14 messages in com.googlegroups.bloggerdev: Re: NO Secure signed token example??

From                  Sent On
cam...@gmail.com      21 Feb 2007 08:20
Pete Hopkins ☠        21 Feb 2007 10:38
cam...@gmail.com      21 Feb 2007 15:32
Pete Hopkins ☠        21 Feb 2007 16:01
cam...@gmail.com      22 Feb 2007 02:27
cam...@gmail.com      22 Feb 2007 09:17
Pete Hopkins ☠        22 Feb 2007 09:47
cam...@gmail.com      22 Feb 2007 10:41
Pete Hopkins ☠        22 Feb 2007 16:16
cam...@gmail.com      22 Feb 2007 16:56
Pete Hopkins ☠        27 Feb 2007 15:53
Pete Hopkins ☠        27 Feb 2007 17:04
cam...@gmail.com      01 Mar 2007 08:12
Pete Hopkins ☠        01 Mar 2007 10:30
Subject: Re: NO Secure signed token example??
From: cam...@gmail.com (cam@gmail.com)
Date: 03/01/2007 08:12:21 AM
List: com.googlegroups.bloggerdev

Hi,

OK, you'll be pleased to know I am well on the way to success!! :)

Ryan, over on the Google Accounts Group, pointed out that my system clock was in advance - in the future.

Also, I had not realised that I needed to exchange the token first. I thought that session=1 in the original AuthSub request took care of that.

So, I have now been able to securely request a user's blog list, for example.

Once I get a few other things off my plate here, I'll write it up for the group, with all the catches to look out for.

Thanks so much for your help!

btw Pete - How do you get that skull'n'crossbones eh? ;)

Cheers Kosso

On Feb 28, 1:04 am, "Pete Hopkins ☠" <phop@google.com> wrote:

An additional followup:

Signed AuthSub is broken right now against www.blogger.com, since the API proxying (see some of my previous threads on this group) rewrites the URL.

I'll get a fix out for this soon (we'll do the redirect for AuthSub, just as we did before the proxying went into place), but until then www2 is your friend.

-- Pete

On 2/27/07, Pete Hopkins ☠ <phop@google.com> wrote:

Ok, I think the problem is solved. It's our fault, we have a bug in our docs. Thank you for your patience on this issue!

Above the table, we say:

Authorization: AuthSub token="token", sigalg="sigalg", data="data", sig="sig"

This is wrong.

In the raw HTTP example, we say:

Authorization: AuthSub token="token" sigalg="sigalg" data="data" sig="sig"

This is correct. Note the lack of commas. :-P

I'll file a bug on the various parties involved on our side. It's either a bug in the docs, or a bug in the header parser, but probably both.

I verified that your signature works once the commas are removed.

Again, apologies. I understand how frustrating this has been.

-- Pete

On 2/22/07, cam@gmail.com <cam@gmail.com> wrote:

hi,

I tried changing the request URL to www2 (but not the scope, as that gave an error).

However, this www2 request threw a 401 error again, except with the result:

"Token was issued securely but request is unsigned"

whereas www.blogger.com gave the result: "1"

I have posted the same questions over on the Google Accounts API Group, but it seems quiet over there ;)

cheers.

On Feb 23, 12:16 am, "Pete Hopkins ☠" <phop@google.com> wrote:

Just to be super-sure, try the same code against:

just to rule out old Blogger.

Other than that, I'd recommend asking on the general GData group. I don't think I can help you any more, because I don't know much about the signing process other than the docs. Sorry I can't tell you more.

Also, you might want to try authenticating against other Google services to see if Blogger is acting differently. I think that our AuthSub implementation works, however, given that I believe that Flickr is using it successfully.

-- Pete

On 2/22/07, cam@gmail.com <cam@gmail.com> wrote:

Hmm.. still not working.

Here is the data I need to sign (for example)

GET http://www.blogger.com/feeds/default/blogs 1172170821 10437417871261104475

I am able to sign this with no errors in PHP, using:

$pkeyid = openssl_get_privatekey($priv_key);

where $priv_key is the contents of the myrsakey.pem key file which I generated, along with the mrsacert.pem certificate file, during the AuthSub registration of my system with Google.

then:

openssl_sign($data, $signature, $pkeyid);

which provides me with the $signature variable.

This is then encoded to base64 with:

$sig = base64_encode($signature);

- which then gives me all I should need to add to the Authorization header of my request to http://www.blogger.com/feeds/default/blogs

i.e.:

Authorization: AuthSub token="CIbjnKvmChCt5qej_f____8B", sigalg="rsa-sha1", data="GET http://www.blogger.com/feeds/default/blogs 1172170821 10437417871261104475", sig="mVhcBCVkMMQYV6yrOcisaNX6TVN747AYihFpK2P1yDGfEck+vDTmmgMpRUMkp3x1CrYt8Dcp+vc87qbRUH/q/Fjt6y4/vQ11SI0lTV/+lZXqlmp3HerbnXM2U+mdEShXc/rdC72LeZPPThNCOa1qXCXHhKgMAfqBalhnEJLUuVk="

But I am still getting a 401 error.

Once I have this working I should then be able to use this same method, using the (now stored) token variable, to 'sign' any request I need to make within the scope of http://www.blogger.com/feeds

Any ideas? thx

On Feb 22, 5:48 pm, "Pete Hopkins ☠" <phop@google.com> wrote:

On 2/22/07, cam@gmail.com <cam@gmail.com> wrote:

I have realised what I am doing wrong.

I will document this all when I get it working, but just to say that you need to 'sign' the 'data' with openssl using the 'key.pem' file which was also created when generating the 'certificate' (another .pem file) which is used during the registration process (using an XML file).

See here for how to 'sign' the data:
http://uk2.php.net/manual/en/function.openssl-sign.php

and here for how to generate the key and cert:
http://www.ipsec-howto.org/x595.html

Now - this is still not working - the signed, encoded data seems too long.

Also, I would like to clear something up too:

In the docs for signing secure web app requests, there is a requirement to generate a:

"nonce: a random 64-bit, unsigned number encoded as an ASCII string in decimal"

Does anyone know how I would do this in PHP?

Is this simply a 20 digit random number?

Yeah. In cryptography-speak, a nonce is some uninterpreted data that just serves to differentiate requests, as a means of combating replay attacks:

When the (timestamp, nonce) pair is unique, the server can know that if it sees a second request with the same timestamp and nonce, it should disregard it as a replay.

Thanks for the updates about getting signed AuthSub working in PHP. They'll be a great resource for anyone else who's trying to get this to work!

-- Pete

On Feb 22, 12:01 am, "Pete Hopkins ☠" <phop@google.com> wrote:

On 2/21/07, cam@gmail.com <cam@gmail.com> wrote:

Hi Pete. Thanks for replying.

I tried over on the Google Account API group the similar question, with how/what I am doing in the code:

Very similar 'pseudo' code to what you suggest, where 'sign' would be 'sha' (I think).

No, 'sign' is the openssl-sign function. Note that SHA-1 is, by itself, just a hash function. rsa-sha1 hashes the input with SHA-1 and then RSA encrypts the hash with a private key to make a signature. That's taken care of with openssl-sign.

-- Pete

however, what I am trying just is not working. (argh)

On Feb 21, 6:38 pm, "Pete Hopkins ☠" <phop@google.com> wrote:

I haven't tried this in PHP, but a quick doc search shows that:

is probably what you want.

The docs could be more explicit, but the general algorithm is (in pseudo PHP; assumes $url, $nonce and $key, the private key handle, are already set):

    $data = "GET " . $url . " " . time() . " " . $nonce;
    openssl_sign($data, $signature, $key);   // rsa-sha1 over the data string
    $sig = base64_encode($signature);

Is there any place where you're getting stuck in particular?

-- Pete

On 2/21/07, cam@gmail.com <cam@gmail.com> wrote:

Hi,

OK. I am totally stuck here. I am amazed that I cannot find any examples anywhere of a client (php) which demonstrates the 'signing' of the data required to perform secure connections to Blogger, using my registered app.

I think it's a good idea for Google to move to a single login, but without the proper examples and assistance coming to help application providers like myself to upgrade their systems to support the Google logins then things are not going to happen. It was fairly easy for me to register my app to remove the 'Warning' on the login page, but why on earth is there no explanation at all of what to do when 'signing' the Authorization??

Surely being secure and 'warning free' is what Google wants?

As the day draws near when my users will have to move over to the new system, if I don't get this fixed, then I'll just have to drop Blogger support and recommend another vendor who does support developers.

I'm pretty sure the answer/solution I need is so simple for someone in the know.

This is absolutely crucial. Please please please can anyone help?

If I can get it all working, I will happily share how to do it, as I am clearly not alone in needing this knowledge.

thanks, camoby
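The procedure the thread converges on (data string = method, URL, timestamp, 64-bit decimal nonce; rsa-sha1 via openssl_sign; base64; a space-separated Authorization header with no commas), together with the server-side checks implied by Pete's replay explanation and by Kosso's clock-skew discovery, as an added example that is not part of the thread and not Google's or Blogger's code. Assumptions: the key pair is generated in-process so the script runs offline (a stand-in for the key.pem and cert.pem registered with Google); the 300-second skew window, the in-memory nonce store and the function names are the author's own choices, not anything the AuthSub docs specify; PHP 7.1 or later with the openssl extension.

```php
<?php
// Added example, not from the thread: construct a signed AuthSub request and
// apply the checks a verifying server would run against it.

// Build the string to sign: "METHOD URL TIMESTAMP NONCE", single spaces.
function authsub_data(string $method, string $url, int $timestamp, string $nonce): string {
    return $method . ' ' . $url . ' ' . $timestamp . ' ' . $nonce;
}

// Random 64-bit unsigned number as an ASCII decimal string.
// unpack('J') reads 8 big-endian bytes into a (signed) PHP int and
// sprintf('%u') prints that int as an unsigned 64-bit decimal.
function authsub_nonce(): string {
    return sprintf('%u', unpack('J', random_bytes(8))[1]);
}

// Authorization header value. Fields are separated by spaces, NOT commas.
function authsub_header(string $token, string $method, string $url, $privKey,
                        ?int $timestamp = null, ?string $nonce = null): string {
    $timestamp = $timestamp ?? time();
    $nonce = $nonce ?? authsub_nonce();
    $data = authsub_data($method, $url, $timestamp, $nonce);
    $signature = '';
    // rsa-sha1: SHA-1 hash of $data, signed with the RSA private key.
    if (!openssl_sign($data, $signature, $privKey, OPENSSL_ALGO_SHA1)) {
        throw new RuntimeException('openssl_sign failed: ' . openssl_error_string());
    }
    return sprintf('AuthSub token="%s" sigalg="rsa-sha1" data="%s" sig="%s"',
        $token, $data, base64_encode($signature));
}

// Parse name="value" pairs. The data value itself contains spaces, so a
// verifier must not simply split the header on whitespace.
function authsub_parse(string $header): array {
    if (strncmp($header, 'AuthSub ', 8) !== 0) {
        throw new InvalidArgumentException('not an AuthSub header');
    }
    preg_match_all('/(\w+)="([^"]*)"/', substr($header, 8), $m, PREG_SET_ORDER);
    $fields = [];
    foreach ($m as $pair) {
        $fields[$pair[1]] = $pair[2];
    }
    return $fields;
}

// Server-side verification (assumed policy): data must describe this request,
// timestamp within $maxSkew seconds of server time, (timestamp, nonce) unseen,
// signature valid under the registered public key. Returns 'ok' or a reason.
function authsub_verify(string $header, string $expectedMethod, string $expectedUrl,
                        $pubKey, array &$seenNonces, int $now, int $maxSkew = 300): string {
    $f = authsub_parse($header);
    foreach (['token', 'sigalg', 'data', 'sig'] as $k) {
        if (!isset($f[$k])) {
            return "missing $k";
        }
    }
    if ($f['sigalg'] !== 'rsa-sha1') {
        return 'unsupported sigalg';
    }
    $parts = explode(' ', $f['data']);
    if (count($parts) !== 4) {
        return 'malformed data';
    }
    [$method, $url, $ts, $nonce] = $parts;
    if ($method !== $expectedMethod || $url !== $expectedUrl) {
        return 'data does not match request';   // e.g. URL rewritten by a proxy
    }
    if (!ctype_digit($ts) || abs($now - (int)$ts) > $maxSkew) {
        return 'timestamp outside allowed skew'; // a client clock set in the future fails here
    }
    if (!ctype_digit($nonce)) {
        return 'nonce not decimal';
    }
    $replayKey = $ts . ':' . $nonce;
    if (isset($seenNonces[$replayKey])) {
        return 'replay';
    }
    $sig = base64_decode($f['sig'], true);
    if ($sig === false || openssl_verify($f['data'], $sig, $pubKey, OPENSSL_ALGO_SHA1) !== 1) {
        return 'bad signature';
    }
    $seenNonces[$replayKey] = true;
    return 'ok';
}

// Demo with a constructed key pair standing in for the registered key.pem/cert.pem.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$pub = openssl_pkey_get_public(openssl_pkey_get_details($key)['key']);
$url = 'http://www.blogger.com/feeds/default/blogs';
$token = 'CIbjnKvmChCt5qej_f____8B';   // token string from the thread, used only as a placeholder
$seen = [];

$header = authsub_header($token, 'GET', $url, $key);
echo "Authorization: $header\n";
echo 'first use:      ', authsub_verify($header, 'GET', $url, $pub, $seen, time()), "\n";
echo 'same header:    ', authsub_verify($header, 'GET', $url, $pub, $seen, time()), "\n";
// Client clock 20 minutes ahead, the situation Kosso ran into:
$ahead = authsub_header($token, 'GET', $url, $key, time() + 1200);
echo 'clock ahead:    ', authsub_verify($ahead, 'GET', $url, $pub, $seen, time()), "\n";
// Signed for www.blogger.com but received for a rewritten host:
echo 'rewritten URL:  ', authsub_verify($header, 'GET', 'http://www2.blogger.com/feeds/default/blogs', $pub, $seen, time()), "\n";
```

Two points from the thread are visible in the verifier: the URL inside `data` has to be exactly the one the server compares against, which is why the proxy rewriting www.blogger.com URLs broke signed requests until the redirect was restored, and the timestamp is checked against server time, which is why a client clock running ahead produced 401s even though the signature itself was valid. The commas-versus-spaces detail is a header-grammar issue on Google's parser side and is not something a client can work around other than by emitting the space-separated form shown above.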