|   | <?php | ||
|  | 
 | ||
|  | /** | ||
|  |  * Introduces the notion of an Attribute Provider that attests and signs | ||
|  |  * attributes | ||
|  |  * Uses OpenID Signed Assertions(Sxip draft) for attesting attributes | ||
|  |  * PHP versions 4 and 5 | ||
|  |  * | ||
|  |  * LICENSE: See the COPYING file included in this distribution. | ||
|  |  * | ||
|  |  * @package OpenID | ||
|  |  * @author Santosh Subramanian <subrasan@cs.sunysb.edu> | ||
|  |  * @author Shishir Randive <srandive@cs.sunysb.edu> | ||
|  |  * Stony Brook University. | ||
|  |  * | ||
|  |  */ | ||
|  | require_once 'Auth/OpenID/SAML.php'; | ||
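/**
 * Signs an (attribute, value) pair for a given OpenID as a SAML assertion.
 *
 * The plaintext value is not placed in the assertion: sign() embeds its SHA-1
 * digest, while the plaintext travels separately in the AX store request
 * (see AP_OP_StoreRequest). A verifier therefore has to compare that digest
 * with the value it receives to bind the two together.
 */
class Attribute_Provider
{
   private $public_key_certificate = null;
   private $private_key = null;
   private $authenticatedUser = null;   // declared for compatibility; never read or written here
   private $notBefore = null;
   private $notOnOrAfter = null;
   private $rsadsa = null;
   private $acsURI = null;
   private $attribute = null;           // declared for compatibility; never read or written here
   private $value = null;               // declared for compatibility; never read or written here
   private $assertionTemplate = null;

   /**
    * Creates an Attribute_Provider initialized with the signer's material.
    *
    * @param string $public_key_certificate - public key certificate of the signer.
    * @param string $private_key - private key of the signer (kept in memory for
    *                              every sign() call; scope this object as narrowly as possible).
    * @param string $notBefore - start of the assertion validity window.
    * @param string $notOnOrAfter - end of the assertion validity window.
    * @param string $rsadsa - choice of the signing algorithm (RSA/DSA).
    * @param string $acsURI - URI of the signer.
    * @param string $assertionTemplate - SAML template used for the assertion.
    */
   public function __construct($public_key_certificate, $private_key, $notBefore, $notOnOrAfter,
                               $rsadsa, $acsURI, $assertionTemplate)
   {
      $this->public_key_certificate = $public_key_certificate;
      $this->private_key = $private_key;
      $this->notBefore = $notBefore;
      $this->notOnOrAfter = $notOnOrAfter;
      $this->rsadsa = $rsadsa;
      $this->acsURI = $acsURI;
      $this->assertionTemplate = $assertionTemplate;
   }

   /**
    * PHP 4-style constructor, kept only for callers that invoke it by name.
    *
    * PHP 8 no longer treats a method named after its class as the constructor,
    * so without __construct() above a `new Attribute_Provider(...)` would leave
    * every property null and sign() would run with no key material.
    */
   public function Attribute_Provider($public_key_certificate, $private_key, $notBefore, $notOnOrAfter,
                                      $rsadsa, $acsURI, $assertionTemplate)
   {
      $this->__construct($public_key_certificate, $private_key, $notBefore, $notOnOrAfter,
                         $rsadsa, $acsURI, $assertionTemplate);
   }

   /**
    * Creates the signed assertion for one attribute of one OpenID.
    *
    * @param string $openid - OpenID of the entity being asserted.
    * @param string $attribute - attribute name being asserted.
    * @param string $value - attribute value being asserted; only its SHA-1
    *                        digest goes into the assertion.
    * @return mixed - whatever SAML::signAssertion() returns for the signed document.
    */
   public function sign($openid, $attribute, $value)
   {
      $samlObj = new SAML();
      // SHA-1 is kept here for wire compatibility with existing verifiers, which
      // expect this digest in the assertion. It is no longer collision resistant;
      // changing the digest requires changing every deployed verifier at the same time.
      $responseXmlString = $samlObj->createSamlAssertion($openid,
                                                         $this->notBefore,
                                                         $this->notOnOrAfter,
                                                         $this->rsadsa,
                                                         $this->acsURI,
                                                         $attribute,
                                                         sha1($value),
                                                         $this->assertionTemplate);
      return $samlObj->signAssertion($responseXmlString,
                                     $this->private_key,
                                     $this->public_key_certificate);
   }
}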
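/**
 * Verifies a signed SAML assertion at the relying party against a trusted
 * root certificate.
 */
class Attribute_Verifier
{
   /**
    * The public key certificate the relying party trusts, in whatever form
    * SAML::verifyAssertion() expects; null until load_trusted_root_cert() is called.
    */
   private $rootcert = null;

   /**
    * Loads the public key certificate the relying party trusts.
    *
    * @param string $cert - trusted public key certificate.
    */
   public function load_trusted_root_cert($cert)
   {
      $this->rootcert = $cert;
   }

   /**
    * Verifies the signature on a signed SAML assertion.
    *
    * Fails closed when no trusted certificate has been loaded: a verification
    * with no trust anchor must never report success.
    *
    * @param string $responseXmlString - signed SAML assertion.
    * @return boolean - true if verification succeeds, false otherwise.
    */
   public function verify($responseXmlString)
   {
      if ($this->rootcert === null) {
         return false;
      }
      $samlObj = new SAML();
      return $samlObj->verifyAssertion($responseXmlString, $this->rootcert);
   }
}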
|  | 
 | ||
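/**
 * Attribute-provider side: builds the AX store request that carries an
 * attribute value together with its signed assertion.
 */
class AP_OP_StoreRequest
{
   /**
    * Signs the (attribute, value) pair and attaches it to the auth request as
    * an AX store-request extension.
    *
    * Two AX values are added: the base64-encoded plaintext value under
    * $attribute, and the base64-encoded signed assertion under
    * $attribute . '/signature'. The assertion signs a SHA-1 digest of the
    * value (see Attribute_Provider::sign()), not the value itself, so the
    * receiving side has to check that digest against the plaintext it gets.
    *
    * @param Auth_OpenID_AuthRequest &$auth_request - the request to extend.
    * @param Attribute_Provider &$attributeProvider - signer for the assertion.
    * @param string $attribute - attribute name being asserted.
    * @param string $value - attribute value being asserted.
    * @param string $openid - OpenID of the entity being asserted.
    * @return Auth_OpenID_AuthRequest|null - $auth_request with the extension
    *         added, or null when no request was given.
    */
   public static function createStoreRequest(&$auth_request, &$attributeProvider,
                                             $attribute, $value, $openid)
   {
      if (!$auth_request) {
         return null;
      }
      $signedAssertion = $attributeProvider->sign($openid, $attribute, $value);
      $store_request = new Auth_OpenID_AX_StoreRequest();
      $store_request->addValue($attribute, base64_encode($value));
      $store_request->addValue($attribute . '/signature', base64_encode($signedAssertion));
      // `new` either yields an object or throws, so the former truthiness check
      // on $store_request could never fail and only hid an implicit null return.
      $auth_request->addExtension($store_request);
      return $auth_request;
   }
}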
|  | 
 | ||
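/**
 * Relying-party side: pulls the asserted attribute and its signed assertion
 * out of an AX fetch response and verifies the assertion.
 */
class RP_OP_Verify
{
   /**
    * Verifies the signed assertion carried in an AX fetch response.
    *
    * The signature blob is read from the AX alias 'value.ext1.1' and the
    * attribute value from 'value.ext0.1' — presumably the order in which
    * AP_OP_StoreRequest::createStoreRequest() adds them; confirm against the
    * AX alias assignment if the store request changes. Only the signature over
    * the assertion is checked here: nothing in this method compares the
    * assertion's digest with the value that is returned, so callers must not
    * treat the returned value as bound to the assertion unless that comparison
    * happens elsewhere (e.g. inside Attribute_Verifier).
    *
    * @param Attribute_Verifier &$attributeVerifier - verifier holding the trusted root certificate.
    * @param Auth_OpenID_Response $response - response object to extract the AX data from.
    * @return string|null - the decoded attribute value on success; null if the
    *         response carries no AX data, the expected fields are missing or
    *         malformed, or verification fails.
    */
   public function verifyAssertion(&$attributeVerifier, $response)
   {
      $ax_resp = Auth_OpenID_AX_FetchResponse::fromSuccessResponse($response);
      if (!($ax_resp instanceof Auth_OpenID_AX_FetchResponse)) {
         return null;
      }
      $ax_args = $ax_resp->getExtensionArgs();
      // Missing fields used to raise an undefined-index notice and verify an
      // empty string; treat them as a failed verification instead.
      if (!$ax_args || !isset($ax_args['value.ext1.1']) || !isset($ax_args['value.ext0.1'])) {
         return null;
      }
      // Strict decoding: input with characters outside the base64 alphabet is
      // rejected outright rather than silently stripped before verification.
      $signedAssertion = base64_decode($ax_args['value.ext1.1'], true);
      if ($signedAssertion === false || !$attributeVerifier->verify($signedAssertion)) {
         return null;
      }
      $value = base64_decode($ax_args['value.ext0.1'], true);
      return $value === false ? null : $value;
   }
}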
|  | 
 | ||
|  | 
 | ||
|  | ?>