Trouble creating auth string using PHP HMAC SHA1 and Base64

Question

So I am working with this API and using Laravel, and I am trying to build an auth string. This is the documentation I was given, but I am having a little trouble as this is something relatively new to me.

Here are the auth instructions:

The authentication parameter is a string and it can calculated by the caller or the caller can choose to save this value as a parameter together with connection ID and API key.

The authentication is a base64 string of a HMAC SHA1 hash. This is computed by using the binary of API Key in in

########################## format in all lower case and UTF8 encoding as the key and computer HMAC SHA1 hash on the binary of

Connection ID in ################################ format in all lower case and UTF8 encoding.

The result binary hash is then base64 encoded and the text result is what should be passed as the authentication parameter. In C# the code to calculate the authentication may look like:

 HMACSHA1 hmac = new HMACSHA1( UTF8Encoding.UTF8.GetBytes(apiKey.ToString("N").ToLower()) ); string authentication = Convert.ToBase64String( hmac.ComputeHash( UTF8Encoding.UTF8.GetBytes(connectionId.ToString("N").ToLower()) ) ); 

As an example the following credentials:

Connection ID: 5fecbc200f0e4a7cbf41040e11047e56

API Key: 2de51c4fd0f04b9fabeb95225e87da70

Should result in a computed authentication value of m5/Vc1RzhUETQvEtx/JdIglQpTg=

So what i have been trying is:

$a = strtolower('5fecbc200f0e4a7cbf41040e11047e56');
$b = strtolower('2de51c4fd0f04b9fabeb95225e87da70');
$z = hash_hmac("sha1", utf8_encode(decbin($b)), utf8_encode(decbin($a)), true);
dd(base64_encode($z));

Which outputs QjG3kzUs7U1UukNd++3t24pBWNk=

I have tried a few more variations, but I am just lost on this one. First time really decoding or encoding anything. Would greatly appreciate any tips, ideas, or snippets that can help me figure this out. Already spent a few hours on this and it's bugging me..

Answer 1

First: Get rid of utf8_encode() and just generally don't use it. It assumes that the input string is ISO-88591-1 and if it is anything else it will silently corrupt the data. This function has an incredibly misleading name, and I would go as far as to suggest that no one should ever use it or the corresponding utf8_decode() which will break your data in the same manner, but reversed.

If you need to convert string encodings in PHP use something that explicitly defines the input and output encodings, eg: mb_convert_encoding() . [you still don't need it for this]

Second: Whatever you think decbin() does, you're incorrect. It converts an integer into a literal, capital-S String composed of 0 and 1 characters .

Third: PHP strings have no inherent encoding and are roughly equivalent to byte arrays if you twisted my arm for a description. The bytes you put into them are the bytes you get out of them.

Fourth: I'm not exactly a C# expert [or intermediate, or even beginner ] but that example code is horrendous. What even is the significance of the N in connectionId.ToString("N") ? I can't find any documentation about this.

Start simple, use meaningful variable names, build up, and read the docs .

$connectionID = strtolower('5fecbc200f0e4a7cbf41040e11047e56');
$apiKey       = strtolower('2de51c4fd0f04b9fabeb95225e87da70');
$hash         = hash_hmac("sha1", $connectionID, $apiKey, true);
var_dump(base64_encode($hash));

Output:

string(28) "m5/Vc1RzhUETQvEtx/JdIglQpTg="