我正在尝试使用nodejs的加密库中的createHmac函数。
问题:当给定(看似)相同的参数时,它会产生不同的哈希值。唯一的区别是“secret”参数是字符串变量还是字符串文字。
以下 SPA 隔离了该问题。我使用 nwjs (node webkit) SDK 风格 v 0.14.2 在 OS X El Cap 上运行此代码。
感谢您收到的任何帮助和建议。
index.html
<!DOCTYPE html>
<html>
<head>
<title>Context Menu</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"
rel="stylesheet"
integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7"
crossorigin="anonymous">
</head>
<body style="width: 100%; height: 100%;">
<div id="wrapper">
</div>
<script src="https://code.jquery.com/jquery-2.2.3.min.js"
integrity="sha256-a23g1Nt4dtEYOj7bR+vTu7+T8VP13humZFBJNIYoEJo="
crossorigin="anonymous"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"
integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS"
crossorigin="anonymous"></script>
<script type="text/javascript" src="./index.js"></script>
</body>
</html>
index.js
var nodeCrypto = require('crypto');
var payload = 'twas brillig and the slithy toves did gyre and gimble in the wabe';
//
// simple UI to get a user-entered secret
// and echo the results.
// enter 'wibble' in input element to demo the problem to match hard coded literal
//
$('#wrapper').append (
$('<div>').addClass('form-group')
.append (
$('<label>').attr('for','userinput').text('Tell me a secret:'),
$('<input>').addClass('form-control').attr('type','text').attr('id','userinput')
),
$('<p>').attr('id', 'hash'),
$('<p>').attr('id', 'nash')
);
$('input').on('change', function (ev) {
// compute hash based on user input
var hash = nodeCrypto.createHmac ('sha256', $(this).val())
.update (payload)
.digest ('hex');
console.log ('hash: ' + hash);
$('p[id=hash]').text('secret: ' + $(this).val() + ', hash: ' + hash);
// logs hash: f7b4ae1aaa35b813571f00bca7c81d08176b56cb3a1d1f8c8ba95a17ba6f6f29
// as long as user enters 'wibble'
// compute hash based on string literal
var nash = nodeCrypto.createHmac ('sha256', 'wibble')
.update (payload)
.digest ('hex');
console.log ('nash: ' + nash);
$('p[id=nash]').text('secret: wibble, hash: ' + nash);
// logs hash: c9592948b3de038c9aa339f94b61928de803417183a6c95b1829a04c69fe6bf6
});
屏幕截图 Shows user input together with computed hashes
package.json
{
"name": "hmac",
"main": "index.html",
"description": "nodejs crypto hmac test",
"author": "xxx"
}
最佳答案
有一些关于隔离问题并为顽固但公平的人群编写解释的纪律,这通常看起来会自己找出解决方案。
因此,对这个“询问和回答”表示歉意。找到解决方案我就放心了。
进一步的实验产生了这些见解:
- 通过 强制参数成为一个单独的对象
secret = new String(...)
导致 Node 加密库内部出现故障:
TypeError: not a buffer.
这是一条线索!
- 将用户输入转换为缓冲区,然后将其作为 key 传递给 createHmac 后,两次调用之间的行为将保持一致。
更新了js
// compute hash based on user input
var secretStr = $(this).val();
var hash = nodeCrypto.createHmac ('sha256', secretStr)
.update (payload)
.digest ('hex');
console.log ('hash: ' + hash);
$('p[id=hash]').text('secret: ' + $(this).val() + ', hash: ' + hash);
// logs hash: f7b4ae1aaa35b813571f00bca7c81d08176b56cb3a1d1f8c8ba95a17ba6f6f29
// as long as user enters 'wibble'
// compute hash based on string literal
var nash = nodeCrypto.createHmac ('sha256', 'wibble')
.update (payload)
.digest ('hex');
console.log ('nash: ' + nash);
$('p[id=nash]').text('secret: wibble, nash: ' + nash);
// logs nash: c9592948b3de038c9aa339f94b61928de803417183a6c95b1829a04c69fe6bf6
// compute hash based on Buffer initialised from user input
var secretBuf = Buffer.from($(this).val());
var mash = nodeCrypto.createHmac ('sha256', secretBuf)
.update (payload)
.digest ('hex');
console.log ('nash: ' + nash);
$('p[id=mash]').text('secret: wibble, mash: ' + nash);
// logs mash: c9592948b3de038c9aa339f94b61928de803417183a6c95b1829a04c69fe6bf6
关于javascript - 如果 secret 作为文字与变量传递,nodejs crypto hmac 会产生不同的哈希值,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/36897843/