Skip Menu |
 

This queue is for tickets about the Net-OpenID-Consumer CPAN distribution.

Report information
The Basics
Id: 44766
Status: resolved
Priority: 0/
Queue: Net-OpenID-Consumer

People
Owner: crew [...] cs.stanford.edu
Requestors: MART [...] cpan.org
Cc: CARNIL [...] cpan.org
AdminCc:

Bug Information
Severity: Critical
Broken in:
  • 1.01
  • 1.02
  • 1.03
Fixed in:
  • 1.030099_006
  • 1.11



Subject: No support for SHA256
Download (untitled) / with headers
text/plain 191b
There is currently no support for SHA256 in Net::OpenID::Consumer, which means that sites running Net::OpenID::Consumer can't accept login from MySpaceID and probably other providers too.
Subject: [PATCH] support for SHA256
From: crew [...] cs.stanford.edu
Download (untitled) / with headers
text/plain 1.5k
On Fri Apr 03 00:44:30 2009, MART wrote: Show quoted text
> There is currently no support for SHA256 in Net::OpenID::Consumer, > which means that sites running Net::OpenID::Consumer can't accept login > from MySpaceID and probably other providers too. >
I've managed to implement this in my world. Here are patches for Association.pm and Consumer.pm vs. 1.03. This switches to using Digest::SHA since that has support for all of the SHA functions. My one worry about that module is their OO interfaces don't appear to be thread-safe (no CLONE routine), however if one makes a point of never creating objects and sticking with the (hmac_)sha(1|256) functions, then, presumably, that shouldn't be an issue. (Or someone could write an SHA256 analog of Digest::SHA1 since we only need those two functions (sha256,hmac_sha256) from it anyway; but that hasn't happened yet, so Digest::SHA it is for now.) The changes are significant, at least in Association.pm (surprise). I was (sort of) trying to follow the old organization of the code, but it seems to me some refactoring may be called for anyway seeing as everything from new_server_assoc on down is really methods on the Consumer object (and hence should live in Consumer.pm), likewise for the documentation of the options for association types, which until such time as the Association objects get exposed, remain options on the Consumer constructor... also there's some argument for AssociationType and SessionType as separate modules/object-types but I didn't do that. Edit to taste...
Subject: ass.pat
Download ass.pat
application/octet-stream 14.6k

Message body not shown because it is not plain text.

Subject: cons.pat
Download cons.pat
application/octet-stream 3k

Message body not shown because it is not plain text.

