Startseite Erkunden Hilfe
Anmelden
tokarskiy
/
gnu-social
geforkt von diogo/gnu-social
Beobachten 1
Favorit hinzufügen 0
Fork 0
Dateien
Branch: nightly
Branches Tags
gnu-social
/
vendor
/
openid
/
php-openid
/
contrib
/
signed_assertions
/
AP.php

AP.php 6.3 KB
Permalink Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181 
  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * Introduces the notion of an Attribute Provider that attests and signs
    5. 

  5.  * attributes
    6. 

  6.  * Uses OpenID Signed Assertions(Sxip draft) for attesting attributes
    7. 

  7.  * PHP versions 4 and 5
    8. 

  8.  *
    9. 

  9.  * LICENSE: See the COPYING file included in this distribution.
    10. 

  10.  *
    11. 

  11.  * @package OpenID
    12. 

  12.  * @author Santosh Subramanian <subrasan@cs.sunysb.edu>
    13. 

  13.  * @author Shishir Randive <srandive@cs.sunysb.edu>
    14. 

  14.  * Stony Brook University.
    15. 

  15.  *
    16. 

  16.  */
    17. 

  17. require_once 'Auth/OpenID/SAML.php';
    18. 

  18. /**
    19. 

  19.  * The Attribute_Provider class which signs the attribute,value pair 
    20. 

  20.  * for a given openid.
    21. 

  21.  */
    22. 

  22. class Attribute_Provider
    23. 

  23. {
    24. 

  24.    private $public_key_certificate=null;
    25. 

  25.    private $private_key=null;
    26. 

  26.    private $authenticatedUser=null;
    27. 

  27.    private $notBefore=null;
    28. 

  28.    private $notOnOrAfter=null;
    29. 

  29.    private $rsadsa=null;
    30. 

  30.    private $acsURI=null;
    31. 

  31.    private $attribute=null;
    32. 

  32.    private $value=null;
    33. 

  33.    private $assertionTemplate=null;
    34. 

  34.    /**
    35. 

  35.     * Creates an Attribute_Provider object initialized with startup values.
    36. 

  36.     * @param string $public_key_certificate - The public key certificate 
    37. 

  37. 	of the signer.
    38. 

  38.     * @param string $private_key - The private key of the signer.
    39. 

  39.     * @param string $notBefore - Certificate validity time 
    40. 

  40.     * @param string $notOnOrAfter - Certificate validity time
    41. 

  41.     * @param string $rsadsa - Choice of the algorithm (RSA/DSA)
    42. 

  42.     * @param string $acsURI - URI of the signer.
    43. 

  43.     * @param string $assertionTemplate - SAML template used for assertion
    44. 

  44.     */
    45. 

  45.    function Attribute_Provider($public_key_certificate,$private_key,$notBefore,$notOnOrAfter,$rsadsa,$acsURI,
    46. 

  46.                                $assertionTemplate)
    47. 

  47.    {
    48. 

  48.       $this->public_key_certificate=$public_key_certificate;
    49. 

  49.            $this->private_key=$private_key;
    50. 

  50.       $this->notBefore=$notBefore;
    51. 

  51.       $this->notOnOrAfter=$notOnOrAfter;
    52. 

  52.       $this->rsadsa=$rsadsa;
    53. 

  53.       $this->acsURI=$acsURI;
    54. 

  54.       $this->assertionTemplate=$assertionTemplate;
    55. 

  55.    }
    56. 

  56.    /**
    57. 

  57.     * Create the signed assertion.
    58. 

  58.     * @param string $openid - Openid of the entity being asserted.
    59. 

  59.     * @param string $attribute - The attribute name being asserted.
    60. 

  60.     * @param string $value - The attribute value being asserted.
    61. 

  61.     */
    62. 

  62.    function sign($openid,$attribute,$value)
    63. 

  63.    {
    64. 

  64.       $samlObj = new SAML();
    65. 

  65.       $responseXmlString = $samlObj->createSamlAssertion($openid, 
    66. 

  66.                                                          $this->notBefore, 
    67. 

  67.                                                          $this->notOnOrAfter, 
    68. 

  68.                                                          $this->rsadsa,
    69. 

  69.                                                          $this->acsURI,
    70. 

  70.                                                          $attribute,
    71. 

  71.                                                          sha1($value),
    72. 

  72.                                                       $this->assertionTemplate);
    73. 

  73.       $signedAssertion=$samlObj->signAssertion($responseXmlString,
    74. 

  74.                                                $this->private_key,
    75. 

  75.                                                $this->public_key_certificate);
    76. 

  76.       return $signedAssertion;
    77. 

  77.    }
    78. 

  78. }
    79. 

  79. /**
    80. 

  80.  * The Attribute_Verifier class which verifies the signed assertion at the Relying party.
    81. 

  81.  */
    82. 

  82. class Attribute_Verifier
    83. 

  83. {
    84. 

  84.    /**
    85. 

