Using CCHmac for creating message authentication codes

This is a second part of the first post about hashing data using SHA256. Here we will look into CCHmac (Hash-based Message Authentication Code) functions and see how to use it for creating authentication codes what can be used for data integrity checks and authentication of a message.

Message authentication codes

Hash-based message authentication code enables validating messages sent between two parties. For achieving that, the sender will use secret key for creating an authentication code of the message. Then transmits the message and the code to the other party. Then the receiver will use the same secret key (only they both know the key) for creating an authentication code of the received message. If the received authentication code matches with the created one, the receiver can be sure of the message’s integrity.

CCHmac interface

There are 3 functions which are used together for creating an authentication code. These are: CCHmacInit(), CCHmacUpdate() and CCHmacFinal(). Note that the update function can be called multiple times for processing the data in chunks. In addition, there is a convenience function what internally creates CCHmacContext object and uses listed functions for initialising, updating and finalising the process of creating an authentication code. We will concentrate on the convenience function.

@function CCHmac
@abstract Create the Message Authentication Code.
@param algorithm HMAC algorithm to perform.
@param key Raw key bytes.
@param keyLength Count of raw key bytes. It can also be zero.
@param data Raw data bytes.
@param dataLength Count of data bytes.
@param macOut Output buffer allocated by caller.
void CCHmac(CCHmacAlgorithm algorithm, const void *key, size_t keyLength, const void *data, size_t dataLength, void *macOut);
view raw CCHmac.h hosted with ❤ by GitHub

Arguments define the hashing algorithm, secret key, input data and an output buffer. It is important to note that the output buffer needs to be preallocated and the length depends on the chosen algorithm (for example SHA256 requires a buffer with length equal to CC_SHA256_DIGEST_LENGTH).

Data extension for CCHmac in Swift

import Foundation
import CommonCrypto
extension Data {
enum Algorithm {
case md5
case sha1
case sha224
case sha256
case sha384
case sha512
var digestLength: Int {
switch self {
case .md5: return Int(CC_MD5_DIGEST_LENGTH)
case .sha1: return Int(CC_SHA1_DIGEST_LENGTH)
case .sha224: return Int(CC_SHA224_DIGEST_LENGTH)
case .sha256: return Int(CC_SHA256_DIGEST_LENGTH)
case .sha384: return Int(CC_SHA384_DIGEST_LENGTH)
case .sha512: return Int(CC_SHA512_DIGEST_LENGTH)
extension Data.Algorithm: RawRepresentable {
typealias RawValue = Int
init?(rawValue: Int) {
switch rawValue {
case kCCHmacAlgMD5: self = .md5
case kCCHmacAlgSHA1: self = .sha1
case kCCHmacAlgSHA224: self = .sha224
case kCCHmacAlgSHA256: self = .sha256
case kCCHmacAlgSHA384: self = .sha384
case kCCHmacAlgSHA512: self = .sha512
default: return nil
var rawValue: Int {
switch self {
case .md5: return kCCHmacAlgMD5
case .sha1: return kCCHmacAlgSHA1
case .sha224: return kCCHmacAlgSHA224
case .sha256: return kCCHmacAlgSHA256
case .sha384: return kCCHmacAlgSHA384
case .sha512: return kCCHmacAlgSHA512
extension Data {
func authenticationCode(for algorithm: Algorithm, secretKey: String = "") -> Data {
guard let secretKeyData = .utf8) else { fatalError() }
return authenticationCode(for: algorithm, secretKey: secretKeyData)
func authenticationCode(for algorithm: Algorithm, secretKey: Data) -> Data {
let hashBytes = UnsafeMutablePointer<UInt8>.allocate(capacity: algorithm.digestLength)
defer { hashBytes.deallocate() }
withUnsafeBytes { (bytes) -> Void in
secretKey.withUnsafeBytes { (secretKeyBytes) -> Void in
CCHmac(CCHmacAlgorithm(algorithm.rawValue), secretKeyBytes, secretKey.count, bytes, count, hashBytes)
return Data(bytes: hashBytes, count: algorithm.digestLength)
view raw CCHmac.swift hosted with ❤ by GitHub

The method for creating authentication code is func authenticationCode(for algorithm: Algorithm, secretKey: Data) -> Data what is very easy to use for creating raw message authentication code. It can be converted into string by using Data's base64EncodedString().

Example project can be found on GitHub (CommonCryptoExample).


Wikipedia: HMAC
man page of CCHmac

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s