
In my project, I need to create a secure hash string on the client (JavaScript) and send it to the server (PHP). The server checks whether the secure hash string is valid before doing anything else.

But the problem is that the secure hash string generated in JavaScript does not match the secure hash string generated in PHP.

I've already tried this related solution but it does not seem to work in my case.

Here is my PHP code:

```php
$message = '123';
$secure_secret = 'e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4';
$pack = pack('H*', $secure_secret);
$hash = hash_hmac('SHA512', $message, $pack);
var_dump('pack: ' . pack('H*', $secure_secret));
var_dump('hash: ' . $hash);
```

The above echoes these:

```
b"pack: åéú\e£\x1EÍ\x1AèOuʪGO:f?\x05ô"
"hash: 5a7c65c2d0ec43b9c5fc255f36518fa3e6083d40db848768309e272973c200c4f3085466fd852cffbd962ec54cd0bd716d0deee6d76899943875d8da56143585"
```

And here is the JavaScript code (I'm using locutus's pack function for JS):

```javascript
var message = '123';
var secure_secret = 'e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4';
var pack = pack('H*', $secure_secret);
var hash = crypto.createHmac('SHA512', pack).update(message);
console.log('pack: ' + pack);
console.log('hash: ' + hash)
```

Result:

```
pack: åéú£ÍèOuʪGO:f?ô
hash: 2ab66f2f2b79968549f2744f55ab50b6b3249812d5c45d54b7fb2b24ceb173e3437dc191150bb4d3972a81ec7ea420fb5b58d9e5d4c9ba567d85566410d7508f
```

But if I replace the $secure_secret string with a simpler string, such as '321', then the results match.

PHP:

```php
$message = '123';
$secure_secret = '321';
$pack = pack('H*', $secure_secret);
$hash = hash_hmac('SHA512', $message, $pack);
var_dump('pack: ' . pack('H*', $secure_secret));
var_dump('hash: ' . $hash);
```

Result:

```
"pack: 2\x10"
"hash: deefdd44d55c5fe786ed3f1c09e3b32f32459dd885a970fe01091fecc17ef12162080c011e58fb7cd2f420a070f48c27ba19be9b92f07081a6f7908536f3eed9"
```

JavaScript:

```javascript
var message = '123';
var secure_secret = '321';
var pack = pack('H*', $secure_secret);
var hash = crypto.createHmac('SHA512', pack).update(message);
console.log('pack: ' + pack);
console.log('hash: ' + hash)
```

Result:

```
pack: "2?"
hash: deefdd44d55c5fe786ed3f1c09e3b32f32459dd885a970fe01091fecc17ef12162080c011e58fb7cd2f420a070f48c27ba19be9b92f07081a6f7908536f3eed9
```

So how can I fix this? Thank you.

  • Looks like maybe a typo in the JS: `secure_secret` compared with `$secure_secret`. – ADyson Jul 18 '19 at 07:27
  • By the way, are you intending to deploy this JavaScript into a web page? Because if you do, then your "secure secret" will not be secret any more - anyone who loads the web page can view the JavaScript code and see the secret. You could potentially obfuscate it, but you can't hide it entirely – ADyson Jul 18 '19 at 07:29
  • Ok, I have found a way to fix this error: use the md5 function to hash the pack function, then the results will match. – Nguyễn Thành Đức Jul 19 '19 at 07:11
  • Ok. So was there a typo or not? Was that relevant? And would you like to answer my other question? – ADyson Jul 19 '19 at 07:38
  • @ADyson No, there was not a typo. Actually, I'm using Vue.js for the client, and I store the secure secret in .env, so it's kind of safe. – Nguyễn Thành Đức Jul 19 '19 at 10:44
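
Added example, not part of the original question or its comments: a Node.js sketch of why the two HMACs in the question diverge and how to feed `createHmac` the same key bytes that PHP's `pack('H*', ...)` produces. Node encodes a string key as UTF-8, so every key byte at or above 0x80 becomes two bytes, while a `Buffer` key is used as-is. The helper names are hypothetical, and `toBinaryString` assumes a string-returning `pack()` yields one character per byte.

```javascript
const crypto = require('crypto');

const SECRET_HEX = 'e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4'; // secret from the question
// PHP hash_hmac() output quoted in the question for message '123'
const PHP_DIGEST = '5a7c65c2d0ec43b9c5fc255f36518fa3e6083d40db848768309e272973c200c4' +
  'f3085466fd852cffbd962ec54cd0bd716d0deee6d76899943875d8da56143585';

// Same bytes as PHP pack('H*', hex) for even-length input. Validate first:
// Buffer.from(hex, 'hex') silently truncates at a bad or unpaired digit.
function hexToKey(hex) {
  if (!/^(?:[0-9a-fA-F]{2})+$/.test(hex)) {
    throw new Error('key must be an even-length hex string');
  }
  return Buffer.from(hex, 'hex');
}

// Assumption: a string-returning pack() yields one character per byte.
function toBinaryString(buf) {
  return buf.toString('latin1');
}

// HMAC-SHA512 as lowercase hex. A string key is encoded as UTF-8 by Node.
function hmacHex(key, message) {
  return crypto.createHmac('sha512', key).update(message, 'utf8').digest('hex');
}

// Constant-time comparison of two hex digests.
function digestsEqual(aHex, bHex) {
  const a = Buffer.from(aHex, 'hex');
  const b = Buffer.from(bHex, 'hex');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

function demo() {
  const key = hexToKey(SECRET_HEX);
  const asString = toBinaryString(key);
  const bufferDigest = hmacHex(key, '123');
  return {
    keyBytes: key.length,                                 // raw key length
    stringKeyBytes: Buffer.byteLength(asString, 'utf8'),  // length once UTF-8 encoded
    bufferDigest,                                         // key passed as bytes
    stringDigest: hmacHex(asString, '123'),               // key passed as a string
    recoveredDigest: hmacHex(Buffer.from(asString, 'latin1'), '123'),
    matchesPhpDigest: digestsEqual(bufferDigest, PHP_DIGEST),
  };
}

console.log(demo());
```

The `'321'` case in the question agrees on both sides because PHP pads the odd-length hex to the bytes `2\x10`, both below 0x80, so UTF-8 encoding leaves them unchanged. `hexToKey` rejects odd-length input rather than guessing at padding.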

0 Answers