altcha-org/altcha

Signature verification with spam filter does not match

blump opened this issue · 1 comments

Hi,
I'll start with Altcha. Thank you for all your hard work.
I'm now checking the hashes and signatures. I'm doing the verification in PHP after submitting the form.

When submitting a form without the spamfilter. I check the Challenge by concatenating the $payload['salt'] and the $payload['number'] : OK . The Signature with the result of the Challenge and my private key : OK

When adding the spamfilter option, I can't find the payload signature ...

Documentation step:
1 ) I retrieve the data from verificationData without modifying it, so I have a string with fields, etc ... that I hash with the SHA-256 algorithm also supplied with the payload. I transform the SHA-256 into sha256 because php ...

$hash = hash($payload['algorithm'],$payload['verificationData']);

  1. Then I sign this hash with the private key provided by Altcha :

$signature = hash_hmac($payload['algorithm'], $hash, $secretKey);

3 ) The signature does not match the one sent by the payload. No problem without spamfilter .

I don't know what I've missed in the doc . https://altcha.org/docs/api/challenge-api/

Thanks for your feedback.

ovx commented

Hi, I think the problem with the hash function in php, by default it returns hex string, but the input for hash_hmac expects binary data, so set the third argument to true indicating binary output (https://www.php.net/manual/en/function.hash.php). You can also see that implemented in the wordpress plugin (https://github.com/altcha-org/wordpress-plugin/blob/main/includes/core.php#L233).