<div dir="ltr">How you have encoded your private key could be crucial.<br><br>You will note that the RSAUtils...() methods that accept string keys assume that these are provided as base64 encoded. It's been a while since I worked with them but I believe the PCKS#8 format uses octet strings and you cannot just substitute one for the other. You would first have to Hex2Bin() the octet string then base64 encode the result.<br>
<br>This may seem a bit "round the houses", but bear in mind that the code Cameron has shared was never intended as a general purpose wrapper for OAuth.<br><br>As for validating signatures, this is a tricky exercise. There are some online resources that you can use to generate signatures which you could use to compare your signatures with other results, but I didn't find these to be much use. It's easy to tell that your signature is wrong. It's all but impossible to figure out /why/.<br>
<br><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 8 July 2014 15:32, Robert Martin <span dir="ltr"><<a href="mailto:rob@chreos.co.nz" target="_blank">rob@chreos.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Brilliant !<br>
<br>
I am almost there. My test code, shown below, now runs but
returns
'oauth_problem=signature_invalid&oauth_problem_advice=Failed%20to%20validate%20signature'<br>
<br>
<br>
<br>
var<br>
HTTPStream : TStringStream;<br>
FormParams : TStringList;<br>
URL : AnsiString;<br>
HTTPResonse : AnsiString;<br>
begin<br>
FormParams := TStringList.Create;<br>
HTTPStream := TStringStream.Create('');<br>
try<br>
URL := '<a href="https://api.xero.com/api.xro/2.0/TaxRates" target="_blank">https://api.xero.com/api.xro/2.0/TaxRates</a>';<br>
<br>
try<br>
OAuthSignRequest(fIdHTTP.Request, 'TaxRates', URL,
FormParams);<br>
fIdHTTP.Get(URL, HTTPStream);<br>
except<br>
on e : EIdHTTPProtocolException do begin<br>
Memo1.Text := e.ErrorMessage;<br>
end;<br>
end;<br>
HTTPStream.Position := 0;<br>
HTTPResonse := HTTPStream.ReadString(HTTPStream.Size);<br>
<br>
if (HTTPResonse <> '') then begin<br>
Memo1.Text := HTTPResonse;<br>
end;<br>
finally<br>
HTTPStream.Free;<br>
FormParams.Free;<br>
end;<br>
<br>
<br>
//This is all the code in OAuthSignRequest(...)<br>
classFloOAuth.OAuthSignRequest(aRequest, aMethod, aURL,
aFormParams, fConsumerKey, fConsumerKey, PRIVATE_KEY);<br>
<br>
<br>
For my private key, I have opened xero_privatekey.pcks8 and set it
up as a constant (without header, footer and Carriage returns)<br>
<br>
<br>
I guess there is some sort of problem with either my Encoding or
my Private key (Which comes from xero_privatekey.pcks8, created by
OPenSSL as per xero instructions). I suspect its the encoding and
have rechecked the code, I discovered a number of places doing a
UTF8Encode() on string values which I had changed to AnsiString,
so I have changed them where appropriate to UTF8String.<br>
<br>
Do you my any change know if there is an easy way to validate me
signature? <br>
<br>
Cheers<br>
Rob<div><div class="h5"><br>
<br>
<br>
On 8/07/2014 2:45 p.m., Jolyon Smith wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr"><span style="color:rgb(121,121,121);font-family:Helvetica,sans-serif;font-size:15px;line-height:22px">From
the Xero API docs site:<br>
<br>
</span>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span style="color:rgb(121,121,121);font-family:Helvetica,sans-serif;font-size:15px;line-height:22px">Once
you have added a private app you will be given a consumer
key to use. <b>The consumer key is also used as the access
token. The consumer secret is not used for private apps</b>.</span></blockquote>
<div><span style="color:rgb(121,121,121);font-family:Helvetica,sans-serif;font-size:15px;line-height:22px"><br>
</span></div>
<div><font color="#797979" face="Helvetica, sans-serif"><span style="font-size:15px;line-height:22px">In the original
implementation from which the sample code was provided,
the application allows for Consumer Key, Access Token,
Consumer Secret and App Secret all to be configured
separately if/as required, and whatever is configured is
then passed to the request signing method. This was to
