ColdFusion Hash

I am trying to create a password digest using this formula with the following variables, and my code just doesn't work. Not sure what I'm doing wrong, but I admit that I need help. Hope someone out there can help.

  • Formula from the documentation: Base64(SHA1(NONCE + TIMESTAMP + SHA1(PASSWORD)))

  • The correct answer to the password digest is: +LzcaRc+ndGAcZIXmq/N7xGes+k=

ColdFusion Code:

    <cfSet PW = "AMADEUS">
    <cfSet TS = "2015-09-30T14:12:15Z">
    <cfSet NONCE = "secretnonce10111">
    <cfDump var="#ToBase64(Hash(NONCE & TS & Hash(PW,'SHA-1'),'SHA-1'))#">

My code output:

 Njk0MEY3MDc0NUYyOEE1MDMwRURGRkNGNTVGOTcyMUI4OUMxM0U0Qg== 

I obviously am doing something wrong, but for the life of me I cannot understand it. Anyone? Bueller?

+7
coldfusion hash sha1 coldfusion-10 amadeus
1 answer

The most interesting thing about hashing is that even if you start with the correct strings, the result can still be completely wrong if those strings are combined / encoded / decoded incorrectly.

The biggest problem is that most of these functions actually work with the binary representation of the input strings. So how those strings are decoded is of great importance. Notice that the same string generates completely different binary when decoded as UTF-8 and as hex. This means that the results of Hash, ToBase64, etc. will also be completely different.

    // Result: UTF-8: 65-65-68-69
    writeOutput("<br>UTF-8: "& arrayToList(charsetDecode("AADE", "UTF-8"), "-"));
    // Result: HEX: -86--34
    writeOutput("<br>HEX: "& arrayToList(binaryDecode("AADE", "HEX"), "-"));

Possible Solution:

The problem with the current code is that ToBase64() assumes the input string is encoded as UTF-8, while Hash() actually returns a hexadecimal string. Therefore, ToBase64() decodes it incorrectly. Instead, use binaryDecode and binaryEncode to convert the hash from hex to base64:

    resultAsHex = Hash( NONCE & TS & Hash(PW,"SHA-1"), "SHA-1");
    resultAsBase64 = binaryEncode(binaryDecode(resultAsHex, "HEX"), "base64");
    writeDump(resultAsBase64);

More reliable solution:

Having said that, be very careful with string concatenation and hashing, because it does not always give the expected results. Without knowing more about this particular API, I cannot fully understand what it expects. However, it is generally safer to work with binary values only. Unfortunately, the CF ArrayAppend() function does not support binary arrays, but you can easily use the Apache ArrayUtils class that is bundled with CF.

    ArrayUtils = createObject("java", "org.apache.commons.lang.ArrayUtils");

    // Combine binary of NONCE + TS
    nonceBytes = charsetDecode(NONCE, "UTF-8");
    timeBytes = charsetDecode(TS, "UTF-8");
    combinedBytes = ArrayUtils.addAll(nonceBytes, timeBytes);

    // Combine with binary of SECRET
    secretBytes = binaryDecode( Hash(PW,"SHA-1"), "HEX");
    combinedBytes = ArrayUtils.addAll(combinedBytes, secretBytes);

    // Finally, HASH the binary and convert to base64
    resultAsHex = hash(combinedBytes, "SHA-1");
    resultAsBase64 = binaryEncode(binaryDecode(resultAsHex, "hex"), "base64");
    writeDump(resultAsBase64);
+6
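
The three encodings discussed in this thread, reproduced in Python as an added cross-check (this is not code from the question or the answer). The function names are hypothetical, ColdFusion's uppercase-hex `Hash()` output is emulated with `.hex().upper()`, and all strings are assumed to be UTF-8.

```python
import base64
import hashlib

# Inputs and reference values quoted in the question above.
PW, TS, NONCE = "AMADEUS", "2015-09-30T14:12:15Z", "secretnonce10111"
EXPECTED = "+LzcaRc+ndGAcZIXmq/N7xGes+k="
ASKER_OUTPUT = "Njk0MEY3MDc0NUYyOEE1MDMwRURGRkNGNTVGOTcyMUI4OUMxM0U0Qg=="

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def digest_hex_text(pw, ts, nonce):
    """Question's code: base64 applied to the hex *text* of the outer hash."""
    inner = sha1(pw.encode()).hex().upper()  # emulates CF Hash() output
    outer = sha1((nonce + ts + inner).encode()).hex().upper()
    return base64.b64encode(outer.encode()).decode()

def digest_hex_concat(pw, ts, nonce):
    """Answer's first fix: same concatenation, outer hash as raw bytes."""
    inner = sha1(pw.encode()).hex().upper()
    return base64.b64encode(sha1((nonce + ts + inner).encode())).decode()

def digest_all_binary(pw, ts, nonce):
    """Answer's second approach: concatenate bytes, inner hash included."""
    combined = nonce.encode() + ts.encode() + sha1(pw.encode())
    return base64.b64encode(sha1(combined)).decode()

def diagnose(b64_value):
    """Classify a base64 digest as 'raw-sha1', 'hex-text' or 'unknown'."""
    raw = base64.b64decode(b64_value, validate=True)
    if len(raw) == 20:
        return "raw-sha1"
    if len(raw) == 40 and all(c in b"0123456789abcdefABCDEF" for c in raw):
        return "hex-text"
    return "unknown"

def repair(b64_value):
    """Re-encode a 'hex-text' value as base64 of the raw digest bytes."""
    hex_text = base64.b64decode(b64_value).decode()
    return base64.b64encode(bytes.fromhex(hex_text)).decode()

if __name__ == "__main__":
    print("asker output:", diagnose(ASKER_OUTPUT), "->", repair(ASKER_OUTPUT))
    for fn in (digest_hex_text, digest_hex_concat, digest_all_binary):
        out = fn(PW, TS, NONCE)
        print(f"{fn.__name__:18} {diagnose(out):9} {out} match={out == EXPECTED}")
```

A 56-character result that decodes to 40 hex characters is the signature of encoding the hex text rather than the 20 raw digest bytes; `repair()` undoes only that step, so the concatenation inputs still have to match what the API expects.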