2016, Monday December 19
By A.Bouchez on 2016, Monday December 19, 21:27 - mORMot Framework
JSON Web Token (
JWT) is an open standard (RFC 7519) that defines a compact
and self-contained way for securely transmitting information between parties as
a JSON object. This information can be verified and trusted because it is
digitally signed. JWTs can be signed using a secret (with the HMAC algorithm)
or a public/private key pair using RSA or ECDSA.
They can be used for:
- Authentication: including a
JWT to any HTTP request allows
Single Sign On user validation across different domains;
- Secure Information Exchange: a small amount of data can be stored in the
JWT payload, and is digitally signed to ensure its provenance and
See http://jwt.io for an introduction to
JSON Web Tokens.
Our mORMot framework now implements
HS256 (HMAC-SHA256) and
ES256 (256-bit ECDSA)
algorithms (with the addition of the
"none" weak algo);
- Validates all claims (validation dates, audiences, JWT ID);
- Thread-safe and high performance (2 µs for a
verification under x64), with optional in-memory cache if needed (e.g. for
- Stand-alone and cross-platform code (no external
with Delphi or FPC);
- Enhanced security and strong design - per instance, it is by design immune
- Full integration with the framework.
2016, Thursday November 10
By A.Bouchez on 2016, Thursday November 10, 19:36 - mORMot Framework
EKON20 is now over, and there
was a lot of people, great speakers, beautiful T-Shirt, and fresh beer!
I've published the slides of my mORMot conferences on
The "classic" Synopse/mORMot slides have also been uploaded to their latest
revision, so don't hesitate to check what's new!
The PDF are also available for
direct download from our server.
2016, Tuesday October 18
By A.Bouchez on 2016, Tuesday October 18, 13:21 - mORMot Framework
In order to follow best practice, our
.private key files are
always protected by a password. A random value with enough length and
entropy is always proposed by the
ECC tool when a key pair is
generated, and could be used directly.
It is always preferred to trust a computer to create true randomness (and
TAESPRNG was designed to be
the best possible seed, using hardware entropy if available), than using our
human brain, which could be defeated by dictionary-based password
Brute force cracking would be almost impossible, since
PBKDF2_HMAC_SHA256 Password-Based Key Derivation Function with
60,000 rounds is used, so rainbow tables (i.e. pre-computed passwords list)
will be inoperative, and each password trial would take more time than with a
regular Key Derivation Function.
The issue with strong passwords is that they are difficult to remember. If
you use not pure random passwords, but some easier to remember values with good
entropy, you may try some tools like https://xkpasswd.net/s which returns values like
But even then, you will be able to remember only a dozen of such passwords. In
a typical public key infrastructure, you may create hundredths of keys, so
remembering all passwords is no option for an average human being as (you and)
At the end, you end up with using a tool to store all your passwords (last
trend is to use an online service with browser integration), or - admit it -
store them in an
Excel document protected by a password. Most IT
people - and even security specialists - end with using such a mean of storage,
just because they need it.
The weaknesses of such solutions can be listed:
- How could we trust closed source software and third-party online
- Even open source like http://keepass.info/help/base/security.html
may appear weak (no PBKDF, no AFSplit, managed C#, SHA as PRNG);
- The storage is as safe as the "master password" is safe;
- If the "master password" is compromised, all your passwords are
- You need to know the master password to add a new item to the store.
ECC tool is able to work in "cheat mode", storing all
.private key files generated passwords in an associated
.cheat local file, encrypted using a
As a result:
- Each key pair will have its own associated
.cheat file, so you
only unleash one key at a time;
.cheat file content is meaningless without the
cheat.private key and its master password, so you can manage and
store them together with your
- Only the
cheat.public key is needed when creating a key pair,
so you won't leak your master password, and even could generate keys in an
automated way, on a distant server;
cheat.private key will be safely stored in a separated
place, only needed when you need to recover a password;
- It uses strong File Encryption, with proven PBKDF, AFSplit,
AES-PRNG, and ECDH/ECIES algorithms.
