Steve Nay

Reputation: 2829

Computing an HMAC-SHA signature

I'm writing a module for Amazon's SimpleDB. They require REST requests to be signed using the HMAC-SHA algorithm. (Details here.)

I'm told that there is a function to compute this signature, but I can't find it in the documentation. What is the function called, and what do its arguments look like?

Upvotes: 3

Views: 722

Answers (3)

Randall Bohn

Reputation: 2647

To sign strings with embedded newlines (AWS, I'm talking to you!) you have to do the following (based on the AWS S3 example):

pre {
  raw_string = uri:unescape("GET%0A%0A%0AWed, 28 Mar 2007 01:29:59 +0000%0A/");
  sample_key = "uV3F3YluFJax1cknvbcGwgjvx4QpvB+leU8dUj2o";
  signature = math:hmac_sha1_base64(raw_string, sample_key);
  expected = "Db+gepJSUbZKwpx1FR0DLtEYoZA=";
  passfail = (signature eq expected) => "pass" | "fail";
}

The uri:decode() function returns a string with proper newlines, where \n\n\n does not. You might have to add trailing '=' to the signature.

Upvotes: 1

Randall Bohn

Reputation: 2647

EDITED: The following should work:

pre {
  message = "Four score and seven years ago";
  key = "Abe Lincoln";
  signature = math:hmac_sha256_base64(message, key);
}
notify("Signature is", signature);

The function is math:hmac_sha256_base64(<datastring>,<keystring>)

Upvotes: 1

Anders Lindahl

Reputation: 42870

The HMAC is a standard function that can be found in crypto libraries for most platforms. Amazon shows several examples on the documentation page you link to.

For Java, you can find it in javax.crypto.Mac

For .Net, look in System.Security.Cryptography

For KRL, I haven't found any built-in stock solution. Since it seems possible to embed JavaScript, the jsSHA implementation could be useful. There is a sha1 function in the math library, and implementing HMAC according to RFC 2104 doesn't seem that difficult.

Upvotes: 1
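Added example, not part of any answer above and written in Python rather than KRL so it can be run anywhere: HMAC-SHA1 built from a plain SHA-1 function as RFC 2104 specifies, applied to the sample key and string from the first answer to show that decoded newlines and a literal backslash-n produce different signatures. The function names are chosen for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote

BLOCK_SIZE = 64  # SHA-1 block size in bytes (B in RFC 2104)


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """HMAC per RFC 2104: H((K ^ opad) || H((K ^ ipad) || message))."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()   # keys longer than B are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")   # then zero-padded to exactly B bytes
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + message).digest()
    return hashlib.sha1(opad + inner).digest()


def sign_base64(key: str, string_to_sign: str) -> str:
    """Base64 signature. A 20-byte digest always encodes to 28 chars ending in '='."""
    mac = hmac_sha1(key.encode("utf-8"), string_to_sign.encode("utf-8"))
    return base64.b64encode(mac).decode("ascii")


def verify(key: str, string_to_sign: str, signature: str) -> bool:
    """Recompute and compare in constant time, as the receiving side should."""
    return hmac.compare_digest(sign_base64(key, string_to_sign), signature)


# Sample key and string-to-sign copied from the first answer on this page.
SAMPLE_KEY = "uV3F3YluFJax1cknvbcGwgjvx4QpvB+leU8dUj2o"
ENCODED = "GET%0A%0A%0AWed, 28 Mar 2007 01:29:59 +0000%0A/"
DECODED = unquote(ENCODED)               # %0A becomes a real 0x0A newline byte
LITERAL = ENCODED.replace("%0A", "\\n")  # backslash followed by 'n': two bytes

if __name__ == "__main__":
    print("real newlines    :", sign_base64(SAMPLE_KEY, DECODED))
    print("literal backslash:", sign_base64(SAMPLE_KEY, LITERAL))
```

If a signature is rejected, comparing the byte length of the string that was signed against the expected canonical string is a quick way to spot an unescaped `\n`.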
