CSecurityManager.php
10.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
<?php
/**
* This file contains classes implementing security manager feature.
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @link http://www.yiiframework.com/
* @copyright Copyright © 2008-2011 Yii Software LLC
* @license http://www.yiiframework.com/license/
*/
/**
* CSecurityManager provides private keys, hashing and encryption functions.
*
* CSecurityManager is used by Yii components and applications for security-related purpose.
* For example, it is used in cookie validation feature to prevent cookie data
* from being tampered.
*
* CSecurityManager is mainly used to protect data from being tampered and viewed.
* It can generate HMAC and encrypt the data. The private key used to generate HMAC
* is set by {@link setValidationKey ValidationKey}. The key used to encrypt data is
* specified by {@link setEncryptionKey EncryptionKey}. If the above keys are not
* explicitly set, random keys will be generated and used.
*
* To protected data with HMAC, call {@link hashData()}; and to check if the data
* is tampered, call {@link validateData()}, which will return the real data if
* it is not tampered. The algorithm used to generated HMAC is specified by
* {@link validation}.
*
* To encrypt and decrypt data, call {@link encrypt()} and {@link decrypt()}
* respectively, which uses 3DES encryption algorithm. Note, the PHP Mcrypt
* extension must be installed and loaded.
*
* CSecurityManager is a core application component that can be accessed via
* {@link CApplication::getSecurityManager()}.
*
* @property string $validationKey The private key used to generate HMAC.
* If the key is not explicitly set, a random one is generated and returned.
* @property string $encryptionKey The private key used to encrypt/decrypt data.
* If the key is not explicitly set, a random one is generated and returned.
* @property string $validation
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @version $Id$
* @package system.base
* @since 1.0
*/
class CSecurityManager extends CApplicationComponent
{
const STATE_VALIDATION_KEY='Yii.CSecurityManager.validationkey';
const STATE_ENCRYPTION_KEY='Yii.CSecurityManager.encryptionkey';
/**
* @var string the name of the hashing algorithm to be used by {@link computeHMAC}.
* See {@link http://php.net/manual/en/function.hash-algos.php hash-algos} for the list of possible
* hash algorithms. Note that if you are using PHP 5.1.1 or below, you can only use 'sha1' or 'md5'.
*
* Defaults to 'sha1', meaning using SHA1 hash algorithm.
* @since 1.1.3
*/
public $hashAlgorithm='sha1';
/**
* @var mixed the name of the crypt algorithm to be used by {@link encrypt} and {@link decrypt}.
* This will be passed as the first parameter to {@link http://php.net/manual/en/function.mcrypt-module-open.php mcrypt_module_open}.
*
* This property can also be configured as an array. In this case, the array elements will be passed in order
* as parameters to mcrypt_module_open. For example, <code>array('rijndael-256', '', 'ofb', '')</code>.
*
* Defaults to 'des', meaning using DES crypt algorithm.
* @since 1.1.3
*/
public $cryptAlgorithm='des';
private $_validationKey;
private $_encryptionKey;
private $_mbstring;
public function init()
{
parent::init();
$this->_mbstring=extension_loaded('mbstring');
}
/**
* @return string a randomly generated private key
*/
protected function generateRandomKey()
{
return sprintf('%08x%08x%08x%08x',mt_rand(),mt_rand(),mt_rand(),mt_rand());
}
/**
* @return string the private key used to generate HMAC.
* If the key is not explicitly set, a random one is generated and returned.
*/
public function getValidationKey()
{
if($this->_validationKey!==null)
return $this->_validationKey;
else
{
if(($key=Yii::app()->getGlobalState(self::STATE_VALIDATION_KEY))!==null)
$this->setValidationKey($key);
else
{
$key=$this->generateRandomKey();
$this->setValidationKey($key);
Yii::app()->setGlobalState(self::STATE_VALIDATION_KEY,$key);
}
return $this->_validationKey;
}
}
/**
* @param string $value the key used to generate HMAC
* @throws CException if the key is empty
*/
public function setValidationKey($value)
{
if(!empty($value))
$this->_validationKey=$value;
else
throw new CException(Yii::t('yii','CSecurityManager.validationKey cannot be empty.'));
}
/**
* @return string the private key used to encrypt/decrypt data.
* If the key is not explicitly set, a random one is generated and returned.
*/
public function getEncryptionKey()
{
if($this->_encryptionKey!==null)
return $this->_encryptionKey;
else
{
if(($key=Yii::app()->getGlobalState(self::STATE_ENCRYPTION_KEY))!==null)
$this->setEncryptionKey($key);
else
{
$key=$this->generateRandomKey();
$this->setEncryptionKey($key);
Yii::app()->setGlobalState(self::STATE_ENCRYPTION_KEY,$key);
}
return $this->_encryptionKey;
}
}
/**
* @param string $value the key used to encrypt/decrypt data.
* @throws CException if the key is empty
*/
public function setEncryptionKey($value)
{
if(!empty($value))
$this->_encryptionKey=$value;
else
throw new CException(Yii::t('yii','CSecurityManager.encryptionKey cannot be empty.'));
}
/**
* This method has been deprecated since version 1.1.3.
* Please use {@link hashAlgorithm} instead.
* @return string
*/
public function getValidation()
{
return $this->hashAlgorithm;
}
/**
* This method has been deprecated since version 1.1.3.
