Showing posts with label sha256. Show all posts
Showing posts with label sha256. Show all posts

Wednesday, November 9, 2022

[FIXED] How to validate DKIM body hash manually?

      , ,      No comments   

Issue

RFC5322 Procedure

This is an auto forwarded email. I'm trying to verify the bh field as per rfc5322. But the sha256 hash value received is not matching this value. The message body is: for forwarded mail Any suggestions to validate the bh= field correctly? I have included some sample header field data. Please do explain (relaxed) canonical procedure too

    DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1516798995;
        s=jan2017; d=headsup.co.in; i=sender@headsup.co.in;
        h=Date:From:To:Message-Id:Subject:MIME-Version:Content-Type; l=627;
        bh=ODw8icD/S+4UGcXgR4ocNpxXDh4PolWtd1IUXjh0AUs=;
        b=G2vTZ+uQ+krw49l+4aMnaeZjUvAJXPPRA8bvOhs3XZNbd2Ng+odB/F5PI3tRpdhr
        C0CJA5KPv4VncP2V1PjNdkgKLjs1eTzLSaqmPjhhQDc8mWQRT0rzcPP3V9v6BeXF987
        54Zns/QWtR+RbSacFXvUjyBEOlaWUVAmaVcqw5S8=

    //Message: for forwarded mail
  //Example Data
    Date: Wed, 24 Jan 2018 18:33:08 +0530
    From: sender <sender@headsup.co.in>
    To: "receiver" <receiver@gmail.com>
    Message-Id: <1612843d10d.d305604a24030.1212846966506749871@headsup.co.in>
    Subject: Test Arc Seal
    MIME-Version: 1.0
    Content-Type: multipart/alternative; 
        boundary="----=_Part_76205_1329960269.1516798988558"
    X-Priority: Medium  






//Cannonicalization code (relaxed)
package canonicalization;

import java.io.IOException;



public class Canonicalization {


        public String canonicalizeHeader(String name, String value) {
            name = name.trim().toLowerCase();
            value = value.replaceAll("\\s+", " ").trim();
            return name + ":" + value;
        }

        public String canonicalizeBody(String body) {

            if (body == null || "".equals(body)) {
                return "\r\n";
            }

            body = body.replaceAll("[ \\t\\x0B\\f]+", " ");
            body = body.replaceAll(" \r\n", "\r\n");

            // The body must end with \r\n
            if (!body.endsWith("\r\n")) {
                return body + "\r\n";
            }

            // Remove trailing empty lines ...
            while (body.endsWith("\r\n\r\n")) {
                body = body.substring(0, body.length() - 2);
            }

            return body;

        }
        public static void main(String[] args) {
            Canonicalization obj=new Canonicalization();
            System.out.println(obj.canonicalizeHeader("Date"," Wed, 24 Jan 2018 18:33:08 +0530"));
            System.out.println(obj.canonicalizeHeader("From"," sender <sender@headsup.co.in>"));
            System.out.println(obj.canonicalizeHeader("To"," \"receiver\" <receiver@gmail.com>"));

            System.out.println(obj.canonicalizeBody("for forwarded mail"));

        } 
}

Solution

The code works fine for emails sent in plaintext format (Content-Type: text/plain;)

But by default, emails are sent by Rich Text Format (Content-Type: multipart/alternative;), hence the body hashes did not match



Answered By - Shashank
Answer Checked By - Dawn Plyler (PHPFixing Volunteer)

Friday, July 1, 2022

[FIXED] How can I create a matching HMAC value to verify a Shopify WebHook in .NET?

      , , , ,      No comments   

Issue

I have set up an endpoint to receive webhook requests from Shopify.

The requests from Shopify include an HMAC header that is created from a shared secret key and the body of the request.

I need to calculate the HMAC on my server and match it to the value in the request header to ensure that the request is authentic.

I can't seem to create the appropriate mechanism in .NET to create a matching HMAC value.

My algorithm at this point is as follows:

public static string CreateHash(string data)
    {
        string sharedSecretKey = "MY_KEY";

        byte[] keyBytes = Encoding.UTF8.GetBytes(sharedSecretKey);
        byte[] dataBytes = Encoding.UTF8.GetBytes(data);

        //use the SHA256Managed Class to compute the hash
        System.Security.Cryptography.HMACSHA256 hmac = new HMACSHA256(keyBytes);
        byte[] hmacBytes = hmac.ComputeHash(dataBytes);

        //retun as base64 string. Compared with the signature passed in the header of the post request from Shopify. If they match, the call is verified.
        return System.Convert.ToBase64String(hmacBytes);
    }

The Shopify docs for verifying their webhooks can be found HERE but only PHP and Ruby samples are included.

Can anyone see what I might be doing wrong? Should I be just passing the entire JSON request body as a string into this method?


Solution

As you allude to in your question, you should be hashing the entire json request body in your method.

My .NET isn't too good, but Here's the part of the ruby example that shows you what to do:

post '/' do

  . . .

  data = request.body.read
  verified = verify_webhook(data, env["HTTP_X_SHOPIFY_HMAC_SHA256"])

  . . .

end

You can see that we're just grabbing the body of the request (as a string) and throwing it into the verify method verbatim. Give it a try and hopefully you'll have more luck.



Answered By - David Underwood
Answer Checked By - Senaida (PHPFixing Volunteer)

Total Pageviews

Featured Post

Why Learn PHP Programming

Why Learn PHP Programming A widely-used open source scripting language PHP is one of the most popular programming languages in the world. It...