Create Google reCAPTCHA secure token in ColdFusion

Google allows you to create a “secure token” for reCAPTCHA, which means that you can use the same key / secret for multiple domains. No need to create a key / secret for each domain you are working with.

Their documentation, as you can see, gives no idea of how the token is encrypted, except for an example in Java. My question is how this would be written in ColdFusion. I have had a crack at it for 4 hours, but I just can't get it to work. Other examples I reviewed:

Does any ColdFusion encryption guru know how to do this?

UPDATE

Thank you, Lee, I think we are moving forward, but I still see an “invalid runoff”. Here is what I have:

  json_token = '{"session_id":"#createUUID()#","ts_ms":#dateDiff("s", dateConvert("utc2Local", "January 1 1970 00:00"), now())#}';
  secret_key_hash = hash(secret_key, "SHA", "UTF-8");
  secret_key_binary = binaryDecode(secret_key_hash, "hex");
  secret_key_aes = arraySlice(secret_key_binary, 1, 16);
  secret_key_base64 = binaryEncode(javacast("byte[]", secret_key_aes), "base64");
  secure_token = Encrypt(json_token, secret_key_base64, "AES/ECB/PKCS5Padding", "base64");

We use ColdFusion 9 on Java 1.7; the arraySlice method is not available, nor is the underlying java subList(). So we are using the arraySlice UDF from cflib.org.

I also saw comments on the PHP implementation about URL encoding, so I tried this at the end as well, with no effect:

  secure_token = Replace(secure_token, "=", "", "ALL");
  secure_token = Replace(secure_token, "+", "-", "ALL");
  secure_token = Replace(secure_token, "/", "_", "ALL");
+2
1 answer

NB: Posting this as I had already written it before the question was closed. Though in future, please include the code you tried in the question. That would help clarify the problem (and probably avoid it being closed as "too broad").

no understanding of how the token is encrypted

If you're just stuck on the encryption part, it looks like standard AES encryption (ECB mode with PKCS5Padding) from the Java example. The only tricky part is the handling of the encryption key.

  byte[] key = siteSecret.getBytes("UTF-8");
  key = Arrays.copyOf(MessageDigest.getInstance("SHA").digest(key), 16);

In the Java code, the getKey() method decodes the key string and hashes it using SHA1, which produces 20 bytes (or 160 bits). Since that is not a valid AES key size, the code grabs the first sixteen (16) bytes to use as the 128-bit AES encryption key. The rest of the Java code is just basic AES encryption, which you can easily reproduce in CF using the encrypt() function.

To replicate the encryption in CF:

  • Hash the secretKey string:

    hashAsHex = hash(secretKey, "SHA", "UTF-8");

  • Then decode the hash into binary so you can extract the first sixteen (16) bytes. That gives the 128-bit AES encryption key (in binary form):

    hashAsBinary = binaryDecode(hashAsHex, "hex");
    keyBytes = arraySlice(hashAsBinary, 1, 16);

  • Now just convert the key bytes to a base64 string and pass it to the encrypt() function:

    keyAsBase64 = binaryEncode(javacast("byte[]", keyBytes), "base64");
    token = encrypt(jsonToken, keyAsBase64, "AES/ECB/PKCS5Padding", "base64");

That's it. I will leave you to figure out the rest yourself.

+3
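The three steps from the answer, assembled into one runnable CFML script as an added example (this is editor-supplied code, not code from the question, the answer or Google). It derives the AES-128 key from the site secret (SHA-1, first 16 bytes), builds the JSON token, encrypts with AES/ECB/PKCS5Padding, and applies the URL-safe base64 replacements the question tried. It avoids the arraySlice UDF by calling java.util.Arrays.copyOf, the same call the Java sample uses, so it works on ColdFusion 9 without extra libraries. The function names and the placeholder secret are assumptions made for the example.

```cfml
<cfscript>
// Added example: reCAPTCHA secure-token construction in CFML.
// Function names (deriveAesKeyBase64, buildSecureToken) are assumed for this example.

function deriveAesKeyBase64(required string siteSecret) {
    // SHA-1 of the UTF-8 secret yields 20 bytes; AES-128 needs exactly 16,
    // so keep the first 16 bytes, as the Java sample does with Arrays.copyOf.
    var hashAsBinary = binaryDecode(hash(arguments.siteSecret, "SHA", "UTF-8"), "hex");
    var keyBytes = createObject("java", "java.util.Arrays")
                       .copyOf(javacast("byte[]", hashAsBinary), javacast("int", 16));
    // encrypt() expects the key as a base64 string
    return binaryEncode(keyBytes, "base64");
}

function buildSecureToken(required string siteSecret) {
    // ts_ms is milliseconds since the Unix epoch (System.currentTimeMillis in Java),
    // not seconds; a seconds value is one common reason a token is rejected.
    var tsMs = createObject("java", "java.lang.System").currentTimeMillis();
    var jsonToken = '{"session_id":"#createUUID()#","ts_ms":#tsMs#}';
    var keyAsBase64 = deriveAesKeyBase64(arguments.siteSecret);
    var token = encrypt(jsonToken, keyAsBase64, "AES/ECB/PKCS5Padding", "base64");

    // URL-safe base64 without padding, the same replacements the question applied
    token = replace(token, "+", "-", "all");
    token = replace(token, "/", "_", "all");
    token = replace(token, "=", "", "all");
    return token;
}

// Constructed placeholder secret for demonstration only; use the real site secret.
secureToken = buildSecureToken("example-site-secret-placeholder");
writeOutput(secureToken);
</cfscript>
```

Because ECB mode with a fixed key is deterministic, two tokens built from the same session_id and ts_ms encrypt to the same ciphertext; the fresh UUID and millisecond timestamp are what make each token unique. To check your CF output against the Java sample, feed both the same fixed JSON string and compare the base64 result before the URL-safe replacements.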
