The latest version of F-spot uses google-sharp to export pictures to Picasa Web. Some users reported that it didn't work for them, and it seemed like the creative use I was making of HttpWebRequest was the culprit.
Ideally, we should do what the Picasa2 client does on Windows, but there's no information available on that. The problem is that the authentication takes place over HTTPS, and I needed to figure out a way of getting at the unencrypted data. Sebastien, our cryptoman, suggested looking for something that overrides the winsock2 SSL layer, but I couldn't find anything. So he suggested using WebScarab, a Java web application review tool. I downloaded the jar and ran the program like this:
$ java -jar webscarab-selfcontained-20060718-1904.jar
This thing is really nice for debugging web applications. One of the goodies is that it works as a web proxy and can show you the unencrypted data that goes over HTTPS. How?
- It creates one encrypted connection to the server.
- It creates one encrypted connection to the client. On this one it plays the server side, using a self-signed certificate.
The data that comes from the client or the server is first decrypted and then encrypted again over the other connection. The pitfall is that the connection to the client uses a self-signed certificate.
I started a proxy on port 3128 and then made the Windows computer point at it. Then I ran Picasa and tried to log in to Picasa Web. No luck. Picasa2 didn't like the self-signed certificate that it got. I tried installing the self-signed certificate in the trusted roots store, but still couldn't get it to work.
I decided to use XSP and did the following:
When I ran Picasa and tried to log in to Picasa Web, it connected to XSP and I was finally able to see how they were authenticating. The two interesting URLs were:
- https://www.google.com/accounts/ClientAuth
Posting the username and password here gives us back an LSID and a SID value.
- https://www.google.com/accounts/IssueAuthToken
Posting the SID, the LSID and the service name (lh2 for Picasa Web) gives us an AuthToken.
Now that we've got the AuthToken, we just need to append it to the query string as auth=AuthToken when getting the Picasa Web API information from http://picasaweb.google.com/api/urls?version=1. If you fetch that URL without the AuthToken, you only get the read-only URLs; adding the AuthToken also gives you the post value, which is the URL used when sending commands to the server, and a cookie that has to be sent for the rest of the session to prove that you're authorized.
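As an added illustration (not google-sharp's code, and not Google's), here is the three-step login above written as a small client with the HTTP transport injected, so it runs offline against a constructed fake of the three endpoints. The parameter names Email/Passwd, the KEY=value response format, the Set-Cookie header and all token values are assumptions; the post only documents the URLs, the lh2 service name and the auth= query parameter.

```python
from urllib.parse import parse_qs, urlparse

CLIENT_AUTH = "https://www.google.com/accounts/ClientAuth"
ISSUE_TOKEN = "https://www.google.com/accounts/IssueAuthToken"
API_URLS = "http://picasaweb.google.com/api/urls?version=1"


def parse_kv(body):
    """Parse 'KEY=value' lines into a dict (assumed response format)."""
    return dict(line.split("=", 1) for line in body.splitlines() if "=" in line)


def login(transport, user, password):
    """Do the 2 POSTs + 1 GET and return (post_url, session_cookie).
    transport(method, url, form_dict_or_None) -> (body, headers)."""
    body, _ = transport("POST", CLIENT_AUTH, {"Email": user, "Passwd": password})
    ids = parse_kv(body)                      # gives back SID and LSID
    body, _ = transport("POST", ISSUE_TOKEN,
                        {"SID": ids["SID"], "LSID": ids["LSID"], "service": "lh2"})
    token = body.strip()                      # the AuthToken
    body, headers = transport("GET", API_URLS + "&auth=" + token, None)
    urls = parse_kv(body)                     # only has 'post' when authenticated
    cookie = headers.get("Set-Cookie", "").split(";", 1)[0]  # value, minus attributes
    return urls["post"], cookie


# Constructed fake of the three endpoints; hypothetical values, not Google's behaviour.
def fake_transport(method, url, data):
    if method == "POST" and url == CLIENT_AUTH:
        if data != {"Email": "alice", "Passwd": "secret"}:
            raise PermissionError("bad credentials")
        return "SID=sid123\nLSID=lsid456\n", {}
    if method == "POST" and url == ISSUE_TOKEN:
        if (data["SID"], data["LSID"], data["service"]) != ("sid123", "lsid456", "lh2"):
            raise PermissionError("bad session ids or service")
        return "TOKEN789", {}
    if method == "GET" and url.startswith(API_URLS):
        query = parse_qs(urlparse(url).query)
        if query.get("auth") != ["TOKEN789"]:
            return "feed=http://picasaweb.google.com/feed\n", {}      # read-only view
        return ("feed=http://picasaweb.google.com/feed\n"
                "post=http://picasaweb.google.com/post\n",
                {"Set-Cookie": "lh=abc; Path=/"})
    raise ValueError("unexpected request: %s %s" % (method, url))


if __name__ == "__main__":
    print(login(fake_transport, "alice", "secret"))
```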
The authentication process now requires 2 POSTs and 1 GET, whereas before it was trying to emulate a web browser, following a bunch of redirections with lots of cookies being set and unset. Oh, and now google-sharp works on Windows with the MS runtime too!