Initial import

bigmath.inc.php

@@ -0,0 +1,275 @@
+<?php
+
+/**
+ * BigMath: A math library wrapper that abstracts out the underlying
+ * long integer library.
+ *
+ * Original code (C) 2005 JanRain <openid@janrain.com>
+ * Modifications (C) 2007 Stephen Bounds.
+ * Further modifications (C) 2008 Chris Smith.
+ *
+ * Licensed under the LGPL.
+ */
+
+/**
+ * Base BigMath class which will be extended by a big-integer math library
+ * such as bcmath or gmp. 
+ */
+abstract class BigMath {
+
+  /** File handle for our random data source. */
+  protected $randsource = false;
+
+  /** Duplicate cache for rand(). */
+  protected $duplicate_cache = array();
+
+  /** Singleton reference to our bigmath class. */
+  private static $me = null;
+
+  /**
+   * Converts the specified positive integer to the shortest possible
+   * big-endian, two's complement representation.
+   * 
+   * @param long The integer to be converted
+   * @return the btwoc representation of the integer
+   */    
+  public function btwoc($long) {
+    $cmp = $this->cmp($long, 0);
+
+    if ($cmp < 0) {
+      throw new Exception('$long must be a positive integer.');
+    } else if ($cmp == 0) {
+      return "\x00";
+    }
+
+    $bytes = array();
+
+    while ($this->cmp($long, 0) > 0) {
+      array_unshift($bytes, $this->mod($long, 256));
+      $long = $this->div($long, 256);
+    }
+
+    if ($bytes && ($bytes[0] > 127)) {
+      array_unshift($bytes, 0);
+    }
+
+    // Convert to \xHH\xHH... format and return
+    $string = '';
+
+    foreach ($bytes as $byte) {
+      $string .= pack('C', $byte);
+    }
+
+    return $string;
+  }
+
+  /**
+   * Converts the specified btwoc representation of an integer back to the
+   * original integer.
+   *
+   * @param str The btwoc representation to be "undone"
+   * @return The corresponding integer 
+   */
+  public function btwoc_undo($str) {
+    if ($str == null) {
+      return null;
+    }
+
+    $bytes = array_values(unpack('C*', $str));
+
+    $n = $this->init(0);
+
+    if ($bytes && ($bytes[0] > 127)) {
+      throw new Exception('$str must represent a positive integer');
+    }
+
+    foreach ($bytes as $byte) {
+      $n = $this->mul($n, 256);
+      $n = $this->add($n, $byte);
+    }
+
+    return $n;
+  }
+
+  /**
+   * Returns a random number up to the specified maximum.
+   *
+   * @param max The maximum value to return
+   * @return A random number between 0 and the specified max 
+   */
+  public function rand($max) {
+    // Used as the key for the duplicate cache
+    $rbytes = $this->btwoc($max);
+
+    if (array_key_exists($rbytes, $this->duplicate_cache)) {
+      list($duplicate, $nbytes) = $this->duplicate_cache[$rbytes];
+    } else {
+      if ($rbytes[0] == "\x00") {
+        $nbytes = strlen($rbytes) - 1;
+      } else {
+        $nbytes = strlen($rbytes);
+      }
+
+      $mxrand = $this->pow(256, $nbytes);
+
+      // If we get a number less than this, then it is in the
+      // duplicated range.
+      $duplicate = $this->mod($mxrand, $max);
+
+      if (count($this->duplicate_cache) > 10) {
+        $this->duplicate_cache = array();
+      }
+
+      $this->duplicate_cache[$rbytes] = array($duplicate, $nbytes);
+    }
+
+    do {
+      $bytes = "\x00" . $this->getRandomBytes($nbytes);
+      $n = $this->btwoc_undo($bytes);
+      // Keep looping if this value is in the low duplicated range
+    } while ($this->cmp($n, $duplicate) < 0);
+
+    return $this->mod($n, $max);
+  }
+
+  /**
+   * Get the specified number of random bytes.
+   *
+   * Attempts to use a cryptographically secure (not predictable)
+   * source of randomness. If there is no high-entropy
+   * randomness source available, it will fail.
+
+   * @param num_bytes The number of bytes to retrieve
+   * @return The specified number of random bytes
+   */
+  public function getRandomBytes($num_bytes) {
+    if (!$this->randsource) {
+     $this->randsource = @fopen('/dev/urandom', 'r');
+    }
+
+    if ($this->randsource) {
+      return fread($this->randsource, $num_bytes);
+    } else {
+      // pseudorandom used
+      $bytes = '';
+      for ($i = 0; $i < $num_bytes; $i += 4) {
+        $bytes .= pack('L', mt_rand());
+      }
+      return substr($bytes, 0, $num_bytes);
+    }      
+  }
+
+  public abstract function init($number, $base = 10);
+
+  public abstract function add($x, $y);
+  public abstract function sub($x, $y);
+  public abstract function mul($x, $y);
+  public abstract function div($x, $y);
+  public abstract function cmp($x, $y);
+
+  public abstract function mod($base, $modulus);
+  public abstract function pow($base, $exponent);
+
+  public abstract function powmod($base, $exponent, $modulus);
+
+  public abstract function toString($num);
+
+  /**
+   * Detect which math library is available
+   *
+   * @return The extension details of the first available extension,
+   * or false if no extensions are available.
+   */
+  private static function BigMath_Detect() {
+    $extensions = array(
+  	array('modules' => array('gmp', 'php_gmp'),
+              'extension' => 'gmp',
+              'class' => 'BigMath_GmpMathWrapper'),
+  	array('modules' => array('bcmath', 'php_bcmath'),
+              'extension' => 'bcmath',
+              'class' => 'BigMath_BcMathWrapper')
+    );
+
+    $loaded = false;
+    foreach ($extensions as $ext) {
+      // See if the extension specified is already loaded.
+      if ($ext['extension'] && extension_loaded($ext['extension'])) {
+        $loaded = true;
+      }
+
+      // Try to load dynamic modules.
+      if (!$loaded) {
+        foreach ($ext['modules'] as $module) {
+          if (@dl($module . "." . PHP_SHLIB_SUFFIX)) {
+            $loaded = true;
+            break;
+          }
+        }
+      }
+
+      if ($loaded) {
+        return $ext;
+      }
+    }
+
+    return false;
+  }
+
+  /**
+   * Returns a singleton instance of the best possible BigMath class.
+   * 
+   * @return A singleton instance to a BigMath class.
+   */
+  public static function &getBigMath() {
+    if (self::$me == null) {
+      $ext = self::BigMath_Detect();
+      $class = $ext['class'];
+      self::$me = new $class();
+    }
+
+    return self::$me;
+  }
+
+}
+
+/**
+ * Exposes BCmath math library functionality.
+ */
+class BigMath_BcMathWrapper extends BigMath {
+  public function init($number, $base = 10) { return $number; }
+
+  public function add($x, $y) { return bcadd($x, $y);  }
+  public function sub($x, $y) { return bcsub($x, $y);  }
+  public function mul($x, $y) { return bcmul($x, $y);  }
+  public function div($x, $y) { return bcdiv($x, $y);  }
+  public function cmp($x, $y) { return bccomp($x, $y); }
+
+  public function mod($base, $modulus)    { return bcmod($base, $modulus); }
+  public function pow($base, $exponent)   { return bcpow($base, $exponent); }
+
+  public function powmod($base, $exponent, $modulus) { return bcpowmod($base, $exponent, $modulus); }
+
+  public function toString($num) { return $num; }
+}
+
+/**
+ * Exposes GMP math library functionality.
+ */
+class BigMath_GmpMathWrapper extends BigMath {
+  public function init($number, $base = 10) {  return gmp_init($number, $base); }
+
+  public function add($x, $y) { return gmp_add($x, $y);   }
+  public function sub($x, $y) { return gmp_sub($x, $y);   }
+  public function mul($x, $y) { return gmp_mul($x, $y);   }
+  public function div($x, $y) { return gmp_div_q($x, $y); }
+  public function cmp($x, $y) { return gmp_cmp($x, $y);   }
+
+  public function mod($base, $modulus)  { return gmp_mod($base, $modulus);  }
+  public function pow($base, $exponent) { return gmp_pow($base, $exponent); }
+
+  public function powmod($base, $exponent, $modulus) { return gmp_powm($base, $exponent, $modulus); }
+
+  public function toString($num) { return gmp_strval($num); }
+}
+
+?>

