in reply to HMAC Sha256 Help!

Just a guess, since you don't say what you expect to get as a result in $step2: Does hmac_sha256_hex($step1, pack("H*",$appkey)) help?

Update:

I am using hmac_sha256_hex as the app key string is in hex.

I believe the general naming convention in many of the Digest::* modules is that the suffix _hex on the function name refers to their return value, and not their arguments.

Re^2: HMAC Sha256 Help! (updated)
by ribble (Novice) on Jul 18, 2017 at 12:29 UTC

    thanks for the reply. Well I don't really know what the expected output should be either, that's my issue really.

    I tried with the pack function to get the hex key into bytes but with no success either.

    as for using hmac_sha256_hex, thanks for the information. I have now changed to hmac_sha256 instead, still no joy but I think that's now the correct hashing mechanism

    I really appreciate the assistance thanks.

    the full instructions to build the authorization header are:

    For GET endpoint:

    1. Build a string based on the request METHOD (GET) DATE/TIME APPLICATION ID PATH (API endpoint, e.g. /xxxxxxxxx/api/v1/users/<userID>/factors)

    2. Create an HMAC SHA256 hash of step 1 using the Application Key. This step is executed by calling the HMAC and producing the hash value

    3. Encode the HMAC SHA256 hash from step 2 in Base64

    4. Concatenate the "Application ID", ":", and the "Base64 encoded HMAC SHA256 hash" from step 3: ApplicationID:Base64EncodedHMACSHA256Hash

    5. Encode the value from step 4 in Base64

    6. Concatenate "Basic " and the "Value of Step 5"

    the encoding is all ok, it's the creation of the HMAC that seems to be my issue.

    currently I have it as

    use POSIX qw(strftime);
    use Digest::SHA qw(hmac_sha256);
    use MIME::Base64 qw(encode_base64);

    #lets check the time
    $datestring = strftime "%a, %e %b %Y %H:%M:%S GMT", gmtime;
    #set the strings
    $method="GET";
    $appid="d6468df6c1e8419fb5ec50f62be9a28b";
    $appkey="15c7a6e1a5bd73500db29dffd0e19b6c6228b044c64348a6f5d6d470c54fc208";
    $path="/xxxxxxxxxxxx/xxxxxxx/api/v1/users/xxxxx/factors";
    #build the hash string
    $step1="$method\\n$datestring\\n$appid\\n$path";
    #hmac sha256hash the string
    $step2a= encode_base64(hmac_sha256($step1, pack("H*",$appkey)));
    $step4="$appid:$step2a";
    #encode value from step 4 into base 64
    $step5 = encode_base64($step4);
    #now add Basic and the value from step 5
    $step6 = ("Basic $step5");

      Well I don't really know what the expected output should be either, that's my issue really.

      This does seem to be the central issue. Is there really no example transaction provided in the API documentation? Perhaps you could ask whoever published the API for one? Is there a reference implementation that you could look at? Even if it's in another programming language, you might be able to just read that, or, you could execute it and run a trace (Wireshark) of a successful request?

        unfortunately the documentation is lacking

        I have the following example using go

        // makeHmac:
        // non-exportable helper to do SHA256 HMAC
        func makeHmac(data string, key string) string {
            byteKey, _ := hex.DecodeString(key)
            byteData := []byte(data)
            sig := hmac.New(sha256.New, byteKey)
            sig.Write([]byte(byteData))
            return base64.StdEncoding.EncodeToString(sig.Sum(nil))
        }

        still none the wiser though!

        I do know that the app key provided should be treated as 32 2 byte values and not 64 1 byte values

        It's this handling of the 32 2 byte values I am unsure of

        thanks again for responding, it's driving me slightly mad
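
The six steps quoted in the thread, as an added Perl example that is not part of any post above and is not the API vendor's code. `build_auth_header`, the newline field separator and all sample values are assumptions made for illustration; the hex-decoded key follows the Go helper quoted in the thread.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256 hmac_sha256_hex);
use MIME::Base64 qw(encode_base64);

# Known-answer check (RFC 4231, test case 1): confirms the argument order,
# Digest::SHA takes the data first and the key second.
my $kat = hmac_sha256_hex("Hi There", "\x0b" x 20);
die "HMAC self-test failed\n"
    unless $kat eq 'b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7';

# build_auth_header is a hypothetical helper following steps 1-6 in the thread.
sub build_auth_header {
    my ($method, $date, $app_id, $hex_key, $path) = @_;

    die "application key is not an even-length hex string\n"
        unless $hex_key =~ /\A(?:[0-9a-fA-F]{2})+\z/;
    my $key = pack("H*", $hex_key);    # 64 hex characters -> 32 raw bytes

    # Step 1. Assumption: fields are joined with a newline; the quoted
    # instructions do not name the separator.
    my $to_sign = join("\n", $method, $date, $app_id, $path);

    # Steps 2-3: raw 32-byte MAC, then Base64. The "" second argument stops
    # encode_base64 from appending "\n" and wrapping at 76 characters.
    my $mac_b64 = encode_base64(hmac_sha256($to_sign, $key), "");

    # Steps 4-6.
    return "Basic " . encode_base64($app_id . ":" . $mac_b64, "");
}

# Constructed sample values, not real credentials.
my $app_id  = "0123456789abcdef0123456789abcdef";
my $hex_key = "00112233445566778899aabbccddeeff" x 2;
my $date    = "Tue, 18 Jul 2017 12:29:00 GMT";
my $path    = "/example/api/v1/users/alice/factors";

print "Authorization: ", build_auth_header("GET", $date, $app_id, $hex_key, $path), "\n";

# Keying with the 64-character text instead of the decoded bytes gives a different MAC.
my $to_sign = join("\n", "GET", $date, $app_id, $path);
printf "decoded key: %s\n", hmac_sha256_hex($to_sign, pack("H*", $hex_key));
printf "ascii key  : %s\n", hmac_sha256_hex($to_sign, $hex_key);

# With its default line ending, encode_base64 returns a value ending in "\n",
# which would then be embedded in the step 4 string.
my $default_b64 = encode_base64(hmac_sha256($to_sign, pack("H*", $hex_key)));
print "default encode_base64 ends in newline: ", ($default_b64 =~ /\n\z/ ? "yes" : "no"), "\n";
```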