hmac hash not same in PHP and Go

Question

I am trying to generate a hmac for API authentication, but the documentation is on Go, I need to convert it to php way, I need the result to be the same as Go result.

On the Docs said: To build the string to sign, combine the HTTP method, request content type, date time, request URI, and the payload hash with the newline in between each parameter.

Go Way:

func ComputeHMAC(date string) string
   request := []string{"POST","application/json",'Thu, 17 Jan 2019 02:45:06 
              GMT',"/ayden/init",'qz0HpayQzMDnBfJMfUB5zJGU62nX2Uef66m6YIpDAWA='}
   request1 := strings.Join(request, "\n")
   request2 := []string{request1,"\n"}
   stringToSign := strings.Join(request2, "")

   shaSignature := computeHmac256(stringToSign, "secret")
}

func computeHmac256(message string, secret string) string {
   key := []byte(secret)   
   h := hmac.New(sha256.New, key)
   h.Write([]byte(message))
   result := h.Sum(nil)
   return base64.StdEncoding.EncodeToString(result)
 }

Hmac in GO: 6k44vpeNqYSgFkM2sZsJH+Ijg5amftPnqO3v45pMWN0=

What i tried in PHP:

$stringToSign = [
        'POST',
        'application/json',
        'Thu, 17 Jan 2019 02:45:06 GMT',
        '/ayden/init',
        'qz0HpayQzMDnBfJMfUB5zJGU62nX2Uef66m6YIpDAWA='
    ];

$string = implode("/n", $stringToSign);
$hmac = base64_encode(hash_hmac('sha256', $string, 'secret', true)); 
echo $hmac;

Hmac in PHP: 9mt4Ojzr9uVGaB6/jt96bbuEd0gJNh6Cph3q+dY3X38=

I`m a bit lost here, already spent many hours to figure this out, please help.

Something to do with GMT on a newline? Could also be the new line is wrong in php — CGSmith105, Jul 08 '20 at 03:38
on the docs said: To build the string to sign, combine the HTTP method, request content type, date time, request URI, and the payload hash with the newline in between each parameter. @CGSmith105 — berusjamban, Jul 08 '20 at 03:42
The Go code is invalid. It's missing a curly brace and return statement, the date value has whitespace that would not be allowed in an HTTP header, and single quotes are not allowed for string literals. After fixing all that [the output is not 6k44vpeNq...](https://play.golang.org/p/hVZZvtzCpf6). In PHP you're using `/n` instead of `\n` and you're missing the trailing newline. After fixing that [the output is identical to Go's](https://3v4l.org/A2sTt). — Peter, Jul 08 '20 at 06:49
Don't pass `true` as the final argument to the PHP `hash_mac` function. That changes the output format from hex digits to raw data. This is probably the only problem you have. — Jonathan Hall, Jul 08 '20 at 07:16

score 2 · Answer 1 · answered Jul 08 '20 at 03:42

2

you can try this function

func computeHmac256(src string, secret string) string {
    h := hmac.New(sha256.New, []byte(secret))
    h.Write([]byte(src))
    shaStr:= fmt.Sprintf("%x",h.Sum(nil))
    return base64.StdEncoding.EncodeToString([]byte(shaStr))
}

answered Jul 08 '20 at 03:42

lightbrother

21
3

1

hi thanks, but i need it on php – berusjamban Jul 08 '20 at 03:43

score 0 · Answer 2 · answered Jul 08 '20 at 03:51

0

php code

base64_encode(hash_hmac('sha256', $data, $secret));

I tested successfully on golang and php. The result is same.

answered Jul 08 '20 at 03:51

lightbrother

21
3

may i know what you pass on the $data? – berusjamban Jul 08 '20 at 04:03
Example 1: $data = "hello"; $secret="test"; Example 2: $data = "hello\n"; $secret="test"; – lightbrother Jul 08 '20 at 04:06
can you replicate the param like my question in php, do you get the same result? – berusjamban Jul 08 '20 at 04:14
I think your $data in golang and php are different. in golang is "strings.Join(request, "\n")", but in php "implode("/n", $stringToSign);" golang => \n ; php => /n – lightbrother Jul 08 '20 at 06:20

hmac hash not same in PHP and Go

2 Answers2