2016, Saturday September 24
By A.Bouchez on 2016, Saturday September 24, 20:10 - mORMot Framework
After weeks of implementation and testing, we introduce today a new feature
of our mORMot Open-Source Framework.
Asymmetric encryption, also known as public-key
cryptography, uses pairs of keys:
- Public keys that may be disseminated widely;
- Paired with private keys which are known only to the owner.
SynEcc unit features a full asymmetric encryption system, based on
cryptography (ECC), which may be used at application level (i.e. to
protect your application data, by signing or encrypting it), or at transmission
level (to enhance communication safety).
A full set of high-level features, including certificates and command line
tool, offers a stand-alone but complete public-key
2016, Tuesday September 6
By A.Bouchez on 2016, Tuesday September 6, 07:35 - mORMot Framework
There are still a few days for "very early birds" offer for EKON 20
conference, and meet us for 3 sessions (including a half-day
training/introduction to mORMot)!
Join us the 7-9th of November in Düsseldorf!
sessions are not restricted to mORMot, but will use
mORMot to illustrate some concepts and design ideas:
You can contact me if you want to join, so that I may give you an additional
Hope we can meet for a chat and (a few) beers!
2016, Saturday July 30
By A.Bouchez on 2016, Saturday July 30, 17:37 - mORMot Framework
Especially if you are dealing with a lot of data, you often need a way to
identify if a value is available in a value set.
A typical use case is if you have data sharded among
several nodes, and you want to avoid asking each node for each incoming
A naive approach could be to store all data in a memory list.
But here we are really talking about a lot of data, and it would simply not fit
into a memory list.
We may say that it is the purpose of a database to maintain such a
So you start a good CREATE TABLE on your RDBMS with a single indexed primary
key column, fill it with your data, and run a proper SELECT.
But it takes a lot of storage, insertion is slow, and this database becomes a
Then you consider using some NoSQL database like Redis.
It is faster than a RDBMS, but it tends to use a lot of memory, and it is still
resource consuming to update the values.
No comes Bloom
It allows to store the presence of high-number of values with a small memory
space, with a predefined ratio of potential
We just introduced a
TSynBloomFilter class in our Open Source
mORMot framework trunk, which features an optimized and self-tuning
Bloom Filter storage, with potential low-bandwidth synchronization over the
2016, Monday May 30
By A.Bouchez on 2016, Monday May 30, 16:58 - mORMot Framework
Some patches, provided by ALFred, did introduce some
new platforms under Linux:
- Linux x86 (aka Intel 32-bit)
- Linux x64 (aka Intel 64-bit)
- Linux AARCH32 (aka ARM 32-bit)
- Linux AARCH64 (aka ARM 64-bit)
It needs the latest trunk version of the FPC compiler, and the "Interface Enhanced
Here is a screenshot of Lazarus running all SOA tests (including
asynchronous callbacks via WebSockets
) on a remote ARM 64-bit
Thanks a lot, Alfred, for the hard work, and all the time spent during
There was some low-level asm involved here, to invoke an interface, or create a
fake interface implementation on the fly... not any easy task...
Any feedback is welcome on our forum, as
2016, Saturday May 14
By A.Bouchez on 2016, Saturday May 14, 11:14 - mORMot Framework
In any modern application, especially on
Client/Server nTier architecture as our little mORMot offers, we
often have to persist some private keys in a safe way.
Problem with such keys is that they consist in small amount of bytes (typically
16 or 32 bytes), easy to be left somewhere in disk or memory.
Given the abilities of recent forensic data recovery
methods, data can't be destroyed on magnetic or flash storage media
We have just added to our SynCrypto OpenSource library
the Anti-forensic Information Splitter algorithm, as proposed in
TKS1, and implemented in the LUKS
LUKS is the de-facto standard of platform-independent standard on-disk
format for use in various tools.
