
@turret-io
Last active October 27, 2024 01:40

Revisions

  1. turret-io revised this gist Sep 24, 2014. 1 changed file with 1 addition and 1 deletion.
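--- a/verify_hmac.go
+++ b/verify_hmac.go
@@ -42,7 +42,7 @@ func verifyTime(decodedJSON []byte) (map[string]string, error) {
 }
 
 func main() {
-url, err := url.Parse("/?data=eyJhY3Rpb24iOiJ0cmFuc3BvcnQiLCJjYXRlZ29yeSI6InBlb3BsZSIsIm5hbWUiOiJqb2Ugc21pdGgiLCJ0aW1lc3RhbXAiOiIxNDExNTAzOTEyIiwid2hlcmUiOiJwbHV0byJ9&signature=jtTsIpJ0cd-GlhiPNqtT_FPQ4g_J2VMT-mUxNQ4b3IfZ6NZomBa95a6kDAT2vrpe6zLhkZMQVJ32Qb8riL4JEQ==")
+url, err := url.Parse("[QUERYSTRING]")
 if err != nil {
 panic(err)
 }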
  2. turret-io created this gist Sep 24, 2014.
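--- a/verify_hmac.go
+++ b/verify_hmac.go
@@ -0,0 +1,75 @@
+package main
+
+import (
+"crypto/hmac"
+"crypto/sha512"
+"encoding/base64"
+"encoding/json"
+"errors"
+"fmt"
+"net/url"
+"strconv"
+"time"
+)
+
+const sharedSecret = "sup3rs3cr3t!!"
+
+func verifyString(stringToVerify []byte, signature []byte, sharedSecret []byte) bool {
+h := hmac.New(sha512.New, sharedSecret)
+h.Write(stringToVerify)
+calculated := h.Sum(nil)
+return hmac.Equal(calculated, signature)
+}
+
+func verifyTime(decodedJSON []byte) (map[string]string, error) {
+payload := make(map[string]string)
+err := json.Unmarshal(decodedJSON, &payload)
+if err != nil {
+return nil, err
+}
+
+time64, err := strconv.ParseInt(payload["timestamp"], 10, 64)
+if err != nil {
+return nil, err
+}
+
+if (time.Now().Unix() - time64) > 30 {
+return nil, errors.New("Timestamp is too far in the past")
+}
+
+return payload, nil
+
+}
+
+func main() {
+url, err := url.Parse("/?data=eyJhY3Rpb24iOiJ0cmFuc3BvcnQiLCJjYXRlZ29yeSI6InBlb3BsZSIsIm5hbWUiOiJqb2Ugc21pdGgiLCJ0aW1lc3RhbXAiOiIxNDExNTAzOTEyIiwid2hlcmUiOiJwbHV0byJ9&signature=jtTsIpJ0cd-GlhiPNqtT_FPQ4g_J2VMT-mUxNQ4b3IfZ6NZomBa95a6kDAT2vrpe6zLhkZMQVJ32Qb8riL4JEQ==")
+if err != nil {
+panic(err)
+}
+
+decodedSignature, err := base64.URLEncoding.DecodeString(url.Query().Get("signature"))
+if err != nil {
+panic(err)
+}
+
+decodedJSON, err := base64.URLEncoding.DecodeString(url.Query().Get("data"))
+if err != nil {
+panic(err)
+}
+
+ok := verifyString(decodedJSON, decodedSignature, []byte(sharedSecret))
+if ok {
+fmt.Println("Signature verified")
+
+payload, err := verifyTime(decodedJSON)
+if err != nil {
+panic(err)
+}
+
+fmt.Println("Payload verified")
+fmt.Println(payload)
+
+} else {
+fmt.Println("Invalid signature")
+}
+}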
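Review bot: The freshness check in verifyTime is one-sided: `(time.Now().Unix() - time64) > 30` rejects only old timestamps, so a signed payload whose timestamp lies in the future is accepted until 30 seconds after that time, however far ahead it is. Bounding both directions closes that, for example `if age := time.Now().Unix() - time64; age > 30 || age < -30 {`, with the allowed skew chosen for the deployment. Within the window a captured data/signature pair still verifies every time it is presented, so a caller that needs single use has to track a nonce or the seen signatures itself. Separately, `sharedSecret` is a string constant in the source; a comment such as `// example key only; load the real key from configuration or a secret store` would keep the sample from being copied as is.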