I'd be grateful for help in creating a hash value that is "base64 encoded, hashed (SHA-256) with the secret key string that is a concatenation of a few values I have (accountId, userId, and Time)"
The documentation given to us has a sample and shows us how to create the hash via PHP, but I need to know how to do this using ColdFusion.
Below are the sample starting values and the correct output for those sample values. If I can recreate this then I can create what I need with real values.
Sample Values from Documentation (using PHP)
So, using the above sample values, the documentation shows that the string "1231234561379605500" will be converted to this hash: "DSJHPt7kUbRdB8U9XfCXXe4eTXDkiqpGud1Z0fO9EPg="
Does anyone know how to do that in ColdFusion? I'm too embarrassed to show what I've been trying.
Thanks in advance for help!
Ok, I've overcome my embarrassment. 🙂 Here is what I was trying...
<!--- Sample Values --->
<cfset lmsKey = 'abc123'>
<cfset acctId = "123">
<cfset userId = "123456">
<cfset time = "1379605500">
<cfset signatureString = "#acctId##userId##time#">
<cfset encryptSignature = Encrypt(signatureString,lmsKey,'SHA-256','Base64')>
The ColdFusion error I received is...
"The SHA-256 algorithm is not supported by the Security Provider you have chosen."
You need to use the function Hash instead of Encrypt -- encryption is de-cryptable whereas hash is not de-hashable (in theory) and SHA-256 is a hash algorithm.
Steve, Thanks! You are correct with your statement about using Hash vs Encrypt but it turns out Encrypt is what I needed because the partner doesn't actually decrypt, they just compare our hash to theirs, since we also send the acctId, userId & time in the URL. We both encrypt then they match, it's valid. And the Hash function doesn't let us add in a secret code whereas the Encrypt method does.
We're running CF9 so we needed to take the extra step that we found via this article from Ben Nadel to get us there: "Crypto.cfc For Hmac-SHA1, Hmac-Sha256, and Hmac-MD5 Code Generation In ColdFusion". Evidently CF10+ introduced the hmac() function for generating secure, hashed message authentication codes (HMAC) which makes dealing with 3rd-Party APIs much easier.
So thanks all and I hope this helps others!
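The keyed-hash approach described in the post above, as an added example that is not code from the thread or from Ben Nadel's Crypto.cfc: it computes a Base64-encoded HMAC-SHA256 through the JVM's javax.crypto.Mac, which is available on CF9, and shows the receiving side recomputing the value and comparing it in constant time. The function names are hypothetical, and the key and field values are the sample values from the question.

```cfml
<cfscript>
// Added example; function names are hypothetical.
// Sample values below are the ones posted in the question.

// Base64-encoded HMAC-SHA256 of message under key, via the JVM (works on CF9).
function hmacSha256Base64(required string message, required string key) {
    var keySpec = createObject("java", "javax.crypto.spec.SecretKeySpec").init(
        charsetDecode(arguments.key, "utf-8"), "HmacSHA256");
    var mac = createObject("java", "javax.crypto.Mac").getInstance("HmacSHA256");
    mac.init(keySpec);
    return binaryEncode(mac.doFinal(charsetDecode(arguments.message, "utf-8")), "base64");
}

// Sender side: sign the concatenation acctId + userId + time.
function signRequest(required string acctId, required string userId,
                     required string time, required string key) {
    return hmacSha256Base64(arguments.acctId & arguments.userId & arguments.time,
                            arguments.key);
}

// Receiver side: recompute the signature from the URL values and compare.
function isValidSignature(required string acctId, required string userId,
                          required string time, required string signature,
                          required string key) {
    var expected = signRequest(arguments.acctId, arguments.userId,
                               arguments.time, arguments.key);
    // MessageDigest.isEqual compares byte arrays in constant time,
    // unlike a plain string comparison that stops at the first difference.
    return createObject("java", "java.security.MessageDigest").isEqual(
        charsetDecode(expected, "utf-8"),
        charsetDecode(arguments.signature, "utf-8"));
}

lmsKey = "abc123";
sig = signRequest("123", "123456", "1379605500", lmsKey);
writeOutput("signature: " & sig & "<br>");
// The same values verify; a changed userId does not.
writeOutput("valid: " &
    isValidSignature("123", "123456", "1379605500", sig, lmsKey) & "<br>");
writeOutput("tampered userId valid: " &
    isValidSignature("123", "123457", "1379605500", sig, lmsKey) & "<br>");
</cfscript>
```

On CF10 and later, the built-in hmac() mentioned above returns the digest hex-encoded, so it needs a binaryDecode(..., "hex") and binaryEncode(..., "base64") round trip to produce the same Base64 form.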
RE: We're running CF9...
An FYI on a completely different track, I'm not sure what type of applications you are hosting but CF9 end-of-life (standard life without premium fees for extended support) was 12/31/2014. You may want to create an upgrade plan -- especially if you host anything that requires security compliance (like credit cards).
Thanks Steve! Yeah, I'm told we'll be bypassing CF10 and upgrading to CF11. Very Excite!
As you are happy with the solution, please mark it as the correct answer. Thanks.