
When using the following JavaScript code:

```
var username = "TEST";
var password = "test";
var key = "6591bbcb28880da7e7b91154ec39a9d5";

var latin_parsed = CryptoJS.enc.Latin1.parse(password + username);
var message = CryptoJS.SHA1(latin_parsed);
var key_hex = CryptoJS.enc.Hex.parse(key);
var hash_password = CryptoJS.HmacSHA1(message, key_hex);
var hash_password_hex = hash_password.toString(CryptoJS.enc.Hex);

// Above code gives this output:
// hash_password_hex == "2f0dc5257278493636a30fe5d3eeda43f4d8d8c1"
```

A live example can be seen here: https://jsfiddle.net/Ld7469vh/

I have tried with the following Python code, but the hashes are not similar.

https://gist.github.com/heskyji/5167567b64cb92a910a3

But the hashes are not similar. It seems like CryptoJS returns WordsArray and not strings. So my issue might rely on that difference, but I am not sure how to create a 1:1 solution in Python.

1 Answer


Python uses bytes for most encryption/byte related operations. Conversion from hex and back is done with bytes.hex and bytes.fromhex.

You can read more on the docs about hashlib and hmac. They both follow the same general format, which is to create the object (and optionally update it with the data, or do it immediately as shown below) and get the digest of it.

```
# these are both built in
import hashlib
import hmac

username = "TEST"
password = "test"
string_key = "6591bbcb28880da7e7b91154ec39a9d5"

latin_parsed = (password + username).encode('utf-8')  # this is now `bytes`
message = hashlib.sha1(latin_parsed).digest()  # sha1 of latin_parsed
key = bytes.fromhex(string_key)  # turn it into `bytes` as well
hash_password = hmac.HMAC(key, message, hashlib.sha1).digest()  # do hmac of this with key key and message message
hash_password_hex = hash_password.hex()
print(hash_password_hex)
# 2f0dc5257278493636a30fe5d3eeda43f4d8d8c1
```

The code linked uses `signature2 = base64.urlsafe_b64encode(signature1)` as opposed to the hex string. It also does not do what you wanted - it is supposed to combine the username and password first (warning, length extension attacks) and hash it first before feeding it into the hmac.


2 Comments

Thanks @eric-jin, it works like a charm. I also tried with this version before you solved it:

```
import hashlib
import hmac

key = "6591bbcb28880da7e7b91154ec39a9d5"
username = "TEST"
password = "test"
password_username = f"{password}{username}".encode(encoding="latin_1")
m = hashlib.sha1()
m.update(password_username)
raw = m.hexdigest()
hashed = hmac.new(key.encode(), raw.encode(), hashlib.sha1)
hashed.hexdigest()
```

But it gives me this output: 3cff0641f0f224f8af4fa786e1c0197cdb75ba6a What is the big difference?

.update() does the same thing, I just do it on one line. .hexdigest() returns the output of the hash, but as a hex string instead of bytes. If you want to feed the input into more hashing, bytes is better.
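An added example, not part of the original answer or comments: it ports the question's CryptoJS chain to Python and isolates the two bytes-versus-text mix-ups in the commenter's variant (the hex key used as ASCII text, and the hex digest fed on as the message), and also shows where Latin-1 and UTF-8 encoding diverge. The function names are hypothetical and the non-ASCII password is a constructed sample.

```python
import hashlib
import hmac

KEY_HEX = "6591bbcb28880da7e7b91154ec39a9d5"  # key string from the question


def cryptojs_hash(username, password, key_hex=KEY_HEX, encoding="latin-1"):
    """HMAC-SHA1(key, SHA1(password + username)), as in the question's JavaScript."""
    # CryptoJS.enc.Latin1.parse yields one byte per character.
    data = (password + username).encode(encoding)
    inner = hashlib.sha1(data).digest()   # raw 20 bytes, not the hex text
    key = bytes.fromhex(key_hex)          # CryptoJS.enc.Hex.parse -> 16 raw bytes
    return hmac.new(key, inner, hashlib.sha1).hexdigest()


def text_key_variant(username, password, key_hex=KEY_HEX):
    """Mix-up 1 alone: the hex string used as a 32-byte ASCII key."""
    inner = hashlib.sha1((password + username).encode("latin-1")).digest()
    return hmac.new(key_hex.encode(), inner, hashlib.sha1).hexdigest()


def hex_message_variant(username, password, key_hex=KEY_HEX):
    """Mix-up 2 alone: the 40-character hexdigest used as the HMAC message."""
    inner_hex = hashlib.sha1((password + username).encode("latin-1")).hexdigest()
    key = bytes.fromhex(key_hex)
    return hmac.new(key, inner_hex.encode(), hashlib.sha1).hexdigest()


def matches(username, password, expected_hex):
    """Check a received value with a constant-time comparison."""
    return hmac.compare_digest(cryptojs_hash(username, password), expected_hex)


if __name__ == "__main__":
    print(cryptojs_hash("TEST", "test"))        # value shown in the question
    print(text_key_variant("TEST", "test"))     # differs: key bytes are different
    print(hex_message_variant("TEST", "test"))  # differs: message bytes are different
    # Constructed non-ASCII sample: "é" is one byte in Latin-1, two in UTF-8.
    print(cryptojs_hash("TEST", "t\u00e9st"))
    print(cryptojs_hash("TEST", "t\u00e9st", encoding="utf-8"))
```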
