5

Please help! I have been pulling out my hair over this one. :)

I have a site that I need to HMAC SHA1 for authentication. It currently works with another language but now I need to move it to ColdFusion. For the life of me I cannot get the strings to match. Any assistance would be much appreciated.

Data: https%3A%2F%2Fwww%2Etestwebsite%2Ecom%3Fid%3D5447
Key: 265D5C01D1B4C8FA28DC55C113B4D21005BB2B348859F674977B24E0F37C81B05FAE85FB75EA9CF53ABB9A174C59D98C7A61E2985026D2AA70AE4452A6E3F2F9

Correct answer: WJd%2BKxmFxGWdbw4xQJZXd3%2FHkFQ%3d
My answer: knIVr6wIt6%2Fl7mBJPTTbwQoTIb8%3d

Both are Base64 encoded and then URL encoded.

Ilmari Karonen
  • 49,047
  • 9
  • 93
  • 153
Chris
  • 61
  • 1
  • 3

3 Answers3

9

Doing an HMAC-SHA1 thing myself. Best I can say is that I found this old function. Has worked great for what I am doing thus far. Forgot where I found it though so I can't credit the author.

For your Base 64 stuff... run this function on your encryption, then just do a cfset newString = toBase64(oldString) on what is returned.

<cffunction name="hmacEncrypt" returntype="binary" access="public" output="false">
   <cfargument name="signKey" type="string" required="true" />
   <cfargument name="signMessage" type="string" required="true" />
   <cfargument name="algorithm" type="string" default="HmacSHA1" />
   <cfargument name="charset" type="string" default="UTF-8" />

   <cfset var msgBytes = charsetDecode(arguments.signMessage, arguments.charset) />
   <cfset var keyBytes = charsetDecode(arguments.signKey, arguments.charset) />
   <cfset var keySpec = createObject("java","javax.crypto.spec.SecretKeySpec")  />
   <cfset var mac = createObject("java","javax.crypto.Mac") />

   <cfset key = keySpec.init(keyBytes, arguments.algorithm) />
   <cfset mac = mac.getInstance(arguments.algorithm) />
   <cfset mac.init(key) />
   <cfset mac.update(msgBytes) />

   <cfreturn mac.doFinal() />
</cffunction>
Leigh
  • 28,765
  • 10
  • 55
  • 103
Steve K.
  • 91
  • 1
  • 1
    exactly what I needed. Thanks. FYI: colfdusion 10 has a hmac() function built in, ain't that nice :) – jan Apr 02 '12 at 14:28
4

A shorter encryption method (based on Barney's method) that outputs a string:

<cffunction name="CFHMAC" output="false" returntype="string">
   <cfargument name="signMsg" type="string" required="true" />
   <cfargument name="signKey" type="string" required="true" />
   <cfargument name="encoding" type="string" default="utf-8" />
   <cfset var key = createObject("java", "javax.crypto.spec.SecretKeySpec").init(signKey.getBytes(arguments.encoding), "HmacSHA1") />
   <cfset var mac = createObject("java", "javax.crypto.Mac").getInstance("HmacSHA1") />
   <cfset mac.init(key) />
   <cfreturn toBase64(mac.doFinal(signMsg.getBytes(arguments.encoding))) />
</cffunction>

In addition

  1. ColdFusion 10 supports HMAC-SHA1 for Encrypting and Hashing natively.
  2. There is a library called CF_HMAC distributed by Adobe
  3. There are several libraries that deal with HMAC in relation while signing files for Amazon. Among them are cf-amazon-s3, Barney's S3 URL Builder, and RIAForge S3
Leigh
  • 28,765
  • 10
  • 55
  • 103
SamGoody
  • 13,758
  • 9
  • 81
  • 91
  • Nice. Just be careful with `String.getBytes()` as it uses the default encoding (not always what you want). I would make charset an optional parameter, default of UTF-8. Then pass it into either [charsetDecode](http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7f64.html) or getBytes(charset) – Leigh Aug 22 '12 at 20:10
  • FYI, since this post still comes up frequently, fixed getBytes() encoding gotcha – Leigh Dec 14 '15 at 00:37
1

Steve - Thanks for your response. I actually was using the hmacEncrypt function already. I did figure out my issue though. I was passing in a HEX key instead of a string. It accepted the key because technically it was a string. To get it back to a string I used another function along with the one above. The one below changes the HEX into a string. I didn't write the function below nor do I remember where it came from to get the author credit, but it worked great. 

<cffunction name="Hex2Bin" returntype="any" hint="Converts a Hex string to binary">
    <cfargument name="inputString" type="string" required="true" hint="The hexadecimal string to be written.">
    <cfset var outStream = CreateObject("java", "java.io.ByteArrayOutputStream").init()>
    <cfset var inputLength = Len(arguments.inputString)>
    <cfset var outputString = "">
    <cfset var i = 0>
    <cfset var ch = "">
    <cfif inputLength mod 2 neq 0>
    <cfset arguments.inputString = "0" & inputString>
    </cfif>
    <cfloop from="1" to="#inputLength#" index="i" step="2">
        <cfset ch = Mid(inputString, i, 2)>
        <cfset outStream.write(javacast("int", InputBaseN(ch, 16)))>
    </cfloop>
    <cfset outStream.flush()>
    <cfset outStream.close()> 
    <cfreturn outStream.toByteArray()>
</cffunction>
Chris
  • 61
  • 1
  • 3
  • 1
    (*This was originally posted as answer, but was deleted by the mods*): "[Ronald-c](http://stackoverflow.com/users/475420/roland-c) said: I wrote Hex2Bin years ago for someone on the CFC mailing list! Just as an FYI, as of CF7, you can now do this: `BinaryDecode(inputString, "hex")`. It's much simpler (and more performant) since they added the built-in function." – Leigh Nov 03 '13 at 19:52