Problem description
How to get to "feature parity" between Node's Crypto.createHmac('sha256', buffer) and CryptoJS.HmacSHA256(..., secret)?
I have a 3rd party code that does what you can see here as the method node1. I would need to achieve the same result in the browser. Seemingly, the difference is that the secret is base64 decoded on the node side. But I still can't get the same output.
const CryptoJS = require('crypto-js')
const Crypto = require('crypto')

const message = "Message"
const secret = "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="

function node1() {
  return Crypto.createHmac("sha256", Buffer.from(secret, 'base64'))
    .update(message, "utf8")
    .digest("base64");
}

function node2() {
  return Crypto.createHmac("sha256", Buffer.from(secret, 'base64').toString('base64'))
    .update(message, "utf8")
    .digest("base64");
}

function browser() {
  const crypted = CryptoJS.HmacSHA256(message, secret)
  return CryptoJS.enc.Base64.stringify(crypted)
}

console.log('node1', node1())
console.log('node2', node2())
console.log('browser-like', browser())
// node1 agitai8frSJpJuXwd4HMJC/t2tluUJPMZy8CeYsEHTE=
// node2 fxJQFWs5W3A4otaAlnlV0kh4yfQPb4Y1ChSVZsUAAXA=
// browser-like fxJQFWs5W3A4otaAlnlV0kh4yfQPb4Y1ChSVZsUAAXA=
So, I can reproduce a naive browser-like behaviour in node. This gave me the idea to use atob in the browser, to reproduce node's behaviour. The following sign method is my best guess on the browser side.
function sign(message) {
  const crypted = CryptoJS.HmacSHA256(message, atob(secret));
  return CryptoJS.enc.Base64.stringify(crypted)
}

function signNotDecoded(message) {
  const crypted = CryptoJS.HmacSHA256(message, secret);
  return CryptoJS.enc.Base64.stringify(crypted)
}

console.log('browser', sign('Message'))
console.log('browser-like', signNotDecoded('Message'))
// browser dnVm5jBgIBNV6pFd4J9BJTjx3BFsm7K32SCcEQX7RHA=
// browser-like fxJQFWs5W3A4otaAlnlV0kh4yfQPb4Y1ChSVZsUAAXA=
So, running signDecoded() in the browser, and running browser() in node gives the same output. Running both node2() and browser() in node again provides the same output, but still sign() differs from node1().
Based on the above, I'm quite sure that the problem is with my usage of atob, but what do I miss there?
Recommended answer
Change
atob(secret)
to
CryptoJS.enc.Base64.parse(secret)
Because if you pass a raw string as key to the function it will be re-parsed as UTF-8.
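Why the atob() key fails, shown at the byte level as an added example (not part of the original question or answer). It uses only Node built-ins: the UTF-8 re-encoding of a string key is emulated with Buffer, following the answer's explanation, and the helper names hmacBase64 and compareKeys are hypothetical.

```javascript
// Added example: Node built-ins only; the string-key handling described in the
// answer (string re-parsed as UTF-8) is emulated with Buffer, not CryptoJS itself.
const { createHmac } = require('crypto');

// Values taken from the question.
const message = 'Message';
const secret = 'Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==';

// HMAC-SHA256 over the message with the given key bytes, base64 output.
function hmacBase64(keyBytes) {
  return createHmac('sha256', keyBytes).update(message, 'utf8').digest('base64');
}

// The intended key: the raw bytes behind the base64 text (what node1 uses).
const rawKey = Buffer.from(secret, 'base64');

// atob() returns a "binary string": one character (code 0-255) per decoded byte.
// Decoding the bytes as 'latin1' builds the same string without needing atob.
const binaryString = rawKey.toString('latin1');

// A string key is re-encoded as UTF-8, so every character >= 0x80 becomes
// two bytes and the HMAC is computed with a different, longer key.
const reencodedKey = Buffer.from(binaryString, 'utf8');

function compareKeys() {
  return {
    rawLength: rawKey.length,
    reencodedLength: reencodedKey.length,
    highBytes: rawKey.filter((b) => b >= 0x80).length,
    node1: hmacBase64(rawKey),
    viaAtob: hmacBase64(reencodedKey),
    // Mapping each character back to exactly one byte recovers the intended key.
    recovered: hmacBase64(Buffer.from(binaryString, 'latin1')),
  };
}

console.log(compareKeys());
```

The length difference between the two keys equals the number of bytes at or above 0x80 in the decoded secret, which is why a key made only of ASCII bytes would hide this mismatch.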