Question
I'm using the Moves API to get some fitness data. Instead of querying the API on a regular basis I would like to use the storyline notifications.
It works, I get a request from the API but I'm unable to verify the hmac sha1 signature provided in the request.
The Documentation says:
All notification requests are signed with Base64 encoded HMAC-SHA1 signature. The signature is calculated as HMAC_SHA1(<your client secret>,<request body>|<timestamp>|<nonce>), in other words the client secret as the key and request body, timestamp and nonce concatenated as the message data. HTTP headers are not included in the signature. The headers X-Moves-Signature, X-Moves-Timestamp and X-Moves-Nonce contain the signature, timestamp and nonce values. The timestamp is a unix timestamp, seconds since Jan 01 1970 00:00:00 GMT.
My Implementation:
from hmac import new as hmac_new
from hashlib import sha1

def check_signature(signature, timestamp, nonce, client_secret, request_body):
    msg = request_body + timestamp.encode('utf-8') + nonce.encode('utf-8')
    hmac = hmac_new(key=client_secret, msg=msg, digestmod=sha1)
    return hmac.digest().encode('base64') == signature
I get the request from flask and call my function like this:
check_signature(headers['X-Moves-Signature'], headers['X-Moves-Timestamp'], headers['X-Moves-Nonce'], settings['client-secret'], request.data)
Values:
client-secret= mnMuu6rDMkeG5FL0Fm0ho2z14JUhMVWAntUnGz0VyXc446RtqP8J7ETfag0TQa58
request-body = {"userId": 34511428141091768, "storylineUpdates": [{"reason": "DataUpload", "endTime": "20150429T121602Z", "lastSegmentType": "place", "lastSegmentStartTime": "20150429T101434Z", "startTime": "20150429T101434Z"}]}
X-Moves-Nonce = eqVCO4bnNbN+8Hhiz7ZceA==
X-Moves-Signature = BRMwYCxglul01wbyXpfpdtiJh2Y=
X-Moves-Timestamp = 1430309780
my-digest = paWR/3yiJ8NT8KukorGVJlpmQeM=
my-hexdigest = a5a591ff7ca227c353f0aba4a2b195265a6641e3
moves_signature = BRMwYCxglul01wbyXpfpdtiJh2Y=
I also tried http://www.freeformatter.com/hmac-generator.html and also received a5a591ff7ca227c353f0aba4a2b195265a6641e3.
(the client secret is not valid anymore).
As you can see from the values my digest and the moves_signature are not equal. Sadly I'm unable to get a digest that is equal to the one from moves but I'm unable to locate the problem. Does anybody have an idea on how to fix this?
Source: https://stackoverflow.com/questions/29947400/hmac-sha1-digest-in-python
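Added example (not part of the original question, and not Moves' own code): a Python 3 receiver-side check for the signature scheme quoted from the documentation above, with a constant-time comparison plus timestamp and nonce replay checks. It assumes the three fields are concatenated with no separator, as the quoted text says; the 300-second window, the function names and the sample values are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window; the quoted documentation gives none


def compute_signature(client_secret: bytes, body: bytes, timestamp: str, nonce: str) -> str:
    """Base64(HMAC-SHA1(secret, body + timestamp + nonce)), per the quoted documentation."""
    message = body + timestamp.encode("utf-8") + nonce.encode("utf-8")
    digest = hmac.new(client_secret, message, hashlib.sha1).digest()
    # b64encode emits no trailing newline, unlike Python 2's str.encode('base64').
    return base64.b64encode(digest).decode("ascii")


def verify_notification(client_secret, body, signature, timestamp, nonce,
                        seen_nonces, now=None):
    """Return True only for a fresh, unreplayed, correctly signed request."""
    now = time.time() if now is None else now
    try:
        skew = abs(now - int(timestamp))
    except ValueError:
        return False  # non-numeric timestamp header
    if skew > MAX_SKEW_SECONDS:
        return False
    # body must be the raw bytes received; re-serialised JSON gives different bytes.
    expected = compute_signature(client_secret, body, timestamp, nonce)
    # Constant-time comparison; strip whitespace a proxy or codec may have added.
    if not hmac.compare_digest(expected.encode("ascii"), signature.strip().encode("utf-8")):
        return False
    if nonce in seen_nonces:  # checked after the MAC so forged nonces are never stored
        return False
    seen_nonces.add(nonce)
    return True


# Constructed sample values, not taken from a real Moves request.
SECRET = b"constructed-client-secret"
BODY = b'{"userId": 1, "storylineUpdates": []}'
TS, NONCE = "1430309780", "bm9uY2UtZXhhbXBsZQ=="
SIG = compute_signature(SECRET, BODY, TS, NONCE)
```

In a real deployment seen_nonces would be a shared store whose entries expire after the freshness window rather than an in-memory set.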