[OpenID] Random failures when validating signatures

Breno de Medeiros breno at google.com
Thu Nov 13 16:50:30 UTC 2008


Are you handling signed types correctly? This would cause a 50/50 error rate.

On Thu, Nov 13, 2008 at 8:36 AM, Richard Davies
<richard at richarddavies.us> wrote:
> I've been working on a ColdFusion OpenID library (to implement a
> relying party). When validating the signature returned by the OpenID
> provider, sometimes it passes and sometimes it fails (about 50/50).
> (I've tested it against a couple of different providers so I'm
> confident that I'm actually receiving a valid signature.)
>
> Since my library sometimes reports that the signature is invalid (even
> though it isn't), I'm trying to figure out where the bug is in my
> library. I'm thinking it might be a character encoding issue when
> calculating the MAC key or the HMAC-SHA1 signature.
>
> Anyway, I'm having a hard time finding exactly where my bug is because
> I have to go through a series of calculations to come up with the
> signature, and I don't know if I've messed up somewhere until I reach
> the end of the process and compare it with the signature returned by
> the provider.
>
> Is there any sort of OpenID "debugger" anywhere? Ideally I'd like to
> be able to feed specific provider responses to a working OpenID
> algorithm that would show the correct values and calculations at
> various stages during the process of validating that response. Then I
> could compare those values to the ones my algorithm computes and
> hopefully figure out where in the process my bug is.
>
> Does anyone know of any tools that do that?



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
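
An added example, not part of the original thread: one place where signed-type handling produces this roughly 50/50 pattern in OpenID 2.0 is the Diffie-Hellman shared secret, which the specification encodes with `btwoc` (big-endian two's complement) before hashing it to unwrap the MAC key. It assumes a DH-SHA1 association; `MAC_KEY`, `SIGNED_KV` and the helper names are constructed for illustration.

```python
import hashlib
import hmac

def btwoc(n: int) -> bytes:
    """OpenID 2.0 btwoc: shortest big-endian two's-complement form of n >= 0."""
    if n < 0:
        raise ValueError("btwoc is defined for non-negative integers only")
    return n.to_bytes(n.bit_length() // 8 + 1, "big")  # leaves room for the sign bit

def unsigned_minimal(n: int) -> bytes:
    """Defective variant: big-endian magnitude with no sign byte."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample data: a 20-byte MAC key and a key-value-form token.
MAC_KEY = bytes(range(20))
SIGNED_KV = b"mode:id_res\nidentity:https://user.example/\n"

def rp_accepts(shared_secret: int, encode) -> bool:
    """Provider wraps MAC_KEY using btwoc; the relying party unwraps it with
    `encode`, recomputes the HMAC-SHA1 signature and compares the two."""
    enc_mac_key = xor(hashlib.sha1(btwoc(shared_secret)).digest(), MAC_KEY)
    provider_sig = hmac.new(MAC_KEY, SIGNED_KV, hashlib.sha1).digest()
    rp_key = xor(hashlib.sha1(encode(shared_secret)).digest(), enc_mac_key)
    rp_sig = hmac.new(rp_key, SIGNED_KV, hashlib.sha1).digest()
    return hmac.compare_digest(rp_sig, provider_sig)

def rejected(encode, limit: int = 1 << 16) -> int:
    """Count shared secrets in [1, limit) whose valid signature is rejected."""
    return sum(not rp_accepts(s, encode) for s in range(1, limit))

if __name__ == "__main__":
    # High bit clear vs. high bit set in the leading byte.
    for s in (0x7FAB, 0x80AB):
        print(hex(s), btwoc(s).hex(), unsigned_minimal(s).hex(),
              rp_accepts(s, unsigned_minimal))
    print(rejected(unsigned_minimal), "of", (1 << 16) - 1, "rejected")
```

Printing the intermediate values (encoded shared secret, SHA-1 digest, recovered MAC key) from a reference run like this gives the stage-by-stage comparison the original question asks for.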


