Auth data validation for Telegram WebApp HMAC-SHA256 in Java

Jamon
January 5, 2024
169 views
1 vote
2 Answers

I’m trying to write auth data validation for the Telegram web app (HMAC-SHA256), according to this question:
Data validating from Telegram Web App and CryptoJS

I wrote the code in Java:

 @Test
public void hmacTest() {
    String initData = "[initData]";
    List<NameValuePair> params = URLEncodedUtils.parse(initData, Charset.forName("UTF-8"));

    List<NameValuePair> preparedData = new java.util.ArrayList<>(params
            .stream()
            .filter(e -> !e.getName().equals("hash"))
            .toList());

    preparedData
            .sort(Comparator.comparing(NameValuePair::getName));

    String dataCheckString = String.join("n", preparedData
            .stream()
            .map(e -> e.getName() + "=" + e.getValue())
            .toList());
    
    String botToken = "[botToken]";
    String botTokenData = "WebAppData";
    String hmacSecret = new HmacUtils(HmacAlgorithms.HMAC_SHA_256, botToken).hmacHex(botTokenData);

    String calculatedHash = new HmacUtils(HmacAlgorithms.HMAC_SHA_256, hmacSecret).hmacHex(dataCheckString);
    String presentedHash = params.get(3).getValue();
    
    boolean result = calculatedHash.equals(presentedHash);
}

However, hash matching fails. Could you please help with the code – what am I doing wrong?

Thanks!

Answers

Chosen as BEST ANSWER
- Jamon
- September 24, 2023 at 5:45 pm
- 0 votes
0
In the end, I solved the problem myself)

Solution:
```
    String botTokenData = "WebAppData";
    byte[] hmacSecret = new HmacUtils(HmacAlgorithms.HMAC_SHA_256, botTokenData).hmac(botToken);

    String calculatedHash = new HmacUtils(HmacAlgorithms.HMAC_SHA_256, hmacSecret).hmacHex(dataCheckString);
```

(Edit)

@Jmon it helped a lot. Thanks. I also generated similar code without commomns-codec library.

try {
        
        Mac sha256_hmac = Mac.getInstance("HmacSHA256");            
        sha256_hmac.init(new SecretKeySpec("WebAppData".getBytes(StandardCharsets.UTF_8),"hmacsha256"));
        
        byte[] hmacSecret  = sha256_hmac.doFinal(botToken.getBytes(StandardCharsets.UTF_8));
        
        Mac sha256_hmac1 = Mac.getInstance("HmacSHA256");
        sha256_hmac1.init(new SecretKeySpec(hmacSecret ,"HmacSHA256"));

        String generatedHash = Hex.encodeHexString(sha256_hmac1.doFinal(dataToCheck.getBytes(StandardCharsets.UTF_8)));


    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
        //handle exception
        
    }

Please signup or login to give your own answer.

Click here to cancel reply.