discoverer.inc.php

@@ -0,0 +1,190 @@
+<?PHP
+
+/* Poidsy 0.4 - http://chris.smith.name/projects/poidsy
+ * Copyright (c) 2008 Chris Smith
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+class Discoverer {
+
+ private $server = null;
+ private $delegate = '';
+ private $identity = '';
+ private $version = 1;
+
+ public function __construct($uri) {
+  if ($uri !== null) {
+   $this->discover($this->identity = $this->normalise($uri));
+  }
+ }
+
+ public function getServer() {
+  return $this->server;
+ }
+
+ public function getDelegate() {
+  return $this->delegate;
+ }
+
+ public function getIdentity() {
+  return $this->identity;
+ }
+
+ public function getVersion() {
+  return $this->version;
+ }
+
+ public static function normalise($uri) {
+  // Strip xri:// prefix
+  if (substr($uri, 0, 6) == 'xri://') {
+   $uri = substr($uri, 6);
+  }
+
+  // If the first char is a global context symbol, treat it as XRI
+  if (in_array($uri[0], array('=', '@', '+', '$', '!'))) {
+   // TODO: Implement
+   throw new Exception('This implementation does not currently support XRI');
+  }
+
+  // Add http:// if needed
+  if (strpos($uri, '://') === false) {
+   $uri = 'http://' . $uri;
+  }
+
+  $bits = @parse_url($uri);
+
+  $result = $bits['scheme'] . '://';
+  if (defined('OPENID_ALLOWUSER') && isset($bits['user'])) {
+   $result .= $bits['user'];
+   if (isset($bits['pass'])) {
+    $result .= ':' . $bits['pass'];
+   }
+   $result .= '@';
+  }
+  $result .= preg_replace('/\.$/', '', $bits['host']);
+
+  if (isset($bits['port']) && !empty($bits['port']) &&
+     (($bits['scheme'] == 'http' && $bits['port'] != '80') ||
+      ($bits['scheme'] == 'https' && $bits['port'] != '443') ||
+      ($bits['scheme'] != 'http' && $bits['scheme'] != 'https'))) {
+   $result .= ':' . $bits['port'];
+  }
+
+  if (isset($bits['path'])) {
+   do {
+    $bits['path'] = preg_replace('#/([^/]*)/\.\./#', '/', str_replace('/./', '/', $old = $bits['path']));
+   } while ($old != $bits['path']);
+   $result .= $bits['path'];
+  } else {
+   $result .= '/';
+  }
+
+  if (defined('OPENID_ALLOWQUERY') && isset($bits['query'])) {
+   $result .= '?' . $bits['query'];
+  }
+
+  return $result;
+ }
+
+ private function discover($uri) {
+  // TODO: Yaris discovery
+
+  $this->delegate = $uri;
+  $this->server = null;
+
+  $this->htmlDiscover($uri);
+ }
+
+ private function htmlDiscover($uri) {
+  $fh = @fopen($uri, 'r');
+
+  if (!$fh) {
+   return;
+  }
+
+  $details = stream_get_meta_data($fh);
+
+  foreach ($details['wrapper_data'] as $line) {
+   if (preg_match('/^Location: (.*?)$/i', $line, $m)) {
+    if (strpos($m[1], '://') !== false) {
+     // Fully qualified URL
+     $this->identity = $m[1];
+    } else if ($m[1][0] == '/') {
+     // Absolute URL
+     $this->identity = preg_replace('#^(.*?://.*?)/.*$#', '\1', $this->identity) . $m[1];
+    } else {
+     // Relative URL
+     $this->identity = preg_replace('#^(.*?://.*/).*?$#', '\1', $this->identity) . $m[1];
+    }
+   }
+   $this->identity = self::normalise($this->identity);
+  }
+
+  $data = '';
+  while (!feof($fh) && strpos($data, '</head>') === false) {
+   $data .= fgets($fh);
+  }
+
+  fclose($fh);
+
+  $this->parseHtml($data);
+ }
+
+ public function parseHtml($data) {
+  preg_match_all('#<link\s*(.*?)\s*/?>#is', $data, $matches);
+
+  $links = array();
+
+  foreach ($matches[1] as $link) {
+   $rel = $href = null;
+
+   if (preg_match('#rel\s*=\s*(?:([^"\'>\s]*)|"([^">]*)"|\'([^\'>]*)\')(?:\s|$)#is', $link, $m)) {
+   	array_shift($m);
+    $rel = implode('', $m);
+   }
+
+   if (preg_match('#href\s*=\s*(?:([^"\'>\s]*)|"([^">]*)"|\'([^\'>]*)\')(?:\s|$)#is', $link, $m)) {
+   	array_shift($m);
+    $href = implode('', $m);
+   }
+
+   $links[$rel] = html_entity_decode($href);
+  }
+
+  if (isset($links['openid2.provider'])) {
+   $this->version = 2;
+   $this->server = $links['openid2.provider'];
+
+   if (isset($links['openid2.local_id'])) {
+    $this->delegate = $links['openid2.local_id'];
+   }
+  } else if (isset($links['openid.server'])) {
+   $this->version = 1;
+   $this->server = $links['openid.server'];
+
+   if (isset($links['openid.delegate'])) {
+    $this->delegate = $links['openid.delegate'];
+   }
+  }
+ }
+
+}
+
+?>

