我想创建一个我爱纸杯蛋糕哈希(签名与密钥abcdeg)
我如何创建哈希,使用Node.js Crypto?
我想创建一个我爱纸杯蛋糕哈希(签名与密钥abcdeg)
我如何创建哈希,使用Node.js Crypto?
当前回答
尽管有所有签名和验证哈希算法的示例代码,但我仍然需要进行一些实验和调整才能使其工作。这是我的工作样本,我相信它涵盖了所有的边缘情况。
它是URL安全的(即不需要编码),它需要一个过期时间,并且不会意外抛出异常。有一个对Day.js的依赖,但是你可以用另一个日期库替换它,或者滚动你自己的日期比较。
用TypeScript编写:
// signature.ts
import * as crypto from 'crypto';
import * as dayjs from 'dayjs';
const key = 'some-random-key-1234567890';
const replaceAll = (
str: string,
searchValue: string,
replaceValue: string,
) => str.split(searchValue).join(replaceValue);
const swap = (str: string, input: string, output: string) => {
for (let i = 0; i < input.length; i++)
str = replaceAll(str, input[i], output[i]);
return str;
};
const createBase64Hmac = (message: string, expiresAt: Date) =>
swap(
crypto
.createHmac('sha1', key)
.update(`${expiresAt.getTime()}${message}`)
.digest('hex'),
'+=/', // Used to avoid characters that aren't safe in URLs
'-_,',
);
export const sign = (message: string, expiresAt: Date) =>
`${expiresAt.getTime()}-${createBase64Hmac(message, expiresAt)}`;
export const verify = (message: string, hash: string) => {
const matches = hash.match(/(.+?)-(.+)/);
if (!matches) return false;
const expires = matches[1];
const hmac = matches[2];
if (!/^\d+$/.test(expires)) return false;
const expiresAt = dayjs(parseInt(expires, 10));
if (expiresAt.isBefore(dayjs())) return false;
const expectedHmac = createBase64Hmac(message, expiresAt.toDate());
// Byte lengths must equal, otherwise crypto.timingSafeEqual will throw an exception
if (hmac.length !== expectedHmac.length) return false;
return crypto.timingSafeEqual(
Buffer.from(hmac),
Buffer.from(expectedHmac),
);
};
你可以这样使用它:
import { sign, verify } from './signature';
const message = 'foo-bar';
const expiresAt = dayjs().add(1, 'day').toDate();
const hash = sign(message, expiresAt);
const result = verify(message, hash);
expect(result).toBe(true);
其他回答
几年前,有人说update()和digest()是遗留方法,并引入了新的流API方法。现在,文档表明这两种方法都可以使用。例如:
var crypto = require('crypto');
var text = 'I love cupcakes';
var secret = 'abcdeg'; //make this your secret!!
var algorithm = 'sha1'; //consider using sha256
var hash, hmac;
// Method 1 - Writing to a stream
hmac = crypto.createHmac(algorithm, secret);
hmac.write(text); // write in to the stream
hmac.end(); // can't read from the stream until you call end()
hash = hmac.read().toString('hex'); // read out hmac digest
console.log("Method 1: ", hash);
// Method 2 - Using update and digest:
hmac = crypto.createHmac(algorithm, secret);
hmac.update(text);
hash = hmac.digest('hex');
console.log("Method 2: ", hash);
在节点v6.2.2和v7.7.2上进行了测试
见https://nodejs.org/api/crypto.html # crypto_class_hmac。给出使用流方法的更多示例。
尽管有所有签名和验证哈希算法的示例代码,但我仍然需要进行一些实验和调整才能使其工作。这是我的工作样本,我相信它涵盖了所有的边缘情况。
它是URL安全的(即不需要编码),它需要一个过期时间,并且不会意外抛出异常。有一个对Day.js的依赖,但是你可以用另一个日期库替换它,或者滚动你自己的日期比较。
用TypeScript编写:
// signature.ts
import * as crypto from 'crypto';
import * as dayjs from 'dayjs';
const key = 'some-random-key-1234567890';
const replaceAll = (
str: string,
searchValue: string,
replaceValue: string,
) => str.split(searchValue).join(replaceValue);
const swap = (str: string, input: string, output: string) => {
for (let i = 0; i < input.length; i++)
str = replaceAll(str, input[i], output[i]);
return str;
};
const createBase64Hmac = (message: string, expiresAt: Date) =>
swap(
crypto
.createHmac('sha1', key)
.update(`${expiresAt.getTime()}${message}`)
.digest('hex'),
'+=/', // Used to avoid characters that aren't safe in URLs
'-_,',
);
export const sign = (message: string, expiresAt: Date) =>
`${expiresAt.getTime()}-${createBase64Hmac(message, expiresAt)}`;
export const verify = (message: string, hash: string) => {
const matches = hash.match(/(.+?)-(.+)/);
if (!matches) return false;
const expires = matches[1];
const hmac = matches[2];
if (!/^\d+$/.test(expires)) return false;
const expiresAt = dayjs(parseInt(expires, 10));
if (expiresAt.isBefore(dayjs())) return false;
const expectedHmac = createBase64Hmac(message, expiresAt.toDate());
// Byte lengths must equal, otherwise crypto.timingSafeEqual will throw an exception
if (hmac.length !== expectedHmac.length) return false;
return crypto.timingSafeEqual(
Buffer.from(hmac),
Buffer.from(expectedHmac),
);
};
你可以这样使用它:
import { sign, verify } from './signature';
const message = 'foo-bar';
const expiresAt = dayjs().add(1, 'day').toDate();
const hash = sign(message, expiresAt);
const result = verify(message, hash);
expect(result).toBe(true);
crypto文档:http://nodejs.org/api/crypto.html
const crypto = require('crypto')
const text = 'I love cupcakes'
const key = 'abcdeg'
crypto.createHmac('sha1', key)
.update(text)
.digest('hex')
Gwerder的解决方案不会工作,因为hash = hmac.read();在流完成最终确定之前发生。这就是AngraX的问题所在。还有hmac。Write语句在本例中不需要。
而是这样做:
var crypto = require('crypto');
var hmac;
var algorithm = 'sha1';
var key = 'abcdeg';
var text = 'I love cupcakes';
var hash;
hmac = crypto.createHmac(algorithm, key);
// readout format:
hmac.setEncoding('hex');
//or also commonly: hmac.setEncoding('base64');
// callback is attached as listener to stream's finish event:
hmac.end(text, function () {
hash = hmac.read();
//...do something with the hash...
});
更正式的说法是,如果你愿意的话
hmac.end(text, function () {
可以写成
hmac.end(text, 'utf8', function () {
因为在这个例子中,text是一个utf字符串