2016, Friday April 22
By A.Bouchez on 2016, Friday April 22, 11:29 - Open Source
You should have noticed that Delphi 10.1
Berlin has been released.
Our Open Source
projects, including mORMot and SynPDF and their
associated documentation have been updated to support this new
feedback is welcome, as usual!
2016, Saturday April 9
By A.Bouchez on 2016, Saturday April 9, 11:37 - mORMot Framework
Everyone knows about the pascal random()
It returns some numbers, using a linear
congruential generator, with a multiplier of 134775813,
in its Delphi implementation.
It is fast, but not really secure. Output is very predictable, especially if
you forgot to execute the RandSeed()
In real world scenarios, safety always requires random numbers, e.g. for
The less predictable, the better.
We just included a Cryptographically
Secure Pseudo-Random Number Generator (CSPRNG) into our
TAESPRNG class would use real system entropy to generate
a sequence of pseudorandom bytes, using AES-256, so returning highly
2016, Monday February 8
By A.Bouchez on 2016, Monday February 8, 16:55 - Pascal Programing
Marco Cantu, product manager of Delphi/RAD Studio, did publish the
official RAD Studio 2016 Product Approach and Roadmap.
The upcoming release has a codename known as "BigBen", and should be called
Delphi 10.1 Berlin, as far as I understand.
After this summer, another release, which codename is "Godzilla", will
support Linux as a compiler target, in its Delphi 10.2 Tokyo release.
This is a very good news, and some details are given.
I've included those official names to mORMot's internal compiler version
Thanks Marco for the information, and pushing in this direction!
My only concern is that it would be "ARC-enabled"...
2016, Saturday January 9
By A.Bouchez on 2016, Saturday January 9, 16:59 - mORMot Framework
Once your application is multi-threaded, concurrent data access should be
protected. We already wrote about how debugging multi-thread
applications may be hard.
Otherwise, a "race
condition" issue may appear: for instance, if two threads modify a variable
at the same time (e.g. decrease a counter), values may become incoherent and
unsafe to use. Another symptom of broken logic is the "deadlock", by which the whole
application appears to be blocked and unresponsive, when two threads have a
wrong use of the lock, so are blocking each-others.
On a server system, which is expected to run 24/7 with no maintenance, such
issues are to be avoided.
In Delphi, protection of a resource (which may be an object, or any
variable) is usually done via Critical
A critical section is an object used to make sure, that some part of
the code is executed only by one thread at a time. A critical section
needs to be created/initialized before it can be used and be released when it
is not needed anymore. Then, some code is protected using Enter/Leave
methods, which would lock its execution: in practice, only a single
thread would own the critical section, so only a single thread would
be able to execute this code section, and other threads would wait until the
lock is released. For best performance, the protected sections should be as
small as possible - otherwise the benefit of using threads may be voided, since
any other thread would wait for the thread owning the critical section
to release the lock.
We will now see that Delphi's
TCriticalSection may have
potential issues, and what our framework proposes to ease critical
section use in your applications.
2015, Friday December 11
By A.Bouchez on 2015, Friday December 11, 21:31 - mORMot Framework
We have seen previously how the ORM part of the framework is able to provide
Trail for change tracking.
It is a very convenient way of storing the change of state of the data.
On the other side, in any modern SOA solution, data is not at the center any
more, but services.
Sometimes, the data is not stored within your server, but in a third-party
Service-Oriented Architecture (SOA).
Being able to monitor the service execution of the whole system becomes sooner
or later mandatory.
Our framework allows to create an Audit Trail of any incoming or
outgoing service operation, in a secure, efficient and automated way.
2015, Saturday November 21
By A.Bouchez on 2015, Saturday November 21, 14:30 - Pascal Programing
There is a very trendy move, since a few years, to value so called "meta-programming".
In short, it is about the ability to treat programs as their data.
