ColdFusion HMAC-SHA1 calculation issue

If you have tried to calculate HMAC-SHA1 in ColdFusion, you may have run into a strange issue: if the key is provided as a byte array, the function does not produce the correct result for some keys.

For instance, calculating the HMAC with a simple message and key works fine:

hmac("test", "key", "HMACSHA1")

The problem appears when you want to use a key based on a byte array. The byte array is handled in Java, and Java works with signed bytes. This means that values over 127 are turned into negative numbers.

If you want to use a hex-based or byte-based key, you have to provide the key as a string and convert it with binaryDecode:

hmac("test", binaryDecode("1111EE", "hex"), "HMACSHA1")

To check that your calculations are correct, you can use the jsSHA website.

I also noticed one more thing. ColdFusion returns the hash value in all capital letters. In some cases, an API you send the hash to expects it in lower case. Just one more thing to check during the implementation 🙂
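
A local cross-check for the points above, as an added example that is not part of the original post: it computes a reference HMAC-SHA1 in Python, shows the signed values Java reports for a key such as 1111EE, and compares a ColdFusion result without regard to letter case. The function names and the sample values are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed sample values: the message and hex key used in the post.
SAMPLE_MESSAGE = "test"
SAMPLE_KEY = bytes.fromhex("1111EE")


def to_java_signed(key):
    """Return the key as Java shows it: each byte in the range -128..127."""
    return [b - 256 if b > 127 else b for b in key]


def from_java_signed(values):
    """Map signed values back to the raw 0..255 bytes the HMAC must be keyed with."""
    return bytes(v & 0xFF for v in values)


def hmac_sha1_hex(message, key):
    """Reference HMAC-SHA1 over the UTF-8 message, as lowercase hex."""
    return hmac.new(key, message.encode("utf-8"), hashlib.sha1).hexdigest()


def matches_coldfusion(cf_output, message, key):
    """Check an (uppercase) ColdFusion result against the reference value.

    The comparison ignores letter case and runs in constant time, which is
    also how a receiving API should verify the value.
    """
    candidate = cf_output.strip().lower()
    return hmac.compare_digest(candidate, hmac_sha1_hex(message, key))


if __name__ == "__main__":
    # 0xEE is 238 unsigned, which Java displays as -18.
    print("signed view :", to_java_signed(SAMPLE_KEY))
    print("raw bytes   :", from_java_signed(to_java_signed(SAMPLE_KEY)).hex())

    # Keying with the decoded bytes and keying with the text "1111EE"
    # are two different keys and give two different HMACs.
    print("binary key  :", hmac_sha1_hex(SAMPLE_MESSAGE, SAMPLE_KEY))
    print("text key    :", hmac_sha1_hex(SAMPLE_MESSAGE, b"1111EE"))

    # Paste the value ColdFusion printed here to verify it.
    cf_value = hmac_sha1_hex(SAMPLE_MESSAGE, SAMPLE_KEY).upper()
    print("matches     :", matches_coldfusion(cf_value, SAMPLE_MESSAGE, SAMPLE_KEY))
```

If the ColdFusion value only matches the "text key" line, the hex string was used as the key without being decoded first.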