Can we please get hex & base64 HMAC-SHA1 and/or HMAC-SHA256 signature LSL functions?

[Gistya Eusebio]

Dear LL:

Can we please get hex & base64 HMAC-SHA1 and/or HMAC-SHA256 signature LSL functions? I use certain Amazon AWS features in some scripts I'm getting ready to release, but it requires web requests be signed with base64 HMAC-SHA1 or HMAC-SHA256. And despite my best efforts, I can't get my LSL-based HMAC-SHA1 routine to generate a signature for a typical-length request in under 800-900ms. We really need a function like llHMACSHA1base64(string msg, string key) so that we can take full advantage of things like AWS. There are open source libraries LL could use for this.

I haven't asked for much in my almost four years as a sim owner and seven as a land owner... But this would be hugely awesome.

[Luca Coeur]

Hi Gistya,

 

as far as I've heard LL employees aren't especially eager reading the forums so chances are your proposal will get lost. A better way might be to open a feature request in the Jira bugtracker. After that you can use the forum to get attention to that issue and by providing a link to the Jira in question other participants can vote on it. That way you might catch the attention of some LL staff. Maybe someone in the programming might consider it low hanging fruit if you even provide links to the libraries you mentioned so it could be done without breaking content and costing too much labour.

 

Best regards and good luck

 

[Talia Davidov]

except in their infinite wisdom they have closed the Jira system so only the LL declared special people can see existing entries, so coming back here to draw support to the jira and getting it voted on won't work.

 

[Lucia Nightfire]

If you file a feature request in the BUG category there is a good chance it will be closed as "Not Applicable" strictly because it literally isn't a bug. I was told this at an OH, when I asked why my feature requests were continually being closed. I also asked what the proper procedure was to file feature requests with the new jira system, but was declined a definitive answer.

[Gistya Eusebio]

Well, Maestro posts here, so there's a chance this might get seen. As a fellow software developer, I do not envy the position that the Lindens are in. I have a hard enough time fixing bugs and adding the core features to my one little set of scripts, without anyone begging me for various esoteric-sounding features. However I do believe that companies who listen to their customers, and platforms who give their developers the APIs they are asking for, are the ones that succeed down the road, and I've stuck with LL thusfar because they have acted on those of my requests that were the most important. I can see that they are trying to do the right thing in various areas; for example the new JSON features have been a god-send for my script. So, I think they are interested in heping us, and I will continue to press this particular issue (HMAC-SHA functions) until it gets implemented, especially because I know it's not all that much to ask for, given the fact there are a lot of open-source libraries.

The only potential issue I see with is it that it would be programatically difficult to initialize an ipad/opad key cache to save on processor usage, but even without that being done, I think it would still be far more efficient to do it as an LSL function than how we're doing it now, which is doing SHA1 in LSL itself.

Even if they just made a workable SHA1 function that would be a huge step. It's a shame they went to the trouble to make an SHA1 function (llSHA1String) but it doesn't work for HMAC due the facts that it relies on UTF8 encodings and that there's no escape character to represent the null character in LSL. It's still useful for generating a hash for script-to-script communications security, but we need one that can accept hexadecimal input and can provide output in base64 or hex. If it did the whole HMAC algorithm that would be the icing on the cake.

And while they're at it, we might as well throw in SHA2 support to future proof present-proof it.

[Darien Caldwell]

SHA1 has been available for a long while now:

https://wiki.secondlife.com/wiki/LlSHA1String

 

MD5 too

https://wiki.secondlife.com/wiki/LlMD5String