Archive for February, 2020

Parsing the #U2F Signature response in #Javascript


This is my third blog post in my series of U2F, and if you haven’t already seen it – check out the github repo for the source code here;

It’s been refactored since the last post, so that the parser no longer pollutes the global namespace with it’s own variables, and keeps things cleaner.

So, it’s now wrapped up like this

class U2FParse {

parseRegistration (registrationData)
{ …

parseSign (signData)
{ …


So that you instatiate a new U2FParse class (which I’ve called “parser”), then parse either the registration response or the sign response.

Let’s look at how to get a signature response, assuming you already have the keyhandle from the registration;

function Sign()
let registeredKey = {
keyHandle: U2FRegistration.keyHandle,
version: ‘U2F_V2’
u2f.sign(‘https://localhost’, ‘SigningChallenge’, [registeredKey],
(response) => {

By running this code, the browser will prompt you to press the button on your U2F device, and the callback will be triggered, with the response object populated.

Now, we call the method;

U2FSign = parser.parseSign(response.signatureData);

Which does the following;

var bSignData = this._Base64ToArrayBuffer(signData);
return {
userPresence : bSignData[0],
userCounter : bSignData[4]
+ bSignData[3] * 256
+ bSignData[2] * 256 * 256
+ bSignData[1] * 256 * 256 * 256

The UserPresence is a number where 1 is present, and anything else is just plain wierd, but treat that as an error.

UserCounter is a 4 byte integer, that counts up how many times the user has logged in (signed a challenge).

My plan is to move this to server side code that can be accessed via Ajax, since I haven’t seen that done before, and I guess it may be useful to someone.

Categories: Uncategorized

Parsing U2F Registration Data in #Javascript


Following on from yesterday’s post, today, I’m taking U2F one step further, by parsing the returned data in Javascript.

If you want to just skip to the code; here is the repo on GitHub:

A high level overview of what is happening here, is that the u2f.register function call returns an object, a property of which is registrationData, which is a Web-Safe Base64 string, that encodes the raw FIDO data, as a byte array.

First, a quick seque – a web-safe base64 string is just a base64 string with the forward-slashes (/) converted to underscores (_) and plusses (+) converted to dashes (-), and any trailing equals (=) removed. It’s important to note the difference, because the standard (atob and btoa functions will fail if you don’t account for this)

In Javascript, the first challenge is to convert a Web-Safe Base64 array into a Uint8Array array, which is much easier to handle, when you are doing byte-operations.

So here’s the code;

_Base64ToArrayBuffer : function (base64) {
base64 = base64.replace(/_/g, ‘/’).replace(/-/g, ‘+’); // web safe
var binary_string = window.atob(base64);
var len = binary_string.length;
var bytes = new Uint8Array(len);
for (var i = 0; i < len; i++) {
bytes[i] = binary_string.charCodeAt(i);
return bytes;
_ArrayBufferToBase64 : function (arrayBuffer) {
var dView = new Uint8Array(arrayBuffer);
var arr =;
var arr1 ={
return String.fromCharCode(item);
var b64 = window.btoa(arr1.join(”));
return b64.replace(/\+/g, ‘-‘).replace(/\//g, ‘_’).replace(/=+$/, ”);

Now, we need to look at FIDO’s documentation on the raw message format to see what the data contains, here are the docs;

The parts of the registrationData that we are interested in are;

  • reserved byte [1 byte], which for legacy reasons has the value 0x05.
  • user public key [65 bytes]. This is the (uncompressed) x,y-representation of a curve point on the P-256 NIST elliptic curve.
  • key handle length byte [1 byte], which specifies the length of the key handle (see below). The value is unsigned (range 0-255).
  • key handle [length specified in previous field]. This a handle that allows the U2F token to identify the generated key pair. U2F tokens may wrap the generated private key and the application id it was generated for, and output that as the key handle.

There is very little validation done in the javascript, but we are trusting the U2F API to return un-tampered data.

So, we parse it as follows

var bRegData = U2FRegistration._Base64ToArrayBuffer(registrationData);
throw “Reserved byte is incorrect”;
U2FRegistration.userPublicKey = U2FRegistration._ArrayBufferToBase64(bRegData.slice(1,66));
U2FRegistration.keyHandleLength = bRegData[66];
U2FRegistration.keyHandle = U2FRegistration._ArrayBufferToBase64(bRegData.slice(67,U2FRegistration.keyHandleLength+67));

The Attestation certificate and signature are not captured from the data, since we are trusting the data to be valid.

