B4J Question Problem when signing with HMAC-SHA256

[kostefar]

I am having some issues getting myself logged in to a service, which I believe is due to something I´m not doing right with the signing. See the result that I´m getting with the below:

# echo  "test" | openssl dgst -sha256 -hmac "72d4b1c24f2344f29cab98607d41c2a5"
SHA2-256(stdin)= 0e804c9b90d393e8b907bf7ed7cfa6ca53db6fc7c2e0235418e697a7edb25716

The following is an attempt to do the same, but the result is not the same. Any idea what I´m doing wrong?

Dim bc As ByteConverter
    Dim m As Mac
    Dim k As KeyGenerator
    Dim Secret As String = "72d4b1c24f2344f29cab98607d41c2a5"
    Dim input As String = "test"
    Dim m As Mac
    Dim k As KeyGenerator
    Dim signature As String
    k.Initialize("HMACSHA256")
    k.KeyFromBytes(Secret.GetBytes("UTF8"))
    m.Initialise("HMACSHA256", k.Key)
    m.Update(input.GetBytes("UTF8"))
    Dim b() As Byte
    b = m.Sign
    Dim bc As ByteConverter
    signature=bc.HexFromBytes(b)
    signature = signature.ToLowerCase
    Log (signature)

Result:

2d869c0f5bac1f3cecb35c0a1fb85fec4b6d43b27a36d7837d173b09b3916ac2

 

[aeric]

Dim Mexcnonce As String

I think you didn't assign value and use this variable.

m.Update(input.GetBytes("UTF8"))

After you assign a value then update the Mac with the nonce, not input.

m.Update(Mexcnonce.GetBytes("UTF8"))

edit: Unless, Mexcnonce = input & ""

 

[kostefar]

I think you didn't assign value and use this variable.

After you assign a value then update the Mac with the nonce, not input.

m.Update(Mexcnonce.GetBytes("UTF8"))

edit: Unless, Mexcnonce = input & ""

Thanks aeric, it was in fact a mistake that I left the nonce line there and it has now been removed. As far as I understand, I do not need this to create an identical key to the one generated with "openssl dgst -sha256 -hmac "72d4b1c24f2344f29cab98607d41c2a5", or am I wrong?

I should add that nonce is not mentioned in the API that I´m trying to access - that part was left over from old code I had from another API where nonce was required, so I just renamed it. Timestamp is required though, but that´s not so important at this stage, where all I´m trying to do is getting the same signature, since I have the idea that the reason why I cannot log in is due to this, so I took out all the code regarding what needs to be sent, making a simple test, just to show that the signature looks different.

 

[aeric]

# echo "test" | openssl dgst -sha256 -hmac "72d4b1c24f2344f29cab98607d41c2a5"

I am not sure the correct way to call this in bash command. If you have extra space after the "echo" keyword, it seems make a difference. The result may be differ if you have different version of openssl.

 

[teddybear]

# echo  "test" | openssl dgst -sha256 -hmac "72d4b1c24f2344f29cab98607d41c2a5"
SHA2-256(stdin)= 0e804c9b90d393e8b907bf7ed7cfa6ca53db6fc7c2e0235418e697a7edb25716

Install openssl 1.1.1f or 1.1.1d.

 

[kostefar]

I am not sure the correct way to call this in bash command. If you have extra space after the "echo" keyword, it seems make a difference. The result may be differ if you have different version of openssl.

Thanks aeric. The thing is that in the API manual, there is an example with a secret and a string, where also the expected signature is showing. This signature is identical to what I get with the bash command, but the result with b4j is different.

 

[kostefar]

Install openssl 1.1.1f or 1.1.1d.
View attachment 155201

Though it does not matter, since my aim is to have the same result as with the bash (openssl), this is my version of openssl (from my raspberry pi):

 # openssl version
OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)

But it´s interesting that you get a different hash than me, so a lot must have changed over the years, since your version is rather old.

 

[teddybear]

But it´s interesting that you get a different hash than me, so a lot must have changed over the years, since your version is rather old.

I didn't carefully read the first post, I just tested it on my machine and the result #5 was correct, same as you posted b4j code. actually the version is not problem,just the cmdline need to add -n .

echo -n "test" | openssl dgst -sha256 -hmac "72d4b1c24f2344f29cab98607d41c2a5"

 

[TILogistic]

???

What is the difference between "echo" and "echo -n"?

The manual page on Terminal for echo -n is the following: -n Do not print the trailing newline character. This may also be achieved by appending `\c' to the end of the string, as is do...

stackoverflow.com

 

[kostefar]

I didn't carefully read the first post, I just tested it on my machine and the result #5 was correct, same as you posted b4j code. actually the version is not problem,just the cmdline need to add -n .

echo -n "test" | openssl dgst -sha256 -hmac "72d4b1c24f2344f29cab98607d41c2a5"

Weird, here the -n does not matter. No clue why the results are different, but I found out that despite the difference between what I get from the bash and b4j, it actually works how it should. It was just my mistake to think that this part was the culprit, but thanks!