examples/basic/index.php

@@ -0,0 +1,128 @@
+<?PHP
+
+/* Poidsy 0.4 - http://chris.smith.name/projects/poidsy
+ * Copyright (c) 2008 Chris Smith
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+ // Poidsy returns its results in a session variable, so we need to start the
+ // session here in order to get access to the results
+ session_start();
+
+ // Request some information from the identity provider. Note that providers 
+ // don't have to implement the extension that provides this, so you can't
+ // rely on getting results back. You can use OPENID_SREG_REQUEST to more
+ // strongly request the information (it implies that the user will have to
+ // manually enter the data if the provider doesn't supply it).
+ //
+ // The fields listed here are all the valid SREG fields. Anything else
+ // almost certainly won't work (but you can of course omit ones you don't
+ // need).
+ define('OPENID_SREG_OPTIONAL',
+      'nickname,email,fullname,dob,gender,postcode,country,language,timezone');
+
+ if (isset($_POST['openid_url']) || isset($_REQUEST['openid_mode'])) {
+  // There are two cases when poidsy's processor needs to be invoked - firstly,
+  // when the user has just submitted an OpenID identifier to be verified, in
+  // which case $_POST['openid_url'] will be present (poidsy has special
+  // handling for inputs named openid_url. If you want to use a URL from
+  // another source, you can define the OPENID_URL constant instead.).
+  // Secondly, if the user is being redirected back from their provider, the
+  // openid.mode parameter will be present (which PHP translates to openid_mode)
+
+  require('../../processor.php');
+
+ } else {
+  // If we don't have any processing to be doing, show them the form and
+  // results.
+
+?>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
+                      "http://www.w3.org/TR/html4/strict.dtd">
+<html>
+ <head>
+  <title>OpenID consumer demonstration</title>
+  <style type="text/css">
+   input#openid_url {
+    background: url('../../openid.gif') no-repeat; padding-left: 20px;
+   }
+
+   p { padding-left: 10px; }
+   p.error { border-left: 10px solid #f00; }
+   p.succ { border-left: 10px solid #0f0; }
+   caption { text-align: left; } 
+   table { margin: 10px; }
+  </style>
+ </head>
+ <body>
+  <h1>OpenID consumer demo</h1>
+<?PHP
+
+ if (isset($_SESSION['openid']['error'])) {
+
+  // If the error variable is set, it means that poidsy has encountered an
+  // error while trying to validate the identifier. We just tell the user
+  // what went wrong, and unset the session vars so the messages don't persist
+
+  echo '<p class="error">An error occured: ', htmlentities($_SESSION['openid']['error']), '</p>';
+  unset($_SESSION['openid']['error']);
+
+ } else if (isset($_SESSION['openid']['validated']) && $_SESSION['openid']['validated']) {
+
+  // Upon a successful validation, the validated field will have been set to
+  // true. It's important to check the validated field, as the identity
+  // will be specified in the array throughout the process, so it would be
+  // possible for the user to request the page with an identity specified
+  // but before Poidsy had validated it. As above, we unset the session
+  // vars so that the details don't persist.
+
+  echo '<p class="succ">Success: your OpenID identifier is <em>', htmlentities($_SESSION['openid']['identity']), '</em></p>';
+  unset($_SESSION['openid']['validated']);
+
+  // Show the SREG data returned, if any. SREG data is only present if you
+  // defined one of the OPENID_SREG constants before the request was sent,
+  // if the user's identity provider supports SREG, and if (depending on the
+  // provider) the user gives permission for you to have the data.
+  if (isset($_SESSION['openid']['sreg'])) {
+   echo '<table>';
+   echo '<caption>Simple Registration Extension data</caption>';
+
+   foreach ($_SESSION['openid']['sreg'] as $type => $data) {
+    echo '<tr><th>', htmlentities($type), '</th>';
+    echo '<td>', htmlentities($data), '</td></tr>';
+   }
+
+   echo '</table>';
+
+   unset($_SESSION['openid']['sreg']);
+  }
+
+ }
+?>
+  <form action="<?PHP echo htmlentities($_SERVER['REQUEST_URI']); ?>"
+	method="post">
+   <input type="text" name="openid_url" id="openid_url">
+   <input type="submit" value="Login">
+  </form>
+ </body>
+</html>
+<?PHP
+ }
+?>

examples/javascript/iframe.php

@@ -0,0 +1,48 @@
+<?PHP
+
+/* Poidsy 0.4 - http://chris.smith.name/projects/poidsy
+ * Copyright (c) 2008 Chris Smith
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+ session_start();
+
+ define('OPENID_TRUSTROOT', $_SESSION['trustroot']);
+ define('OPENID_IMMEDIATE', true);
+
+ if (isset($_GET['openid_id'])) {
+  define('OPENID_URL', $_GET['openid_id']);
+ }
+
+ if (defined('OPENID_URL') || isset($_REQUEST['openid_mode'])) {
+
+  require('../../processor.php');
+
+ } else if (isset($_SESSION['openid']['error'])) {
+  if ($_SESSION['openid']['errorcode'] == 'noimmediate') {
+   echo '<script type="text/javascript">parent.doSubmit();</script>';
+  } else {
+   echo '<script type="text/javascript">parent.doError("Error: ' . $_SESSION['openid']['error'] . '");</script>';
+  }
+  unset($_SESSION['openid']['error']);
+ } else if (isset($_SESSION['openid']['validated']) && $_SESSION['openid']['validated']) {
+  echo '<script type="text/javascript">parent.doSuccess("Logged in as ' . $_SESSION['openid']['identity'] . '");</script>';
+ }
+?>

