Posted to users@cloudstack.apache.org by Phillip Kent <ph...@xmlsoup.com> on 2015/12/16 17:41:42 UTC

API verification failure for asterisk character - signature hash conflict?

Hello all,

I have run into an odd error and wondered if it's a known problem.

This is only observed for CloudStack v4.3.2 as that is the only one I have
access to.

The failure happens when I include a '*' (asterisk) in an API call.

For example, I call 'updateNetwork' and change the value of displaytext.

I'll do that in Cloudmonkey and show the URL string that is generated. I
have X'd out the API endpoint, and in any case it doesn't relate to the
observed problem as the conflict occurs in the signature generation....

> update network id=d4626cb1-5a70-4fa1-94f7-e9db93bc26c1 displaytext='*'

URL:
https://XXXXXXXXXXXXXXXX?signatureversion=3&apiKey=KphWuXMkIhYIEYtIncnZNVZxIBIqjy3PaLXoLzfOLFHvyW_AWK29lcQoZDrI8bBAzXivyVHRxGUU6fbK5Ji2gw&region=europe&expires=2015-12-16T17%3A55%3A02%2B0000&id=d4626cb1-5a70-4fa1-94f7-e9db93bc26c1&command=updateNetwork&signature=SnoxC9OhRnOew%2FSi3WDKSGyeH9E%3D&displaytext=%2A&response=json
Error 401 Authentication error
errorcode = 401
errortext = unable to verify user credentials and/or request signature
uuidList:

If I try that call using a string for displaytext that doesn't contain an
asterisk, it always works (so far as I tested).

I tested the Python-generated signature against the Java-based generator
that is used inside Cloudstack
(cloudstack/test/src/com/cloud/test/utils/SignRequest.java). If I take the
command string generated by Cloudmonkey and pass that through the Java code
then I get a DIFFERENT signature and I tested that signature will pass the
CloudStack verification.

Can anyone reproduce this problem in their own CloudStack implementation?

Thanks, Phillip.

Re: API verification failure for asterisk character - signature hash conflict?

Posted by Phillip Kent <ph...@xmlsoup.com>.
Hi all, looked into this some more and pretty sure the problem is that
Python's urllib.quote_plus() does an escape on * , while Java's URL encoder
doesn't escape it, hence the conflict with the signatures. If you add "
safe = '*' " to the Python code that solves the problem.

Going to the standard RFC 2396 [http://www.rfc-editor.org/rfc/rfc2396.txt]
it recommends that the following characters shouldn't be escaped unless
there is specific reason to do so: "-" | "_" | "." | "!" | "~" | "*" | "'"
| "(" | ")" .

I notice that both Java and Python apply an escape to ( and ), so the Java
implementation doesn't seem fully compliant either.

So the takeaway from this seems to be that the CloudStack documentation
needs to emphasise that code which calls the API must act consistently with
the Java implementation (java.net.URLEncoder ?).

Phillip

On Wed, Dec 16, 2015 at 4:41 PM, Phillip Kent <ph...@xmlsoup.com>
wrote:

> Hello all,
>
> I have run into an odd error and wondered if it's a known problem.
>
> This is only observed for CloudStack v4.3.2 as that is the only one I have
> access to.
>
> The failure happens when I include a '*' (asterisk) in an API call.
>
> For example, I call 'updateNetwork' and change the value of displaytext.
>
> I'll do that in Cloudmonkey and show the URL string that is generated. I
> have X'd out the API endpoint, and in any case it doesn't relate to the
> observed problem as the conflict occurs in the signature generation....
>
> > update network id=d4626cb1-5a70-4fa1-94f7-e9db93bc26c1 displaytext='*'
>
> URL:
> https://XXXXXXXXXXXXXXXX?signatureversion=3&apiKey=KphWuXMkIhYIEYtIncnZNVZxIBIqjy3PaLXoLzfOLFHvyW_AWK29lcQoZDrI8bBAzXivyVHRxGUU6fbK5Ji2gw&region=europe&expires=2015-12-16T17%3A55%3A02%2B0000&id=d4626cb1-5a70-4fa1-94f7-e9db93bc26c1&command=updateNetwork&signature=SnoxC9OhRnOew%2FSi3WDKSGyeH9E%3D&displaytext=%2A&response=json
> Error 401 Authentication error
> errorcode = 401
> errortext = unable to verify user credentials and/or request signature
> uuidList:
>
> If I try that call using a string for displaytext that doesn't contain an
> asterisk, it always works (so far as I tested).
>
> I tested the Python-generated signature against the Java-based generator
> that is used inside Cloudstack
> (cloudstack/test/src/com/cloud/test/utils/SignRequest.java). If I take the
> command string generated by Cloudmonkey and pass that through the Java code
> then I get a DIFFERENT signature and I tested that signature will pass the
> CloudStack verification.
>
> Can anyone reproduce this problem in their own CloudStack implementation?
>
> Thanks, Phillip.
>
>
>
>
>
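The mismatch described in this thread can be reproduced offline. The Python 3 below is an added example, not code from the thread, from Cloudmonkey or from the CloudStack code base: it signs the same request parameters twice, once with urllib's quote_plus (the Cloudmonkey behaviour reported above) and once with a small emulation of java.net.URLEncoder.encode, following the signing recipe in the CloudStack developer documentation (sort parameters by name, URL-encode the values with spaces as %20, lowercase the string, HMAC-SHA1 it with the secret key, Base64 the digest). The secret key and API key are made up; the real ones never appear on the page. It also shows the one-line fix from the reply (safe='*') and a further character, '~', that Python 3.7+ leaves unescaped while Java percent-encodes.

```python
"""Reproduce the CloudStack '*' signature mismatch with a constructed key."""
import base64
import hashlib
import hmac
from urllib.parse import quote_plus

# Assumption: made-up credentials, not the ones from the mailing-list post.
SECRET_KEY = b"example-secret-key-not-real"
API_KEY = "EXAMPLE_API_KEY"

# Request parameters modelled on the updateNetwork call in the thread.
REQUEST = {
    "command": "updateNetwork",
    "id": "d4626cb1-5a70-4fa1-94f7-e9db93bc26c1",
    "apiKey": API_KEY,
    "response": "json",
    "displaytext": "*",
}


def java_url_encode(value: str) -> str:
    """Mimic java.net.URLEncoder.encode(value, "UTF-8").

    Java keeps A-Z a-z 0-9 and . - * _ as they are, turns a space into '+',
    and percent-encodes every other UTF-8 byte. That includes '~', which
    Python's quote_plus (3.7+) leaves alone, and excludes '*', which
    quote_plus escapes by default: those two characters are where the
    two encoders disagree.
    """
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if ch.isascii() and (ch.isalnum() or ch in ".-*_"):
            out.append(ch)
        elif ch == " ":
            out.append("+")
        else:
            out.append("%%%02X" % byte)
    return "".join(out)


def fixed_python_encode(value: str) -> str:
    """The fix proposed in the reply: tell quote_plus that '*' is safe."""
    return quote_plus(value, safe="*")


def cloudstack_signature(params: dict, secret: bytes, encoder) -> str:
    """Sign a request the way the CloudStack developer docs describe.

    Values are run through the supplied encoder, '+' is normalised to %20
    as the docs require, names are sorted and the whole string lowercased
    before the HMAC-SHA1, whose digest is Base64-encoded.
    """
    pieces = []
    for name in sorted(params, key=str.lower):
        encoded = encoder(str(params[name])).replace("+", "%20")
        pieces.append(f"{name.lower()}={encoded.lower()}")
    to_sign = "&".join(pieces).encode("utf-8")
    digest = hmac.new(secret, to_sign, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def signatures_for(displaytext: str) -> tuple:
    """Return (quote_plus signature, Java-style signature) for one value."""
    params = dict(REQUEST, displaytext=displaytext)
    py_sig = cloudstack_signature(params, SECRET_KEY, quote_plus)
    java_sig = cloudstack_signature(params, SECRET_KEY, java_url_encode)
    return py_sig, java_sig


if __name__ == "__main__":
    for text in ("*", "plain text", "(parens)"):
        py_sig, java_sig = signatures_for(text)
        print(f"{text!r:14} python={py_sig} java={java_sig} "
              f"match={py_sig == java_sig}")
```

Only the displaytext value containing '*' produces differing HMACs; values with spaces or parentheses sign identically because both encoders treat them the same way. The safer pattern for any HMAC-over-URL scheme is to canonicalise with an encoder that provably matches the verifier's, rather than relying on a library default.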