Validating signed requests in C#

I'm trying to validate incoming signed requests in my C# server. The requests comes from a social platform(naver). All I get from them is a certificate(below).

I'm using DevDefinedOAuth

http://code.google.com/p/devdefined-tools/

They have a wiki article on this subject.

http://code.google.com/p/devdefined-tools/wiki/OAuthSignatureValidation

and Here's my code:

        public static bool isValidRequest2( HttpListenerRequest request )
        {
            X509Certificate2 cert = new X509Certificate2();
            cert.Import( Encoding.ASCII.GetBytes(
@"-----BEGIN CERTIFICATE-----
MIICqDCCAhGgAwIBAgIJANDx5Es1s04zMA0GCSqGSIb3DQEBBQUAMG0xCzAJBgNV
BAYTAktSMQowCAYDVQQIDAEgMQowCAYDVQQHDAEgMQwwCgYDVQQKDANOSE4xEjAQ
BgNVBAsMCUNvbW11bml0eTESMBAGA1UEAwwJbmF2ZXIuY29tMRAwDgYJKoZIhvcN
AQkBFgEgMB4XDTEwMDYxNDA1MzAzNVoXDTExMDYxNDA1MzAzNVowbTELMAkGA1UE
BhMCS1IxCjAIBgNVBAgMASAxCjAIBgNVBAcMASAxDDAKBgNVBAoMA05ITjESMBAG
A1UECwwJQ29tbXVuaXR5MRIwEAYDVQQDDAluYXZlci5jb20xEDAOBgkqhkiG9w0B
CQEWASAwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANX++6LgORv6caQ8LCVh
RYTXi2Lko7zn4wPeqvdCqNZsxcry2mNHn/ic+0XbhNgor5L0l048f0iicW/Qu4vw
RvkZy2N8dNE3Tb5dbPLNo+S+cExv/DhbQVFKGiOOvr4vQ+2Lgw7If5g3sh6/S8Gu
ot47cOrUkiLKBKJt614bue9zAgMBAAGjUDBOMB0GA1UdDgQWBBSB1ReDAnl4lRyl
Rfpl0EZ13E5LzzAfBgNVHSMEGDAWgBSB1ReDAnl4lRylRfpl0EZ13E5LzzAMBgNV
HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAEYdZfQjvk/wvlFP4l3mDqS4NMac
txx1lyYGa0gX4DGhb7aGwBb3qwCdSX7szuYNHHq5Clf9TGQMqc49RFC2TGNRrpSw
BZFRmyzhMsqx/dLcNIBLfz4B+SUw+yiwNKo3krYCJfqgNy0cW8sF121yWI3tPzqr
kD8kEbCa5GvxmsdT
-----END CERTIFICATE-----" ) );

            DevDefined.OAuth.Framework.OAuthContext context = new DevDefined.OAuth.Framework.OAuthContext
            {
              //RawUri = request.Url,
              RawUri = CleanUri( request.Url ),
              Cookies = new NameValueCollection(),
              Headers = request.Headers,
              RequestMethod = request.HttpMethod,
              FormEncodedParameters = new NameValueCollection(),
              QueryParameters = new NameValueCollection( request.QueryString )
            };
            // do I need to set them manually?.. let's try..
            context.ConsumerKey = request.QueryString[ "oauth_consumer_key" ];
            context.Timestamp = request.QueryString[ "oauth_timestamp" ];
            context.Nonce = request.QueryString[ "oauth_nonce" ];
            context.Signature = request.QueryString[ "oauth_signature" ];

            var signer = new DevDefined.OAuth.Framework.Signing.OAuthContextSigner();

            DevDefined.OAuth.Framework.SigningContext signingContext = new DevDefined.OAuth.Framework.SigningContext();

            // use context.ConsumerKey to fetch information required for signature validation for this consumer.

            signingContext.Algorithm = cert.PublicKey.Key;
            //signingContext.ConsumerSecret; // if there is a consumer secret

            return ( signer.ValidateSignature( context, signingContext ) );
        }

And here's a sample request: (I changed the url a bit for security reasons)

• Url: http://www.maxmax.co.cc:7677/?oauth_signature=b58RqdQ0Atnrvvy6Qi81BRv1fhmXIQEl3hY++Wi7kiinSOhWq7mluhsapEi/GvCUG6RjrYVowwTcoi MqqmVCasFlON7zU7Yyi8nOUAoClpoft0BXbT5xyNUmLOxTk47tmjWVMLniaOieVUEQLwP2yycH6hiWkf2gFWGsu9LHZbE=&oauth_nonce=14611349243983507&oauth _version=1.0&oauth_body_hash=2jmj7l5rSw0yVb/vlWAYkK/YBwk=&oauth_signature_method=RSA-SHA1&oauth_consumer_key=naver.com&xoauth_sign ature_publickey=http://nsocialcontainer.com/server/naver_socialapp_public.cer&xoauth_public_key=http://nsocialcontainer.com/server /naver_socialapp_public.cer&opensocial_owner_id=1400000000010946792&opensocial_app_id=25992&oauth_timestamp=1296334075

• HttpMethod: GET

• UserAgent: Jakarta Commons-HttpClient/3.1

• QueryString

  • oauth_signature:b58RqdQ0Atnrvvy6Qi81BRv1fhmXIQEl3hY++Wi7kiinSOhWq7mluhsapEi/GvCUG6RjrYVowwTcoiMqqmVCasFlON7zU7Yyi8nOUAoClpoft0BX bT5xyNUmLOxTk47tmjWVMLniaOieVUEQLwP2yycH6hiWkf2gFWGsu9LHZbE=
  • oauth_nonce:14611349243983507 - oauth_version:1.0
  • oauth_body_hash:2jmj7l5rSw0yVb/vlWAYkK/YBwk=
  • oauth_signature_method:RSA-SHA1
  • oauth_consumer_key:naver.com
  • xoauth_signature_publickey:http://nsocialcontainer.com/server/naver_socialapp_public.cer
  • xoauth_public_key:http://nsocialcontainer.com/server/naver_socialapp_public.cer
  • opensocial_owner_id:1400000000010946792
  • opensocial_app_id:25992
  • oauth_timestamp:1296334075

• Headers

  • X-Forwarded-For:61.75.38.242
  • X-shindig-dos:on - Accept-Encoding:gzip, deflate
  • Host:www.maxmax.co.cc:7677
• body: ""

I get no error messages, no exceptions, but isValidRequest2() always returns 'false' even with valid requests.

I must be using it wrong. Any help will be greatly appreciated!! If you have any questions on this question, please ask.

Thanks!!!!

What version of the library are you using, perhaps try building from source off github here, if you haven't already:

https://github.com/bittercoder/DevDefined.OAuth

Also, it's worth noting that some opensocial platform implementations return Url's with additional ampersands (such as friendster used to) - see the bottom of this blog post here for details:

http://blog.bittercoder.com/PermaLink,guid,4f387bde-7ed6-480b-952b-bbc0ead9ebfb.aspx

If you are still having trouble, if you could provide a link to a full example of your consumer code (I suggest creating a gist: https://gist.github.com/gists) that would be really helpful in understanding what the problem is.