  85.     * The certificate the Relying party trusts.
    86. 

  86.    */
    87. 

  87.    private $rootcert;
    88. 

  88.    /**
    89. 

  89.     * This function loads the public key certificate that the relying party trusts.
    90. 

  90.     * @param string $cert - Trusted public key certificate.
    91. 

  91.     */
    92. 

  92.    function load_trusted_root_cert($cert)
    93. 

  93.    {
    94. 

  94.       $this->rootcert=$cert;
    95. 

  95.    }
    96. 

  96.    /**
    97. 

  97.     * Verifies the certificate given the SAML document.
    98. 

  98.     * @param string - signed SAML assertion
    99. 

  99.     * return @boolean - true if verification is successful, false if unsuccessful.
    100. 

  100.    */
    101. 

  101.    function verify($responseXmlString)
    102. 

  102.    {
    103. 

  103.       $samlObj = new SAML();
    104. 

  104.       $ret = $samlObj->verifyAssertion($responseXmlString,$this->rootcert);
    105. 

  105.       return $ret;
    106. 

  106.    }
    107. 

  107. }
    108. 

  108. 

  109. /**
    110. 

  110.  * This is a Store Request creating class at the Attribute Provider.
    111. 

  111.  */
    112. 

  112. class AP_OP_StoreRequest
    113. 

  113. {
    114. 

  114.    /**
    115. 

  115.     * Creates store request and adds it as an extension to AuthRequest object 
    116. 

  116.       passed to it.
    117. 

  117.     * @param &Auth_OpenID_AuthRequest &$auth_request - A reference to 
    118. 

  118.       the AuthRequest object.
    119. 

  119.     * @param &Attribute_Provider &$attributeProvider - A reference to the  
    120. 

  120.       Attribute Provider object.
    121. 

  121.     * @param string $attribute - The attribute name being asserted.
    122. 

  122.     * @param string $value - The attribute value being asserted.
    123. 

  123.     * @param string $openid - Openid of the entity being asserted.
    124. 

  124.     * @return &Auth_OpenID_AuthRequest - Auth_OpenID_AuthRequest object 
    125. 

  125.                                    returned with StoreRequest extension.
    126. 

  126.    */
    127. 

  127.    static function createStoreRequest(&$auth_request,&$attributeProvider,
    128. 

  128.                                                $attribute,$value,$openid)
    129. 

  129.    {
    130. 

  130.       if(!$auth_request){
    131. 

  131.          return null;
    132. 

  132.       }
    133. 

  133.       $signedAssertion=$attributeProvider->sign($openid,$attribute,$value);
    134. 

  134.       $store_request=new Auth_OpenID_AX_StoreRequest;
    135. 

  135.       $store_request->addValue($attribute,base64_encode($value));
    136. 

  136.       $store_request->addValue($attribute.'/signature',
    137. 

  137.                                            base64_encode($signedAssertion));
    138. 

  138.       if($store_request) {
    139. 

  139.          $auth_request->addExtension($store_request);
    140. 

  140.          return $auth_request;
    141. 

  141.       }
    142. 

  142.    }
    143. 

  143. }
    144. 

  144. 

  145. /*
    146. 

  146.  *This is implemented at the RP Takes care of getting the attribute from the 
    147. 

  147.  *AX_Fetch_Response object and verifying it.
    148. 

  148.  */
    149. 

  149. class RP_OP_Verify
    150. 

  150. {
    151. 

  151.    /**
    152. 

  152.     * Verifies a given signed assertion.
    153. 

  153.     * @param &Attribute_Verifier &$attributeVerifier - An instance of the class 
    154. 

  154.                                             passed for the verification.
    155. 

  155.     * @param Auth_OpenID_Response - Response object for extraction.
    156. 

  156.     * @return boolean - true if successful, false if verification fails.
    157. 

  157.     */
    158. 

  158.    function verifyAssertion(&$attributeVerifier,$response)
    159. 

  159.    {
    160. 

  160.       $ax_resp=Auth_OpenID_AX_FetchResponse::fromSuccessResponse($response);
    161. 

  161.       if($ax_resp instanceof Auth_OpenID_AX_FetchResponse){
    162. 

  162.          $ax_args=$ax_resp->getExtensionArgs();
    163. 

  163.          if($ax_args) {
    164. 

  164.             $value=base64_decode($ax_args['value.ext1.1']);
    165. 

  165.             if($attributeVerifier->verify($value)){
    166. 

  166.                return base64_decode($ax_args['value.ext0.1']);
    167. 

  167.             } else {
    168. 

  168.                return null;
    169. 

  169.             }
    170. 

  170.          } else {
    171. 

  171.             return null;
    172. 

  172.          }
    173. 

  173.       } else {
    174. 

  174.          return null;
    175. 

  175.       }
    176. 

  176.    }
    177. 

  177. }
    178. 

  178. 

  179. 

  180. ?>
    181. 

  181.