0

Here is my curl code - it works fine:

    $url="XXXXXX";
    $key="XXXXXX";
    $data='[{"producerNumber":"0500555"}]';
    $relativeUrl = '/producer/npn';
    $date = gmdate('Y-m-d\TH:i:s\Z');
    $dataToSign = $relativeUrl.$data.$date.$key;
    $encoded= base64_encode(
                hash_hmac('sha256', $dataToSign, base64_decode($key), true)
            );
    $curl = curl_init();
    curl_setopt_array($curl, array(
              CURLOPT_URL => $url,
              CURLOPT_RETURNTRANSFER => true,
              CURLOPT_ENCODING => "",
              CURLOPT_MAXREDIRS => 10,
              CURLOPT_TIMEOUT => 30,
              CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
              CURLOPT_CUSTOMREQUEST => "POST",
              CURLOPT_POSTFIELDS => $data,
              CURLOPT_HTTPHEADER => array(
                "Content-Type: application/json",
                "Accept: application/json",
                "Accept: */*",
                "REQUEST_CLIENT_ID: XXXX",
                "REQUEST_DATE: " . $date,
                "REQUEST_SIGNATURE: " . $encoded,
              ),
            ));
    $response = curl_exec($curl);

The Mulesoft Http request fails with 403 forbidden.

<http:request method="POST" doc:name="Request" doc:id="82492d2a-cd5e-417d-8078-43daaa982c45" config-ref="HTTP_Request_configuration" path="/npn">
    <http:body ><![CDATA[[{"producerNumber":"0500555"}]]]></http:body>
    <http:headers><![CDATA[#[%dw 2.0
    import dw::Crypto
    import * from dw::core::Binaries
    output application/json
    ---
    {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Accept": "*/*",
        "REQUEST_CLIENT_ID": "XXXXX",
        "REQUEST_DATE": vars.datevalue,
        "REQUEST_SIGNATURE": toBase64(Crypto::HMACWith(fromBase64(vars.key as Binary),
        vars.relativeUrl ++ vars.producerNo ++ vars.datevalue ++ vars.key as Binary,"HmacSHA256"
      ))
    }]]]></http:headers>
</http:request>

This is the error I am getting:

ERROR 2025-02-20 17:00:38,760 [[MuleRuntime].uber.05: [car-api].uber@org.mule.runtime.core.privileged.processor.chain.AbstractMessageProcessorChain.initialise:648 @778984a7] [processor: post:\postNpn:application\json:car-api-config/processors/5; event: 7fb0dc10-efde-11ef-852b-8a2347d95a3e] org.mule.runtime.core.internal.exception.OnErrorPropagateHandler: 

Message               : HTTP POST on resource 'His is my URL so hiding it' failed: forbidden (403).
Element               : post:\postNpn:application\json:car-event-api-config/processors/5 @ car-events-api:car-events-api.xml:221 (Request)
Element DSL           : <http:request method="POST" doc:name="Request" doc:id="82492d2a-cd5e-417d-8078-43daaa982c45" config-ref="HTTP_Request_configuration" path="/npn">

<http:body><![CDATA[
[{"producerNumber":"123456"}]
]]></http:body>
<http:headers><![CDATA[
#[%dw 2.0
import dw::Crypto
import * from dw::core::Binaries
output application/json
---
{
    "Content-Type": "application/json",
    "Accept": "application/json",
    "Accept": "*/*",
    "REQUEST_CLIENT_ID": "moo-com",
    "REQUEST_DATE": vars.datevalue,
    "REQUEST_SIGNATURE": toBase64(Crypto::HMACWith(fromBase64(vars.key as Binary),
    vars.relativeUrl ++ vars.producerNo ++ vars.datevalue ++ vars.key as Binary,"HmacSHA256"
  ))
}]
]]></http:headers>
</http:request>

Error type            : HTTP:FORBIDDEN
FlowStack             : at post:\postNpn:application\json:car-api-config(post:\postNpn:application\json:car-event-api-config/processors/5 @ car-events-api:car-events-api.xml:221 (Request))
at car-events-api-main(car-events-api-main/processors/0 @ car-events-api:car-events-api.xml:35)

  (set debug level logging or '-Dmule.verbose.exceptions=true' for everything)
********************************************************************************

ERROR 2025-02-20 17:00:38,768 [[MuleRuntime].uber.05: [car-api].uber@org.mule.runtime.core.privileged.processor.chain.AbstractMessageProcessorChain.initialise:648 @778984a7] [processor: post:\postNpn:application\json:car-api-config/processors/5; event: 7fb0dc10-efde-11ef-852b-8a2347d95a3e] org.mule.runtime.core.internal.exception.OnErrorPropagateHandler: 


> ********************************************************************************
> Message               : HTTP POST on resource 'This is my URL so hiding it' failed: forbidden (403).
Element               : (None)
Element DSL           : (None)
Error type            : HTTP:FORBIDDEN
FlowStack             : (None)

  (set debug level logging or '-Dmule.verbose.exceptions=true' for everything)
********************************************************************************

Any help please!!

Improve this question
3
  • What language is the second code snippet? Please add that as a tag on the question. Commented Feb 20 at 23:29
  • Error messages and logs also have to be formatted with code block. This time I did it for you. Commented Feb 20 at 23:36
  • We have no way to know what is different between both request without the values. That should be part of a minimal reproducible example in your question. Add a capture of the actual HTTP requests from both versions. You can use HTTP Wire logging for the Mule application. If the requests are not HTTPS you could do a traffic capture of both requests with tcpdump, or maybe you can capture both requests from the server. Commented Feb 20 at 23:40

1 Answer 1

Reset to default
0

So the PHP code:

$key = "a2V5";
$dataToSign = "testdataa2V5";


$encoded= base64_encode(
                hash_hmac('sha256', $dataToSign, base64_decode($key), true)
            );
            
echo "Decoded key: " . $encoded . "\n";

Produces key like this: "pCjswUCZjUy896fPFTx0iJOua0FTdDXpaMNrbbVW1SQ="

After testing the mulesoft code with the same parameters:

%dw 2.0
import dw::Crypto
import * from dw::core::Binaries
import * from dw::util::Coercions
output application/json

var key = "a2V5"
var data = "testdataa2V5"
---
{
    "REQUEST_SIGNATURE": toBase64(Crypto::HMACWith(fromBase64(key as Binary),data as Binary,"HmacSHA256"))
}

We get different result: "YTQyOGVjYzE0MDk5OGQ0Y2JjZjdhN2NmMTUzYzc0ODg5M2FlNmI0MTUzNzQzNWU5NjhjMzZiNmRiNTU2ZDUyNA=="

To fix the issue you should use HMACBinary instead HMACWith since HMACWith computes an HMAC hash (with a secret cryptographic key) on input content, then transforms the result into a lowercase, hexadecimal string.

And you need HMACBinary which returns the content in binary and then you transform it to base64.

After repleacing HMACWith with HMACBinary we get the same results like PHP code.

Hope that helps.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.