ColdFusion HMAC-SHA1 calculation issue

If you tried to calculate HMAC-SHA1 in ColdFusion, you might find a strange issue: if the key is provided as a byte array, it is not producing the proper results for some keys.

For instance, when calculating the HMAC with the simple message and key, it is working fine:

hmac("test", "key", "HMACSHA1")
671F54CE0C540F78FFE1E26DCF9C2A047AEA4FDA

The problem is when you want to use a byte array based key. The byte array is handled in Java, but Java is working on signed bytes. This means that values over 127 are turned into negative numbers.

If you want to use a hex-based or byte-based key, you have to use binaryDecode and provide the key as a string:

hmac("test", binaryDecode("1111EE", "hex"), "HMACSHA1")
62770B0AEFB3B99355F6EBD37DF1D01CBBB41EF8

If you want to check if your calculations are proper, you can use the jsSHA website.

I also noticed one more thing. ColdFusion is returning the hashed value using all capital letters. In some cases, when sending such hash to the API, it expects that it will be lower case. Just one more thing to check during the implementation 🙂