> On Aug. 7, 2013, 2:39 p.m., Ryan Baxter wrote:
> > http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/OAuthRequest.java, line 553
> > <https://reviews.apache.org/r/11299/diff/6/?file=338121#file338121line553>
> >
> > I think this is a bug and should always use SHA1 when hashing the body.
> > If you look at the spec for the oauth_body_hash extension [1] it calls out
> > that SHA1 MUST be used when the signature type is HMAC-SHA1 or RSA-SHA1.
> > The only time the signature will not be one of those is if the signature
> > type is plain text in which case addBodyHash would be false and we wouldn't
> > add the parameter.
> >
> > [1] http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html

Agree, fix it.

- Zhi Hong

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/11299/#review24802
-----------------------------------------------------------

On Aug. 8, 2013, 6:38 a.m., Zhi Hong Yang wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/11299/
> -----------------------------------------------------------
>
> (Updated Aug. 8, 2013, 6:38 a.m.)
>
> Review request for shindig, Dan Dumont, Ryan Baxter, Rich Thompson, and
> Stanton Sievers.
>
> Repository: shindig
>
> Description
> -------
>
> The following settings are added to support different algorithms:
>
> 1) shindig.crypo.preferredHashAlgorithm = SHA
>
> This setting is used to set the string hash algorithm; SHA, SHA-256, SHA-384,
> SHA-512 are supported.
>
> 2) shindig.crypo.preferredHMACAlgorithm = HMACSHA1
>
> This setting is used to set the string encrypt/decrypt algorithm;
> HMACSHA1, HMACSHA256, HMACSHA384, HMACSHA512 are supported.
>
> Diffs
> -----
>
>   http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/BlobCrypterSecurityTokenCodec.java 1503103
>   http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/common/crypto/BasicBlobCrypter.java 1503103
>   http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/common/crypto/Crypto.java 1503103
>   http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/common/util/DigestType.java PRE-CREATION
>   http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/common/util/GenericDigestUtils.java PRE-CREATION
>   http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/main/java/org/apache/shindig/common/util/HMACType.java PRE-CREATION
>   http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/test/java/org/apache/shindig/auth/BlobCrypterSecurityTokenCodecTest.java 1503103
>   http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/test/java/org/apache/shindig/auth/BlobCrypterSecurityTokenTest.java 1503103
>   http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/test/java/org/apache/shindig/common/crypto/BlobCrypterTest.java 1503103
>   http://svn.apache.org/repos/asf/shindig/trunk/java/common/src/test/java/org/apache/shindig/common/crypto/CryptoTest.java 1503103
>   http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/DefaultGuiceModule.java 1503103
>   http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1503103
>   http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/handler/MacTokenHandler.java 1503103
>   http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGenerator.java 1503103
>   http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/testing/FakeOAuthServiceProvider.java 1503103
>   http://svn.apache.org/repos/asf/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/OAuthAuthenticationHandler.java 1503103
>   http://svn.apache.org/repos/asf/shindig/trunk/java/social-api/src/test/java/org/apache/shindig/social/core/oauth/FakeOAuthRequest.java 1503103
>   http://svn.apache.org/repos/asf/shindig/trunk/java/social-api/src/test/java/org/apache/shindig/social/core/oauth/OAuthAuthenticationHanderTest.java 1503103
>
> Diff: https://reviews.apache.org/r/11299/diff/
>
> Testing
> -------
>
> Done.
>
> Thanks,
>
> Zhi Hong Yang
>
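
The point raised in the review comment above (the body hash stays SHA1 for HMAC-SHA1 and RSA-SHA1 signatures, whatever digest a deployment prefers), as an added example that is not part of the thread or of Shindig's code. The class name, the method names and the `PREFERRED_HASH` constant are assumptions made for illustration, and the sample body is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class BodyHashExample {
  // Assumption: stands in for a deployment-wide preferred digest such as the
  // one the review request makes configurable. Not a Shindig identifier.
  static final String PREFERRED_HASH = "SHA-256";

  static byte[] digest(String algorithm, byte[] data) throws NoSuchAlgorithmException {
    return MessageDigest.getInstance(algorithm).digest(data);
  }

  /**
   * Consumer side: value for the oauth_body_hash parameter, or null when the
   * parameter is not added (signature method is not HMAC-SHA1 or RSA-SHA1).
   */
  static String bodyHashParam(String signatureMethod, byte[] body)
      throws NoSuchAlgorithmException {
    boolean sha1Signature =
        "HMAC-SHA1".equals(signatureMethod) || "RSA-SHA1".equals(signatureMethod);
    if (!sha1Signature) {
      return null;
    }
    // Fixed by the extension for these signature methods; not configurable.
    return Base64.getEncoder().encodeToString(digest("SHA-1", body));
  }

  /** Provider side: recompute SHA-1 over the received body and compare. */
  static boolean providerAccepts(String receivedParam, byte[] body)
      throws NoSuchAlgorithmException {
    byte[] received;
    try {
      received = Base64.getDecoder().decode(receivedParam);
    } catch (IllegalArgumentException e) {
      return false; // not valid base64
    }
    // MessageDigest.isEqual also returns false when the lengths differ.
    return MessageDigest.isEqual(digest("SHA-1", body), received);
  }

  public static void main(String[] args) throws Exception {
    byte[] body = "Hello World!".getBytes(StandardCharsets.UTF_8); // constructed sample
    String correct = bodyHashParam("HMAC-SHA1", body);
    String wrong = Base64.getEncoder().encodeToString(digest(PREFERRED_HASH, body));
    System.out.println("SHA-1 body hash accepted: " + providerAccepts(correct, body));
    System.out.println(PREFERRED_HASH + " body hash accepted: " + providerAccepts(wrong, body));
    System.out.println("PLAINTEXT adds parameter: " + (bodyHashParam("PLAINTEXT", body) != null));
  }
}
```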