examples/javascript/index.php

@@ -0,0 +1,132 @@
+<?PHP
+
+/* Poidsy 0.4 - http://chris.smith.name/projects/poidsy
+ * Copyright (c) 2008 Chris Smith
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+ session_start();
+
+ require('../../urlbuilder.inc.php');
+
+ if (isset($_GET['cs'])) {
+  unset($_SESSION['openid']);
+  header('Location: ' . $_SERVER['SCRIPT_NAME']);
+  exit;
+ }
+
+ $_SESSION['trustroot'] = URLBuilder::getCurrentURL();
+
+ if (isset($_POST['openid_url']) || isset($_REQUEST['openid_mode'])) {
+  // Proxy for non-JS users
+
+  require('../../processor.php');
+
+ } else {
+
+?>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
+                      "http://www.w3.org/TR/html4/strict.dtd">
+<html>
+ <head>
+  <title>OpenID consumer demonstration</title>
+  <style type="text/css">
+   input#openid_url {
+    background: url('../../openid.gif') no-repeat; padding-left: 20px;
+   }
+   div { margin: 20px; padding: 5px; }
+  </style>
+  <script type="text/javascript">
+   function tryJsLogin() {
+    document.getElementById('target').src = 'iframe.php?openid.id=' + document.getElementById('openid_url').value;
+   }
+   function doSubmit() {
+    //alert('Provider is requesting your interaction. Sending you away.');
+    document.getElementById('form').submit();
+   }
+   function doError(msg) {
+    document.getElementById('status').innerHTML = msg;
+    document.getElementById('status').style.backgroundColor = "#a00";
+   }
+   function doSuccess(msg) {
+    document.getElementById('status').innerHTML = msg;
+    document.getElementById('status').style.backgroundColor = "#0a0";
+   }
+  </script>
+ </head>
+ <body>
+  <h1>OpenID consumer demo</h1>
+  <p>
+   The login form below uses a hidden iframe to process the form
+   (assuming the user has javascript enabled; if they don't, it falls back
+   gracefully). If your identity provider implements checkid_immediate
+   properly (which several don't appear to), and has enough information to
+   authorise you without requiring your input, the entire login process
+   should happen without any noticable change except for the status message.
+  </p><p>
+   If your identity provider requires interaction with you, the form
+   will be submitted as usual and you'll leave this page (but, as usual, will
+   return when your IdP is done with you). If your identity provider is
+   <em>broken</em>, you won't see anything happening after the initial page
+   load and redirect. This is because the identity provider is trying to
+   interact with you (via a hidden iframe) when it has been explicitly told
+   not to. This is the identity provider's fault (it's violating the OpenID
+   specifications), not Poidsy's. If you were implementing this on a live site,
+   you'd probably add a timer to detect if it wasn't working and do a normal
+   login.
+  </p>
+  <p>
+   Note: if you are using Firefox and have the 'Disallow third party cookies'
+   preference enabled, Firefox won't send cookies to your provider when it's
+   loaded in the iframe. This almost certainly will mean that your provider
+   can't validate your identity immediately, and thus you'll be redirected.
+   Other browsers (such as IE and Safari) allow these cookies to be sent even
+   if they disallow setting of third-party cookies.
+  </p>
+<?PHP
+
+ echo '<p>Time: ', date('r'), '. <a href="?cs">Clear session info</a></p>';
+
+ if (isset($_SESSION['openid']['error'])) {
+
+  echo '<div id="status" style="background-color: #a00;">An error occured: ', htmlentities($_SESSION['openid']['error']), '</div>';
+  unset($_SESSION['openid']['error']);
+
+ } else if (isset($_SESSION['openid']['validated']) && $_SESSION['openid']['validated']) {
+
+  echo '<div id="status" style="background-color: #0a0;">Logged in as ', htmlentities($_SESSION['openid']['identity']), '</div>';
+
+ } else {
+
+  echo '<div id="status">Not logged in</div>';
+
+ }
+?>
+  <form action="<?PHP echo htmlentities($_SERVER['REQUEST_URI']); ?>"
+	method="post" onSubmit="tryJsLogin(); return false;" id="form">
+   <input type="text" name="openid_url" id="openid_url">
+   <input type="submit" value="Login">
+   <iframe id="target" style="display: none;"></iframe>
+  </form>
+ </body>
+</html>
+<?PHP
+ }
+?>

keycache.php

@@ -0,0 +1 @@
+<?PHP header('HTTP/1.1 403 Forbidden'); echo 'This is not a public page'; __halt_compiler(); ?>

