Goal
I would like to compute the same HMAC that transit produces, but manually.
Methodology
Based on this subject, I wanted to try to reproduce, in a transparent way, the same HMAC that Vault computes with the transit module.
Key creation
curl --header "X-Vault-Token: <my-token>" --request POST --data '{"exportable":true}' http://127.0.0.1:8200/v1/transit/keys/nota
HMAC Input
curl --header "X-Vault-Token: <my-token>" --request POST --data '{"input":"Benjamin"}' http://127.0.0.1:8200/v1/transit/hmac/nota/sha2-256
I got as HMAC output: "hmac":"vault:v1:gydrd9I34QfKaVWkcQpe9XkQMKcfcSPJX3wdm4MyMyI="
Key Export
curl --header "X-Vault-Token: <my-token>" http://127.0.0.1:8200/v1/transit/export/hmac-key/nota/1
Key output is: "1":"BCUP9OOhYJJLkdJOpQBWCjtCMPaj4hSEg8aAqfF0T5c="
Up to here everything worked perfectly, as described in the documentation.
The goal is now to try to do the HMAC by myself, outside of Vault. So I made a Go script to try to make it work, but it didn't work as planned…
Go Script
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

func main() {
	fmt.Println("Starting...")
	// Round-trip the literal through base64: this yields the ASCII bytes of "Benjamin" unchanged.
	rawInput := base64.StdEncoding.EncodeToString([]byte("Benjamin"))
	input, _ := base64.StdEncoding.DecodeString(rawInput)
	// The exported hmac-key, base64-decoded to its raw key bytes.
	keyRaw, _ := base64.StdEncoding.DecodeString("BCUP9OOhYJJLkdJOpQBWCjtCMPaj4hSEg8aAqfF0T5c=")
	hf := hmac.New(sha256.New, keyRaw)
	hf.Write(input)
	retBytes := hf.Sum(nil)
	retStr := base64.StdEncoding.EncodeToString(retBytes)
	fmt.Println(retStr)
}
And the returned HMAC is: qxflJNRlCV5ubTr8S+In7F4DUfoC4z6IoE0q2duRbSs=
Unfortunately it isn't the same as the expected one (gydrd9I34QfKaVWkcQpe9XkQMKcfcSPJX3wdm4MyMyI=)
Suggested issue
I guess that what I am doing wrong is the formatting of the key and/or the input.
But after 5 hours spent on this issue, I have no ideas left…
Would anyone have some insight on it?
Thanks!
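An added example, not code from the post above and not Vault's own source: a Go program that recomputes the transit sha2-256 HMAC the way the API documents it. The transit /hmac endpoint takes "input" as base64-encoded data and base64-decodes it before MACing, the export endpoint returns the HMAC key as base64, and the result is returned as "vault:v<version>:<base64 mac>". The program does those three steps, adds a constant-time verifier for strings in that format, and then uses the exported key and the literal input quoted in the post to show what the string "Benjamin" turns into when it is treated as base64 the way transit treats it. The function names are my own, and it assumes a non-derived key at version 1.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// InputBytes returns the bytes transit actually MACs for a given "input" value.
// The /transit/hmac endpoint base64-decodes "input" before hashing, so the MAC
// covers the decoded bytes, never the literal characters of the JSON string.
func InputBytes(inputB64 string) ([]byte, error) {
	msg, err := base64.StdEncoding.DecodeString(inputB64)
	if err != nil {
		return nil, fmt.Errorf("input is not valid base64: %w", err)
	}
	return msg, nil
}

// TransitHMAC recomputes transit's sha2-256 HMAC outside Vault.
// keyB64 is the value returned by /transit/export/hmac-key/<name>/<version>,
// inputB64 is the "input" field exactly as it would be sent to /transit/hmac.
// The result uses Vault's "vault:v<version>:<base64 mac>" format.
func TransitHMAC(keyB64, inputB64 string, version int) (string, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return "", fmt.Errorf("hmac-key is not valid base64: %w", err)
	}
	msg, err := InputBytes(inputB64)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	tag := base64.StdEncoding.EncodeToString(mac.Sum(nil))
	return fmt.Sprintf("vault:v%d:%s", version, tag), nil
}

// VerifyTransitHMAC checks a "vault:vN:<mac>" value against a recomputation.
// It parses the key version from the prefix and compares with hmac.Equal
// (constant time), which is what a verifier outside Vault should do.
func VerifyTransitHMAC(keyB64, inputB64, vaultMAC string) (bool, error) {
	parts := strings.SplitN(vaultMAC, ":", 3)
	if len(parts) != 3 || parts[0] != "vault" || !strings.HasPrefix(parts[1], "v") {
		return false, fmt.Errorf("not a vault:vN:<mac> string: %q", vaultMAC)
	}
	version, err := strconv.Atoi(parts[1][1:])
	if err != nil {
		return false, fmt.Errorf("bad key version in %q: %w", vaultMAC, err)
	}
	got, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil {
		return false, fmt.Errorf("mac is not valid base64: %w", err)
	}
	expected, err := TransitHMAC(keyB64, inputB64, version)
	if err != nil {
		return false, err
	}
	want, _ := base64.StdEncoding.DecodeString(strings.SplitN(expected, ":", 3)[2])
	return hmac.Equal(got, want), nil
}

func main() {
	// Values quoted in the post above: the exported hmac-key and the literal "input".
	keyB64 := "BCUP9OOhYJJLkdJOpQBWCjtCMPaj4hSEg8aAqfF0T5c="
	literal := "Benjamin"

	// The literal happens to be valid base64, so transit MACs its 6 decoded bytes.
	decoded, _ := InputBytes(literal)
	fmt.Printf("%q as base64 decodes to %d bytes: %s\n", literal, len(decoded), hex.EncodeToString(decoded))

	// To MAC the ASCII string "Benjamin" itself, the input must be its base64 form.
	asciiB64 := base64.StdEncoding.EncodeToString([]byte(literal))
	fmt.Printf("base64(%q) = %s\n", literal, asciiB64)

	for _, in := range []string{literal, asciiB64} {
		out, err := TransitHMAC(keyB64, in, 1)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("input=%-14s hmac=%s\n", in, out)
	}
}
```

Running it prints two different HMACs for the two inputs: the first is over the six bytes that "Benjamin" decodes to, the second is over the eight ASCII bytes of the word. Which of the two matches a given transit response depends only on what was actually sent in "input"; the exported key is used identically in both cases.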