Creating a Google reCAPTCHA 'secure token' in ColdFusion


Question


Google allows you to create a 'secure token' for reCAPTCHA which means you can use the same key/secret across multiple domains. No need to create key/secrets for every domain you look after.

Here are their docs; as you can see, they offer no insight into how the token is encrypted other than an example in Java. My question is how this would be written in ColdFusion. I've had a crack at it for 4 hours, but just can't get it to work. Other examples I've reviewed:

Any ColdFusion encryption gurus out there know how to do this?

UPDATE

Thanks Leigh, I think we're further along but still seeing 'invalid stoken'. Here's what I have:

    json_token = '{"session_id":"#createUUID()#","ts_ms":#dateDiff("s", dateConvert("utc2Local", "January 1 1970 00:00"), now())#}';
    // dateDiff("s", ...) yields whole seconds since the epoch, although the field is named ts_ms
    secret_key_hash = hash(secret_key, "SHA", "UTF-8");            // SHA-1 hex digest of the site secret
    secret_key_binary = binaryDecode(secret_key_hash, "hex");      // 20 bytes
    secret_key_aes = arraySlice(secret_key_binary, 1, 16);         // first 16 bytes = 128-bit AES key
    secret_key_base64 = binaryEncode(javacast("byte[]", secret_key_aes), "base64");
    secure_token = Encrypt(json_token, secret_key_base64, "AES/ECB/PKCS5Padding", "base64");

We're using ColdFusion 9 on Java 1.7, where neither the arraySlice method nor the underlying Java .subList() is available. So we're using the arraySlice UDF from cflib.org.

I've also seen comments on the PHP implementation about URL encoding, so I've also tried this at the end, to no effect:

    secure_token = Replace(secure_token,"=","","ALL");
    secure_token = Replace(secure_token,"+","-","ALL");
    secure_token = Replace(secure_token,"/","_","ALL");

Solution

NB: Posting this since I had already written it before the question was closed. Though in future, please include the code you have tried within the question. It would have helped clarify the issue (and probably avoided it being closed as "too broad").

"no insight on how the token is encrypted"

If you are only stuck on the encryption part, it looks like standard AES encryption (ECB mode and PKCS5Padding) from the java example. The only tricky part is the handling of the encryption key.

    byte[] key = siteSecret.getBytes("UTF-8");
    key = Arrays.copyOf(MessageDigest.getInstance("SHA").digest(key), 16);

In the java code, the getKey() method decodes the key string and hashes it using SHA1, which produces 20 bytes (or 160 bits). Since that is not a valid AES key size, the code grabs the first sixteen (16) bytes to use as a 128 bit AES encryption key. The rest of the java code is just basic AES encryption, which you can easily reproduce in CF using the encrypt() function.

To replicate the encryption in CF:

  1. Hash the secretKey string

    hashAsHex = hash(secretKey, "SHA", "UTF-8");

  2. Then decode the hash into binary, so you can extract the first sixteen (16) bytes. That gives you the 128 bit AES encryption key (in binary form):

    hashAsBinary = binaryDecode(hashAsHex, "hex");
    keyBytes = arraySlice(hashAsBinary, 1, 16);

  3. Now simply convert the key bytes into a base64 string, and pass it into the encrypt() function:

    keyAsBase64 = binaryEncode(javacast("byte[]", keyBytes), "base64");
    token = encrypt(jsonToken, keyAsBase64, "AES/ECB/PKCS5Padding", "base64");

That is it. I will leave you to figure out the rest on your own.
