Creating a Google reCAPTCHA 'secure token' in ColdFusion


Question



Google allows you to create a 'secure token' for reCAPTCHA, which means you can use the same key/secret across multiple domains. No need to create key/secrets for every domain you look after.

Here are their docs; as you can see, they have no insight on how the token is encrypted other than an example in Java. My question is how this would be written in ColdFusion. I've had a crack at it for 4 hours, but just can't get it to work. Other examples I've reviewed:

Any ColdFusion encryption gurus out there know how to do this?

UPDATE

Thanks Leigh, think we're further along but still seeing 'invalid stoken'. Here's what I have:

    // JSON payload: a session id plus a timestamp
    json_token = '{"session_id":"#createUUID()#","ts_ms":#dateDiff("s", dateConvert("utc2Local", "January 1 1970 00:00"), now())#}';
    // SHA-1 of the secret, returned by hash() as a hex string
    secret_key_hash = hash(secret_key, "SHA", "UTF-8");
    // decode to binary and keep the first 16 bytes as the AES-128 key
    secret_key_binary = binaryDecode(secret_key_hash, "hex");
    secret_key_aes = arraySlice(secret_key_binary, 1, 16);
    // encrypt() expects the key as a base64 string
    secret_key_base64 = binaryEncode(javacast("byte[]", secret_key_aes), "base64");
    secure_token = Encrypt(json_token, secret_key_base64, "AES/ECB/PKCS5Padding", "base64");

We're using ColdFusion 9 on Java 1.7; the arraySlice method isn't available, nor is the underlying Java .subList(). So we're using the arraySlice UDF from cflib.org.

I've also seen comments on the PHP implementation about URL encoding, so I've also tried this at the end, with no effect:

    // make the base64 output URL-safe: drop padding, swap '+' and '/'
    secure_token = Replace(secure_token, "=", "", "ALL");
    secure_token = Replace(secure_token, "+", "-", "ALL");
    secure_token = Replace(secure_token, "/", "_", "ALL");

Solution

NB: Posting this since I had already written it before the question was closed. Though in future, please include the code you have tried within the question. It would have helped clarify the issue (and probably avoided it being closed as "too broad").

> no insight on how the token is encrypted

If you are only stuck on the encryption part, it looks like standard AES encryption (ECB mode and PKCS5Padding) from the Java example. The only tricky part is the handling of the encryption key.

    // SHA-1 digest of the UTF-8 secret (20 bytes), truncated to 16 bytes
    byte[] key = siteSecret.getBytes("UTF-8");
    key = Arrays.copyOf(MessageDigest.getInstance("SHA").digest(key), 16);

In the Java code, the getKey() method decodes the key string and hashes it using SHA1, which produces 20 bytes (or 160 bits). Since that is not a valid AES key size, the code grabs the first sixteen (16) bytes to use as a 128 bit AES encryption key. The rest of the Java code is just basic AES encryption, which you can easily reproduce in CF using the encrypt() function.

To replicate the encryption in CF:

1. Hash the secretKey string:

    hashAsHex = hash(secretKey, "SHA", "UTF-8");

2. Then decode the hash into binary, so you can extract the first sixteen (16) bytes. That gives you the 128 bit AES encryption key (in binary form):

    hashAsBinary = binaryDecode(hashAsHex, "hex");
    keyBytes = arraySlice(hashAsBinary, 1, 16);

3. Now simply convert the key bytes into a base64 string, and pass it into the encrypt() function:

    keyAsBase64 = binaryEncode(javacast("byte[]", keyBytes), "base64");
    token = encrypt(jsonToken, keyAsBase64, "AES/ECB/PKCS5Padding", "base64");

That is it. I will leave you to figure out the rest on your own.