keymanager.inc.php

@@ -0,0 +1,362 @@
+<?PHP
+
+/* Poidsy 0.4 - http://chris.smith.name/projects/poidsy
+ * Copyright (c) 2008 Chris Smith
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+ require_once(dirname(__FILE__) . '/bigmath.inc.php');
+ require_once(dirname(__FILE__) . '/poster.inc.php');
+ require_once(dirname(__FILE__) . '/urlbuilder.inc.php');
+
+ class KeyManager {
+
+  /** Diffie-Hellman P value, defined by OpenID specification. */
+  const DH_P = '155172898181473697471232257763715539915724801966915404479707795314057629378541917580651227423698188993727816152646631438561595825688188889951272158842675419950341258706556549803580104870537681476726513255747040765857479291291572334510643245094715007229621094194349783925984760375594985848253359305585439638443';
+  /** Diffie-Hellman G value. */
+  const DH_G = '2';
+
+  private static $header = null;
+  private static $data = null;
+  private static $bigmath = null;
+
+  /**
+   * Loads the KeyManager's data array from disk.
+   */
+  private static function loadData() {
+   if (self::$data == null) {
+    $data = file(dirname(__FILE__) . '/keycache.php');
+    self::$header = array_shift($data);
+    self::$data = unserialize(implode("\n", $data));
+   }
+  }
+
+  /**
+   * Saves the KeyManager's data array to disk.
+   */
+  private static function saveData() {
+   file_put_contents(dirname(__FILE__) . '/keycache.php', self::$header . serialize(self::$data));
+  }
+
+  /**
+   * Attempts to associate with the specified server.
+   *
+   * @param String $server The server to associate with
+   */
+  public static function associate($server) {
+   $data = URLBuilder::buildAssociate($server);
+
+   try {
+    $res = Poster::post($server, $data);
+   } catch (Exception $ex) {
+    return;
+   }
+
+   $data = array();
+
+   foreach (explode("\n", $res) as $line) {
+    if (preg_match('/^(.*?):(.*)$/', $line, $m)) {
+     $data[$m[1]] = $m[2];
+    }
+   }
+
+   try {
+    $data = self::decodeKey($server, $data);
+   } catch (Exception $ex) {
+    return;
+   }
+
+   $data['expires_at'] = time() + $data['expires_in'];
+
+   self::$data[$server][$data['assoc_handle']] = $data;
+   self::saveData();
+  }
+
+  /**
+   * Decodes the MAC key specified in the $data array.
+   *
+   * @param String $server The server which sent the data
+   * @param Array $data Array of association data from the server
+   * @return A copy of the $data array with the mac_key present
+   */
+  private static function decodeKey($server, $data) {
+   switch (strtolower($data['session_type'])) {
+    case 'dh-sha1':
+     $algo = 'sha1';
+     break;
+    case 'dh-sha256':
+     $algo = 'sha256';
+     break;
+    case 'no-encryption':
+    case 'blank':
+    case '':
+     $algo = false;
+     break;
+    default:
+     throw new Exception('Unable to handle session type ' . $data['session_type']);
+   }
+
+   if ($algo !== false) {
+    // The key is DH'd
+    $mac = base64_decode($data['enc_mac_key']);
+    $x = self::getDhPrivateKey($server);
+    $temp = self::$bigmath->btwoc_undo(base64_decode($data['dh_server_public']));
+    $temp = self::$bigmath->powmod($temp, $x, self::DH_P);
+    $temp = self::$bigmath->btwoc($temp);
+    $temp = hash($algo, $temp, true);
+    $mac = $mac ^ $temp;
+    $data['mac_key'] = base64_encode($mac);
+
+    unset($data['enc_mac_key'], $data['dh_server_public']);
+   }
+
+   return $data;
+  }
+
+  /**
+   * Retrieves an active assoc_handle for the specified server.
+   *
+   * @param String $server The server whose handle we're looking for
+   * @return An association handle for the server or null on failure
+   */
+  public static function getHandle($server) {
+   self::loadData();
+
+   if (!isset(self::$data[$server])) {
+    return null;
+   }
+
+   foreach (self::$data[$server] as $handle => $data) {
+    if ($handle == '__private') { continue; }
+
+    if ($data['expires_at'] < time()) {
+     unset(self::$data[$server][$handle]);
+    } else {
+     return $handle;
+    }
+   }
+
+   return null;
+  }
+
+  /**
+   * Determines if the KeyManager has at least one assoc_handle for the
+   * specified server.
+   *
+   * @param String $server The server to check for
+   * @return True if the KeyManager has a handle, false otherwise
+   */
+  public static function hasHandle($server) {
+   return self::getHandle($server) !== null;
+  }
+
+  /**
+   * Retrieves the association data array for the specified server and assoc
+   * handle.
+   *
+   * @param String $server The server whose data is being requested
+   * @param String $handle The current association handle for the server
+   * @return Array of association data or null if none was found
+   */
+  public static function getData($server, $handle) {
+   self::loadData();
+
+   if (isset(self::$data[$server][$handle])) {
+    if (self::$data[$server][$handle]['expires_at'] < time()) {
+     self::revokeHandle($server, $handle);
+     return null;
+    } else {
+     return self::$data[$server][$handle];
+    }
+   } else {
+    return null;
+   }
+  }
+
+  /**
+   * Attempts to authenticate that the specified arguments are a valid query
+   * from the specified server. If smart authentication is not available
+   * or an error is encountered, throws an exception.
+   *
+   * @param String $server The server that supposedly sent the request
+   * @param Array $args The arguments included in the request
+   * @return True if the message was authenticated, false if it's a fake
+   */
+  public static function authenticate($server, $args) {
+   $data = self::getData($server, $args['openid_assoc_handle']);
+
+   if ($data === null) {
+    throw new Exception('No key available for that server/handle');
+   }
+
+   $contents = '';
+   foreach (explode(',', $args['openid_signed']) as $arg) {
+    $argn = str_replace('.', '_', $arg);
+    $contents .= $arg . ':' . $args['openid_' . $argn] . "\n";
+   }
+
+   switch (strtolower($data['assoc_type'])) {
+    case 'hmac-sha1':
+     $algo = 'sha1';
+     break;
+    case 'hmac-sha256':
+     $algo = 'sha256';
+     break;
+    default:
+     throw new Exception('Unable to handle association type ' . $data['assoc_type']);
+   }
+
+   $sig = base64_encode(hash_hmac($algo, $contents, base64_decode($data['mac_key']), true));
+
+   if ($sig == $args['openid_sig']) {
+    return true;
+   } else {
+    return false;
+   }
+  }
+
+  /**
+   * Validates the current request using dumb authentication (a POST to the
+   * provider).
+   *
+   * @return True if the request has been authenticated, false otherwise.
+   */
+  public static function dumbAuthenticate() {
+   $url = URLBuilder::buildAuth($_REQUEST);
+
+   try {
+    $data = Poster::post($_SESSION['openid']['server'], $url);
+   } catch (Exception $ex) {
+    return false;
+   }
+
+   $valid = false;
+   foreach (explode("\n", $data) as $line) {
+    if (substr($line, 0, 9) == 'is_valid:') {
+     $valid = (boolean) substr($line, 9);
+    }
+   }
+
+   return $valid;
+  }
+
+  /**
+   * Removes the specified association handle from the specified server's
+   * records.
+   *
+   * @param String $server The server which is revoking the handle
+   * @param String $handle The handle which is being revoked
+   */
+  public static function revokeHandle($server, $handle) {
+   self::loadData();
+   unset(self::$data[$server][$handle]);
+   self::saveData();
+  }
+
+  /**
+   * Determines if the keymanager is supported by the local environment or not.
+   *
+   * @return True if the keymanager can be used, false otherwise
+   */
+  public static function isSupported() {
+   return @is_writable(dirname(__FILE__) . '/keycache.php')
+	&& function_exists('hash_hmac');
+  }
+
+  /**
+   * Returns the base64-encoded representation of the dh_modulus parameter.
+   *
+   * @return Base64-encoded representation of dh_modulus
+   */
+  public static function getDhModulus() {
+   return base64_encode(self::$bigmath->btwoc(self::DH_P));
+  }
+
+  /**
+   * Returns the base64-encoded representation of the dh_gen parameter.
+   *
+   * @return Base64-encoded representation of dh_gen
+   */
+  public static function getDhGen() {
+   return base64_encode(self::$bigmath->btwoc(self::DH_G));
+  }
+
+  /**
+   * Retrieves our private key for the specified server.
+   *
+   * @param String $server The server which we're communicating with
+   * @return Our private key for the specified server, or null if we don't have
+   * one
+   */
+  public static function getDhPrivateKey($server) {
+   self::loadData();
+   if (isset(self::$data[$server])) {
+    return self::$data[$server]['__private'];
+   } else {
+   	return null;
+   }
+  }
+
+  /**
+   * Retrieves our public key for use with the specified server.
+   *
+   * @param String $server The server we wish to send the public key to
+   * @return Base64-encoded public key for the specified server
+   */
+  public static function getDhPublicKey($server) {
+   self::loadData();
+   $key = self::createDhKey($server);
+   self::saveData();
+
+   return base64_encode(self::$bigmath->btwoc(self::$bigmath->powmod(self::DH_G, $key, self::DH_P)));
+  }
+
+  /**
+   * Creates a private key for use when exchanging keys with the specified
+   * server.
+   *
+   * @param String $server The name of the server we're dealing with
+   * @return The server's new private key
+   */
+  private static function createDhKey($server) {
+   return self::$data[$server]['__private'] = self::$bigmath->rand(self::DH_P);
+  }
+
+  /**
+   * Determines whether the keymanager can support Diffie-Hellman key exchange.
+   *
+   * @return True if D-H exchange is supported, false otherwise.
+   */
+  public static function supportsDH() {
+   return self::$bigmath != null;
+  }
+
+  /**
+   * Initialises the key manager.
+   */
+  public static function init() {
+   self::$bigmath = BigMath::getBigMath();
+  }
+
+ }
+
+ KeyManager::init();
+
+?>

poster.inc.php

@@ -0,0 +1,53 @@
+<?PHP
+
+/* Poidsy 0.4 - http://chris.smith.name/projects/poidsy
+ * Copyright (c) 2008 Chris Smith
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+ class Poster {
+
+  public static function post($url, $data) {
+   $params = array(
+	'http' => array(
+		'method' => 'POST',
+                 'content' => $data
+	)
+   );
+
+   $ctx = stream_context_create($params);
+   $fp = @fopen($url, 'rb', false, $ctx);
+   
+   if (!$fp) {
+    throw new Exception("Problem with $url, $php_errormsg");
+   }
+   
+   $response = @stream_get_contents($fp);
+   if ($response === false) {
+    throw new Exception("Problem reading data from $url, $php_errormsg");
+   }
+
+   return $response;
+  }
+
+
+ }
+
+?>

