
This queue is for tickets about the Net-OpenID-Consumer CPAN distribution.

Report information
The Basics
Id: 44766
Status: resolved
Priority: 0/
Queue: Net-OpenID-Consumer

People
Owner: crew [...] cs.stanford.edu
Requestors: MART [...] cpan.org
Cc: CARNIL [...] cpan.org
AdminCc:

Bug Information
Severity: Critical
Broken in:
  • 1.01
  • 1.02
  • 1.03
Fixed in:
  • 1.030099_006
  • 1.11

Subject: No support for SHA256
There is currently no support for SHA256 in Net::OpenID::Consumer, which means that sites running Net::OpenID::Consumer can't accept login from MySpaceID and probably other providers too.
Subject: [PATCH] support for SHA256
From: crew [...] cs.stanford.edu
On Fri Apr 03 00:44:30 2009, MART wrote:
> There is currently no support for SHA256 in Net::OpenID::Consumer,
> which means that sites running Net::OpenID::Consumer can't accept login
> from MySpaceID and probably other providers too.
I've managed to implement this in my world. Here are patches for Association.pm and Consumer.pm vs. 1.03.

This switches to using Digest::SHA since that has support for all of the SHA functions. My one worry about that module is their OO interfaces don't appear to be thread-safe (no CLONE routine), however if one makes a point of never creating objects and sticking with the (hmac_)sha(1|256) functions, then, presumably, that shouldn't be an issue. (Or someone could write an SHA256 analog of Digest::SHA1 since we only need those two functions (sha256, hmac_sha256) from it anyway; but that hasn't happened yet, so Digest::SHA it is for now.)

The changes are significant, at least in Association.pm (surprise). I was (sort of) trying to follow the old organization of the code, but it seems to me some refactoring may be called for anyway seeing as everything from new_server_assoc on down is really methods on the Consumer object (and hence should live in Consumer.pm), likewise for the documentation of the options for association types, which until such time as the Association objects get exposed, remain options on the Consumer constructor... also there's some argument for AssociationType and SessionType as separate modules/object-types but I didn't do that. Edit to taste...
Subject: ass.pat
application/octet-stream 14.6k


Subject: cons.pat
application/octet-stream 3k

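The signature path the message describes, as an added illustration that is not code from Net::OpenID::Consumer or from the attached patches: dispatch on the association type to Digest::SHA's functional hmac_sha1/hmac_sha256 (no objects, per the thread-safety worry above), base64 the result, and compare. The response fields, secret and handle are constructed for the example; the "field:value\n" token layout follows the OpenID key-value form.

```perl
use strict;
use warnings;
# Functional interface only, as the thread recommends: no Digest::SHA objects.
use Digest::SHA qw(hmac_sha1 hmac_sha256);
use MIME::Base64 qw(encode_base64);

# Dispatch on the association type negotiated with the OP.
my %HMAC_FOR = ('HMAC-SHA1' => \&hmac_sha1, 'HMAC-SHA256' => \&hmac_sha256);

# Key-value-form token that OpenID signs: "field:value\n" for each field
# listed in openid.signed, in order, with the "openid." prefix stripped.
sub signed_token {
    my ($p) = @_;
    return join '', map { "$_:" . $p->{"openid.$_"} . "\n" } split /,/, $p->{'openid.signed'};
}

# HMAC the token with the association secret; encode with MIME::Base64 so
# the result carries "=" padding (Digest::SHA's *_base64 helpers omit it).
sub generate_signature {
    my ($assoc_type, $secret, $token) = @_;
    my $hmac = $HMAC_FOR{$assoc_type} or die "unsupported association type: $assoc_type\n";
    return encode_base64($hmac->($token, $secret), '');
}

# Constant-time compare: XOR the strings and sum the bytes (unpack checksum)
# rather than using "eq", which stops at the first mismatching byte.
sub sig_equal {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    return unpack('%32C*', $x ^ $y) == 0;
}

# Constructed id_res response; the secret and handle are made up for the example.
my $secret = 'constructed-32-byte-secret-value';   # 32 bytes, as for HMAC-SHA256
my %resp = (
    'openid.mode'           => 'id_res',
    'openid.op_endpoint'    => 'https://op.example/server',
    'openid.claimed_id'     => 'https://alice.example/',
    'openid.return_to'      => 'https://rp.example/return',
    'openid.response_nonce' => '2009-04-03T00:44:30Zabc',
    'openid.assoc_handle'   => 'constructed-handle',
    'openid.signed'         => 'op_endpoint,claimed_id,return_to,response_nonce,assoc_handle',
);
# OP side: sign with the SHA-256 association.  RP side: recompute and compare.
# A consumer that only knows HMAC-SHA1 gets a different value and rejects the login.
$resp{'openid.sig'} = generate_signature('HMAC-SHA256', $secret, signed_token(\%resp));
for my $type ('HMAC-SHA256', 'HMAC-SHA1') {
    my $match = sig_equal($resp{'openid.sig'}, generate_signature($type, $secret, signed_token(\%resp)));
    printf "%-11s verify: %s\n", $type, $match ? 'ok' : 'MISMATCH';
}
```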

Subject: Re: [PATCH] SHA256 support
From: crew [...] cs.stanford.edu
Let's try this again but with the correct file types on the patches so that you're not having to check for virus silliness.
Subject: cons.txt
--- Net/OpenID/Consumer-0-.pm 2010-02-12 20:49:39.000000000 -0800 +++ Net/OpenID/Consumer.pm 2010-02-14 05:10:47.323736639 -0800 @@ -22,6 +22,7 @@ 'last_errtext', # last error code we got 'debug', # debug flag or codeblock 'minimum_version', # The minimum protocol version to support + 'assoc_options', # options for Net::OpenID::Association->new_server_assoc ); use Net::OpenID::ClaimedIdentity; @@ -32,7 +33,7 @@ use Net::OpenID::URIFetch; use MIME::Base64 (); -use Digest::SHA1 (); +use Digest::SHA (); use Crypt::DH 0.05; use Time::Local; use HTTP::Request; @@ -50,6 +51,7 @@ $self->consumer_secret ( delete $opts{consumer_secret} ); $self->required_root ( delete $opts{required_root} ); $self->minimum_version ( delete $opts{minimum_version} ); + $self->assoc_options ( delete $opts{assoc_options} ); $self->{debug} = delete $opts{debug}; @@ -85,6 +87,32 @@ return $self->{$param}; } +sub assoc_options { + my Net::OpenID::Consumer $self = shift; + my $v; + if (scalar(@_) == 1) { + $v = shift; + unless (defined $v && !$v) { + $v = []; + } + elsif (ref $v eq 'ARRAY') { } + elsif (ref $v) { + # assume HASH and hope for the best + $v = [%$v]; + } + else { + Carp::croak("single argument must be HASH or ARRAY reference"); + } + $self->{assoc_options} = $v; + } + elsif (@_) { + Carp::croak("odd number of parameters?") + if scalar(@_)%2; + $self->{assoc_options} = [@_]; + } + return $self->{assoc_options}; +} + sub _debug { my Net::OpenID::Consumer $self = shift; return unless $self->{debug}; @@ -809,7 +864,7 @@ $signed_fields{$param} = $val; } - my $good_sig = OpenID::util::b64(OpenID::util::hmac_sha1($token, $assoc->secret)); + my $good_sig = $assoc->generate_signature($token); return $self->_fail("signature_mismatch") unless $sig64 eq $good_sig; } else { 
@@ -896,6 +951,10 @@ use constant VERSION_1_NAMESPACE => "http://openid.net/signon/1.1"; use constant VERSION_2_NAMESPACE => "http://specs.openid.net/auth/2.0"; +# allow above reference to OpenID::util::hmac_sha1_hex +# which should maybe go away? +use Digest::SHA qw(hmac_sha1_hex); + # I guess this is a bit daft since constants are subs anyway, # but whatever. sub version_1_namespace { @@ -917,23 +976,6 @@ return "http://specs.openid.net/auth/2.0/identifier_select"; } -# From Digest::HMAC -sub hmac_sha1_hex { - unpack("H*", &hmac_sha1); -} -sub hmac_sha1 { - hmac($_[0], $_[1], \&Digest::SHA1::sha1, 64); -} -sub hmac { - my($data, $key, $hash_func, $block_size) = @_; - $block_size ||= 64; - $key = &$hash_func($key) if length($key) > $block_size; - - my $k_ipad = $key ^ (chr(0x36) x $block_size); - my $k_opad = $key ^ (chr(0x5c) x $block_size); - - &$hash_func($k_opad, &$hash_func($k_ipad, $data)); -} sub parse_keyvalue { my $reply = shift;
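Review bot: the single-argument branch of the new `assoc_options` accessor (the `@@ -85,6 +87,32 @@` hunk) has its condition inverted: `unless (defined $v && !$v) { $v = []; }` runs for any truthy value, so a passed ARRAY or HASH reference is silently replaced by `[]` and the `ref $v eq 'ARRAY'` and `[%$v]` branches are unreachable, while a defined-but-false scalar such as `0` skips the block and falls through to the croak. The intent reads as `unless ($v) { $v = []; }` (undef or false meaning "no options") followed by the ref checks; a one-line test that `assoc_options([...])` round-trips would have caught it.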
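Review bot: the `-use Digest::SHA1 (); +use Digest::SHA ();` swap needs a matching prerequisite change in the distribution metadata (Makefile.PL/META), which none of the visible hunks touch, otherwise installs will still pull in Digest::SHA1 and may fail where only Digest::SHA is present. In the OpenID::util hunk, the hand-rolled `hmac`/`hmac_sha1`/`hmac_sha1_hex` are correctly dropped (Digest::SHA's hmac_sha1 already handles keys longer than the block size), but the replacement `use Digest::SHA qw(hmac_sha1_hex);` is annotated "which should maybe go away?"; either remove it and update the remaining caller of `OpenID::util::hmac_sha1_hex`, or name that caller in the comment so the shim does not linger unexplained.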
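Review bot: in the `@@ -809,7 +864,7 @@` hunk the check still reads `return $self->_fail("signature_mismatch") unless $sig64 eq $good_sig;`; `eq` returns at the first differing byte, and `$sig64` comes from the response while `$good_sig` is the freshly computed HMAC, so while this line is being changed a constant-time comparison (length check, then XOR the two strings and require an all-NUL result) would be the safer replacement. It is also worth confirming that the new `$assoc->generate_signature($token)` (defined in the Association patch, which is not shown on this page) croaks on an unknown association type rather than quietly defaulting to SHA-1.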
Subject: assoc.txt


RT-Send-CC: crew [...] cs.stanford.edu
Hi

On Fri Apr 03 00:44:30 2009, MART wrote:
> There is currently no support for SHA256 in Net::OpenID::Consumer,
> which means that sites running Net::OpenID::Consumer can't accept login
> from MySpaceID and probably other providers too.

This would be great if it could be changed to use Digest::SHA from another point of view. Digest::SHA is in perl core since 5.9.3, and changing the use of Digest::SHA1 to Digest::SHA would reduce external dependencies by one. In Debian we are tracking these, to drop libdigest-sha1-perl [1].

[1] http://wiki.debian.org/Teams/DebianPerlGroup/OpenTasks/Transitions/DigestSHA1ToDigestSHA

Regards
Salvatore
From: crew [...] cs.stanford.edu
I should note that the patch I provided actually *does* remove all references to Digest::SHA1 and *only* depends on Digest::SHA.

On Tue Jun 14 17:10:55 2011, CARNIL wrote:
> Hi
>
> This would be great if could be changed to use Digest::SHA from
> another point of view. Digest::SHA is in perl core since 5.9.3
> and changing use of Digest::SHA1 to Digest::SHA would reduce
> external dependencies by one.

I believe this is fixed in Net-OpenID-Consumer-1.11. If you want to try it out, please make sure you've also installed the latest Net-OpenID-Common. Feel free to re-open (or start a new ticket) if I'm mistaken about this.

Thanks for the report and sorry this took so long to get to...

- Roger Crew (new co-maintainer as of a few weeks ago)