Re: [OAUTH-WG] Fwd: [Technical Errata Reported] RFC5849 (2550)

[Eran Hammer-Lahav <eran@hueniverse.com>]

Verified as correct.

EHL

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Peter Saint-Andre
> Sent: Thursday, November 18, 2010 6:26 PM
> To: OAuth WG
> Subject: [OAUTH-WG] Fwd: [Technical Errata Reported] RFC5849 (2550)
> 
> Folks, is this erratum accurate?
> 
> 
> -------- Original Message --------
> Subject: [Technical Errata Reported] RFC5849 (2550)
> Date: Tue, 12 Oct 2010 09:42:17 -0700 (PDT)
> From: RFC Errata System <rfc-editor@rfc-editor.org>
> To: eran@hueniverse.com, iesg@iesg.org
> CC: alasdair@lovefilm.com, rfc-editor@rfc-editor.org
> 
> 
> The following errata report has been submitted for RFC5849, "The OAuth 1.0
> Protocol".
> 
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=5849&eid=2550
> 
> --------------------------------------
> Type: Technical
> Reported by: Alasdair McIntyre <alasdair@lovefilm.com>
> 
> Section: GLOBAL
> 
> Original Text
> -------------
> Section 3.1
> oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"
> 
> Section 3.4.1.1
> oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"
> 
> Section 3.4.1.3.1
> oauth_signature="djosJKDKJSD8743243%2Fjdk33klY%3D"
> 
> 
> 
> Corrected Text
> --------------
> Section 3.1
> oauth_signature="r6%2FTJjbCOr97%2F%2BUU0NsvSne7s5g%3D"
> 
> Section 3.4.1.1
> oauth_signature="r6%2FTJjbCOr97%2F%2BUU0NsvSne7s5g%3D"
> 
> Section 3.4.1.3.1
> oauth_signature="r6%2FTJjbCOr97%2F%2BUU0NsvSne7s5g%3D"
> 
> 
> Notes
> -----
> (Apologies - this supercedes Errata ID 2549).
> 
> The signatures in sections 3.1, 3.4.1.1, and 3.4.1.3.1 of the RFC have
> mistakenly been calculated as if with "GET". I have supplied the correct
> "POST" signatures in the corrected text.
> 
> For reference, here is the perl script I used to calculate the signatures:
> 
> #!/usr/bin/perl
> use strict;
> use warnings;
> use Digest::HMAC_SHA1;
> use URI::Escape;
> use MIME::Base64;
> 
> my $unsafe = '^-._~A-Za-z0-9';
> my $client_secret = 'j49sk3j29djd';
> my $token_secret = 'dh893hdasih9';
> my $key = join('&', $client_secret, $token_secret);
> 
> my $uri_base = 'http%3A%2F%2Fexample.com%2Frequest';
> my $params = join('', qw(
>     a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da%26b5%3D
>     %253D%25253D%26c%2540%3D%26c2%3D%26oauth_con
>     sumer_key%3D9djdj82h48djs9d2%26oauth_nonce%3
>     D7d8f3e4a%26oauth_signature_method%3DHMAC-SH
>     A1%26oauth_timestamp%3D137131201%26oauth_tok
>     en%3Dkkk9d7dh3k39sjv7
> ));
> 
> foreach my $method ('GET', 'POST') {
>     my $base_sig = join('&', $method, $uri_base, $params);
>     my $bin_sig = Digest::HMAC_SHA1::hmac_sha1($base_sig, $key);
>     my $b64_sig = MIME::Base64::encode_base64($bin_sig, '');
>     my $enc_sig = URI::Escape::uri_escape($b64_sig, $unsafe);
>     printf "%-8s %s\n", $method, $enc_sig; }
> 
> Instructions:
> -------------
> This errata is currently posted as "Reported". If necessary, please use "Reply
> All" to discuss whether it should be verified or rejected. When a decision is
> reached, the verifying party (IESG) can log in to change the status and edit
> the report, if necessary.
> 
> --------------------------------------
> RFC5849 (draft-hammer-oauth-10)
> --------------------------------------
> Title               : The OAuth 1.0 Protocol
> Publication Date    : April 2010
> Author(s)           : E. Hammer-Lahav, Ed.
> Category            : INFORMATIONAL
> Source              : IETF - NON WORKING GROUP
> Area                : N/A
> Stream              : IETF
> Verifying Party     : IESG