HMAC256 from C# to Javascript returns different results

Question

I want to create a HMAC256 key from a string with a HMAC key based on my C# project in Javascript. however, each project has different results and can't seem to find a way to make the results identical.

C# PROJECT

private string CalculateHMAC(string hmacKey, string signingstring) {
  byte[] key = PackH(hmacKey) //returns 32 bit array;
  byte[] data = Encoding.UTF8.GetBytes(signingstring);

  try {
    using(HMACSHA256 hmac = new HMACSHA256(key)) {
      // Compute the hmac on input data bytes
      byte[] rawHmac = hmac.ComputeHash(data);

      // Base64-encode the hmac
      return Convert.ToBase64String(rawHmac);
    }
  } catch (Exception e) {
    throw new Exception("Failed to generate HMAC : " + e.Message);
  }
}

JAVASCRIPT CODE

var hash = CryptoJS.HmacSHA256(byteString, hmacKeyinString);
var msg = hash.toString(CryptoJS.enc.Base64);

Thank you in advance.

Using CryptoJS in my javascript project

This is probably going to be really hard to work out, but have a close look at the string you are dealing with, and look for special characters - you may need to escape them before running the HMAC function - when I first tried something similar, I specifically had trouble with backslashes, both in a URL and in a date string. Try and run both functions on a tiny/simple/ASCII string and double-check that you get the same output. — MikeB, Jul 12 '19 at 10:34
@MikeBrockington Hi there, the string i'm using is this 'currency:mercacct:merRef:amount:sessionValidity:shipBeforeDate:shopperEmail:skinCode:GBP:Payments:22222.H1324.7622211:12100:2019-07-17:2019-07-17::231233332"' I'll get back to you with the exact same input. I have changed some information due to security reasons. — Sunil Rajshakha, Jul 12 '19 at 10:40
Have you tried it with a simple string like "test"? Also is your JS value UTF8? — Pieter, Jul 12 '19 at 10:44
Are you directly comparing the output - the other thing that caught me out was that the far end had a different idea of what data was part of the comparison... — MikeB, Jul 12 '19 at 10:44
@MikeBrockington Tried this and it has returned different values. — Sunil Rajshakha, Jul 12 '19 at 10:45
@MikeBrockington Yeah, for a simple string 'Answer' and a simple key '123456789' — Sunil Rajshakha, Jul 12 '19 at 10:48
Is `hash.toString` necessary - check what your output looks like before that. One way or another your functions aren't doing the same thing, probably need to tweak a parameter somewhere. — MikeB, Jul 12 '19 at 10:50
Try the same values with a few online HmacSHA256 hashers. That might help you determine whether to focus on C# or JS for the fix. I noted that online hashers differ and would suggest trying a few — Pieter, Jul 12 '19 at 10:53
@MikeBrockington Hash.toString is necessary to ensure that it's readable. Please read my other comment to Pieter. — Sunil Rajshakha, Jul 12 '19 at 12:40
@Pieter After looking at several hashers, it came apparent that my hmac key in c# is getting converted into an array of bytes[32] and inserted into (HMACSHA256 hmac = new HMACSHA256(key) For now, I have written up the array in javascript is there a way of passing through the array replacing hmacKeyinString? Currently getting an error, 'key.clamp is not a function' this is due to the fact that the function CryptoJS.HmacSHA256 doesn't allow arrays to be in the parameter. — Sunil Rajshakha, Jul 12 '19 at 12:40
Have a look at the answer here. It gives a detailed explanation that might help you. https://stackoverflow.com/questions/12185122/calculating-hmacsha256-using-c-sharp-to-match-payment-provider-example — Pieter, Jul 12 '19 at 13:27

Sunil Rajshakha · Answer 1 · 2019-07-16T08:40:26.497

1

fixed with this line of code

        var wordsKey = CryptoJS.enc.Hex.parse('yourkey');

        var hash = CryptoJS.HmacSHA256(convertString, wordsKey);
        var hashInBase64 = CryptoJS.enc.Base64.stringify(hash);

edited Jul 16 '19 at 08:40

answered Jul 15 '19 at 08:32

Sunil Rajshakha

39
1
7

HMAC256 from C# to Javascript returns different results

1 Answers1