python - hmac new sha1

Question

I am trying to get the same result as this online API service produces.

By entering key as the application key, and secret as the secret produces the following URL:

http://webservices.esd.org.uk/organisations/barrowbc?ApplicationKey=key&Signature=YXWJsGSKnLcENW1vm30EYObbCsA=

I have tried producing the same signature using the following code:

import hmac    
import urllib
import base64
from hashlib import sha1


def sign_url(url,key,secret):
    url = url + 'ApplicationKey=' + key
    signature = hmac.new(secret,url,sha1).digest().encode("base64") 
    signature = '&Signature=' + signature
    url = url + signature
    print(url)

sign_url('http://webservices.esd.org.uk/organisations/barrowbc','key','secret')

but this produces:

http://webservices.esd.org.uk/organisations/barrowbcApplicationKey=key&Signature=W//jgV+xdSbTBG6+i1TCGN/Kbsk=

The expected signature is

YXWJsGSKnLcENW1vm30EYObbCsA=

but my code outputs

W//jgV+xdSbTBG6+i1TCGN/Kbsk=

Answer 1

Your version is missing the required ? component before the Application= parameter. You probably want to add in a & if there are other parameters, however, and you need to remove the newline that .encode("base64") adds to the end of the value:

def sign_url(url, key, secret):
    sep = '&' if '?' in url else '?'
    url = '{}{}ApplicationKey={}'.format(url, sep, key)
    signature = hmac.new(secret, url, sha1).digest().encode("base64") 
    return '{}&Signature={}'.format(url, signature[:-1])

I note however that when the URL contains URL-encoded elements then the signature appears to be applied to the URL-decoded version (with + interpreted as spaces), so you really want to add a urllib.unquote_plus() (Python 2) / urllib.parse.unquote_plus() (Python 3) call when signing:

try:
    from urllib.parse import unquote_plus
except ImportError:
    from urlib import unquote_plus

def sign_url(url, key, secret):
    sep = '&' if '?' in url else '?'
    url = '{}{}ApplicationKey={}'.format(url, sep, key)
    signature = hmac.new(secret, unquote_plus(url), sha1).digest().encode("base64") 
    return '{}&Signature={}'.format(url, signature[:-1])

I've confirmed that this is what their PHP example code does and verified sample query parameters in the online signature tool, e.g. when entering the path and parameters foo%20bar?foo%20bar into the tool, CCuMYpCDznH4vIv95+NrN+RHEK0= is produced as the signature, but using foo+bar?foo+bar produces the exact same signature even though + should only be decoded as a space in form data.

I'd parse out the URL, add the ApplicationKey parameter to the parsed parameters, and then construct a new URL to sign.

Here's a version that does just that, and works both on Python 2 and on Python 3:

import hmac
import base64
from hashlib import sha1

try:
    # Python 3
    from urllib.parse import parse_qsl, unquote_plus, urlencode, urlparse
except ImportError:
    # Python 2
    from urlparse import urlparse, parse_qsl
    from urllib import unquote_plus, urlencode

def sign_url(url, key, secret):
    parsed = urlparse(url)
    query = parse_qsl(parsed.query)
    query.append(('ApplicationKey', key))
    to_sign = unquote_plus(parsed._replace(query=urlencode(query)).geturl())

    if not isinstance(secret, bytes):
        secret = secret.encode()
    if not isinstance(to_sign, bytes):
        to_sign = to_sign.encode()
    signature = base64.b64encode(hmac.new(secret, to_sign, sha1).digest())
    if not isinstance(signature, str):
        signature = signature.decode()

    query.append(('Signature', signature))
    return parsed._replace(query=urlencode(query)).geturl()