Going back to our U2F registration code, we callout to U2FRegistration.parse after registration;

let registerRequest = {
challenge: ‘RegisterChallenge’,
version: ‘U2F_V2’
u2f.register(‘https://localhost&#8217;, [registerRequest], [],
(response) => {

The next step will be signing, in which we will use the KeyHandle above. But that’s for another day.


Categories: Uncategorized

#U2F Authentication using #Javascript (#opensource)

U2F is a new standard in hardware dongles that will become more prevalent as stronger 2FA Auth becomes more commonplace, due to PSD2 regulations etc.

I’m just learning, so this demo does nothing much at the moment, other than trigger the registration procedure on the U2F device, and, so far – it runs entirely in client side javascript.

It requires the U2F library from Google.

let registerRequest = {
challenge: ‘RegisterChallenge’,
version: ‘U2F_V2’
u2f.register(‘https://localhost&#8217;, [registerRequest], [],
(response) => {

I’ll be develping this over a few days, if I get time to experiment!


Categories: Uncategorized

Read a QR code in C# using the library


QR codes are all around us, and with a few lines of code you can take an image of a QR code, and interpet it as text. The same code also works with barcodes, and all these formats; UPC-A, UPC-E, EAN-8, EAN-13, Code 39, Code 93, Code 128, ITF, Codabar, MSI, RSS-14 (all variants), QR Code, Data Matrix, Aztec and PDF-417.

The code is open source at , but there’s not much to it; just these few lines of code;

const string imageUrl = “;;
// Install-Package ZXing.Net -Version 0.16.5
var client = new WebClient();
var stream = client.OpenRead(imageUrl);
if (stream == null) return;
var bitmap = new Bitmap(stream);
IBarcodeReader reader = new BarcodeReader();
var result = reader.Decode(bitmap);


Categories: Uncategorized

UK #VRM #API #OpenSource website


I thought I’d take a moment to talk honestly, and describe how I got to where I am in business. Lots of people look back with rose coloured glasses from whence they came, claiming it was all a plan, and every decision they made was planned to get to the point they are at now.

Perhaps thats the case for them, it wasn’t for me. I wake up every morning with five business ideas in my head. Luckily I have the technical ability try some of them out, and I swear, 99% fail miserably. I don’t invest much in each idea. Perhaps a day or two, and a few hundred pounds at most, so I can afford it, in both time and money, but I keep going.

One idea,  worked for me, and you can perhaps see it in the domain name, that I had little faith at the time. I bought a cheap domain name, and I didn’t even create a new database for it, I lumped it in with other projects. I put it on the same server as everthing else.

It made no money for a year, perhaps one customer, maybe two. Then I discovered that the API only worked on the DVLNI (Northern Ireland), and it was overpriced. I spend a little time on it, making it work against the DVLA (UK), and dropped the price by half. Then it started getting picked up by users from all over the UK.

Once the momentum started, I decided to invest more time and money in it, and I quickly expanded the site accross europe, and the USA. Once it hit the USA, then the serious money started. A few major customers, and I was on a roll.

From there, I focused on quality, making sure the API was fast, accurate and reliable, and that made the difference. I added a few more countries along the way, and improved my sales pitch.

Revisiting where I started, I’m almost ashamed of my UK domain name, it sucks. I got a better domain, but I’m not sure if I wanted to rebrand. So I just put a free website up there, at  – it’s open source on Github, feel free to clone or fork it.

Perhaps I’m nearing the end of this run, but from humble beginnings, I’m happy with where it has taken me.


Categories: Uncategorized

Access #Azure #CLI from SQL server


If you want to automate Azure tasks directly from a scheduled job in SQL server, such as transferring a database backup to Azure blob storage once a backup is complete, then you may run into this issue;

You run a simple command like

xp_cmdshell ‘az storage account list’

And you get an error message

ERROR: Please run ‘az login’ to setup account.

but that doesnt work, since it’ll try to open a web browser.

So, the trick is, assuming you’ve logged in under your user account correctly, copy the “.azure” folder (it’s hidden), and move it to the windows user profile used by SQL server.

