Problems calculating signature
Thom McGrath
lists at thezaz.com
Tue Sep 5 10:23:44 UTC 2006
Hi list,
I've been developing an OpenID server & consumer for my web site (I
prefer doing things myself) and everything is working wonderfully,
except my signatures never come out the same as the "other end's"
signature. I even brought my friend Kris in on this, who has worked
with this stuff before, and the two of us combined could not figure
it out.
I'm pretty sure it's not the HMAC-SHA1 hashing algorithm because I
copied it from the JanRain libraries. But I am completely stumped on
this one, so it could be anything. So I've included the relevant
code. Does anybody notice any problems?
function createSignature ($key, $data)
{
    // Build the key-value string the signature covers: one "field:value\n"
    // line per name in openid.signed, in the order the server listed them.
    // $f keeps the dotted name (sreg.nickname) in the token; the array lookup
    // uses the underscored form because PHP rewrites '.' to '_' in $_GET keys.
    $token = "";
    $a = explode(",", $data['openid_signed']);
    foreach ($a as $f) {
        $token .= $f . ':' . $data['openid_' . str_replace(".", "_", $f)] . "\n";
    }
    return base64_encode(createHMACSHA1String($key, $token));
}

function createHMACSHA1String($key, $data)
{
    // HMAC-SHA1 per RFC 2104: a key longer than the 64-byte SHA-1 block is
    // hashed first, then the key is zero-padded to 64 bytes. This is the same
    // result as hash_hmac('sha1', $data, $key, true) in PHP >= 5.1.2.
    if (strlen($key) > 64) {
        $key = sha1($key, true);
    }
    $key = str_pad($key, 64, chr(0x00));
    $ipad = str_repeat(chr(0x36), 64);
    $opad = str_repeat(chr(0x5c), 64);
    $hash1 = sha1(($key ^ $ipad) . $data, true);  // inner hash, raw binary
    $hmac = sha1(($key ^ $opad) . $hash1, true);  // outer hash, raw binary
    return $hmac;
}

// $secret is the base64-encoded MAC key returned by the 'associate' exchange
$sig = createSignature(base64_decode($secret), $_GET);
I've already done lots of debugging. The secret does match the one
that came from the server during the 'associate' method. This code is
in response to a 'checkid_setup' method. The reason the fields say
'openid_signed' instead of 'openid.signed' is because PHP converts
the '.' characters to underscores. The proper keys are being
calculated in the keyvalue string (sreg.nickname, not sreg_nickname).
I have been testing this using a MyOpenID.com account I set up, so I'm
assuming the server end is doing its job correctly.
Does anybody know what I'm doing wrong?
--
Thom McGrath, <http://www.thezaz.com/>
"You realize you've created God in your own image when God hates all
the same people you do."