Unable to validate X-Hub-Signature-256 from webhook #24646

vmaral · 2020-12-30T10:38:05Z

vmaral
Dec 30, 2020

I have set up a github webhook with content type as application/json and have provided a secret. My java code generates the different hash than what github provides. Any help will be highly appreciated. Thanks in advance.

Java code:

private static final String SIGNATURE_PREFIX = "sha256=";
private static final String HMAC_SHA_ALGORITHM = "HmacSHA256";
private boolean validateSignature(String signatureHeader, String payload, String encoding, String secretToken)

throws UnsupportedEncodingException {
    if (secretToken == null || secretToken.equals("")) {
        LOG.error("webhookSecret not configured. Skip signature validation");
        return false;
    }

    if (!signatureHeader.startsWith(SIGNATURE_PREFIX)) {
        LOG.errorf("Unsupported webhook signature type: {}", signatureHeader);
        return false;
    }
    byte[] signatureHeaderBytes;
    try {
        signatureHeaderBytes = decodeHex(signatureHeader.substring(SIGNATURE_PREFIX.length()).toCharArray());
    } catch (DecoderException e) {
        LOG.errorf("Invalid signature: {}", signatureHeader);
        return false;
    }
    byte[] expectedSignature = getExpectedSignature(payload.getBytes(encoding == null ? "UTF-8" : encoding), secretToken);
    LOG.info("generated signature: "+ bytesToHex(expectedSignature));
    return MessageDigest.isEqual(signatureHeaderBytes, expectedSignature);
}


private byte[] getExpectedSignature(byte[] payload, String secretToken) {

    SecretKeySpec key = new SecretKeySpec(secretToken.getBytes(), HMAC_SHA_ALGORITHM);
    Mac hmac;
    try {
        hmac = Mac.getInstance(HMAC_SHA_ALGORITHM);
        hmac.init(key);
    } catch (NoSuchAlgorithmException e) {
        throw new IllegalStateException("Hmac SHA must be supported", e);
    } catch (InvalidKeyException e) {
        throw new IllegalStateException("Hmac SHA must be compatible to Hmac SHA Secret Key", e);
    }
    return hmac.doFinal(payload);
}

private static String bytesToHex(byte[] hash) {
    StringBuilder hexString = new StringBuilder(2 * hash.length);
    for (int i = 0; i &lt; hash.length; i++) {
        String hex = Integer.toHexString(0xff &amp; hash[i]);
        if (hex.length() == 1) {
            hexString.append('0');
        }
        hexString.append(hex);
    }
    return hexString.toString();
}


public static byte[] decodeHex(final char[] data) throws DecoderException {
    final byte[] out = new byte[data.length &gt;&gt; 1];
    final int outOffset = 0;
    final int len = data.length;

    if ((len &amp; 0x01) != 0) {
        throw new DecoderException("Odd number of characters.");
    }

    final int outLen = len &gt;&gt; 1;
    if (out.length - outOffset &lt; outLen) {
        throw new DecoderException("Output array is not large enough to accommodate decoded data.");
    }

    // two characters form the hex value.
    for (int i = outOffset, j = 0; j &lt; len; i++) {
        int f = toDigit(data[j], j) &lt;&lt; 4;
        j++;
        f = f | toDigit(data[j], j);
        j++;
        out[i] = (byte) (f &amp; 0xFF);
    }

    return out;
}


protected static int toDigit(final char ch, final int index) throws DecoderException {
    final int digit = Character.digit(ch, 16);
    if (digit == -1) {
        throw new DecoderException("Illegal hexadecimal character " + ch + " at index " + index);
    }
    return digit;
}

Answered by vmaral

Dec 31, 2020

This is resolved. when I was copying payload it was adding some formatting chars (\n, \t) due to which payload was getting modified. It worked after stripping those.

View full answer

vmaral · 2020-12-31T12:07:05Z

vmaral
Dec 31, 2020
Author

This is resolved. when I was copying payload it was adding some formatting chars (\n, \t) due to which payload was getting modified. It worked after stripping those.

0 replies

madhumithra · 2021-05-04T15:11:12Z

madhumithra
May 4, 2021

even after removing formatting chars i couldnt generate correct signature
plz help

1 reply

jalendar515 Mar 14, 2023

        public String HMAC_SHA256_encode(String key, String message) {

        SecretKeySpec keySpec = new SecretKeySpec(
                key.getBytes(),
                "HmacSHA256");

        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(keySpec);
        byte[] rawHmac = mac.doFinal(message.getBytes());

        return Hex.encodeHexString(rawHmac);
    }

compare the return value with the x-hub-header-256 value with stripping "sha256="

BhendiGawaar · 2021-05-05T04:14:28Z

BhendiGawaar
May 5, 2021

@madhumithra Can you share more details such as how you have configured webhooks and code you are using to verify those?

0 replies

github-gael-soude · 2022-02-22T10:32:58Z

github-gael-soude
Feb 22, 2022

Hello

I have the same problem.
I am trying to check the HMAC SHA256 of the JSON body, but I can’t get the same value than the one received in the X-Hub-Signature-256 header.
Does somebody successfully checked the Hash value ?

    key                         = bytes(os.environ.get('API_TOKEN'), 'utf-8')
    msg                         = await request.body()
    sha_name, signature_github  = secret_header.split('=')
    signature_sha256    = hmac.new(key=key, msg=msg, digestmod=hashlib.sha256)

0 replies

ghost · 2022-08-28T09:18:13Z

ghost
Aug 28, 2022

Bumping this instead of making a new discussion.

I am also having trouble validating hashes properly. I am working with python and using the flask framework for my server.

@app.route("/github_webhook", methods=["POST"])
def github_webhook():
    if "X-Hub-Signature-256" in request.headers:
        compute_hash = hmac.new(github_secret, request.data, digestmod="sha256").hexdigest()
        if hmac.compare_digest(request.headers["X-Hub-Signature-256"], f"sha256={compute_hash}"):
            return "webhook hash validated!", 202
    return "webhook hash does not match!", 401

This code always results in a failure to match the hashes from actual webhooks sent by github. Testing locally and using postman to send the POST requests, i managed to get this to work IF i sent the request using the hash and json copy and pasted from the real github request except put all the json on a single line and removed all the white space between arrays in the json body (so basically minifying the json payload)

But the github webhooks recent deliveries tab shows the payload as pretty printed. Is this actually what the payload looks like when github creates the hash? there definitely seems to be a difference with how github is sending the payload, and how flask creates the request.data object. What is the correct way to match the hashes for the payloads?

0 replies

guizmaii · 2023-07-04T17:35:17Z

guizmaii
Jul 4, 2023

FYI, Scala implementation (requires Java 17+ for the HexFormat):

def generateHMAC(sharedSecret: String, data: String): String = {
  val secret = new SecretKeySpec(sharedSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256")
  val mac    = Mac.getInstance("HmacSHA256")
  mac.init(secret)
  val hash   = mac.doFinal(data.getBytes(StandardCharsets.UTF_8))
  HexFormat.of.formatHex(hash)
}

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Unable to validate X-Hub-Signature-256 from webhook #24646

{{title}}

Replies: 6 comments 1 reply

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Unable to validate X-Hub-Signature-256 from webhook #24646

Replies: 6 comments · 1 reply

vmaral Dec 31, 2020 Author

Replies: 6 comments 1 reply

vmaral
Dec 31, 2020
Author