Statically link applications with liboauth on Darwin/OSX

2010-06-24T20:28:42+00:00

The result of the Google Group discussion on statically linking an application with liboauth (and it's dependent libraries) here's a script that does it:

Download script

#!/bin/bash
TOPDIR=/tmp/oauth-static
test -d $TOPDIR && rm -rf $TOPDIR
mkdir -p $TOPDIR
cd $TOPDIR

##############################################################################
# download sources
curl -o openssl-1.0.0a.tar.gz http://www.openssl.org/source/openssl-1.0.0a.tar.gz
curl -o curl-7.20.1.tar.gz http://curl.haxx.se/download/curl-7.20.1.tar.gz
curl -o liboauth-0.8.8.tar.gz http://liboauth.sourceforge.net/pool/liboauth-0.8.8.tar.gz

tar xzf openssl-1.0.0a.tar.gz
tar xzf curl-7.20.1.tar.gz
tar xzf liboauth-0.8.8.tar.gz

##############################################################################
# OpenSSL
cd openssl-1.0.0a
./Configure darwin-i386-cc
make

##############################################################################
# libcURL
cd $TOPDIR/curl-7.20.1
CFLAGS="-arch i386" \
./configure --disable-shared --without-nss --disable-ldap \
            --with-ssl=$TOPDIR/openssl-1.0.0a
make

##############################################################################
# liboauth
cd $TOPDIR/liboauth-0.8.8

####### NOTE: this uses system-wide libz or '/path/to/libz.a'
LIBZ="-lz"
test -d /Users/hborders/xcode-workspaces/personal/pdk-samples/simple/mac/palm-i386 && \
LIBZ="/Users/hborders/xcode-workspaces/personal/pdk-samples/simple/mac/palm-i386/lib/libz.a"

###### NOTE configure wants PKG_CONFIG to be set even if it's N/A
PKG_CONFIG="`which pkg-config || which true`" \
CFLAGS="-arch i386" \
CURL_CFLAGS="-I$TOPDIR/curl-7.20.1/include" \
CURL_LIBS="$TOPDIR/curl-7.20.1/lib/.libs/libcurl.a $LIBZ" \
HASH_CFLAGS="-I$TOPDIR/openssl-1.0.0a/include" \
HASH_LIBS="$TOPDIR/openssl-1.0.0a/libcrypto.a  $TOPDIR/openssl-1.0.0a/libssl.a $LIBZ" \
./configure --disable-shared --disable-curl --enable-libcurl

#build it
make

#run self-tests
make check

##############################################################################
# print some info about the example binary
echo "example binary:"
file tests/oauthexample

echo "example binary's library dependencies:"
LDD="ldd"
which otool >/dev/null && LDD="otool -L"
$LDD tests/oauthexample

documentation, floss, www

OAuth

2010-06-24T20:13:57+00:00

oAuth

oAuth is an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.

liboauth provides functionality to encode URLs and sign requests according to the oAuth standard, implemented in compatible POSIX-C.

oauth-utils is a collection¹⁾ of command-line tools implementing an oAuth consumer.

Documentation

liboauth doxygen - Source Code Documentation
oauth-tools has a built-in –help

manual pages are available for both

Download

liboauth is now maintained at http://liboauth.sf.net/ - Thanks to sourceforge.
and http://oauth.googlecode.com/svn/code/c/liboauth/ - Thanks to google.

Source

liboauth browse git repository
oauth-utils browse git repository
oauth-utils-0.3.2.tar.gz oauth-utils source (incl. configure script, without debian folder)
devel snapshot latest version of oauth-utils source (including debian, requires autotools)

Build debian packages

git clone git://mir.dnsalias.com/liboauth
cd liboauth
git branch upstream 
#make maintainer-clean
git-buildpackage
#make check
cd .. && sudo dpkg -i liboauth*.deb

git clone git://mir.dnsalias.com/oauth-utils
cd oauth-utils
git branch upstream
#make maintainer-clean
git-buildpackage
#make check # connects to http://term.ie/oauth/example !
cd .. && sudo dpkg -i oauth-utils*.deb

oauthsign usage and example

Both oauthsign and oauthverify are documented in un*x manual pages. You may want to ~~consult~~ proof-read man oauth-utils as well.

usage examples
perform requests with fixed tokens

oauthsign -c consumer-key -C "" -t access-token -T token-secret 'http://example.org/?do=admin'
oauthsign -X -d "do=requesttoken" 'http://example.org/' consumer-key ""

debug oAuth parameters - print oauth base-string:

oauthsign -b -c consumer-key -C "" -t access-token -T token-secret 'http://example.org/?do=admin'

test server walk-through
see also example.sh below.

