Geek Answers Handbook

Hashes are not like PHP and Paw REST Client

I am creating an HMAC API and I have problems testing hash with Paw.

On Paw, I have this payload:

GET:/hello/world:"":9a6e30f2016370b6f2dcfb6880501d7f2305d69bout

and the HMAC-SHA256 custom variable (actually a function like this that sets it to the X-Hash header.

 X-Hash: 4Cq2yehWumDcUk1dYyfhm6qWjJVBkOCB8o12f5l0WGE=

In my PHP API, I have the same thing:

 GET:/hello/world:"":9a6e30f2016370b6f2dcfb6880501d7f2305d69bout

and used:

 hash_hmac('sha256', $this->getPayload(), '9a6e30f2016370b6f2dcfb6880501d7f2305d69bout', false);

So, when comparing hashes:

 Paw: 4Cq2yehWumDcUk1dYyfhm6qWjJVBkOCB8o12f5l0WGE= PHP: 6961b9d1f6e986c49d963cbebd691fa68dfa59b4ce3b7f05320c2d43eae3c7c3

They are very different. Any idea why?

Update

Paw Code:

 function evaluate(context){ var loc = getLocation(context.getCurrentRequest().url); var payload = ""; payload += context.getCurrentRequest().method + ':'; payload += loc.pathname + ':'; payload += JSON.stringify(context.getCurrentRequest().body) + ':'; payload += "9a6e30f2016370b6f2dcfb6880501d7f2305d69bout"; // Private key return payload; }; function getLocation(href) { var match = href.match(/^(https?\:)\/\/(([^:\/?#]*)(?:\:([0-9]+))?)(\/[^?#]*)(\?[^#]*|)(#.*|)$/); return match && { protocol: match[1], host: match[2], hostname: match[3], port: match[4], pathname: match[5], search: match[6], hash: match[7] } }

PHP code (with lots of comments):

 if (strpos(strtoupper($authHeader), 'HMAC') !== 0) { echo 'out'; throw new HttpForbiddenException(); } else { $hmacSignature = $app->request->headers()->get('X-Hash'); $publicKey = $app->request->headers()->get('X-Public'); if ( empty($hmacSignature) || empty($publicKey) ) { echo 'out2'; throw new HttpForbiddenException(); } else { $this->hmacManager->setPublicKey($publicKey); print '$publickey = ' . $publicKey . '<br>'; // Validate if base64_encoded or not if( base64_decode($hmacSignature, true) !== FALSE ) { $binaryString = base64_decode($hmacSignature); $hmacSignature = bin2hex($binaryString); print 'decoding ' . '<br>'; } $this->hmacManager->setHmacSignature($hmacSignature); print '$hmacSignature = ' . $hmacSignature . '<br>'; $this->hmacManager->setRequestMethod($app->request->getMethod()); print 'method = ' . $app->request->getMethod() . '<br>'; $this->hmacManager->setRequestResourceUri($app->request->getResourceUri()); print 'uri = ' . $app->request->getResourceUri() . '<br>'; $requestBody = $app->request()->getBody(); if (Utils::isJson($requestBody)) { $requestBody = json_decode($requestBody); } $this->hmacManager->setRequestBody(json_encode($requestBody)); print 'body = ' . json_encode($requestBody) . '<br>'; print 'private key = ' . $this->hmacManager->getPrivateKey() . '<br>'; $payload = ''; $payload .= $this->hmacManager->getRequestMethod() . ":"; $payload .= $this->hmacManager->getRequestResourceUri() . ":"; $payload .= $this->hmacManager->getRequestBody() . ":"; $payload .= $this->hmacManager->getPrivateKey(); print 'PHP payload [' . $payload . ']'; $this->hmacManager->setPayload($payload); $hmacValue = $this->hmacManager->generateHmac(); $isValid = $this->hmacManager->isValid($this->hmacManager->generateHmac(), $hmacSignature); if ($isValid !== true) { echo 'out3'; throw new HttpForbiddenException(); } } }

generateHmac from another class:

 public function generateHmac() { print 'Generating HMAC' . '<br>'; $algorithm = $this->getAlgorithm(); print 'algo ' . $algorithm . '<br>'; $privateKey = $this->getPrivateKey(); print 'privk ' . $privateKey . '<br>'; if (empty($algorithm)) { throw new \RuntimeException('Algorithm must be set and not empty'); } elseif (empty($privateKey)) { throw new \RuntimeException('Private key must be set and not empty'); } print 'payload ' . $this->getPayload() . '<br>'; $hash = hash_hmac($this->getAlgorithm(), $this->getPayload(), $this->getPrivateKey(), false); print 'php hasj: ' . $hash . '<br>'; return $hash; }

Finally, here are the output statements:

 $publickey = 95f97b93560f951b4cae46c86d03d9b1a81d4ae8 decoding $hmacSignature = e02ab6c9e856ba60dc524d5d6327e19baa968c954190e081f28d767f99745861 method = GET uri = /hello/world body = "" private key = 9a6e30f2016370b6f2dcfb6880501d7f2305d69bout PHP payload [GET:/hello/world:"":9a6e30f2016370b6f2dcfb6880501d7f2305d69bout] Generating HMAC algo sha256 privk 9a6e30f2016370b6f2dcfb6880501d7f2305d69bout payload GET:/hello/world:"":9a6e30f2016370b6f2dcfb6880501d7f2305d69bout php hash: 6961b9d1f6e986c49d963cbebd691fa68dfa59b4ce3b7f05320c2d43eae3c7c3

Hope this helps!

+5
source share
2 answers

The paw hash is encoded in base64, and PHP in hexadecimal. So, first decrypt the paw hashes:

 $binary = base64_decode($pawHash); $hex = bin2hex($binary);

And then compare this to your own hash.

+4
source

We just added new Base 64-x dynamic conversion values , this should solve your problem.

Wrap the dynamic value of the HMAC signature inside the new Base 64 to Hex one, and you get a valid hexadecimal signature:

Hexadecimal HMAC signature with Paw

Here you can set this new dynamic value: Basic with hexadecimal dynamic value

+2
source

More articles:


All Articles