11

I am trying to implement an authentication solution with PHP and Objective-C. Both languages create their own HMAC-SHA1 encoded strings with the same key and the same secret.

Apparently they seem to differ in their way how they do it.

On Objective-C side I am using OAuthCustomer as signing class which produces the correct looking encoded string:

/3n/d4sKN6k3I7nBm1qau59UukU=

On PHP side I am using the built-in function hash_hmac('sha1',...) with base64 encoding which produces this:

ZmY3OWZmNzc4YjBhMzdhOTM3MjNiOWMxOWI1YTlhYmI5ZjU0YmE0NQ==

Then I have tried to use another function (mentioned here) and this produces with base64 encoding this:

NWY1ODUwOWE3NGI4NWU5ZTIxMDYzMTNmNzk3NTYxMDQ4OWE1MmUzNQ==

I have absolutely no idea how I can fix this issue and I don't even know why this happens.

Thanks a bunch for help,

Paul

Community
  • 1
  • 1
Paul
  • 1,295
  • 2
  • 11
  • 26
  • 3
    The output of `hash_hmac()` is a hex-string. You've base64_encoded that hexstring, which is probably wrong. Set the 4th param to hash_hmac to true first. – mario Dec 23 '10 at 21:28
  • Thanks. I changed it but the output wasn't really different (keys and secrets are dynamic so it changed a little bit): N2ZmYWNlZjc2YjYwZGIzMzA0ZjBmMDhiNDhkMzUyNTJhYjViYTY1Nw== – Paul Dec 23 '10 at 21:31
  • No, you didn't. That's still a hexstring when decoded. – mario Dec 23 '10 at 21:33
  • You're a genius. I changed the 3rd value of the md5 function to true because I missed a bracket. Now it works as it is supposed. Thank you! :) – Paul Dec 23 '10 at 21:39
  • @mario: Make it an answer, get some points! – President James K. Polk Dec 25 '10 at 13:49
  • @GregS: Christmas laziness. **Also**: you have just three more points than me! :} – mario Dec 25 '10 at 13:59

1 Answers1

29

Okay, I'll add a faux answer. (On Stackoverflow every question should be decorated by an answer.)

The hash functions in PHP mostly return hex-strings, not the real data. (For whatever reason). There is usually a function parameter to make it compatible to what other implementations expect:

 hash_hmac("sha1", $data, $key, $raw_output=TRUE);

 md5($str, $raw_output=TRUE);

 hash("sha1", $data, $raw_output=TRUE);
mario
  • 144,265
  • 20
  • 237
  • 291