processor.php

@@ -0,0 +1,310 @@
+<?PHP
+
+/* Poidsy 0.4 - http://chris.smith.name/projects/poidsy
+ * Copyright (c) 2008 Chris Smith
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+ // TODO: Remove me before release!
+ error_reporting(E_ALL | E_STRICT);
+
+ require_once(dirname(__FILE__) . '/discoverer.inc.php');
+ require_once(dirname(__FILE__) . '/poster.inc.php');
+ require_once(dirname(__FILE__) . '/sreg.inc.php');
+ require_once(dirname(__FILE__) . '/urlbuilder.inc.php');
+ require_once(dirname(__FILE__) . '/keymanager.inc.php');
+
+ if (session_id() == '') {
+  // No session - testing maybe?
+  session_start();
+ }
+
+ // Process any openid_url form fields (compatability with 0.1)
+ if (!defined('OPENID_URL') && isset($_POST['openid_url'])) {
+  define('OPENID_URL', $_POST['openid_url']);
+ } else if (!defined('OPENID_URL') && isset($_POST['openid_identifier'])) {
+  define('OPENID_URL', $_POST['openid_identifier']);
+ }
+
+ // Maximum number of requests to allow without a OPENID_THROTTLE_GAP second
+ // gap between two of them
+ if (!defined('OPENID_THROTTLE_NUM')) {
+  define('OPENID_THROTTLE_NUM', 3);
+ }
+
+ // Time to require between requests before the request counter is reset
+ if (!defined('OPENID_THROTTLE_GAP')) {
+  define('OPENID_THROTTLE_GAP', 30);
+ }
+
+ // Whether or not to use the key manager
+ define('KEYMANAGER', !defined('OPENID_NOKEYMANAGER') && KeyManager::isSupported());
+
+ /**
+  * Processes the current request.
+  */
+ function process() {
+  if (defined('OPENID_URL')) {
+   // Initial authentication attempt (they just entered their identifier)
+
+   $reqs = checkRequests();
+   $disc = tryDiscovery(OPENID_URL);
+
+   $_SESSION['openid'] = array(
+ 	'identity' => $disc->getIdentity(),
+	'delegate' => $disc->getDelegate(),
+	'validated' => false,
+	'server' => $disc->getServer(),
+	'nonce' => uniqid(microtime(true), true),
+	'requests' => $reqs,
+   );
+
+   $handle = getHandle($disc->getServer());
+
+   $url = URLBuilder::buildRequest(defined('OPENID_IMMEDIATE') ? 'immediate' : 'setup',
+              $disc->getServer(), $disc->getDelegate(),
+              $disc->getIdentity(), URLBuilder::getCurrentURL(), $handle);
+
+   URLBuilder::doRedirect($url);
+  } else if (isset($_REQUEST['openid_mode'])) {
+   checkNonce();
+
+   $func = 'process' . str_replace(' ', '', ucwords(str_replace('_', ' ',
+			strtolower($_REQUEST['openid_mode']))));
+   if (function_exists($func)) {
+  	 call_user_func($func, checkHandleRevocation());
+   }
+  }
+ }
+
+ /**
+  * Checks that the user isn't making requests too frequently, and redirects
+  * them with an appropriate error if they are.
+  *
+  * @return An array containing details about the requests that have been made
+  */
+ function checkRequests() {
+  if (isset($_SESSION['openid']['requests'])) {
+   $requests = $_SESSION['openid']['requests'];
+  } else {
+   $requests = array('lasttime' => 0, 'count' => 0);
+  }
+
+  if ($requests['lasttime'] < time() - OPENID_THROTTLE_GAP) {
+
+   // Last request was a while ago, reset the timer
+   $requests['count'] = 0;
+
+  } else if ($requests['count'] > OPENID_THROTTLE_NUM) {
+
+   // More than the legal number of requests
+   error('throttled', 'You are trying to authenticate too often');
+
+  }
+
+  $requests['count']++;
+  $requests['lasttime'] = time();
+
+  return $requests;
+ }
+
+ /**
+  * Attempts to perform discovery on the specified URL, redirecting the user
+  * with an appropriate error if discovery fails.
+  *
+  * @param String $url The URL to perform discovery on
+  * @return An appropriate Discoverer object
+  */
+ function tryDiscovery($url) {
+  try {
+   $disc = new Discoverer($url);
+
+   if ($disc->getServer() == null) {
+   	error('notvalid', 'Claimed identity is not a valid identifier');
+   }
+
+   return $disc;
+  } catch (Exception $e) {
+   error('discovery', $e->getMessage());
+  }
+  
+  return null;
+ }
+
+ /**
+  * Retrieves an association handle for the specified server. If we don't
+  * currently have one, attempts to associate with the server.
+  *
+  * @param String $server The server whose handle we're retrieving
+  * @return The association handle of the server or null on failure
+  */
+ function getHandle($server) {
+  if (KEYMANAGER) {
+   if (!KeyManager::hasHandle($server)) {
+    KeyManager::associate($server);
+   }
+
+   return KeyManager::getHandle($server);
+  } else {
+   return null;
+  }
+ }
+
+ /**
+  * Checks that the nonce specified in the current request equals the one
+  * stored in the user's session, and redirects them if it doesn't.
+  */
+ function checkNonce() {
+  if ($_REQUEST['openid_nonce'] != $_SESSION['openid']['nonce']) {
+   error('nonce', 'Nonce doesn\'t match - possible replay attack');
+  } else {
+   $_SESSION['openid']['nonce'] = uniqid(microtime(true), true);
+  }
+ }
+
+ /**
+  * Checks to see if the request contains an instruction to invalidate the
+  * handle we used. If it does, the request is authenticated and the handle
+  * removed (or the user is redirected with an error if the IdP doesn't
+  * authenticate the message).
+  *
+  * @return True if the message has been authenticated, false otherwise
+  */
+ function checkHandleRevocation() {
+  $valid = false;
+
+  if (KEYMANAGER && isset($_REQUEST['openid_invalidate_handle'])) {
+   $valid = KeyManager::dumbAuth();
+
+   if ($valid) {
+    KeyManager::removeKey($_SESSION['openid']['server'], $_REQUEST['openid_invalidate_handle']);
+   } else {
+   	error('noauth', 'Provider didn\'t authenticate message');
+   }
+  }
+
+  return $valid;
+ }
+
+ /**
+  * Processes id_res requests.
+  *
+  * @param Boolean $valid True if the request has already been authenticated
+  */
+ function processIdRes($valid) {
+  if (isset($_REQUEST['openid_identity'])) {
+   processPositiveResponse($valid);
+  } else if (isset($_REQUEST['openid_user_setup_url'])) {
+   processSetupRequest();
+  }
+ }
+ 
+ /**
+  * Processes a response where the provider is requesting to interact with the
+  * user in order to confirm their identity.
+  */
+ function processSetupRequest() {
+  if (defined('OPENID_IMMEDIATE') && OPENID_IMMEDIATE) {
+   error('noimmediate', 'Couldn\'t perform immediate auth');
+  }
+
+  $handle = getHandle($_SESSION['openid']['server']);
+
+  $url = URLBuilder::buildRequest('setup', $_REQUEST['openid_user_setup_url'],
+                                $_SESSION['openid']['delegate'],
+                                $_SESSION['openid']['identity'],
+                                URLBuilder::getCurrentURL(), $handle);
+
+  URLBuilder::doRedirect($url); 	
+ }
+ 
+ /**
+  * Processes a positive authentication response.
+  *
+  * @param Boolean $valid True if the request has already been authenticated
+  */
+ function processPositiveResponse($valid) {
+  if ($_REQUEST['openid_identity'] != $_SESSION['openid']['delegate']) {
+   error('diffid', 'Identity provider validated wrong identity. Expected it to '
+  	             . 'validate ' . $_SESSION['openid']['delegate'] . ' but it '
+  	             . 'validated ' . $_REQUEST['openid_identity']);
+  }
+
+  if (!$valid) {
+   $dumbauth = true;
+
+   if (KEYMANAGER) {
+    try {
+     $valid = KeyManager::authenticate($_SESSION['openid']['server'], $_REQUEST);
+     $dumbauth = false;
+    } catch (Exception $ex) {
+     // Ignore it - try dumb auth
+    }
+   }
+
+   if ($dumbauth) {
+    $valid = KeyManager::dumbAuthenticate();
+   }
+  }
+
+  $_SESSION['openid']['validated'] = $valid;
+
+  if (!$valid) {
+  	error('noauth', 'Provider didn\'t authenticate response');
+  }
+
+  parseSRegResponse();
+  URLBuilder::redirect(); 	
+ }
+
+ /**
+  * Processes cancel modes.
+  *
+  * @param Boolean $valid True if the request has already been authenticated
+  */
+ function processCancel($valid) {
+  error('cancelled', 'Provider cancelled the authentication attempt');
+ }
+
+ /**
+  * Processes error modes.
+  *
+  * @param Boolean $valid True if the request has already been authenticated
+  */
+ function processError($valid) {
+  error('perror', 'Provider error: ' . $_REQUEST['openid_error']);
+ }
+
+ /**
+  * Populates the session array with the details of the specified error and
+  * redirects the user appropriately.
+  *
+  * @param String $code The error code that occured
+  * @param String $message A description of the error
+  */
+ function error($code, $message) {
+  $_SESSION['openid']['error'] = $message;
+  $_SESSION['openid']['errorcode'] = $code;
+  URLBuilder::redirect();
+ }
+
+ // Here we go!
+ process();
+?>

