HMAC SHA1 Digest in python

I am using the Moves API to get some fitness data. Instead of making a regular API request, I would like to use storyline notifications.

It works, I receive a request from the API, but I cannot verify the hmac sha1 signature provided in the request.

The documentation says:

All notification requests are signed with a Base64-encoded HMAC-SHA1 signature. The signature is calculated as HMAC_SHA1(<your client secret>, <request body> | <timestamp> | <nonce>), in other words the client secret as the key and request body, timestamp and nonce concatenated as the message data. HTTP headers are not included in the signature. The X-Moves-Signature, X-Moves-Timestamp, and X-Moves-Nonce headers contain the signature, timestamp, and nonce values. Unix timestamp, seconds since 01 Jan 1970 00:00:00 GMT.

My implementation:

from hmac import new as hmac_new
from hashlib import sha1

def check_signature(signature, timestamp, nonce, client_secret, request_body):
    msg = request_body + timestamp.encode('utf-8') + nonce.encode('utf-8')
    hmac = hmac_new(key=client_secret, msg=msg, digestmod=sha1)
    return hmac.digest().encode('base64') == signature

      

I receive the request in Flask and call my function like this:

check_signature(headers['X-Moves-Signature'], headers['X-Moves-Timestamp'], headers['X-Moves-Nonce'], settings['client-secret'], request.data)

      

values:

client-secret= mnMuu6rDMkeG5FL0Fm0ho2z14JUhMVWAntUnGz0VyXc446RtqP8J7ETfag0TQa58
request-body = {"userId": 34511428141091768, "storylineUpdates": [{"reason": "DataUpload", "endTime": "20150429T121602Z", "lastSegmentType": "place", "lastSegmentStartTime": "20150429T101434Z", "startTime": "20150429T101434Z"}]}
X-Moves-Nonce = eqVCO4bnNbN+8Hhiz7ZceA== 
X-Moves-Signature = BRMwYCxglul01wbyXpfpdtiJh2Y=
X-Moves-Timestamp = 1430309780
my-digest = paWR/3yiJ8NT8KukorGVJlpmQeM=
my-hexdigest = a5a591ff7ca227c353f0aba4a2b195265a6641e3
moves_signature = BRMwYCxglul01wbyXpfpdtiJh2Y=

      

I also tried http://www.freeformatter.com/hmac-generator.html and also got a5a591ff7ca227c353f0aba4a2b195265a6641e3.

(client secret is no longer valid).

As you can see from the values, my digest and moves_signature are not equal. Unfortunately, I cannot get a digest equal to the one from Moves, and I cannot find the problem. Does anyone know how to fix this?

+3
python flask hmac sha1 hmacsha1
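
One way to verify a notification signed as the quoted documentation describes, written for Python 3 and added here as an example; it is not part of the original question and not the Moves API's own code. It assumes plain concatenation with no separator; the freshness window, the in-memory nonce set and all sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window, not taken from the documentation
SEEN_NONCES = set()     # in-memory replay cache; a real service needs a shared store with expiry


def expected_signature(client_secret: bytes, body: bytes, timestamp: str, nonce: str) -> str:
    """Base64(HMAC-SHA1(secret, body + timestamp + nonce)), plain concatenation."""
    msg = body + timestamp.encode("utf-8") + nonce.encode("utf-8")
    digest = hmac.new(client_secret, msg, hashlib.sha1).digest()
    # b64encode adds no trailing newline, unlike Python 2's str.encode('base64').
    return base64.b64encode(digest).decode("ascii")


def verify_notification(client_secret, body, headers, now=None):
    """Return (ok, reason). `body` must be the raw bytes as received, not re-serialized JSON."""
    try:
        signature = headers["X-Moves-Signature"].strip()
        timestamp = headers["X-Moves-Timestamp"].strip()
        nonce = headers["X-Moves-Nonce"].strip()
        sent_at = int(timestamp)
    except (KeyError, ValueError):
        return False, "missing or malformed header"
    expected = expected_signature(client_secret, body, timestamp, nonce)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "signature mismatch"
    # Freshness and replay checks run only after the MAC is known to be valid.
    now = time.time() if now is None else now
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    if nonce in SEEN_NONCES:
        return False, "replayed nonce"
    SEEN_NONCES.add(nonce)
    return True, "ok"


# Constructed sample data: the secret, body, nonce and timestamp are made up.
SECRET = b"constructed-example-secret"
BODY = b'{"userId": 1, "storylineUpdates": [{"reason": "DataUpload"}]}'
HEADERS = {"X-Moves-Timestamp": "1700000000", "X-Moves-Nonce": "Y29uc3RydWN0ZWQ="}
HEADERS["X-Moves-Signature"] = expected_signature(
    SECRET, BODY, HEADERS["X-Moves-Timestamp"], HEADERS["X-Moves-Nonce"])

if __name__ == "__main__":
    print(verify_notification(SECRET, BODY, HEADERS, now=1700000010))
```
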




No one has answered this question yet
