Download auth SHA256 in PHP?

I'm not sure if I'm calculating this properly; iTunes tries to load files as:

http://media-podcast.open.ac.uk/feeds2/l314-spanish/l314cuba2.m4v?time=1249066215&userID=&signature=4bf4fd6c04deae3f58e797cbdf0b912d2e827afbf41e38e0fd9aedbde01e8cd9

but when I compute the sha256 signature over "time=1249066215&userID=" I get a different result than the signature in the URL.

I compute the signature like this:
bin2hex(hash_hmac('SHA256', 'time=1249066215&userID=', $iTunesUSECRET, true));

Has anybody had problems with this?

Thanks,
Laurian

Mac OS X (10.5.7)

Posted on Jul 31, 2009 12:08 PM


Aug 3, 2009 7:26 AM in response to Duncan Bernhardt

Hi,

I tested with the shell script (checksignature) from the samples you linked to. I'm getting the same value as the PHP I was using, and I cannot match the signature generated by iTunes.

I'm doing this with a private iTunes U site; iTunes gives me this hit in the logs:

137.108.24.227 - - [03/Aug/2009:15:11:33 +0100] "GET /feeds2/l314-spanish/l314-spanish-a-la-vista-cristina-terzaghi-on-spanish-and-romence.m4v?time=1249308692&userID=&signature=ec017a809069262fa785e417d379d4d038f4c6b50f1a66136e191cf5be584566 HTTP/1.1" 200 338 "-" "QuickTime/7.6.2 (qtver=7.6.2;cpu=IA32;os=Mac 10.5.7)"

The checksignature script logs:

/feeds2/l314-spanish/l314-spanish-a-la-vista-cristina-terzaghi-on-spanish-and-romence.m4v
/web/ou-podcast01.open.ac.uk/feeds2/l314-spanish/l314-spanish-a-la-vista-cristina-terzaghi-on-spanish-and-romence.m4v
time=1249308692&userID=&signature=ec017a809069262fa785e417d379d4d038f4c6b50f1a66136e191cf5be584566
GET

1249308692
ec017a809069262fa785e417d379d4d038f4c6b50f1a66136e191cf5be584566
time=1249308692&userID=
242d5e188e0df14d4534e8fb17148d31c3ed74c554c02dfa2a66caca887f5621
1249312292
1249308721

In PHP with
bin2hex(hash_hmac('SHA256', 'time=1249308692&userID=', $iTunesUSECRET, true));
I get the same as the shellscript:

242d5e188e0df14d4534e8fb17148d31c3ed74c554c02dfa2a66caca887f5621

This does not match the signature in the URL. Is it possible for a private site to hash the signature over different parameters?

The shared key I'm using is working fine in signing webservices requests...

Thanks,
Laurian

Aug 3, 2009 11:38 AM in response to Laurian

Laurian,

One thing to be mindful of is the following:

sha_256("A", key) != sha_256("a", key)

This seems really obvious, but trust me, it's all too easy to forget. Consider:

url_encode(myurl)

does that produce percent escapes that use lower-case (%3a) or upper-case (%3A)? Given your answer to that, what should happen here:

sha_256(url_encode(myurl), key)

??

Windows, for example, is notorious for using lower-case when it URL-encodes to hex values. However, Apple does URL-encoding the exact same way that Java does (that is, uppercase).
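
Added example (not part of the original thread, and not Apple's code): a PHP verifier for a signed query string of the shape seen in the log above, showing how the case of percent escapes changes the HMAC and how a server can normalize escapes before a constant-time comparison. The secret, the userID value, the one-hour validity window and the assumption that the MAC covers the query text before `&signature=` are all constructed for illustration.

```php
<?php
// Added example: constructed key and values, not real iTunes U data.
const SHARED_SECRET = 'constructed-demo-key'; // assumption: placeholder secret
const MAX_AGE = 3600;                         // assumption: one-hour validity window

// Upper-case the hex digits of percent escapes (%3a -> %3A) so both sides
// sign identical bytes; no other character is changed.
function normalize_escapes(string $s): string {
    return preg_replace_callback('/%[0-9a-fA-F]{2}/', function ($m) {
        return strtoupper($m[0]);
    }, $s);
}

// Verify a raw (undecoded) query string "time=...&userID=...&signature=<hex>".
// Returns true only if the HMAC matches and the timestamp is within MAX_AGE.
function verify_query(string $rawQuery, string $key, int $now): bool {
    $marker = '&signature=';
    $pos = strrpos($rawQuery, $marker);
    if ($pos === false) return false;
    $signed = substr($rawQuery, 0, $pos);                     // bytes covered by the MAC
    $given  = strtolower(substr($rawQuery, $pos + strlen($marker)));
    if (!preg_match('/^[0-9a-f]{64}$/', $given)) return false; // SHA-256 hex digest only

    $expected = hash_hmac('sha256', normalize_escapes($signed), $key);
    if (!hash_equals($expected, $given)) return false;        // constant-time compare

    if (!preg_match('/(?:^|&)time=(\d+)(?:&|$)/', $signed, $m)) return false;
    return abs($now - (int) $m[1]) <= MAX_AGE;                // reject stale links
}

// Constructed demo: the signer used upper-case escapes.
$signed = 'time=1249308692&userID=user%3A42';
$sig    = hash_hmac('sha256', $signed, SHARED_SECRET);
$now    = 1249308721;

// Case 1: naive digest over the same parameters with a lower-case escape.
var_dump(hash_hmac('sha256', 'time=1249308692&userID=user%3a42', SHARED_SECRET) === $sig);
// Case 2: the verifier normalizes escape case before computing the MAC.
var_dump(verify_query("time=1249308692&userID=user%3a42&signature=$sig", SHARED_SECRET, $now));
// Case 3: a signed parameter was altered after signing.
var_dump(verify_query("time=1249308693&userID=user%3A42&signature=$sig", SHARED_SECRET, $now));
// Case 4: valid signature, but presented two hours later.
var_dump(verify_query("$signed&signature=$sig", SHARED_SECRET, $now + 7200));
```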
