This queue is for tickets about the Net-OAuth CPAN distribution.

Report information
The Basics
Id: 30112
Status: resolved
Priority: 0/
Queue: Net-OAuth

People
Owner: Nobody in particular
Requestors: rt.cpan [...] sartak.org
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 0.03
Fixed in: (no value)



Subject: HMAC/RSA-SHA1 output not properly URI-encoded
Hi Keith,

First of all, thanks for Net::OAuth (and OAuth?). :)

The HMAC-SHA1 and RSA-SHA1 signatures are not being properly URI-encoded. Section 9.2.1 of the spec says:

    oauth_signature is set to the calculated [HMAC-SHA1] digest octet string, first base64-encoded per [RFC2045] section 6.8, then URL-encoded per Parameter Encoding.

Section 9.3.1 of the spec says:

    oauth_signature is set to [the output of RSA signing], first base64-encoded per [RFC2045] section 6.8, then URL-encoded per Parameter Encoding.

If you look at Net::OAuth's t/01-spec.t, line 72, you can see the following check:

    is($request->signature, 'Gcg/323lvAsQ707p+y41y14qWfY');

The / and + are not properly encoded. The actual signature should be: 'Gcg%2F323lvAsQ707p%2By41y14qWfY'.

Ditto for t/02-rsa.t and its check on line 48.

Shawn

On Thu Oct 18 21:05:15 2007, SARTAK wrote:
> Hi Keith,
>
> First of all, thanks for Net::OAuth (and OAuth?). :)
>
> The HMAC-SHA1 and RSA-SHA1 signatures are not being properly URI-
> encoded. Section 9.2.1 of the spec says:
>
> oauth_signature is set to the calculated [HMAC-SHA1] digest octet
> string, first base64-encoded per [RFC2045] section 6.8, then URL-
> encoded per Parameter Encoding.
>
> Section 9.3.1 of the spec says:
>
> oauth_signature is set to [the output of RSA signing], first base64-
> encoded per [RFC2045] section 6.8, then URL-encoded per Parameter
> Encoding.
>
> If you look at Net::OAuth's t/01-spec.t, line 72, you can see the
> following check:
>
> is($request->signature, 'Gcg/323lvAsQ707p+y41y14qWfY');
>
> The / and + are not properly encoded. The actual signature should be:
> 'Gcg%2F323lvAsQ707p%2By41y14qWfY'.
>
> Ditto for t/02-rsa.t and its check on line 48.
>
> Shawn

Thinking more about it, this is likely the desired behavior. The URI-encoding would be for transmission across the wire. So this isn't a bug. :)

Shawn
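
An added example, not Net::OAuth's code and not part of the ticket, of the distinction the thread settles on: the signature held in memory is plain base64, Parameter Encoding is applied once when the request is serialized, and the receiver decodes once before comparing. The helper names `oauth_encode`, `oauth_decode` and `sign_hmac_sha1`, the key and the signature base string are constructed for illustration; only the `Gcg/...` value comes from the ticket.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA  qw(hmac_sha1);
use MIME::Base64 qw(encode_base64);

# OAuth Parameter Encoding: every byte outside the RFC 3986 unreserved
# set (A-Z a-z 0-9 - . _ ~) becomes an uppercase %XX escape.
sub oauth_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}

# Inverse, applied exactly once by the receiver before comparing.
sub oauth_decode {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# In-memory signature value: base64 of the HMAC-SHA1 digest, no escaping.
sub sign_hmac_sha1 {
    my ($base_string, $key) = @_;
    return encode_base64(hmac_sha1($base_string, $key), '');
}

# Value quoted in the ticket from t/01-spec.t, and its wire form.
my $spec_sig = 'Gcg/323lvAsQ707p+y41y14qWfY';
printf "in memory: %s\non the wire: %s\n", $spec_sig, oauth_encode($spec_sig);

# Constructed key and signature base string, for illustration only.
my $key  = 'consumer-secret&token-secret';
my $base = 'GET&http%3A%2F%2Fexample.com%2Fphotos&size%3Doriginal';

my $sig   = sign_hmac_sha1($base, $key);   # what the signature accessor holds
my $wire  = oauth_encode($sig);            # what goes into the request
my $twice = oauth_encode($wire);           # escaping applied a second time

for my $case ([once => $wire], [twice => $twice]) {
    my ($label, $sent) = @$case;
    my $received = oauth_decode($sent);    # receiver decodes once
    printf "%-5s sent=%s match=%s\n", $label, $sent,
        $received eq $sig ? 'yes' : 'no';
}
```

If the accessor returned the escaped form and the serializer escaped it again, the `twice` case is what a receiver would see: `%` itself becomes `%25`, and the decoded value no longer equals the computed signature.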