support potential OAuth based API's other than Xero which
might not necessarily employ the same rules.</span></font></div>
<div><font color="#797979" face="Helvetica, sans-serif"><span style="font-size:15px;line-height:22px"><br>
</span></font></div>
<div><font color="#797979" face="Helvetica, sans-serif"><span style="font-size:15px;line-height:22px">i.e in that
application the Consumer Key and Token are configured with
the same value.</span></font></div>
<div><font color="#797979" face="Helvetica, sans-serif"><span style="font-size:15px;line-height:22px"><br>
</span></font></div>
<div><font color="#797979" face="Helvetica, sans-serif"><span style="font-size:15px;line-height:22px">In your case, for
a Xero private app, use the overload which does not
require any Consumer Secret but only Consumer Key, Token
(for Xero, using the same value as the Consumer Key) and
your application Private Key.</span></font></div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On 8 July 2014 14:14, Robert Martin <span dir="ltr"><<a href="mailto:rob@chreos.co.nz" target="_blank">rob@chreos.co.nz</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Hi Joylon<br>
<br>
Thanks for that. I will make it ANSI. Before I do I
have a couple of extra questions, hopefully that will be
it....<br>
<br>
I assume conkey and consecret are my consumer public
& private keys. However I am unsure about tok
(which I assume is a public token). In a public app I
would be assigned a token as part of the login process,
where do I get this from for a private login? Is it my
apps name?<br>
<br>
Cheers<br>
Rob
<div><br>
<br>
On 8/07/2014 12:56 p.m., Jolyon Smith wrote:<br>
</div>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>You can ignore the ProcessTags() calls -
essentially they just do variable substitution
within the strings involved.<br>
<br>
</div>
There is no login for private Xero apps, which are
tied to a specific Xero organisation. Â You need to
setup your application on the Xero API end for that
specific organisation, to generate the required key
and secrets etc which you use to do the signing of
your requests.<br>
<br>
<br>
<div>w.r.t Unicode, the code was written for
deployment with a pre-Unicode Delphi compiler.
 Some of the code was either written for or adapted
from libraries which were or had been ANSI-fied to
ensure consistent behaviour for use with Unicode
versions of Delphi, but the remaining code otherwise
assumes ANSI strings. Â If you are using a Unicode
Delphi version you should change <b>all </b>declarations
to ANSIString to maintain the intended behaviour and
be careful of implicit string conversions when
making calls into the routines.
<div><br>
<br>
To make it properly Unicode enabled may involve
more significant change than that.
<div><br>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">
<div>On 8 July 2014 11:43, Robert Martin <span dir="ltr"><<a href="mailto:rob@chreos.co.nz" target="_blank">rob@chreos.co.nz</a>></span>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Hi Cameron <br>
<br>
Sorry to bug you but.... I have the code
installed and compiling however I am a bit
unsure as to the process involved.<br>
<br>
For Public apps you go through a process of
logging in and getting a token. <br>
<div> <br>
For private applications do you just call
the API you want and encode the call using
'OAuthSignRequest(fHTTP.Request, 'POST',
lURL);' or do you need to do some sort of
log in as well?<br>
<br>
In the OAuthSignRequest method there are
calls to a function called ProcessTags( as
below...<br>
<br>
</div>
  conkey   :=
ProcessTags(OAuthConsumerKey,   Locals,
Partner);<br>
   consecret :=
ProcessTags(OAuthConsumerSecret, Locals,
Partner);<br>
   tok      :=
ProcessTags(OAuthTokenKey,      Locals,
Partner);<br>
   toksecret :=
ProcessTags(OAuthTokenSecret,   Locals,
Partner);<br>
<br>
I guess this function would be in the
classFloCommon.pas (not included) that we 'can
easily replace'. Unfortunately I have no
idea what this function does or what its
inputs are asside from it returning a string
and that all the parameters are globals !Â
Any hints?
