Closed blump closed 4 months ago
Hi, I think the problem is with the hash function in PHP: by default it returns a hex string, but the input for hash_hmac expects binary data, so set the third argument to true, indicating binary output (https://www.php.net/manual/en/function.hash.php). You can also see that implemented in the WordPress plugin (https://github.com/altcha-org/wordpress-plugin/blob/main/includes/core.php#L233).
Hi, I'll start with Altcha. Thank you for all your hard work. I'm now checking the hashes and signatures. I'm doing the verification in PHP after submitting the form.
When submitting a form without the spamfilter, I check the challenge by concatenating $payload['salt'] and $payload['number']: OK. The signature with the result of the challenge and my private key: OK.
When adding the spamfilter option, I can't find the payload signature ...
Documentation step:
1) I retrieve the data from verificationData without modifying it, so I have a string with fields, etc ... that I hash with the SHA-256 algorithm also supplied with the payload. I transform the SHA-256 into sha256 because PHP ...
$hash = hash($payload['algorithm'],$payload['verificationData']);
2) Then I sign this hash with the private key provided by Altcha:
$signature = hash_hmac($payload['algorithm'], $hash, $secretKey);
3) The signature does not match the one sent by the payload. No problem without spamfilter.
I don't know what I've missed in the doc. https://altcha.org/docs/api/challenge-api/
Thanks for your feedback.
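
The two steps from the question with the fix from the reply applied, as an added example that is not part of the original thread or the Altcha code base. The helper names, the `signature` field name, the secret key, and the verificationData string are constructed for illustration, and the sample signature is produced by the same routine so the script runs offline.

```php
<?php
// Assumption: this deployment only accepts SHA-256; pin it rather than
// trusting whatever algorithm name arrives in the client-supplied payload.
const ALLOWED_ALGOS = ['sha256'];

// Map the payload label ("SHA-256") to PHP's algorithm name ("sha256").
function php_algo(string $label): string
{
    $algo = strtolower(str_replace('-', '', $label));
    if (!in_array($algo, ALLOWED_ALGOS, true)) {
        throw new InvalidArgumentException("unsupported algorithm: $label");
    }
    return $algo;
}

// HMAC over the digest of verificationData, returned as hex.
// $rawDigest = true feeds hash_hmac() the raw bytes (the fix from the reply);
// false reproduces the hex-string input used in the question.
function sign_verification_data(string $label, string $data, string $key, bool $rawDigest = true): string
{
    $algo = php_algo($label);
    return hash_hmac($algo, hash($algo, $data, $rawDigest), $key);
}

// Hypothetical helper: true only if the payload's signature is valid.
function verify_payload(array $payload, string $key): bool
{
    foreach (['algorithm', 'verificationData', 'signature'] as $field) {
        if (!isset($payload[$field]) || !is_string($payload[$field])) {
            return false; // missing or non-string field
        }
    }
    try {
        $expected = sign_verification_data($payload['algorithm'], $payload['verificationData'], $key);
    } catch (InvalidArgumentException $e) {
        return false; // algorithm outside the allow-list
    }
    return hash_equals($expected, $payload['signature']); // constant-time compare
}

// Constructed sample values, not real Altcha data.
$secretKey = 'constructed-secret-key';
$data = 'classification=GOOD&score=1.5&verified=true';
$payload = ['algorithm' => 'SHA-256', 'verificationData' => $data,
            'signature' => sign_verification_data('SHA-256', $data, $secretKey)];

var_dump(verify_payload($payload, $secretKey));            // check with the raw digest
$hexVariant = sign_verification_data('SHA-256', $data, $secretKey, false);
var_dump(hash_equals($payload['signature'], $hexVariant)); // hex-digest variant vs. same signature
```

The second comparison shows why the question's code fails: the hex digest is a different byte string from the raw digest, so the HMAC over it can never equal the signature computed over the raw bytes.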