How to use Buffer.from() with crypto.timingSafeEqual()?

Updated: 2024-10-04 13:28:37


For some reason I get

TypeError [ERR_INVALID_ARG_TYPE]: The first argument must be of type string or an instance of Buffer, ArrayBuffer, or Array or an Array-like Object. Received undefined

from the two arguments to crypto.timingSafeEqual(a, b).

I also tried

const a = Buffer.from(signature, 'utf8').toString('base64');
const b = Buffer.from(expectedSignature, 'utf8').toString('base64');

and I get the same error.

Question

Can anyone figure out why the arguments aren't buffers?

const express = require("express");
const bodyParser = require("body-parser");
const crypto = require('crypto');
const secret = "x";

const app = express();
const PORT = 8080;

app.use(bodyParser.json());

function isSigOk(request, secret) {
    // calculate the signature
    const expectedSignature = "sha256=" +
        crypto.createHmac("sha256", secret)
            .update(JSON.stringify(request.body))
            .digest("hex");

    // compare the signature against the one in the request
    const signature = request.headers["X-Hub-Signature-256"];
    const a = Buffer.from(signature);
    const b = Buffer.from(expectedSignature);
    return crypto.timingSafeEqual(a, b);
};

app.post("/", (req, res) => {
  if (isSigOk(req, secret)) {
    // Do stuff here
  } else {
    console.log('Error: Signatures does not match. Return res.status(401)');
  };
  res.status(200).end();
});

// Start express on the defined port
app.listen(PORT, () => console.log(`Github webhook listening on port ${PORT}`));

Answer:

I see two issues:

  1. The first and main one is that isSigOk assumes the "X-Hub-Signature-256" header will have a value:

    const signature = request.headers["X-Hub-Signature-256"];
    const a = Buffer.from(signature);
    

    If signature is undefined, the Buffer.from call will throw the error you quoted, because the header isn't there. In that case you probably want to return false (and perhaps skip the overhead of computing the expected signature by reordering things slightly); see the *** comments and the related lines:

    function isSigOk(request, secret) {
        // *** get the signature on this message, if any
        const signature = request.headers["X-Hub-Signature-256"];
        if (!signature) {
            // *** none
            return false;
        }
        // calculate the signature
        const expectedSignature = "sha256=" +
            crypto.createHmac("sha256", secret)
                .update(JSON.stringify(request.body))
                .digest("hex");
    
        // compare the signature against the one in the request
        const a = Buffer.from(signature);
        const b = Buffer.from(expectedSignature);
        return crypto.timingSafeEqual(a, b);
    };
    
  2. A capitalization issue. According to the Node.js documentation (Express's Request object inherits from Node.js's IncomingMessage), the names in headers are lowercase. So request.headers["X-Hub-Signature-256"] should be request.headers["x-hub-signature-256"]. (In the comments you said you got a value, but the comment used all lowercase while the code uses mixed case.) So:

    function isSigOk(request, secret) {
        // *** get the signature on this message, if any
        const signature = request.headers["x-hub-signature-256"]; // *** Lowercase
        if (!signature) {
            // *** none
            return false;
        }
        // calculate the signature
        const expectedSignature = "sha256=" +
            crypto.createHmac("sha256", secret)
                .update(JSON.stringify(request.body))
                .digest("hex");
    
        // compare the signature against the one in the request
        const a = Buffer.from(signature);
        const b = Buffer.from(expectedSignature);
        return a.length === b.length && crypto.timingSafeEqual(a, b);
    };
    

    Note the a.length === b.length && part. If the buffers are of different lengths, timingSafeEqual will throw, but we want to return false in that case.


Published: 2024-05-31 03:27:54
Article link: https://www.elefans.com/category/jswz/34/1771223.html
Tags: Buffer   crypto   timingSafeEqual
