How to replicate sha256 hash example from CyberSource REST API documentation?

I am investigating the CyberSource REST API and want to test the JSON Web Token Authentication method as documented here: https://developer.cybersource.com/api/developer-guides/dita-gettingstarted/authentication/GenerateHe...

I am unable to replicate the sha256 hash of the JSON payload described in the JWT Payload/Claim Set section.

{
  "clientReferenceInformation" : {
    "code" : "TC50171_3"
  },
  "orderInformation" : {
    "amountDetails" : {
      "totalAmount" : "102.21",
      "currency" : "USD"
    }
  }
}

I've attempted to use the sha256sum command in binary and text format on a file containing the payload example. I've also attempted running this command on different permutations of this payload, such as without whitespace or newlines.

I expect to get the example hash of

2b4fee10da8c5e1feaad32b014021e079fe4afcf06af223004af944011a7cb65c

but instead get

f710ef58876f83e36b80a83c8ec7da75c8c1640d77d598c470a3dd85ae1458d3 and other dissimilar hashes.

What am I doing wrong?

Hash functions have an avalanche effect, wherein any differing bit in the input changes the output hash a lot. If the site's original example used a different encoding, or had a different order for the JSON elements, or even had more or fewer tabs, spaces, line breaks, or any other "trash" characters, you'll have a hard time finding a message that fits the hash shown on the site.

Usually, cryptographic solutions use canonicalizations to avoid this kind of problem (different hash values for semantically equal messages). However, the JWT specification doesn't specify any type of canonicalization for JSON.

In short, I think you don't have to worry about this. Your JWT implementation will be correct as long as you use a valid (correctly implemented) hash function.

Also, I noticed that the JWT specification doesn't specify a "Digest" field for the JWT payload. So, you may not even need to use this field, unless the CyberSource REST API makes it mandatory.

SomyNopatri
Member
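The following script is an added illustration of the two points above (the asker's failure to reproduce the documented hash, and the answer's remarks on avalanche and canonicalization); it is not code from the question, the answer, or CyberSource. It takes the payload from the question, produces several byte-for-byte different but semantically identical JSON encodings, and shows that each yields a different SHA-256 digest. It then applies one simple canonical form (sorted keys, no insignificant whitespace, UTF-8) before hashing, so the digest no longer depends on how the JSON happened to be formatted. That canonical form is this example's own choice, not anything the JWT specification or CyberSource defines, and the base64url encoding of the digest is only the usual JWT convention for binary values.

```python
import base64
import hashlib
import json

# Payload from the question, as a Python object (key order as posted).
PAYLOAD = {
    "clientReferenceInformation": {"code": "TC50171_3"},
    "orderInformation": {
        "amountDetails": {"totalAmount": "102.21", "currency": "USD"}
    },
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def serializations(payload: dict) -> dict:
    """Byte-for-byte different encodings of the same JSON object.

    'as_posted' reproduces the spacing used in the question ("key" : value);
    the others vary whitespace, trailing newline, key order and text encoding.
    """
    as_posted = json.dumps(payload, indent=2, separators=(",", " : "))
    pretty = json.dumps(payload, indent=2)
    reordered = dict(reversed(list(payload.items())))  # same object, keys swapped
    return {
        "as_posted": as_posted.encode("utf-8"),
        "as_posted+newline": (as_posted + "\n").encode("utf-8"),  # what a text file usually has
        "pretty": pretty.encode("utf-8"),
        "compact": json.dumps(payload, separators=(",", ":")).encode("utf-8"),
        "reordered": json.dumps(reordered, separators=(",", ":")).encode("utf-8"),
        "utf16": pretty.encode("utf-16"),  # BOM plus 2-byte code units
    }


def digests(payload: dict) -> dict:
    """SHA-256 hex digest of every serialization; all of them differ."""
    return {name: sha256_hex(data) for name, data in serializations(payload).items()}


def canonical_bytes(obj) -> bytes:
    """Example canonical form (an assumption of this script, not a standard):
    keys sorted, no insignificant whitespace, UTF-8 without escaping."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def canonical_digest_b64url(obj) -> str:
    """SHA-256 over the canonical form, as unpadded base64url (JWT style)."""
    digest = hashlib.sha256(canonical_bytes(obj)).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def hamming_distance(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_bits(data: bytes) -> int:
    """Flip a single input bit and count how many of the 256 output bits change.
    For SHA-256 this lands near 128, i.e. about half of them."""
    flipped = bytearray(data)
    flipped[0] ^= 0x01
    return hamming_distance(hashlib.sha256(data).digest(),
                            hashlib.sha256(bytes(flipped)).digest())


if __name__ == "__main__":
    for name, hexdigest in digests(PAYLOAD).items():
        print(f"{name:>18}: {hexdigest}")
    # Re-parse a differently formatted copy: the canonical digest is unchanged.
    reparsed = json.loads(json.dumps(PAYLOAD, indent=4))
    print("canonical (original):", canonical_digest_b64url(PAYLOAD))
    print("canonical (reparsed):", canonical_digest_b64url(reparsed))
    print("output bits changed by a 1-bit input flip:",
          avalanche_bits(canonical_bytes(PAYLOAD)))
```

Run it and compare the hex line for `as_posted+newline` with what `sha256sum` prints for a file containing the question's JSON; any difference means the file's bytes differ from that serialization (encoding, line endings, trailing whitespace). The practical lesson for a verifier is the answer's: unless the sender and receiver agree on exactly which bytes are hashed, a digest over JSON is not reproducible, and a canonicalization step like `canonical_bytes` is how that agreement is usually made explicit.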