Partners and Developers

sahil_197 · ‎09-22-2021

Hi

I have created hmac in java using below mentioned function in java:

private static String generateHmac(String message, String secret) {
String algorithm = "HmacSHA256";
String hash = "";
try {
Mac sha256_hmac = Mac.getInstance(algorithm);
SecretKeySpec secret_key = new SecretKeySpec(secret.getBytes(), algorithm);
sha256_hmac.init(secret_key);
hash = Base64.encodeBase64String(sha256_hmac.doFinal(message.getBytes()));
}catch (NoSuchAlgorithmException | InvalidKeyException e) {
throw new RuntimeException(e);
}
return hash;
}

message = "code=0907a61c0c8d55e99db179b68161bc00&shop=some-shop.myshopify.com&state=0.6784241404160823&timestamp=1337178173"

Secret=

req hmac = 700e2dadb827fcc8609e9d5ce208b2e9cdaab9df07390d2cbca10d7c328fc4bf

generated hmac = jxGGv65OkiJzVKaQR9PqrKr5xXgDZFAv/LUWFWj9eqY=

But generated hmac is different than the required.

Please help here.

AlanGuerin · ‎10-01-2021

Hi @sahil_197,

I'm unable to verify your work due to the missing shop and secret, but based on your example:

Use Base16 encoding instead of Base64 when verifying the HMAC for OAuth requests/redirects. Your required HMAC looks to be encoded in base16, while the generated HMAC is in base64.
You should explicitly set the UTF-8 charset rather than relying on it being the default charset.

Shameless plug: I created an open source library to handle HMAC verification here: https://github.com/shopstack-projects/shopstack-security-hmac/. Scenario #3 in the README should be helpful to you. Feel free to use it, and feedback/questions are welcome!