HMAC SHA1 ColdFusion

Question

Please help! I have been pulling out my hair over this one. :)

I have a site that I need to HMAC SHA1 for authentication. It currently works with another language but now I need to move it to ColdFusion. For the life of me I cannot get the strings to match. Any assistance would be much appreciated.

Data: https%3A%2F%2Fwww%2Etestwebsite%2Ecom%3Fid%3D5447
Key: 265D5C01D1B4C8FA28DC55C113B4D21005BB2B348859F674977B24E0F37C81B05FAE85FB75EA9CF53ABB9A174C59D98C7A61E2985026D2AA70AE4452A6E3F2F9

Correct answer: WJd%2BKxmFxGWdbw4xQJZXd3%2FHkFQ%3d
My answer: knIVr6wIt6%2Fl7mBJPTTbwQoTIb8%3d

Both are Base64 encoded and then URL encoded.

Answer 1

Doing an HMAC-SHA1 thing myself. Best I can say is that I found this old function. Has worked great for what I am doing thus far. Forgot where I found it though so I can't credit the author.

For your Base 64 stuff... run this function on your encryption, then just do a cfset newString = toBase64(oldString) on what is returned.

<cffunction name="hmacEncrypt" returntype="binary" access="public" output="false">
   <cfargument name="signKey" type="string" required="true" />
   <cfargument name="signMessage" type="string" required="true" />
   <cfargument name="algorithm" type="string" default="HmacSHA1" />
   <cfargument name="charset" type="string" default="UTF-8" />

   <cfset var msgBytes = charsetDecode(arguments.signMessage, arguments.charset) />
   <cfset var keyBytes = charsetDecode(arguments.signKey, arguments.charset) />
   <cfset var keySpec = createObject("java","javax.crypto.spec.SecretKeySpec")  />
   <cfset var mac = createObject("java","javax.crypto.Mac") />

   <cfset key = keySpec.init(keyBytes, arguments.algorithm) />
   <cfset mac = mac.getInstance(arguments.algorithm) />
   <cfset mac.init(key) />
   <cfset mac.update(msgBytes) />

   <cfreturn mac.doFinal() />
</cffunction>

Answer 2

A shorter encryption method (based on Barney's method) that outputs a string:

<cffunction name="CFHMAC" output="false" returntype="string">
   <cfargument name="signMsg" type="string" required="true" />
   <cfargument name="signKey" type="string" required="true" />
   <cfargument name="encoding" type="string" default="utf-8" />
   <cfset var key = createObject("java", "javax.crypto.spec.SecretKeySpec").init(signKey.getBytes(arguments.encoding), "HmacSHA1") />
   <cfset var mac = createObject("java", "javax.crypto.Mac").getInstance("HmacSHA1") />
   <cfset mac.init(key) />
   <cfreturn toBase64(mac.doFinal(signMsg.getBytes(arguments.encoding))) />
</cffunction>

In addition

1. ColdFusion 10 supports HMAC-SHA1 for Encrypting and Hashing natively.
2. There is a library called CF_HMAC distributed by Adobe
3. There are several libraries that deal with HMAC in relation while signing files for Amazon. Among them are cf-amazon-s3, Barney's S3 URL Builder, and RIAForge S3