Signature mismatch, continued - test case

Wechsler wechsler at
Sun Aug 7 08:53:26 PDT 2005

Sorry to keep on with this issue, but I can't track any (used) part of 
my code that fails to meet spec, and I think I've grabbed enough data 
here for others to test.

I seem to be getting a signature mismatch in (very roughly) about 1 in 
20 requests.
I'm using association, but not DH.

Example failure:

Raw HTTP response to plain associate query

<pre>HTTP/1.0 200 OK
Date: Sun, 07 Aug 2005 15:25:48 GMT
Server: Apache
Set-Cookie: ljuniq=w5xja9hawbG0xMo:1123428348; expires=Thursday, 
06-Oct-2005 15:25:48 GMT;; path=/
Cache-Control: private, proxy-revalidate
Pragma: no-cache
ETag: "2d7ef09a2bf6be14781fc61d38079a8e"
Content-length: 190
Keep-Alive: timeout=30, max=100
Connection: keep-alive
Content-Type: text/plain
Content-Language: en
Expires: Sun, 07 Aug 2005 15:25:48 GMT



from which I decode the following openID data:

     [assoc_handle] => 1123428348:Lq2FrMJD6h7JUDue4nrH:0b21753db5
     [assoc_type] => HMAC-SHA1
     [expires_in] => 1208052
     [expiry] => 2005-08-21T15:00:00Z
     [issued] => 2005-08-07T15:25:48Z
     [mac_key] => NR4dlSoj0tJ6LCsK6o/hxSL0Otw=
     [] =>

and thus generate the checkid_setup link as follows:

click to confirm your login</a></p>

which sends me back the link:,identity,return_to,issued,valid_to&openid.sig=SRJKc2Sp%2Bm28iU/t1jjAe%2Bhct%2BA%3D

For which I extract the association data from the DB:

     [id] => 34
     [server] =>
     [assoc_type] => HMAC-SHA1
     [assoc_handle] => 1123428348:Lq2FrMJD6h7JUDue4nrH:0b21753db5
     [issued] => 2005-08-07T15:25:48Z
     [replace_after] =>
     [expiry] => 2005-08-21T15:00:00Z
     [session_type] =>
     [dh_server_public] =>
     [enc_mac_key] =>
     [mac_key] => NR4dlSoj0tJ6LCsK6o/hxSL0Otw=

and get the HMAC response:

Smart Mode mismatch (wWmVcs9Nuyc14jLzVESOuyAw1Bc= vs 

So, the core question is - is my maths wrong (my HMAC client meets all 
the RFC 2202 tests) or is it LJ? Or possibly PHP's sha1()?


More information about the yadis mailing list