SHA256 Hash Base64 Encoding Not Matching

Question

I'm attempting to connect to a new API endpoint to pull some reports and this endpoint requires a signature that is hashed via SHA256 and Base64 encoded.  I've downloaded the HMAC Encrypt macro from the gallery and I'm running a very simple workflow to verify the output is matching the sample C# script the reporting vendor provides and I'm not able to get them to match up.  I've been banging my head against the wall on this so any direction for experimentation or alternate solutions would be greatly appreciated.  I'm sure I'm doing something wrong in my Alteryx workflow, wondering if the Byte Array in C# is really the same as the string representation.  Also I know the HMAC macro is using the R Tool, wonder if another code base would somehow be different.  Anyhow, details below and workflow attached.

Shared Secret (from my test environment)
v5u1qqfqGioWmiQvtiG9+cLYIx5QCG2c9k+IajzauZs=

To Encode:
Matt

C# Base64 Encoded SHA256 Hash:
YafvPashQCWhsGjDUKiNPWPqvTpi/yN91GyPghJXI8k=

Alteryx Base64 Encoded SHA256 Hash:
xXbQAmTEI4c3orTCczJ0CH9+z6Ksr+zvNCLx7soHXS0=

SHA256 Encoding Example.yxmd

KevinP · Accepted Answer

@mnorris the discrepancy you are encountering is being caused by differences in how you are decoding your base64 encoded shared secret. In your C# code you are decoding the secret to a byte array and then using that array to hash your string text. In your Alteryx workflow you are decoding the secret to binary data and then encoding it as latin-1 text. This text is then used by the HMAC macro to encode your string which results in very different values. I was able to produce both values you achieved with some relatively minor modifications to the same python code.

Note: The following examples can by pasted directly into the python tool in Designer.

This python code replicates your C# code and outputs 'YafvPashQCWhsGjDUKiNPWPqvTpi/yN91GyPghJXI8k=':

from ayx import Alteryx
import pandas as pd
import hashlib
import hmac
import base64

message = bytes('Matt', 'utf-8')
secret = base64.b64decode('v5u1qqfqGioWmiQvtiG9+cLYIx5QCG2c9k+IajzauZs=')

signature = base64.b64encode(hmac.new(secret, message, digestmod=hashlib.sha256).digest()).decode('utf-8')

sigArray=[signature]
output=pd.DataFrame(sigArray, columns = ['signature'])
Alteryx.write(output,1)

This python example replicates your Alteryx workflow and outputs 'xXbQAmTEI4c3orTCczJ0CH9+z6Ksr+zvNCLx7soHXS0=':

from ayx import Alteryx
import pandas as pd
import hashlib
import hmac
import base64

message = bytes('Matt', 'utf-8')
tmpSecret = base64.b64decode('v5u1qqfqGioWmiQvtiG9+cLYIx5QCG2c9k+IajzauZs=').decode('latin-1')
secret = bytes(tmpSecret, 'utf-8')

signature = base64.b64encode(hmac.new(secret, message, digestmod=hashlib.sha256).digest()).decode('utf-8')

sigArray=[signature]
output=pd.DataFrame(sigArray, columns = ['signature'])
Alteryx.write(output,1)

This python example replicates the behavior of the HMAC macro:

from ayx import Alteryx
import pandas as pd
import hashlib
import hmac
import base64

message = bytes('Matt', 'utf-8')
secret = bytes('Shared secret as unicode text', 'utf-8')

signature = base64.b64encode(hmac.new(secret, message, digestmod=hashlib.sha256).digest()).decode('utf-8')

sigArray=[signature]
output=pd.DataFrame(sigArray, columns = ['signature'])
Alteryx.write(output,1)

The problem with using the HMAC macro or this final python code example is that we don't know the initial text value of the shared secret, or how it was encoded to achieve the base64 value. Because of this we aren't able to decode it back to its original text value in order to get the correct hash. As such unless you know this original value your best option is probably to use the python example above that replicates your C# code as a basis for creating the token you need. This of course assumes that the C# code has been tested and produces a valid result that allows you to connect to your API.