HMAC SHA1 Digest in python

橙三吉。 Submitted on 2019-12-10 16:33:46

Question


I'm using the Moves API to get some fitness data. Instead of querying the API on a regular basis I would like to use the storyline notifications.

It works, I get a request from the API but I'm unable to verify the hmac sha1 signature provided in the request.

The Documentation says:

All notification requests are signed with Base64 encoded HMAC-SHA1 signature. The signature is calculated as HMAC_SHA1(<your client secret>,<request body>|<timestamp>|<nonce>), in other words the client secret as the key and request body, timestamp and nonce concatenated as the message data. HTTP headers are not included in the signature. The headers X-Moves-Signature, X-Moves-Timestamp and X-Moves-Nonce contain the signature, timestamp and nonce values. The timestamp is a unix timestamp, seconds since Jan 01 1970 00:00:00 GMT.

My Implementation:

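import base64
import hmac
from hashlib import sha1

def check_signature(signature, timestamp, nonce, client_secret, request_body):
    # Message data: raw request body (bytes), then the timestamp and nonce header values.
    msg = request_body + timestamp.encode('utf-8') + nonce.encode('utf-8')
    # The client secret is assumed to be a str; hmac.new() needs a bytes key on Python 3.
    mac = hmac.new(key=client_secret.encode('utf-8'), msg=msg, digestmod=sha1)
    # b64encode() adds no trailing newline, unlike str.encode('base64') on Python 2.
    expected = base64.b64encode(mac.digest())
    # Compare in constant time.
    return hmac.compare_digest(expected, signature.encode('utf-8'))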

I get the request from flask and call my function like this:

check_signature(headers['X-Moves-Signature'], headers['X-Moves-Timestamp'], headers['X-Moves-Nonce'], settings['client-secret'], request.data)

Values:

client-secret= mnMuu6rDMkeG5FL0Fm0ho2z14JUhMVWAntUnGz0VyXc446RtqP8J7ETfag0TQa58
request-body = {"userId": 34511428141091768, "storylineUpdates": [{"reason": "DataUpload", "endTime": "20150429T121602Z", "lastSegmentType": "place", "lastSegmentStartTime": "20150429T101434Z", "startTime": "20150429T101434Z"}]}
X-Moves-Nonce = eqVCO4bnNbN+8Hhiz7ZceA== 
X-Moves-Signature = BRMwYCxglul01wbyXpfpdtiJh2Y=
X-Moves-Timestamp = 1430309780
my-digest = paWR/3yiJ8NT8KukorGVJlpmQeM=
my-hexdigest = a5a591ff7ca227c353f0aba4a2b195265a6641e3
moves_signature = BRMwYCxglul01wbyXpfpdtiJh2Y=

I also tried http://www.freeformatter.com/hmac-generator.html and also received a5a591ff7ca227c353f0aba4a2b195265a6641e3.

(the client secret is not valid anymore).

As you can see from the values my digest and the moves_signature are not equal. Sadly I'm unable to get a digest that is equal to the one from moves but I'm unable to locate the problem. Does anybody have an idea on how to fix this?

Source: https://stackoverflow.com/questions/29947400/hmac-sha1-digest-in-python
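
An added example, not part of the original question or of the Moves documentation: a verifier for the signature scheme quoted above that goes one step further and also rejects stale timestamps and repeated nonces. The secret, body and nonce are constructed sample values; `MAX_SKEW`, the function names and the in-memory nonce set are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

MAX_SKEW = 300  # assumed freshness window in seconds; the quoted documentation gives none

def sign(secret, body, timestamp, nonce):
    """Base64(HMAC-SHA1(secret, body + timestamp + nonce)), per the quoted documentation."""
    msg = body + timestamp.encode("utf-8") + nonce.encode("utf-8")
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha1).digest())

def verify(secret, body, headers, seen_nonces, now=None):
    """Return (ok, reason). body must be the raw bytes received, not re-serialized JSON."""
    try:
        sig = headers["X-Moves-Signature"].encode("utf-8")
        ts, nonce = headers["X-Moves-Timestamp"], headers["X-Moves-Nonce"]
        age = abs((time.time() if now is None else now) - int(ts))
    except (KeyError, ValueError):
        return False, "missing or malformed header"
    # Check the MAC first so unauthenticated requests never reach the nonce cache.
    if not hmac.compare_digest(sign(secret, body, ts, nonce), sig):
        return False, "bad signature"
    if age > MAX_SKEW:
        return False, "stale timestamp"
    if nonce in seen_nonces:  # plain in-memory set, enough for this example
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, "ok"

def demo():
    secret = b"constructed-secret"  # constructed value, not a real client secret
    raw = b'{"userId": 1, "storylineUpdates": [{"reason": "DataUpload"}]}'  # constructed body
    ts, nonce, now = "1430309780", "Y29uc3RydWN0ZWQ=", 1430309800
    headers = {"X-Moves-Timestamp": ts, "X-Moves-Nonce": nonce,
               "X-Moves-Signature": sign(secret, raw, ts, nonce).decode("ascii")}
    compact = json.dumps(json.loads(raw), separators=(",", ":")).encode("utf-8")
    seen = set()
    return [
        verify(secret, raw, headers, seen, now),          # first delivery
        verify(secret, raw, headers, seen, now),          # same nonce again
        verify(secret, compact, headers, set(), now),     # same JSON, different bytes
        verify(secret, raw, headers, set(), now + 3600),  # outside the window
    ]

if __name__ == "__main__":
    print(demo())
```

The third case shows that parsing and re-serializing the JSON body changes the bytes and therefore the HMAC, so verification has to run over the body exactly as it arrived.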