It is a very powerful paradigm in functional languages, and it was also
introduced to OOP languages, even in SmallTalk a long time
before this concept was trendy in Ruby, C# or Java.
In OOP compiled languages, reflection is used to achieve a similar behavior
at run-time, mainly via RTTI (Run-Time Type
RTTI since its version 1, as it was heavily used e.g. for all UI
In our framework, we rely on RTTI for its main features:
MVC - and even in some other parts, like
Desktop UI generation.
But RTTI could easily be abused.
Here are some thoughts, started as a comment in a
good old Mason's blog article about how RTTI performance may be a
My comment was to get rid of RTTI, and follow a SOLID
implementation with explicit OOP code, like use of
2015, Tuesday November 17
By A.Bouchez on 2015, Tuesday November 17, 21:01 - mORMot Framework
If you compare with existing client/server SOA solutions (in Delphi, Java,
C# or even in Go or other frameworks), mORMot's
callback mechanism sounds pretty unique and easy to work with.
Most Events Oriented solutions do use a set of dedicated
messages to propagate the events, with a centralized Message
Bus (like MSMQ or
JMS), or a
P2P/decentralized approach (see e.g. ZeroMQ or NanoMsg). In practice, you are expected to
class per message, the
class fields being
the message values. You would define e.g. one
class to notify a
successful process, and another
class to notify an error. SOA
services would eventually tend to be defined by a huge number of individual
classes, with the temptation of re-using existing classes in several
interface-based approach allows to gather all events:
- In a single
interface type per notification, i.e.
probably per service operation;
- With one method per event;
- Using method parameters defining the event values.
Since asynchronous notifications are needed most of the time, method
parameters would be one-way, i.e. defined only
const - in such case, an evolved algorithm would
transparently gather those outgoing messages, to enhance scalability when
processing such asynchronous events. Blocking request may also be defined
var/out, as we will see below, inWorkflow
Behind the scene, the framework would still transmit raw messages over IP
sockets (currently over a
WebSockets connection), like other systems, but events notification would
benefit from using interfaces, on both server and client sides.
We will now see how...
2015, Friday October 23
By A.Bouchez on 2015, Friday October 23, 14:19 - Pascal Programing
As we already notified in
this blog, Embarcadero has been finally bought by IDERA.
received a letter from Randy Jacops, IDERA CEO.
Written in my mother language, in perfect French. Nice!
The letter states that they have 20,000 customers...
It sounds more realistic than the numbers usually given for Delphi
Even if it counts for all their tools.
In our forums, we have 1,384 registered users (real humans: we
do not accept bots via a Turing test during
It sounds like if Open Source projects are able to gather a lot of users.
And certainly because we maintain support from Delphi 6 up to Seattle (and even
Delphi 5 for some part of our libraries)... we have for sure users using
FPC/Lazarus (which we also started to support), and others which did not
upgrade to the latest Delphi version!
In Randy's letter, the community has a special place.
I hope future of Delphi would see Open Source projects brought by the community
as a chance, not as
I'm currently working on a cloud of
mORMot servers, serving content coming from high numbers of
Object Pascal powered servers, under Windows or Linux (with FPC), are working
24/7 with very low resource use.
A lot of BigData stream is gathered into
MongoDB servers, following the CQRS
It is so easy to deploy those servers (including their high performance
embedded SQlite3 database), that almost everyone in my company did install
their own "cloud", mainly for testing purpose of the objects we are
Real-time remote monitoring of the servers is very easy and integrated. You
could even see the log changing in real-time, or run your SQL requests on the
databases, with ease.
When I compare to previous projects I had to write or maintain using Java or
.Net, I can tell you that it is "something else".
The IT administrators were speechless when they discovered how it worked: no
need of containers, no need of virtual machines (but for infrastructure
The whole stack is
SOA oriented, in an
Event-Driven design (thanks to WebSockets callbacks). It follows
DDD principles, thanks to the perfect readability of the object pascal
Delphi, and Open Source, could be great to create Internet Of
2015, Monday October 5
By A.Bouchez on 2015, Monday October 5, 11:55 - Pascal Programing
Andy reported that
he was not able to validate its IDE fix pack for Delphi 10 Seattle, due to
its Win64 compiler not being deterministic anymore.
