see the docs for flash.net.URLRequestHeader.
The URLRequestHeader docs say:
In Flash Player and in Adobe AIR content outside of the application
security sandbox, the following request headers cannot be used:
... User-Agent, ...

Using local file for Web Audio API in Javascript

I'm trying to get sound working on my iPhone game using the Web Audio API. The problem is that this app is entirely client side. I want to store my mp3s in a local folder (and without being user input driven) so I can't use XMLHttpRequest to read the data. I was looking into using FileSystem but Safari doesn't support it.
Is there any alternative?
Edit: Thanks for the below responses. Unfortunately the Audio API is horribly slow for games. I had this working and the latency just makes the user experience unacceptable. To clarify, what I need is sounething like -
var request = new XMLHttpRequest();
request.open('GET', 'file:///./../sounds/beep-1.mp3', true);
request.responseType = 'arraybuffer';
request.onload = function() {
context.decodeAudioData(request.response, function(buffer) {
dogBarkingBuffer = buffer;
}, onError);
}
request.send();
But this gives me the errors -
XMLHttpRequest cannot load file:///sounds/beep-1.mp3. Cross origin requests are only supported for HTTP.
Uncaught Error: NETWORK_ERR: XMLHttpRequest Exception 101
I understand the security risks with reading local files but surely within your own domain should be ok?
I had the same problem and I found this very simple solution.
audio_file.onchange = function(){
var files = this.files;
var file = URL.createObjectURL(files[0]);
audio_player.src = file;
audio_player.play();
};
<input id="audio_file" type="file" accept="audio/*" />
<audio id="audio_player" />
You can test here:
http://jsfiddle.net/Tv8Cm/
Ok, it's taken me two days of prototyping different solutions and I've finally figured out how I can do this without storing my resources on a server. There's a few blogs that detail this but I couldn't find the full solution in one place so I'm adding it here. This may be considered a bit hacky by seasoned programmers but it's the only way I can see this working, so if anyone has a more elegent solution I'd love to hear it.
The solution was to store my sound files as a Base64 encoded string. The sound files are relatively small (less than 30kb) so I'm hoping performance won't be too much of an issue. Note that I put 'xxx' in front of some of the hyperlinks as my n00b status means I can't post more than two links.
Step 1: create Base 64 sound font
First I need to convert my mp3 to a Base64 encoded string and store it as JSON. I found a website that does this conversion for me here - xxxhttp://www.mobilefish.com/services/base64/base64.php
You may need to remove return characters using a text editor but for anyone that needs an example I found some piano tones here - xxxhttps://raw.github.com/mudcube/MIDI.js/master/soundfont/acoustic_grand_piano-mp3.js
Note that in order to work with my example you're need to remove the header part data:audio/mpeg;base64,
Step 2: decode sound font to ArrayBuffer
You could implement this yourself but I found an API that does this perfectly (why re-invent the wheel, right?) - https://github.com/danguer/blog-examples/blob/master/js/base64-binary.js
Resource taken from - here
Step 3: Adding the rest of the code
Fairly straightforward
var cNote = acoustic_grand_piano.C2;
var byteArray = Base64Binary.decodeArrayBuffer(cNote);
var context = new webkitAudioContext();
context.decodeAudioData(byteArray, function(buffer) {
var source = context.createBufferSource(); // creates a sound source
source.buffer = buffer;
source.connect(context.destination); // connect the source to the context's destination (the speakers)
source.noteOn(0);
}, function(err) { console.log("err(decodeAudioData): "+err); });
And that's it! I have this working through my desktop version of Chrome and also running on mobile Safari (iOS 6 only of course as Web Audio is not supported in older versions). It takes a couple of seconds to load on mobile Safari (Vs less than 1 second on desktop Chrome) but this might be due to the fact that it spends time downloading the sound fonts. It might also be the fact that iOS prevents any sound playing until a user interaction event has occured. I need to do more work looking at how it performs.
Hope this saves someone else the grief I went through.
Because ios apps are sandboxed, the web view (basically safari wrapped in phonegap) allows you to store your mp3 file locally. I.e, there is no "cross domain" security issue.
This is as of ios6 as previous ios versions didn't support web audio api
Use HTML5 Audio tag for playing audio file in browser.
Ajax request works with http protocol so when you try to get audio file using file://, browser mark this request as cross domain request. Set following code in request header -
header('Access-Control-Allow-Origin: *');

