Sin ley

Blog on Ruby, AWS, Mono, .NET...

Fun with google-sharp

The latest version of F-spot uses google-sharp to export pictures to Picasa Web. Some users reported that it didn't work for them, and it seemed that the creative use I was making of HttpWebRequest was the culprit.

Ideally, we should do what the Picasa2 client does on Windows, but there's no information available on that. The problem is that the authentication takes place over HTTPS, and I needed to figure out a way of getting at the unencrypted data. Sebastien, our cryptoman, suggested looking for something that overrides the winsock2 SSL layer, but I couldn't find anything. So he suggested using WebScarab, a Java web application review tool. I downloaded the jar and ran the program like:

$ java -jar webscarab-selfcontained-20060718-1904.jar

This thing is really nice for debugging web applications. One of the goodies is that it works as a web proxy and can show you the unencrypted data that goes over HTTPS. How?

  • It creates one encrypted connection to the server.
  • It creates one encrypted connection to the client. This one uses a self-signed certificate for the server side.

The data that comes from the client or the server is first decrypted and then encrypted again over the other connection. The pitfall is that the connection to the client uses a self-signed certificate.

I started a proxy on port 3128 and pointed the Windows computer at it. Then I ran Picasa and tried to log in to Picasa Web. No luck. Picasa2 didn't like the self-signed certificate it got. I tried installing the self-signed certificate in the trusted roots store, but still couldn't get it to work.

I decided to use XSP and did the following:

  • Set up a certificate following the instructions on the Mono site. This certificate had 'CN=www.google.com' and 'O=Google Inc'. Not that it matters, but just in case they were only checking those values.
  • Copied Picasa2.exe to Linux, overwriting the one installed from the RPMs, which does not support Picasa Web uploading.
  • Added this line to /etc/hosts:
    127.0.0.1   www.google.com
  • Modified XSP a little to display all the request data it got, and ran it as root:
    # xsp --https --port 443 --p12file yo.p12 --pkpwd secret

When I ran Picasa and tried to log in to Picasa Web, it connected to XSP and I was finally able to see how they were authenticating. The two interesting URLs were:

  • https://www.google.com/accounts/ClientAuth
    Posting the user name and password here gives back an LSID and a SID value.
  • https://www.google.com/accounts/IssueAuthToken
    Posting the SID, LSID and service name (lh2 for Picasa Web) gives us an AuthToken.

Now that we've got the AuthToken, we just need to append it to the query string as auth=AuthToken when fetching the Picasa Web API information from http://picasaweb.google.com/api/urls?version=1. If you GET that URL without the AuthToken, you only get the read-only stuff; adding the AuthToken also gives you the post value, which is the URL used when sending commands to the server, and a cookie that should be used for the rest of the session to prove that you're authorized.
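The three-step flow above, as an added example that is not google-sharp's code: a client that runs the two POSTs and the GET over an injected transport, paired with a constructed stand-in for the Google side so it runs offline. The form field names (Email, Passwd, SID, LSID, service), the KEY=value response format, the cookie name and the api/urls body are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

CLIENT_AUTH = "https://www.google.com/accounts/ClientAuth"
ISSUE_TOKEN = "https://www.google.com/accounts/IssueAuthToken"
API_URLS = "http://picasaweb.google.com/api/urls?version=1"

def parse_kv(body):
    """Parse 'KEY=value' lines (assumed response format) into a dict."""
    pairs = (line.split("=", 1) for line in body.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def login(user, password, post, get):
    """Two POSTs and one GET; post(url, form) -> body, get(url) -> (body, headers)."""
    ids = parse_kv(post(CLIENT_AUTH, {"Email": user, "Passwd": password}))
    if "SID" not in ids or "LSID" not in ids:
        raise PermissionError("ClientAuth did not return SID and LSID")
    token = post(ISSUE_TOKEN, {"SID": ids["SID"], "LSID": ids["LSID"],
                               "service": "lh2"}).strip()
    if not token:
        raise PermissionError("IssueAuthToken returned no AuthToken")
    body, headers = get(f"{API_URLS}&auth={token}")  # auth=AuthToken on the query string
    return {"auth": token, "post": parse_kv(body).get("post"),
            "cookie": headers.get("Set-Cookie")}

class FakeGoogle:
    """Constructed stand-in for the two accounts endpoints and api/urls."""
    def __init__(self, user, password):
        self.user, self.password = user, password
        self.sessions, self.tokens = set(), set()
    def post(self, url, form):
        if url == CLIENT_AUTH:
            if (form.get("Email"), form.get("Passwd")) != (self.user, self.password):
                return "Error=BadAuthentication"
            sid, lsid = secrets.token_hex(8), secrets.token_hex(8)
            self.sessions.add((sid, lsid))
            return f"SID={sid}\nLSID={lsid}\n"
        if url == ISSUE_TOKEN:
            if (form.get("SID"), form.get("LSID")) not in self.sessions or form.get("service") != "lh2":
                return ""
            token = secrets.token_hex(8)
            self.tokens.add(token)
            return token
    def get(self, url):
        auth = parse_qs(urlsplit(url).query).get("auth", [None])[0]
        body = "version=1\n"  # read-only information comes back without a token
        if auth in self.tokens:  # the post URL and session cookie need a valid token
            return body + "post=http://picasaweb.google.com/api/post\n", {"Set-Cookie": "lh=" + auth}
        return body, {}
```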

The authentication process now requires 2 POSTs and 1 GET, whereas before it was trying to emulate a web browser and went through a bunch of redirections with lots of cookies being set and unset. Oh, and now google-sharp works on Windows with the MS runtime too!
