I’ve run into this problem twice now; I needed SHA encryption or an MD5 hash in classic ASP. iDeal for example need it, and so does Amazon’s S3 service. Of course there are a lot of programming languages with examples in the documentation of iDeal and Amazon, but none for classic ASP.
Twice is once too many for me, so I took a javascript-implementation of SHA1 and MD5 and baked them into a WSC for my fellow ASP programmers. The javascript implementation isn’t mine, but Paul Johnston’s, detailed descriptions of it’s inner workings are here.
There already is a solution in which the javascript code is included into an ASP page, but IMHO there is a better way. So here is the WSC. For people unfamiliar with WSC’s in classic ASP;
A WSC is a Windows Scripting Component, a shared component like an OCX or a DLL, but written in an interpreted language such as javascript or vbscript. The fun thing is that using WSC you can make your classic ASP code modular. Just write your components in your favorite scripting-language with all the methods and properties you need. The implementation of the SHA1 component, for example is:
<%@ Language=VBScript %>
<% Option Explicit %>
<%
Dim sha1
set sha1 = GetObject("script:"&Server.MapPath("/components/sha1.wsc"))
' set a property
sha1.hexcase = 1
Dim result
' call a function
result = sha1.hex_hmac_sha1("0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b", "Hi There")
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>test</title>
</head>
<body>
HMAC-SHA1 result: <%= result %>
</body>
</html>
<% Set sha1 = Nothing %>
This example assumes the SHA1.WSC present in the directory “/components/”.
As you can see, after initialisation, different properties and methods can be called. These correspond with the variables and functions in the original javascript code.
The second advantage is that you can use this component from any environment, not just ASP and that you don’t even have to register it in Windows. (it’s possible, but not required). This way you can run your code at any ASP webhost, even if they don’t allow you to register your own components.
Now for the links: sha1.wsc , md5.wsc
Happy programming!
Friday 18 April 2008 at 13:53 |
Hi,
Thanks for the code above. I have to admit I’m new to this, so I’m not sure how I would supply my key for encryption. Any suggestions?
Thanks!
Friday 18 April 2008 at 15:59 |
Hi Steve,
The component works exactly like the javascript code on Paul Johnston’s page, so this should work:
result = sha1.hex_hmac_sha1(“key”, “data”)
In fact, this is exactly like my example above, so just paste that into a new ASP page, make sure you have the SHA1.wsc in the correct location and try it out. You can find the documentation for the SHA1 code here: http://pajhome.org.uk/crypt/md5/instructions.html under “keyed hashes”.
You can call any of the functions that they describe there, only use the name you have given to the object as a prefix, so :
hex_hmac_sha1(“key”, “data”)
becomes:
sha1.hex_hmac_sha1(“key”, “data”)
Sunday 7 September 2008 at 21:44 |
I’m looking for a programmer with experience using Classic ASP and S3 services. Need to display photos on website from a Private Bucket and send files directly to browser for download from Private Bucket.
Please contact me if interested.
Thanks!
Wednesday 24 September 2008 at 10:37 |
Thank you for the work. At last I have something to work with!
Wednesday 19 November 2008 at 15:16 |
Please read the following article:
http://blog.rednael.com/2008/09/30/SecuringYourPasswordTransfersWithKeyedHashingHMACCramMD5.aspx
It’s a walkthrough example of implementing HMAC-MD5 / Cram-MD5 on a website. The same technique can be used for various client-server situations.
The article explains the benefits of using such a password system and shows you how to implement it using the .Net library at server side (examples in C#), and using Paj’s MD5 Javascript functions at client-side.
Thursday 1 January 2009 at 20:15 |
Seeing as how you experienced severe problems with wsc files on your server (with IE7), is there another method that can be used without using wsc files?
Friday 2 January 2009 at 09:21 |
Hi Astralis,
I actually don’t think WSC’s are the problem, but more that the vbscript.dll version 5.7 performs worse. But ofcourse, a WSC file just contains script code (in this case, jscript), so just copying the code to an ASP page or an include file (leave the XML out) should work (make sure you set the language to jscript). The only thing you would have to change are the properties of the component:
In the WSC there are some properties defined (they are just some global variables in the component), together with some getter and setter functions to change and/or read these properties. These properties are used to set up the component. You could remove the getter/setter functions and just set the variable-values directly. Your code would look something like this.
<%
‘ set a property
hexcase = 1
Dim result
‘ call a function
result = hex_hmac_sha1(“0×0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b”, “Hi There”)
%>
Friday 1 May 2009 at 02:57 |
Exactly the solution I needed. Thank you so much for providing this.
Tuesday 18 August 2009 at 10:04 |
Thank you,
This was exactly what i needed.
Kind regards,
Tim
Friday 4 September 2009 at 20:34 |
Hi
Thanks for the demo. I have it working, but how do I pass the text and the key (Is this the public or private key?) to the function as a variable instead of hard coding it?
I want to use the routine to sign text for Amazon’s AWS services.
Best regards
Andre F Bruton
Friday 4 September 2009 at 21:16 |
I managed to answer my own post above! Here is code that passes variables to the SHA1 encryptor. I also checked the final output with other encryptors and it is correct!
test
From website: http://precompiled.wordpress.com/2007/11/26/hmac-sha1-encryptie-onder-classic-asp/
HMAC-SHA1 result:
Text:
Thursday 29 October 2009 at 15:46 |
Hi precompiled,
I’m a newbie on iDeal and only know classic ASP, no .NET. And last-but-not-least didn’t see any iDeal docs yet.
But do you have a working ASP example for iDeal to share? I have to make an inventory on building a solution.
Would appreciate your help!
Cheers,
Fred
Friday 30 October 2009 at 21:12 |
Hi Fred,
I have a working implementation, but it depends very much on what iDeal method you want to use. Also, I’m not too keen on giving away the sourcecode for that :)
iDeal has different implementation methods you can use. The easiest is with a simple form. What you need to do is ask your customer to contact their bank-contact. The bank can set up iDeal and supply you with a merchant-account and documentation. Your customer needs an account with a bank that supports iDeal to be able to use it.
You need to set up that iDeal account, there you can also indicate what method you want to use.
Using the form-method, you need to generate a form with all the information of the products and the customer. One of the fields is a concatenation of a number of values you need to do a SHA1 on:
concatString = ideal_hash_key & business & subID & total_amount & purchaseID & “ideal” & timestamp_later & productString
dim sha1,idealhash
set sha1 = GetObject(“script:”&Server.MapPath(“/~components/sha1.wsc”))
hashString = concatString
idealhash = sha1.hex_sha1(concatString)
set sha1 = nothing
This should get you on your way.
Saturday 31 October 2009 at 16:43 |
A very elegant solution. Bearing in mind it seems there are no such algorithms implemented in ASP it’s just what I was looking for. Thanks!
Nice blog too. Added to my feeds!
Monday 2 November 2009 at 11:18 |
Thanks precompiled!!
I will get the documentation first.