The generated code did vary, from one build to other.
Sadly, on our side, we identified that the code generated by the
Win64 compiler of Delphi 10 Seattle is broken.
We have observed some weird code generation with the Win64 platform as a
target. Some unexpected exception do occur (like a
But it is a random issue, very difficult to reproduce. After a
recompile, no problem any more. Or a problem at another place... A typical
And, to be clear, no such problem when using an older version of Delphi...
We hope that the corresponding QC entry
would be quickly fixed.
So we will stay away from Delphi 10's Win64 compiler, and use Delphi XE8
instead, in the meanwhile.
Update: Issue fixed!
Allen Bauer recognized that "It was an uninitialized memory
allocation" in the QC, and that he is pushing to include the fix into the
upcoming Seattle 10 Update 1.
Nice seeing such a quick reaction. Delphi is not dead, even
if Embarcadero was just acquired!
2015, Monday September 28
By A.Bouchez on 2015, Monday September 28, 16:54 - mORMot Framework
Spare Parts Catalog is, as its name suggests, a software for creating
and publishing spare parts catalogs.
It uses mORMot for
client-server communication and ORM, and SynPdf for the
Sounds like a powerful solution.
It is also a testimony that you could use big databases (20 GB of blobs) with a
SQlite3 engine, and access them via REST using mORMot,
without the hassle of setting up a regular RDBMS.
If you (or Google Translate or
via this direct link on translate.ru) know a little of Russian, it is worth
previous blog article, about how the software author interacted with our
Open Source project.
In fact, Chaa did provide a lot of feedback, patches and new features
(like direct authentication via Active Directory).
Open Source could be great!
Thanks Chaa for the feedback, and interest!
2015, Friday September 25
By A.Bouchez on 2015, Friday September 25, 14:51 - mORMot Framework
In Delphi code, NULLable types do not exist as such. There is no
int? type, as in C#.
But at SQL and JSON levels, the NULL value does exist and should be converted
as expected by the ORM.
In SQLite3 itself, NULL is handled as stated in http://www.sqlite.org/lang_expr.html
IS NOT operators).
It is worth noting that NULL handling is not consistent among all existing
database engines, e.g. when you are comparing NULL with non NULL values... so
we recommend using it with care in any database statements, or only with proper
(unit) testing, when you switch from one database engine to another.
By default, in the mORMot ORM/SQL code, NULL will appear only in
case of a BLOB storage with a size of
Otherwise, you should not see it as a value,
in most kinds of ORM properties.
Null-oriented value types have been implemented in our framework, since the
object pascal language
does not allow defining a nullable type (yet).
We choose to store those values as
variant, with a set of
TNullable dedicated types, as defined in
TNullableInteger = type variant;
TNullableBoolean = type variant;
TNullableFloat = type variant;
TNullableCurrency = type variant;
TNullableDateTime = type variant;
TNullableTimeLog = type variant;
TNullableUTF8Text = type variant;
2015, Monday September 21
By A.Bouchez on 2015, Monday September 21, 17:26 - Pascal Programing
a link found on Internet.
Jefferies is also leading a US$425m covenant-lite credit to back
Idera's acquisition of Embarcadero Technologies. Idera is
backed by TA Associates. The deal, which
launches on Thursday, includes a US$25m revolving credit, a US$300m first-lien
term loan and a US$100m second-lien term loan.
Perhaps some company name change!
I wonder what it may lead for Delphi's future. May be some time to "optimize"
the acquisition, and "manage" a new line of products.
But if Embarcadero is worth buying, it means that Delphi's is worth
They may find out that they should focus on the compiler stuff, and that
Open Source is a chance, not a