C++ HMAC-SHA256 Signature Works in Python, Fails in C++ — Possible Xcode Runtime Issue?

Privacy & Security General
vanBaardewijk
vanBaardewijk OP
Created 2d
Replies 2
Boosts 0
Views 309
Participants 2

Hi all,

I’m building a macOS-native C++ trading bot, compiled via Xcode. It sends REST API requests to a crypto exchange (Bitvavo) that require HMAC-SHA256 signatures using a pre-sign string (timestamp + method + path + body) and an API secret.

Here’s the issue:

•	The exact same pre-sign string and API secret produce valid responses when signed using Python (hmac.new(secret, msg, hashlib.sha256)),
•	But when I generate the HMAC signature using C++ (HMAC(EVP_sha256, ...) via OpenSSL), the exchange returns an invalid signature error.

Environment:

•	Xcode 15.3 / macOS 14.x
•	OpenSSL installed via Homebrew
•	HMAC test vectors match Python’s output for basic strings (so HMAC lib seems correct)

Yet when using the real API keys and dynamic timestamped messages, something differs enough to break verification — possibly due to UTF-8 encoding, memory alignment, or newline handling differences in the Xcode C++ runtime?

Has anyone experienced subtle differences between Python and C++ HMAC-SHA256 behavior when compiled in Xcode?

I’ve published a GitHub repo for reproducibility: 🔗 https://github.com/vanBaardewijk/bitvavo-cpp-signature-test

Thanks in advance for any suggestions or insights.

Sascha

Replies  2
Boosts  0
Views  309
Participants  2
ssmith_c
ssmith_c OP
1d

the timestamp part of "pre-sign" varies from one implementation or invocation to the next - does it have to?

I suggest you use a fixed string for the timestamp value for all programs and then look at the requests in Wireshark to see what the differences are.

1
vanBaardewijk
vanBaardewijk OP
1d

Hi ssmith_c, Thanks for your patience and help so far.

Just wanted to update you — the Bitvavo API is rejecting valid HMAC signatures generated from multiple independent implementations: Python, C++ (OpenSSL), and even raw curl requests all produce identical signatures, yet the API responds with a “signature is invalid” error.

I even tried inspecting the traffic with Wireshark, but that didn’t shed any light — everything looks correct on the client side.

I’ve contacted Bitvavo support with detailed logs and test cases. They’re investigating on their end now.

So it seems the issue is definitely with Bitvavo’s signature verification rather than our code.

I’ll post any updates when I get them. Thanks again for your support!

regards, Sascha

0
C++ HMAC-SHA256 Signature Works in Python, Fails in C++ — Possible Xcode Runtime Issue?
First post date Last post date
 
 
Q