I am a contributor to the Apache XML-RPC project, which is a Java library for XML-RPC server and client. Members of our list have mentioned this requirement and have looked for ways to accomplish it with interoperability in mind.

The solution you propose seems proprietary and not designed for interop. Have you considered any proposals by the XML-Signature Working Group at http://www.w3.org/Signature/ or the XML-Encryption Working Group at http://www.w3.org/Encryption/2001/ ?

Basically, it might be a good idea to design these solutions with interop in mind from the beginning. I must confess that our project has not produced any code with digital signatures or encryption integrated, but there is an independent interceptors patch that has allowed at least one developer to build in his own proprietary encryption code for use with Kerberos.

I monitor this list and would be interested in more discussion in this area.

Ryan Hoegg
ISIS Networks

Miles Lott wrote:

I'm attempting to add key signing to your xmlrpc library (I'll feed
changes back upstream once I'm done). Once an xmlrpcmsg is about to be
sent, it is serialized, a private key is used to generate a signature of
the serialized data, and both are sent to the xmlrpc server. The server
uses the client's public key to verify that the msg came from the actual
client; if verification is successful, decode the xmlrpcmsg as normal.

In phpgroupware/groupwhere, a login function is called first. This
generates a sessionid and key as with their normal browser login. The
sessionid/key are then sent in Authorization: Basic header to verify
subsequent requests. Lastly, a logout packet is sent to clear the user
session. Public/private keys would be cool, though. I had not done
much in that implementation to encrypt subsequent requests...

My hang-up is how to send the payload signature. The way I'd prefer to do it
is a simple form variable; the XMLRPC spec states that the xmlrpc
message is the body of a HTTP-POST request, so I figure that leaves
HTTP-GET available for (ab)use. I'd like to do this in a manner that
works with other xmlrpc implementations (if not supporting the
verification, silently ignoring the signature).

I am not absolutely certain, but in my simple tests trying to write a
php-based daemon for xml-rpc I found that GET or POST requests send the
entire set of values on one line. The difference being the first line
of the request specifying GET or POST. In this library at least, the
variable HTTP_RAW_POST_DATA is used to decode the entire request. This
is most likely because PHP does not know what to do with a POST or GET
that is multiline as with XML-RPC. In other words, I think you could
still use POST. iirc, it looks something like this:

User-Agent: Frontier/5.1.2 (WinNT)
Host: betty.userland.com
Content-Type: text/xml
Content-length: XXX

<?xml version="1.0"?>

Have you heard of any other implementations that allow this, or similar
workarounds (perhaps passing the signature elsewhere)? Do you have any

This could be sent in an Authorization: Basic header so long as the
server knows how to decode it.  I wrote this into phpgroupware and now
groupwhere's implementation of its XML-RPC server since I did not find
any other way.  Your work would be very welcome if it first does not
break other implementations (of course).

phpxmlrpc mailing list
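
The signing scheme discussed in this thread, as an added example that is not part of the original messages or of the phpxmlrpc library: the client signs the exact serialized body and passes the signature as a query-string variable, and the server verifies the raw bytes before decoding them. The `sig` parameter name, the `/RPC2` path, both helper functions, the key pair and the sample message are assumptions constructed for the illustration.

```php
<?php
// Added example: detached signature over the serialized XML-RPC body.
// sign_body(), verify_body() and the "sig" parameter are hypothetical names.

function sign_body(string $body, $privateKey): string
{
    if (!openssl_sign($body, $sig, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return base64_encode($sig);
}

function verify_body(string $rawBody, ?string $sigParam, string $publicKeyPem): bool
{
    if ($sigParam === null || $sigParam === '') {
        return false; // a server that requires signatures rejects unsigned calls
    }
    $sig = base64_decode($sigParam, true);
    if ($sig === false) {
        return false; // not valid base64
    }
    // Verify the bytes exactly as received, before any XML parsing:
    // re-serializing the message would change the bytes and break the check.
    return openssl_verify($rawBody, $sig, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed key pair, generated here only for the demonstration.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$pub = openssl_pkey_get_details($key)['key'];

// Constructed sample message; on a real server this is the raw POST body.
$body = '<?xml version="1.0"?><methodCall><methodName>examples.getStateName</methodName>'
      . '<params><param><value><i4>41</i4></value></param></params></methodCall>';

// Client side: the POST body stays plain XML-RPC, the signature rides in the URL.
$url = '/RPC2?sig=' . rawurlencode(sign_body($body, $key));

// Server side: read the variable from the query string, then check the body.
parse_str(parse_url($url, PHP_URL_QUERY), $query);
$sig = $query['sig'] ?? null;

var_dump(verify_body($body, $sig, $pub));                           // body as sent
var_dump(verify_body(str_replace('41', '42', $body), $sig, $pub)); // body altered in transit
var_dump(verify_body($body, null, $pub));                           // signature missing
```

A signature over the body alone does not stop a captured request from being replayed; that requires a timestamp or nonce inside the signed data.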
