Closed asiridissa closed 10 months ago
Correct. The JSON body would hashed to a hex value by SHA256.
As I remember, we agreed to do SHA256 on the total INPUT_STRING
to generate the HMAC.
Doing hash only on the body is something I don't recall from our discussions.
@spedsta Can you please provide pseudocode to explain this body only hashing with HMAC creation?
(#8 contains code sample that you may use)
I also feel uncertain about this. The HMAC function will already perform a SHA256 on the entire string, and there's no savings in efficiency or code to do it otherwise. Here is a slightly simplified version of the code we have right now (we aren't done implementing everything):
const value = [nonce, timestamp, JSON.stringify(orderedParams), reqBody].join(':')
const sigAsByteArray = Utilities.computeHmacSignature(Utilities.MacAlgorithm.HMAC_SHA_256, value, secret)
return byteArrayToHexString(sigAsByteArray)
Including two references on HMAC implementation here: https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html https://dotnettutorials.net/lesson/hmac-authentication-web-api/#google_vignette We've also seen both the URI and hashed message body methodology (either base64 or SHA256) in other API implementations.
Please advise on direction and update swagger description if anything different decided. We are ok with any changes.
Here is the part of the same AWS documentation. It mentioned 3 reasons to sign the request or do the HMAC. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html#why-requests-are-signed
Here is my explanation of how our solution covers the mentioned topics.
key
to hash the HMAC INPUT_STRING
. This is unique for the requester.
So this will prove the identity of the requester. We can decide on using a stronger key (ex :32 chars long, include numbers, letters, symbols etc.).key
makes the HMAC unique for requester. Because we are using the telegram JSON as a part of HMAC INPUT_STRING
, integrity of the message content is protected.timestamp
. I believe we should do the same.
We talked about this but did not came to a conclusion.I suggest that we don't need to do body hashing before the HMAC hashing because, we can fulfill the requirements of message authentication with only one SHA256 hashing on HMAC function.
Decided to get the body
string as it is in to the INPUT_STRING
.
Not going to do the SHA256 digest of the body
before the final HMAC function.
Closing this issue with updating swagger 0.5.a3.
In Swagger there is a note added about HMAC
body
parameter as follows.Did we make a decision to use SHA256 digest of the JSON body to feed in to the HMAC function?