Want to know what that is?, just run;

xp_cmdshell ‘echo %userprofile%’

Once you’ve copied the .azure folder, then the commands will run as normal

Categories: Uncategorized

#Opensource #javascript library to help localize your multi-lingual website


When developing a multi-lingual website, there are common elements that can be costly to translate if you are paying per-word, and it’s too risky to resort to automatic translation. How embarassing would it be to have Turkey (the country) translated as Tacchina (a bird)?

However, the folks at Unicode Inc, have a freely downloadable zip file, that contains common translations in every conceiveable language, known as the CLDR, and this is a javascript file that leverages the CLDR, so you don’t have to translate a list of countries (or languages, time zones, etc.)

So, to get to the point, You can clone the repo from github here;

It’s open source, so feel free to fork, and develop upon this library, as long as you keep the copyright notices in place

The simple example here, is to load the italian localisation file (it.xml), and then use it to display a drop down of countries as follows;

Localize.Load(“it.xml”).then( language => initializeWith(language));

function initializeWith(language)
var territories = language.localeDisplayNames.territories.territory;
var countries = territories.filter(country => country.type.length==2
&& country.alt == null);

var CountriesSelect = document.getElementById(“countries”);
for(var i in countries)
var country= countries[i];
var el = document.createElement(“option”);
el.text = country[“#text”];
el.value = country.type;

Of course, if you are interested in creating a multi-lingual website, you should also check out – especially if you have a .NET based website.

Categories: Uncategorized

Manage your #API firewall from within the dashboard


We’ve always had a way to limit access by IP on our websites like – however, it has always been on request, and that both takes time, and more importantly, if a customer didn’t know about the feature, their API access can be open to the world.

So, in order to make best practice easy, we’ve added a “Firewall” feature to the dashboard, where you can add and remove IP addresses from the firewall.

By default, if you don’t have any IP addresses in the Firewall, it is open to any user on the Internet, but if you want to lock it down – and you should – you can add your server IPs and office IPs to this list. The change takes effect immediately.

You can also use the bin icon to remove IP addresses that you no longer need, so you can keep the list tidy, and your access secure.



Categories: Uncategorized

Determine the age of an Italian car from it’s number plate


The first two letters of an italian number plate increment slowly over years, and it’s possible to roughly estimate the age of an italian car by the first two letters of it’s number plate. Assuming it’s in the modern format of AA-NNN-AA rather than AA-NNNNN (Where A is Alpha and N is Numeric).

This is a rough table based on over 10,000 examples.

Prefix Year
AB 1994
AC 1995
AF 1995
AG 1995
AH 1995
AJ 1995
AK 1996
AL 1996
AP 1997
AS 1997
AT 1997
AV 1997
AW 1998
AX 1998
AY 1998
BA 1998
BB 1998
BC 1998
BD 1998
BE 1999
BG 1999
BH 1999
BJ 1999
BK 1999
BL 1999
BM 1999
BN 2000
BP 2000
BR 2001
BT 2001
BV 2001
BX 2001
BY 2001
BZ 2001
CA 2001
CB 2002
CE 2002
CF 2002
CG 2003
CJ 2003
CK 2003
CL 2004
CN 2004
CS 2004
CT 2004
CV 2004
CW 2004
CX 2004
CY 2004
CZ 2005
DA 2005
DB 2005
DC 2005
DD 2005
DE 2006
DF 2006
DG 2006
DH 2006
DJ 2006
DK 2006
DL 2006
DM 2007
DN 2007
DP 2007
DR 2007
DS 2008
DV 2008
DW 2008
DX 2008
DY 2008
DZ 2008
EA 2009
EB 2009
EC 2009
ED 2009
EF 2009
EG 2010
EH 2010
EJ 2010
EK 2011
EL 2011
EM 2011
EN 2011
EP 2012
ER 2012
ES 2012
ET 2013
EW 2013
EX 2013
EY 2014
EZ 2014
FA 2014
FB 2014
FC 2015
FE 2015
FF 2015
FG 2015
FH 2015
FJ 2016
FK 2016
FL 2016
FM 2017
FR 2017
FT 2018
FV 2018
FW 2018
FX 2019
GA 2020
Categories: Uncategorized
%d bloggers like this: