3
$key = "12345678876543211234567887654321";
$iv = "1234567887654321";
$plaindata = "This is a test string";

$enc = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $plaindata, MCRYPT_MODE_CBC, $iv));

$str = hash_hmac("sha256", utf8_encode($iv . '.' . $enc), utf8_encode($key));

echo($str);

This gives me e63d4ab83f90cfec1acdaf831091b6394167ae728b657e44afad1e7553843eeb

How can I get the same result in ColdFusion9 Development Edition?

user812120
  • 585
  • 1
  • 10
  • 21
  • http://henrylearnstorock.blogspot.ca/2011/11/do-you-want-coldfusion-to-support-hmac.html – Henry May 04 '12 at 01:46

2 Answers2

2

I found a solution on this page http://www.isummation.com/blog/calculate-hmac-sha256-digest-using-user-defined-function-in-coldfusion/

Your need to call the function like this

<cfoutput>#LCase(HMAC_SHA256(iv & "." & Encrypted_Data, key))#</cfoutput>

Worked like a charm.

user812120
  • 585
  • 1
  • 10
  • 21
0

Don't have the time to work it out entirely, but I think that HMAC SHA1 ColdFusion should be able to get you there. If for some reason you can't get it perfectly right (had that once) you might also consider using php-cli with cfexecute. It's not the fastest solution, but if necessary it allows you to use the php functions.

Edit: Copied the function from the previous answer and added a comment about the line that needed to be changed.

<cffunction name="hmacEncrypt" returntype="binary" access="public" output="false">
 <cfargument name="signKey" type="string" required="true" />
 <cfargument name="signMessage" type="string" required="true" />

 <cfset var jMsg = JavaCast("string",arguments.signMessage).getBytes("iso-8859-1") />
 <cfset var jKey = JavaCast("string",arguments.signKey).getBytes("iso-8859-1") />

 <cfset var key = createObject("java","javax.crypto.spec.SecretKeySpec") />
 <cfset var mac = createObject("java","javax.crypto.Mac") />

 <!--- this line had to be changed to the 256 version --->
 <cfset key = key.init(jKey,"hmacSHA256") />

 <cfset mac = mac.getInstance(key.getAlgorithm()) />
 <cfset mac.init(key) />
 <cfset mac.update(jMsg) />

<cfreturn mac.doFinal() />

Community
  • 1
  • 1
David Mulder
  • 26,123
  • 9
  • 51
  • 114
  • HMAC SHA1 unfortunately does not produce the same results :( – user812120 Apr 27 '12 at 08:26
  • The reason for this might possibly be given in this answer: http://stackoverflow.com/a/1610356/1266242 – David Mulder Apr 27 '12 at 09:19
  • Still no luck :( All I get is this cfcustomer2dreturn2ecfm939104368$funcHEX2BIN@3541d281 – user812120 Apr 27 '12 at 09:54
  • Another thing you might try is updating to ColdFusion 10 and try that implementation: http://help.adobe.com/en_US/ColdFusion/10.0/CFMLRef/WS932f2e4c7c04df8f744b691e1353e37d519-8000.html – David Mulder Apr 27 '12 at 11:46
  • I am using the trial version 9. Could this be the reason? – user812120 Apr 27 '12 at 12:09
  • No, but in coldfusion 10 there is a ready made HMAC function. Another option you have is to switch to openbd (as using the trial seems to suggest you haven't developed anything big yet) where you can use inline java. Oh, I just realized the difference, see my edited answer above. – David Mulder Apr 27 '12 at 12:23
  • @user812120 - Per your other question at http://stackoverflow.com/questions/10301041/php-coldfusion9-aes-encryption-different-results/10309883#comment13311399_10309883 you will also need to adjust the padding on the string to be encrypted using PKCS #5 prior to passing the `$plaindata` variable into the PHP encryption so that the encryption output is equivalent to the ColdFusion encryption output. This will need to match BEFORE you run the encrypted string through the hashing function (which David Mulder has already provided above. – Justin Scott Apr 28 '12 at 04:24
  • Also, I am curious as to why you're hashing the encryption output? The encryption algorithm has protection in place to prevent tampering, so a checksum hash shouldn't be necessary. – Justin Scott Apr 28 '12 at 04:27