4

I want to know, is there any way to achieve hash_hmac("sha256", $token, $signkey, true) (php) in classic ASP?

I need it to verify the signed_request from Facebook https://developers.facebook.com/docs/howtos/login/signed-request/

// Adding the verification of the signed_request below
$expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true); 
if ($sig !== $expected_sig) {
  error_log('Bad Signed JSON signature!');
  return null;
}
scrowler
Jesper Ah

3 Answers

10

I have been using a file I found on an Amazon forum. This is the thread: https://forums.aws.amazon.com/message.jspa?messageID=147377

It uses a .wsc file, which is just a JScript file that defines an object you can use in your ASP code. Like this:

    ' ### be sure to have sha256.wsc in the same folder as this script
    Dim sha256
    Set sha256 = GetObject( "script:" & Server.MapPath("sha256.wsc") )
    sha256.hexcase = 0

    Dim result
    result = sha256.b64_hmac_sha256( secretkey, stringtosign )

This is a file which was originally used to sign requests to the Amazon API. For reasons I don't understand, it included this line of code in the .wsc file:

d=d.replace ( /\s/g, "\n");

This converts all whitespace characters, including spaces, to '\n'. Hard to believe that spaces need to be converted to "\n". Anyway, I had to comment out this line to make the code work for me! And it does work. I have been using it for a while without problems.

From the sha256.wsc file:

/*
 * A JavaScript implementation of the Secure Hash Algorithm, SHA-256, as defined
 * in FIPS 180-2
 * Version 2.2 Copyright Angel Marin, Paul Johnston 2000 - 2009.
 * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
 * Distributed under the BSD License
 * See http://pajhome.org.uk/crypt/md5 for details.
 * Adapted into a WSC for use in classic ASP by Daniel O'Malley
 * (based on an SHA-1 example by Erik Oosterwaal)
 * for use with the Amazon Product Advertising API
 */

Direct link to the sha256.wsc file: https://forums.aws.amazon.com/servlet/JiveServlet/download/9-34858-139271-2601/sha256.wsc

I have been unable to find an official download site.

Sander_P
    Thank you! Thank you! Thank you! I can't tell you how long I have been looking for this solution. If anyone needs the output in hex instead of base64 you can modify rstr2b64(rstr_hmac_sha256(str2rstr_utf8(k), str2rstr_utf8(d))); to read rstr2any(rstr_hmac_sha256(str2rstr_utf8(k), str2rstr_utf8(d)), "0123456789abcdef"); For uppercase hex just convert the second argument to upper. – Alex Barker Feb 07 '13 at 23:40
1

Have a look at the Microsoft capicom.dll. You can download it here

The reference can be found here

Another option is to implement the function with a .NET class and make that "COM visible" so you can use the .NET DLL from classic ASP...

ulluoink
0

Check how we are using a JavaScript implementation of cryptography algorithms in this repository: https://github.com/ictmanagement/redsysHMAC256_API_ASP

If you open this file: https://github.com/ictmanagement/redsysHMAC256_API_ASP/blob/master/include/dvim_apiRedsys_VB.asp, you will find how we get the same result as the PHP function hash_hmac("sha256", $token, $signkey, true)

    '/******  MAC Function ******/
    'receives String|WordArray, returns WordArray
    Private Function mac256(ent, key) 
        Dim encWA
        Set encWA = ConvertUtf8StrToWordArray(ent)
        Dim keyWA
        Set keyWA = ConvertUtf8StrToWordArray(key)
        Dim resWA
        Set resWA = CryptoJS.HmacSHA256(encWA, keyWA)
        Set mac256 = resWA
    End Function
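
A reference check for the ASP output, as an added example that is not from any of the posts above: Node.js computes the same raw HMAC-SHA256 as PHP's hash_hmac(..., true) and verifies a signed_request in the `<signature>.<payload>` base64url layout described in the Facebook documentation linked in the question. The secret and sample request are constructed values, the function names are illustrative, and the known-answer vector is RFC 4231 test case 2.

```javascript
// Added reference example. SECRET and the sample request are constructed values.
const nodeCrypto = require('node:crypto');

// RFC 4231 test case 2: a known answer to compare the ASP port's output against.
const RFC4231_TC2 = {
  key: 'Jefe',
  data: 'what do ya want for nothing?',
  hex: '5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843',
};

// Same bytes as PHP hash_hmac('sha256', $data, $key, true): a 32-byte raw MAC.
function hmacSha256Raw(data, key) {
  return nodeCrypto.createHmac('sha256', key).update(data, 'utf8').digest();
}

// signed_request parts are base64url: '-' and '_' replace '+' and '/', no padding.
function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

// Returns the decoded payload object, or null when the signature does not verify.
function parseSignedRequest(signedRequest, secret) {
  const parts = String(signedRequest).split('.');
  if (parts.length !== 2) return null;
  const [encodedSig, payload] = parts;
  const sig = b64urlDecode(encodedSig);
  // The MAC covers the payload exactly as received (still base64url encoded).
  const expected = hmacSha256Raw(payload, secret);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (sig.length !== expected.length) return null;
  if (!nodeCrypto.timingSafeEqual(sig, expected)) return null;
  return JSON.parse(b64urlDecode(payload).toString('utf8'));
}

// Builds a constructed signed_request so the verifier can be exercised offline.
function makeSignedRequest(obj, secret) {
  const payload = Buffer.from(JSON.stringify(obj), 'utf8').toString('base64url');
  return hmacSha256Raw(payload, secret).toString('base64url') + '.' + payload;
}

const SECRET = 'constructed-app-secret';
const sample = makeSignedRequest({ algorithm: 'HMAC-SHA256', user_id: '1' }, SECRET);
const mac = hmacSha256Raw(RFC4231_TC2.data, RFC4231_TC2.key);
console.log('hex    :', mac.toString('hex'));     // compare with the hex variant
console.log('base64 :', mac.toString('base64'));  // compare with b64_hmac_sha256
console.log('valid  :', parseSignedRequest(sample, SECRET));
console.log('forged :', parseSignedRequest(sample, 'wrong-secret'));
```

Running the RFC 4231 key and data through sha256.wsc or mac256 and comparing the result with the values printed here shows whether the ASP side matches before real requests depend on it.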