Hi. I was wondering if someone can shed some light on where I might be going wrong with this.

I need to generate a signed key for use with Gigya, an OAuth platform.

This is a rework from their Ruby info, http://wiki.gigya.com/020_Developer_Guide/70_Server_Side_API_(REST)#tab-2

Here is what I have thus far.

    # Python 2 (which this code targets): hmac.new() and b2a_base64() work on str.
    import re
    import time
    import hmac
    import hashlib
    import binascii
    from binascii import a2b_base64, b2a_base64
    from urllib import quote as urlquote

    #@ escape the status message and replace all + with %20 as spaces are CGI.escaped to +
    message_text = re.subn(r'\+', "%20", "Hello")[0]
    user = 1

    #@ here are the parameters you need to supply from your Gigya site's settings page.
    api_url = "http://socialize-api.gigya.com/socialize.setStatus"
    api_key = "2_qf6pKytdGqrvufl3TW2jY-D6nDaMFsHJ1mg4ZR-xtjyq-PtyyDnwFxRelMdvdAdM"  # not the real key
    gigya_secret_key = "Vf6IE6X59tKwDYuvKgsOOA5W6Gon4l6b9C+xVx0zsbY="

    #@ decode secret key and prepare nonce.
    gigya_secret = a2b_base64(gigya_secret_key)
    timestamp = int(time.time())
    # timestamp = 1281427277

    nonce = "%(a)d%(b)i" % {'a': 1, 'b': timestamp}
    http_method = "GET"

    #@ parameters are ordered alphabetically, base string include HTTP method call and its parameters, all separated with unescaped "&"
    parameters = 'apiKey=U\xfe\x88\x13\xa5\xf9\xf6\xd2\xb0\r\x8b\xaf*\x0b\x0e8\x0eV\xe8j\'\xe2^\x9b\xf4/\x97\xc6\xfd3\xb1\xb6&nonce=11281427277&status=Hello&timestamp=1281427277&uid=1'

    encoded_api = api_url.replace('//', '%3A').replace('/', '%2F')
    # http:%3Asocialize-api.gigya.com%2Fsocialize.setStatus

    encoded_par_1 = re.subn(r'\&', "%26", parameters)[0]
    # apiKey=U\xfe\x88\x13\xa5\xf9\xf6\xd2\xb0\r\x8b\xaf*\x0b\x0e8\x0eV\xe8j'\xe2^\x9b\xf4/\x97\xc6\xfd3\xb1\xb6%26nonce=11281427277%26status=Hello%26timestamp=1281427277%26uid=1

    encoded_parameters = re.subn(r'\=', "%3D", encoded_par_1)[0]
    # apiKey%3DU\xfe\x88\x13\xa5\xf9\xf6\xd2\xb0\r\x8b\xaf*\x0b\x0e8\x0eV\xe8j'\xe2^\x9b\xf4/\x97\xc6\xfd3\xb1\xb6%26nonce%3D11281427277%26status%3DHello%26timestamp%3D1281427277%26uid%3D1

    base_string = '%(a)s&%(b)s&%(c)s' % {'a': http_method, 'b': encoded_api, 'c': encoded_parameters}
    # GET&http:%3Asocialize-api.gigya.com%2Fsocialize.setStatus&apiKey%3DU\xfe\x88\x13\xa5\xf9\xf6\xd2\xb0\r\x8b\xaf*\x0b\x0e8\x0eV\xe8j'\xe2^\x9b\xf4/\x97\xc6\xfd3\xb1\xb6%26nonce%3D11281427277%26status%3DHello%26timestamp%3D1281427277%26uid%3D1

    #@ hmac/sha1 encryption for the gigya secret and the base_string
    hmacsha1 = hmac.new(gigya_secret, base_string, hashlib.sha1)

    hmacsha1 = binascii.b2a_base64(hmacsha1.digest())[:-1]
    # mMWb+7VE7L7+csYwwI00vWYu8IM=

    gigya_sign = urlquote(b2a_base64(hmacsha1).replace('\n', '').replace('\+', '%2B').replace('\/', '%2F'))
    # bU1XYis3VkU3TDcrY3NZd3dJMDB2V1l1OElNPQ%3D%3D

    #@ finalized api request url with the signed signature
    request_url = '%(a)s?apiKey=%(b)s&nonce=%(c)s&status=%(d)s&timestamp=%(e)s&uid=%(f)s&sig=%(g)s' % {'a': api_url, 'b': api_key, 'c': nonce, 'd': message_text, 'e': timestamp, 'f': user, 'g': gigya_sign}
    # request_url = http://socialize-api.gigya.com/socialize.setStatus?apiKey=2_qf6pKytdGqrvufl3TW2jY-D6nDaMFsHJ1mg4ZR-xtjyq-PtyyDnwFXralMdvdAdM&nonce=11281427277&status=Hello&timestamp=1281427277&uid=1&sig=bU1XYis3VkU3TDcrY3NZd3dJMDB2V1l1OElNPQ%3D%3D

Now I always seem to be getting the wrong result for the key.

Any help would be greatly appreciated.

A: 

I can't find the value for signature anywhere. It is possible that you encode the signature twice with Base64:

    hmacsha1 = binascii.b2a_base64(hmacsha1.digest())[:-1]
    # mMWb+7VE7L7+csYwwI00vWYu8IM=

    gigya_sign = urlquote(b2a_base64(hmacsha1).replace('\n', '').replace('\+', '%2B').replace('\/', '%2F'))
    # bU1XYis3VkU3TDcrY3NZd3dJMDB2V1l1OElNPQ%3D%3D

Note that you assign hmacsha1 with the Base64 encoded value of the digest in the first line (why do you omit the last character of the result?) and then you encode that again with b2a_base64.

I'm also wondering why you replace + and / manually; urlquote() should already do that (if not, I'd say that's a bug in urlquote() which should be fixed).

Aaron Digulla
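Added example (not the asker's code, not Aaron's, and not Gigya's own library): a Python 3 version of the signing recipe the question describes, with the digest Base64-encoded exactly once and the query percent-encoded by quote() instead of hand-written replace() calls. It follows the OAuth 1.0 signature-base-string rules (RFC 5849, sections 3.4.1 and 3.6) that the question's manual encoding approximates; whether that is byte-for-byte what Gigya's server expects is not something this page confirms, so treat that as an assumption. The API key, secret and parameter values are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder values for this example; not real Gigya credentials.
API_URL = "http://socialize-api.gigya.com/socialize.setStatus"
API_KEY = "2_exampleApiKey"
SECRET_B64 = base64.b64encode(b"example-secret-bytes-not-real").decode("ascii")


def percent_encode(value):
    """Percent-encode as an OAuth 1.0 base string requires (RFC 5849 3.6):
    only the unreserved characters A-Z a-z 0-9 - . _ ~ are left as-is, so a
    space becomes %20 (never '+'), and ':' and '/' in the URL become %3A/%2F."""
    return quote(str(value), safe="-._~")


def build_base_string(http_method, url, params):
    """METHOD&encode(url)&encode(k1=v1&k2=v2...), parameters sorted by name.
    Names and values are encoded once into the normalized query, and the whole
    query is encoded again when joined into the base string; that second pass
    is why '&' shows up as %26 and '=' as %3D in the result."""
    normalized = "&".join(
        "%s=%s" % (percent_encode(k), percent_encode(v))
        for k, v in sorted(params.items())
    )
    return "&".join([http_method.upper(), percent_encode(url), percent_encode(normalized)])


def sign_base_string(base_string, secret_b64):
    """HMAC-SHA1 keyed with the Base64-DECODED secret. The 20-byte digest is
    Base64-encoded exactly once: 28 characters, ending in a single '='."""
    key = base64.b64decode(secret_b64)
    digest = hmac.new(key, base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def double_encoded(signature):
    """What the question's code produced: the Base64 text Base64-encoded a
    second time (40 characters). Here only so the two forms can be compared."""
    return base64.b64encode(signature.encode("ascii")).decode("ascii")


def signed_request_url(url, params, secret_b64, http_method="GET"):
    """Assemble the request URL. The signature is Base64 text, so it is
    percent-encoded once for the query ('+' -> %2B, '/' -> %2F, '=' -> %3D);
    quote() with safe="" does all three, no manual replace() needed."""
    sig = sign_base_string(build_base_string(http_method, url, params), secret_b64)
    query = "&".join("%s=%s" % (percent_encode(k), percent_encode(v))
                     for k, v in sorted(params.items()))
    return "%s?%s&sig=%s" % (url, query, quote(sig, safe=""))


def verify_signature(received_sig, http_method, url, params, secret_b64):
    """Receiver-side check: recompute the signature from the request's own
    parameters and compare in constant time, so the comparison itself does
    not leak how many leading characters of the expected value matched."""
    expected = sign_base_string(build_base_string(http_method, url, params), secret_b64)
    return hmac.compare_digest(expected, received_sig)


if __name__ == "__main__":
    params = {"apiKey": API_KEY, "nonce": "11281427277", "status": "Hello world",
              "timestamp": "1281427277", "uid": "1"}
    print(build_base_string("GET", API_URL, params))
    print(signed_request_url(API_URL, params, SECRET_B64))
```

Two things this makes visible that the question's output hides: a status of "Hello world" appears as Hello%20world in the query but as Hello%2520world inside the base string (the normalized query is encoded a second time there, which is the intended OAuth behaviour, not a bug), and a correctly formed signature is 28 characters with one trailing '=', whereas the 40-character, '=='-terminated value in the question is the tell-tale shape of Base64 applied twice.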