I am trying to implement oAuth 1.0 in C++/MFC using the CryptoPP library to do the HMAC-SHA1. I can't repeat the example given in RFC 5849. As far as I can tell I have implemented it properly, but I'm getting a different signature.

C++
//Example oAuth
verb="POST";
url="http://example.com/request";
parameters="b5=%3D%253D&"
           "a3=a&"
           "c%40=&"
           "a2=r%20b&";
postData = "c2&a3=2+q";
realm="Example";
key="9djdj82h48djs9d2";
secret="j49sk3j29djd";
currTime=137131201;
token="kkk9d7dh3k39sjv7";
token_secret="dh893hdasih9";
nonce="7d8f3e4a";

if(parameters.Right(1)=="&") parameters=parameters.Left(parameters.GetLength()-1);
if(postData.Left(1)=="&") postData=postData.Mid(1);
//oauth.Format("oauth_consumer_key=%s&oauth_token=%s&oauth_version=\"1.0\"&oauth_signature_method=HMAC-SHA1&oauth_nonce=%s&oauth_timestamp=%d",
oauth.Format("oauth_consumer_key=%s&oauth_token=%s&oauth_signature_method=HMAC-SHA1&oauth_nonce=%s&oauth_timestamp=%d",
             key, token, nonce, currTime);
oauth.Replace("&oauth_token=&","&");
oauth.Replace("&oauth_nonce=&","&");
if(!parameters.IsEmpty()) parameters = parameters+"&"+oauth;
else parameters = oauth;
if(!postData.IsEmpty()) parameters = parameters+"&"+postData;
parameters.Replace("+", "%20");

nParameters = SplitString(parameters, &parameterList, "&", NULL, true);
Alphabetize(nParameters, &parameterList);

for(i=0, parameters.Empty(); i<nParameters; i++){
    parameters+=parameterList[i];
    if(parameterList[i].Find('=')<1) parameters+="=";
    if(i<nParameters-1) parameters+="&";
}

//Prepare authentication string
signature_base = verb + L"&" + UrlEncode(url) + L"&" + UrlEncode(parameters);
//Example oAuth should be:
//POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7

signature_key = UrlEncode(secret) + L"&" + UrlEncode(token_secret);
//Example oAuth should be:
//j49sk3j29djd&dh893hdasih9

try{
    CryptoPP::HMAC< CryptoPP::SHA1 > hmac((const byte*) signature_key.c_str(), signature_key.length());
    CryptoPP::StringSource(signature_base, true,
        new CryptoPP::HashFilter(hmac,
            new CryptoPP::Base64Encoder(
                new CryptoPP::StringSink(signature_base64)
            ) // Base64Encoder
        ) // HashFilter
    ); // StringSource
}catch(const CryptoPP::Exception& e){
    strError.Format("Cryptography Error: %s", e.what());
    throw strError;
}

signature = UrlEncode(signature_base64.c_str());
signature.Trim();
//Example oAuth should be:
//bYT5CMsGcbgUdFHObYMEfcx6bsw%3D


I'm getting the same signature base string as shown in section 3.4.1.1 and I'm assembling the key according to the directions in section 3.4.2. Unfortunately I'm getting r6%2FTJjbCOr97%2F%2BUU0NsvSne7s5g%3D for the signature as opposed to the value in the RFC.

What am I doing wrong?

1 solution

In desperation, I contacted the author of RFC 5849 and he promptly replied with this address, which shows my implementation was right all along:
http://www.rfc-editor.org/errata_search.php?rfc=5849

Hopefully that helps someone else someday!
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)