Signature mismatch, continued - test case

Adam Langley alangley at
Sun Aug 7 10:11:21 PDT 2005

On 8/7/05, Wechsler <wechsler at> wrote:
> Sorry to keep on with this issue, but I can't track any (used) part of
> my code that fails to meet spec, and I think I've grabbed enough data
> here for others to test.

Ok, I've checked the example over with Python, by hand.

First there's the decoding of the url. Check that you get this
*exactly* (take the SHA1 of it and the string you get from PHP if
('http', '', '/openid/response', '',

From this you break the arguments apart:
['', 'openid.mode=id_res', 
'openid.issued=2005-08-07T15:25:54Z', 'openid.valid_to=2005-08-07T16:25:54Z', 

Check the signed field and extract those values into the standard
key-value form as defined by the OpenID spec:
c = 'mode:id_res\nidentity:\nreturn_to:\nissued:2005-08-07T15:25:54Z\nvalid_to:2005-08-07T16:25:54Z\n'

Now decode the base64 on the signature
>>> binascii.a2b_base64('SRJKc2Sp+m28iU/t1jjAe+hct+A=')
in hex, that's:

Do the same with the MAC key from the assoc operation to get:

Now perform an HMAC_SHA1 with the MAC key above and the key-value data:
>>> import pythistle
>>> h = pythistle.HMAC_SHA1()
>>> h.set_key(binascii.a2b_base64('NR4dlSoj0tJ6LCsK6o/hxSL0Otw='))
>>> h.update(c)
>>> h.digest().encode('hex')

Check that it matches the signature (it does).

Be happy.


Adam Langley                                      agl at                       (+44) (0)7906 332512
PGP: 9113   256A   CC0F   71A6   4C84   5087   CDA5   52DF   2CB6   3D60
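
The check walked through in the message, as an added Python 3 example using only the standard library (not code from the original post or from any OpenID library). The MAC key and timestamps are the ones quoted in the message; the identity and return_to values are constructed placeholders because the originals are not shown, so the sample signature is computed here rather than taken from the message.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

MAC_KEY_B64 = "NR4dlSoj0tJ6LCsK6o/hxSL0Otw="  # MAC key quoted in the message

def signed_kv(params):
    """Key-value form: one "name:value\\n" line per field listed in openid.signed."""
    out = []
    for name in params["openid.signed"].split(","):
        value = params["openid." + name]
        if ":" in name or "\n" in name or "\n" in value:
            raise ValueError("field not representable in key-value form")
        out.append(name + ":" + value + "\n")
    return "".join(out).encode("utf-8")

def compute_mac(params, mac_key_b64):
    key = base64.b64decode(mac_key_b64, validate=True)
    return hmac.new(key, signed_kv(params), hashlib.sha1).digest()

def verify(url, mac_key_b64):
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):  # repeated parameter is ambiguous: reject
        return False
    try:
        claimed = base64.b64decode(params["openid.sig"], validate=True)
        expected = compute_mac(params, mac_key_b64)
    except (KeyError, ValueError):  # missing field or malformed base64
        return False
    return hmac.compare_digest(claimed, expected)  # constant-time comparison

def sample_fields():
    # Constructed response: identity and return_to are placeholders.
    f = {"openid.mode": "id_res",
         "openid.identity": "http://user.example.com/",
         "openid.return_to": "http://rp.example.com/openid/response",
         "openid.issued": "2005-08-07T15:25:54Z",
         "openid.valid_to": "2005-08-07T16:25:54Z",
         "openid.signed": "mode,identity,return_to,issued,valid_to"}
    f["openid.sig"] = base64.b64encode(compute_mac(f, MAC_KEY_B64)).decode("ascii")
    return f

def sample_url():
    return "http://rp.example.com/openid/response?" + urlencode(sample_fields())

if __name__ == "__main__":
    print(verify(sample_url(), MAC_KEY_B64))
```

The sample URL is built with `urlencode`, which percent-encodes any `+` in the base64 signature; a `+` left unencoded in the query string is decoded as a space by `parse_qsl` and the signature then fails to decode.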
