duan0714 2018-04-03 17:39
浏览 54
已采纳

C#SSO哈希迁移到PHP

I'm working on an SSO implementation in PHP that authenticates to a system written in C#. Here's some pseudo code to demonstrate:

$token = "MqsXexqpYRUNAHR_lHkPRic1g1BYhH6bFNVPagEkuaL8Mf80l_tOirhThQYIbfWYErgu4bDwl-7brVhXTWnJNQ2";
$id = "bob@company.com";
$ssokey = "7MpszrQpO95p7H";
$idAndKey = $id . $ssokey;
$salt = base64_decode(substr($token, 0, -1));
$hashed = hash_pbkdf2("sha256", $idAndKey, mb_convert_encoding($salt, 'UTF-16LE'), 1000, 24, false);
$data = base64_encode($hashed);

This outputs: NWZiMTBhZmNhNTlmYzMxMTEzMThhZmVl

Here's the C# version from the system with which I'm integrating:

var token = "MqsXexqpYRUNAHR_lHkPRic1g1BYhH6bFNVPagEkuaL8Mf80l_tOirhThQYIbfWYErgu4bDwl-7brVhXTWnJNQ2";
var id = "bob@company.com";
var ssokey = "7MpszrQpO95p7H";
string idAndKey = id + ssokey;
var salt = HttpServerUtility.UrlTokenDecode(token);
var pbkdf2 = new Rfc2898DeriveBytes(idAndKey, salt) {IterationCount = 1000};
var key = HttpServerUtility.UrlTokenEncode(pbkdf2.GetBytes(24)); 
Console.WriteLine(key.ToString());

This outputs: aE1k9-djZ66WbUATqdHbWyJzskMI5ABS0

I cannot figure out how to get my PHP code to do the same thing. I have a feeling it is in the salt generation.

I've tried to translate the C# HttpServerUtility.UrlTokenDecode function to PHP like so:

function UrlTokenDecode($token) {
    $numPadChars = substr($token, -1);

    // add the padded count to the end
    $salt = substr($token, 0, -1) . $numPadChars;

    // Transform the "-" to "+", and "*" to "/"
    $salt = str_replace('-', '+', str_replace('*', '/', $salt));

    // base64_decode
    $salt = base64_decode($salt);

    return $salt;
}

That didn't get me to where I needed to go. Halp!

This is for Absorb LMS. Documentation of their methods are here: https://support.absorblms.com/hc/en-us/articles/222446647-Incoming-Absorb-Single-Sign-On#Methods

Thanks!

  • 写回答

2条回答 默认 最新

  • dsdsm2016 2018-04-03 20:10
    关注

    I don't know php at all, but still can help I think. First, as stated in my comment, Rfc2898DeriveBytes in C# uses SHA1 as hash function, not SHA256, doesn't matter what your documentation says.

    Next, UrlTokenDecode (and Encode) is quite strange thing I rarely seen in practice. It converts regular base64 to "url safe" version as follows:

    • replaces '+' with '-'
    • replaces '/' with '_'
    • removes padding ('==' at the end) and appends length of removed padding as a number as last character (if there were no padding - it still appends "0"). This step doesn't make any sense to me, but it's how it works.

    So to replicate you need to base64_encode, replace, remove padding, and then add padding length as character. So if your base64 string ended with == - you remove that and add "2" at the end. If there was no padding - you add "0".

    So to decode that string you need to make back replacement, then remove last character and add that much '=' to the end as indicated by that character.

    So string

    MqsXexqpYRUNAHR_lHkPRic1g1BYhH6bFNVPagEkuaL8Mf80l_tOirhThQYIbfWYErgu4bDwl-7brVhXTWnJNQ2

    In normal base64 is MqsXexqpYRUNAHR/lHkPRic1g1BYhH6bFNVPagEkuaL8Mf80l/tOirhThQYIbfWYErgu4bDwl+7brVhXTWnJNQ==

    Then, I have no idea why you do that

    mb_convert_encoding($salt, 'UTF-16LE')

    Just remove it (though as I don't know php - there might be some reason you are doing that, but I just cannot imagine which, so take care).

    Then as other answer states - the last argument to hash_pbkdf2() should be true.

    After making this changes your code will work (I used token already converted to normal base64 string):

    $token = "MqsXexqpYRUNAHR/lHkPRic1g1BYhH6bFNVPagEkuaL8Mf80l/tOirhThQYIbfWYErgu4bDwl+7brVhXTWnJNQ==";
$id = "bob@company.com";
$ssokey = "7MpszrQpO95p7H";
$idAndKey = $id . $ssokey;
$salt = base64_decode($token);
$hashed = hash_pbkdf2("sha1", $idAndKey, $salt, 1000, 24, true);
$data = base64_encode($hashed);
echo $data;

    produces expected answer (in normal base64 - you need to "url encode" it to get exact match).

