We are trying to calculate a HMAC-SHA256 digest in ColdFusion and we are using the HMAC CFC, but in one case it is producing a different result for the digest compared to ones generated in different languages - have tried the same data using Ruby & PHP and get the expected result. I have also tried the CF_HMAC custom tag it is based on and get the same results.
I understand that from CF8 encrypt()
supports HMAC-SHA256, but it's only available in Enterprise (which we don't have) and isn't even available in developer version for me to test.
So my question is can I do this by accessing Java from CF?
This is what I ended up doing:
secret = createObject('java', 'javax.crypto.spec.SecretKeySpec' ).Init(my_key.GetBytes(), 'HmacSHA256');
mac = createObject('java', "javax.crypto.Mac");
mac = mac.getInstance("HmacSHA256");
mac.init(secret);
digest = mac.doFinal(my_data.GetBytes());
This gives you the byte array, which you can then convert to a string.
Here's an example of DEfusion's answer with different input/output formats. My key is hex, my data is lower ascii (so UTF-8 will do), and I need base64 output, so I pass the appropriate format arguments to BinaryDecode and CharsetDecode:
<cfset keybytes = BinaryDecode(SECRET_KEY, "Hex")>
<cfset databytes = CharsetDecode(data, "UTF-8")>
<cfset secret = createObject("java", "javax.crypto.spec.SecretKeySpec").Init(keybytes,"HmacSHA256")>
<cfset mac = createObject("java", "javax.crypto.Mac")>
<cfset mac = mac.getInstance("HmacSHA256")>
<cfset mac.init(secret)>
<cfset digest = mac.doFinal(databytes)>
<cfset result = BinaryEncode(digest, "Base64")>