Cannot create valid API signature using ColdFusion and HMAC-SHA1

I reviewed a number of other related posts on this topic and was able to reproduce them without problems. However, I cannot get the expected signature result using my own data, no matter what I try to do. I would really appreciate any help. Here are the API requirements:

  • Convert signature data from ASCII string to byte array
  • Convert a private key from Base64 string to byte array
  • Use the byte array created in step 1 as the key for the HMAC-SHA1 subscriber
  • Compute the HMAC-SHA1 hash of the byte array created in step 2. The result is an array of bytes
  • Convert the byte array created in step 3 to a Base64-encoded string

According to the documentation:

I could not get this signature, despite trying to use various methods from other posts. For example:

<cffunction name="hmacEncrypt" returntype="binary" access="public" output="false">
    <cfargument name="base64Key" type="string" required="true" default="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==">
    <cfargument name="signMessage" type="string" required="true" default="http://membersuite.com/contracts/IConciergeAPIService/WhoAmI00000000-0000-0000-0000-00000000000011111111-1111-1111-1111-111111111111">
    <cfargument name="encoding" type="string" default="UTF-8">

    <cfset var messageBytes = JavaCast("string",arguments.signMessage).getBytes(arguments.encoding)>
    <cfset var keyBytes = binaryDecode(arguments.base64Key, "base64")>
    <cfset var key = createObject("java","javax.crypto.spec.SecretKeySpec")>
    <cfset var mac = createObject("java","javax.crypto.Mac")>

    <cfset key = key.init(keyBytes,"HmacSHA512")>
    <cfset mac = mac.getInstance(key.getAlgorithm())>
    <cfset mac.init(key)>
    <cfset mac.update(messageBytes)>

    <cfreturn mac.doFinal()>
</cffunction>

Resetting the output of this function does not give me any errors, but it does not correspond to the expected result. Again, I would really appreciate any help or pushing in the right direction. I think part of my problem is how I encode the key and URL string, but I'm not sure. Thank you all in advance!

1 answer

key.init(keyBytes,"HmacSHA512")

Nearly. This UDF is hardcoded to use "HmacSHA512". Change it to "HmacSHA1" or, even better, make it a function parameter, like "encoding".

Example:

<cfset action = "http://membersuite.com/contracts/IConciergeAPIService/WhoAmI">
<cfset associationId = "00000000-0000-0000-0000-000000000000">
<cfset sessionId = "11111111-1111-1111-1111-111111111111">
<cfset stringToSign = action & associationId & sessionId>
<cfset key = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==">
<cfset result = binaryEncode(hmacEncrypt(key, stringToSign, "US-ASCII"), "base64")>
<cfset writeDump(result)>

Result:

 2zsMYdHb/MJUeTjv5cQl5pBuIqU= 

NB: As of CF10+, HMAC is now a core function:

<cfset resultAsHex = hmac(stringToSign, binaryDecode(key, "base64"), "hmacsha1", "us-ascii")>
<cfset resultAsBase64 = binaryEncode(binaryDecode(resultAsHex, "hex"), "base64")>
<cfset writeDump(resultAsBase64)>
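A way to cross-check a ColdFusion result against an independent implementation, added here as an example (it is not part of the original question or answer): this Python code recomputes the signature under the mismatches discussed above (HmacSHA512 instead of HmacSHA1, key not Base64-decoded, hex instead of Base64 output) and names the variant that reproduces an observed value. The all-zero test key and the names `sign` and `diagnose` are assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Message parts are the sample values shown on this page.
ACTION = "http://membersuite.com/contracts/IConciergeAPIService/WhoAmI"
ASSOCIATION_ID = "00000000-0000-0000-0000-000000000000"
SESSION_ID = "11111111-1111-1111-1111-111111111111"
MESSAGE = ACTION + ASSOCIATION_ID + SESSION_ID
# Constructed test key (assumption): 64 zero bytes, Base64-encoded.
B64_KEY = base64.b64encode(bytes(64)).decode("ascii")

ALGOS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA512": hashlib.sha512}


def sign(message, key, digestmod=hashlib.sha1):
    """Raw HMAC bytes over the US-ASCII encoding of message."""
    return hmac.new(key, message.encode("ascii"), digestmod).digest()


def diagnose(message, b64_key, observed):
    """Return the variant that reproduces `observed`, or 'no match'."""
    observed = observed.strip()
    keys = {
        "base64-decoded key": base64.b64decode(b64_key),
        "key used as literal text": b64_key.encode("ascii"),
    }
    for algo_name, digestmod in ALGOS.items():
        for key_name, key in keys.items():
            raw = sign(message, key, digestmod)
            outputs = {
                "base64 output": (base64.b64encode(raw), observed),
                # hex is compared case-insensitively
                "hex output": (raw.hex().encode(), observed.lower()),
            }
            for out_name, (candidate, seen) in outputs.items():
                # compare_digest avoids leaking the match position via timing
                if hmac.compare_digest(candidate, seen.encode()):
                    return f"{algo_name} / {key_name} / {out_name}"
    return "no match"


if __name__ == "__main__":
    good = base64.b64encode(sign(MESSAGE, base64.b64decode(B64_KEY))).decode()
    print(len(good), diagnose(MESSAGE, B64_KEY, good))
```

A Base64 signature of 88 characters instead of 28 is the quickest sign that SHA-512 was used where SHA-1 was expected.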