sha1 hmac hexdigest signature

main.go

package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"os"
)

func generateSignature(secretToken, payloadBody string) string {
	mac := hmac.New(sha1.New, []byte(secretToken))
	mac.Write([]byte(payloadBody))
	expectedMAC := mac.Sum(nil)
	return "sha1=" + hex.EncodeToString(expectedMAC)
}

func verifySignature(secretToken, payloadBody string, signatureToCompareWith string) bool {
	signature := generateSignature(secretToken, payloadBody)
	return subtle.ConstantTimeCompare([]byte(signature), []byte(signatureToCompareWith)) == 1
}

func main() {
	testPayloadBody := `{"message":"test content"}`
	testSignatureToCompareWith := `sha1=33a08e9b5e9c8d5e944d9288e9b499abb298344d`

	fmt.Println("signature match? :", verifySignature(os.Getenv("SECRET_TOKEN"), testPayloadBody, testSignatureToCompareWith))
}

main.rb

require 'openssl'
require 'rack' # gem install rack

test_payload_body='{"message":"test content"}'
test_signature_to_compare_with='sha1=33a08e9b5e9c8d5e944d9288e9b499abb298344d'

def generate_signature(secret_token, payload_body)
    return 'sha1=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret_token, payload_body)
end

def verify_signature(secret_token, payload_body, signature_to_compare_with)
    signature = generate_signature(secret_token, payload_body)
    return Rack::Utils.secure_compare(signature, signature_to_compare_with)
end

puts "signature match? : #{verify_signature(ENV['SECRET_TOKEN'], test_payload_body, test_signature_to_compare_with)}"

To compare signatures use constant time compares:

• Ruby: Rack::Utils.secure_compare (https://www.rubydoc.info/gems/rack/Rack/Utils.secure_compare)
• Go: https://golang.org/pkg/crypto/hmac/#Equal or subtle.ConstantTimeCompare (https://golang.org/pkg/crypto/subtle/#ConstantTimeCompare)

YOUR CODE WORKS LIKE A CHARM!

YOUR CODE WORKS LIKE A CHARM!

Awesome to hear @rayxyz ;)