-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/11299/#review24802
-----------------------------------------------------------

http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/OAuthRequest.java
<https://reviews.apache.org/r/11299/#comment48910>

    I think this is a bug and should always use SHA1 when hashing the body. If you look at the spec for the oauth_body_hash extension [1] it calls out that SHA1 MUST be used when the signature type is HMAC-SHA1 or RSA-SHA1. The only time the signature will not be one of those is if the signature type is plain text, in which case addBodyHash would be false and we wouldn't add the parameter.

    [1] http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html

- Ryan Baxter


On Aug. 7, 2013, 3:26 a.m., Zhi Hong Yang wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/11299/
> -----------------------------------------------------------
>
> (Updated Aug. 7, 2013, 3:26 a.m.)
>
>
> Review request for shindig, Dan Dumont, Ryan Baxter, Rich Thompson, and Stanton Sievers.
>
>
> Repository: shindig
>
>
> Description
> -------
>
> The following settings are added to support different algorithms:
>
> 1) shindig.crypo.preferredHashAlgorithm = SHA
>
> This setting is used to set the string hash algorithm; SHA, SHA-256, SHA-384, SHA-512 are supported.
>
> 2) shindig.crypo.preferredHMACAlgorithm = HMACSHA1
>
> This setting is used to set the string encrypt/decrypt algorithm; HMACSHA1, HMACSHA256, HMACSHA384, HMACSHA512 are supported.
>
>
> Diffs
> -----
>
> http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/BlobCrypterSecurityTokenCodec.java 1503103
> http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/common/crypto/BasicBlobCrypter.java 1503103
> http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/common/crypto/Crypto.java 1503103
> http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/common/util/DigestType.java PRE-CREATION
> http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/common/util/GenericDigestUtils.java PRE-CREATION
> http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/common/util/HMACType.java PRE-CREATION
> http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/test/java/org/apache/shindig/auth/BlobCrypterSecurityTokenCodecTest.java 1503103
> http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/test/java/org/apache/shindig/auth/BlobCrypterSecurityTokenTest.java 1503103
> http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/test/java/org/apache/shindig/common/crypto/BlobCrypterTest.java 1503103
> http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/test/java/org/apache/shindig/common/crypto/CryptoTest.java 1503103
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/DefaultGuiceModule.java 1503103
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1503103
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/OAuthRequest.java 1503103
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/handler/MacTokenHandler.java 1503103
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGenerator.java 1503103
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/testing/FakeOAuthServiceProvider.java 1503103
> http://svn.apache.org/repos/asf/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/OAuthAuthenticationHandler.java 1503103
> http://svn.apache.org/repos/asf/shindig/trunk/java/social-api/src/test/java/org/apache/shindig/social/core/oauth/FakeOAuthRequest.java 1503103
> http://svn.apache.org/repos/asf/shindig/trunk/java/social-api/src/test/java/org/apache/shindig/social/core/oauth/OAuthAuthenticationHanderTest.java 1503103
>
> Diff: https://reviews.apache.org/r/11299/diff/
>
>
> Testing
> -------
>
> Done.
>
>
> Thanks,
>
> Zhi Hong Yang
>
>
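
The rule raised in the review comment above, as an added Java example that is not part of the original e-mail or of Shindig's code: the body-hash digest is chosen from the signature method alone, never from a configured preferred hash. The class and method names are hypothetical, the request body is a constructed sample, and SHA-256 stands in for one of the configurable values the review request lists.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Optional;

// Added illustration: class and method names are hypothetical, not Shindig's.
public class BodyHashExample {

  // Base64 of the digest of the raw body bytes under the named JCA algorithm.
  static String digestB64(String jcaAlgorithm, byte[] body) throws NoSuchAlgorithmException {
    return Base64.getEncoder().encodeToString(MessageDigest.getInstance(jcaAlgorithm).digest(body));
  }

  // Value for oauth_body_hash, or empty when the parameter must not be added.
  // The configured preferred hash is deliberately not an input here: the
  // signature method alone decides the digest.
  static Optional<String> bodyHash(String signatureMethod, byte[] body)
      throws NoSuchAlgorithmException {
    switch (signatureMethod) {
      case "HMAC-SHA1":
      case "RSA-SHA1":
        return Optional.of(digestB64("SHA-1", body));
      case "PLAINTEXT":
        return Optional.empty(); // addBodyHash would be false in this case
      default:
        throw new IllegalArgumentException("unknown signature method: " + signatureMethod);
    }
  }

  public static void main(String[] args) throws Exception {
    byte[] body = "Hello World!".getBytes(StandardCharsets.UTF_8); // constructed sample body

    String sent = bodyHash("HMAC-SHA1", body).get();
    if (!sent.equals("Lve95gjOVATpfV8EL5X4nxwjKHE=")) throw new AssertionError(sent);
    if (bodyHash("PLAINTEXT", body).isPresent()) throw new AssertionError("PLAINTEXT");

    // What a consumer would send if it hashed the body with a configured
    // SHA-256 instead: a provider recomputing SHA-1 sees a mismatch.
    String configured = digestB64("SHA-256", body);
    System.out.println("spec SHA-1 value : " + sent);
    System.out.println("SHA-256 value    : " + configured);
    System.out.println("provider accepts : " + configured.equals(digestB64("SHA-1", body)));
  }
}
```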