sreg.inc.php

@@ -0,0 +1,48 @@
+<?PHP
+
+/* Poidsy 0.4 - http://chris.smith.name/projects/poidsy
+ * Copyright (c) 2008 Chris Smith
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+ define('SREG_NICKNAME', 'openid.sreg.nickname');
+ define('SREG_EMAIL', 'openid.sreg.email');
+ define('SREG_FULLNAME', 'openid.sreg.fullname');
+ define('SREG_DOB', 'openid.sreg.dob');
+ define('SREG_GENDER', 'openid.sreg.gender');
+ define('SREG_POSTCODE', 'openid.sreg.postcode');
+ define('SREG_COUNTRY', 'openid.sreg.country');
+ define('SREG_LANGUAGE', 'openid.sreg.language');
+ define('SREG_TIMEZONE', 'openid.sreg.timezone');
+
+ define('SREG_ALL', SREG_NICKNAME . ',' . SREG_EMAIL . ',' . SREG_FULLNAME
+             . ',' . SREG_DOB . ',' . SREG_GENDER . ',' . SREG_POSTCODE . ','
+             . SREG_COUNTRY . ',' . SREG_LANGUAGE . ', ' . SREG_TIMEZONE);
+
+ function parseSRegResponse() {
+  foreach (explode(',', SREG_ALL) as $reg) {
+   $reg = str_replace('.', '_', $reg);
+   if (isset($_REQUEST[$reg])) {
+    $_SESSION['openid']['sreg'][substr($reg, 12)] = $_REQUEST[$reg];
+   }
+  }
+ }
+
+?>

test.php

@@ -0,0 +1,106 @@
+<?PHP
+
+/* Poidsy 0.4 - http://chris.smith.name/projects/poidsy
+ * Copyright (c) 2008 Chris Smith
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+ // This file tests to see if your environment is compatible with Poidsy.
+
+?>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
+                      "http://www.w3.org/TR/html4/strict.dtd">
+<html>
+ <head>
+  <title>Poidsy compatibility test</title>
+  <style type="text/css">
+   table { border-collapse: collapse; }
+   td, th { border: 1px solid #000; padding: 10px; }
+   td.error { text-align: center; color: #fff; background-color: #c00; }
+   td.succ { text-align: center; color: #fff; background-color: #0c0; }
+   td.warn { text-align: center; color: #fff; background-color: #c70; }
+   td { max-width: 400px; }
+   code { font-size: small; }
+  </style>
+ </head>
+ <body>
+  <h1>Poidsy compatibility test</h1>
+  <table>
+<?PHP
+
+ function doTest($name, $result, $failinfo) {
+  echo '<tr><th>', htmlentities($name), '</th>';
+  echo '<td class="', $result ? 'succ' : 'error', '">';
+  echo $result ? 'Passed' : 'Failed';
+  echo '</td>';
+  if (!$result) { echo '<td>', $failinfo, '</td>'; }
+  echo '</tr>';
+ }
+
+ echo '<tr><th colspan="2">Poidsy requirements</th></tr>';
+ doTest('PHP Version', version_compare(PHP_VERSION, '5.2.0', '>='), 'Poidsy requires PHP version 5.2.0 or greater to run');
+
+ echo '<tr><th colspan="2">Associate mode requirements</th></tr>';
+ doTest('hash_hmac function', function_exists('hash_hmac'), 'Poidsy requires the hash_hmac function to use associate mode. It should be available in PHP 5.2.0 or greater, unless you\'ve explicitly disabled it when compiling PHP');
+ doTest('Keycache writable', is_writable(dirname(__FILE__) . '/keycache.php'), 'Poidsy requires write access to the keycache.php file in its directory. Without it, Poidsy will be unable to use associate mode.');
+ echo '<tr><th colspan="2">Diffie-Hellman key exchange requirements</th></tr>';
+
+ $extensions = array(
+        array('modules' => array('gmp', 'php_gmp'),
+              'extension' => 'gmp'),
+        array('modules' => array('bcmath', 'php_bcmath'),
+              'extension' => 'bcmath')
+    );
+
+ $best = '';
+ foreach ($extensions as $ext) {
+  if ($ext['extension'] && extension_loaded($ext['extension'])) {
+   $loaded = true;
+  } else {
+   foreach ($ext['modules'] as $module) {
+    if (@dl($module . "." . PHP_SHLIB_SUFFIX)) {
+     $loaded = true;
+     break;
+    }
+   }
+  }
+
+  if ($loaded) {
+   $best = $ext['extension'];
+   break; 
+  }
+ }
+
+  echo '<tr><th>Bigmath support</th>';
+  echo '<td class="', $best == 'gmp' ? 'succ' : $best == 'bcmath' ? 'warn' : 'error', '">';
+  echo $best != '' ? $best : 'Failed';
+  echo '</td>';
+  if ($best == 'bcmath') {
+   echo '<td>Your version of PHP has bcmath support, which is good enough for Poidsy to use, but is much slower than gmp.</td>';
+  } else if ($best == '') {
+   echo '<td>Your version of PHP doesn\'t have support for either gmp (preferred) or bcmath. Poidsy needs one of these libraries to perform D-H key exchange.</td>';
+  }
+  echo '</tr>';
+
+
+?>
+  </table>
+ </body>
+</html>

