|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
/** |
|
4
|
|
|
* Copyright 2014 SURFnet bv |
|
5
|
|
|
* |
|
6
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); |
|
7
|
|
|
* you may not use this file except in compliance with the License. |
|
8
|
|
|
* You may obtain a copy of the License at |
|
9
|
|
|
* |
|
10
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0 |
|
11
|
|
|
* |
|
12
|
|
|
* Unless required by applicable law or agreed to in writing, software |
|
13
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS, |
|
14
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
15
|
|
|
* See the License for the specific language governing permissions and |
|
16
|
|
|
* limitations under the License. |
|
17
|
|
|
*/ |
|
18
|
|
|
|
|
19
|
|
|
namespace Surfnet\StepupBundle\Security; |
|
20
|
|
|
|
|
21
|
|
|
use Surfnet\StepupBundle\Exception\InvalidArgumentException; |
|
22
|
|
|
use Surfnet\StepupBundle\Security\Exception\OtpGenerationRuntimeException; |
|
23
|
|
|
|
|
24
|
|
|
/** |
|
25
|
|
|
* A stand-alone class for securely generating OTPs. |
|
26
|
|
|
*/ |
|
27
|
|
|
final class OtpGenerator |
|
28
|
|
|
{ |
|
29
|
|
|
/** |
|
30
|
|
|
* The characters used in the OTP. Must be a power of two characters long to ensure all characters have equal chance |
|
31
|
|
|
* of being included. |
|
32
|
|
|
*/ |
|
33
|
|
|
const CHARACTER_SET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; |
|
34
|
|
|
|
|
35
|
|
|
/** |
|
36
|
|
|
* The 32 possible characters in the Base32 alphabet can be represented in exactly 5 bits |
|
37
|
|
|
*/ |
|
38
|
|
|
const BITS_PER_CHARACTER = 5; |
|
39
|
|
|
|
|
40
|
|
|
/** |
|
41
|
|
|
* Securely generate an arbitrary length OTP containing only characters from the OtpGenerator::CHARACTER_SET constant. |
|
42
|
|
|
* Based on https://gist.github.com/pmeulen/3dff8bab3227ed340dd1 |
|
43
|
|
|
* |
|
44
|
|
|
* @param int $length The length of the OTP to generate |
|
45
|
|
|
* @return string |
|
46
|
|
|
* @throws OtpGenerationRuntimeException |
|
47
|
|
|
*/ |
|
48
|
|
|
public static function generate($length) |
|
49
|
|
|
{ |
|
50
|
|
|
if (!is_int($length)) { |
|
51
|
|
|
throw InvalidArgumentException::invalidType('int', 'length', $length); |
|
52
|
|
|
} |
|
53
|
|
|
|
|
54
|
|
|
if ($length <= 0) { |
|
55
|
|
|
throw new InvalidArgumentException('Expected positive integer $length'); |
|
56
|
|
|
} |
|
57
|
|
|
|
|
58
|
|
|
$bitsPerValue = self::BITS_PER_CHARACTER; |
|
59
|
|
|
$randomBytesRequired = (int) ceil($length * $bitsPerValue / 8); |
|
60
|
|
|
$cryptoStrong = false; |
|
61
|
|
|
$randomBytes = openssl_random_pseudo_bytes($randomBytesRequired, $cryptoStrong); // Generate random bytes |
|
62
|
|
|
|
|
63
|
|
|
if ($cryptoStrong === false) { |
|
64
|
|
|
throw new OtpGenerationRuntimeException('openssl_random_pseudo_bytes() is not cryptographically strong'); |
|
65
|
|
|
} |
|
66
|
|
|
|
|
67
|
|
|
if ($randomBytes === false) { |
|
68
|
|
|
throw new OtpGenerationRuntimeException('openssl_random_pseudo_bytes() failed'); |
|
69
|
|
|
} |
|
70
|
|
|
|
|
71
|
|
|
// Transform each byte $random_bytes into $random_bits where each byte |
|
72
|
|
|
// is converted to its 8 character ASCII binary representation. |
|
73
|
|
|
// This allows us to work with the individual bits using the php string functions |
|
74
|
|
|
// Not very efficient, but easy to understand. |
|
75
|
|
|
$randomBits = ''; |
|
76
|
|
|
for ($i = 0; $i < $randomBytesRequired; $i++) { |
|
77
|
|
|
$randomBits .= str_pad(decbin(ord($randomBytes[$i])), 8, '0', STR_PAD_LEFT); |
|
78
|
|
|
} |
|
79
|
|
|
|
|
80
|
|
|
// Get 'bits' form $random_bits string in blocks of 5 bits, convert bits to value [0..32> and use |
|
81
|
|
|
// this as offset in self::CHARACTER_SET to pick the character |
|
82
|
|
|
$password = ''; |
|
83
|
|
|
for ($i = 0; $i < $length; $i++) { |
|
84
|
|
|
$randomValueBin = substr($randomBits, $i * $bitsPerValue, $bitsPerValue); |
|
85
|
|
|
|
|
86
|
|
|
$password .= substr(self::CHARACTER_SET, bindec($randomValueBin), 1); |
|
87
|
|
|
} |
|
88
|
|
|
|
|
89
|
|
|
return $password; |
|
90
|
|
|
} |
|
91
|
|
|
} |
|
92
|
|
|
|
OpenConext /
Stepup-bundle
