Problems calculating signature
Johannes Ernst
jernst+openid.net at netmesh.us
Tue Sep 5 18:01:26 UTC 2006
It'd be great if somebody volunteered to write down the complete set
of steps to do the OpenID crypto, and annotated it with an actual
numeric example for each step.
Our experience at NetMesh implementing OpenID for InfoGrid was
similar to Thom's -- it took a lot longer than expected until we got
it working, but then only 9 out of 10 times. It took a few months of
cursing (and lots of help) before we realized that there was a
leading-zero problem in one of the steps that would only occur rarely
depending on the mood of the random generator.
A numerically-annotated set of steps would be really helpful.
Actually, several annotations to catch things like leading zeros,
negative numbers etc. etc. would be even more so.
[Sorry Thom I can't help you with this issue, but I hope this helps
with the meta-issue ...]
On Sep 5, 2006, at 3:23, Thom McGrath wrote:
> Hi list,
>
> I've been developing an OpenID server & consumer for my web site (I
> prefer doing things myself) and everything is working wonderfully,
> except my signatures never come out the same as the "other end's"
> signature. I even brought my friend Kris in on this, who has worked
> with this stuff before, and the two of us combined could not figure
> it out.
>
> I'm pretty sure it's not the HMAC-SHA1 hashing algorithm because I
> copied it from the JanRain libraries. But I am completely stumped on
> this one, so it could be anything. So I've included the relevant
> code. Does anybody notice any problems?
>
> function createSignature ($key, $data)
> {
>     $token = "";
>     $a = explode(",",$data['openid_signed']);
>     foreach ($a as $f) {
>         $token .= $f . ':' . $data['openid_' . str_replace(".","_",$f)] . "\n";
>     }
>     return base64_encode(createHMACSHA1String($key,$token));
> }
>
> function createHMACSHA1String($key, $data)
> {
>     if (strlen($key) > 64) {
>         $key = sha1($key,true);
>     }
>
>     $key = str_pad($key, 64, chr(0x00));
>     $ipad = str_repeat(chr(0x36), 64);
>     $opad = str_repeat(chr(0x5c), 64);
>     $hash1 = sha1(($key ^ $ipad) . $data, true);
>     $hmac = sha1(($key ^ $opad) . $hash1, true);
>     return $hmac;
> }
>
> $sig = createSignature(base64_decode($secret),$_GET);
>
> I've already done lots of debugging. The secret does match the one
> that came from the server during the 'associate' method. This code is
> in response to a 'checkid_setup' method. The reason the fields say
> 'openid_signed' instead of 'openid.signed' is because PHP converts
> the '.' characters to underscores. The proper keys are being
> calculated in the keyvalue string (sreg.nickname, not sreg_nickname).
>
> I have been testing this using a MyOpenID.com account I set up, so I'm
> assuming the server end is doing its job correctly.
>
> Does anybody know what I'm doing wrong?
>
> --
> Thom McGrath, <http://www.thezaz.com/>
> "You realize you've created God in your own image when God hates all
> the same people you do."
Johannes Ernst
NetMesh Inc.
http://netmesh.info/jernst
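
Added example, not part of the original message or of any library mentioned in it: the signing steps discussed in this thread, together with the integer-encoding step where a leading zero byte matters, following the btwoc() encoding and the enc_mac_key construction of the OpenID Authentication specification. All keys, parameters and shared-secret values are constructed, the function names are this example's own, and the thread does not say which step caused the NetMesh failures.

```python
import base64
import hashlib
import hmac

def btwoc(n: int) -> bytes:
    """Shortest big-endian two's complement of a non-negative integer."""
    if n < 0:
        raise ValueError("Diffie-Hellman values are never negative")
    # bit_length() // 8 + 1 leaves room for a 0x00 sign byte when the top bit is set
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def magnitude_only(n: int) -> bytes:
    """The mistake: unsigned bytes, so the leading 0x00 is missing."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def xor_with_dh_mask(data: bytes, shared: int, encode=btwoc) -> bytes:
    """XOR data with SHA1(encode(shared)); wraps and unwraps the MAC key."""
    mask = hashlib.sha1(encode(shared)).digest()
    return bytes(a ^ b for a, b in zip(data, mask))

def kv_token(params: dict) -> bytes:
    """One newline-terminated 'name:value' line per openid.signed entry, in order."""
    names = params["openid.signed"].split(",")
    return "".join(f"{n}:{params['openid.' + n]}\n" for n in names).encode()

def sign(mac_key: bytes, params: dict) -> str:
    """base64(HMAC-SHA1(mac_key, token))."""
    digest = hmac.new(mac_key, kv_token(params), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Constructed sample data, not taken from the thread.
MAC_KEY = bytes(range(20))
PARAMS = {
    "openid.mode": "id_res",
    "openid.identity": "http://user.example/",
    "openid.sreg.nickname": "thom",
    "openid.signed": "mode,identity,sreg.nickname",
}

def consumer_signature(shared: int, encode) -> str:
    """Server wraps with btwoc; consumer unwraps with `encode`, then signs."""
    enc_mac_key = base64.b64encode(xor_with_dh_mask(MAC_KEY, shared))
    mac_key = xor_with_dh_mask(base64.b64decode(enc_mac_key), shared, encode)
    return sign(mac_key, PARAMS)

if __name__ == "__main__":
    for shared in (0x7F3A19, 0x8F3A19):  # top bit clear, then top bit set
        ok = consumer_signature(shared, magnitude_only) == sign(MAC_KEY, PARAMS)
        print(hex(shared), btwoc(shared).hex(), "match" if ok else "MISMATCH")
```

With the unsigned encoding the signature only disagrees when the shared secret's top bit happens to be set, which is why this class of bug shows up intermittently rather than on every login.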