Verify SHA-256 generated using liquid

till · July 12, 2021, 11:57pm

Hello!

I’m trying to verify a SHA256 signature generated with PHP/Ruby in a Worker.

I tried using the signing requests example, but all verify() method always return false.

Could someone point out what I’m doing wrong?

// expiry=1626128829
// email=till%40layla[snip].com
// secret=851a819217ae1ef6f8b5e325a48f82e4e0b1c2e2df169bfd57156816af326c29

async function handleRequest(request) {
  const url = new URL(request.url);

  const encoder = new TextEncoder()
  const expiry = Number(url.searchParams.get("expiry"))
  const dataToAuthenticate = url.searchParams.get("email") + expiry

  const secretKeyData = encoder.encode("squad-taps-earphone-sleek")

  const key = await crypto.subtle.importKey(
    "raw",
    secretKeyData,
    { name: "HMAC", hash: "SHA-256" },
    false,
    ["verify"],
  )

  // 851a819217ae1ef6f8b5e325a48f82e4e0b1c2e2df169bfd57156816af326c29
  const textSecret = url.searchParams.get("secret")

  const verified = await crypto.subtle.verify(
    "HMAC",
    key,
    encoder.encode(textSecret),
    encoder.encode(dataToAuthenticate)
  )

  return new Response(verified ? 'verified' : 'not verified')
}

till · July 13, 2021, 2:47am

I was missing a hexStringToUint8Array().

async function handleRequest(request) {

  const encoder = new TextEncoder()
  const expiry = 1626128829
  const email = "[email protected]"
  const hash = "25ddbf5d07a6076d22eac4cb1e6d7e8e528655aba8aa9c7212c40d2c668f573a"

  const secretKey = "squad-taps-earphone-sleek"

  const key = await crypto.subtle.importKey(
    "raw",
    encoder.encode(secretKey),
    { name: "HMAC", hash: "SHA-256" },
    false,
    ["verify"],
  )

  const verified = await crypto.subtle.verify(
    "HMAC",
    key,
    hexStringToUint8Array(hash),
    encoder.encode(email + expiry),
  )

  return new Response(verified ? 'verified' : 'not verified')
}

function hexStringToUint8Array(hexString) {
  var arrayBuffer = new Uint8Array(hexString.length / 2);

  for (var i = 0; i < hexString.length; i += 2) {
    arrayBuffer[i/2] = parseInt(hexString.substr(i, 2), 16);
  }

  return arrayBuffer;
}

Topic		Replies	Views
Help comparing HMAC Workers	6	3923	February 21, 2022
SHA-256 Signature Recurly Mismatch Developers	2	1193	January 14, 2023
Verify Zoom Webhook in Worker Workers	5	1543	October 14, 2022
Web Crypto API - importKey or deriveKey not generating correctly Workers	4	4075	October 23, 2018
Node Crypto vs Web Crypto Workers	2	6121	September 1, 2020

Verify SHA-256 generated using liquid

Related topics