srp_Hash() returning different output than expected
As part of implementing oauth, I have to hash and encode a random string of characters which are later verified by the third party.
I'm receiving an error
Transformed code verifier does not match code challenge
which basically means when I pass the string and they hash/encode it, it doesn't match the encoded version I sent previously.
I was thinking I was somehow sending the wrong thing, but after testing using Postman, it appears that srp_hash is providing a subtly different output to their version.
I'm calling srp_hash using these parameters
codeChallenge = SRP_Hash(theCode, 'SHA-256', 'BASE64')
For example, this string
czskhjhwhonrgvamtk8224474843883642743586266462367
is returned from srp_hash as fjZ+3wGKt75TgQTB9tYlxn62rZjlnZ/mLmbwBmua/As
Utilising an online code generator, the same string is returned as
fjZ-3wGKt75TgQTB9tYlxn62rZjlnZ_mLmbwBmua_As
In case it's not obvious, "+" is replaced with "-" and "/" is replaced with "_".
The requirements are specified as
The “code challenge” is created by performing a SHA256 hash on the code verifier and then Base64url encoding the hash
The online tool for performing the hash that returns a value that works can be found here pkce-generator/
Is there anything obvious I've overlooked?
Hold that thought!
As I finished typing, I noticed the "Base64URL" and googled the differences.
I can make the appropriate changes now, but I'll leave this here in case someone else can learn from my ignorance.
And I guess it's worth asking, does srp_hash have an undocumented Base64URL option?
Comments
I haven't had my morning coffee. You said SRP_Hash, not SRP_Encode. Correct, we forgot to update the documentation on that page. But anything supported by SRP_Encode is supported in the Encode parameter. I updated that page. Sorry for the confusion.
Also, is there a way to tell it to omit the padding? I see that srp_encode() can omit crlf$ which almost does the job but not quite.
As before, I can handle this all myself now, but it would be nice if the one call (to srp_encode() at least) did the complete job.
Feel free to slap me if I'm just missing something in my reading/understanding.
I'm saying the srp_encode() doesn't switch the "/", nor, as far as I can tell, does it omit the padding quite right.
Here's my last example.
theCode = "tjttmhuvzkwynnjtlmwvc7424722627734625744455425364324"
codeHashed = SRP_Hash(theCode, 'SHA-256')
characterSet = ''
useCRLFs = false$
codeChallenge = SRP_Encode(codeHashed, 'BASE64URL', characterSet, useCRLFs)
Output expected/desired
Note, this time the "+" wasn't converted whereas in other examples it was, but the "/" wasn't. This example didn't have a "/" so I don't know if it would have worked or not.
2.2.15.4 should not only fix this, but allow you to use 'BASE64URL' directly in SRP_Hash. The default line break setting for 'BASE64URL' is now 0, so you shouldn't get an '=' either.
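The S256 challenge computation and the check the authorisation server performs, as an added Python example that is not from this thread or from SRP's library (the function names are my own; the verifier string is the one from the first post, and the "standard Base64" function reproduces the shape srp_hash returned before the fix):

```python
import base64
import hashlib
import secrets


def base64url_nopad(raw: bytes) -> str:
    """Base64url as PKCE requires: '-'/'_' alphabet, no '=' padding, no line breaks."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def standard_to_base64url(std: str) -> str:
    """Convert a standard Base64 string (e.g. srp_hash's BASE64 output) to unpadded base64url.
    This is exactly the '+'->'-' and '/'->'_' swap plus padding removal the thread describes."""
    return std.rstrip("=").replace("+", "-").replace("/", "_")


def generate_code_verifier(nbytes: int = 32) -> str:
    """High-entropy code_verifier; 32 random bytes give 43 URL-safe characters (RFC 7636 needs 43..128)."""
    return base64url_nopad(secrets.token_bytes(nbytes))


def standard_base64_digest(verifier: str) -> str:
    """SHA-256 of the verifier in standard Base64 with padding: what SRP_Hash(..., 'BASE64') produced."""
    return base64.b64encode(hashlib.sha256(verifier.encode("ascii")).digest()).decode("ascii")


def s256_code_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), RFC 7636 section 4.2."""
    return base64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def server_side_check(verifier: str, challenge: str) -> bool:
    """What the token endpoint does: recompute from the verifier and compare in constant time.
    A challenge with '+', '/' or a trailing '=' never matches, which is the
    'Transformed code verifier does not match code challenge' error from the thread."""
    return secrets.compare_digest(s256_code_challenge(verifier), challenge)


if __name__ == "__main__":
    verifier = "czskhjhwhonrgvamtk8224474843883642743586266462367"  # from the first post
    challenge = s256_code_challenge(verifier)
    print("challenge:", challenge)
    print("base64url accepted:", server_side_check(verifier, challenge))
    print("standard Base64 accepted:", server_side_check(verifier, standard_base64_digest(verifier)))
```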