NetStream.send not working with NetGroup in RTMFP

We are running a Cumulus server to do a live voice and text chat.
The setting is that each client can post data to each other client in the same NetGroup via group.post(). Unfortunately, that function is extremely slow (half a second delay, at least), so we switched to using NetStream.send to call functions on other clients, passing the data through that. This works almost instantly.
However, we are now trying to build separate chat rooms, using different NetGroups. But when doing so, NetStream.send() doesn't work anymore, the functions are never called on the other clients, and no voice data is transferred. Basically, the whole publishing NetStream seems to be not working any more.
We have the following setup to establish a NetGroup and a publishing stream on each client:
var gspec:GroupSpecifier = new GroupSpecifier("Group1");
gspec.multicastEnabled = true;
gspec.postingEnabled = true;
gspec.serverChannelEnabled = true;
gspec.objectReplicationEnabled = true;
gspec.routingEnabled = true;
_group = new NetGroup(_netConnection, gspec.groupspecWithAuthorizations());
_group.addEventListener(NetStatusEvent.NET_STATUS, handleNetGroupStatus);
_sendStream = new NetStream(_netConnection, gspec.groupspecWithAuthorizations());
_sendStream.addEventListener(NetStatusEvent.NET_STATUS, handleNetStreamStatus);
_sendStream.client = this;
_sendStream.attachAudio(_mic);
_sendStream.publish("media");
And the following code is used to listen to the "media" stream:
case "NetGroup.Neighbor.Connect":
var netStream :NetStream = new NetStream(_netConnection, p_netStatusEvent.info.peerID);
netStream.addEventListener(NetStatusEvent.NET_STATUS, handleNetStreamStatus);
netStream.client = this;
netStream.play("media");
break;
The NetGroup connection itself works, and "NetGroup.Neighbor.Connect" is called on each client when a neighbor connects. But the _sendStream itself simply doesn't work. No data is received, no function called.
It does work when the publishing NetStream is constructed in the following way:
_sendStream = new NetStream(_netConnection, NetStream.DIRECT_CONNECTIONS);
However, we only want the NetStream to send to a single NetGroup, and according to the Adobe Documentation, using gspec.groupspecWithAuthorizations() in the constructor should allow exactly that.
Are we missing something here?
I found the answer:
You also have to make the receiving NetStream listen to gspec.groupspecWithAuthorizations() instead of p_netStatusEvent.info.peerID.
This does work. Unfortunately, this makes voice chat impossible, as it is incredibly slow (as slow as NetGroup.post()) and introduces many sound artifacts.
So, we'll have to find another solution for different chat rooms...

Is there any best way to implement Encryption in Flex 3

we have one application where we are pulling some confidential information from one of the product design tools. So we have used HTTPS as the channel and also we are encrypting the Request Parameters and Some data before we sent it to Web Services. So, Everything seems OK.
But when we gave the application for Security auditing they found we have hard coded the encryption key in source code. They have used Sothink SWF Decompiler to look into my SWF file. They caught the key and raised concern over it.
We have developed this application using Flex 3(SDK 3.4). Is there any best way to use Secret key without being hard coded in source code. If anybody come across this kind of problem, please let me know.
Anyone, please suggest me the best way to use the secret keys in SourceCode without being Hard coded.
Here is my sample code:
var currentResult:String = "";
var strDataToEncrypt:String = "";
var kdata:ByteArray;
var todayDate:Date = new Date();
kdata = Hex.toArray(Hex.fromString("secretKey here"));
strDataToEncrypt =username.toUpperCase() + "#$#" + password + "#$#" + todayDate.getTime().toString();
var data:ByteArray;
data = Hex.toArray(Hex.fromString(strDataToEncrypt))
var name:String = "des3-ecb";
var pad:IPad = new PKCS5;
var mode:ICipher = Crypto.getCipher(name, kdata, pad);
pad.setBlockSize(mode.getBlockSize());
mode.encrypt(data);
currentResult = Base64.encodeByteArray(data);
var token:String = currentResult;
There is no such thing as complete protection with Flash. Your keys have to be either in the code or loaded externally, and at some point anyone who is determined enough will be able to get them. All you can do is make this process so complex that it's not worth the hassle.
Have a look at this question for ways to make your source harder to decompile and read: How to protect swf file from being decompiled?
don't send your data as url parameters. send it with a post request.
if that's not possible you could try implementing a scheme with a public key. but be careful, chances are high that you implement something wrong which leads to even bigger security problems.