@Stefan: Thanks a lot, that is the correct answer. I was using binary
keys in between, but by then I was missing a newline in the normalized
string. One should always try all combinations :-)

@Nick: I was using the PHP implementation at [1] which works well with
the test vectors from [2] and yes, there is no spec and I share the
doubts in [3]. Especially, if something like the header version should
change at some point, the automated pulling by npm for newly built auth
servers would probably break the sync as it takes Hawk 2.x and that
would take a while to debug. And don't get me started on using the auth
header within PHP in the first place as CGI does not forward them to the
script ... security through obscurity

[1] https://github.com/dflydev/dflydev-hawk
[2] https://github.com/hueniverse/hawk
[3] http://evertpot.com/hawk-problems/


On 12.03.2015 at 18:13, Stefan Arentz wrote:
> The problem is in your key
> 87b8937f61d38d0e29cd2d5600b3f4da0aa48ac41de36a0efe84bb4a9872ceb7
>
> Your test vector decodes this hex string into a 64 byte binary value
> and then uses that as the key. While you are using the key as-is.
>
> Bad:
>
> import hmac, hashlib
> hmac.new('87b8937f61d38d0e29cd2d5600b3f4da0aa48ac41de36a0efe84bb4a9872ceb7',
> "hawk.1.header\n1426168115\nPZ5oR8+A1cg=\nGET\n/simplesync/account/keys\nlocalhost\n443\n\n\n",
> hashlib.sha256).digest().encode('base64')
> 'NnjwluoNCZXutov27mON9WJYIoXawk5ERrEtHPvg5WY=\n'
>
> Good:
>
> hmac.new('87b8937f61d38d0e29cd2d5600b3f4da0aa48ac41de36a0efe84bb4a9872ceb7'.decode('hex'),
> "hawk.1.header\n1426168115\nPZ5oR8+A1cg=\nGET\n/simplesync/account/keys\nlocalhost\n443\n\n\n",
> hashlib.sha256).digest().encode('base64')
> 'BcLvmko79juoZDTfdHDVpi/D5logg7xg9MdcraBo3zI=\n'
>
> (Second version has a .decode('hex') in there)
>
>  S.
>
> On Thu, Mar 12, 2015 at 10:02 AM, Peter Mueller <[email protected]> wrote:
>
>     Hi,
>     I am emulating the FxA protocol and I have trouble authenticating
>     a Hawk request sent by the Desktop client to /account/keys on Server
>     using the standard Hawk lib.
>
>     After reading and trying a lot I am at a loss why I don't get the
>     correct mac value for the following parameters and I am thankful for
>     comments. Using a different Hawk-lib results in the same mac, so I
>     somehow build the wrong normalized string, but I don't know what goes
>     wrong. Ideas?
>
>     I am using the given test vectors for KeyFetchToken, therefore the key
>     should be:
>     87b8937f61d38d0e29cd2d5600b3f4da0aa48ac41de36a0efe84bb4a9872ceb7
>
>     Sent Apache Authorization Header from client:
>     Hawk
>     id="3d0a7c02a15a62a2882f76e39b6494b500c022a8816e048625a495718998ba60",
>     ts="1426168115", nonce="PZ5oR8+A1cg=",
>     mac="BcLvmko79juoZDTfdHDVpi/D5logg7xg9MdcraBo3zI="
>
>     Here are the variables I am using:
>     key =
>     "87b8937f61d38d0e29cd2d5600b3f4da0aa48ac41de36a0efe84bb4a9872ceb7";
>     ts = "1426168115";
>     nonce = "PZ5oR8+A1cg=";
>     method = "GET";
>     resource = "/simplesync/account/keys";
>     host = "localhost";
>     port = "443";
>     payload_hash = ""; // no hash given
>     extra = "";
>
>     which results in the following normalized string (without -----):
>
>     -----------
>     hawk.1.header
>     1426168115
>     PZ5oR8+A1cg=
>     GET
>     /simplesync/account/keys
>     localhost
>     443
>
>
>
>     -----------
>     and the following mac for my string =
>     NnjwluoNCZXutov27mON9WJYIoXawk5ERrEtHPvg5WY=
>
>     And the raw Request in full:
>     GET https://localhost/simplesync/account/keys HTTP/1.1
>     Host: localhost
>     User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
>     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>     Accept-Language: de, en-US, en
>     Accept-Encoding: gzip, deflate
>     Authorization: Hawk id="3d0a7c02a15a62a2882f76e39b6494b500c022a8816e048625a495718998ba60", ts="1426168115", nonce="PZ5oR8+A1cg=", mac="BcLvmko79juoZDTfdHDVpi/D5logg7xg9MdcraBo3zI="
>     Content-Type: text/plain
>     Connection: keep-alive
>     Pragma: no-cache
>     Cache-Control: no-cache
>
>     Thanks
>     Peter
>
>
>
>
>     _______________________________________________
>     Sync-dev mailing list
>     [email protected]
>     https://mail.mozilla.org/listinfo/sync-dev
>
>

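As an added example (not code from this thread, from dflydev-hawk or from hueniverse/hawk), the following Python 3 script rebuilds the Hawk 1 normalized string from the values Peter posted, reproduces both of Stefan's results, and shows why the key must be the 32 raw bytes the hex encodes rather than the 64-character hex string itself. The minimal Authorization header parser is my own assumption for this example, not part of either library.

```python
import base64
import hashlib
import hmac
import re

# Values copied from the thread: the KeyFetchToken-derived key and the header the client sent.
HEX_KEY = "87b8937f61d38d0e29cd2d5600b3f4da0aa48ac41de36a0efe84bb4a9872ceb7"
AUTH_HEADER = ('Hawk id="3d0a7c02a15a62a2882f76e39b6494b500c022a8816e048625a495718998ba60", '
               'ts="1426168115", nonce="PZ5oR8+A1cg=", mac="BcLvmko79juoZDTfdHDVpi/D5logg7xg9MdcraBo3zI="')


def parse_hawk_header(header: str) -> dict:
    """Minimal parser (assumption for this example): pulls the key="value" attributes out of the header."""
    if not header.startswith("Hawk "):
        raise ValueError("not a Hawk Authorization header")
    return dict(re.findall(r'(\w+)="([^"]*)"', header[len("Hawk "):]))


def hawk_normalized_string(ts, nonce, method, resource, host, port, payload_hash="", ext=""):
    """Hawk 1 header normalized string: each field is newline-terminated, so an empty
    payload hash and empty ext still contribute their newlines ("443\\n\\n\\n" in the thread)."""
    fields = [str(ts), nonce, method.upper(), resource, host.lower(), str(port), payload_hash, ext]
    return "hawk.1.header\n" + "\n".join(fields) + "\n"


def hawk_mac(key: bytes, normalized: str) -> str:
    """HMAC-SHA256 over the normalized string, base64 as it appears in the header."""
    digest = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_hawk_request(hex_key: str, header: str, method: str, resource: str, host: str, port: str) -> bool:
    """Server-side check: derive the key bytes from the hex credential and compare in constant time."""
    attrs = parse_hawk_header(header)
    key = bytes.fromhex(hex_key)  # the fix from the thread: decode the hex, do not HMAC with the hex text
    normalized = hawk_normalized_string(attrs["ts"], attrs["nonce"], method, resource, host, port)
    return hmac.compare_digest(hawk_mac(key, normalized), attrs["mac"])


if __name__ == "__main__":
    attrs = parse_hawk_header(AUTH_HEADER)
    norm = hawk_normalized_string(attrs["ts"], attrs["nonce"], "GET", "/simplesync/account/keys", "localhost", "443")
    print("hex string as key :", hawk_mac(HEX_KEY.encode("ascii"), norm))  # Peter's wrong value
    print("decoded bytes key :", hawk_mac(bytes.fromhex(HEX_KEY), norm))   # matches the header
    print("verified:", verify_hawk_request(HEX_KEY, AUTH_HEADER, "GET", "/simplesync/account/keys", "localhost", "443"))
```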