HMAC secret validation doesn't verify if secret is hexadecimal
The HMAC secret provided as a parameter in the payload for API operation to create the subscription needs to be in a hexadecimal number format, but SecretValidator class allows it to be any even length string matching regex ^[a-zA-Z0-9]{8,30}+$.
If provided secret matches the requirements from SecretValidator but is not hexadecimal number then creating the subscription causes an exception in Register Service when trying to get the signed signature, more precisely parsing the secret in SignatureService class.
The API user gets an error “Failed challenge response check to GET ” which doesn’t indicate an issue with the provided secret.