I am facing an issue while creating a SHA1 from JavaScript and Java. The problem is that the two are different. It is used for validating the client request to the web server. That means the client sends a base64-encoded security key to the server, and the server regenerates the same key and checks that both are the same. Please find below the code for generating secret keys in the client and server.

Server

MessageDigest mDigest = null;
try {
    mDigest = MessageDigest.getInstance("SHA1");
} catch (NoSuchAlgorithmException e) {
    e.printStackTrace();
}

String input = value1 + value1 + server_key;
byte[] result = mDigest.digest(input.getBytes());
String secret = Base64.encodeToString(result, Base64.NO_WRAP);
...
//comparison logic goes here

...

Client (JavaScript)

var input = value1 + value2 + server_key;
//http://code.google.com/p/crypto-js/
var hash = CryptoJS.SHA1(input);
var encoded  = base64Encode(hash.toString());

//WEB SERVICE INVOCATION FROM JAVASCRIPT GOES HERE.

The values value1, value1, server_key will be available in both client and server. The issue we are facing is that the SHA1 generated in the client and the server does not match. I understand the issue is that in Java it's using getBytes() and in JavaScript it's using the string value for generating the SHA1. CryptoJS.SHA1 does not support a byte array as a parameter. We cannot change the server code as it is used by many client applications. Any help will be much appreciated.

In Java ->

byte[] result = mDigest.digest(input.getBytes()); 

and in JavaScript ->

var hash = CryptoJS.SHA1(input);

I believe this is the problem. In Java the parameter is a byte array and the output is also a byte array. But in JavaScript the parameter is a var (string) and the return is also a var (string). I've also compared the output of CryptoJS.SHA1 with some online SHA1 generating tools. The comparison is true. I am not an expert in this area. If you can explain more, it will be more helpful.

user867662
  • This may help: http://stackoverflow.com/questions/4895523/java-string-to-sha1. The javascript sha1 and the sha1 of the same string on the command line "echo -n "value1value2server_key" | openssl sha1" match. – John Estess Jun 16 '16 at 17:20
  • The link you've given explains the issue in Java code. But I am good with the Java code. I'm facing the issue with the JavaScript code. – user867662 Jun 16 '16 at 17:51
  • In the javascript code the hash.toString() equals the sha1 generated on the command line by using "openssl sha1" method above. Your Java method is not matching because the results from javascript and the command line are in hex. A simple solution is given in the link provided. – John Estess Jun 16 '16 at 18:50
  • In Java -> byte[] result = mDigest.digest(input.getBytes()); and in JavaScript -> var hash = CryptoJS.SHA1(input);. I believe this is the problem. In Java the parameter is a byte array and the output is also a byte array. But in JavaScript the parameter is a var (string) and the return is also a var (string). I've also compared the output of CryptoJS.SHA1 with some online SHA1 generating tools. The comparison is true. I am not an expert in this area. If you can explain more, it will be more helpful. – user867662 Jun 16 '16 at 20:03
  • "byte[] result" is never translated to the expected hex format so it's hard to check the resulting sha1 against other tools unless you create the inverse of the byteArrayToHexString (hexStringToByteArray?) in the link above in Javascript. – John Estess Jun 16 '16 at 21:03
  • Are you talking about the answer by Nishant? In that he mentioned Java code. And I am looking for an option to correct it in JavaScript. – user867662 Jun 16 '16 at 21:11
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/114882/discussion-between-user867662-and-john-estess). – user867662 Jun 16 '16 at 21:49

1 Answer

I managed to do it another way. My application is a Cordova-based application, so I generated the SHA1 and encoded it from Java and ObjC and invoked it using Cordova plugins.

user867662
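The mismatch discussed in the question and comments above, as an added Node.js example that is not part of the original thread: Base64 over the 20 raw digest bytes (what the Java side emits) next to Base64 over the 40-character hex text (what `base64Encode(hash.toString())` emits). The function names, the sample input, the UTF-8 charset and the constant-time comparison are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed sample values; the post does not show real ones.
const SAMPLE_INPUT = "user42" + "1466097600" + "example-server-key";

// Server side of the post: SHA-1 over the input bytes, then Base64 of the
// 20 raw digest bytes. UTF-8 is an assumption: Java's no-argument getBytes()
// uses the platform default charset, so non-ASCII input can differ.
function serverStyleToken(input) {
  return crypto.createHash("sha1").update(Buffer.from(input, "utf8")).digest("base64");
}

// Client side of the post: the digest is turned into 40 hex characters first,
// and Base64 is applied to that text, giving a 56-character token.
function hexThenBase64Token(input) {
  const hex = crypto.createHash("sha1").update(input, "utf8").digest("hex");
  return Buffer.from(hex, "ascii").toString("base64");
}

// Fix without touching the hash call: turn the hex text back into bytes
// before Base64. With CryptoJS the same result comes from
// CryptoJS.SHA1(input).toString(CryptoJS.enc.Base64).
function hexDigestToBase64(hex) {
  if (!/^[0-9a-fA-F]{40}$/.test(hex)) throw new Error("not a SHA-1 hex digest");
  return Buffer.from(hex, "hex").toString("base64");
}

// Hypothetical verifier-side comparison: decode both tokens and compare the
// digest bytes in constant time; a length mismatch is rejected up front
// because timingSafeEqual throws on unequal lengths.
function tokensMatch(received, expected) {
  const a = Buffer.from(received, "base64");
  const b = Buffer.from(expected, "base64");
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

const good = serverStyleToken(SAMPLE_INPUT);
const bad = hexThenBase64Token(SAMPLE_INPUT);
console.log("raw bytes -> Base64:", good, tokensMatch(good, good));
console.log("hex text  -> Base64:", bad, tokensMatch(bad, good));
```
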