urlbuilder.inc.php

@@ -0,0 +1,189 @@
+<?PHP
+
+/* Poidsy 0.4 - http://chris.smith.name/projects/poidsy
+ * Copyright (c) 2008 Chris Smith
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+ require_once(dirname(__FILE__) . '/keymanager.inc.php');
+
+ class URLBuilder {
+
+  const NAMESPACE = 'http://openid.net/signon/1.1';
+
+  public static function addArguments($base, $arguments) {
+   $first = true;
+   $res = $base === false ? '' : $base;
+
+   if ($base !== false && strrpos($base, '?', -2) === false) {
+    if ($base[strlen($base) - 1] != '?') {
+     $res .= '?';
+    }
+   } else if ($base !== false) {
+    $res .= '&';
+   }
+
+   foreach ($arguments as $key => $value) {
+    if ($first) {
+     $first = false;
+    } else {
+     $res .= '&';
+    }
+
+    $res .= urlencode($key) . '=' . urlencode($value);
+   }
+
+   return $res;
+  }
+
+  public static function buildRequest($type, $base, $delegate, $identity, $returnURL, $handle) {
+   $args = array(
+    'openid.ns' => self::NAMESPACE,
+	'openid.mode' => 'checkid_' . $type,
+	'openid.identity' => $delegate,
+	'openid.claimed_id' => $identity,
+	'openid.trust_root' => self::getTrustRoot(),
+	'openid.return_to' => self::addArguments($returnURL,
+		array('openid.nonce' => $_SESSION['openid']['nonce']))
+   );
+
+   if ($handle !== null) {
+    $args['openid.assoc_handle'] = $handle;
+   }
+
+   self::addSRegArgs($args);
+
+   return self::addArguments($base, $args);
+  }
+
+  private static function getTrustRoot() {
+   if (defined('OPENID_TRUSTROOT')) {
+    return OPENID_TRUSTROOT;
+   } else {
+    return self::getCurrentURL();
+   }
+  }
+
+  private static function addSRegArgs(&$args) {
+   if (defined('OPENID_SREG_REQUEST')) {
+    $args['openid.sreg.required'] = OPENID_SREG_REQUEST;
+   }
+
+   if (defined('OPENID_SREG_OPTIONAL')) {
+    $args['openid.sreg.optional'] = OPENID_SREG_OPTIONAL;
+   }
+
+   if (defined('OPENID_SREG_POLICY')) {
+    $args['openid.sreg.policy_url'] = OPENID_SREG_POLICY;
+   }
+  }
+
+  public static function buildAssociate($server) {
+   $args = array(
+        'openid.ns' => self::NAMESPACE,
+	'openid.mode' => 'associate',
+	'openid.assoc_type' => 'HMAC-SHA1',
+   );
+
+   if (KeyManager::supportsDH()) {
+    $args['openid.session_type'] = 'DH-SHA1';
+    $args['openid.dh_modulus'] = KeyManager::getDhModulus();
+    $args['openid.dh_gen'] = KeyManager::getDhGen();
+    $args['openid.dh_consumer_public'] = KeyManager::getDhPublicKey($server);
+   } else {
+    $args['openid.session_type'] = '';
+   }
+
+   return self::addArguments(false, $args);
+  }
+
+  public static function buildAuth($params) {
+   $args = array(
+        'openid.ns' => self::NAMESPACE,
+	'openid.mode' => 'check_authentication'
+   );
+
+   $toadd = array('assoc_handle', 'sig', 'signed');
+   $toadd = array_merge($toadd, explode(',', $params['openid_signed']));
+
+   foreach ($toadd as $arg) {
+    if (!isset($args['openid.' . $arg])) {
+     $args['openid.' . $arg] = $params['openid_' . $arg];
+    }
+   }
+
+   return self::addArguments(false, $args);
+  }
+
+  public static function getCurrentURL() {
+   $res = 'http';
+
+   if (isset($_SERVER['HTTPS'])) {
+    $res = 'https';
+   }
+
+   $res .= '://' . $_SERVER['SERVER_NAME'];
+
+   if ($_SERVER['SERVER_PORT'] != 80) {
+    $res .= ':' . $_SERVER['SERVER_PORT'];
+   }
+
+   $url = $_SERVER['REQUEST_URI'];
+
+   while (preg_match('/([\?&])openid[\._](.*?)=(.*?)(&|$)/', $url, $m)) {
+    $url = str_replace($m[0], $m[1], $url);
+   }
+
+   $url = preg_replace('/\??&*$/', '', $url);
+
+   return $res . $url;
+  }
+
+  /**
+   * Redirects the user back to their original page.
+   */
+  public static function redirect() {
+   if (defined('OPENID_REDIRECTURL')) {
+    $url = OPENID_REDIRECTURL;
+   } else if (isset($_SESSION['openid']['redirect'])) {
+    $url = $_SESSION['openid']['redirect'];
+   } else {
+    $url = self::getCurrentURL();
+   }
+
+   self::doRedirect($url);
+  }
+
+  /**
+   * Redirects the user to the specified URL.
+   *
+   * @param $url The URL to redirect the user to
+   */
+  public static function doRedirect($url) {
+   header('Location: ' . $url);
+   echo '<html><head><title>Redirecting</title></head><body>';
+   echo '<p>Redirecting to <a href="', htmlentities($url), '">';
+   echo htmlentities($url), '</a></p></body></html>';
+   exit();
+  }
+
+ }
+
+?>