Google-App-Script vs php in encoding base64

2019-08-18 03:28发布

问题:

This php code decodes the secret key before hashing with SHA 512

$API_SECRET_KEY="W0+m0Dc9GMN9yDVeq3GMDsJ49WasEhQHkNHNuDw3wNg=";
$BDAPI_SECRET_KEY=base64_decode($API_SECRET_KEY);
$HMAC_SIGN = base64_encode(hash_hmac('sha512',$MESSAGE,$BDAPI_SECRET_KEY,true));
echo $HMAC_SIGN;

BfVNi21gY09c8M18cWBRBgo1W9pAlXM99ZVoF7Kz2ETFnIuvXjj8NRvRgn/GaT/m6YJ8efsr5s9EDbIhznAaag==

I want to replicate this in google app script

var Secret = "W0+m0Dc9GMN9yDVeq3GMDsJ49WasEhQHkNHNuDw3wNg="  
var BDSecret= Utilities.base64Decode(Secret)
var hmac = Utilities.base64Encode(Utilities.computeHmacSignature(Utilities.MacAlgorithm.HMAC_SHA_512, message, BDSecret ));
    Logger.log(hmac)

ew5KhLWSJixn8zw4s6VkpYIwvGBjrmjY3LhNWZr9CVEw6W22LOGg+lVzA3uQgOVyICSCffw2bzTepnBdoYtldw==

If I do not decode the API before hashing they return the same result. But for this particular purpose, the key needs to be decoded. The message variable is just my first name "Parit" in case someone wants to replicate.

回答1:

I thought that Utilities.computeHmacSignature() might not be able to use []byte for the value. So as a workaround, how about using jsSHA? I think that in your case, you can use https://github.com/Caligatio/jsSHA/blob/master/src/sha512.js.

The flow for using jsSHA is as follows.

Flow :

  1. Download sha512.js.
  2. On script editor, create new script as for example, the filename of sha512.js.
    • Copy and paste the script of sha512.js to the created script.
  3. Copy and paste the sample script to Code.gs of the script editor.
  4. Run myFunction() of the sample script.

Sample script :

function myFunction() {
  var message = "Parit";
  var secret = "W0+m0Dc9GMN9yDVeq3GMDsJ49WasEhQHkNHNuDw3wNg=";
  var obj = new jsSHA("SHA-512", "TEXT");
  obj.setHMACKey(secret, "B64");
  obj.update(message);
  Logger.log(obj.getHMAC("B64"))
}

Note :

  • When I tested Parit for message, I got BfVNi21gY09c8M18cWBRBgo1W9pAlXM99ZVoF7Kz2ETFnIuvXjj8NRvRgn/GaT/m6YJ8efsr5s9EDbIhznAaag==.

It this was not useful for you, I'm sorry.

Update :

By the Google's update at June 19, 2018, Utilities.computeHmacSignature() got to be able to use the byte arrays. By this, using only native Google Apps Scvript, the result can be retrieved without using jsSHA. So I would like to update my answer.

Modified script :

function myFunction() {
  var message = "Parit";
  var secret = "W0+m0Dc9GMN9yDVeq3GMDsJ49WasEhQHkNHNuDw3wNg=";

  var value = Utilities.base64Decode(Utilities.base64Encode(message));
  var key = Utilities.base64Decode(secret);
  var out = Utilities.computeHmacSignature(Utilities.MacAlgorithm.HMAC_SHA_512, value, key);
  var res = Utilities.base64Encode(out)
  Logger.log(res)
}

Result :

BfVNi21gY09c8M18cWBRBgo1W9pAlXM99ZVoF7Kz2ETFnIuvXjj8NRvRgn/GaT/m6YJ8efsr5s9EDbIhznAaag==