[phpxmlrpc-devel] Re: [phpxmlrpc] [Fwd: xmlrpc signing]

[Ryan Hoegg]

Hi,

I am a contributor to the Apache XML-RPC project, which is a Java 
library for XML-RPC server and client.  Members of our list have 
mentioned this requirement and have looked for ways to accomplish it 
with interoperability in mind.

The solution you propose seems proprietary and not designed for interop. 
 Have you considered any proposals by the XML-Signature Working Group at 
http://www.w3.org/Signature/ or the XML-Encryption Working Group at 
http://www.w3.org/Encryption/2001/ ?

Basically, it might be a good idea to design these solutions with 
interop in mind from the beginning.  I must confess that our project has 
not produced any code with digital signatures or encryption integrated, 
but there is an independent interceptors patch that has allowed at least 
one developer to buiild in his own proprietary encryption code for use 
with Kerberos.

I monitor this list and would be interested in more discussion in this area.

--
Ryan Hoegg
ISIS Networks
http://www.isisnetworks.net

Miles Lott wrote:

>>I'm attempting to add key signing to your xmlrpc library (I'll feed
>>changes back upstream once I'm done).  Once an xmlrpcmsg is about to be
>>sent, it is serialized, a private key is used to generate a signature of
>>the serialized data, and both are sent to the xmlrpc server.  The server
>>uses the client's public key to verify that the msg came from the actual
>>client; if verification is sucessful, decode the xmlrpcmsg as normal.
>>    
>>
>
>In phpgroupware/groupwhere, a login function is called first.  This
>generates a sessionid and key as with their normal browser login.  The
>sessionid/key are then sent in Authorization: Basic header to verify
>subsequent requests.  Lastly, a logout packet is sent to clear the user
>session.  Public/private keys would be cool, though.  I had not done
>much in that implementation to encrypt subsequent requests...
>
>  
>
>>My hang-up is how to send the payload signature.  The way I'd prefer to do it
>>is a simple form variable; the XMLRPC spec states that the xmlrpc
>>message is the body of a HTTP-POST request, so I figure that leaves
>>HTTP-GET available for (ab)use.  I'd like to do this in a manner that
>>works with other xmlrpc implementations (if not supporting the
>>verification, silently ignoring the signature).
>>    
>>
>
>I am not absolutely certain, but in my simple tests trying to write a
>php-based daemon for xml-rpc I found that GET or POST requests send the
>entire set of values on one line.  The difference being the first line
>of the request specifying GET or POST.  In this library at least, the
>variable HTTP_RAW_POST_DATA is used to decode the entire request.  This
>is most likely because PHP does not know what to do with a POST or GET
>that is multiline as with XML-RPC.  In other words, I think you could
>still use POST.  iirc, it looks something like this:
>
>POST /RPC2 HTTP/1.0
>User-Agent: Frontier/5.1.2 (WinNT)
>Host: betty.userland.com
>Content-Type: text/xml
>Content-length: XXX
>user=bob&password=secret
>
><?xml version="1.0"?>
><methodCall>
>  <methodName>examples.getStateName</methodName>
>  <params>
>    <param>
>      <value><i4>41</i4></value>
>    </param>
>  </params>
></methodCall>
>
>
>  
>
>>Have you heard of any other implementations that allow this, or similar
>>workarounds (perhaps passing the signature elsewhere)?  Do you have any
>>suggestions?
>>    
>>
>
>This could be sent in an Authorization: Basic header so long as the
>server knows how to decode it.  I wrote this into phpgroupware and now
>groupwhere's implementation of its XML-RPC server since I did not find
>any other way.  Your work would be very welcome if it first does not
>break other implementations (of course).
>