Signature mismatch, thanks

meepbear * meepbear at
Sun Aug 7 12:57:13 PDT 2005

>The code's in PHP, which appears to *lack* an HMAC function, so I had to 
>write my own - it's at, with all the tests. 
>I'm gonna go throw it at various PHP groups to see if they can figure it 
Mhash has an SHA1-HMAC but PHP does have a native SHA1() which you can build 
on top of to calculate an HMAC:


function cryptGenHMAC($data, $key) {
	return (extension_loaded('mhash')) ? mhash(MHASH_SHA1, $data, $key) : 
cryptSHA1_HMAC($data, $key);

// Original author unknown (changed to support SHA1-HMAC)
function cryptSHA1_HMAC($data, $key) {
	$blocksize = 64;
	if (strlen($key) > $blocksize)
		$key = pack('H*', sha1($key));
	$key = str_pad($key, $blocksize, "\0");
	$ipad = str_repeat(chr(0x36), $blocksize);
	$opad = str_repeat(chr(0x5c), $blocksize);
	return pack('H*', sha1(($key^$opad).pack('H*',sha1(($key^$ipad).$data))));


One advantage is that the code above isn't dependent on an extension so even 
if GMP isn't there your consumer will still work since you can fallback from 
DH to regular HMAC which wouldn't be the case with your HMAC class.

More information about the yadis mailing list