ImSign.php
22.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
<?php
namespace App\Http\Service;
class ImSign {
private $key = false;
private $sdkappid = 0;
/**
*【功能说明】用于签发 TRTC 和 IM 服务中必须要使用的 UserSig 鉴权票据
*
*【参数说明】
* @param string userid - 用户id,限制长度为32字节,只允许包含大小写英文字母(a-zA-Z)、数字(0-9)及下划线和连词符。
* @param string expire - UserSig 票据的过期时间,单位是秒,比如 86400 代表生成的 UserSig 票据在一天后就无法再使用了。
* @return string 签名字符串
* @throws \Exception
*/
/**
* Function: Used to issue UserSig that is required by the TRTC and IM services.
*
* Parameter description:
* @param userid - User ID. The value can be up to 32 bytes in length and contain letters (a-z and A-Z), digits (0-9), underscores (_), and hyphens (-).
* @param expire - UserSig expiration time, in seconds. For example, 86400 indicates that the generated UserSig will expire one day after being generated.
* @return string signature string
* @throws \Exception
*/
public function genUserSig( $userid, $expire = 86400*180 ) {
return $this->__genSig( $userid, $expire, '', false );
}
/**
*【功能说明】
* 用于签发 TRTC 进房参数中可选的 PrivateMapKey 权限票据。
* PrivateMapKey 需要跟 UserSig 一起使用,但 PrivateMapKey 比 UserSig 有更强的权限控制能力:
* - UserSig 只能控制某个 UserID 有无使用 TRTC 服务的权限,只要 UserSig 正确,其对应的 UserID 可以进出任意房间。
* - PrivateMapKey 则是将 UserID 的权限控制的更加严格,包括能不能进入某个房间,能不能在该房间里上行音视频等等。
* 如果要开启 PrivateMapKey 严格权限位校验,需要在【实时音视频控制台】=>【应用管理】=>【应用信息】中打开“启动权限密钥”开关。
*
*【参数说明】
* @param userid - 用户id,限制长度为32字节,只允许包含大小写英文字母(a-zA-Z)、数字(0-9)及下划线和连词符。
* @param expire - PrivateMapKey 票据的过期时间,单位是秒,比如 86400 生成的 PrivateMapKey 票据在一天后就无法再使用了。
* @param roomid - 房间号,用于指定该 userid 可以进入的房间号
* @param privilegeMap - 权限位,使用了一个字节中的 8 个比特位,分别代表八个具体的功能权限开关:
* - 第 1 位:0000 0001 = 1,创建房间的权限
* - 第 2 位:0000 0010 = 2,加入房间的权限
* - 第 3 位:0000 0100 = 4,发送语音的权限
* - 第 4 位:0000 1000 = 8,接收语音的权限
* - 第 5 位:0001 0000 = 16,发送视频的权限
* - 第 6 位:0010 0000 = 32,接收视频的权限
* - 第 7 位:0100 0000 = 64,发送辅路(也就是屏幕分享)视频的权限
* - 第 8 位:1000 0000 = 200,接收辅路(也就是屏幕分享)视频的权限
* - privilegeMap == 1111 1111 == 255 代表该 userid 在该 roomid 房间内的所有功能权限。
* - privilegeMap == 0010 1010 == 42 代表该 userid 拥有加入房间和接收音视频数据的权限,但不具备其他权限。
*/
/**
* Function:
* Used to issue PrivateMapKey that is optional for room entry.
* PrivateMapKey must be used together with UserSig but with more powerful permission control capabilities.
* - UserSig can only control whether a UserID has permission to use the TRTC service. As long as the UserSig is correct, the user with the corresponding UserID can enter or leave any room.
* - PrivateMapKey specifies more stringent permissions for a UserID, including whether the UserID can be used to enter a specific room and perform audio/video upstreaming in the room.
* To enable stringent PrivateMapKey permission bit verification, you need to enable permission key in TRTC console > Application Management > Application Info.
*
* Parameter description:
* userid - User ID. The value can be up to 32 bytes in length and contain letters (a-z and A-Z), digits (0-9), underscores (_), and hyphens (-).
* roomid - ID of the room to which the specified UserID can enter.
* expire - PrivateMapKey expiration time, in seconds. For example, 86400 indicates that the generated PrivateMapKey will expire one day after being generated.
