HMAC SHA1 Digest in Python

I am using the Moves API to get some fitness data. Instead of making a regular API request, I would like to use storyline notifications.

It works, I receive a request from the API, but I cannot verify the hmac sha1 signature provided in the request.

The documentation says:

All notification requests are signed with a Base64-encoded HMAC-SHA1 signature. The signature is calculated as HMAC_SHA1(<your client secret>, <request body> | <timestamp> | <nonce>), in other words the client secret as the key and request body, timestamp and nonce concatenated as data. HTTP headers are not included in the signature. The X-Moves-Signature, X-Moves-Timestamp, and X-Moves-Nonce headers contain the signature, timestamp, and nonce values. The timestamp is a Unix timestamp, seconds since 01 Jan 1970 00:00:00 GMT.

My implementation:

from hmac import new as hmac_new
from hashlib import sha1

def check_signature(signature, timestamp, nonce, client_secret, request_body):
    msg = request_body + timestamp.encode('utf-8') + nonce.encode('utf-8')
    hmac = hmac_new(key=client_secret, msg=msg, digestmod=sha1)
    return hmac.digest().encode('base64') == signature

I receive the request in Flask and call my function like this:

check_signature(headers['X-Moves-Signature'], headers['X-Moves-Timestamp'], headers['X-Moves-Nonce'], settings['client-secret'], request.data)

Values:

client-secret= mnMuu6rDMkeG5FL0Fm0ho2z14JUhMVWAntUnGz0VyXc446RtqP8J7ETfag0TQa58
request-body = {"userId": 34511428141091768, "storylineUpdates": [{"reason": "DataUpload", "endTime": "20150429T121602Z", "lastSegmentType": "place", "lastSegmentStartTime": "20150429T101434Z", "startTime": "20150429T101434Z"}]}
X-Moves-Nonce = eqVCO4bnNbN+8Hhiz7ZceA== 
X-Moves-Signature = BRMwYCxglul01wbyXpfpdtiJh2Y=
X-Moves-Timestamp = 1430309780
my-digest = paWR/3yiJ8NT8KukorGVJlpmQeM=
my-hexdigest = a5a591ff7ca227c353f0aba4a2b195265a6641e3
moves_signature = BRMwYCxglul01wbyXpfpdtiJh2Y=

I also tried http://www.freeformatter.com/hmac-generator.html and also got a5a591ff7ca227c353f0aba4a2b195265a6641e3.

(The client secret is no longer valid.)

As you can see from the values, my digest and moves_signature are not equal. Unfortunately, I cannot get a digest equal to the one from Moves, and I cannot find the problem. Does anyone know how to fix this?
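
Added example, not part of the original question and not Moves' own code: a Python 3 helper that recomputes the signature over the raw request body bytes (in Flask, `request.get_data()`) under several assumed readings of the documented `<request body> | <timestamp> | <nonce>` and reports which reading, if any, matches the received header. The layout names, the `max_skew` freshness window and the sample values are assumptions for illustration; the code does not establish which reading the API actually uses.

```python
import base64
import hashlib
import hmac
import time

def sign(secret, data):
    """Base64(HMAC-SHA1(secret, data)) as bytes; b64encode appends no newline."""
    return base64.b64encode(hmac.new(secret, data, hashlib.sha1).digest())

def candidate_messages(body, timestamp, nonce):
    """Assumed readings of the documented '<body> | <timestamp> | <nonce>'."""
    ts, nc = timestamp.encode("utf-8"), nonce.encode("utf-8")
    out = {"concat": body + ts + nc, "pipe-separated": b"|".join([body, ts, nc])}
    try:  # the nonce looks like Base64, so also try its decoded bytes
        out["concat, nonce decoded"] = body + ts + base64.b64decode(nc, validate=True)
    except ValueError:
        pass
    return out

def matching_layouts(signature, timestamp, nonce, secret, body):
    """Names of the layouts whose signature equals the received header value."""
    received = signature.strip().encode("utf-8")
    return [name for name, msg in candidate_messages(body, timestamp, nonce).items()
            if hmac.compare_digest(sign(secret, msg), received)]

def verify(signature, timestamp, nonce, secret, body,
           layout="concat", max_skew=300, now=None):
    """Constant-time check for one layout, plus a freshness window (an assumption)."""
    try:
        age = abs((time.time() if now is None else now) - int(timestamp))
    except ValueError:
        return False
    msg = candidate_messages(body, timestamp, nonce).get(layout)
    return (age <= max_skew and msg is not None and
            hmac.compare_digest(sign(secret, msg), signature.strip().encode("utf-8")))

# Constructed sample values (not the ones from the question).
SECRET = b"constructed-secret"
BODY = b'{"userId": 1, "storylineUpdates": []}'
TS, NONCE = "1430309780", "Y29uc3RydWN0ZWQtbm9uY2U="

if __name__ == "__main__":
    sig = sign(SECRET, b"|".join([BODY, TS.encode(), NONCE.encode()])).decode()
    print(matching_layouts(sig, TS, NONCE, SECRET, BODY))
    print(verify(sig, TS, NONCE, SECRET, BODY, "pipe-separated", now=1430309800))
```

An empty list from `matching_layouts` means none of the assumed readings fits, which points at the inputs (a re-serialized body, a different secret) rather than at the concatenation.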
