HMAC-SHA256 Algorithm for signature calculation

Question

I am trying to create a signature using the HMAC-SHA256 algorithm and this is my code. I am using US ASCII encoding.

final Charset asciiCs = Charset.forName("US-ASCII");
final Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
final SecretKeySpec secret_key = new javax.crypto.spec.SecretKeySpec(asciiCs.encode("key").array(), "HmacSHA256");
sha256_HMAC.init(secret_key);
final byte[] mac_data = sha256_HMAC.doFinal(asciiCs.encode("The quick brown fox jumps over the lazy dog").array());
String result = "";
for (final byte element : mac_data)
{
    result += Integer.toString((element & 0xff) + 0x100, 16).substring(1);
}
System.out.println("Result:[" + result + "]");

The result that I am getting from the above code is:

f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8

This is same as to that of shown in the wiki

HMAC_SHA256("key", "The quick brown fox jumps over the lazy dog") = 0x f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8

except for the 0x.

I am looking for ideas/comments if I am doing everything right or may be I can improve my code.

thank you so much, i've been looking for JUST THAT piece of code for over a day... — Kierrow, Jul 21 '17 at 09:06
0x means that the value is hexadecimal, so your result is correct. — Chestii de Fotbal, Jul 06 '23 at 12:21

vtlinh · Answer 1 · 2015-06-09T02:10:16.027

103

Here is my solution:

public static String encode(String key, String data) throws Exception {
  Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
  SecretKeySpec secret_key = new SecretKeySpec(key.getBytes("UTF-8"), "HmacSHA256");
  sha256_HMAC.init(secret_key);

  return Hex.encodeHexString(sha256_HMAC.doFinal(data.getBytes("UTF-8")));
}

public static void main(String [] args) throws Exception {
  System.out.println(encode("key", "The quick brown fox jumps over the lazy dog"));
}

Or you can return the hash encoded in Base64:

Base64.encodeBase64String(sha256_HMAC.doFinal(data.getBytes("UTF-8")));

The output in hex is as expected:

f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8

edited Jun 09 '15 at 02:10

answered Aug 04 '12 at 00:09

vtlinh

1,427
3
11
16

11

You probably dont want to use `key.getBytes()` instead it would be prudent to specify the encoding i.e. `key.getBytes("UTF-8")` else you may fine yourself with runtime specific bugs :) – Dori Apr 10 '14 at 09:30
3

`Hex` is not available in native android API now any alternative for it? – MilapTank Dec 24 '15 at 10:37
On non-Android, can use [javax.xml.bind.DatatypeConverter](http://docs.oracle.com/javase/6/docs/api/javax/xml/bind/DatatypeConverter.html). Alternatively see custom implementation in this other question: http://stackoverflow.com/questions/9655181/how-to-convert-a-byte-array-to-a-hex-string-in-java – ruhong Mar 02 '16 at 07:13
3

Where does the Hex class come from? What is the import? – portfoliobuilder Jan 03 '17 at 23:42
https://commons.apache.org/proper/commons-codec/apidocs/org/apache/commons/codec/binary/Hex.html#encodeHexString(byte[]) – vtlinh Apr 19 '17 at 19:24
as of apache commons codec 1.10, this throws `NoSuchMethodError` for `Hex.encodeHexString()`. @Bikesh's suggestion works: `new String(Hex.encodeHex(...))` – ericn Jun 13 '17 at 15:55
3

to @Dori 's point, I had to use `key.getBytes(StandardCharsets.UTF_8)` and `data.getBytes(StandardCharsets.UTF_8)` to avoid throwing an `UnsupportedEncodingException`. https://docs.oracle.com/javase/8/docs/api/java/nio/charset/StandardCharsets.html – LaurelT Jan 11 '18 at 17:25
If you don't have access to Hex, you can do this for example; byte[] hashBytes = sha256_HMAC.doFinal(data.getBytes(StandardCharsets.UTF_8)); StringBuilder sb = new StringBuilder(); for (byte b : hashBytes) sb.append(String.format("%02x", b)); – Arnaud Kleinveld Apr 01 '22 at 08:10

score 45 · Accepted Answer · answered Aug 19 '11 at 16:46

45

The 0x just denotes that the characters after it represent a hex string.