* privilegeMap - Permission bits. Eight bits in the same byte are used as the permission switches of eight specific features:
* - Bit 1: 0000 0001 = 1, permission for room creation
* - Bit 2: 0000 0010 = 2, permission for room entry
* - Bit 3: 0000 0100 = 4, permission for audio sending
* - Bit 4: 0000 1000 = 8, permission for audio receiving
* - Bit 5: 0001 0000 = 16, permission for video sending
* - Bit 6: 0010 0000 = 32, permission for video receiving
* - Bit 7: 0100 0000 = 64, permission for substream video sending (screen sharing)
* - Bit 8: 1000 0000 = 200, permission for substream video receiving (screen sharing)
* - privilegeMap == 1111 1111 == 255: Indicates that the UserID has all feature permissions of the room specified by roomid.
* - privilegeMap == 0010 1010 == 42: Indicates that the UserID has only the permissions to enter the room and receive audio/video data.
*/
public function genPrivateMapKey( $userid, $expire, $roomid, $privilegeMap ) {
$userbuf = $this->__genUserBuf( $userid, $roomid, $expire, $privilegeMap, 0, '' );
return $this->__genSig( $userid, $expire, $userbuf, true );
}
/**
*【功能说明】
* 用于签发 TRTC 进房参数中可选的 PrivateMapKey 权限票据。
* PrivateMapKey 需要跟 UserSig 一起使用,但 PrivateMapKey 比 UserSig 有更强的权限控制能力:
* - UserSig 只能控制某个 UserID 有无使用 TRTC 服务的权限,只要 UserSig 正确,其对应的 UserID 可以进出任意房间。
* - PrivateMapKey 则是将 UserID 的权限控制的更加严格,包括能不能进入某个房间,能不能在该房间里上行音视频等等。
* 如果要开启 PrivateMapKey 严格权限位校验,需要在【实时音视频控制台】=>【应用管理】=>【应用信息】中打开“启动权限密钥”开关。
*
*【参数说明】
* @param userid - 用户id,限制长度为32字节,只允许包含大小写英文字母(a-zA-Z)、数字(0-9)及下划线和连词符。
* @param expire - PrivateMapKey 票据的过期时间,单位是秒,比如 86400 生成的 PrivateMapKey 票据在一天后就无法再使用了。
* @param roomstr - 房间号,用于指定该 userid 可以进入的房间号
* @param privilegeMap - 权限位,使用了一个字节中的 8 个比特位,分别代表八个具体的功能权限开关:
* - 第 1 位:0000 0001 = 1,创建房间的权限
* - 第 2 位:0000 0010 = 2,加入房间的权限
* - 第 3 位:0000 0100 = 4,发送语音的权限
* - 第 4 位:0000 1000 = 8,接收语音的权限
* - 第 5 位:0001 0000 = 16,发送视频的权限
* - 第 6 位:0010 0000 = 32,接收视频的权限
* - 第 7 位:0100 0000 = 64,发送辅路(也就是屏幕分享)视频的权限
* - 第 8 位:1000 0000 = 200,接收辅路(也就是屏幕分享)视频的权限
* - privilegeMap == 1111 1111 == 255 代表该 userid 在该 roomid 房间内的所有功能权限。
* - privilegeMap == 0010 1010 == 42 代表该 userid 拥有加入房间和接收音视频数据的权限,但不具备其他权限。
*/
/**
* Function:
* Used to issue PrivateMapKey that is optional for room entry.
* PrivateMapKey must be used together with UserSig but with more powerful permission control capabilities.
* - UserSig can only control whether a UserID has permission to use the TRTC service. As long as the UserSig is correct, the user with the corresponding UserID can enter or leave any room.
* - PrivateMapKey specifies more stringent permissions for a UserID, including whether the UserID can be used to enter a specific room and perform audio/video upstreaming in the room.
* To enable stringent PrivateMapKey permission bit verification, you need to enable permission key in TRTC console > Application Management > Application Info.
*
* Parameter description:
* @param userid - User ID. The value can be up to 32 bytes in length and contain letters (a-z and A-Z), digits (0-9), underscores (_), and hyphens (-).
* @param roomstr - ID of the room to which the specified UserID can enter.
* @param expire - PrivateMapKey expiration time, in seconds. For example, 86400 indicates that the generated PrivateMapKey will expire one day after being generated.
