HMAC generation differences with SHA1 between Vault and Python

Hello,

I am currently working on setting up a Vault (Community Edition) server, which my company would like to use to generate HMAC values.

For this I had set up a test server with the Transit secrets engine enabled, then imported a key into it. The server is currently running on a Raspberry Pi 4 and outside of dev mode. For test purposes TLS is disabled since the server is only available internally in the company's network.

I tested sending a request for HMAC generation using a Python script. An example script using test data can be seen below. This script is both sending a request to Vault to generate an HMAC and generating one by using Python's hmac and hashlib modules. Both generations are based on the same test input (a binary type object, which gets converted for Vault) and are using the SHA1 algorithm.

import requests
import base64
import json
import hmac
import hashlib

vault_url = ".../v1/transit/hmac/test-key"
vault_token = "..."

challenge = b'example'

# preparing vault request data: Transit expects the input as base64 text
encoded_challenge = base64.b64encode(challenge).decode()

header = {
        'X-Vault-Token': vault_token,
        'Content-Type': 'application/json'
}

payload = {
        'input': encoded_challenge,
        'algorithm': 'sha1'
}

# sending request (TLS is disabled on the test server, so verify=False is irrelevant here)
response = requests.post(vault_url, headers=header, data=json.dumps(payload), verify=False)
response.raise_for_status()  # fail loudly instead of a KeyError on an error body

# decoding result to be shown as bytes: Transit returns "vault:v<key version>:<base64 mac>"
hmac_result = response.json()['data']['hmac']
hmac_result = hmac_result.replace('vault:v1:', '')
hmac_result = base64.b64decode(hmac_result)

# generating hmac via python with the same (test) key that was imported into Transit
key = bytes.fromhex("10e27289adab1826b70b369a3bd4acca973e6165ad58e49425eb4312a433e42c")
python_hmac = hmac.digest(key, challenge, hashlib.sha1)

print('vaults hmac:', hmac_result)
print('pythons hmac:', python_hmac)

As shown in the screenshot below, the results from Vault and Python are different.


I already tried examining Vault's logs (both server logs on debug level and audit logs), where I didn't find any hints on this problem. I also tried using Vault's debug command, but I don't have enough experience with Vault to be able to use it properly.

Therefore I want to ask if somebody could assist with this problem and might have an idea about the reason why there could be these differences and how I could avoid them.

Best regards,
Tim Lange

It doesn’t look like Transit HMAC supports sha1, so it’s likely defaulting to sha2-256. Can you try again with one of the supported algorithms?
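To illustrate the reply above, here is an added example (not the original poster's script and not Vault's own code) that recomputes a Transit HMAC locally using Transit's algorithm names, parses the `vault:vN:` prefix into a key version and raw MAC, and compares in constant time. It also includes a small diagnostic that tries every Transit algorithm against a received MAC, which is how one would confirm that the server applied sha2-256 rather than the requested sha1. The key, message and "server reply" below are constructed for the demonstration; the algorithm table lists the SHA-2 and SHA-3 names Transit accepts and deliberately omits sha1.

```python
import base64
import hashlib
import hmac
import re

# Transit HMAC algorithm names mapped to hashlib constructors.
# SHA-1 is deliberately absent: the Transit HMAC endpoint does not offer it.
VAULT_HMAC_ALGORITHMS = {
    "sha2-224": hashlib.sha224,
    "sha2-256": hashlib.sha256,
    "sha2-384": hashlib.sha384,
    "sha2-512": hashlib.sha512,
    "sha3-224": hashlib.sha3_224,
    "sha3-256": hashlib.sha3_256,
    "sha3-384": hashlib.sha3_384,
    "sha3-512": hashlib.sha3_512,
}

# Transit returns "vault:v<key version>:<base64 mac>".
_VAULT_HMAC_RE = re.compile(r"^vault:v(\d+):([A-Za-z0-9+/]+={0,2})$")


def parse_vault_hmac(value):
    """Split a Transit HMAC string into (key_version, raw_mac_bytes)."""
    match = _VAULT_HMAC_RE.match(value)
    if match is None:
        raise ValueError("not a Transit HMAC string: %r" % value)
    return int(match.group(1)), base64.b64decode(match.group(2), validate=True)


def format_vault_hmac(key_version, mac):
    """Inverse of parse_vault_hmac; used here only to build a constructed server reply."""
    return "vault:v%d:%s" % (key_version, base64.b64encode(mac).decode())


def local_hmac(key, message, algorithm):
    """HMAC over `message` with `key`, selected by Transit algorithm name."""
    try:
        digestmod = VAULT_HMAC_ALGORITHMS[algorithm]
    except KeyError:
        raise ValueError("%r is not a Transit HMAC algorithm" % algorithm) from None
    return hmac.digest(key, message, digestmod)


def verify_vault_hmac(keys_by_version, message, vault_value, algorithm):
    """Recompute locally and compare in constant time.

    keys_by_version maps the Transit key version (the vN in the prefix) to the
    raw key bytes, so a rotated key is looked up by the version the server used.
    """
    version, mac = parse_vault_hmac(vault_value)
    expected = local_hmac(keys_by_version[version], message, algorithm)
    return hmac.compare_digest(mac, expected)


def identify_algorithm(key, message, mac):
    """Return the Transit algorithm whose HMAC equals `mac`, or None.

    Handy when the server silently applied a default instead of the requested name.
    """
    for name in VAULT_HMAC_ALGORITHMS:
        if hmac.compare_digest(local_hmac(key, message, name), mac):
            return name
    return None


# Constructed test data (not a real Vault key, message or response).
DEMO_KEY = bytes(range(32))
DEMO_KEYS = {1: DEMO_KEY}
DEMO_MESSAGE = b"example"

# A reply shaped like Transit's, constructed here as if the server used sha2-256.
DEMO_REPLY = format_vault_hmac(1, local_hmac(DEMO_KEY, DEMO_MESSAGE, "sha2-256"))


def demo():
    """Reproduce the mismatch: local sha1 vs. a server-side sha2-256 MAC."""
    sha1_local = hmac.digest(DEMO_KEY, DEMO_MESSAGE, hashlib.sha1)
    _, server_mac = parse_vault_hmac(DEMO_REPLY)
    return {
        "matches_sha1": hmac.compare_digest(server_mac, sha1_local),
        "server_algorithm": identify_algorithm(DEMO_KEY, DEMO_MESSAGE, server_mac),
        "verifies_as_sha2_256": verify_vault_hmac(
            DEMO_KEYS, DEMO_MESSAGE, DEMO_REPLY, "sha2-256"),
    }


if __name__ == "__main__":
    print(demo())
```

In practice you would replace `DEMO_REPLY` with the `data.hmac` string from the real response and `DEMO_KEYS` with the imported key material per version; `identify_algorithm` then tells you which algorithm the server actually applied, and `verify_vault_hmac` is the comparison to use in code rather than `==` on the bytes.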