archive
/
poidsy
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
PHP OpenID consumer
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
63 Commits
3 Branches
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
poidsy/keymanager.inc.php

keymanager.inc.php 12KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401 
  1. <?PHP

  2. 

  3. /* Poidsy 0.6 - http://chris.smith.name/projects/poidsy

  4.  * Copyright (c) 2008-2010 Chris Smith

  5.  *

  6.  * Permission is hereby granted, free of charge, to any person obtaining a copy

  7.  * of this software and associated documentation files (the "Software"), to deal

  8.  * in the Software without restriction, including without limitation the rights

  9.  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

  10.  * copies of the Software, and to permit persons to whom the Software is

  11.  * furnished to do so, subject to the following conditions:

  12.  *

  13.  * The above copyright notice and this permission notice shall be included in

  14.  * all copies or substantial portions of the Software.

  15.  *

  16.  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

  17.  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

  18.  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

  19.  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

  20.  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

  21.  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

  22.  * SOFTWARE.

  23.  */

  24. 

  25.  require_once(dirname(__FILE__) . '/bigmath.inc.php');

  26.  require_once(dirname(__FILE__) . '/logging.inc.php');

  27.  require_once(dirname(__FILE__) . '/poster.inc.php');

  28.  require_once(dirname(__FILE__) . '/urlbuilder.inc.php');

  29. 

  30.  class KeyManager {

  31. 

  32.   /** Diffie-Hellman P value, defined by OpenID specification. */

  33.   const DH_P = '155172898181473697471232257763715539915724801966915404479707795314057629378541917580651227423698188993727816152646631438561595825688188889951272158842675419950341258706556549803580104870537681476726513255747040765857479291291572334510643245094715007229621094194349783925984760375594985848253359305585439638443';

  34.   /** Diffie-Hellman G value. */

  35.   const DH_G = '2';

  36. 

  37.   private static $header = null;

  38.   private static $data = null;

  39.   private static $bigmath = null;

  40. 

  41.   /**

  42.    * Loads the KeyManager's data array from disk.

  43.    */

  44.   private static function loadData() {

  45.    if (self::$data == null) {

  46.     Logger::log('Loading data from %s/keycache.php', dirname(__FILE__));

  47.     $data = file(dirname(__FILE__) . '/keycache.php');

  48.     self::$header = array_shift($data);

  49.     self::$data = unserialize(implode("\n", $data));

  50.    }

  51.   }

  52. 

  53.   /**

  54.    * Saves the KeyManager's data array to disk.

  55.    */

  56.   private static function saveData() {

  57.    Logger::log('Saving data to %s/keycache.php', dirname(__FILE__));

  58.    file_put_contents(dirname(__FILE__) . '/keycache.php', self::$header . serialize(self::$data));

  59.   }

  60. 

  61.   /**

  62.    * Attempts to associate with the specified server.

  63.    *

  64.    * @param String $server The server to associate with

  65.    */

  66.   public static function associate($server, $assocType = null, $sessionType = null) {

  67.    Logger::log('Attempting to associate with %s, assocType: %s, sessionType: %s', $server, $assocType, $sessionType);

  68.    $data = URLBuilder::buildAssociate($server, $_SESSION['openid']['version'], $assocType, $sessionType);

  69. 

  70.    try {

  71.     $res = Poster::post($server, $data);

  72.    } catch (Exception $ex) {

  73.     Logger::log('Exception while posting: %s', $ex->getMessage());

  74.     return;

  75.    }

  76. 

  77.    $data = array();

  78. 

  79.    foreach (explode("\n", $res) as $line) {

  80.     if (preg_match('/^(.*?):(.*)$/', $line, $m)) {

  81.      $data[$m[1]] = $m[2];

  82.     }

  83.    }

  84. 

  85.    if (isset($data['error_code']) && $data['error_code'] == 'unsupported-type') {

  86.     $cont = false;

  87. 

  88.     if (isset($data['session_type']) && $data['session_type'] != $sessionType) {

  89.      // TODO: Check we support it before actually trying

  90.      $sessionType = $data['session_type'];

  91.      $cont = true;

  92.     }

  93. 

  94.     if (isset($data['assoc_type']) && $data['assoc_type'] != $assocType) {

  95.      $assocType = $data['assoc_type'];

  96.      $cont = true;

  97.     }

  98. 

  99.     if ($cont) {

  100.      self::associate($server, $assocType, $sessionType);

  101.     }

  102. 

  103.     return;

  104.    }

  105. 

