Javascript: Equivalent of PHP's hash_hmac() with RAW BINARY output?

Question

I am connecting to the Amazon Product Advertising API, and to sign my request I need to base64-encode the raw binary output of an HMAC-SHA256 hash.

In the PHP documentation for hash_hmac, the fourth parameter bool $raw_output controls whether the output is raw binary data (true) or lowercase hexits (false). My program works in PHP by simply setting that parameter to true.

However, I am now trying to port this over to Javascript. I tried using the CryptoJS.HmacSHA256() function, but it seems to be returning the lowercase hexits. How can I convert this to binary?

I have tried the following according to the CryptoJS documentation, but both outputs are identical:

var hash = CryptoJS.HmacSHA256("hello", "key");
console.log(hash.toString());
console.log(hash.toString(CryptoJS.enc.Base64));

Esailija · Accepted Answer · 2012-08-23 20:09:35Z

22

This is explained in their documentation. Try this:

var hash = CryptoJS.HmacSHA256("Message", "Secret Passphrase");

var base64 = hash.toString(CryptoJS.enc.Base64);

You need to include http://crypto-js.googlecode.com/svn/tags/3.0.2/build/components/enc-base64-min.js for this. If you didn't include this, CryptoJS.enc.Base64 will be undefined and fallback to the default.

Working demo: http://jsfiddle.net/ak5Qm/

edited Aug 23, 2012 at 20:09

answered Aug 23, 2012 at 20:04

Esailija

140k24 gold badges280 silver badges328 bronze badges

Sign up to request clarification or add additional context in comments.

10 Comments

Kevin C Over a year ago

I have already tried that, it doesn't seem to work. Please see my revised question for a better explanation.

Esailija Over a year ago

@Kevin did you include the base64-min.js? Since it works fine here: jsfiddle.net/ak5Qm

Esailija Over a year ago

@Kevin if you use google chrome, press ctrl+shift+j when your page loads and see if there are errors. You can also simply write CryptoJS.enc.Base64 in your console to see if it's undefined

Kevin C Over a year ago

It turns out I had my scripts included in the wrong order: enc-base64 THEN hmac-sha256, rather than vice versa. Switching this order solved the problem. Thanks again!

D.Tate Over a year ago

@Esailija I think the fiddle on longer works. Looks like Google moved those scripts

|

vincent baronnet · Accepted Answer · 2018-11-27 06:06:44Z

10

PHP:

base64_encode(hash_hmac('sha256', $value, $key, true));

Nodejs equivalent:

const crypto = require('crypto');
let token = crypto.createHmac("sha256", key).update(value).digest().toString('base64');

answered Nov 27, 2018 at 6:06

vincent baronnet

1621 silver badge6 bronze badges

Comments

muhawo · Accepted Answer · 2017-09-22 12:48:23Z

4

php code

echo base64_encode(hash_hmac('SHA1', 'shanghai', '0', true).'beijing');

php output

xvBv49PpaYvXAIfy3iOSDWNQj89iZWlqaW5n

node code

var crypto = require('crypto');
var buf1 = crypto.createHmac("sha1", "0").update("shanghai").digest();
var buf2 = Buffer.from('beijing');
console.log(Buffer.concat([buf1, buf2]).toString('base64'));

node output

xvBv49PpaYvXAIfy3iOSDWNQj89iZWlqaW5n

answered Sep 22, 2017 at 12:48

muhawo

512 bronze badges

1 Comment

Serdar D. Over a year ago

Your code is not clear, what is the key and what is the value?

AymKdn · Accepted Answer · 2023-04-16 17:26:54Z

1

For the web browser:

async hmac_sha1 (str, secret) {
  let enc = new TextEncoder("utf-8");
  let key = await window.crypto.subtle.importKey(
    "raw",
    enc.encode(secret),
    {
      name: "HMAC",
      hash: {name: "SHA-1"}
    },
    false,
    ["sign", "verify"]
  );
  let signature = await window.crypto.subtle.sign(
    "HMAC",
    key,
    enc.encode(str)
  );
  let b = new Uint8Array(signature);
  return Array.prototype.map.call(b, x => x.toString(16).padStart(2, '0')).join("");
}

answered Apr 16, 2023 at 17:26

AymKdn

3,99731 silver badges32 bronze badges

Comments

Mohit23x · Accepted Answer · 2019-09-15 09:16:13Z

0

You can also use this npm package to do the same in Javascript.

var jsSHA = require('jssha');

hmac_sha1(string, key){
    let shaObj = new jsSHA("SHA-1", "TEXT");
    shaObj.setHMACKey(key, "TEXT");
    shaObj.update(string);
    let hmac = shaObj.getHMAC("B64");
    return hmac;
};

answered Sep 15, 2019 at 9:16

Mohit23x

53 bronze badges

1 Comment

Roger Keulen Over a year ago

You can put your private key's also into my public library !

Yoann Buzenet · Accepted Answer · 2020-04-05 09:30:07Z

0

This worked for me :

var CryptoJS = require("crypto-js");
const raw_signature = hmacSHA1(baseString, signingKey);
const signature = raw_signature.toString(CryptoJS.enc.Base64);

It's giving the exact same result as, in PHP, :

$rawSignature = hash_hmac("sha1", $baseString, $signingKey, true);
$signature    = base64_encode($rawSignature);

answered Apr 5, 2020 at 9:30

Yoann Buzenet

1211 silver badge7 bronze badges

Collectives™ on Stack Overflow

Javascript: Equivalent of PHP's hash_hmac() with RAW BINARY output?

6 Answers 6

10 Comments

Comments

1 Comment

Comments

1 Comment

Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

6 Answers 6

10 Comments

Comments

1 Comment

Comments

1 Comment

Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related