OpenID demo updated

Brad Fitzpatrick brad at danga.com
Wed May 18 09:43:00 PDT 2005


You see any problems with LJ's logic?

    use Digest::SHA1 qw(sha1);           # binary 20-byte SHA-1
    use MIME::Base64 qw(encode_base64);
    use Crypt::OpenSSL::DSA;

    if ($id_match && $is_trusted) {

        # Everything the relying party will verify is bound into one string:
        # timestamp, mode, the asserted identity URL and the return_to URL.
        my $now = LJ::time_to_w3c(time(), 'Z');
        my $plain = join("::", $now, "assert_identity", $GET{"openid.is_identity"}, $GET{'openid.return_to'});
        my $message = sha1($plain);   # raw digest, not hex

        # sign() takes the 20-byte digest as-is (it does not hash again), which
        # is what `openssl dgst -dss1 -verify` expects on the other end.
        my $dsa_priv = Crypt::OpenSSL::DSA->read_priv_key("........../yadis_private.key");
        my $sign = $dsa_priv->sign($message);   # DER-encoded SEQUENCE { r, s }

        my $sign64 = encode_base64($sign);
        chop $sign64;  # remove \n

        $ret_url .= "openid.assert_identity=" . LJ::eurl($GET{"openid.is_identity"});
        $ret_url .= "&openid.sig=" . LJ::eurl($sign64);
        $ret_url .= "&openid.timestamp=" . LJ::eurl($now);
    } else {
        # Not trusted yet: send the user to the approval page instead of asserting.
        $ret_url .= "openid.user_setup_url=" . LJ::eurl("http://www.livejournal.com/misc/openid-approve.bml" .
                                                         "?trust_root=" . LJ::eurl($trust_root) .
                                                         "&return_to=" . LJ::eurl($ret_url_orig) .
                                                         "&post_grant=" . LJ::eurl($GET{"openid.post_grant"}) .
                                                         "&is_identity=" . LJ::eurl($GET{"openid.is_identity"}) .
                                                         "");
    }
    return BML::redirect($ret_url);


But no, I'm not verifying in my AJAX (nor classic) examples, but I was
yesterday (a couple times by hand) with the yadis version.

I'll check into it today.

- Brad


On Wed, 18 May 2005, Karl Koscher wrote:

>
> >LiveJournal now speaks OpenID.  (yadis with all those renaming changes)
> >
> >
> SupportOffice now does as well, although I ran into a few quirks.
>
> Does your demo do signature verification? Mine is failing only a
> fraction of the time, and I can't find anything different that happens
> only when it fails. It works for 46, 47, and 48 byte keys. The clocks
> are in sync, although it's failing after the timestamp check anyway. It
> even fails when checking it manually:
>
> mrsaturn at cerebellum mrsaturn $ echo
> "MC0CFFqCX/GlnukRUeqAcriOONjJK2VSAhUA53DbHVtSnNQ2fud7p8Ed8zcxB0c=" |
> decode-base64 > yadisSig
> mrsaturn at cerebellum mrsaturn $ echo -n
> "2005-05-18T09:49:47Z::assert_identity::http://www.livejournal.com/users/supersat/::http://www.supportoffice.org/accounts/yadisbind.php?site=lj&username=supersat&yvv=7245a7cf2493f50bec742d6eb08d1597"
> | openssl dgst -dss1 -verify lj-dsa.pem -signature yadisSig
> Verification Failure
>
> Other keys work fine, though:
>
> mrsaturn at cerebellum mrsaturn $ echo
> "MC4CFQCLvocBKJl1eYEgbHjE4nkIL5oyPwIVAMw293jeFO+Cx0kUPj4xDNIffJNA" |
> decode-base64 > yadisSig
> mrsaturn at cerebellum mrsaturn $ echo -n
> "2005-05-18T10:04:36Z::assert_identity::http://www.livejournal.com/users/supersat/::http://www.supportoffice.org/accounts/yadisbind.php?site=lj&username=supersat&yvv=7245a7cf2493f50bec742d6eb08d1597"
> | openssl dgst -dss1 -verify lj-dsa.pem -signature yadisSig
> Verified OK
>
> I'm using OpenSSL 0.9.7d, which isn't the latest and greatest, but a
> quick look at the changes file shows that there haven't been any changes
> that would affect DSA signature verification. I could be overlooking
> something, though.
>
> Other quirks:
>
> LiveJournal doesn't like URLs in the form of
> http://www.livejournal.com/users/username. It needs a trailing slash,
> otherwise it thinks you're attempting to auth as "www".
>
> It also turns out that PHP renames the arguments from openid.* to
> openid_*, which is somewhat annoying.
>
> - Karl
> _______________________________________________
> yadis mailing list
> yadis at lists.danga.com
> http://lists.danga.com/mailman/listinfo/yadis
>
>


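To pin down what the relying party is actually checking, here is an added example (mine, not LJ's or SupportOffice's code) that rebuilds the signed string and its raw SHA-1 exactly as the Perl above does, and parses the DER DSA signature from the two base64 values Karl quotes, showing why they are 47 and 48 bytes (a 0x00 pad byte on each 160-bit integer whose top bit is set). It uses only the Python standard library; the signatures and timestamp come from the mail, and since lj-dsa.pem is not on the page no verification against the key is attempted.

```python
import base64
import hashlib

# The two base64 signatures quoted in Karl's mail (the first one failed to verify).
FAILING_SIG_B64 = "MC0CFFqCX/GlnukRUeqAcriOONjJK2VSAhUA53DbHVtSnNQ2fud7p8Ed8zcxB0c="
WORKING_SIG_B64 = "MC4CFQCLvocBKJl1eYEgbHjE4nkIL5oyPwIVAMw293jeFO+Cx0kUPj4xDNIffJNA"

def assertion_digest(timestamp, identity, return_to):
    """Rebuild the string LJ signs and the raw 20-byte SHA-1 of it.

    That digest is what Crypt::OpenSSL::DSA->sign receives and what
    `openssl dgst -dss1` hashes before verifying, so the relying party must
    reproduce this exact byte string (trailing slash on the identity included).
    """
    plain = "::".join([timestamp, "assert_identity", identity, return_to])
    return plain, hashlib.sha1(plain.encode("ascii")).digest()

def _read_der_int(buf, pos):
    """Parse one DER INTEGER at buf[pos:]; return (value, position after it)."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % pos)
    length = buf[pos + 1]
    if length == 0 or length > 0x7F:
        raise ValueError("unsupported INTEGER length")
    body = buf[pos + 2:pos + 2 + length]
    if len(body) != length:
        raise ValueError("truncated INTEGER")
    # DER is minimal: a 0x00 pad byte is only allowed when the next byte has
    # its high bit set (without the pad the value would read as negative).
    if length > 1 and body[0] == 0x00 and not (body[1] & 0x80):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(body, "big"), pos + 2 + length

def parse_dsa_signature(sig_b64):
    """Decode a base64 DER DSA signature: SEQUENCE { INTEGER r, INTEGER s }.

    Returns (r, s, der_length). With 160-bit r and s the DER form is 46, 47 or
    48 bytes long depending on how many of the two values need the pad byte,
    so a varying signature length is expected and not itself a sign of trouble.
    """
    der = base64.b64decode(sig_b64)
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    r, pos = _read_der_int(der, 2)
    s, pos = _read_der_int(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after signature")
    return r, s, len(der)
```

Both signatures parse as well-formed DER, so the length difference alone does not explain the failure; the next thing to compare is the digest each side computed over the "::"-joined string.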