0x1A == 1Ah == 26 == 1A

So the 0x is just to clarify what format the output is in, no need to worry about it.

answered Aug 19 '11 at 16:46

Louis Ricci

20,804
5
48
62

Base 16 hexadecimal number https://inst.eecs.berkeley.edu/~cs61bl/r//cur/bits/decimal-binary-hex.html – Arnaud Kleinveld Mar 29 '22 at 18:44

satnam · Answer 3 · 2021-03-11T17:52:29.823

26

If you're using Guava, its latest release now lets you use

 Hashing.hmacSha256()

One example of using this:

String hash = Hashing.hmacSha256("mykey".getBytes(StandardCharsets.UTF_8)).hashString("my_message", StandardCharsets.UTF_8).toString()

Further documentation here: https://guava.dev/releases/23.0/api/docs/com/google/common/hash/Hashing.html#hmacSha256-byte:A-

edited Mar 11 '21 at 17:52

answered Jan 12 '17 at 23:44

satnam

10,719
5
32
42

Can you expand upon this? I'd like to see more detail, assuming `String message` and `String secret`. – Tony Jun 16 '19 at 22:47
@Tony example added! – satnam Mar 11 '21 at 17:53

score 14 · Answer 4 · answered Feb 06 '12 at 22:31

The answer that you got there is correct. One minor thing in the code above, you need to init(key) before you can call doFinal()

    final Charset charSet = Charset.forName("US-ASCII");
    final Mac sha256_HMAC = Mac.getInstance("HmacSHA256");

    final SecretKeySpec secret_key = new javax.crypto.spec.SecretKeySpec(charSet.encode("key").array(), "HmacSHA256");
    try {
        sha256_HMAC.init(secret_key);
    } catch (InvalidKeyException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    ...

score 13 · Answer 5 · edited Oct 26 '21 at 12:19

13

This is working fine for me

I have add dependency

compile 'commons-codec:commons-codec:1.9'

ref: http://mvnrepository.com/artifact/commons-codec/commons-codec/1.9

my function

public String encode(String key, String data) {
    try {

        Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
        SecretKeySpec secret_key = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
        sha256_HMAC.init(secret_key);

        return Hex.encodeHexString(sha256_HMAC.doFinal(data.getBytes(StandardCharsets.UTF_8)));

    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    } catch (InvalidKeyException e) {
        e.printStackTrace();
    } catch (UnsupportedEncodingException e) {
        e.printStackTrace();
    }
    
    return null;
}

edited Oct 26 '21 at 12:19

Tvaroh

6,645
4
51
55

answered Mar 14 '16 at 07:54

Bikesh M

8,163
6
40
52

1

Actually this one is the simplest working solution that also nicely handles all possible exceptions. – tom Dec 04 '17 at 00:04
1

@tom how does it handle any exceptions? It prints a stack trace in case of an exception and makes them disappear silently. – bash0r Feb 13 '19 at 19:41
sorry, wrong phrasing, I meant it shows which exceptions can occur during the procedure you have to handle. – tom Feb 16 '19 at 01:37

score 9 · Answer 6 · edited Jun 20 '20 at 09:12

Try this

Sorry for being late, I have tried all above answers but none of them is giving me correct value, After doing the lot of R&D I have found a simple way that gives me exact value.

Declare this method in your class

private String hmacSha(String KEY, String VALUE, String SHA_TYPE) {
try {
    SecretKeySpec signingKey = new SecretKeySpec(KEY.getBytes("UTF-8"), SHA_TYPE);
    Mac mac = Mac.getInstance(SHA_TYPE);
    mac.init(signingKey);
    byte[] rawHmac = mac.doFinal(VALUE.getBytes("UTF-8"));
    byte[] hexArray = {(byte)'0', (byte)'1', (byte)'2', (byte)'3', (byte)'4', (byte)'5', (byte)'6', (byte)'7', (byte)'8', (byte)'9', (byte)'a', (byte)'b', (byte)'c', (byte)'d', (byte)'e', (byte)'f'};
    byte[] hexChars = new byte[rawHmac.length * 2];
    for ( int j = 0; j < rawHmac.length; j++ ) {
        int v = rawHmac[j] & 0xFF;
        hexChars[j * 2] = hexArray[v >>> 4];
        hexChars[j * 2 + 1] = hexArray[v & 0x0F];
    }
    return new String(hexChars);
}
catch (Exception ex) {
    throw new RuntimeException(ex);
}

