<?php
namespace PhpOffice\PhpSpreadsheet\Shared;
> use PhpOffice\PhpSpreadsheet\Exception as SpException;
class PasswordHasher
> use PhpOffice\PhpSpreadsheet\Worksheet\Protection;
{
>
/**
> const MAX_PASSWORD_LENGTH = 255;
* Create a password hash from a given string.
>
*
> /**
* This method is based on the algorithm provided by
> * Get algorithm name for PHP.
* Daniel Rentz of OpenOffice and the PEAR package
> */
* Spreadsheet_Excel_Writer by Xavier Noguer <xnoguer@rezebra.com>.
> private static function getAlgorithm(string $algorithmName): string
*
> {
* @param string $pPassword Password to hash
> if (!$algorithmName) {
*
> return '';
* @return string Hashed password
> }
*/
>
public static function hashPassword($pPassword)
> // Mapping between algorithm name in Excel and algorithm name in PHP
{
> $mapping = [
$password = 0x0000;
> Protection::ALGORITHM_MD2 => 'md2',
$charPos = 1; // char position
> Protection::ALGORITHM_MD4 => 'md4',
> Protection::ALGORITHM_MD5 => 'md5',
// split the plain text password in its component characters
> Protection::ALGORITHM_SHA_1 => 'sha1',
$chars = preg_split('//', $pPassword, -1, PREG_SPLIT_NO_EMPTY);
> Protection::ALGORITHM_SHA_256 => 'sha256',
foreach ($chars as $char) {
> Protection::ALGORITHM_SHA_384 => 'sha384',
$value = ord($char) << $charPos++; // shifted ASCII value
> Protection::ALGORITHM_SHA_512 => 'sha512',
$rotated_bits = $value >> 15; // rotated bits beyond bit 15
> Protection::ALGORITHM_RIPEMD_128 => 'ripemd128',
$value &= 0x7fff; // first 15 bits
> Protection::ALGORITHM_RIPEMD_160 => 'ripemd160',
$password ^= ($value | $rotated_bits);
> Protection::ALGORITHM_WHIRLPOOL => 'whirlpool',
}
> ];
>
$password ^= strlen($pPassword);
> if (array_key_exists($algorithmName, $mapping)) {
$password ^= 0xCE4B;
> return $mapping[$algorithmName];
> }
return strtoupper(dechex($password));
>
}
> throw new SpException('Unsupported password algorithm: ' . $algorithmName);
}
> }
>
< * This method is based on the algorithm provided by
> * This method is based on the spec at:
> * https://interoperability.blob.core.windows.net/files/MS-OFFCRYPTO/[MS-OFFCRYPTO].pdf
> * 2.3.7.1 Binary Document Password Verifier Derivation Method 1
> *
> * It replaces a method based on the algorithm provided by
< * @param string $pPassword Password to hash
> * Scrutinizer will squawk at the use of bitwise operations here,
> * but it should ultimately pass.
< * @return string Hashed password
> * @param string $password Password to hash
< public static function hashPassword($pPassword)
> private static function defaultHashPassword(string $password): string
< $password = 0x0000;
< $charPos = 1; // char position
> $verifier = 0;
> $pwlen = strlen($password);
> $passwordArray = pack('c', $pwlen) . $password;
> for ($i = $pwlen; $i >= 0; --$i) {
> $intermediate1 = (($verifier & 0x4000) === 0) ? 0 : 1;
> $intermediate2 = 2 * $verifier;
> $intermediate2 = $intermediate2 & 0x7fff;
> $intermediate3 = $intermediate1 | $intermediate2;
> $verifier = $intermediate3 ^ ord($passwordArray[$i]);
> }
> $verifier ^= 0xCE4B;
>
> return strtoupper(dechex($verifier));
> }
< // split the plain text password in its component characters
< $chars = preg_split('//', $pPassword, -1, PREG_SPLIT_NO_EMPTY);
< foreach ($chars as $char) {
< $value = ord($char) << $charPos++; // shifted ASCII value
< $rotated_bits = $value >> 15; // rotated bits beyond bit 15
< $value &= 0x7fff; // first 15 bits
< $password ^= ($value | $rotated_bits);
> /**
> * Create a password hash from a given string by a specific algorithm.
> *
> * 2.4.2.4 ISO Write Protection Method
> *
> * @see https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/1357ea58-646e-4483-92ef-95d718079d6f
> *
> * @param string $password Password to hash
> * @param string $algorithm Hash algorithm used to compute the password hash value
> * @param string $salt Pseudorandom string
> * @param int $spinCount Number of times to iterate on a hash of a password
> *
> * @return string Hashed password
> */
> public static function hashPassword(string $password, string $algorithm = '', string $salt = '', int $spinCount = 10000): string
> {
> if (strlen($password) > self::MAX_PASSWORD_LENGTH) {
> throw new SpException('Password exceeds ' . self::MAX_PASSWORD_LENGTH . ' characters');
> $phpAlgorithm = self::getAlgorithm($algorithm);
> if (!$phpAlgorithm) {
> return self::defaultHashPassword($password);
> }
>
> $saltValue = base64_decode($salt);
> $encodedPassword = mb_convert_encoding($password, 'UCS-2LE', 'UTF-8');
< $password ^= strlen($pPassword);
< $password ^= 0xCE4B;
> $hashValue = hash($phpAlgorithm, $saltValue . /** @scrutinizer ignore-type */ $encodedPassword, true);
> for ($i = 0; $i < $spinCount; ++$i) {
> $hashValue = hash($phpAlgorithm, $hashValue . pack('L', $i), true);
> }
< return strtoupper(dechex($password));
> return base64_encode($hashValue);