https://community.developer.cybersource.com/t5/cybersource-APIs/How-to-replicate-sha256-hash-example-from-CyberSource-REST-API/m-p/84623#M503 <P>I am investigating the CyberSource REST API and want to test the JSON Web Token Authentication method as documented here:<SPAN>&nbsp;</SPAN><A href="https://developer.cybersource.com/api/developer-guides/dita-gettingstarted/authentication/GenerateHeader/jwtTokenAuthentication.html" target="_blank" rel="nofollow noopener noreferrer">https://developer.cybersource.com/api/developer-guides/dita-gettingstarted/authentication/GenerateHeader/jwtTokenAuthentication.html&nbsp;</A><A href="https://e-chats.com/omegle" target="_blank" rel="noopener">/echat</A><A href="https://chatrandom.download/omegle/" target="_blank" rel="noopener">random</A></P><P>I am unable to replicate the sha256 hash of the JSON payload described in the JWT Payload/Claim Set section.</P><P>&nbsp;</P><PRE>{ "clientReferenceInformation" : { "code" : "TC50171_3" }, "orderInformation" : { "amountDetails" : { "totalAmount" : "102.21", "currency" : "USD" } } }</PRE><P>I've attempted to use the sha256sum command in binary and text format on a file containing the payload example. I've also attempted running this command on different permutations of this payload, such as without whitespace or newlines.</P><P>I expect to get the example hash of</P><P>2b4fee10da8c5e1feaad32b014021e079fe4afcf06af223004af944011a7cb65c</P><P>but instead get</P><P>f710ef58876f83e36b80a83c8ec7da75c8c1640d77d598c470a3dd85ae1458d3<SPAN>&nbsp;</SPAN>and other dissimilar hashes.</P><P>What am I doing wrong?</P><P><SPAN>&nbsp;</SPAN>Hash functions have a<SPAN>&nbsp;</SPAN><A href="https://en.wikipedia.org/wiki/Avalanche_effect" target="_blank" rel="nofollow noopener noreferrer">avalanche effect</A>, wherein any different bit in the input changes a lot the output hash. If the site's original example used a different encoding, or had a different order for the JSON elements, or even had more or less tabs, spaces, line breaks, or any other "trash" character, you'll have a hard time to find a fitting message for the hash showed in the site.</P><P>Usually, cryptographic solutions use canonicalizations to avoid this kind of problem (different hash values for semantically equal messages). However, the<SPAN>&nbsp;</SPAN><A href="https://www.rfc-editor.org/rfc/rfc7519" target="_blank" rel="nofollow noopener noreferrer">JWT specification</A><SPAN>&nbsp;</SPAN>doesn't specify any type of canonicalization for JSON.</P><P>In short, I think you don't have to worry about this. Your JWT implementation will be correct as long you use a valid (correctly implemented) hash function.</P><P>Also, I noticed that the<SPAN>&nbsp;</SPAN><A href="https://www.rfc-editor.org/rfc/rfc7519" target="_blank" rel="nofollow noopener noreferrer">JWT specification</A>&nbsp;<A href="https://e-chats.com/omegle" target="_blank" rel="noopener">/echat</A><A href="https://chatspin.download" target="_blank" rel="noopener">spin</A><SPAN>&nbsp;</SPAN>doesn't specify a "Digest" field for the JWT payload. So, you may not even need to use this field. Unless CyberSource REST API makes it mandatory.</P> Wed, 19 Oct 2022 10:58:46 GMT SomyNopatri 2022-10-19T10:58:46Z https://community.developer.cybersource.com/t5/cybersource-APIs/How-to-replicate-sha256-hash-example-from-CyberSource-REST-API/m-p/84623#M503 <P>I am investigating the CyberSource REST API and want to test the JSON Web Token Authentication method as documented here:<SPAN>&nbsp;</SPAN><A href="https://developer.cybersource.com/api/developer-guides/dita-gettingstarted/authentication/GenerateHeader/jwtTokenAuthentication.html" target="_blank" rel="nofollow noopener noreferrer">https://developer.cybersource.com/api/developer-guides/dita-gettingstarted/authentication/GenerateHeader/jwtTokenAuthentication.html&nbsp;</A><A href="https://e-chats.com/omegle" target="_blank" rel="noopener">/echat</A><A href="https://chatrandom.download/omegle/" target="_blank" rel="noopener">random</A></P><P>I am unable to replicate the sha256 hash of the JSON payload described in the JWT Payload/Claim Set section.</P><P>&nbsp;</P><PRE>{ "clientReferenceInformation" : { "code" : "TC50171_3" }, "orderInformation" : { "amountDetails" : { "totalAmount" : "102.21", "currency" : "USD" } } }</PRE><P>I've attempted to use the sha256sum command in binary and text format on a file containing the payload example. I've also attempted running this command on different permutations of this payload, such as without whitespace or newlines.</P><P>I expect to get the example hash of</P><P>2b4fee10da8c5e1feaad32b014021e079fe4afcf06af223004af944011a7cb65c</P><P>but instead get</P><P>f710ef58876f83e36b80a83c8ec7da75c8c1640d77d598c470a3dd85ae1458d3<SPAN>&nbsp;</SPAN>and other dissimilar hashes.</P><P>What am I doing wrong?</P><P><SPAN>&nbsp;</SPAN>Hash functions have a<SPAN>&nbsp;</SPAN><A href="https://en.wikipedia.org/wiki/Avalanche_effect" target="_blank" rel="nofollow noopener noreferrer">avalanche effect</A>, wherein any different bit in the input changes a lot the output hash. If the site's original example used a different encoding, or had a different order for the JSON elements, or even had more or less tabs, spaces, line breaks, or any other "trash" character, you'll have a hard time to find a fitting message for the hash showed in the site.</P><P>Usually, cryptographic solutions use canonicalizations to avoid this kind of problem (different hash values for semantically equal messages). However, the<SPAN>&nbsp;</SPAN><A href="https://www.rfc-editor.org/rfc/rfc7519" target="_blank" rel="nofollow noopener noreferrer">JWT specification</A><SPAN>&nbsp;</SPAN>doesn't specify any type of canonicalization for JSON.</P><P>In short, I think you don't have to worry about this. Your JWT implementation will be correct as long you use a valid (correctly implemented) hash function.</P><P>Also, I noticed that the<SPAN>&nbsp;</SPAN><A href="https://www.rfc-editor.org/rfc/rfc7519" target="_blank" rel="nofollow noopener noreferrer">JWT specification</A>&nbsp;<A href="https://e-chats.com/omegle" target="_blank" rel="noopener">/echat</A><A href="https://chatspin.download" target="_blank" rel="noopener">spin</A><SPAN>&nbsp;</SPAN>doesn't specify a "Digest" field for the JWT payload. So, you may not even need to use this field. Unless CyberSource REST API makes it mandatory.</P> Wed, 19 Oct 2022 10:58:46 GMT https://community.developer.cybersource.com/t5/cybersource-APIs/How-to-replicate-sha256-hash-example-from-CyberSource-REST-API/m-p/84623#M503 SomyNopatri 2022-10-19T10:58:46Z