Generate HMAC SHA256 hash using key in C++ - c++

I am looking for some function or a way that would return HMAC SHA256 hash in C++ using secret key. I have seen documentation of Crypto++ and OpenSSL but it does not accept an extra parameter of secret key for computation. Can someone help me by providing some info, code snippets or links.


You can use POCO library
Sample code:
class SHA256Engine : public Poco::Crypto::DigestEngine
{
public:
enum
{
BLOCK_SIZE = 64,
DIGEST_SIZE = 32
};
SHA256Engine()
: DigestEngine("SHA256")
{
}
};
Poco::HMACEngine<SHA256Engine> hmac{secretKey};
hmac.update(string);
std::cout << "HMACE hex:" << Poco::DigestEngine::digestToHex(hmac.digest()) << std::endl;// lookout difest() calls reset ;)
Sample integration with POCO using cmake install:
mkdir build_poco/
cd build_poco/ && cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=./install ../poco/
CMakeLists.txt
CMAKE_MINIMUM_REQUIRED(VERSION 3.8)
PROJECT(SamplePoco)
SET(CMAKE_CXX_STANDARD 14)
SET(SOURCE_FILES
src/main.cpp
)
SET(_IMPORT_PREFIX lib/build_poco/install)
INCLUDE(lib/build_poco/install/lib/cmake/Poco/PocoFoundationTargets.cmake)
INCLUDE(lib/build_poco/install/lib/cmake/Poco/PocoNetTargets.cmake)
INCLUDE(lib/build_poco/install/lib/cmake/Poco/PocoJSONTargets.cmake)
INCLUDE(lib/build_poco/install/lib/cmake/Poco/PocoXMLTargets.cmake)
INCLUDE(lib/build_poco/install/lib/cmake/Poco/PocoCryptoTargets.cmake)
INCLUDE(lib/build_poco/install/lib/cmake/Poco/PocoUtilTargets.cmake)
INCLUDE(lib/build_poco/install/lib/cmake/Poco/PocoNetSSLTargets.cmake)
ADD_EXECUTABLE(SamplePoco ${SOURCE_FILES})
TARGET_LINK_LIBRARIES(SamplePoco
Poco::Foundation
Poco::Crypto
Poco::Util
Poco::JSON
Poco::NetSSL
)
TARGET_INCLUDE_DIRECTORIES(SamplePoco PUBLIC src/)
Sample implementation used here: https://github.com/gelldur/abucoins-api-cpp


Following is a sample of function to generate SHA256-HMAC using Crypto++
#include <string>
#include <string_view>
#include <cryptopp/filters.h>
using CryptoPP::StringSink;
using CryptoPP::StringSource;
using CryptoPP::HashFilter;
#include <cryptopp/hmac.h>
using CryptoPP::HMAC;
#include <cryptopp/sha.h>
using CryptoPP::SHA256;
std::string CalcHmacSHA256(std::string_view decodedSecretKey, std::string_view request)
{
// Calculate HMAC
HMAC<SHA256> hmac(reinterpret_cast<CryptoPP::byte const*>(decodedSecretKey.data()), decodedSecretKey.size());
std::string calculated_hmac;
auto sink = std::make_unique<StringSink>(calculated_hmac);
auto filter = std::make_unique<HashFilter>(hmac, sink.get());
sink.release();
StringSource(reinterpret_cast<CryptoPP::byte const*>(request.data()), request.size(), true, filter.get()); // StringSource
filter.release();
return calculated_hmac;
}
#include <iostream>
int main() {
std::cout << CalcHmacSHA256("key", "data");
}
The source is CME iLink2 specification


For consistency, following is a sample of function to generate SHA256-HMAC using OpenSSL
#include <openssl/sha.h>
#include <openssl/hmac.h>
#include <string>
#include <string_view>
#include <array>
std::string CalcHmacSHA256(std::string_view decodedKey, std::string_view msg)
{
std::array<unsigned char, EVP_MAX_MD_SIZE> hash;
unsigned int hashLen;
HMAC(
EVP_sha256(),
decodedKey.data(),
static_cast<int>(decodedKey.size()),
reinterpret_cast<unsigned char const*>(msg.data()),
static_cast<int>(msg.size()),
hash.data(),
&hashLen
);
return std::string{reinterpret_cast<char const*>(hash.data()), hashLen};
}
For the record, I like Crypto++ better as in case of Crypto++ generated binary is smaller. The drawback is that Crypto++ does not have a CMake module.