<div><br>
<br>
Sorry to be a pain but this OAuth stuff is
like pulling teeth. <br>
<div> <br>
<br>
Cheers<br>
Rob<br>
<br>
<br>
<br>
On 8/07/2014 9:54 a.m., Cameron Hart
wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">this
code has been shared with Xero a
while ago on their forum.Â
there’s a copy on <a href="ftp://ftp.flow.net.nz/RELEASE/Code/" target="_blank">ftp://ftp.flow.net.nz/RELEASE/Code/</a></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Â </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Â </span></p>
<div>
<table style="width:525.0pt" cellpadding="0" width="700" border="0">
<tbody>
<tr style="height:26.25pt">
<td colspan="4" style="padding:0cm 0cm 0cm 0cm;height:26.25pt">
<p class="MsoNormal"><b><span>Cameron
Hart </span></b><span></span></p>
</td>
</tr>
<tr>
<td style="width:17.25pt;padding:0cm 0cm 0cm 0cm" width="23"><br>
</td>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><b><span>Flow
Software Limited </span></b><span></span></p>
</td>
<td rowspan="4" style="width:3.75pt;padding:0cm 0cm 0cm 0cm" valign="bottom" width="5">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><img src="cid:part4.04040100.00000508@chreos.co.nz" width="1" border="0" height="55"></span><span></span></p>
</td>
<td style="padding:0cm 0cm 0cm 0cm"><br>
</td>
<td style="padding:0cm 0cm 0cm 0cm"><br>
</td>
<td rowspan="4" style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><img src="cid:part5.09090108.02090400@chreos.co.nz" alt="Flow" width="158" border="0" height="38"></span><span></span></p>
</td>
</tr>
<tr>
<td style="padding:0cm 0cm 0cm 0cm"><br>
</td>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><span>PO
Box 302 768, North Harbour
</span><span></span></p>
</td>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><b><span>P
</span></b><span></span></p>
</td>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><span>+64
9 476 3569</span><span></span></p>
</td>
</tr>
<tr>
<td style="padding:0cm 0cm 0cm 0cm"><br>
</td>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><span>Auckland
0751, New Zealand </span><span></span></p>
</td>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><b><span>M
</span></b><span></span></p>
</td>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><span>+64
21 222 3569 </span><span></span></p>
</td>
</tr>
<tr>
<td style="padding:0cm 0cm 0cm 0cm"><br>
</td>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a href="http://www.flowsoftware.co.nz" target="_blank"><span>www.flowsoftware.co.nz
</span></a></span><span></span></p>
</td>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><b><span>E
</span></b><span></span></p>
</td>
<td style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a href="mailto:cameron.hart@flowsoftware.co.nz" target="_blank"><span>cameron.hart@flowsoftware.co.nz
</span></a></span><span></span></p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Â </span><span></span></p>
<div>
<table style="width:487.5pt" cellpadding="0" width="650" border="0">
<tbody>
<tr style="height:26.25pt">
<td style="padding:0cm 0cm 0cm 0cm;height:26.25pt">
<p class="MsoNormal"><span>This
message is intended for
the addressee named above.
It may contain privileged
or confidential
information. If you are
not the intended recipient
of this message you must
not use, copy, distribute
or disclose it to anyone.
</span> <span></span></p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Calibri","sans-serif";color:#92c75f">Â </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
</span><span style="font-size:8.0pt;font-family:Webdings;color:#92c75f">P</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
</span><span>Please consider the
environment before printing this
email</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
</span><span></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Â </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Â </span></p>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" lang="EN-US">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" lang="EN-US"> <a href="mailto:delphi-bounces@listserver.123.net.nz" target="_blank">delphi-bounces@listserver.123.net.nz</a>
[<a href="mailto:delphi-bounces@listserver.123.net.nz" target="_blank">mailto:delphi-bounces@listserver.123.net.nz</a>]
<b>On Behalf Of </b>Jolyon Smith<br>
<b>Sent:</b> Tuesday, 8 July 2014
9:14 a.m.<br>
<b>To:</b> NZ Borland Developers
Group - Delphi List<br>
<b>Subject:</b> Re: [DUG] Xero
private API (OAuth)</span></p>
</div>
<p class="MsoNormal">Â </p>
<div>
<p class="MsoNormal">This was a nut I
had to crack at Flow. Â I was
successful in this endeavour but I'm
not at liberty to share the fruits
of those labors. Â If you ask nicely
however, Cameron might be willing to
help.</p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Â </p>
<div>
<div>
<p class="MsoNormal">On 8 July
2014 08:52, Robert Martin <<a href="mailto:rob@chreos.co.nz" target="_blank">rob@chreos.co.nz</a>>
wrote:</p>
</div>
<div>Hi<br>
<br>
I have been doing some work with
the Xero API and have public OAuth<br>
</div>
working fine. Â However I actually
need to use the private API which<br>
requires RSA-SHA1 Â which I believe
just means RSA signing. Â Is that
correct?
