HMAC-SHA1: How to do it properly in Java?
JavaHashSha1HmacJava Problem Overview
I'm hashing some values using HMAC-SHA1, using the following code in Java:
public static String hmacSha1(String value, String key) {
try {
// Get an hmac_sha1 key from the raw key bytes
byte[] keyBytes = key.getBytes();
SecretKeySpec signingKey = new SecretKeySpec(keyBytes, "HmacSHA1");
// Get an hmac_sha1 Mac instance and initialize with the signing key
Mac mac = Mac.getInstance("HmacSHA1");
mac.init(signingKey);
// Compute the hmac on input data bytes
byte[] rawHmac = mac.doFinal(value.getBytes());
// Convert raw bytes to Hex
byte[] hexBytes = new Hex().encode(rawHmac);
// Covert array of Hex bytes to a String
return new String(hexBytes, "UTF-8");
} catch (Exception e) {
throw new RuntimeException(e);
}
}
Hex() belongs to org.apache.commons.codec
In PHP there's a similar function hash_hmac(algorithm, data, key) that I use to compare the values returned by my Java implementation.
So the first try is:
hash_hmac("sha1", "helloworld", "mykey") // PHP
that returns: 74ae5a4a3d9996d5918defc2c3d475471bbf59ac
My Java function returns 74ae5a4a3d9996d5918defc2c3d475471bbf59ac as well.
Ok, it seems working. Then I try to use a more complex key:
hash_hmac("sha1", "helloworld", "PRIE7$oG2uS-Yf17kEnUEpi5hvW/#AFo") // PHP
that returns: e98bcc5c5be6f11dc582ae55f520d1ec4ae29f7a
While this time my Java impl returns: c19fccf57c613f1868dd22d586f9571cf6412cd0
The hash returned by my PHP code is not equal to the value returned by my Java function, and I can't find out why.
Any tips?
Java Solutions
Solution 1 - Java
On your PHP side, use single-quotes around the key so that the $ character is not treated as a variable reference. i.e.,
hash_hmac("sha1", "helloworld", 'PRIE7$oG2uS-Yf17kEnUEpi5hvW/#AFo')
Otherwise, the key you really get is PRIE7-Yf17kEnUEpi5hvW/#AFo (assuming the variable $oG2uS is not defined).
Solution 2 - Java
Recommend Apache Common Codec Library, quite simple and easy to use.
HmacUtils.hmacSha1Hex(key, string_to_sign);
Solution 3 - Java
Any $ symbol in double quotes ("") is regarded as a a variable in PHP. You can avoid the error by using either single quotes as pointed out by the previous commenter or you can escape the dollar sign as below
hash_hmac("sha1", "helloworld", "PRIE7\$oG2uS-Yf17kEnUEpi5hvW/#AFo")
Notice $ is now $
Solution 4 - Java
The other answers pointing out HmacUtils from Apache commons have been deprecated by now. Apache commons now recommends using:
new HmacUtils(HmacAlgorithms.HMAC_SHA_1, key).hmacHex(string_to_sign)
Solution 5 - Java
In Java, and using maven:
Add the below dependency into the pom.xml:
<!-- https://mvnrepository.com/artifact/commons-codec/commons-codec -->
<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>1.4</version>
</dependency>
and then try to sign it using this
HmacUtils.hmacSha1Hex(key, string_to_sign);