  106.    try {

  107.     $data = self::decodeKey($server, $data);

  108.    } catch (Exception $ex) {

  109.     return;

  110.    }

  111. 

  112.    $data['expires_at'] = time() + $data['expires_in'];

  113. 

  114.    self::$data[$server][$data['assoc_handle']] = $data;

  115.    self::saveData();

  116.   }

  117. 

  118.   /**

  119.    * Decodes the MAC key specified in the $data array.

  120.    *

  121.    * @param String $server The server which sent the data

  122.    * @param Array $data Array of association data from the server

  123.    * @return A copy of the $data array with the mac_key present

  124.    */

  125.   private static function decodeKey($server, $data) {

  126.    switch (strtolower($data['session_type'])) {

  127.     case 'dh-sha1':

  128.      $algo = 'sha1';

  129.      break;

  130.     case 'dh-sha256':

  131.      $algo = 'sha256';

  132.      break;

  133.     case 'no-encryption':

  134.     case 'blank':

  135.     case '':

  136.      $algo = false;

  137.      break;

  138.     default:

  139.      throw new Exception('Unable to handle session type ' . $data['session_type']);

  140.    }

  141. 

  142.    if ($algo !== false) {

  143.     // The key is DH'd

  144.     $mac = base64_decode($data['enc_mac_key']);

  145.     $x = self::getDhPrivateKey($server);

  146.     $temp = self::$bigmath->btwoc_undo(base64_decode($data['dh_server_public']));

  147.     $temp = self::$bigmath->powmod($temp, $x, self::DH_P);

  148.     $temp = self::$bigmath->btwoc($temp);

  149.     $temp = hash($algo, $temp, true);

  150.     $mac = $mac ^ $temp;

  151.     $data['mac_key'] = base64_encode($mac);

  152. 

  153.     unset($data['enc_mac_key'], $data['dh_server_public']);

  154.    }

  155. 

  156.    return $data;

  157.   }

  158. 

  159.   /**

  160.    * Retrieves an active assoc_handle for the specified server.

  161.    *

  162.    * @param String $server The server whose handle we're looking for

  163.    * @return An association handle for the server or null on failure

  164.    */

  165.   public static function getHandle($server) {

  166.    self::loadData();

  167. 

  168.    if (!isset(self::$data[$server])) {

  169.     Logger::log('No data found for %s', $server);

  170.     return null;

  171.    }

  172. 

  173.    foreach (self::$data[$server] as $handle => $data) {

  174.     if ($handle == '__private') { continue; }

  175. 

  176.     if ($data['expires_at'] < time()) {

  177.      Logger::log('Handle for %s expired at %s, unsetting', $server, $data['expires_at']);

  178.      unset(self::$data[$server][$handle]);

  179.     } else {

  180.      return $handle;

  181.     }

  182.    }

  183. 

  184.    return null;

  185.   }

  186. 

  187.   /**

  188.    * Determines if the KeyManager has at least one assoc_handle for the

  189.    * specified server.

  190.    *

  191.    * @param String $server The server to check for

  192.    * @return True if the KeyManager has a handle, false otherwise

  193.    */

  194.   public static function hasHandle($server) {

  195.    return self::getHandle($server) !== null;

  196.   }

  197. 

  198.   /**

  199.    * Retrieves the association data array for the specified server and assoc

  200.    * handle.

  201.    *

  202.    * @param String $server The server whose data is being requested

  203.    * @param String $handle The current association handle for the server

  204.    * @return Array of association data or null if none was found

  205.    */

  206.   public static function getData($server, $handle) {

  207.    self::loadData();

  208. 

  209.    if (isset(self::$data[$server][$handle])) {

  210.     if (self::$data[$server][$handle]['expires_at'] < time()) {

  211.      self::revokeHandle($server, $handle);

  212.      return null;

  213.     } else {

  214.      return self::$data[$server][$handle];

  215.     }

  216.    } else {

  217.     return null;

  218.    }

  219.   }

  220. 

  221.   /**

  222.    * Attempts to authenticate that the specified arguments are a valid query

  223.    * from the specified server. If smart authentication is not available

  224.    * or an error is encountered, throws an exception.

  225.    *

  226.    * @param String $server The server that supposedly sent the request

  227.    * @param Array $args The arguments included in the request

  228.    * @return True if the message was authenticated, false if it's a fake

  229.    */

  230.   public static function authenticate($server, $args) {

  231.    Logger::log('Authenticating message from %s', $server);

  232. 

  233.    $data = self::getData($server, $args['openid_assoc_handle']);

  234. 

