
Re: [Handle-info] Problem authenticating for admin functions of Handle 8.1 REST API via Authorization: Handle

The problem I see here is that signatureRaw concatenates strings, then extracts the UTF-8 bytes from the results.  Instead, extract bytes and concatenate bytes:

    // Decode the server nonce and the client nonce from base64 to raw bytes;
    // it is the bytes, not the base64 text, that go into the digest.
    var serverNonceBytes = cnri.util.Encoder.Base64.bytes(nonce);
    var clientNonceBytes = cnri.util.Encoder.Base64.bytes(cnonce);
    // The secret key is used as UTF-8 bytes, once before and once after the nonces.
    var passwordBytes = cnri.util.Encoder.Utf8.bytes(pwd);
    // Concatenate at the byte level: pwd || nonce || cnonce || pwd
    var bytesToDigest = concatBytes4(passwordBytes, serverNonceBytes, clientNonceBytes, passwordBytes);
    // SHA-1 over the concatenated bytes, then base64 for the signature="..." parameter.
    var signatureBytes = libpolycrypt.sha1(bytesToDigest);
    var signature = cnri.util.Encoder.Base64.string(signatureBytes);

    // Concatenate four byte arrays (Uint8Array or ArrayBuffer) into one Uint8Array.
    function concatBytes4(a, b, c, d) {
        var result = new Uint8Array(a.byteLength + b.byteLength + c.byteLength + d.byteLength);
        result.set(new Uint8Array(a), 0);
        result.set(new Uint8Array(b), a.byteLength);
        result.set(new Uint8Array(c), a.byteLength + b.byteLength);
        result.set(new Uint8Array(d), a.byteLength + b.byteLength + c.byteLength);
        return result;
    }

That said, if you are using HS_SECKEY, you should probably just use HTTP Basic Auth.

Robert

> On Jan 29, 2016, at 5:15 PM, Evguenia Krylova <evguenia.krylova@wisc.edu> wrote:
> 
> Could someone post a complete example for authentication via Authorization: Handle using HS_SECKEY? 
> 
> Following Handle 8.1 docs, I tried using JS libraries of admin application to build the 
> Authorization header, but it is not working. Here's how I did this.
> 
> 1. Send a DELETE request for an existing handle without authentication info.
> curl -k -v -X DELETE https://128.104.47.219:8000/api/handles/1712/test 
> 
> < HTTP/1.1 401 Unauthorized
> < WWW-Authenticate: Basic realm="handle"
> < WWW-Authenticate: Handle sessionId="1ee6f696alwg8bh2rrddhsw28", nonce="k51RBUk2rrCpDZkT/++o2w=="
> < Content-Type: application/json;charset=UTF-8
> < Content-Length: 41
> * Connection #0 to host 128.104.47.219 left intact
> {"responseCode":402,"handle":"1712/test"}
> 
> 2. Use the info from the challenge response above to construct the Authorization header.
> 
> pwd = "xxx"
> nonce = "k51RBUk2rrCpDZkT/++o2w=="
> cnonce = "/rF3GxOoWYeoQuuPXcRAJw=="
> signatureRaw = pwd+nonce+cnonce+pwd 
> ("xxxk51RBUk2rrCpDZkT/++o2w==/rF3GxOoWYeoQuuPXcRAJw==xxx")
> signature = cnri.util.Encoder.Base64.string(libpolycrypt.sha1(cnri.util.Encoder.Utf8.bytes(signatureRaw))) = 
> ("ECiTL+CMVnadRTFjfZbiNAPIMtY=")
> 
> 3. Issue a DELETE request for the handle with Authorization header.
> 
> curl -k -v -X DELETE -H 'Authorization: Handle version="0", sessionId="1ee6f696alwg8bh2rrddhsw28", cnonce="/rF3GxOoWYeoQuuPXcRAJw==", id="310:1711/ekrylova", type="HS_SECKEY", alg="SHA1", signature="ECiTL+CMVnadRTFjfZbiNAPIMtY="' https://128.104.47.219:8000/api/handles/1712/test 
> 
> *   Trying 128.104.47.219...
> * Connected to 128.104.47.219 (128.104.47.219) port 8000 (#0)
> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> * Server certificate: anonymous
> > DELETE /api/handles/1712/test HTTP/1.1
> > Host: 128.104.47.219:8000
> > User-Agent: curl/7.43.0
> > Accept: */*
> > Authorization: Handle version="0", sessionId="1ee6f696alwg8bh2rrddhsw28", cnonce="/rF3GxOoWYeoQuuPXcRAJw==", id="310:1711/ekrylova", type="HS_SECKEY", alg="SHA1", signature="i5R9C5AXnANlkYU9zi1ahLHQh7s="
> > 
> < HTTP/1.1 401 Unauthorized
> < WWW-Authenticate: Handle sessionId="1ee6f696alwg8bh2rrddhsw28", nonce="k51RBUk2rrCpDZkT/++o2w==", error="Identity not verified"
> < Content-Length: 0
> < 
> * Connection #0 to host 128.104.47.219 left intact
> 
> 
> Ev
> _______________________________________________
> Handle-Info mailing list
> Handle-Info@cnri.reston.va.us
> http://www.handle.net/mailman/listinfo/handle-info
