current community

your communities

more stack exchange communities

Stack Exchange
tour help
stack overflow careers
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 0 down vote favorite

I created a Symfony2 application using FOSUserBundle and FOSRestBundle. I'd like to connect other application with my Symfony application using rest api. I need to write the Symfony password encoder function in Javascript. Actually in PHP, it goes like:

$salt = "secret";
$password = "azerty";
$salted = $password.'{'.$salt.'}';
$digest = hash('sha512', $salted, true);

for ($i = 1; $i < 5000; $i++) {
    $digest = hash('sha512', $digest.$salted, true);
}
$digest = base64_encode($digest);

return $digest;

In Javascript, I tried to use CryptoJS library. My code is:

var salt = 'secret',
    password = 'azerty',
    salted = password + '{' + salt + '}'
    digest = CryptoJS.SHA512(salted);

for (var i=1; i<5000; i++) {
    digest = CryptoJS.SHA512(digest+salted);
}

digest = digest.toString(CryptoJS.enc.Base64);

return digest;

But guess what ? It does not work and i don't know why. Can anyone help please ? :)

Regards, Colzak.

share|improve this question
2  
What does It does not work mean? –  Xatenev Sep 19 at 7:25
    
Yeah sorry, I should have say, the digest returned are not the same. PHP returns ZBNCDQnUk31GBE5y10AG5MUbEzsN9kNGmiORRMTss+DiwtDtRaFJwjoMJQFp7mMTfgvrm8GrUx0q87hm‌​YNYihw== And Javascript returns q2lsiVES6m+Bxmzz87jk5z8epHE+jcd8tfIcIBWVx3KBuke+F9HuaahTHkhvqJDNASxw5mFEWgc2eng4‌​4Z8yKA== –  Colzak Sep 19 at 7:36
    
@Colzak: What are you actually trying to accomplish? That looks really frightening. –  lxg Sep 19 at 10:00
    
@lxg I wanted to copy the password encode function of Symfony to avoid sending the user's password through the api call. On the client side, I get the user's password salt only, so when he type his password, I generate the corresponding hash, which is sent to the server and compared to the one in db. By doing this, the password is never transmitted through the api calls. –  Colzak Sep 19 at 12:25
    
Anyway, I guess there is no solution to this problem. In other language (like java) I saw a working example but in Javascript it's a bit more complex I guess. Maybe instead of doing this, I could just base64_encode the password and send it through https... idk. –  Colzak Sep 19 at 12:30

2 Answers 2

up vote 1 down vote

Ok @timothymctim 's response helped me. Actually, I think it's an issue about character encoding. Here's a (strange) solution :

The PHP:

$salt = "secret";
$password = "azerty";
$salted = $password.'{'.$salt.'}';
$digest = hash('sha512', $salted, true);

for ($i = 1; $i < 5000; $i++) {
    $digest = hash('sha512', utf8_encode($digest).$salted, true);
}
$digest = base64_encode($digest);

return $digest;

And the Javascript :

var salt = 'secret',
password = 'azerty',
salted = password + '{' + salt + '}'
digest = CryptoJS.SHA512(salted);

for (var i=1; i<5000; i++) {
    digest = CryptoJS.SHA512(digest.toString(CryptoJS.enc.Latin1)+salted);
}

digest = digest.toString(CryptoJS.enc.Base64);

return digest;

I don't know what to think. Thanks anyway everybody who helped !

share|improve this answer
up vote 0 down vote

It doesn't work because "[t]he hash you get back isn't a string yet. It's a WordArray object. When you use a WordArray object in a string context, it's automatically converted to a hex string." (source) By using digest = CryptoJS.SHA512(digest+salted); digest is converted into a hex string. If you change your PHP code to

$salt = "secret";
$password = "azerty";
$salted = $password.'{'.$salt.'}';
$digest = hash('sha512', $salted, false);

for ($i = 1; $i < 5000; $i++) {
    $digest = hash('sha512', $digest.$salted, false);
}

return $digest;

and return the digest as a hex string (digest + '' or digest.toString(CryptoJS.enc.Hex) will do) it will work. I'm not sure how to change the JavaScript code to match the original PHP code though.

share|improve this answer
    
Thanks for the response. I got what you meant, but unfortunately, I need to let the php function as it is. I don't know if any solution exists. I'll try few more things, but I guess I will have to do another way. –  Colzak Sep 19 at 12:27

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.