* Please use {@link hashAlgorithm} instead.
* @param string $value -
*/
public function setValidation($value)
{
$this->hashAlgorithm=$value;
}
/**
* Encrypts data.
* @param string $data data to be encrypted.
* @param string $key the decryption key. This defaults to null, meaning using {@link getEncryptionKey EncryptionKey}.
* @return string the encrypted data
* @throws CException if PHP Mcrypt extension is not loaded
*/
public function encrypt($data,$key=null)
{
$module=$this->openCryptModule();
$key=$this->substr($key===null ? md5($this->getEncryptionKey()) : $key,0,mcrypt_enc_get_key_size($module));
srand();
$iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($module), MCRYPT_RAND);
mcrypt_generic_init($module,$key,$iv);
$encrypted=$iv.mcrypt_generic($module,$data);
mcrypt_generic_deinit($module);
mcrypt_module_close($module);
return $encrypted;
}
/**
* Decrypts data
* @param string $data data to be decrypted.
* @param string $key the decryption key. This defaults to null, meaning using {@link getEncryptionKey EncryptionKey}.
* @return string the decrypted data
* @throws CException if PHP Mcrypt extension is not loaded
*/
public function decrypt($data,$key=null)
{
$module=$this->openCryptModule();
$key=$this->substr($key===null ? md5($this->getEncryptionKey()) : $key,0,mcrypt_enc_get_key_size($module));
$ivSize=mcrypt_enc_get_iv_size($module);
$iv=$this->substr($data,0,$ivSize);
mcrypt_generic_init($module,$key,$iv);
$decrypted=mdecrypt_generic($module,$this->substr($data,$ivSize,$this->strlen($data)));
mcrypt_generic_deinit($module);
mcrypt_module_close($module);
return rtrim($decrypted,"\0");
}
/**
* Opens the mcrypt module with the configuration specified in {@link cryptAlgorithm}.
* @return resource the mycrypt module handle.
* @since 1.1.3
*/
protected function openCryptModule()
{
if(extension_loaded('mcrypt'))
{
if(is_array($this->cryptAlgorithm))
$module=@call_user_func_array('mcrypt_module_open',$this->cryptAlgorithm);
else
$module=@mcrypt_module_open($this->cryptAlgorithm,'', MCRYPT_MODE_CBC,'');
if($module===false)
throw new CException(Yii::t('yii','Failed to initialize the mcrypt module.'));
return $module;
}
else
throw new CException(Yii::t('yii','CSecurityManager requires PHP mcrypt extension to be loaded in order to use data encryption feature.'));
}
/**
* Prefixes data with an HMAC.
* @param string $data data to be hashed.
* @param string $key the private key to be used for generating HMAC. Defaults to null, meaning using {@link validationKey}.
* @return string data prefixed with HMAC
*/
public function hashData($data,$key=null)
{
return $this->computeHMAC($data,$key).$data;
}
/**
* Validates if data is tampered.
* @param string $data data to be validated. The data must be previously
* generated using {@link hashData()}.
* @param string $key the private key to be used for generating HMAC. Defaults to null, meaning using {@link validationKey}.
* @return string the real data with HMAC stripped off. False if the data
* is tampered.
*/
public function validateData($data,$key=null)
{
$len=$this->strlen($this->computeHMAC('test'));
if($this->strlen($data)>=$len)
{
$hmac=$this->substr($data,0,$len);
$data2=$this->substr($data,$len,$this->strlen($data));
return $hmac===$this->computeHMAC($data2,$key)?$data2:false;
}
else
return false;
}
/**
* Computes the HMAC for the data with {@link getValidationKey ValidationKey}.
* @param string $data data to be generated HMAC
* @param string $key the private key to be used for generating HMAC. Defaults to null, meaning using {@link validationKey}.
* @return string the HMAC for the data
*/
protected function computeHMAC($data,$key=null)
{
if($key===null)
$key=$this->getValidationKey();
if(function_exists('hash_hmac'))
return hash_hmac($this->hashAlgorithm, $data, $key);
if(!strcasecmp($this->hashAlgorithm,'sha1'))
{
$pack='H40';
$func='sha1';
}
else
{
$pack='H32';
$func='md5';
}
if($this->strlen($key) > 64)
$key=pack($pack, $func($key));
if($this->strlen($key) < 64)
$key=str_pad($key, 64, chr(0));
$key=$this->substr($key,0,64);
return $func((str_repeat(chr(0x5C), 64) ^ $key) . pack($pack, $func((str_repeat(chr(0x36), 64) ^ $key) . $data)));
}
/**
* Returns the length of the given string.
* If available uses the multibyte string function mb_strlen.
* @param string $string the string being measured for length
* @return integer the length of the string
*/
private function strlen($string)
{
return $this->_mbstring ? mb_strlen($string,'8bit') : strlen($string);
}
/**
* Returns the portion of string specified by the start and length parameters.
* If available uses the multibyte string function mb_substr
* @param string $string the input string. Must be one character or longer.
* @param integer $start the starting position
* @param integer $length the desired portion length
* @return string the extracted part of string, or FALSE on failure or an empty string.
*/
private function substr($string,$start,$length)
{
return $this->_mbstring ? mb_substr($string,$start,$length,'8bit') : substr($string,$start,$length);
}
}