开发者

How to reliably hash JavaScript objects?

Is there a reliable way to JSON.stringify a JavaScript object that guarantees that the ceated JSON string is the same across all browsers, Node.js and so on, given that the JavaScript object is the same?

I want to hash JavaScript objects like

{
  signed_data: object_to_sign,
  signature:   md5(JSON.stringify(ob开发者_如何学JAVAject_to_sign) + secret_code)
}

and pass them around across web applications (e.g. Python and Node.js) and the user so that the user can authenticate against one service and show the next service "signed data" for that one to check if the data is authentic.

However, I came across the problem that JSON.stringify is not really unique across the implementations:

  • In Node.js / V8, JSON.stringify returns a JSON string without unnecessary whitespace, such as '{"user_id":3}.
  • Python's simplejson.dumps leaves some whitespace, e.g. '{"user_id": 3}'
  • Probably other stringify implementations might deal differently with whitespace, the order of attributes, or whatever.

Is there a reliable cross-platform stringify method? Is there a "nomalised JSON"?

Would you recommend other ways to hash objects like this?

UPDATE:

This is what I use as a workaround:

normalised_json_data = JSON.stringify(object_to_sign)
{
  signed_data: normalised_json_data,
  signature:   md5(normalised_json_data + secret_code)
}

So in this approach, not the object itself, but its JSON representation (which is specific to the sigining platform) is signed. This works well because what I sign now is an unambiguous string and I can easily JSON.parse the data after I have checked the signature hash.

The drawback here is that if I send the whole {signed_data, signature} object as JSON around as well, I have to call JSON.parse twice and it does not look as nice because the inner one gets escaped:

{"signature": "1c3763890298f5711c8b2ea4eb4c8833", "signed_data": "{\"user_id\":5}"}


You might be interested in npm package object-hash, which seems to have a rather good activity & reliability level.

var hash = require('object-hash');

var testobj1 = {a: 1, b: 2};
var testobj2 = {b: 2, a: 1};
var testobj3 = {b: 2, a: "1"};

console.log(hash(testobj1)); // 214e9967a58b9eb94f4348d001233ab1b8b67a17
console.log(hash(testobj2)); // 214e9967a58b9eb94f4348d001233ab1b8b67a17
console.log(hash(testobj3)); // 4a575d3a96675c37ddcebabd8a1fea40bc19e862


This is an old question, but I thought I'd add a current solution to this question for any google referees.

The best way to sign and hash JSON objects now is to use JSON Web Tokens. This allows for an object to be signed, hashed and then verified by others based on the signature. It's offered for a bunch of different technologies and has an active development group.


You're asking for an implementation of something across multiple languages to be the same... you're almost certainly out of luck. You have two options:

  • check www.json.org implementations to see if they might be more standardized
  • roll your own in each language (use json.org implementations as a base and there should be VERY little work to do)


You could normalise the result of stringify() by applying rules such as:

  • remove unnecessary whitespace
  • sort attribute names in hashes
  • well-defined consistent quoting style
  • normalise string contents (so "\u0041" and "A" become the same)

This would leave you with a canonical JSON representation of your object, which you can then reliably hash.


After trying some hash algorithms and JSON-to-string methods, I found this to work the best (Sorry, it is typescript, can of course be rewritten to javascript):

// From: https://stackoverflow.com/questions/5467129/sort-javascript-object-by-key
function sortObjectKeys(obj){
    if(obj == null || obj == undefined){
        return obj;
    }
    if(typeof obj != 'object'){ // it is a primitive: number/string (in an array)
        return obj;
    }
    return Object.keys(obj).sort().reduce((acc,key)=>{
        if (Array.isArray(obj[key])){
            acc[key]=obj[key].map(sortObjectKeys);
        }
        else if (typeof obj[key] === 'object'){
            acc[key]=sortObjectKeys(obj[key]);
        }
        else{
            acc[key]=obj[key];
        }
        return acc;
    },{});
}
let xxhash64_ObjectToUniqueStringNoWhiteSpace = function(Obj : any)
{
    let SortedObject : any = sortObjectKeys(Obj);
    let jsonstring = JSON.stringify(SortedObject, function(k, v) { return v === undefined ? "undef" : v; });

    // Remove all whitespace
    let jsonstringNoWhitespace :string = jsonstring.replace(/\s+/g, '');

    let JSONBuffer: Buffer = Buffer.from(jsonstringNoWhitespace,'binary');   // encoding: encoding to use, optional.  Default is 'utf8'
    return xxhash.hash64(JSONBuffer, 0xCAFEBABE, "hex");
}

It used npm module: https://cyan4973.github.io/xxHash/ , https://www.npmjs.com/package/xxhash

The benefits:

  • This is deterministic
  • Ignores key order (preserves array order)
  • Cross platform (if you can find equivalents for JSON-stringify) JSON-stringify will hopefully will not get a different implementation and the whitespace removal will hopefully make it JSON-formatting independent.
  • 64-bit
  • Hexadecimal string a result
  • Fastest (0.021 ms for 2177 B JSON, 2.64 ms for 150 kB JSON)


You may find bencode suitable for your needs. It's cross-platform, and the encoding is guaranteed to be the same from every implementation.

The downside is it doesn't support nulls or booleans. But that may be okay for you if you do something like transforming e.g., bools -> 0|1 and nulls -> "null" before encoding.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