Signature mismatch, continued - test case
Wechsler
wechsler at phase.org
Sun Aug 7 08:53:26 PDT 2005
Sorry to keep on with this issue, but I can't track any (used) part of
my code that fails to meet spec, and I think I've grabbed enough data
here for others to test.
I seem to be getting a signature mismatch in (very roughly) about 1 in
20 requests.
I'm using association, but not DH.
Example failure:
Raw HTTP response to plain associate query
<pre>HTTP/1.0 200 OK
Date: Sun, 07 Aug 2005 15:25:48 GMT
Server: Apache
Set-Cookie: ljuniq=w5xja9hawbG0xMo:1123428348; expires=Thursday, 06-Oct-2005 15:25:48 GMT; domain=.livejournal.com; path=/
Cache-Control: private, proxy-revalidate
Pragma: no-cache
ETag: "2d7ef09a2bf6be14781fc61d38079a8e"
Content-length: 190
Keep-Alive: timeout=30, max=100
Connection: keep-alive
Content-Type: text/plain
Content-Language: en
Expires: Sun, 07 Aug 2005 15:25:48 GMT
assoc_handle:1123428348:Lq2FrMJD6h7JUDue4nrH:0b21753db5
assoc_type:HMAC-SHA1
expires_in:1208052
expiry:2005-08-21T15:00:00Z
issued:2005-08-07T15:25:48Z
mac_key:NR4dlSoj0tJ6LCsK6o/hxSL0Otw=
</pre>
from which I decode the following openID data:
<pre>Array
(
[assoc_handle] => 1123428348:Lq2FrMJD6h7JUDue4nrH:0b21753db5
[assoc_type] => HMAC-SHA1
[expires_in] => 1208052
[expiry] => 2005-08-21T15:00:00Z
[issued] => 2005-08-07T15:25:48Z
[mac_key] => NR4dlSoj0tJ6LCsK6o/hxSL0Otw=
[] =>
)
</pre>
and thus generate the checkid_setup link as follows:
<p><a
href="http://www.livejournal.com/openid/server.bml?openid.mode=checkid_setup&openid.identity=http%3A%2F%2Fwechsler.livejournal.com%2F&openid.return_to=http%3A%2F%2Fphase.home.phase.org%2Fopenid%2Fresponse%3Foriginator%3Dwechsler.livejournal.com&openid.trust_root=http%3A%2F%2Fphase.home.phase.org%2F&openid.assoc_handle=1123428348%3ALq2FrMJD6h7JUDue4nrH%3A0b21753db5">Please
click to confirm your login</a></p>
which sends me back the link:
http://phase.home.phase.org/openid/response?originator=wechsler.livejournal.com&openid.mode=id_res&openid.identity=http://wechsler.livejournal.com/&openid.return_to=http://phase.home.phase.org/openid/response%3Foriginator%3Dwechsler.livejournal.com&openid.issued=2005-08-07T15:25:54Z&openid.valid_to=2005-08-07T16:25:54Z&openid.assoc_handle=1123428348:Lq2FrMJD6h7JUDue4nrH:0b21753db5&openid.signed=mode,identity,return_to,issued,valid_to&openid.sig=SRJKc2Sp%2Bm28iU/t1jjAe%2Bhct%2BA%3D
For which I extract the association data from the DB:
Array
(
[id] => 34
[server] => http://www.livejournal.com/openid/server.bml
[assoc_type] => HMAC-SHA1
[assoc_handle] => 1123428348:Lq2FrMJD6h7JUDue4nrH:0b21753db5
[issued] => 2005-08-07T15:25:48Z
[replace_after] =>
[expiry] => 2005-08-21T15:00:00Z
[session_type] =>
[dh_server_public] =>
[enc_mac_key] =>
[mac_key] => NR4dlSoj0tJ6LCsK6o/hxSL0Otw=
)
and get the HMAC response:
Smart Mode mismatch (wWmVcs9Nuyc14jLzVESOuyAw1Bc= vs SRJKc2Sp+m28iU/t1jjAe+hct+A=)
So, the core question is - is my maths wrong (my HMAC client meets all
the RFC 2202 tests) or is it LJ? Or possibly PHP's sha1()?
TIA,
Wechsler
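As an added example (not the poster's code and not LiveJournal's), the following Python reconstructs the consumer-side check described in the message: parse the key:value association body, decode the openid.* parameters from the return URL, build the OpenID 1.1 token contents ("field:value\n" for each field named in openid.signed, in that order) and compute base64(HMAC-SHA1(base64-decoded mac_key, token)). The function names, and the sample strings copied from the post, are this example's own. The parser skips blank lines, so the trailing newline does not produce the empty `[] =>` key seen in the array dump above; `parse_qsl` decodes percent-escapes exactly once, so `return_to` comes back with a literal `?` and `=`, which is the form the signed value must take.

```python
"""Added example: OpenID 1.1 association-mode signature check."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

# Constructed from the values quoted in the post above.
ASSOC_RESPONSE_BODY = (
    "assoc_handle:1123428348:Lq2FrMJD6h7JUDue4nrH:0b21753db5\n"
    "assoc_type:HMAC-SHA1\n"
    "expires_in:1208052\n"
    "expiry:2005-08-21T15:00:00Z\n"
    "issued:2005-08-07T15:25:48Z\n"
    "mac_key:NR4dlSoj0tJ6LCsK6o/hxSL0Otw=\n"
)

RETURN_URL = (
    "http://phase.home.phase.org/openid/response?originator=wechsler.livejournal.com"
    "&openid.mode=id_res&openid.identity=http://wechsler.livejournal.com/"
    "&openid.return_to=http://phase.home.phase.org/openid/response%3Foriginator%3Dwechsler.livejournal.com"
    "&openid.issued=2005-08-07T15:25:54Z&openid.valid_to=2005-08-07T16:25:54Z"
    "&openid.assoc_handle=1123428348:Lq2FrMJD6h7JUDue4nrH:0b21753db5"
    "&openid.signed=mode,identity,return_to,issued,valid_to"
    "&openid.sig=SRJKc2Sp%2Bm28iU/t1jjAe%2Bhct%2BA%3D"
)


def parse_kv_body(body: str) -> dict:
    """Parse the key:value-per-line body of an OpenID 1.x association response.

    Blank lines (e.g. the trailing newline) are skipped, so no empty key is
    produced. Split on the first colon only: assoc_handle itself contains colons.
    """
    out = {}
    for line in body.split("\n"):
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed association line: {line!r}")
        out[key] = value
    return out


def parse_return_url(url: str) -> dict:
    """Return the openid.* query parameters of the id_res redirect, decoded once."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {k: v for k, v in query if k.startswith("openid.")}


def token_contents(params: dict) -> str:
    """Build the string OpenID 1.1 signs: 'field:value\\n' for each field in
    openid.signed, in the order openid.signed lists them, using decoded values."""
    fields = params["openid.signed"].split(",")
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)


def compute_sig(mac_key_b64: str, params: dict) -> str:
    """base64(HMAC-SHA1(mac_key, token_contents)) with the mac_key base64-decoded."""
    key = base64.b64decode(mac_key_b64)
    digest = hmac.new(key, token_contents(params).encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_sig(mac_key_b64: str, params: dict) -> bool:
    """Constant-time comparison of the recomputed signature against openid.sig."""
    return hmac.compare_digest(compute_sig(mac_key_b64, params), params["openid.sig"])


if __name__ == "__main__":
    assoc = parse_kv_body(ASSOC_RESPONSE_BODY)
    params = parse_return_url(RETURN_URL)
    print(token_contents(params))
    print("computed:", compute_sig(assoc["mac_key"], params))
    print("received:", params["openid.sig"])
    print("match:", verify_sig(assoc["mac_key"], params))
```

Running it prints the exact token string that was signed, which is the first thing to compare against what a client actually feeds to its HMAC; any difference in field order, percent-decoding or the trailing newline changes the digest completely.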
More information about the yadis mailing list