如何使用PHP生成Google ReCaptcha V2安全令牌？ [英] How to generate a Google ReCaptcha V2 secure token with PHP?

问题描述

我正在为ReCaptcha V2生成一个安全令牌，如下所述：
https：// developers.google.com/recaptcha/docs/secure_token

I'm trying to generate a secure token for ReCaptcha V2, as described here: https://developers.google.com/recaptcha/docs/secure_token

不幸的是，我生成的stoken无效，我找不到一个方法来检查为什么它不工作有一个工作的Java示例（ STokenUtils .java ），
，但我发现自己无法将其翻译成PHP。

Unfortunately, my generated stoken isn't valid and I can't find a way to check why it doesn't work. There is a working Java example (STokenUtils.java), but I find myself unable to translate it to PHP.

public static function generateSecurityToken($secretKey){
    $stoken = array(
        'session_id' => session_id(),
        'ts_ms' => round(microtime(true)*1000)
    );
    $secretKey = self::pkcs5_pad(hash('sha1', $secretKey), 16);
    $stoken_json = json_encode($stoken);
    $stoken_crypt = self::encrypt(self::pkcs5_pad($stoken_json, 16), $secretKey);
    return $stoken_crypt;
}

public static function encrypt($sStr, $sKey) {
    return base64_encode(
        mcrypt_encrypt(
            MCRYPT_RIJNDAEL_128, 
            base64_decode($sKey),
            $sStr,
            MCRYPT_MODE_ECB
        )
    );
}

public static function pkcs5_pad ($text, $blocksize) { 
    $pad = $blocksize - (strlen($text) % $blocksize); 
    return $text . str_repeat(chr($pad), $pad); 
}

任何人都可以提供一个工作的PHP示例，或指出我的代码中的任何明显的错误？

Can anybody provide a working PHP example or point out any obvious mistakes in my code?

推荐答案

您的代码中有一些问题。首先，当实现需要SHA1哈希的第一个十六个字节时，您的 $ secretKey 值被计算为填充的SHA1哈希值。

There are a number of problems in your code. First, your $secretKey value is computed as a padded SHA1 hash when the implementation requires the first sixteen bytes of the SHA1 hash.

$secretKey = substr(hash('sha1', $secretKey, true), 0, 16);

其次，您正在尝试执行秘密密钥的base64解码，这在这里无效。 mcrypt_encrypt（）的第二个参数应为 $ sKey ，而不是 base64_decode（$ sKey） 。

Second, you are trying to perform a base64 decode of the secret key, which is not valid here. The second argument to mcrypt_encrypt() should be $sKey, not base64_decode($sKey).

最后，如x77686d的答案中所述，您应该使用URL安全base64。这是base64的一个变体，它是未添加的，不使用 + 或 / 字符。相反，在他们的地方使用 - 和 _ 字符。

Finally, as explained in x77686d's answer, you should be using an "URL-safe" base64. That is a variation of base64 that is unpadded and does not use the + or / characters. Instead, the - and _ characters are used in their places.

ReCaptcha的安全令牌有点痛苦，老实说。它们是不安全的，算法是无证的。我一直和你一样，需要一个实现，所以我写了一个，并发表在<一个href =https://packagist.org/packages/slushie/recaptcha-secure-token> Packagist为slushie / recaptcha-secure-token。我建议使用它和/或贡献，只是因为缺少这种算法的替代实现。

ReCaptcha's secure tokens are a bit of a pain, honestly. They are insecure and the algorithm is undocumented. I've been in the same position as you and needed an implementation, so I wrote one and published it on Packagist as "slushie/recaptcha-secure-token". I'd recommend using it and/or contributing, if only because of the lack of alternative implementations of this algorithm.

这篇关于如何使用PHP生成Google ReCaptcha V2安全令牌？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！