Get a request-token for the consumer key with consumer-secret secret from the server and save it to /tmp/test.oaf:

oauthsign -X -f /tmp/test.oaf -w -e -c key -C secret http://term.ie/oauth/example/request_token.php

Exchange this request-token for an access token and replace the token+secret in /tmp/test.oaf:

oauthsign -X -f /tmp/test.oaf -w http://term.ie/oauth/example/access_token.php

Perform some requests with the consumer and access token/secrets in same file:

oauthsign -x -f /tmp/test.oaf "http://term.ie/oauth/example/echo_api.php?method=foo%20bar&bar=baz"
oauthsign -x -f /tmp/test.oaf -d method=foo%20bar -d "bar=baz &test%" --post http://term.ie/oauth/example/echo_api.php

output of oauthsign –help

oauthsign - command line utilities for oauth
Usage: ./src/oauthsign [OPTION]... URL [CKey] [CSec] [TKey] [Tsec]
Options:
  -h, --help                  display this help and exit
  -V, --version               output version information and exit
  -q, --quiet, --silent       inhibit usual output
  -v, --verbose               print more information
  --no-warn                   dont print any warnings.

  -b, --base-string           print OAuth base-string and exit
  -B, --base-url              print OAuth base-URL and exit
  -r, --request <type>        HTTP request type (HEAD, PUT, POST, GET [default],..)
  -p, --post                  same as -r POST
  -d, --data <key>[=<val>]    add url query parameters.
  -m, --signature-method <m>  oauth signature method (PLAINTEXT,
                              RSA-SHA1, HMAC-SHA1 [default])

  -c, --CK, --consumer-key    <text>
  -C, --CS, --consumer-secret <text>
  -t, --TK, --token-key       <text>
  -T, --TS, --token-secret    <text>

  -a, --callback <url>        specify oauth_callback url (or 'oob') // 1.0 Rev A
  -A, --verifier <text>       specify oauth_verifier // 1.0 Rev A

  -f, --file <filename>       read tokens and secrets from config-file
  -w                          write tokens to config-file
  -F <filename>               set config-file name w/o reading the file.
  -x                          make HTTP request and return the replied content
  -X                          make HTTP request and parse the reply for tokens
                              use '-X -w' to request and store tokens.
  --dry-run                   take no real actions (with -x, -w or -X)
  -e, --erase-tokens          clear [access|request] tokens.
  -E, --erase-all             wipe all tokens and reset method to HMAC-SHA1.
  --erase-consumer-key        unset consumer-key
  --erase-consumer-secret     unset consumer-secret
  --erase-token-key           unset token-key
  --erase-token-secret        unset token-secret

  The position of parameters -d, -f, -F, -e, -E and all tokens matters!

  Tokens are read from file at the moment the -f option is parsed overriding
  the current value(s). Optional trailing key/secret params are parsed last.
  eg.
    '-f config.txt -e -C secret -F out.txt -w' reads the settings from file,
  then deletes the access/request tokens and finally overrides the consumer-
  secret. Only the consumer-key is left from config.txt and will be saved
  to out.txt along with the new secret. If -X is given and the HTTP request
  succeeds, the received token and secret will be stored as well.

  The request URL is constructed by first parsing all query-parameters from
  the URL; then -d parameters are added, and finally oauth_XYZ params
  appended.

doc/example.sh from oauth-utils

#!/bin/bash

CONFIGFILE=${1:-"./oauthconf"}

OAUTHSIGN=./src/oauthsign
if ! test -x $OAUTHSIGN; then
  OAUTHSIGN=../src/oauthsign
fi
if ! test -x $OAUTHSIGN; then
  OAUTHSIGN=$(which oauthsign)
fi
if ! test -x $OAUTHSIGN; then
  echo " oauthsign executable not found."
  exit 1
fi

# default config
OPT=""
CONKEY="key"
CONSEC="secret"
BASEURL="http://term.ie/oauth/example/"
DOPARAM=""
RQT="request_token.php"
ACT="access_token.php"
#AUT="authenticate.php?"
TST="echo_api.php"
TSQ="?method=foo%20bar&bar=baz"