OpenSSL docs for HMAC, clearly state the requirement of a 'key' as part of context initialization.
int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len,
const EVP_MD *md, ENGINE *impl);
HMAC() computes the message authentication code of the n bytes at d
using the hash function evp_md and the key key which is key_len bytes
long.


You can use cpp-cryptlite to generate HMAC SHA256 hash, Following is the code snippet:
std::string src_str = "abcdefg";
std::string secret_key = "xxxxxx"; // this value is an example
boost::uint8_t digest[32]; // cryptlite::sha256::HASH_SIZE
cryptlite::hmac<cryptlite::sha256>::calc(src_str, secret_key, digest);
// and digest is the output hash


I had to modify #DmytroOvdiienko's answer a bit to get hexadecimal output:
#include <iomanip>
...
std::string CalcHmacSHA256(std::string_view decodedKey, std::string_view msg)
{
std::array<unsigned char, EVP_MAX_MD_SIZE> hash;
unsigned int hashLen;
HMAC(
EVP_sha256(),
decodedKey.data(),
static_cast<int>(decodedKey.size()),
reinterpret_cast<unsigned char const*>(msg.data()),
static_cast<int>(msg.size()),
hash.data(),
&hashLen
);
std::stringstream out;
for (unsigned int i=0; i < hashLen; i++) {
out << std::setfill('0') << std::setw(2) << std::right << std::hex << (int)hash.data()[i];
}
return out.str();
}
int main(int, char**) {
std::string key = "ESiFg448MqOmhQyxbt6HEHHPnAA1OE8nX0o9ANIVMIvWLISQS0MivDrkZvnBxMEI";
std::string msg = "foo";
std::string_view key_view{key};
std::string_view msg_view{msg};
std::cout << CalcHmacSHA256(key_view, msg_view) << std::endl;
}
The <iomanip>, setfill, setw, right are needed to make sure single-digit hex values are prefixed with a 0. An alternative is to use boost:
#include <boost/format.hpp>
...
out << boost::format("%02x") % (int)hash.data()[i];