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

  • C#SSO哈希迁移PHP c# php
    2018-04-03 17:39
    回答 2 已采纳 I don't know php at all, but still can help I think. First, as stated in my comment, Rfc2898Derive
  • 不同子域(w / PHP)之间的SSO / Auth? ajax javascript jquery php
    2019-03-05 18:59
    回答 2 已采纳 In PHP if you setcookie() with a $domain parameter (e.g. parappawithfries.com), that cookie can be
  • 仅限NTLM和PHPSSO php
    2014-06-15 14:03
    回答 1 已采纳 This is not possible using only PHP. Validating NTLMv2 credentials requires SecureChannel encrypte
  • 从初级开发者到资深架构师,看这
    2022-07-11 14:01
    Hanson,的博客 (Toc generated by simple-php-github-toc )《java队列——queue详细分析》《LinkedList、ConcurrentLinkedQueue、LinkedBlockingQueue对比分析》每个节点最多有两个叶子节点。左右两个子树的高度差的绝对值不超过...
  • Apache2 PHP SSO与Active Directory php
    2014-01-21 11:37
    回答 1 已采纳 I did this yesterday using mod_auth_kerberos. Basic process is as follows: Install kerberos and
  • SSO单点登录的一些疑问 java spring 后端
    2021-12-28 08:20
    回答 2 已采纳 问题1:若去单点登录检测未登录,调转单点登录会携带之前的请求地址(如图中redirect) 问题2:这问题应该不用考虑,正常人不会去禁用(不懂电脑的人,就更不会禁用了)!毕竟很多大型网站都依赖coo
  • 使用HttpWebRequest的ASP.NET到Wordpress SSO asp.net php
    2010-12-10 17:06
    回答 1 已采纳 From what I can see, your server side code is submitting the request to wp-load.php which is creat
  • 后端架构师技术图谱
    2020-11-01 18:49
    从前有座山,山里有座庙的博客 从初级开发者到资深架构师,看这些书就够了 数据结构 队列 集合 链表、数组 字典、关联数组 栈 树 二叉树 完全二叉树 平衡二叉树 二叉查找树(BST) 红黑树 B,B+,B*树 LSM 树 BitSet 常用算法 排序、查找...
  • LR 录制cas sso 单击登录
    2017-07-12 10:44
    回答 1 已采纳 http 302 问题的解决: //////////////////////////////////////////////////////////////////////////////////
  • LDAP / SSO Intranet解决方案 php
    2017-05-16 14:37
    回答 2 已采纳 the (quick ´n dirty) solution: <html> <head> <meta http-equiv="content-type" conte
  • 单点登录从WordPress到媒体维基 php
    2019-04-01 13:10
    回答 2 已采纳 I was able to setup SSO (Single sign-on) from WordPress to media wiki, by following these steps:
  • PHP面试题(一)
    2018-03-24 11:56
    钟长森的博客 一:php部分 用PHP实现一个双向队列(使用deque) deque,全名double-ended queue,是一种具有队列和栈的性质的数据结构。双端队列中的元素可以从两端弹出,其限定插入和删除操作在表的两端进行。双向队列(双端队列...
  • 关于sso单点登录问题
    2017-04-27 09:40
    回答 1 已采纳 http://www.cnblogs.com/songyaqi/p/4553069.html
  • 自我知识点总结
    2020-04-08 17:27
    weixin_45685805的博客 拿到结果集之后,再次根据配置好的映射对象,自动实现对象的封装 三、编程步骤 Step01:创建maven 桌面项目(Java 项目) Step02:添加mybatis依赖以及mysql驱动依赖 Step03:创建mybatis 配置文件,映射文件 Step04:配置...
  • 资源工具分享(第1期):后端架构师技术图谱
    2021-07-16 18:38
    Hello 程序猿的博客 推荐:《Java技术书籍大全》 - awesome-java-books 从初级开发者到资深架构师,看这些书就够了 数据结构 队列 集合 链表、数组 字典、关联数组 栈 树 二叉树 完全二叉树 平衡二叉树 ...
  • 没有解决我的问题, 去提问

悬赏问题

  • ¥15 netty整合springboot之后自动重连失效
  • ¥20 wireshark抓不到vlan
  • ¥20 关于#stm32#的问题:需要指导自动酸碱滴定仪的原理图程序代码及仿真
  • ¥20 设计一款异域新娘的视频相亲软件需要哪些技术支持
  • ¥15 stata安慰剂检验作图但是真实值不出现在图上
  • ¥15 c程序不知道为什么得不到结果
  • ¥40 复杂的限制性的商函数处理
  • ¥15 程序不包含适用于入口点的静态Main方法
  • ¥15 素材场景中光线烘焙后灯光失效
  • ¥15 请教一下各位,为什么我这个没有实现模拟点击