Sha256 hmac

Hi,

We are connecting to a marketplace using an API, and they require each request to be signed by a SHA-256 HMAC in base64 encoding. This HMAC is generated by concatenating the request information together, separated by newline characters, and generating a SHA-256 HMAC from the resulting string and your Secret Key.

The function for the signature in PHP looks like the following:

<?php

$method = "POST";
$uri = "https://sellerapi.kaufland.com/v2/units/";
$body = "";
$timestamp = 1411055926; // Example timestamp
$secretKey = "a7d0cb1da1ddbc86c96ee5fedd341b7d8ebfbb2f5c83cfe0909f4e57f05dd508";

// Get the concatenated string
$string = implode("\n", [
    $method,
    $uri,
    $body,
    $timestamp,
]);

// Generate the HMAC signature
$hmac = hash_hmac('sha256', $string, $secretKey);

// Print the concatenated string and HMAC signature with a line break
print("HMAC signature:\n$hmac\n");

?>

With the SHA256 function in Make I did not get the correct signature value.

The output should be the following:

HMAC signature: 407520bb32bd4b896a9e11a863091b3b815a116bf474a0f7d8ef8e8396fbe5b0

but it is:

HMAC signature: 64ac1594393483633bcde0720dc5f9e61dcc045722794d0ba71066b9a7feb69e

I try to set the variable in Make with the following function:

{{sha256("POST https://sellerapi.kaufland.com/v2/units/ 1411055926"; ; "a7d0cb1da1ddbc86c96ee5fedd341b7d8ebfbb2f5c83cfe0909f4e57f05dd508")}}

thanks.
Christoph

Hiya @cmoosbrugger; such fun being authenticated…

  1. I don’t see the newlines “\n” in your sha256 string.
  2. I think you’re missing base64 in your sha256 call as the second parameter per https://www.make.com/en/help/functions/string-functions#sha256--text---encoding----key----key-encoding--.
  3. Though $body is blank, there should be a newline for it.

hi,

thanks for your input.

When I also print the string in the functions file before hashing, it does not show newlines.

// Print the concatenated string and HMAC signature with a line break
print("Concatenated string:\n$string\n\n");
print("HMAC signature:\n$hmac\n");

The output of those two lines is the following:

Concatenated string: POST https://sellerapi.kaufland.com/v2/units/ 1411055926 HMAC signature: 407520bb32bd4b896a9e11a863091b3b815a116bf474a0f7d8ef8e8396fbe5b0

Even the empty body string is not there. This is why I was trying it this way.

My next question would be how to put newlines into the SHA256 Make function. Can I just put “\n” snippets there?

Regarding the missing base64 encoding, do you mean the encoding for the text or the key?

thanks!

I created a scenario, find attached below, to test out things and found that we should not request base64 as part of the sha256 request, besides building up the $string more cleanly.

I initiated my variables and then brought them together as an array, which I think joined.

Create the hash_hmac.

blueprint (1).json (12.1 KB)

Good luck!

Awesome, this did the trick. Even though the final http request to the platform did not work right away.

As the platform documentation was not clear, it was trial and error, and finally I found out that when creating the signature, the full request URL (including the query params) must be added, not only the base URL.

Which is kind of weird, but at least I got it to work now.

many thanks!
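
An added Python example (not code from the thread, Make, or the marketplace) of the signing scheme discussed above: fields joined by newlines with the empty body kept as its own line, the key used as raw text, and the full URL including the query string as the signed value. The helper names and the `?example=1` query string are constructed for illustration.

```python
import hashlib
import hmac

# Example key quoted in the thread's PHP snippet; used as raw text, not hex-decoded.
SECRET_KEY = "a7d0cb1da1ddbc86c96ee5fedd341b7d8ebfbb2f5c83cfe0909f4e57f05dd508"


def canonical_string(method: str, url: str, body: str, timestamp: int) -> str:
    """Join the four fields with newlines; an empty body still gets its own line."""
    return "\n".join([method, url, body, str(timestamp)])


def sign(method: str, url: str, body: str, timestamp: int, key: str = SECRET_KEY) -> str:
    """Hex HMAC-SHA256 over the canonical string, like PHP's hash_hmac('sha256', ...)."""
    message = canonical_string(method, url, body, timestamp).encode("utf-8")
    return hmac.new(key.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify(signature: str, method: str, url: str, body: str, timestamp: int) -> bool:
    """Recompute the signature and compare in constant time, as a receiver would."""
    return hmac.compare_digest(signature, sign(method, url, body, timestamp))


def space_joined_signature(method: str, url: str, timestamp: int, key: str = SECRET_KEY) -> str:
    """The mistaken input from the thread: spaces as separators and no body line."""
    message = f"{method} {url} {timestamp}".encode("utf-8")
    return hmac.new(key.encode("utf-8"), message, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    ts = 1411055926
    base = "https://sellerapi.kaufland.com/v2/units/"
    full = base + "?example=1"  # constructed query string, not a documented parameter
    print("newline-joined :", sign("POST", base, "", ts))
    print("space-joined   :", space_joined_signature("POST", base, ts))
    # Signing only the base URL fails verification against the full request URL.
    print("base URL signature accepted for full URL:",
          verify(sign("POST", base, "", ts), "POST", full, "", ts))
```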

Congratulations @cmoosbrugger for the win. And yeah, I’ve found that experimenting with stuff is how I’ll get it solved, even finding undocumented things that work.