Related

Issues with SHA 512 HMAC message authentication using openssl

I need to authenticate to a websocket endpoint to subscribe to private data, the authentication steps are as follows:
Hash the challenge with the SHA-256 algorithm
Base64-decode your api_secret
Use the result of step 2 to hash the result of step 1 with the HMAC-SHA-512 algorithm
Base64-encode the result of step 3
I am using openssl in my C++ program for all the crypto and I am using some base64 encoding and decoding algorithms I found on stackoverflow, however I am unable to follow the authentication procedure and produce the correct result.
I am confident that the base64 decoder is correct as it produces the correct binary when I decode the secret furthermore the openssl sha256 algorithm is also correct as it produces the correct hash for the challenge, (I used cryptiis online base64 decoder and sha256 to verify this), something must be wrong with the way I am using the openssl HMAC or the base64 encoder for the final step.
#include <openssl/sha.h>
#include <cstdio>
#include <cstring>
void sha256(const char *string, char outputBuffer[65])
{
unsigned char hash[SHA256_DIGEST_LENGTH];
SHA256_CTX sha256;
SHA256_Init(&sha256);
SHA256_Update(&sha256, string, strlen(string));
SHA256_Final(hash, &sha256);
for (int i = 0; i < SHA256_DIGEST_LENGTH; ++i) {
sprintf(outputBuffer + (i * 2), "%02x", hash[i]);
}
outputBuffer[64] = 0;
}
#include <openssl/bio.h>
#include <openssl/evp.h>
#include <cstring>
#include <memory>
#include <string>
#include <vector>
namespace {
struct BIOFreeAll { void operator()(BIO* p) { BIO_free_all(p); } };
}
auto Base64Encode(const std::vector<unsigned char>& binary)
{
std::unique_ptr<BIO,BIOFreeAll> b64(BIO_new(BIO_f_base64()));
BIO_set_flags(b64.get(), BIO_FLAGS_BASE64_NO_NL);
BIO* sink = BIO_new(BIO_s_mem());
BIO_push(b64.get(), sink);
BIO_write(b64.get(), binary.data(), binary.size());
BIO_flush(b64.get());
const unsigned char* encoded;
const unsigned long len = BIO_get_mem_data(sink, &encoded);
return std::basic_string<unsigned char>{encoded, len};
}
// Assumes no newlines or extra characters in encoded string
std::vector<unsigned char> Base64Decode(const char* encoded)
{
std::unique_ptr<BIO,BIOFreeAll> b64(BIO_new(BIO_f_base64()));
BIO_set_flags(b64.get(), BIO_FLAGS_BASE64_NO_NL);
BIO* source = BIO_new_mem_buf(encoded, -1); // read-only source
BIO_push(b64.get(), source);
const int maxlen = strlen(encoded) / 4 * 3 + 1;
std::vector<unsigned char> decoded(maxlen);
const int len = BIO_read(b64.get(), decoded.data(), maxlen);
decoded.resize(len);
return decoded;
}
#include <openssl/hmac.h>
int main(int argc, const char * argv[])
{
const char* challenge = "c100b894-1729-464d-ace1-52dbce11db42";
static char buffer[65];
sha256(challenge, buffer);
printf("%s\n", buffer);
const char* encoded = "7zxMEF5p/Z8l2p2U7Ghv6x14Af+Fx+92tPgUdVQ748FOIrEoT9bgT+bTRfXc5pz8na+hL/QdrCVG7bh9KpT0eMTm";
std::cout << "encoded = " << encoded << std::endl;
const std::vector<unsigned char> decoded = Base64Decode(encoded);
std::cout << "decoded = " << decoded.data() << '\n';
// The data that we're going to hash using HMAC
std::basic_string<unsigned char> data = {decoded.data(), decoded.size()};
unsigned char* digest;
// Using sha512 hash engine here.
// You may use other hash engines. e.g EVP_md5(), EVP_sha224, EVP_sha512, etc
digest = HMAC(EVP_sha512(), data.c_str(), data.size(), reinterpret_cast<unsigned char*>(buffer), strlen(buffer), NULL, NULL);
// Be careful of the length of string with the choosen hash engine. SHA1 produces a 20-byte hash value which rendered as 40 characters.
// Change the length accordingly with your choosen hash engine
char mdString[128];
for(int i = 0; i < 64; ++i)
sprintf(&mdString[i*2], "%02x", (unsigned int)digest[i]);
printf("HMAC digest: %s\n", mdString);
const std::vector<unsigned char> binary{&digest[0], &digest[127] + 1};
const std::basic_string<unsigned char> encoded_result = Base64Encode(binary);
for (unsigned i = 0; i < 64; ++i)
{
std::cout << std::hex << std::setw(2) << (unsigned int)encoded_result[i];
}
std::cout << '\n';
return 0;
}
The code may not compile first time around as I have pulled the snippets from a larger repository, however if all put into one file it should compile (or require minor effort to successfully compile).
When the value of the initial challenge is
"c100b894-1729-464d-ace1-52dbce11db42"
and the api secret is
"7zxMEF5p/Z8l2p2U7Ghv6x14Af+Fx+92tPgUdVQ748FOIrEoT9bgT+bTRfXc5pz8na+hL/QdrCVG7bh9KpT0eMTm"
The line following HMAC digest should be the signed output, I am expecting it to be
"4JEpF3ix66GA2B+ooK128Ift4XQVtc137N9yeg4Kqsn9PI0Kpzbysl9M1IeCEdjg0zl00wkVqcsnG4bm
nlMb3A=="
whereas it is actually
"336e394b567a55634d46376478344b594354767267636d39456f584f51326c376f334f2f3348796f6939647a7a516a456e41786c3551537541453930422f424b".
What is more troublesome is that I am able to replicate the correct result using python and C# quite simply using the library functions, I am quite unsure as to where I am going wrong here.

You appear to be overly fond of hex encoding your data!
First of all, in your sha256 function you correctly hash the data to get the 32 byte digest, but then you hex encode this to get 64 hex characters (plus the null terminator) which you later use as the input to the HMAC. You need to use those original 32 bytes.
Then later, after you calculate the HMAC and base 64 encode the result, you hex encode that before printing it out. There’s no need to do that, base 64 already consists of printable characters.
Take out those two loops where you do the hex encoding (and change sha256 so you return the correct buffer) and it should work correctly.

Assertion `IsArray()' failed (RapidJSON)