* @param privilegeMap - Permission bits. Eight bits in the same byte are used as the permission switches of eight specific features:
* - Bit 1: 0000 0001 = 1, permission for room creation
* - Bit 2: 0000 0010 = 2, permission for room entry
* - Bit 3: 0000 0100 = 4, permission for audio sending
* - Bit 4: 0000 1000 = 8, permission for audio receiving
* - Bit 5: 0001 0000 = 16, permission for video sending
* - Bit 6: 0010 0000 = 32, permission for video receiving
* - Bit 7: 0100 0000 = 64, permission for substream video sending (screen sharing)
* - Bit 8: 1000 0000 = 200, permission for substream video receiving (screen sharing)
* - privilegeMap == 1111 1111 == 255: Indicates that the UserID has all feature permissions of the room specified by roomid.
* - privilegeMap == 0010 1010 == 42: Indicates that the UserID has only the permissions to enter the room and receive audio/video data.
*/
public function genPrivateMapKeyWithStringRoomID( $userid, $expire, $roomstr, $privilegeMap ) {
$userbuf = $this->__genUserBuf( $userid, 0, $expire, $privilegeMap, 0, $roomstr );
return $this->__genSig( $userid, $expire, $userbuf, true );
}
public function __construct() {
$this->sdkappid = config('services.im.key');
$this->key = config('services.im.secret');
}
/**
* 用于 url 的 base64 encode
* '+' => '*', '/' => '-', '=' => '_'
* @param string $string 需要编码的数据
* @return string 编码后的base64串,失败返回false
* @throws \Exception
*/
/**
* base64 encode for url
* '+' => '*', '/' => '-', '=' => '_'
* @param string $string data to be encoded
* @return string The encoded base64 string, returns false on failure
* @throws \Exception
*/
private function base64_url_encode( $string ) {
static $replace = Array( '+' => '*', '/' => '-', '=' => '_' );
$base64 = base64_encode( $string );
if ( $base64 === false ) {
throw new \Exception( 'base64_encode error' );
}
return str_replace( array_keys( $replace ), array_values( $replace ), $base64 );
}
/**
* 用于 url 的 base64 decode
* '+' => '*', '/' => '-', '=' => '_'
* @param string $base64 需要解码的base64串
* @return string 解码后的数据,失败返回false
* @throws \Exception
*/
/**
* base64 decode for url
* '+' => '*', '/' => '-', '=' => '_'
* @param string $base64 base64 string to be decoded
* @return string Decoded data, return false on failure
* @throws \Exception
*/
private function base64_url_decode( $base64 ) {
static $replace = Array( '+' => '*', '/' => '-', '=' => '_' );
$string = str_replace( array_values( $replace ), array_keys( $replace ), $base64 );
$result = base64_decode( $string );
if ( $result == false ) {
throw new \Exception( 'base64_url_decode error' );
}
return $result;
}
/**
* TRTC业务进房权限加密串使用用户定义的userbuf
* @brief 生成 userbuf
* @param account 用户名
* @param dwSdkappid sdkappid
* @param dwAuthID 数字房间号
* @param dwExpTime 过期时间:该权限加密串的过期时间. 过期时间 = now+dwExpTime
* @param dwPrivilegeMap 用户权限,255表示所有权限
* @param dwAccountType 用户类型, 默认为0
* @param roomStr 字符串房间号
* @return userbuf string 返回的userbuf
*/
/**
* User-defined userbuf is used for the encrypted string of TRTC service entry permission
* @brief generate userbuf
* @param account username
* @param dwSdkappid sdkappid
* @param dwAuthID digital room number
* @param dwExpTime Expiration time: The expiration time of the encrypted string of this permission. Expiration time = now+dwExpTime
* @param dwPrivilegeMap User permissions, 255 means all permissions
* @param dwAccountType User type, default is 0
* @param roomStr String room number
* @return userbuf string returned userbuf
*/
private function __genUserBuf( $account, $dwAuthID, $dwExpTime, $dwPrivilegeMap, $dwAccountType,$roomStr ) {
//cVer unsigned char/1 版本号,填0
if($roomStr == '')
$userbuf = pack( 'C1', '0' );
else
