I'm trying to authenticate a webhook from Starling Bank on a PHP 7.0.22 (Apache/2.4.6 (Red Hat Enterprise Linux)) server.
I've been told by support that the following Java code is being used to generate the digest:
    private String calculateSignature(String sharedSecret, String requestJson) {
        try {
            String contentToDigest = sharedSecret + requestJson;
            MessageDigest messageDigest = MessageDigest.getInstance("SHA-512");
            byte[] digest = messageDigest.digest(contentToDigest.getBytes());
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Error calculating digest for payload [" + requestJson + "]", e);
        }
    }
The sharedSecret I already have and the requestJson I take from the webhook POST using:
$requestJson=file_get_contents('php://input') ;
My PHP code to generate the hash is as follows:
$concatenated_string=$sharedSecret . json_encode($requestJson) ;
$generated_hash=base64_encode(hash('sha512', $concatenated_string ));
This doesn't give the same hash. Whilst hacking to try and find an answer, I've also tried the following :
$concatenated_string=$sharedSecret . $requestJson ;
and different hash types and options:
$generated_hash=base64_encode(hash('sha512', $concatenated_string, true ));
$generated_hash=base64_encode(openssl_digest($concatenated_string, 'sha512')) ;
base64_encode and hash are effectively doing the same thing in this case: https://stackoverflow.com/a/11195855/3323777
You should specify the third argument as TRUE in your PHP code to match the Java version: http://php.net/manual/ru/function.openssl-digest.php
I've run both your snippets on Java and PHP and found no difference when encoding a string "test". I advise you to output the JSON payloads to two files on both environments and use diff to compare them.
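The comparison discussed above, as an added example that is not part of the original posts or Starling's code: it reproduces the Java digest in PHP and runs the variants tried in the question against the same signature. The secret and payload are constructed, `isValidWebhook` is a hypothetical helper name, and the sender's `getBytes()` is assumed to use UTF-8.

```php
<?php
declare(strict_types=1);

// Mirrors the Java calculateSignature(): Base64(SHA-512(sharedSecret + requestJson)).
// Assumption: the sender's getBytes() used UTF-8, so the body bytes are hashed exactly as received.
function calculateSignature(string $sharedSecret, string $rawBody): string
{
    // Third argument true => 64 raw bytes, like MessageDigest.digest(); the default is 128 hex characters.
    return base64_encode(hash('sha512', $sharedSecret . $rawBody, true));
}

// Hypothetical helper: hash_equals() compares in constant time, so the check
// does not reveal how much of a forged signature was correct.
function isValidWebhook(string $sharedSecret, string $rawBody, string $receivedSignature): bool
{
    return hash_equals(calculateSignature($sharedSecret, $rawBody), $receivedSignature);
}

// Constructed sample values, not real webhook data.
$sharedSecret = 'constructed-shared-secret';
// In the real handler this is file_get_contents('php://input'), used untouched.
$rawBody = '{"webhookType":"EXAMPLE","amount":12.50,"note":"a/b"}';
// Simulates the sender's side; in production this value arrives with the request.
$receivedSignature = calculateSignature($sharedSecret, $rawBody);

// The variants from the question, each checked against the same signature.
$attempts = [
    'raw body, raw digest'      => base64_encode(hash('sha512', $sharedSecret . $rawBody, true)),
    'raw body, hex digest'      => base64_encode(hash('sha512', $sharedSecret . $rawBody)),
    // json_encode() on a string adds quotes and escapes, so different bytes are hashed.
    'json_encode(), raw digest' => base64_encode(hash('sha512', $sharedSecret . json_encode($rawBody), true)),
    'openssl_digest(), hex'     => base64_encode(openssl_digest($sharedSecret . $rawBody, 'sha512')),
    'openssl_digest(), raw'     => base64_encode(openssl_digest($sharedSecret . $rawBody, 'sha512', true)),
];

foreach ($attempts as $label => $candidate) {
    $verdict = hash_equals($receivedSignature, $candidate) ? 'MATCH' : 'differs';
    printf("%-26s %-8s (%d chars)\n", $label, $verdict, strlen($candidate));
}

// Unmodified body, then the same body with one byte appended.
var_dump(isValidWebhook($sharedSecret, $rawBody, $receivedSignature));
var_dump(isValidWebhook($sharedSecret, $rawBody . ' ', $receivedSignature));
```

Only the two raw-digest variants over the untouched body produce the 88-character Base64 string the Java side emits; the hex variants Base64-encode 128 ASCII characters instead of 64 bytes.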