I was testing the RapidJSON library earlier today to see if I could parse a document with nested values, and for some reason I couldn't come up with a solution to the errors I was getting. I searched around Google and Stack Overflow for an hour or two and couldn't find a fix. Here is the code along with the errors:
main.cpp:
#include <iostream>
#include <SFML/Graphics.hpp>
#include "rapidjson/document.h"
#include "include.hpp"
int main() {
unsigned int input = 1;
tile output;
output = LoadTile("../locations.json", input);
std::cout << output.x << std::endl;
return 0;
}
load.cpp
#include <iostream>
#include "rapidjson/document.h"
#include "rapidjson/filereadstream.h"
#include "include.hpp"
using namespace rapidjson;
tile LoadTile(std::string fileName, unsigned int number) {
FILE* file = fopen(fileName.c_str(), "r");
char buffer[2048];
FileReadStream stream(file, buffer, 2048);
Document doc;
doc.ParseStream(stream);
tile output;
Value& tileNumber = doc[number];
if(!tileNumber.IsObject()) {
output.overflow = true;
output.x = 0;
output.y = 0;
output.type = "\0";
}else{
output.x = tileNumber[0]["x"].GetInt();
output.y = tileNumber[0]["y"].GetInt();
output.type = tileNumber[0]["type"].GetString();
}
return output;
}
include.hpp:
#include <iostream>
#include <SFML/Graphics.hpp>
#include "rapidjson/document.h"
struct tile {
int x;
int y;
std::string type;
bool overflow = false;
};
tile LoadTile(std::string fileName, unsigned int number);
CMakeLists.txt:
cmake_minimum_required(VERSION 2.6)
project(test)
set(EXECUTABLE_NAME "test")
add_executable(${EXECUTABLE_NAME} main.cpp load.cpp include.hpp)
set(CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}/cmake_modules" ${CMAKE_MODULE_PATH})
install(TARGETS ${EXECUTABLE_NAME} DESTINATION bin})
locations.json:
{
1:[
{"x":32},
{"y":32},
{"type":"water_c"}
]
}
Errors:
test: /home/.../rapidjson/document.h:1547:rapidjson::GenericValue<Encoding, Allocator>::operator[](rapidjson::SizeType) [with Encoding = rapidjson::UTF8<>; Allocator = rapidjson::MemoryPoolAllocator<>; rapidjson::SizeType = unsigned int]: Assertion `IsArray()' failed.
Aborted (core dumped)
I know it's not the JSON formatting, I've tried everything. Unless there's something really wrong with it. I'm running this on Xubuntu 16.10. Thanks to anyone that can help.

Your JSON is invalid. In JSON, keys must be strings, written with double quotes. More details here.
I suggest using JSONLint to validate JSON strings.
The valid JSON looks like this (1 in double quotes):
{
"1": [{
"x": 32
}, {
"y": 32
}, {
"type": "water_c"
}]
}

C++ SHA256 is different from command line SHA256

I'm trying to compute a SHA256 hash of the string iEk21fuwZApXlz93750dmW22pw389dPwOkm198sOkJEn37DjqZ32lpRu76xmw288xSQ9
When I run my C++ code, I get a string that's not even a valid SHA256 hash. However, when I run echo -n iEk21fuwZApXlz93750dmW22pw389dPwOkm198sOkJEn37DjqZ32lpRu76xmw288xSQ9 | openssl sha256, I get the correct hash. Here's my C++ code:
#include <iostream>
#include <time.h>
#include <sstream>
#include <string>
#include <iomanip>
#include <typeinfo>
#include <openssl/sha.h>
#include <cstdio>
#include <cstring>
std::string hash256(std::string string) {
unsigned char digest[SHA256_DIGEST_LENGTH];
SHA256_CTX ctx;
SHA256_Init(&ctx);
SHA256_Update(&ctx, string.c_str(), std::strlen(string.c_str()));
SHA256_Final(digest, &ctx);
char mdString[SHA256_DIGEST_LENGTH*2+1];
for (int i = 0; i < SHA256_DIGEST_LENGTH; i++)
std::sprintf(&mdString[i*2], "%02x", (unsigned int)digest[i]);
return std::string(mdString);
}
int main(int argc, char *argv[])
{
const char *hash = hash256("iEk21fuwZApXlz93750dmW22pw389dPwOkm198sOkJEn37DjqZ32lpRu76xmw288xSQ9").c_str();
std::cout << hash << std::endl;
return 0;
}
Another thing to note: When I run my code in an online compiler, such as Coliru, I get the correct hash. I am compiling with G++ on Cygwin with OpenSSL version OpenSSL 1.0.1g 7 Apr 2014

As pointed out by #Alan Stokes, you have Undefined Behavior due to a dangling reference to the internal structure of the string. Change your declaration of hash in main:
std::string hash = hash256("...");

