HMAC SHA-256 and Facebook signed_request
So, I'm working on validating Facebook's signed_request using Java. Unfortunately, I keep running into issues with the validation process. I've looked at this documentation (http://developers.facebook.com/docs/authentication/signed_request/), and emulated their algorithm, to no success. I've also followed this tutorial (http://www.sergiy.ca/how-to-implement-facebook-oauth-2.0-app-authorization-process-in-java/), and continued to come up with my calculated signature being different from the one that Facebook sent.

Or at least, that was what String.equals() was telling me.

So I decided to poke at it some more.

I set it up to iterate over the bytes in my calculated signature and the provided ones. Lo and behold, the first 32 bytes of my signature matched theirs exactly. It was just missing another 400+ bytes of data.

At that point, I decided I should probably get a better notion of what the heck was going on. I looked up SHA-256, and found that, indeed, it only creates 32 bytes of information (http://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functions). So then I'm left with over 400 bytes of data which Facebook claims was generated using the HMAC SHA-256 algorithm. I thought I should compare the maximum length of SHA-256 with the length of the data I'm hashing, but that just showed that there was way, way, way a lot of room to spare (Message size: 575 bytes; Maximum Size: 2.305843009213694 x 10^18 bytes).

Is Facebook making shit up? Or am I missing something?

*edit*

This is the function I use to hash the data. I pass in my Facebook secret code (for key), and the base64url encoded JSON object (for data). It consistently returns a byte array of length 32 with data that matches the first 32 bytes of the signature provided by Facebook.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Computes HMAC-SHA256 over `data` keyed with `key`; the result is always 32 bytes.
private byte[] hmacSHA256(String data, String key) throws Exception {
    SecretKeySpec secretKey = new SecretKeySpec(key.getBytes("UTF-8"), "HmacSHA256");
    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(secretKey);
    mac.update(data.getBytes("UTF-8"));
    byte[] hmacData = mac.doFinal();
    return hmacData;
}
```
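The signed_request format described in the Facebook documentation linked above is `base64url(signature) + "." + base64url(payload)`: the part before the dot decodes to exactly the 32-byte HMAC-SHA256 tag, and everything after it is the JSON payload. The following is an added example (not the asker's code) showing the full verification in Java: split on the dot, decode only the signature, compute HMAC-SHA256 over the still-encoded payload with the app secret, and compare in constant time. The secret and payload values are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignedRequestVerifier {

    // Returns the decoded JSON payload when the signature verifies, otherwise null.
    static String verify(String signedRequest, String appSecret) throws Exception {
        int dot = signedRequest.indexOf('.');
        if (dot < 0) return null;
        String encodedSig = signedRequest.substring(0, dot);
        String encodedPayload = signedRequest.substring(dot + 1);

        // Only the part before the dot is the signature; it base64url-decodes to 32 bytes.
        // Java's URL decoder accepts the unpadded form Facebook uses.
        byte[] expected = Base64.getUrlDecoder().decode(encodedSig);

        // The MAC is computed over the encoded payload string, not the decoded JSON.
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(appSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] actual = mac.doFinal(encodedPayload.getBytes(StandardCharsets.UTF_8));

        // Constant-time comparison instead of Arrays.equals/String.equals.
        if (actual.length != 32 || !MessageDigest.isEqual(expected, actual)) return null;

        return new String(Base64.getUrlDecoder().decode(encodedPayload), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String secret = "example-app-secret"; // constructed placeholder, not a real secret
        String payloadJson = "{\"algorithm\":\"HMAC-SHA256\",\"user_id\":\"12345\"}";

        // Build a constructed signed_request the way the issuer would, so the example is self-contained.
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String encodedPayload = enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        String sig = enc.encodeToString(mac.doFinal(encodedPayload.getBytes(StandardCharsets.UTF_8)));
        String signedRequest = sig + "." + encodedPayload;

        System.out.println("valid:     " + verify(signedRequest, secret));
        System.out.println("tampered:  " + verify(sig + "." + encodedPayload.substring(1), secret));
        System.out.println("wrong key: " + verify(signedRequest, "other-secret"));
    }
}
```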