#TODO: make these into config files and different tests.
if [ 1 == 0 ]; then     # test PLAINTEXT signature
  OPT="-m PLAINTEXT"
elif [ 1 == 0 ]; then   # test RSA-SHA1 signature
# NOTE: the way RSA-keys are passed to oauthsign
# will change in the future.
# so far oauthsign want a public key as CONSUMER SECRET
# and oauthverfiy expects a private key..
  OPT="-v -m RSA-SHA1"
  CONSEC="-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALRiMLAh9iimur8V
A7qVvdqxevEuUkW4K+2KdMXmnQbG9Aa7k7eBjK1S+0LYmVjPKlJGNXHDGuy5Fw/d
7rjVJ0BLB+ubPK8iA/Tw3hLQgXMRRGRXXCn8ikfuQfjUS1uZSatdLB81mydBETlJ
hI6GH4twrbDJCR2Bwy/XWXgqgGRzAgMBAAECgYBYWVtleUzavkbrPjy0T5FMou8H
X9u2AC2ry8vD/l7cqedtwMPp9k7TubgNFo+NGvKsl2ynyprOZR1xjQ7WgrgVB+mm
uScOM/5HVceFuGRDhYTCObE+y1kxRloNYXnx3ei1zbeYLPCHdhxRYW7T0qcynNmw
rn05/KO2RLjgQNalsQJBANeA3Q4Nugqy4QBUCEC09SqylT2K9FrrItqL2QKc9v0Z
zO2uwllCbg0dwpVuYPYXYvikNHHg+aCWF+VXsb9rpPsCQQDWR9TT4ORdzoj+Nccn
qkMsDmzt0EfNaAOwHOmVJ2RVBspPcxt5iN4HI7HNeG6U5YsFBb+/GZbgfBT3kpNG
WPTpAkBI+gFhjfJvRw38n3g/+UeAkwMI2TJQS4n8+hid0uus3/zOjDySH3XHCUno
cn1xOJAyZODBo47E+67R4jV1/gzbAkEAklJaspRPXP877NssM5nAZMU0/O/NGCZ+
3jPgDUno6WbJn5cqm8MqWhW1xGkImgRk+fkDBquiq4gPiT898jusgQJAd5Zrr6Q8
AO/0isr/3aa6O6NLQxISLKcPDk2NOccAfS/xOtfOz4sJYM3+Bs4Io9+dZGSDCA54
Lw03eHTNQghS0A==
-----END PRIVATE KEY-----"
fi

# read config file - override above settings
if [ -e $CONFIGFILE ]; then
 . $CONFIGFILE
fi

echo " --- oauthsign test and example"
echo " --- connecting to $BASEURL"

TOKENFILE=`mktemp /tmp/oauth.XXXXXXXXXX` || exit 1

function cleanup {
  rm $TOKENFILE
}
trap cleanup EXIT

echo " +++ getting request token.."
$OAUTHSIGN -X $OPT -f $TOKENFILE -w -e -c "$CONKEY" -C "$CONSEC" \
    "${BASEURL}${DOPARAM}${RQT}" \
    || ( echo " !!! no request token returned."; exit 1;) || exit 1;

if [ -n "$AUT" ]; then
  REQTOK=$(cat $TOKENFILE | awk '/oauth_token_key=(.*)/{ print substr($1,17);}')
  echo " +++ Authorization."
  echo "visit: ${BASEURL}${DOPARAM}${AUT}&oauth_token=${REQTOK}"
  echo -n "to authorize this request token and press enter.."
  read
  echo
fi

echo " +++ exchanging request token for access token"
$OAUTHSIGN -X $OPT -f $TOKENFILE -w --quiet "${BASEURL}${DOPARAM}${ACT}" \
    || ( echo " !!! token exchange failed"; exit 1;) || exit 1;

echo " +++ making test request.."
$OAUTHSIGN -x $OPT -f $TOKENFILE "${BASEURL}${TST}${TSQ}" \
    || ( echo " !!! test request failed"; exit 1;) || exit 1

#echo " +++ and another one with parameter-arrays"
#$OAUTHSIGN -x -f $TOKENFILE -d "foo=bar bar" \
#    -d 'bar[1]=foo&%bar' -d 'bar[0]=bar#+b a r' --post \
#    "${BASEURL}${TST}" \
#    || ( echo " !!! test request failed"; exit 1;) || exit 1

exit 0

Note: As shown in above example RSA-keys can currently be given instead of a consumer-secret (public-key for oauthsign, private-key for oauthverify). This is going to change. Future versions may use –rsa-private, –rsa-public and also provide for reading the key from file.

oauthverify usage and example

oauthverify is the counter-part and very similar to oauthsign: It parses all request-parameters (those appended to the URL after a '?' and the ones given to oauthverify with -d command line option) one of which must be the oauth_signature to verify.

To recalculate the signature the consumer (and token) secrets must be specified (fi. -C and -T) or read from file. If a consumer-key, token-key or signature-method is set (eg. -c or -t, -m), they're required to match the ones in the parsed request-parameters. You can use –erase-consumer-key etc. to relax such a requirement when reading tokens along with the secrets from a file.

If the signature is correct and if the consumer/token key matches the given parameters (if any) oauthverify exits with a status code indicating success and prints the parsed request-parameters formatted as POST parameters (more output options to come: –print0 or -0, JSON is the contender)

Note that oauthverify does not keep track of consumers, token-mappings, timestamps and nonce (never more than once) identifiers. If the signature matches it prints them for others to use.

oauthverify -C secret `oauthsign -c key -C secret http://example.org`

Resources

dokuoauth - DokuWiki OAuth plugin
RFC 5849 – OAuth specs
http://www.marcworrell.com/article-2943-en.html - OAuth URI encoding
~~http://oauth-sandbox.mediamatic.nl/ - testsandbox~~
http://term.ie/oauth/example/ - test server
How to statically link liboauth with your app.

FLOSS, WWW

¹⁾ so far there's only oauthsign, oauthverify and an example shell script. other utils eg. oauthrawpost are in the making. see also mediamatic-picnic oAuth tools

rg42.org aka. Robin Gareus oss:oauth