Crash in rjindael.cpp, function AESNI_Enc_Block when using RSA keys

I am new to crypto++ and just follow an example from its cryptest project (test.cpp). I generated both public and private keys using RSA. I try to use the keys, exactly as in the example. It works perfectly well in crypto++ own project and generates unhandled exception in mine. Below is the basic code, which breaks at decryption stage. any suggestions on why?
#include "stdafx.h"
#include <core/osrng.h>
#include <core/modes.h>
#include <core/hex.h>
#include <core/files.h>
#include <core/rsa.h>
#include <core/sha.h>
#include <core/cryptlib.h>
#include <iostream>
using namespace CryptoPP;
using namespace std;
static OFB_Mode<AES>::Encryption s_globalRNG;
RandomNumberGenerator & GlobalRNG()
{
return s_globalRNG;
}
string RSAEncryptString(const char *pubFilename, const char *seed, const char *message)
{
FileSource pubFile(pubFilename, true, new HexDecoder);
RSAES_OAEP_SHA_Encryptor pub(pubFile);
RandomPool randPool;
randPool.IncorporateEntropy((byte *)seed, strlen(seed));
string result;
StringSource(message, true, new PK_EncryptorFilter(randPool, pub, new HexEncoder(new StringSink(result))));
return result;
}
string RSADecryptString(const char *privFilename, const char *ciphertext)
{
FileSource privFile(privFilename, true, new HexDecoder);
RSAES_OAEP_SHA_Decryptor priv(privFile);
string result;
StringSource(ciphertext, true, new HexDecoder(new PK_DecryptorFilter(GlobalRNG(), priv, new StringSink(result))));
return result;
}
int _tmain(int argc, _TCHAR* argv[])
{
char privFilename[128] = "pri4096";
char pubFilename[128] = "pub4096";
char seed[1024] = "seed";
char message[1024] = "test";
try
{
string ciphertext = RSAEncryptString(pubFilename, seed, message);
string decrypted = RSADecryptString(privFilename, ciphertext.c_str());
}
catch(CryptoPP::Exception &e)
{
cout << "\nCryptoPP::Exception caught: " << e.what() << endl;
}
return 0;
}
In my project the program breaks at line
StringSource(ciphertext, true, new HexDecoder(new PK_DecryptorFilter(GlobalRNG(), priv, new StringSink(result))));
And debugger points to rjindael.cpp, function AESNI_Enc_Block, line 1005.

As pointed out by Yakk, I missed initialisation of the variable s_globalRNG. The following code fixes my problem.
//just below main()
std::string seed2 = IntToString(time(NULL));
seed2.resize(16);
s_globalRNG.SetKeyWithIV((byte *)seed2.data(), 16, (byte *)seed2.data());
thanks a lot!

MinGW and adding a Library

I want to use this library with MinGW and i've been trying to get the example to work.
Is this possible? I've had a look at using this but i've still not managed to do it.
Also, i'm welcome to alternative suggestions to sha1 hashing a string.
These are the errors I get when i try to compile sha1.cpp or the example program:
sha1.h:29:17: error: extra qualification 'SHA1::' on member 'lrot' [-fpermissive]
sha1.h:30:15: error: extra qualification 'SHA1::' on member 'storeBigEndianUint32' [-fpermissive]
sha1.h:31:15: error: extra qualification 'SHA1::' on member 'hexPrinter' [-fpermissive]
Thanks.
Part 2
#include <fstream>
#include <string.h>
#include <stdlib.h>
#include <iostream>
#include "sha1.h"
using namespace std;
int main(int argc, char *argv[])
{
const char* BYTES;
ifstream myFile("word.txt");
if (! myFile)
{
cout << "Error openning file" << endl;
return -1;
}
while (! myFile.eof())
{
getline(myFile, BYTES);
cout << BYTES << endl;
SHA1* sha1 = new SHA1();
sha1->addBytes(BYTES, strlen(BYTES));
unsigned char* digest = sha1->getDigest();
sha1->hexPrinter(digest, 20);
delete sha1;
free(digest);
}
myFile.close();
return 0;
}

I can vouch for Crypto++ and Botan. Both are great crypto libraries and I've used them both with Windows and mingw. They do sha1 and other hashes.

The problem is in the extra "SHA1::" in the following lines in the file SHA1.h:
static Uint32 SHA1::lrot( Uint32 x, int bits );
static void SHA1::storeBigEndianUint32( unsigned char* byte, Uint32 num );
static void SHA1::hexPrinter( unsigned char* c, int l );
They should be modified into
static Uint32 lrot( Uint32 x, int bits );
static void storeBigEndianUint32( unsigned char* byte, Uint32 num );
static void hexPrinter( unsigned char* c, int l );
This because the functions are being defined in the class SHA1 and is unnecessary to define again that they are in SHA1. Note that the same unmodified file may be accepted by Visual Studio (I had the same problem few years ago)