}

Use this like

Log.e("TAG", "onCreate: "+hmacSha("key","text","HmacSHA256"));

Verification

1.Android studio output 2. Online HMAC generator Output(Visit here for Online Genrator)

Rahul Raina · Answer 7 · 2019-04-30T05:07:19.847

Java simple code to generate encoded(HMAC-x) signatures. (Tried using Java-8 and Eclipse)

import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

import com.sun.org.apache.xml.internal.security.utils.Base64;

/**
 * Encryption class to show how to generate encoded(HMAC-x) signatures.
 * 
 */
public class Encryption {

    public static void main(String args[]) {

        String message = "This is my message.";
        String key = "your_key";
        String algorithm = "HmacMD5";  // OPTIONS= HmacSHA512, HmacSHA256, HmacSHA1, HmacMD5

        try {

            // 1. Get an algorithm instance.
            Mac sha256_hmac = Mac.getInstance(algorithm);

            // 2. Create secret key.
            SecretKeySpec secret_key = new SecretKeySpec(key.getBytes("UTF-8"), algorithm);

            // 3. Assign secret key algorithm.
            sha256_hmac.init(secret_key);

            // 4. Generate Base64 encoded cipher string.
            String hash = Base64.encode(sha256_hmac.doFinal(message.getBytes("UTF-8")));

            // You can use any other encoding format to get hash text in that encoding.
            System.out.println(hash);

            /**
             * Here are the outputs for given algorithms:-
             * 
             * HmacMD5 = hpytHW6XebJ/hNyJeX/A2w==
             * HmacSHA1 = CZbtauhnzKs+UkBmdC1ssoEqdOw=
             * HmacSHA256 =gCZJBUrp45o+Z5REzMwyJrdbRj8Rvfoy33ULZ1bySXM=
             * HmacSHA512 = OAqi5yEbt2lkwDuFlO6/4UU6XmU2JEDuZn6+1pY4xLAq/JJGSNfSy1if499coG1K2Nqz/yyAMKPIx9C91uLj+w==
             */

        } catch (NoSuchAlgorithmException e) {

            e.printStackTrace();

        } catch (UnsupportedEncodingException e) {

            e.printStackTrace();

        } catch (InvalidKeyException e) {

            e.printStackTrace();

        }

    }

}

NOTE: You can use any other Algorithms and can try generating HmacMD5, HmacSHA1, HmacSHA256, HmacSHA512 signatures.

score 2 · Answer 8 · answered Nov 30 '16 at 00:33

If but any chance you found a solution how to calculate HMAC-SHA256 here, but you're getting an exception like this one:

java.lang.NoSuchMethodError: No static method encodeHexString([B)Ljava/lang/String; in class Lorg/apache/commons/codec/binary/Hex; or its super classes (declaration of 'org.apache.commons.codec.binary.Hex' appears in /system/framework/org.apache.http.legacy.boot.jar)

Then use:

public static String encode(String key, String data) {
    try {
        Mac hmac = Mac.getInstance("HmacSHA256");
        SecretKeySpec secret_key = new SecretKeySpec(key.getBytes("UTF-8"), "HmacSHA256");
        hmac.init(secret_key);
        return new String(Hex.encodeHex(hmac.doFinal(data.getBytes("UTF-8"))));
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}

score 0 · Answer 9 · answered Feb 07 '16 at 10:36

Here is my solution:

public String HMAC_SHA256(String secret, String message)
{
    String hash="";
    try{
        Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
        SecretKeySpec secret_key = new SecretKeySpec(secret.getBytes(), "HmacSHA256");
        sha256_HMAC.init(secret_key);

        hash = Base64.encodeToString(sha256_HMAC.doFinal(message.getBytes()), Base64.DEFAULT);
    }catch (Exception e)
    {

    }
    return hash.trim();
}

HMAC-SHA256 Algorithm for signature calculation

9 Answers9

Try this

Linked