[phpxmlrpc] [Fwd: xmlrpc signing]

Miles Lott milos@groupwhere.org
29 Oct 2002 07:30:52 -0600 

> I'm attempting to add key signing to your xmlrpc library (I'll feed
> changes back upstream once I'm done).  Once an xmlrpcmsg is about to be
> sent, it is serialized, a private key is used to generate a signature of
> the serialized data, and both are sent to the xmlrpc server.  The server
> uses the client's public key to verify that the msg came from the actual
> client; if verification is sucessful, decode the xmlrpcmsg as normal.

In phpgroupware/groupwhere, a login function is called first.  This
generates a sessionid and key as with their normal browser login.  The
sessionid/key are then sent in Authorization: Basic header to verify
subsequent requests.  Lastly, a logout packet is sent to clear the user
session.  Public/private keys would be cool, though.  I had not done
much in that implementation to encrypt subsequent requests...

> My hang-up is how to send the payload signature.  The way I'd prefer to do it
> is a simple form variable; the XMLRPC spec states that the xmlrpc
> message is the body of a HTTP-POST request, so I figure that leaves
> HTTP-GET available for (ab)use.  I'd like to do this in a manner that
> works with other xmlrpc implementations (if not supporting the
> verification, silently ignoring the signature).

I am not absolutely certain, but in my simple tests trying to write a
php-based daemon for xml-rpc I found that GET or POST requests send the
entire set of values on one line.  The difference being the first line
of the request specifying GET or POST.  In this library at least, the
variable HTTP_RAW_POST_DATA is used to decode the entire request.  This
is most likely because PHP does not know what to do with a POST or GET
that is multiline as with XML-RPC.  In other words, I think you could
still use POST.  iirc, it looks something like this:

POST /RPC2 HTTP/1.0
User-Agent: Frontier/5.1.2 (WinNT)
Host: betty.userland.com
Content-Type: text/xml
Content-length: XXX
user=bob&password=secret

<?xml version="1.0"?>
<methodCall>
  <methodName>examples.getStateName</methodName>
  <params>
    <param>
      <value><i4>41</i4></value>
    </param>
  </params>
</methodCall>


> Have you heard of any other implementations that allow this, or similar
> workarounds (perhaps passing the signature elsewhere)?  Do you have any
> suggestions?

This could be sent in an Authorization: Basic header so long as the
server knows how to decode it.  I wrote this into phpgroupware and now
groupwhere's implementation of its XML-RPC server since I did not find
any other way.  Your work would be very welcome if it first does not
break other implementations (of course).

-- 

Miles Lott
GroupWhere
http://groupwhere.org