我试图在php中重现用java编写的totp计算参考(http://tools.ietf.org/html/rfc6238附录A)官方中提到的测试用例。该参考提供了sha1,sha256和sha512算法的示例。
我找到了Rob Swan的this很好的例子(参见8位数的例子),它再现了一个很好的测试用例(带有sha1)。但是,如果我将算法更改为sha256或sha512(并根据参考输入数据也改变种子),我从参考文献中获得了不同的结果。
PHP的hmac哈希函数可能与java的不同吗?
谢谢!
答案 0 :(得分:1)
*解决方案
以下是Rob Swan提到的php实现的副本:
<?php
// Define your secret seed
// NB: this is a hexadecimal representation of the example
// ASCII string which is: 12345678901234567890
$secret_seed = "3132333435363738393031323334353637383930";
// Determine the time window as 30 seconds
$time_window = 30;
// Set the timestamp manually
$exact_time = 1111111109;
// Round the time down to the time window
$rounded_time = floor($exact_time/$time_window);
// Pack the counter into binary
$packed_time = pack("N", $rounded_time);
// Make sure the packed time is 8 characters long
$padded_packed_time = str_pad($packed_time,8, chr(0), STR_PAD_LEFT);
// Pack the secret seed into a binary string
$packed_secret_seed = pack("H*", $secret_seed);
// Generate the hash using the SHA1 algorithm
$hash = hash_hmac ('sha1', $padded_packed_time, $packed_secret_seed, true);
// NB: Note we have change the exponent in the pow function
// from 6 to 8 to generate an 8 digit OTP not a 6 digit one
// Extract the 8 digit number fromt the hash as per RFC 6238
$offset = ord($hash[19]) & 0xf;
$otp = (
((ord($hash[$offset+0]) & 0x7f) << 24 ) |
((ord($hash[$offset+1]) & 0xff) << 16 ) |
((ord($hash[$offset+2]) & 0xff) << 8 ) |
(ord($hash[$offset+3]) & 0xff)
) % pow(10, 8);
// NB: Note that we are padding to 8 characters not 6 for this example
// Add any missing zeros to the left of the numerical output
$otp = str_pad($otp, 8, "0", STR_PAD_LEFT);
// Display the output, which should be
echo "This should display 07081804: " . $otp;
?>
关键是这一行:
$offset = ord($hash[19]) & 0xf;
这在使用sha1算法的假设下工作正常,该算法返回20个字符串。
要抽象该行并使其与任何其他算法兼容,请将此行更改为:
$offset = ord($hash[strlen($hash)-1]) & 0xf;
现在你有一个通用且有效的RFC版本的RFC 6238 totp计算!