Larry,

What I can advise though, is to look at my library code and it may give you different perspectives.
Furthermore, copy, borrow, and steal what you like and make it your own.

-FS.

On Mar 4, 2013, at 3:17 PM, Frank Siebenlist <frank.siebenl...@gmail.com> wrote:

> If your code is for production… do not use my code!
>
> It's pretty much written over the weekend and it's "security code", meaning
> that it deserves much more scrutiny than "ordinary" code.
>
> As mentioned in the readme, it's more an "educational exercise", although it
> was good to see you struggling as it validated my concerns about the java
> library's approach ;-)
>
> Don't even know if I'm willing to maintain it either…
>
> Sorry for the bad news - I was just trying to solicit feedback about
> alternative interfaces for the secure hashing.
>
> Regards, FrankS.
>
>
> On Mar 4, 2013, at 3:09 PM, larry google groups <lawrencecloj...@gmail.com>
> wrote:
>
>> Frank,
>>
>> Any idea when you might release your code in a stable form? I am using
>> this code at work so I am nervous about using code that is still
>> marked SNAPSHOT.
>> Lein reminds me not to use a SNAPSHOT:
>>
>> Could not find metadata org.clojars.franks42:clj.security.message-digest:0.1.0-SNAPSHOT/maven-metadata.xml in central (http://repo1.maven.org/maven2)
>> Could not find metadata org.clojars.franks42:clj.security.message-digest:0.1.0-SNAPSHOT/maven-metadata.xml in central-proxy (https://repository.sonatype.org/content/repositories/centralm1/)
>> Retrieving org/clojars/franks42/clj.security.message-digest/0.1.0-SNAPSHOT/maven-metadata.xml (1k)
>> from https://clojars.org/repo/
>> Could not find artifact org.clojars.franks42:clj.security.message-digest:pom:0.1.0-20130304.220822-1 in central (http://repo1.maven.org/maven2)
>> Retrieving org/clojars/franks42/clj.security.message-digest/0.1.0-SNAPSHOT/clj.security.message-digest-0.1.0-20130304.220822-1.pom (3k)
>> from https://clojars.org/repo/
>> Retrieving org/clojure/clojure/1.5.0/clojure-1.5.0.pom (6k)
>> from http://repo1.maven.org/maven2/
>> Retrieving org/clojars/franks42/clj.security.message-digest/0.1.0-SNAPSHOT/clj.security.message-digest-0.1.0-20130304.220822-1.jar (6k)
>> from https://clojars.org/repo/
>> Compiling 1 source files to /Users/lkrubner/projects/multi-platform-data-visualization/mpdv-clojure/target/classes
>> Release versions may not depend upon snapshots.
>> Freeze snapshots to dated versions or set the
>> LEIN_SNAPSHOTS_IN_RELEASE environment variable to override.
>>
>>
>> On Mar 4, 4:55 pm, Frank Siebenlist <frank.siebenl...@gmail.com>
>> wrote:
>>> Glad Larry has working code now...
>>>
>>> As I mentioned before in this thread, I'm working on this functional
>>> interface for the message-digesting/secure-hashing, and this whole
>>> discussion reads like a use case for the "why?" ;-)
>>>
>>> It "proofs" to me that there may be real value in a more user-friendly
>>> approach than the one offered by java.security.MessageDigest.
>>>
>>> So instead of writing:
>>>
>>> (let [...
>>>       nonce-as-bytes (.getBytes nonce)
>>>       created-as-bytes (.getBytes created)
>>>       secret-as-bytes (.getBytes secret)
>>>       digest (.digest
>>>                (doto (java.security.MessageDigest/getInstance "sha1")
>>>                  .reset
>>>                  (.update nonce-as-bytes)
>>>                  (.update created-as-bytes)
>>>                  (.update secret-as-bytes)))
>>>       …]
>>>
>>> my library lets you write:
>>>
>>> (let […
>>>       digest (md/digest :sha-1 :utf-8 nonce created secret)
>>>       …]
>>>
>>> and the advantages of the more functional approach are much more than just
>>> saving a few lines of code!
>>>
>>> Although it still needs some more work, any feedback on
>>> "https://github.com/franks42/clj.security.message-digest"
>>> is much appreciated.
>>>
>>> Regards, FrankS.
>>>
>>> On Mar 4, 2013, at 1:31 PM, larry google groups <lawrencecloj...@gmail.com>
>>> wrote:
>>>
>>>> I finally got this to work. Many thanks for all of the help that I was
>>>> given here.
>>>
>>>> The final, winning combination was:
>>>
>>>> (let [username (get-in @um/interactions [:omniture-api-credentials :username])
>>>>       secret (get-in @um/interactions [:omniture-api-credentials :shared-secret])
>>>>       random-number (math/round (* (rand 1 ) 1000000))
>>>>       nonce (DigestUtils/md5Hex (str random-number))
>>>>       nonce-encoded-base64 (base64-encode (.getBytes nonce))
>>>>       date-formatter (new SimpleDateFormat "yyyy-MM-dd'T'HH:mm:ss")
>>>>       created (.format date-formatter (new Date))
>>>>       nonce-as-bytes (.getBytes nonce)
>>>>       created-as-bytes (.getBytes created)
>>>>       secret-as-bytes (.getBytes secret)
>>>>       digest (.digest
>>>>                (doto (java.security.MessageDigest/getInstance "sha1")
>>>>                  .reset
>>>>                  (.update nonce-as-bytes)
>>>>                  (.update created-as-bytes)
>>>>                  (.update secret-as-bytes)))
>>>>       digest-base64 (base64-encode digest)
>>>>       header (apply str " UsernameToken Username=\"" username "\" PasswordDigest=\"" digest-base64 "\" Nonce=\"" nonce-encoded-base64 "\" Created=\"" created "\"")]
>>>>   header)
>>>
>>>> On Mar 4, 10:47 am, larry google groups <lawrencecloj...@gmail.com>
>>>> wrote:
>>>>> I have been having problems making an API call to Omniture. I have
>>>>> exchanged a dozen emails with a developer at Omniture, and he gave me
>>>>> the impression that I was constructing my security codes incorrectly.
>>>>> So now I am confronting my ignorance over how Java handles certain
>>>>> conversions.
>>>
>>>>> The developer at Omniture sent me this explanation in an email:
>>>
>>>>> " The security digest is formed from a sha1 hash of the following
>>>>> string concatenation:
>>>>> digest = sha1( Binary Nonce + Created Time String + API Secret Hex
>>>>> String (32 bytes) ) "
>>>
>>>>> I have been struggling with this for several days and I have tried at
>>>>> least (literally) 200 variations on this bit of code:
>>>
>>>>> (let [username (get-in @um/interactions [:omniture-api-credentials :username])
>>>>>       secret (get-in @um/interactions [:omniture-api-credentials :shared-secret])
>>>>>       nonce (DigestUtils/md5Hex (random-string 32))
>>>>>       nonce-encoded-base64 (Base64/encodeBase64 (.getBytes nonce))
>>>>>       date-formatter (new SimpleDateFormat "yyyy-MM-dd'T'HH:mm:ss'Z'")
>>>>>       created (.format date-formatter (new Date))
>>>>>       digest-as-string (apply str (.getBytes nonce) created secret)
>>>>>       digest (.digest (java.security.MessageDigest/getInstance "sha1")
>>>>>                       digest-as-string)
>>>>>       header (apply str " UsernameToken Username=\"" username "\" PasswordDigest=\"" digest "\" Nonce=\"" nonce-encoded-base64 "\" Created=\"" created "\"")]
>>>>>   header)
>>>
>>>>> This version gives me:
>>>
>>>>> "Exception in the main function: " #<ClassCastException
>>>>> java.lang.ClassCastException: java.lang.String cannot be cast to [B>
>>>
>>>>> For a long time I was using this for the last 3 lines:
>>>
>>>>> digest-as-string (apply str nonce created secret)
>>>>> digest (.digest (java.security.MessageDigest/getInstance "sha1")
>>>>>                 (.getBytes digest-as-string))
>>>>> header (apply str " UsernameToken Username=\"" username "\" PasswordDigest=\"" digest "\" Nonce=\"" nonce-encoded-base64 "\" Created=\"" created "\"")
>>>
>>>>> Here I wrapped the whole digest-as-string in (.getBytes) so there was
>>>>> no Java error, but this simply did not work when I pinged Omniture.
>>>
>>>>> In his email, he seems to suggest that the nonce should be binary but
>>>>> that the date and the secret should be strings:
>>>
>>>>> digest = sha1( Binary Nonce + Created Time String + API Secret Hex
>>>>> String (32 bytes) ) "
>>>
>>>>> But, as I said, when I tried this I got the ClassCastException.
>>>
>>>>> No doubt some of my confusion is due to my ignorance of Java.
>>>
>>>>> I was able to take their sample PHP code and get that to successfully
>>>>> ping their API, however, my company has an official policy of moving
>>>>> to the JVM, and of course I have a personal preference to work with
>>>>> Clojure. So I'd like to figure out how to get this to work in Clojure.
>>>>> (Needless to say that Omniture doesn't offer sample code in Clojure.)
>>>
>>>>> I have been using clj-http to make the actual POST calls to Omniture.
>>>>> Since I am on a Mac, I have been using the excellent Charles network
>>>>> debugger (http://www.charlesproxy.com/) to watch the actual posts
>>>>> being made. Everything looks correct, except that in the end the
>>>>> requests fail, apparently because the digest is malformed.
>>>
>>>>> Any suggestions?
>>>
>>>> --
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Clojure" group.
>>>> To post to this group, send email to clojure@googlegroups.com
>>>> Note that posts from new members are moderated - please be patient with
>>>> your first post.
>>>> To unsubscribe from this group, send email to
>>>> clojure+unsubscr...@googlegroups.com
>>>> For more options, visit this group at
>>>> http://groups.google.com/group/clojure?hl=en
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups
>>>> "Clojure" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>>> email to clojure+unsubscr...@googlegroups.com.
>>>> For more options, visit https://groups.google.com/groups/opt_out.
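
Added example, not part of the thread and not code from any participant or from the clj.security.message-digest library: the digest construction discussed above, with every part fed to SHA-1 as bytes, next to the string-concatenation form that produced the malformed digest. All function names are hypothetical; it assumes Java 8+ for java.util.Base64 and, as a further assumption the thread does not establish for Omniture, draws the nonce as raw bytes from a CSPRNG.

```clojure
;; Added example; function names are hypothetical, sample values are constructed.
(import '(java.security MessageDigest SecureRandom)
        '(java.util Base64))

(defn b64
  "Base64-encode a byte array to a String (java.util.Base64, Java 8+)."
  [^bytes bs]
  (.encodeToString (Base64/getEncoder) bs))

(defn password-digest
  "Base64(SHA-1(nonce-bytes || created || secret)). Each part reaches the
  digest as bytes; strings are encoded with an explicit charset rather than
  the platform default."
  [^bytes nonce ^String created ^String secret]
  (let [md (MessageDigest/getInstance "SHA-1")]
    (.update md nonce)
    (.update md (.getBytes created "UTF-8"))
    (.update md (.getBytes secret "UTF-8"))
    (b64 (.digest md))))

(defn broken-digest-input
  "What (apply str (.getBytes nonce) created secret) builds: str calls
  .toString on the byte array, which yields \"[B@<identity hash>\" instead of
  the nonce bytes, so the hashed input never matches what the server computes."
  [^String nonce created secret]
  (apply str (.getBytes nonce "UTF-8") created secret))

(defn new-nonce
  "16 bytes from SecureRandom (an assumption of this example; the thread
  derives its nonce from md5Hex of a random number)."
  []
  (let [bs (byte-array 16)]
    (.nextBytes (SecureRandom.) bs)
    bs))

(defn wsse-header
  "Header in the layout used in the thread. The same nonce bytes go into the
  digest and, Base64-encoded, into the Nonce field."
  [username secret created]
  (let [nonce (new-nonce)]
    (str "UsernameToken Username=\"" username "\""
         " PasswordDigest=\"" (password-digest nonce created secret) "\""
         " Nonce=\"" (b64 nonce) "\""
         " Created=\"" created "\"")))

;; Constructed sample values, not real credentials.
(let [created "2013-03-04T21:31:00"]
  (println (broken-digest-input "abc" created "s3cret"))
  (println (wsse-header "user:company" "0123456789abcdef0123456789abcdef" created)))
```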