Android Question (SOLVED) HTTP POST with parameters' MD5 hash in the HEADER

peacemaker

peacemaker

Expert
Licensed User
Longtime User
Hi, All

I cannot debug this positing :-(
For an API for POST requests i must follow the rules:
1) make MD5 hash of the parameters line (like "param1=1&param2=2") plus a secret word. This hash sub works correct for sure (GET requests without parameters are OK).
2) but this hash is sent not by one more parameter, but by the request header "Signature".
3) URLencoding i do only in the single point, before calculating the parameters' hash and making GET URL.


B4X: 
Private Sub Requests(GetReq As Boolean, NewJob As HttpJob, Params As Map, Files As List)
    If Starter.InternetConnected = False Then Return
    Dim j As HttpJob = NewJob
    If Params.IsInitialized Then
        If Params.Size > 0 Then
            For i = 0 To Params.Size - 1
                Params.Put(Params.GetKeyAt(i), su.EncodeUrl(Params.GetValueAt(i), "UTF8"))
            Next
        End If
    End If
    Dim U As String = Get_URL(j.JobName, GetReq, Params)    'URL-encoded parameters line with URL for GET requests only
    '------------
 
    If GetReq Then
        j.Download(U)
    Else
        j.PostMultipart(U, Params, Files)
    End If
    j.GetRequest.SetContentEncoding("application/x-www-form-urlencoded")
    Add_Signature(j, Params)
    j.GetRequest.Timeout = 60000
    Wait For (j) JobDone(j As HttpJob)
    If j.Success Then
....
End sub

Sub Add_Signature (j As HttpJob, m As Map)
    Dim key As String = "secret_word"
    If m.IsInitialized = False Or m.Size = 0 Then
        Dim pars As String = ""
    Else
        Dim pars As String     'just URL-encoded parameters line without URL
            For i = 0 To m.Size - 1
                pars = pars & "&" & m.GetKeyAt(i) & "=" & m.GetValueAt(i)
            Next
        pars = pars.SubString(1)
        Log(pars)
    End If
    Dim hash As String = others.GetMD5hash(pars & key)
    j.GetRequest.SetHeader("Signature", hash)
End Sub

Private Sub Get_URL(method As String, get As Boolean, m As Map) As String
    Dim URL1, URL2 As String
    If m.IsInitialized = False Or m.Size = 0 Then    'no parameters
        URL1 = URL & method
    else If get = False Then    'for POST
        URL1 = URL & method
    Else
        'for GET with parameters
        For i = 1 To m.Size - 1
            URL2 = URL2 & "&" & m.GetKeyAt(i) & "=" & m.GetValueAt(i)
        Next
        URL1 = URL & method & "?" & m.GetKeyAt(0) & "=" & m.GetValueAt(0)
        If URL2 <> "" Then
            URL1 = URL1 & URL2
        End If
    End If
    Return URL1
End Sub

Why the signature is always incorrect at the server side check ?
 
Last edited:
Sort by date Sort by votes
peacemaker

peacemaker

Expert
Licensed User
Longtime User
GET request with a single parameter is OK with such signature in the HEADER
https://10.0.2.2:8089/common_api/1.0/get_cars_info?locked_cars=false

The trouble is with only POST request with parameters.
The API is described so:

B4X: 
Request:

POST https://ip:port/common_api/1.0/create_order HTTP/1.1
Signature: <...>
Content-Type: application/x-www-form-urlencoded
Content-Length: 156

phone=89123456789&source=SOURCE&source_time=20120501100000&source_lon=53.147836&source_lat=56.896817

Reply:

{
  "code":0,
  "descr":"OK",
  "data":{
    "order_id":12345
  }
}

But for such POST request with parameters I always get:
B4X: 
{data={}, descr=Wrong signature, code=4}

HTTP sniffer shows my POST request as:
B4X: 
POST /common_api/1.0/create_order HTTP/1.1
Content-Encoding: application/x-www-form-urlencoded
Signature: 78aeb39f7892a601ae9ee0c4c70349e1
Content-Type: multipart/form-data; boundary=---------------------------1461124740692
Host: 10.0.2.2:8089
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.5.0
Content-Length: 599

-----------------------------1461124740692
Content-Disposition: form-data; name="phone"

11111111111
-----------------------------1461124740692
Content-Disposition: form-data; name="source_time"

20180128105118
-----------------------------1461124740692
Content-Disposition: form-data; name="source"

testsourcewithoutspaces
-----------------------------1461124740692
Content-Disposition: form-data; name="source_lat"

58.436788
-----------------------------1461124740692
Content-Disposition: form-data; name="source_lon"

35.343460
-----------------------------1461124740692--
 
Last edited:
Upvote 0
peacemaker

peacemaker

Expert
Licensed User
Longtime User
SOLVED. PostString is needed instead of PostMultipart.
 
Last edited:
Upvote 0
You must log in or register to reply here.

Similar Threads

cdsincfl
  • Question
Android Question MD5 hash does not match Google Drive MD5 hash
Replies
3
Views
2K
cdsincfl
cdsincfl
peacemaker
  • Question
Android Question Google Drive API: MD5 hash of files to synchronize
Replies
1
Views
2K
peacemaker
peacemaker
M
  • Question
Android Question Mismatch in MD5 result when comparing with PHP
Replies
2
Views
3K
Meigionel TS
M
Douglas Farias
  • Article
Android Code Snippet Security PHP+MD5+TOKEN Config
Replies
2
Views
6K
Peter Simpson
Peter Simpson
S
  • Question
How to get md5 of a file?
Replies
2
Views
5K
sdaly
S
Top