For our C/C++ app we are using Security Transforms API for doing some basic encryption/decryption.
And now we need to calculate SHA256 of data, and though documentation claims that Security Transforms also provides a way of hashing, but seems there is no details of how to do it. And seems google doesn't bring any example or details on it as well.
So question is:
Is it really possible to calculate SHA256 using Security Transforms?
And if no, then is there any other API (provided by Apple) to calculate SHA256 using C/C++?
Following a code example:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig-more#rsa-sha256" /> <ds:Reference URI=""> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> <ds:DigestValue>...</ds:DigestValue> </ds:Reference></ds:SignedInfo><ds:SignatureValue>...</ds:SignatureValue><ds:KeyInfo> <ds:KeyName>...</ds:KeyName></ds:KeyInfo>
There is a SignatureMethod Algorithm (http://www.w3.org/2000/09/xmldsig#rsa-sha256) and a DigestMethod Algorithm (http://www.w3.org/2000/09/xmldsig-more#rsa-sha256).
As far as I am correctly informed, SignatureMethod Algorithm means that the content of the XML is first hashed (by SHA256) and then signed by RSA.
Now I read an article about increasing security Level by changing to SHA512.
What would be the most effect on my code? Would it be more slow? And what are the main arguments for SHA512 to definitely change. Thank you.
Thanks for your help!
I am trying to use Dropbox's API, and I got it to successfully send me alerts via webhooks, but now I want to verify the signatures every time they send me an alert.
From dropbox's documentation, they write:
"Every notification request will include a header called X-Dropbox-Signature that includes an HMAC-SHA256 signature of the request body, using your app secret as the signing key. This lets your app verify that the notification really came from Dropbox."
So I successfully catch that signature, and I use NodeJS built in crypto module to try to create my own signature with HMAC SHA256 and then compare my signature against the signature Dropbox sends me.
Here is my code for doing so:
var sign = req.get("X-Dropbox-Signature"); console.log(sign); var hmac = crypto.createHmac(algorithm, secret); hmac.update(JSON.stringify(req.body)); hash = hmac.digest('hex'); console.log(hash);
Where algorithm is just 'sha256'and secret is my secret key that I got from my dropbox apps page.I have to use JSON.stringify(req.body) because req.body is an object and hmac.update takes a string. I am wondering if that is where my error comes from?
I console log the sign which is the signature from dropbox, and then I console log the signature which I created using hmac, but it is a different signature.
Any suggestions to what I may be doing wrong?
I'm making some experiments with hashing. I'm getting a problem while doing a simple test.
This is my code:
String newWord = readFile("C:\\Users\\javip\\Desktop\\Workspace SSII\\listado-general.txt").get(5);System.out.println(newWord);String qwerty = "qwerty2";System.out.println(qwerty);System.out.println(newWord.equals(qwerty));String sha256hex = DigestUtils.sha256Hex(newWord); System.out.println(DigestUtils.sha256Hex(qwerty));System.out.println(DigestUtils.sha256Hex(sha256hex));
And here it is what my console prints:
What am I doing wrong? I know by comprobation in some SHA256 encrypters of Intenet that
is the correct hash for "qwerty2" using SHA256.