Subject: Re: [PATCH] SHA256 support
From: crew [...] cs.stanford.edu
Download (untitled) / with headers
text/plain 124b
let's try this again but with the correct file types on the patches so that you're not having to check for virus silliness .
Subject: cons.txt
Download cons.txt
text/plain 3k
--- Net/OpenID/Consumer-0-.pm 2010-02-12 20:49:39.000000000 -0800 +++ Net/OpenID/Consumer.pm 2010-02-14 05:10:47.323736639 -0800 @@ -22,6 +22,7 @@ 'last_errtext', # last error code we got 'debug', # debug flag or codeblock 'minimum_version', # The minimum protocol version to support + 'assoc_options', # options for Net::OpenID::Association->new_server_assoc ); use Net::OpenID::ClaimedIdentity; @@ -32,7 +33,7 @@ use Net::OpenID::URIFetch; use MIME::Base64 (); -use Digest::SHA1 (); +use Digest::SHA (); use Crypt::DH 0.05; use Time::Local; use HTTP::Request; @@ -50,6 +51,7 @@ $self->consumer_secret ( delete $opts{consumer_secret} ); $self->required_root ( delete $opts{required_root} ); $self->minimum_version ( delete $opts{minimum_version} ); + $self->assoc_options ( delete $opts{assoc_options} ); $self->{debug} = delete $opts{debug}; @@ -85,6 +87,32 @@ return $self->{$param}; } +sub assoc_options { + my Net::OpenID::Consumer $self = shift; + my $v; + if (scalar(@_) == 1) { + $v = shift; + unless (defined $v && !$v) { + $v = []; + } + elsif (ref $v eq 'ARRAY') { } + elsif (ref $v) { + # assume HASH and hope for the best + $v = [%$v]; + } + else { + Carp::croak("single argument must be HASH or ARRAY reference"); + } + $self->{assoc_options} = $v; + } + elsif (@_) { + Carp::croak("odd number of parameters?") + if scalar(@_)%2; + $self->{assoc_options} = [@_]; + } + return $self->{assoc_options}; +} + sub _debug { my Net::OpenID::Consumer $self = shift; return unless $self->{debug}; @@ -809,7 +864,7 @@ $signed_fields{$param} = $val; } - my $good_sig = OpenID::util::b64(OpenID::util::hmac_sha1($token, $assoc->secret)); + my $good_sig = $assoc->generate_signature($token); return $self->_fail("signature_mismatch") unless $sig64 eq $good_sig; } else { @@ -896,6 +951,10 @@ use constant VERSION_1_NAMESPACE => "http://openid.net/signon/1.1"; use constant VERSION_2_NAMESPACE => "http://specs.openid.net/auth/2.0"; +# allow above reference to OpenID::util::hmac_sha1_hex +# which should maybe go away? +use Digest::SHA qw(hmac_sha1_hex); + # I guess this is a bit daft since constants are subs anyway, # but whatever. sub version_1_namespace { @@ -917,23 +976,6 @@ return "http://specs.openid.net/auth/2.0/identifier_select"; } -# From Digest::HMAC -sub hmac_sha1_hex { - unpack("H*", &hmac_sha1); -} -sub hmac_sha1 { - hmac($_[0], $_[1], \&Digest::SHA1::sha1, 64); -} -sub hmac { - my($data, $key, $hash_func, $block_size) = @_; - $block_size ||= 64; - $key = &$hash_func($key) if length($key) > $block_size; - - my $k_ipad = $key ^ (chr(0x36) x $block_size); - my $k_opad = $key ^ (chr(0x5c) x $block_size); - - &$hash_func($k_opad, &$hash_func($k_ipad, $data)); -} sub parse_keyvalue { my $reply = shift;
Subject: assoc.txt
Download assoc.txt
text/plain 14.6k

Message body is not shown because it is too large.

RT-Send-CC: crew [...] cs.stanford.edu
Download (untitled) / with headers
text/plain 649b
Hi On Fri Apr 03 00:44:30 2009, MART wrote: Show quoted text
> There is currently no support for SHA256 in Net::OpenID::Consumer, > which means that sites running Net::OpenID::Consumer can't accept
login Show quoted text
> from MySpaceID and probably other providers too. >
This would be great if could be changed to use Digest::SHA from another point of view. Digest::SHA is in perl core since 5.9.3 and changing use of Digest::SHA1 to Digest::SHA would reduce external dependencies by one. In Debian we are tracking these, to trop libdigest-sha1-perl [1]. [1] http://wiki.debian.org/Teams/DebianPerlGroup/OpenTasks/Transitions/Diges tSHA1ToDigestSHA Regards Salvatore
From: crew [...] cs.stanford.edu
Download (untitled) / with headers
text/plain 409b
I should note that the patch I provided actually *does* remove all references to Digest::SHA1 and *only* depends on Digest::SHA On Tue Jun 14 17:10:55 2011, CARNIL wrote: Show quoted text
> Hi > > This would be great if could be changed to use Digest::SHA from > another point of view. Digest::SHA is in perl core since 5.9.3 > and changing use of Digest::SHA1 to Digest::SHA would reduce > external dependencies by one.
Download (untitled) / with headers
text/plain 342b
I believe this is fixed in Net-OpenID-Consumer-1.11 If you want to try it out, please make sure you've also installed the latest Net-OpenID-Common. Feel free to re-open (or start a new ticket) if I'm mistaken about this. Thanks for the report and sorry this took so long to get to... - Roger Crew (new co-maintainer as of a few weeks ago)


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.