nodejs crypto hmac produces different hashes if the secret is passed as a literal versus a variable

I am trying to use the createHmac function of nodejs from its crypto library.

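The problem: it produces different hashes when given (seemingly) identical parameters. The only difference is whether the "secret" parameter is a string variable or a string literal.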

The following SPA isolates the problem. I am running this code using nwjs (node webkit) SDK flavor v 0.14.2 on OS X El Cap.

Any help and suggestions gratefully received.

index.html

    <!DOCTYPE html>
    <html>
    <head>
        <title>Context Menu</title>
        <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">
    </head>
    <body style="width: 100%; height: 100%;">
        <div id="wrapper">
        </div>
        <script src="https://code.jquery.com/jquery-2.2.3.min.js" integrity="sha256-a23g1Nt4dtEYOj7bR+vTu7+T8VP13humZFBJNIYoEJo=" crossorigin="anonymous"></script>
        <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script>
        <script type="text/javascript" src="./index.js"></script>
    </body>
    </html>

index.js

    var nodeCrypto = require('crypto');
    var payload = 'twas brillig and the slithy toves did gyre and gimble in the wabe';

    //
    // simple UI to get a user-entered secret
    // and echo the results.
    // enter 'wibble' in input element to demo the problem to match hard coded literal
    //
    $('#wrapper').append (
        $('<div>').addClass('form-group')
        .append (
            $('<label>').attr('for','userinput').text('Tell me a secret:'),
            $('<input>').addClass('form-control').attr('type','text').attr('id','userinput')
        ),
        $('<p>').attr('id', 'hash'),
        $('<p>').attr('id', 'nash')
    );

    $('input').on('change', function (ev) {
        // compute hash based on user input
        var hash = nodeCrypto.createHmac ('sha256', $(this).val())
            .update (payload)
            .digest ('hex');
        console.log ('hash: ' + hash);
        $('p[id=hash]').text('secret: ' + $(this).val() + ', hash: ' + hash);
        // logs hash: f7b4ae1aaa35b813571f00bca7c81d08176b56cb3a1d1f8c8ba95a17ba6f6f29
        // as long as user enters 'wibble'

        // compute hash based on string literal
        var nash = nodeCrypto.createHmac ('sha256', 'wibble')
            .update (payload)
            .digest ('hex');
        console.log ('nash: ' + nash);
        $('p[id=nash]').text('secret: wibble, hash: ' + nash);
        // logs hash: c9592948b3de038c9aa339f94b61928de803417183a6c95b1829a04c69fe6bf6
    });

Screengrab showing the user input versus the computed hashes

package.json

    {
        "name": "hmac",
        "main": "index.html",
        "description": "nodejs crypto hmac test",
        "author": "xxx"
    }

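As so often when isolating a problem and writing up an explanation for a tough but fair crowd, the solution tends to shake out of the whole exercise.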

So "apologies" for this answer. I am just relieved to have a solution.

A little further experimentation yielded these insights:

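  1. Forcing the parameter to be a separate object via

secret = new String(…)

caused a failure inside node's crypto library:

TypeError: Not a buffer.

That was a clue!

  2. Converting the user input to a Buffer before passing it to createHmac as the secret resulted in consistent behaviour between the 2 calls.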

Updated js

    // compute hash based on user input
    var secretStr = $(this).val();
    var hash = nodeCrypto.createHmac ('sha256', secretStr)
        .update (payload)
        .digest ('hex');
    console.log ('hash: ' + hash);
    $('p[id=hash]').text('secret: ' + $(this).val() + ', hash: ' + hash);
    // logs hash: f7b4ae1aaa35b813571f00bca7c81d08176b56cb3a1d1f8c8ba95a17ba6f6f29
    // as long as user enters 'wibble'

    // compute hash based on string literal
    var nash = nodeCrypto.createHmac ('sha256', 'wibble')
        .update (payload)
        .digest ('hex');
    console.log ('nash: ' + nash);
    $('p[id=nash]').text('secret: wibble, nash: ' + nash);
    // logs nash: c9592948b3de038c9aa339f94b61928de803417183a6c95b1829a04c69fe6bf6

    // compute hash based on Buffer initialised from user input
    var secretBuf = Buffer.from($(this).val());
    var mash = nodeCrypto.createHmac ('sha256', secretBuf)
        .update (payload)
        .digest ('hex');
    console.log ('mash: ' + mash);
    $('p[id=mash]').text('secret: wibble, mash: ' + mash);
    // logs mash: c9592948b3de038c9aa339f94b61928de803417183a6c95b1829a04c69fe6bf6
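An added example, not part of the original post: one way to apply the answer's fix in plain Node.js, converting the secret to explicit bytes before keying the HMAC and dumping the key bytes as hex so that two secrets that look identical on screen can be compared. The helper names (`toKeyBytes`, `hmacHex`, `sameDigest`, `keyHex`) and the trailing-newline sample are assumptions for illustration.

```javascript
// Added example: normalise the HMAC secret to explicit bytes before keying.
const crypto = require('crypto');

// Payload taken from the question.
const payload = 'twas brillig and the slithy toves did gyre and gimble in the wabe';

// Hypothetical helper: turn a secret into a Buffer, or refuse it.
function toKeyBytes(secret) {
  if (Buffer.isBuffer(secret)) return secret;
  if (typeof secret === 'string') return Buffer.from(secret, 'utf8');
  // String objects, numbers, undefined etc. are rejected rather than coerced.
  throw new TypeError('HMAC secret must be a string primitive or a Buffer');
}

// Hypothetical helper: HMAC-SHA256 keyed with explicit bytes, hex digest.
function hmacHex(secret, data) {
  return crypto.createHmac('sha256', toKeyBytes(secret))
    .update(data, 'utf8')
    .digest('hex');
}

// Hypothetical helper: compare two hex digests in constant time.
function sameDigest(a, b) {
  const x = Buffer.from(a, 'hex');
  const y = Buffer.from(b, 'hex');
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Hypothetical helper: show the exact key bytes to expose invisible differences.
function keyHex(secret) {
  return toKeyBytes(secret).toString('hex');
}

// Constructed sample secrets: literal, runtime-built string, Buffer, and a
// value that renders the same in most UIs but carries a trailing newline.
const literal = hmacHex('wibble', payload);
const fromVariable = hmacHex(['wib', 'ble'].join(''), payload);
const fromBuffer = hmacHex(Buffer.from('wibble'), payload);
const withNewline = hmacHex('wibble\n', payload);

console.log('literal == variable:', sameDigest(literal, fromVariable));
console.log('literal == buffer  :', sameDigest(literal, fromBuffer));
console.log('literal == newline :', sameDigest(literal, withNewline));
console.log('key bytes:', keyHex('wibble'), 'vs', keyHex('wibble\n'));
```

When two HMACs over the same payload disagree, comparing the `keyHex` output of both secrets shows whether the keys really are byte-identical.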