I am trying to implement OAuth 1.0 in C++/MFC using the CryptoPP library to do the HMAC-SHA1. I can't repeat the example given in RFC 5849. As far as I can tell I have implemented it properly, but I'm getting a different signature.

    // Inputs taken from the RFC 5849 example request
    verb="POST";
    url="http://example.com/request";
    parameters="b5=%3D%253D&"
               "a3=a&"
               "c%40=&"
               "a2=r%20b&";
    postData = "c2&a3=2+q";
    realm="Example";
    key="9djdj82h48djs9d2";
    secret="j49sk3j29djd";
    currTime=137131201;
    token="kkk9d7dh3k39sjv7";
    token_secret="dh893hdasih9";
    nonce="7d8f3e4a";

    // Strip a trailing '&' from the query parameters and a leading '&' from the body
    if(parameters.Right(1)=="&") parameters=parameters.Left(parameters.GetLength()-1);
    if(postData.Left(1)=="&") postData=postData.Mid(1);  // Mid(1) drops only the '&'

    // Protocol parameters (realm and oauth_signature are not signed)
    oauth.Format("oauth_consumer_key=%s&oauth_token=%s&oauth_signature_method=HMAC-SHA1&oauth_nonce=%s&oauth_timestamp=%d",
                 key, token, nonce, currTime);
    oauth.Replace("&oauth_token=&","&");
    oauth.Replace("&oauth_nonce=&","&");

    // Collect query, protocol and body parameters into one list
    if(!parameters.IsEmpty()) parameters = parameters+"&"+oauth;
    else parameters = oauth;
    if(!postData.IsEmpty()) parameters = parameters+"&"+postData;
    parameters.Replace("+", "%20");

    // Sort, then re-join, appending '=' to any parameter that lacks one
    nParameters = SplitString(parameters, &parameterList, "&", NULL, true);
    Alphabetize(nParameters, &parameterList);
    for(i=0, parameters.Empty(); i<nParameters; i++){
        parameters+=parameterList[i];
        if(parameterList[i].Find('=')<1) parameters+="=";
        if(i<nParameters-1) parameters+="&";
    }

    // Signature base string and HMAC key
    signature_base = verb + L"&" + UrlEncode(url) + L"&" + UrlEncode(parameters);
    signature_key = UrlEncode(secret) + L"&" + UrlEncode(token_secret);

    // HMAC-SHA1 over the base string, Base64-encoded
    try{
        CryptoPP::HMAC< CryptoPP::SHA1 > hmac((const byte*) signature_key.c_str(), signature_key.length());
        CryptoPP::StringSource(signature_base, true,
            new CryptoPP::HashFilter(hmac,
                new CryptoPP::Base64Encoder(
                    new CryptoPP::StringSink(signature_base64)
                )
            )
        );
    }catch(const CryptoPP::Exception& e){
        strError.Format("Cryptography Error: %s", e.what());
        throw strError;
    }
    signature = UrlEncode(signature_base64.c_str());
    signature.Trim();

I'm getting the same signature base string as shown in section 3.4.1.1 and I'm assembling the key according to the directions in section 3.4.2. Unfortunately I'm getting r6%2FTJjbCOr97%2F%2BUU0NsvSne7s5g%3D for the signature as opposed to the value in the RFC.
What am I doing wrong?
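
An independent cross-check of the inputs above, added here as an example and not part of the original post: it rebuilds the signature base string (RFC 5849 sections 3.4.1 and 3.6) and the HMAC-SHA1 signature (section 3.4.2) with only the Python standard library. The function names are this example's own, and the URL is assumed to be already normalized with its query string removed.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote


def pct(s):
    # RFC 5849 section 3.6: only ALPHA, DIGIT, "-", ".", "_", "~" stay literal.
    return quote(s, safe="~")


def base_string(method, url, query, body, oauth_params):
    # Section 3.4.1.3.1: decode every source first, so "+" and "%20" both
    # become a space and a bare name such as "c2" gets an empty value.
    pairs = parse_qsl(query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += list(oauth_params.items())  # realm and oauth_signature excluded
    # Section 3.4.1.3.2: encode names and values, sort by name then value.
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base, consumer_secret, token_secret):
    # Section 3.4.2: the key is the two encoded secrets joined by "&".
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


# Values copied from the question.
OAUTH = {
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_nonce": "7d8f3e4a",
    "oauth_timestamp": "137131201",
}
BASE = base_string("POST", "http://example.com/request",
                   "b5=%3D%253D&a3=a&c%40=&a2=r%20b", "c2&a3=2+q", OAUTH)
SIGNATURE = sign(BASE, "j49sk3j29djd", "dh893hdasih9")

if __name__ == "__main__":
    print(BASE)
    print(pct(SIGNATURE))  # percent-encoded form, as sent in the header
```

Comparing the two printed values with the C++ intermediates (`signature_base` and `signature`) shows whether a mismatch comes from parameter normalization, key assembly, or the HMAC step.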