Reputation: 4610
I'm working on a PHP Webhook receiver that works with the Onfleet API. For the Webhook Authentication they require the following:
> Each webhook request contains a signature from Onfleet in X-Onfleet-Signature header. To authenticate the webhook request received on your webhook server, you will need to validate against this header. To validate against X-Onfleet-Signature, you will need to compare its value with an HMAC you have generated using the hexadecimal format of your webhook secrets and the full body of the webhook POST request in raw bytes.
I've never worked with hexadecimal format and raw bytes etc. My approach was to use something like this that used base64 encoding and see if I could adapt this as it should be pretty close hopefully:
```php
$myWebhookSecret = 'abc123';
$payload = file_get_contents("php://input");
$yourHash = base64_encode(hash_hmac('sha512', $payload, $myWebhookSecret, true));
// PHP exposes request headers in $_SERVER as HTTP_* keys
$onfleetSignature = $_SERVER['HTTP_X_ONFLEET_SIGNATURE'] ?? '';
// hash_equals() takes the known value first, then the user-supplied value
if (hash_equals($yourHash, $onfleetSignature)) {
    $result = 'Success';
    http_response_code(200);
} else {
    $result = 'Failure';
    http_response_code(401);
    die;
}
```
I'm hoping I just need to convert this line:
```php
$yourHash = base64_encode(hash_hmac('sha512', $payload, $myWebhookSecret, true));
```
to use the hexadecimal format here but not sure if PHP can do this or how?
Upvotes: 1
Views: 1475
Reputation: 4610
This is what worked for me in the end:
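```php
$myWebhookSecret = 'abc123';
$payload = file_get_contents("php://input");
// hex2bin() decodes the hex-format secret into the raw key bytes
$secretInHex = hex2bin($myWebhookSecret);
// Without the fourth argument, hash_hmac() returns the digest as lowercase hex
$yourHash = hash_hmac('sha512', $payload, $secretInHex);
// PHP exposes request headers in $_SERVER as HTTP_* keys
$onfleetSignature = $_SERVER['HTTP_X_ONFLEET_SIGNATURE'] ?? '';
// hash_equals() takes the known value first, then the user-supplied value
if (hash_equals($yourHash, $onfleetSignature)) {
    $result = 'Success';
    http_response_code(200);
} else {
    $result = 'Failure';
    http_response_code(401);
    die;
}
```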
Upvotes: 2
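Why the base64 attempt in the question never matches while the hex digest does, shown as an added example that is not part of either post or of Onfleet's code. The helper name `verify_hex_hmac`, the sample secret and the sample body are constructed for illustration, and accepting upper-case hex in the header is an assumption.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: verify a hex-encoded HMAC-SHA512 signature
// computed over the raw request body with a hex-format secret.
function verify_hex_hmac(string $rawBody, ?string $signatureHeader, string $secretHex): bool
{
    if ($signatureHeader === null || $signatureHeader === '') {
        return false; // fail closed when the header is absent
    }
    // hex2bin() returns false on odd-length or non-hex input, so check first
    // and treat an unusable secret as a configuration error.
    if (preg_match('/^(?:[0-9a-fA-F]{2})+$/', $secretHex) !== 1) {
        throw new InvalidArgumentException('webhook secret is not valid hex');
    }
    $key = hex2bin($secretHex);
    // Without a fourth argument, hash_hmac() returns lowercase hex.
    $expected = hash_hmac('sha512', $rawBody, $key);
    // Assumption: tolerate upper-case hex. hash_equals() compares in constant time.
    return hash_equals($expected, strtolower($signatureHeader));
}

// Constructed sample data, not real Onfleet values.
$secretHex = 'abc123';
$body = '{"taskId":"constructed-example","triggerId":0}';
$key = hex2bin($secretHex);
$hexDigest = hash_hmac('sha512', $body, $key);

// Each case: [body, header value, expected result]
$cases = [
    'hex digest, decoded key'  => [$body, $hexDigest, true],
    'same digest, upper case'  => [$body, strtoupper($hexDigest), true],
    'base64 of raw digest'     => [$body, base64_encode(hash_hmac('sha512', $body, $key, true)), false],
    'secret used as text key'  => [$body, hash_hmac('sha512', $body, $secretHex), false],
    'body altered by one byte' => [$body . ' ', $hexDigest, false],
    'header missing'           => [$body, null, false],
];
foreach ($cases as $label => [$b, $sig, $want]) {
    $got = verify_hex_hmac($b, $sig, $secretHex);
    printf("%-26s %s\n", $label, $got === $want ? 'ok' : 'MISMATCH');
}
```

In a receiver, the body would come from `file_get_contents('php://input')` before any JSON decoding, since re-encoding the payload changes the bytes that were signed.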