Ruby and PHP HMACs not agreeing

Question

I'm trying to create an HMAC in Ruby and then verify it in PHP.

Ruby:

require 'openssl'
message = "A522EBF2-5083-484D-99D9-AA97CE49FC6C,1234567890,/api/comic/aWh62,GET"
key     = "3D2143BD-6F86-449F-992C-65ADC97B968B"
hash    = OpenSSL::HMAC.hexdigest('sha256', message, key)
p hash

PHP:

<?php
  $message = "A522EBF2-5083-484D-99D9-AA97CE49FC6C,1234567890,/api/comic/aWh62,GET";
  $key     = "3D2143BD-6F86-449F-992C-65ADC97B968B";
  $hash    = hash_hmac("sha256", $message, $key);
  var_dump($hash);
?>

For the Ruby, I get: 20e3f261b762e8371decdf6f42a5892b530254e666508e885c708c5b0bfc03d3

For the PHP, I get: e5f6995ba1496b2fb144329b2d1b3b23c8fa3211486e57bfaec5d993a1da9d15

I and some colleagues are at a complete loss, any help would be greatly appreciated.

I suspect that the strings are encoded differently. – Dana the Sane Aug 26 '09 at 19:44 — Dana the Sane, Aug 26 '09 at 19:44

score 31 · Accepted Answer · answered Aug 26 '09 at 20:46

31

ruby's OpenSSL::HMAC.hexdigest expects first key and then message.

irb(main):002:0> OpenSSL::HMAC.hexdigest('sha256','3D2143BD-6F86-449F-992C-65ADC97B968B','A522EBF2-5083-484D-99D9-AA97CE49FC6C,1234567890,/api/comic/aWh62,GET')
=> "e5f6995ba1496b2fb144329b2d1b3b23c8fa3211486e57bfaec5d993a1da9d15"

answered Aug 26 '09 at 20:46

Michael Krelin - hacker

138,757
24
193
173

2

Well, I'll be damned. Thanks:) – Jim Keener Aug 26 '09 at 21:14

score 0 · Answer 2 · answered Jan 31 '11 at 14:39

0

I noticed that

hash = HMAC::SHA256(key) 
hash << a
hash << b
hash << c

gives different result than PHP's

hash_hmac('sha256',$a.$b.$c, $key)

beware of this caveat. To get correct, just do

hash = HMAC::SHA256(key)
hash << "#{a}#{b}#{c}"

answered Jan 31 '11 at 14:39

cmouse

672
1
6
22

Ruby and PHP HMACs not agreeing

2 Answers2

Linked