From f060b5a6e4cf45b332ddd5259a1e6d2b093dd1c5 Mon Sep 17 00:00:00 2001
From: joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>
Date: Mon, 29 Jan 2007 20:34:18 +0000
Subject: start on debugging this

---
 doc/bugs/Error:_OpenID_failure:_time_bad_sig:.mdwn | 24 ++++++++++++++++++++++
 1 file changed, 24 insertions(+)


diff --git a/doc/bugs/Error:_OpenID_failure:_time_bad_sig:.mdwn b/doc/bugs/Error:_OpenID_failure:_time_bad_sig:.mdwn
index fe09701a0..98689d53c 100644
--- a/doc/bugs/Error:_OpenID_failure:_time_bad_sig:.mdwn
+++ b/doc/bugs/Error:_OpenID_failure:_time_bad_sig:.mdwn
@@ -11,4 +11,28 @@ and [myopenid.com](http://www.myopenid.com/) servers I use.
 I'm reporting this, but I'm not sure whether a problem is with your
 ikiwiki or my OpenID servers. --Pawel
 
+> I've seen this too, once or twice (using myopenid), and reauthenticating
+> fixed it -- so I can't reproduce it reliably to work on it. I think I've
+> seen it both on this wiki and on the one running on my laptop.
+> 
+> The perl openid client module seems
+> to fail with time_bad_sig if the time in the signature from the other end
+> is "faked". I'm not 100% sure what this code does yet:
 
+	# check age/signature of return_to
+	my $now = time();
+	{
+		my ($sig_time, $sig) = split(/\-/, $self->args("oic.time") || "");
+		# complain if more than an hour since we sent them off
+		return $self->_fail("time_expired")   if $sig_time < $now - 3600;
+		# also complain if the signature is from the future by more than 30 seconds,
+		# which compensates for potential clock drift between nodes in a web farm.
+		return $self->_fail("time_in_future") if $sig_time - 30 > $now;
+		# and check that the time isn't faked
+		my $c_secret = $self->_get_consumer_secret($sig_time);
+		my $good_sig = substr(OpenID::util::hmac_sha1_hex($sig_time, $c_secret), 0, 20);
+		return $self->_fail("time_bad_sig") unless $sig eq $good_sig;
+	}
+
+> At least it doesn't seem to be a time sync problem since the test for too
+> early/too late times have different error messages.. --[[Joey]]