I'm trying to authenticate to Apple's AppStoreConnect API with an ES256 signed JWT (per their instructions at https://developer.apple.com/documentation/appstoreconnectapi) using PHP.
Sending my request always results in a 401 NOT_AUTHORIZED error.
I've verified that the the contents of my header and claims are correct - I even found a Ruby script online for generating an ES256 signed JWT and using my Apple provided Issuer, Key ID, Private Key, it works swimmingly - Apple accepts the token. That tells me that my credentials are good and I'm doing something wrong in php.
Unless I've simply stared at this code for too long, the JWT format is correct, base64 encoded correctly, and the bearer token is set correctly in the header.
To rule out an issue with request sending I've tried both GuzzleHTTP and CLI cURL - both a 401.
Here's the relevant code. You'll see that the create method is encoding the header and claims, signing the "payload", and concatenating all 3.
public function create(){ $header = $this->encode( json_encode([ 'kid' => 'my_key_id', 'alg' => 'ES256', 'typ' => 'JWT', ]) ); $claims = $this->encode( json_encode([ 'iss' => 'my_issuer_uuid', 'exp' => time() + (20 * 60), 'aud' => 'appstoreconnect-v1', ]) ); $signature = $this->encode( $this->sign("$header.$claims") ); return $header . '.' . $claims . '.' . $signature;}This code successfully returns an open ssl resource, $data has the expected contents.
public function sign($data){ if (!$key = openssl_pkey_get_private('file://my_key_file.p8')) { throw new \Exception('Failed to read PEM'); } if (!openssl_sign($data, $signature, $key, OPENSSL_ALGO_SHA256)) { throw new \Exception('Claims signing failed'); } return $signature;}Base64 URL encoding... $data has the expected contents.
public function encode($data){ return str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($data));}At this point I'm stumped to what it is I'm doing wrong or missing. I'm hoping some extra eyes will find something! Using the token that my code dumps out:
curl https://api.appstoreconnect.apple.com/v1/users --Header "Authorization: Bearer <token>”...always returns a 401. I suspect there's something wrong in the signing portion of the code as it's the only part I haven't been able to verify (again, worked in Ruby), though looking at all the docs and examples for openssl_sign, I'm pretty sure it's right.
For reference, this is the Ruby script I mention https://shashikantjagtap.net/generating-jwt-tokens-for-app-store-connect-api/
I have an old web application with a few users registered that is using the unsecure hash("sha256", trim($_POST["password"])) to store the hashed password in MySQL database. Now I want to update the web application to use the more secure BCRYPT password_hash() however I don't want to email all registered users alerting them to change their password. So I was thinking on implementing BCRYPT on the sha256() hashed password this way:
To save the password I will sha256() hash the user's password:
$hashed_password = password_hash(hash("sha256", trim($_POST["password"])), PASSWORD_BCRYPT);Then I will save the BCRYPT hashed password in the database.
And to verify the user's password I would simply do this:
$hashed_password = "select hashed_password from users where email = 'abc@email.com'";if(password_verify(hash("sha256", trim($_POST["password"])), $hashed_password)){ echo "Welcome";}else{ echo "Wrong Password!";}This way I will just update the user's password in the MYSQL database by looping each registered user, then I will retrieve the sha256() hashed password, and finally I will just re-save it after it has been BCRYPTed with password_hash():
$new_password = password_hash($old_sha256_hashed_password, PASSWORD_BCRYPT);$mysql->save_user_password($new_password, $user_id);So users will still be able to login with their old password.
What do you think about this solution?
Is it still safe even if I sha256() hash the password before BCRYPT it?
I am implementing the sha256 algorithm in C. I don't need help with the algorithm. One of the tasks while implementing the algorithm is to pad bits to a message such that the message is either 512 bits long or its length is a multiple of 512 bits.
I initially thought that padding bits to a message would simply mean padding zeroes to it. But since the message is a character message(a string), I don't think my logic is correct.
I don't have a problem in the code. I just don't know how to pad bits to the string(msg in the code)
#include<stdio.h> #include<stdlib.h> int main(int argc,char *argv[]) { char *msg=(char*)malloc(sizeof(char)*512); printf("\n Enter a message"); scanf("%s",msg); //I don't know how to pad bits to msg return 0; }In this sample from Ktor website https://ktor.io/samples/feature/auth.html they use an account "test" with password "test" as example.
@UseExperimental(KtorExperimentalAPI::class)val hashedUserTable = UserHashedTableAuth( getDigestFunction("SHA-256") { "ktor${it.length}" }, table = mapOf( "test" to Base64.getDecoder().decode("GSjkHCHGAxTTbnkEDBbVYd+PUFRlcWiumc4+MWE9Rvw=") // sha256 for "test" ))I need to create another entry, but I can't figure out how they got that hash. I tried to sha256 the word "test", salted or not, tried to base64 the result... Nothing matches that hash so I'm unable to create another user.
Anyone could enlighten me here on how to create a compatible hash with that code?
We are trying to connect to Periodic's API using Swift 5. In order to do that, part of the process is encoding a concatenated string in HMAC SHA-256. In our code, we accomplish this by the following code:
let hmac = premac.digest(.sha256, key: "API KEY")Which is using the SwiftCrypto library to accomplish this. According to Periodic's CTO, we are getting close but the issue is that this function's output is giving us a HEX version when we really need the bytestring level.
We are unsure how to proceed.
Please note that by viewing our site you agree to our use of cookies (see Pribadi for details). You will only see this message once.