# suitescript
s
Sorry, this isn’t specifically regarding SuiteScript, but NetSuite development related: Is anyone calling their Restlets (or SuiteTalk) from Java code, and already using HMAC-SHA256 for your Token-based authentication? We are looking at several clients and libraries in Java and finding that many of them have not been updated to support HMAC-SHA256, which will be a problem as HMAC-SHA1 will soon be deprecated, and no longer supported at all after 2021.2. NetSuite suggests ScribeJava in their help center, but even that requires creating a custom HMAC-SHA256 signature service, which I was able to do with a custom signing class and a custom class to implement the OAuth 1.0 interface, but would prefer something that does this out of the box if possible. Jersey’s OAuth1 libraries have no support, and can’t be easily extended. I am trying to figure out what other options to look at or consider.
b
i vote do a pull request to make the signature service configurable
it looks like a simple change
p
ping me in the morning and i'll check what we did to change our java interfaces
can't remember off the top of my head what i did
s
It's disturbing to hear common Java libs are still stuck on SHA1?
b
signpost appears to have hmacsha256
s
nice, i’ll add that to our list of alternatives to evaluate
@battk I really contemplated doing a pull request for the jersey oauth1 signature library, but there’s no guarantee it will be accepted, and we don’t want to depend upon a forked version that could miss out on security and bug fixes in the future. And yeah, the change is simple (like 2 lines of code, and three comments).
Update: Well, even if I did a pull request to add this to the jersey repo, it wouldn’t help us. We are stuck on Jersey version 2.25.1, and can’t upgrade any further (to either 2.33 or 3.0.1) because we are using DropWizard 1.3x. Jersey version incompatibilities with DropWizard are terrible. I attempted to update our dependencies to a more recent version and nothing will compile. It’s many levels of dependency hell. And we have experienced this before, too. DropWizard expects you to use a very particular version of Jersey if you use it. Anything else fails. It’s especially sad because nothing in the code has changed since that version in the oauth1-signature package, which is where the changes for HMAC-SHA256 would need to be made. I think Scribe or signpost will be the only viable options that won’t require a huge refactor of our codebase.
@PNJ what client/signing library are you using for HMAC-SHA256?
Looks like there is an open issue on the ScribeJava project for the lack of HMAC-SHA256 support: https://github.com/scribejava/scribejava/issues/986 I created a pull request to try and fill that gap, so that we can all benefit from it without every NetSuite integrator having to maintain basically the same custom classes in their Java projects.