$userbuf = pack( 'C1', '1' );
$userbuf .= pack( 'n', strlen( $account ) );
//wAccountLen unsigned short /2 第三方自己的帐号长度
$userbuf .= pack( 'a'.strlen( $account ), $account );
//buffAccount wAccountLen 第三方自己的帐号字符
$userbuf .= pack( 'N', $this->sdkappid );
//dwSdkAppid unsigned int/4 sdkappid
$userbuf .= pack( 'N', $dwAuthID );
//dwAuthId unsigned int/4 群组号码/音视频房间号
$expire = $dwExpTime + time();
$userbuf .= pack( 'N', $expire );
//dwExpTime unsigned int/4 过期时间 (当前时间 + 有效期(单位:秒,建议300秒))
$userbuf .= pack( 'N', $dwPrivilegeMap );
//dwPrivilegeMap unsigned int/4 权限位
$userbuf .= pack( 'N', $dwAccountType );
//dwAccountType unsigned int/4
if($roomStr != '')
{
$userbuf .= pack( 'n', strlen( $roomStr ) );
//roomStrLen unsigned short /2 字符串房间号长度
$userbuf .= pack( 'a'.strlen( $roomStr ), $roomStr );
//roomStr roomStrLen 字符串房间号
}
return $userbuf;
}
/**
* 使用 hmac sha256 生成 sig 字段内容,经过 base64 编码
* @param $identifier 用户名,utf-8 编码
* @param $curr_time 当前生成 sig 的 unix 时间戳
* @param $expire 有效期,单位秒
* @param $base64_userbuf base64 编码后的 userbuf
* @param $userbuf_enabled 是否开启 userbuf
* @return string base64 后的 sig
*/
/**
* Use hmac sha256 to generate sig field content, base64 encoded
* @param $identifier Username, utf-8 encoded
* @param $curr_time The unix timestamp of the current generated sig
* @param $expire Validity period, in seconds
* @param $base64_userbuf base64 encoded userbuf
* @param $userbuf_enabled 是No enable userbuf
* @return string sig after base64
*/
private function hmacsha256( $identifier, $curr_time, $expire, $base64_userbuf, $userbuf_enabled ) {
$content_to_be_signed = 'TLS.identifier:' . $identifier . "\n"
. 'TLS.sdkappid:' . $this->sdkappid . "\n"
. 'TLS.time:' . $curr_time . "\n"
. 'TLS.expire:' . $expire . "\n";
if ( true == $userbuf_enabled ) {
$content_to_be_signed .= 'TLS.userbuf:' . $base64_userbuf . "\n";
}
return base64_encode( hash_hmac( 'sha256', $content_to_be_signed, $this->key, true ) );
}
/**
* 生成签名。
*
* @param $identifier 用户账号
* @param int $expire 过期时间,单位秒,默认 180 天
* @param $userbuf base64 编码后的 userbuf
* @param $userbuf_enabled 是否开启 userbuf
* @return string 签名字符串
* @throws \Exception
*/
/**
* Generate signature.
*
* @param $identifier user account
* @param int $expire Expiration time, in seconds, default 180 days
* @param $userbuf base64 encoded userbuf
* @param $userbuf_enabled Whether to enable userbuf
* @return string signature string
* @throws \Exception
*/
private function __genSig( $identifier, $expire, $userbuf, $userbuf_enabled ) {
$curr_time = time();
$sig_array = Array(
'TLS.ver' => '2.0',
'TLS.identifier' => strval( $identifier ),
'TLS.sdkappid' => intval( $this->sdkappid ),
'TLS.expire' => intval( $expire ),
'TLS.time' => intval( $curr_time )
);
$base64_userbuf = '';
if ( true == $userbuf_enabled ) {
$base64_userbuf = base64_encode( $userbuf );
$sig_array['TLS.userbuf'] = strval( $base64_userbuf );
}
$sig_array['TLS.sig'] = $this->hmacsha256( $identifier, $curr_time, $expire, $base64_userbuf, $userbuf_enabled );
if ( $sig_array['TLS.sig'] === false ) {
throw new \Exception( 'base64_encode error' );
}
$json_str_sig = json_encode( $sig_array );
if ( $json_str_sig === false ) {
throw new \Exception( 'json_encode error' );
}
$compressed = gzcompress( $json_str_sig );
if ( $compressed === false ) {
throw new \Exception( 'gzcompress error' );
}
return $this->base64_url_encode( $compressed );
}
/**
* 验证签名。
*
* @param string $sig 签名内容
* @param string $identifier 需要验证用户名,utf-8 编码
* @param int $init_time 返回的生成时间,unix 时间戳
* @param int $expire_time 返回的有效期,单位秒
* @param string $userbuf 返回的用户数据
* @param string $error_msg 失败时的错误信息
* @return boolean 验证是否成功
* @throws \Exception
*/
/**
* Verify signature.
