HMAC SHA1 using Java

18 January 2008 17:59 (EST)
Working with the OpenID CFC project, I found another way to create an HMAC:SHA1 string using Java:

<cffunction name="HMAC_SHA1" returntype="binary" access="public" output="false">
   <cfargument name="signKey" type="string" required="true" />
   <cfargument name="signMessage" type="string" required="true" />

   <!--- Convert message and key to byte arrays using a fixed charset --->
   <cfset var jMsg = JavaCast("string",arguments.signMessage).getBytes("iso-8859-1") />
   <cfset var jKey = JavaCast("string",arguments.signKey).getBytes("iso-8859-1") />

   <cfset var key = createObject("java","javax.crypto.spec.SecretKeySpec") />
   <cfset var mac = createObject("java","javax.crypto.Mac") />

   <!--- Wrap the raw key bytes as an HmacSHA1 key --->
   <cfset key = key.init(jKey,"HmacSHA1") />

   <!--- Get the Mac instance for the key's algorithm and feed it the message --->
   <cfset mac = mac.getInstance(key.getAlgorithm()) />
   <cfset mac.init(key) />
   <cfset mac.update(jMsg) />

   <!--- Returns the raw MAC as binary --->
   <cfreturn mac.doFinal() />

</cffunction>

So I am going to include this code in the next release of the project.
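A way to call the function above and check a received signature, as an added example that is not part of the original post or the OpenID CFC project. It assumes the code sits in the same template or CFC as `HMAC_SHA1`; the name `verifyHmacSha1` and its `receivedHex` argument are hypothetical, and the key, message and MAC are test case 2 from RFC 2202.

```cfml
<!--- Added example: recompute the MAC and compare it with a received hex signature --->
<cffunction name="verifyHmacSha1" returntype="boolean" access="public" output="false">
   <cfargument name="signKey" type="string" required="true" />
   <cfargument name="signMessage" type="string" required="true" />
   <cfargument name="receivedHex" type="string" required="true" />

   <cfset var expected = HMAC_SHA1(arguments.signKey, arguments.signMessage) />
   <cfset var received = "" />
   <cfset var md = createObject("java","java.security.MessageDigest") />

   <!--- An HMAC-SHA1 value is 20 bytes: reject anything that is not 40 hex digits --->
   <cfif NOT reFind("^[0-9A-Fa-f]{40}$", arguments.receivedHex)>
      <cfreturn false />
   </cfif>
   <cfset received = binaryDecode(arguments.receivedHex, "hex") />

   <!--- Compare the byte arrays with MessageDigest.isEqual rather than a string
         comparison; on current Java versions it does not stop at the first
         differing byte --->
   <cfreturn md.isEqual(expected, received) />
</cffunction>

<!--- RFC 2202, HMAC-SHA1 test case 2 (published known-answer vector) --->
<cfset rfcKey = "Jefe" />
<cfset rfcMsg = "what do ya want for nothing?" />
<cfset rfcMac = "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79" />

<!--- The function returns binary; encode it to get a printable string --->
<cfset macBytes = HMAC_SHA1(rfcKey, rfcMsg) />
<cfoutput>
hex:      #lCase(binaryEncode(macBytes, "hex"))#<br />
base64:   #binaryEncode(macBytes, "base64")#<br />
matches:  #verifyHmacSha1(rfcKey, rfcMsg, rfcMac)#<br />
tampered: #verifyHmacSha1(rfcKey, rfcMsg & "!", rfcMac)#
</cfoutput>
```

An HMAC is one-way, so there is no decrypt step: the receiver recomputes the MAC with the shared key and compares. Both sides must also turn strings into bytes with the same charset (iso-8859-1 in the function above), or the values will not match.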

Discussion (8 comments)

Reena: 18 January 2008 20:47 (EST)

What is HMAC:SHA1?

www.yakhnov.ru: 19 January 2008 02:18 (EST)

SHA stands for Secure Hash Algorithm. The SHA hash functions are five cryptographic hash functions designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard.

In cryptography, a keyed-Hash Message Authentication Code, or HMAC, is a type of message authentication code (MAC) calculated using a specific algorithm involving a cryptographic hash function in combination with a secret key.

Gabriel: 5 March 2008 07:46 (EST)

This is fantastic!!!!
Using it for Google Checkout calculation. Thank you!!!!

rednael: 20 November 2008 01:15 (EST)

Good post,

Please also read the following article:
http://blog.rednael.com/2008/09/30/SecuringYourPasswordTransfersWithKeyedHashingHMACCramMD5.aspx

It's a walkthrough example of implementing HMAC-MD5 / Cram-MD5 on a website. The same technique can be used for various client-server situations.
The article explains the benefits of using such a password system and shows you how to implement it using the .Net library at server side (examples in C#), and using Paj’s MD5 Javascript functions at client-side.

Jason: 12 May 2009 07:48 (EST)

Thanks for this post! Do you know where I might find the equivalent code to decrypt the string? I have been trying to figure it out for a while, but cannot get it to work.

Joseph Wilson: 18 December 04:01 (EST)

Okay, if I have a string ABCDEFG and a key of ABCDEFGHIJ then how do I invoke this method?

I guess what I really need to know is how the string and key are passed to the .cfc file.

Thanks

Kirill: 10 March 21:54 (EST)

Thanks!! That has solved my problems. I tried ColdFusion's Encode function on an Enterprise Edition server, but it would not convert it to HMAC:SHA1 anyway. By the way, I used BinaryEncode() with the Base64 param to make it a string!

Maarten: 17 June 17:25 (EST)

Great! But I do not have the java classes stated in this article. How and where can I download and install them?

Thanks

Dmitry Yakhnov: 17 June 22:42 (EST)

All these Java classes are native to CF starting from version 7 (or even MX).
