Forum OpenACS Development: ns_hmac and byte array

Posted by Dave Bauer on 01/23/19 04:36 PM

I am updating an authorize.net integration with OpenACS and I need to create a hash using SHA512. It looks like the latest Naviserver has ns_hmac which will do exactly what I need.

The trick is, I need to take the key as represented by a hex string and covert that to a byte array to pass the byte array as the key to the hmac function.

Tcl doesn't really seem to have high-level access to byte arrays to pass to a procedure. Any ideas?

I tried something like this but it generates an invalid hash according to authorize.net

set b [binary format H* "abcd1234"]
set h [ns_hmac string -digest SHA512 $b "This is a test"]

It definitely gives a different result than a Python implementation using a byte array type.

2: Re: ns_hmac and byte array (response to 1)

Posted by Gustaf Neumann on 01/23/19 08:56 PM

Hi Dave,

actually, the code seems to make the right things. With a little debugging in naviserver activated, one can see that the binary string is correctly handled as a bytearray:

% set b [binary format H* "abcd1234"]
«Í4
%  set h [ns_hmac string -digest SHA512 $b "This is a test"]
hmac key (len 4): ab cd 12 34 
7d783715c6aedd1e9d0ee5f310da502a0540048a525d64964a9bb7e7b8c6782cacbfba8a2870cd7c9892a99da89404ca47f219dcb50c7ae5fb454704734473b8

Per default, the ouput encoding is hex, but one can specify as well base64url, base64, or binary. What result did you expect?

3: Re: ns_hmac and byte array (response to 2)

Posted by Dave Bauer on 01/24/19 12:40 AM

Thanks Gustaf, your example returns the same result as my Python example.

When I run this code on my Naviserver it returns a different result.
I am not sure if this is a result of a different library I have or some Naviserver encoding setting perhaps. Very curious.

set b [binary format H* "abcd1234"]
set h [ns_hmac string -digest SHA512 $b "This is a test"]

b results in the same value «Í4
but h contains a different result
ffc30b14fc4589bcb3fea23a8cd7825adc64cb5072462985d62f93d005b2fc89454614616f3f08a64fa63800217eb963d2bdc6284ff801edc1cd607e9473fa75

4: Re: ns_hmac and byte array (response to 2)

Posted by Dave Bauer on 01/24/19 12:47 AM

Gustaf, can you explain which code generates the "hmac key (len 4): ab cd 12 34" message? Thanks!

5: Re: ns_hmac and byte array (response to 4)

Posted by Gustaf Neumann on 01/24/19 09:53 AM

activate the line [1] in the source code, activate the function hexPrint (same file), recompile, reinstall, run the naviserver shell e.g. with "/usr/local/ns/bin/nsd -c" and type in the ns_hmac commands.

Do you see a different result, or do get the same result, but expecting a different one?

[1] https://bitbucket.org/naviserver/naviserver/src/227b2724a06eeab64a03c1e56d6d270a57e4d855/nsd/tclcrypto.c#lines-870

6: Re: ns_hmac and byte array (response to 5)

Posted by Dave Bauer on 01/24/19 02:47 PM

Gustaf,

I believe the result your code returns is the correct response.

My code is returning a different value, but it looks like its the same. I'll try adding the debugging code.
I checked and I am running Naviserver 4.99.16.

7: Re: ns_hmac and byte array (response to 6)

Posted by Gustaf Neumann on 01/24/19 08:39 PM

Dave, please test with 4.99.17 if possible (there were changes in the meantime, for both [1] and the crypto support in [2]. Upgrade could help. If not it might be a problem with the Tcl version.

[1] https://openacs.org/forums/message-view?message_id=5380070
[2] https://openacs.org/webpush-demo/webpush-demo.tcl

8: Re: ns_hmac and byte array (response to 7)

Posted by Dave Bauer on 01/25/19 01:41 AM

Gustaf, thank you!

I compiled Naviserver 4.99.17 with Tcl 8.5.19 to see if the issue resolved itself, and I am not getting the same result as your example.

It does appear the Naviserver version affected the results, and not the Tcl version.

9: Re: ns_hmac and byte array (response to 8)

Posted by Gustaf Neumann on 01/25/19 09:15 AM

Glad that this helped! Tcl bytearrays are more tricky than it looks at the first sight.

all the best
-g