LibCurl Functions to produce tokens or hash shared-secret - c

Does LibCurl provide some functionality to produce tokens or hash/salt a string and shared secret? My c++ program will upload files to the server and my server script will authenticate that the HTTP post is coming from my c++ application and not someone else. So I'll send a auth token or hash in the query string that the server script can compare with its own to authenticate the request.
I've seen that you can authenticate using curl --user name:password http://www.example.com but can't a user just read the binary executable and see the username and password?
Although, maybe I am reinventing the wheel with my auth approach. Does LibCurl or another c++ provide the ability to perform shared-secret authentication?

I haven't tried this, but since the command line supports a netrc file as described here https://stackoverflow.com/a/27894407/1542667. This is more secure when using the command line as you don't make your password visible to everyone on the same host via the ps command.
It looks like you could use the same approach for libcurl
https://curl.haxx.se/libcurl/c/CURLOPT_NETRC_FILE.html

Related

First Box.com integration. How do I query for a list of folders?

I have the oAuth stuff working as expected. No challenges there. I now need to use the access token to do something. Nothing I have tried works. I'm sure it's very simple, but I am not sure how to translate the examples in curl to http post/get requests.
Box.com help says:
curl https://api.box.com/2.0/folders/FOLDER_ID \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"
How do i write that using http post/get?
As long as the requests are being sent via standard http functionality I don't believe my platform matters. Regardless, I'm using Apex to write this in Salesforce.com.
Note: I know there is an app on the AppExchange to integrate Box.com and Salesforce. For my purposes I don't want to rely on apps that are unique to a specific platform.
Any help is appreciated.
It's simply a GET request with headers and optionally XML / JSON as POST payload, not sure what's your specific problem? Have you actually tried writing some code?
Simple example: http://www.salesforce.com/us/developer/docs/api_asynch/Content/asynch_api_quickstart_login.htm
Bit more advanced: http://developer.force.com/cookbook/recipe/scheduling-an-apex-call-from-the-command-line
CURL is a powerful tool and the list of it's commandline options is not for the faint of heart. Still - use it as a reference, especially "-H" meaning HTTP header. I think the "\" is just indicating that it's a multiline command, you can ignore it.

Connecting to a webservice that requires a username, password and a .cer file using Axis2/C

--First a little background:--
I have already managed to connect to a Microsoft web service using C#. To use this web service, I have to supply a username and a password in the C# code. I also have to install a certificate (in .cer format) into the "Root Certificate Authorities" section of the system's certificates.
(By the way, the C# class I use to connect to the service was automatically generated for me with the command line tool "svcutil.exe https://address.of.service")
--Here is my question:--
How can I connect to this web service using Axis2/C? The example in the documentation is of a completely different nature -- it asks for a certificate, key file, and a passphrase. In my case, it is username, password, and a .cer file.
So I'm not sure where to even begin. I don't know where my .cer file, username and password should go exactly. Any ideas?
If at all possible stay away from Axis2, perhaps use gSOAP instead.
That said, figure out which of the HTTP libraries you are building Axis2 with (I believe it can use a number of different ones depending on which OS you are building etc).
Also you might want to update your question with the reference to the sample program you are talking about and relevant excerpt from the C# client for reference.

libcurl c/c++ Kerberos authentication

Does anybody have any experience with libcurl (C/C++) and Kerberos authentication?
I am able to set everything up and post data - however, now we have switched on SSO (via SPNEGO on a JBoss server) I am unable to authenticate properly, with authorization being downgraded to Basic.
At this stage I am using curl_easy_setopt(curl,CURLOPT_HTTPAUTH, CURLAUTH_GSSNEGOTIATE) and have also set the CURLOPT_KRBLEVEL to "private".
Looking at the headers in wireshark, the response from curl doesn't provide any credentials - which is throwing an EncryptionKey exception on the JBoss server. I am able to authenticate on the server via .NET using cached credentials and a httprequest object. Only problem is we can't use .NET on this project.
Thanks in advance for any help.
As an additional point. I have just seen that under libcurl Kerberos is only supported for ftp. I am trawling the source to try and confirm if this is the case. Anybody know of any other libraries that we might be able to use to perform our POST?
Ok - for anybody that reaches this point...
I downloaded this version: http://curl.haxx.se/download.html win 32 generic.
It is compiled to run under ssh, ntlm and kerberos etc. The download includes the relevant DLL's you will need to create apps for any environment that requires cached credentials.
If you want specific code - pertaining to using callbacks, chunking etc, drop me a line and I can forward it to you. Given the flexibility of the curl library - it would be a bit much to just drop a ton of code here. Once you have the curl.exe up and running, there is a cmd line switch that can output the equivalent code to a text file (although it doesn't include information regarding any writecallback functions etc - just the easy setup options required). Thanks to n.m for your help - much appreciated. G

How to get a SPNEGO / Kerberos Session key -and implement HTTP Authentication:Negotiate on my own client

I was recently exposed to a new authentication method i had no idea of.
After reading a bit and researching to understand it,I understood it has something to do with SPNEGO, or maybe it is just spnego.
Im running windows xp on a large network, when my browser opens it automatically
connects to a web-service in the network, which requires authentication:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
then my browser sends automatically (along with more headers ofcourse):
Authorization: Negotiate (encrypted string).
I concluded this Handshake uses the SPNEGO protocol.
What i need to do, is to create my own client (actually,its a bot that uses this webservice that requires that authentication). I Need to get that encrypted string (exactly like my browser gets it, probably by using some SPNEGO protocol) without any user interaction (again, as my browser).
the thing is, that i don't have enough time to study the spnego protocol and how to implement one.
I'm using c/c++, but if i have no option c# would be okay as well.
Are there any functions / classes / codes or maybe even good tutorials to help me implement it shortly?
curl works with Kerberos/spnego. I'm not sure how well this functionality works on Windows, you should try and see. It works well enough on Linux. You can look at the source to see how it is done.

HTTP authentication and filesend in C

i have some parsed data in two files. i need to send these to a webserver of a website. i also need to be logged into the webserver first. i am new to this web interaction thing. i just need to know how might i go about doing this. i am learning the libcurl library so i guess it can send standard HTTP POST messages. i will make a simple webserver to test it myself. can anyone tell me what kind of interaction is needed. by that i mean how do i send the username and password information, know that i am logged in and then be send the files. may be some examples of Form Posts which i believe is what i shud be doing right now.
Depending on the type of authentication being performed, the libcurl library may have functionality already built into it to support what you are trying to do. Check out the curl_easy_setopt function--specifically the section dealing with authentication.
For basic authentication, you can do the following.
curl_easy_setopt( curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC );
curl_easy_setopt( curl, CURLOPT_USERPWD, "username:password" );
You can use for example an old Wininet.dll (http://msdn.microsoft.com/en-us/library/aa385473%28VS.85%29.aspx) or more recent Winhttp.dll on the client side. The last one (WinHTTP) has two C/C++ API and COM Interface. Moreover, in WinHTTP you have more Authentication options (http://msdn.microsoft.com/en-us/library/aa383144%28VS.85%29.aspx).
On the other side old Wininet.dll has function like InternetWriteFile. In InternetConnect (Wininet.dll) you can give lpszUsername and lpszPassword.
In WinHTTP you should use WinHttpSetOption and WinHttpSetCredentials to give Username and password.
Search for both Wininet and WinHTTP and you will find enough Information to decide which one is better for your requirements.

Resources