Rodrigo Ney Rodrigo Ney - 4 months ago 40
Python Question

Python and Java MAC SHA256 encoding generating VERY SIMILAR KEY

I'm creating a signed request (

SHA256
and
base64
) using
Java
and validating this request in
Python
. The keys that I generated are really similar:

Java:

UjuGTll3GF7H8MHWyJc41NAEcd-OZOeJLT9PiAevcsw


Python :

UjuGTll3GF7H8MHWyJc41NAEcd+OZOeJLT9PiAevcsw


The only diference happens with char
+
and char
-
. I cannot change the java code because I don't have access to it, I only know that it uses
javax.crypto.Mac
. However, my python code is:

import hmac
import hashlib
hmac.new(api_secret, url, hashlib.sha256).digest().encode('base64')


The variables
api_secret
and
url
have the same input in both languages (
Java
and
Python
)

What am I missing?

Answer

digest() returns a string, so encode is just the standard encode method. According to the list of standard encodings, specifying base64 as the encoding means that base64.encodestring will be used. The alphabet used by that function includes + and /, which are the last two characters in the standard Base64 alphabet:

>>> base64.encodestring(chr(248))
'+A==\n'

If you want an encoded string that uses - and _ instead of + and /, you need to use base64.urlsafe_b64encode:

>>> base64.urlsafe_b64encode(chr(248))
'-A=='

So you'd need to do something like:

base64.urlsafe_b64encode(hmac.new(api_secret, url, hashlib.sha256).digest())

For this to work, though, you need to check that the Java code is also producing _ instead of /, like urlsafe_b64encode.

Comments