digest.hmac_md5_base64

STRING digest.hmac_md5_base64(STRING key, STRING message)

Available in all subroutines.

Returns the HMAC-MD5 of message using key, encoded as a Base64 string.

Parameters

Parameter   Type     Description
key         STRING   The secret key for HMAC computation
message     STRING   The message to authenticate

The key is used directly as the HMAC key. A key longer than 64 bytes (the MD5 block size) is first hashed with MD5 and the 16-byte digest is used as the key, as specified in RFC 2104.

Return value

Returns a 24-character Base64-encoded string representing the 128-bit (16-byte) HMAC, using standard Base64 encoding (RFC 4648 Section 4) with padding.

Example output: NriaqnJWBjiFJwOsukhLKw==

If key is empty or not set, the function returns an empty string (not set).

Security

Unlike plain MD5, no practical attack breaks HMAC-MD5 as an authenticator. However, it is no longer recommended and should only be used when required for compatibility with legacy systems that cannot be upgraded.

Base64 encoding

This function uses standard Base64 encoding as defined in RFC 4648 Section 4:

Property   Value
Alphabet   A-Za-z0-9+/
Padding    = (always used)

Example

declare local var.hmac STRING;
set var.hmac = digest.hmac_md5_base64("secret-key", "hello world");
# Result: NriaqnJWBjiFJwOsukhLKw==

To verify this output using OpenSSL:

$ echo -n "hello world" | openssl dgst -md5 -hmac "secret-key" -binary | openssl base64
NriaqnJWBjiFJwOsukhLKw==

Security considerations

Prefer SHA-256 for new applications

# Recommended for new code
set var.signature = digest.hmac_sha256_base64(var.key, var.message);
# NOT recommended - only for legacy compatibility
set var.legacy_signature = digest.hmac_md5_base64(var.key, var.message);

Constant-time comparison

When comparing HMAC values for authentication, always use digest.secure_is_equal to prevent timing attacks. String comparison with == leaks information about which bytes matched, potentially allowing an attacker to forge valid authentication tags:

if (!digest.secure_is_equal(var.expected, var.actual)) {
  error 401 "Invalid signature";
}
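As an added example, not code from the Fastly documentation, the following Python mirrors the behaviour described on this page: the RFC 2104 handling of keys longer than the 64-byte MD5 block, the padded 24-character Base64 output, the empty-key case, and the constant-time comparison that digest.secure_is_equal provides in VCL. The function names and the 100-byte test key are my own assumptions.

```python
import base64
import hashlib
import hmac

MD5_BLOCK_SIZE = 64  # bytes; keys longer than this are MD5-hashed first (RFC 2104)


def hmac_md5_base64(key: str, message: str) -> str:
    """Mirror of digest.hmac_md5_base64: empty key -> empty string, otherwise
    the 16-byte HMAC-MD5 in standard padded Base64 (RFC 4648 section 4)."""
    if not key:
        return ""
    mac = hmac.new(key.encode(), message.encode(), hashlib.md5).digest()
    return base64.b64encode(mac).decode("ascii")  # always 24 chars, ends in "=="


def shorten_long_key(key: bytes) -> bytes:
    """The RFC 2104 key step written out explicitly: a key longer than the
    block size is replaced by its MD5 digest; shorter keys pass through
    (the HMAC construction then zero-pads them to the block size)."""
    return hashlib.md5(key).digest() if len(key) > MD5_BLOCK_SIZE else key


def long_key_collapses(message: str) -> bool:
    """Show that a 100-byte key (constructed, not from the page) and the
    16-byte MD5 of that key produce exactly the same tag."""
    long_key = b"k" * 100
    tag_long = hmac.new(long_key, message.encode(), hashlib.md5).digest()
    tag_short = hmac.new(shorten_long_key(long_key), message.encode(), hashlib.md5).digest()
    return tag_long == tag_short


def verify_signature(key: str, message: str, presented: str) -> bool:
    """Constant-time verification, the role digest.secure_is_equal plays in
    VCL. An empty key yields an empty expected tag and must never verify.
    Comparing as bytes avoids the ASCII-only restriction of compare_digest
    on str inputs, so a malformed presented tag cannot raise."""
    expected = hmac_md5_base64(key, message)
    if not expected:
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())
```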