KRL: Signing requests with HMAC_SHA1


I made a test suite for math:hmac_* KRL functions. I compare the KRL results with Python results. KRL gives me different results.

code: https://gist.github.com/980788 results: http://ktest.heroku.com/a421x68

How can I get valid signatures from KRL? I'm assuming that the Python results are correct.

UPDATE: It works fine unless you want newline characters in the message. How do I sign a string that includes newline characters?


Solution

  • I suspect that your Python SHA library returns a different encoding than is expected by the b64encode library. My library does both the SHA and base64 in one call, so I had to do some extra work to check the results.

    As you show in your KRL, the correct syntax is:
    math:hmac_sha1_base64(raw_string,key);
    math:hmac_sha256_base64(raw_string,key);

    These use the same libraries that I use for the Amazon module which is testing fine right now.

    To test those routines specifically, I used the test vectors from the RFC (sha1, sha256). We don't support Hexadecimal natively, so I wasn't able to use all of the test vectors, but I was able to use a simple one:

    HMAC SHA1

    test_case = 2
    key = "Jefe"
    key_len = 4
    data = "what do ya want for nothing?"
    data_len = 28
    digest = 0xeffcdf6ae5eb2fa2d27416d5f184df9c259a7c79

    HMAC SHA256

    Key = 4a656665 ("Jefe")
    Data = 7768617420646f2079612077616e7420666f72206e6f7468696e673f ("what do ya want for nothing?")
    HMAC-SHA-256 = 5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843

    Here is my code:

    global {
        raw_string = "what do ya want for nothing?";
        mkey = "Jefe";
    }

    rule first_rule {
        select when pageview ".*" setting ()
        pre {
            hmac_sha1 = math:hmac_sha1_hex(raw_string,mkey);
            hmac_sha1_64 = math:hmac_sha1_base64(raw_string,mkey);
            bhs256c = math:hmac_sha256_hex(raw_string,mkey);
            bhs256c64 = math:hmac_sha256_base64(raw_string,mkey);
        }
        {
            notify("HMAC sha1", "#{hmac_sha1}") with sticky = true;
            notify("hmac sha1 base 64", "#{hmac_sha1_64}") with sticky = true;
            notify("hmac sha256", "#{bhs256c}") with sticky = true;
            notify("hmac sha256 base 64", "#{bhs256c64}") with sticky = true;
        }
    }
    

    var hmac_sha1 = 'effcdf6ae5eb2fa2d27416d5f184df9c259a7c79';
    var hmac_sha1_64 = '7/zfauXrL6LSdBbV8YTfnCWafHk';
    var bhs256c = '5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843';
    var bhs256c64 = 'W9zBRr9gdU5qBCQmCJV1x1oAPwidJzmDnexYuWTsOEM';

    The HEX results for SHA1 and SHA256 match the test vectors of the simple case.

    I tested the base64 results by decoding the HEX results and putting them through the base64 encoder here

    My results were:

    7/zfauXrL6LSdBbV8YTfnCWafHk=
    W9zBRr9gdU5qBCQmCJV1x1oAPwidJzmDnexYuWTsOEM=

    Which match my calculations for HMAC SHA1 base64 and HMAC SHA256 base64 respectively.

    If you are still having problems, could you provide me the base64 and SHA results from python separately so I can identify the disconnect?
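
For the Python side of the comparison, an added example (not part of the original question or answer) that reproduces the "Jefe" test vector with the standard library and compares base64 signatures whether or not the trailing `=` padding is present. HMAC signs bytes, so the last helper shows that the same text gets a different signature for each newline representation; the function names and the sample message are assumptions made for this sketch.

```python
import base64
import hmac

# Test vector quoted in the answer above ("Jefe" case from the HMAC RFCs).
KEY = b"Jefe"
DATA = b"what do ya want for nothing?"


def hmac_hex(algo: str, key: bytes, msg: bytes) -> str:
    """Hex digest, comparable to math:hmac_sha1_hex / math:hmac_sha256_hex."""
    return hmac.new(key, msg, algo).hexdigest()


def hmac_b64(algo: str, key: bytes, msg: bytes) -> str:
    """Base64 of the raw digest bytes (not of the hex string), with padding."""
    return base64.b64encode(hmac.new(key, msg, algo).digest()).decode("ascii")


def same_signature(a: str, b: str) -> bool:
    """Compare two base64 signatures, ignoring '=' padding, in constant time."""
    return hmac.compare_digest(a.rstrip("=").encode(), b.rstrip("=").encode())


def newline_variants(algo: str, key: bytes, text: str) -> dict:
    """Sign one logical message under each newline representation.

    `text` uses the two-character sequence backslash + n as the line break
    marker (constructed sample input, see __main__).
    """
    variants = {
        "LF byte (0x0a)": text.replace("\\n", "\n"),
        "CRLF bytes (0x0d 0x0a)": text.replace("\\n", "\r\n"),
        "literal backslash + n": text,
    }
    return {name: hmac_b64(algo, key, v.encode("utf-8"))
            for name, v in variants.items()}


if __name__ == "__main__":
    print("sha1 hex   :", hmac_hex("sha1", KEY, DATA))
    print("sha1 b64   :", hmac_b64("sha1", KEY, DATA))
    print("sha256 hex :", hmac_hex("sha256", KEY, DATA))
    print("sha256 b64 :", hmac_b64("sha256", KEY, DATA))
    # Unpadded value as shown in the KRL output above.
    print("matches KRL:", same_signature("7/zfauXrL6LSdBbV8YTfnCWafHk",
                                         hmac_b64("sha1", KEY, DATA)))
    # Constructed two-line message for the newline comparison.
    for name, sig in newline_variants("sha1", KEY, "line one\\nline two").items():
        print(f"{name:24s} {sig}")
```
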