*
* @param string $sig Signature content
* @param string $identifier Need to authenticate user name, utf-8 encoding
* @param int $init_time Returned generation time, unix timestamp
* @param int $expire_time Return the validity period, in seconds
* @param string $userbuf returned user data
* @param string $error_msg error message on failure
* @return boolean Verify success
* @throws \Exception
*/
private function __verifySig( $sig, $identifier, &$init_time, &$expire_time, &$userbuf, &$error_msg ) {
try {
$error_msg = '';
$compressed_sig = $this->base64_url_decode( $sig );
$pre_level = error_reporting( E_ERROR );
$uncompressed_sig = gzuncompress( $compressed_sig );
error_reporting( $pre_level );
if ( $uncompressed_sig === false ) {
throw new \Exception( 'gzuncompress error' );
}
$sig_doc = json_decode( $uncompressed_sig );
if ( $sig_doc == false ) {
throw new \Exception( 'json_decode error' );
}
$sig_doc = ( array )$sig_doc;
if ( $sig_doc['TLS.identifier'] !== $identifier ) {
throw new \Exception( "identifier dosen't match" );
}
if ( $sig_doc['TLS.sdkappid'] != $this->sdkappid ) {
throw new \Exception( "sdkappid dosen't match" );
}
$sig = $sig_doc['TLS.sig'];
if ( $sig == false ) {
throw new \Exception( 'sig field is missing' );
}
$init_time = $sig_doc['TLS.time'];
$expire_time = $sig_doc['TLS.expire'];
$curr_time = time();
if ( $curr_time > $init_time+$expire_time ) {
throw new \Exception( 'sig expired' );
}
$userbuf_enabled = false;
$base64_userbuf = '';
if ( isset( $sig_doc['TLS.userbuf'] ) ) {
$base64_userbuf = $sig_doc['TLS.userbuf'];
$userbuf = base64_decode( $base64_userbuf );
$userbuf_enabled = true;
}
$sigCalculated = $this->hmacsha256( $identifier, $init_time, $expire_time, $base64_userbuf, $userbuf_enabled );
if ( $sig != $sigCalculated ) {
throw new \Exception( 'verify failed' );
}
return true;
} catch ( \Exception $ex ) {
$error_msg = $ex->getMessage();
return false;
}
}
/**
* 带 userbuf 验证签名。
*
* @param string $sig 签名内容
* @param string $identifier 需要验证用户名,utf-8 编码
* @param int $init_time 返回的生成时间,unix 时间戳
* @param int $expire_time 返回的有效期,单位秒
* @param string $error_msg 失败时的错误信息
* @return boolean 验证是否成功
* @throws \Exception
*/
/**
* Verify signature with userbuf.
*
* @param string $sig Signature content
* @param string $identifier Need to authenticate user name, utf-8 encoding
* @param int $init_time Returned generation time, unix timestamp
* @param int $expire_time Return the validity period, in seconds
* @param string $error_msg error message on failure
* @return boolean Verify success
* @throws \Exception
*/
public function verifySig( $sig, $identifier, &$init_time, &$expire_time, &$error_msg ) {
$userbuf = '';
return $this->__verifySig( $sig, $identifier, $init_time, $expire_time, $userbuf, $error_msg );
}
/**
* 验证签名
* @param string $sig 签名内容
* @param string $identifier 需要验证用户名,utf-8 编码
* @param int $init_time 返回的生成时间,unix 时间戳
* @param int $expire_time 返回的有效期,单位秒
* @param string $userbuf 返回的用户数据
* @param string $error_msg 失败时的错误信息
* @return boolean 验证是否成功
* @throws \Exception
*/
/**
* Verify signature
* @param string $sig Signature content
* @param string $identifier Need to authenticate user name, utf-8 encoding
* @param int $init_time Returned generation time, unix timestamp
* @param int $expire_time Return the validity period, in seconds
* @param string $userbuf returned user data
* @param string $error_msg error message on failure
* @return boolean Verify success
* @throws \Exception
*/
public function verifySigWithUserBuf( $sig, $identifier, &$init_time, &$expire_time, &$userbuf, &$error_msg ) {
return $this->__verifySig( $sig, $identifier, $init_time, $expire_time, $userbuf, $error_msg );
}
}