<div><br>
<br>
If so does anyone have any code
examples of RSA signing, I have
found<br>
LockBox 3 which is supposed to do
it but I just cant get it
installed,<br>
although the source has a XE2
project group the code is full of
errors !<br>
<br>
I am looking at using the openSLL
dll calls to do it myself as an<br>
alternative but sample code is
scarce. I will continue looking
but if<br>
anyone has any pointers I would be
grateful :)<br>
<br>
Cheers<br>
Rob<br>
<br>
_______________________________________________<br>
NZ Borland Developers Group -
Delphi mailing list<br>
Post: <a href="mailto:delphi@listserver.123.net.nz" target="_blank">delphi@listserver.123.net.nz</a><br>
Admin: <a href="http://delphi.org.nz/mailman/listinfo/delphi" target="_blank">http://delphi.org.nz/mailman/listinfo/delphi</a><br>
Unsubscribe: send an email to <a href="mailto:delphi-request@listserver.123.net.nz" target="_blank">
delphi-request@listserver.123.net.nz</a>
with Subject: unsubscribe</div>
</div>
<p class="MsoNormal">Â </p>
</div>
</div>
<div> <br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
NZ Borland Developers Group - Delphi mailing list
Post: <a href="mailto:delphi@listserver.123.net.nz" target="_blank">delphi@listserver.123.net.nz</a>
Admin: <a href="http://delphi.org.nz/mailman/listinfo/delphi" target="_blank">http://delphi.org.nz/mailman/listinfo/delphi</a>
Unsubscribe: send an email to <a href="mailto:delphi-request@listserver.123.net.nz" target="_blank">delphi-request@listserver.123.net.nz</a> with Subject: unsubscribe</pre>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
</div>
<div>
<div>
<p color="#000000" align="left">No virus
found in this message.<br>
Checked by AVG - <a href="http://www.avg.com" target="_blank">www.avg.com</a><br>
Version: 2014.0.4716 / Virus Database:
3986/7813 - Release Date: 07/07/14</p>
</div>
</div>
</blockquote>
<br>
</div>
<div> <br>
_______________________________________________<br>
NZ Borland Developers Group - Delphi mailing
list<br>
Post: <a href="mailto:delphi@listserver.123.net.nz" target="_blank">delphi@listserver.123.net.nz</a><br>
Admin: <a href="http://delphi.org.nz/mailman/listinfo/delphi" target="_blank">http://delphi.org.nz/mailman/listinfo/delphi</a><br>
Unsubscribe: send an email to <a href="mailto:delphi-request@listserver.123.net.nz" target="_blank">delphi-request@listserver.123.net.nz</a>
with Subject: unsubscribe<br>
</div>
</blockquote>
</div>
<br>
</div>
<div> <br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
NZ Borland Developers Group - Delphi mailing list
Post: <a href="mailto:delphi@listserver.123.net.nz" target="_blank">delphi@listserver.123.net.nz</a>
Admin: <a href="http://delphi.org.nz/mailman/listinfo/delphi" target="_blank">http://delphi.org.nz/mailman/listinfo/delphi</a>
Unsubscribe: send an email to <a href="mailto:delphi-request@listserver.123.net.nz" target="_blank">delphi-request@listserver.123.net.nz</a> with Subject: unsubscribe</pre>
<br>
<fieldset></fieldset>
<br>
<p color="#000000" align="left">No virus found in this
message.<br>
Checked by AVG - <a href="http://www.avg.com" target="_blank">www.avg.com</a><br>
Version: 2014.0.4716 / Virus Database: 3986/7813 -
Release Date: 07/07/14</p>
</div>
</blockquote>
<br>
</div>
<br>
_______________________________________________<br>
NZ Borland Developers Group - Delphi mailing list<br>
Post: <a href="mailto:delphi@listserver.123.net.nz" target="_blank">delphi@listserver.123.net.nz</a><br>
Admin: <a href="http://delphi.org.nz/mailman/listinfo/delphi" target="_blank">http://delphi.org.nz/mailman/listinfo/delphi</a><br>
Unsubscribe: send an email to <a href="mailto:delphi-request@listserver.123.net.nz" target="_blank">delphi-request@listserver.123.net.nz</a>
with Subject: unsubscribe<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
NZ Borland Developers Group - Delphi mailing list
Post: <a href="mailto:delphi@listserver.123.net.nz" target="_blank">delphi@listserver.123.net.nz</a>
Admin: <a href="http://delphi.org.nz/mailman/listinfo/delphi" target="_blank">http://delphi.org.nz/mailman/listinfo/delphi</a>
Unsubscribe: send an email to <a href="mailto:delphi-request@listserver.123.net.nz" target="_blank">delphi-request@listserver.123.net.nz</a> with Subject: unsubscribe</pre>
<br>
<fieldset></fieldset>
<br>
<p color="#000000" align="left">No virus
found in this message.<br>
Checked by AVG - <a href="http://www.avg.com" target="_blank">www.avg.com</a><br>
Version: 2014.0.4716 / Virus Database: 3986/7813 - Release Date:
07/07/14</p>
</blockquote>
<br>
</div></div></div>
<br>_______________________________________________<br>
NZ Borland Developers Group - Delphi mailing list<br>
Post: <a href="mailto:delphi@listserver.123.net.nz">delphi@listserver.123.net.nz</a><br>
Admin: <a href="http://delphi.org.nz/mailman/listinfo/delphi" target="_blank">http://delphi.org.nz/mailman/listinfo/delphi</a><br>
Unsubscribe: send an email to <a href="mailto:delphi-request@listserver.123.net.nz">delphi-request@listserver.123.net.nz</a> with Subject: unsubscribe<br></blockquote></div><br></div>