  235.    if ($data === null) {

  236.     Logger::log('Can\'t authenticate, no key available');

  237.     throw new Exception('No key available for that server/handle');

  238.    }

  239. 

  240.    $contents = '';

  241.    foreach (explode(',', $args['openid_signed']) as $arg) {

  242.     $argn = str_replace('.', '_', $arg);

  243.     $contents .= $arg . ':' . $args['openid_' . $argn] . "\n";

  244.    }

  245. 

  246.    switch (strtolower($data['assoc_type'])) {

  247.     case 'hmac-sha1':

  248.      $algo = 'sha1';

  249.      break;

  250.     case 'hmac-sha256':

  251.      $algo = 'sha256';

  252.      break;

  253.     default:

  254.      Logger::log('Can\'t authenticate, unknown assoc type %s', $data['assoc_type']);

  255.      throw new Exception('Unable to handle association type ' . $data['assoc_type']);

  256.    }

  257. 

  258.    $sig = base64_encode(hash_hmac($algo, $contents, base64_decode($data['mac_key']), true));

  259.    Logger::log('Expected signature %s, received signature %s', $sig, $args['openid_sig']);

  260. 

  261.    // Manually compare characters to prevent timing attacks

  262.    $res = strlen($sig) == strlen($args['openid_sig']);

  263.    for ($i = 0; $i < strlen($sig); $i++) {

  264.     $res &= $sig[$i] == $args['openid_sig'][$i];

  265.    }

  266. 

  267.    Logger::log('Authentication result: %s', $res ? 'good' : 'bad');

  268.    return $res;

  269.   }

  270. 

  271.   /**

  272.    * Validates the current request using dumb authentication (a POST to the

  273.    * provider).

  274.    *

  275.    * @return True if the request has been authenticated, false otherwise.

  276.    */

  277.   public static function dumbAuthenticate() {

  278.    Logger::log('Performing dumb authentication');

  279. 

  280.    $url = URLBuilder::buildAuth($_REQUEST, $_SESSION['openid']['version']);

  281. 

  282.    try {

  283.     $data = Poster::post($_SESSION['openid']['endpointUrl'], $url);

  284.    } catch (Exception $ex) {

  285.     return false;

  286.    }

  287. 

  288.    $valid = false;

  289.    foreach (explode("\n", $data) as $line) {

  290.     if (substr($line, 0, 9) == 'is_valid:') {

  291.      $valid = (boolean) substr($line, 9);

  292.     }

  293.    }

  294. 

  295.    Logger::log('Authentication result: %s', $valid ? 'good' : 'bad');

  296.    return $valid;

  297.   }

  298. 

  299.   /**

  300.    * Removes the specified association handle from the specified server's

  301.    * records.

  302.    *

  303.    * @param String $server The server which is revoking the handle

  304.    * @param String $handle The handle which is being revoked

  305.    */

  306.   public static function revokeHandle($server, $handle) {

  307.    self::loadData();

  308.    unset(self::$data[$server][$handle]);

  309.    self::saveData();

  310.   }

  311. 

  312.   /**

  313.    * Determines if the keymanager is supported by the local environment or not.

  314.    *

  315.    * @return True if the keymanager can be used, false otherwise

  316.    */

  317.   public static function isSupported() {

  318.    return @is_writable(dirname(__FILE__) . '/keycache.php')

  319. 	&& function_exists('hash_hmac');

  320.   }

  321. 

  322.   /**

  323.    * Returns the base64-encoded representation of the dh_modulus parameter.

  324.    *

  325.    * @return Base64-encoded representation of dh_modulus

  326.    */

  327.   public static function getDhModulus() {

  328.    return base64_encode(self::$bigmath->btwoc(self::DH_P));

  329.   }

  330. 

  331.   /**

  332.    * Returns the base64-encoded representation of the dh_gen parameter.

  333.    *

  334.    * @return Base64-encoded representation of dh_gen

  335.    */

  336.   public static function getDhGen() {

  337.    return base64_encode(self::$bigmath->btwoc(self::DH_G));

  338.   }

  339. 

  340.   /**

  341.    * Retrieves our private key for the specified server.

  342.    *

  343.    * @param String $server The server which we're communicating with

  344.    * @return Our private key for the specified server, or null if we don't have

  345.    * one

  346.    */

  347.   public static function getDhPrivateKey($server) {

  348.    self::loadData();

  349.    if (isset(self::$data[$server])) {

  350.     return self::$data[$server]['__private'];

  351.    } else {

  352.    	return null;

  353.    }

  354.   }

  355. 

  356.   /**

  357.    * Retrieves our public key for use with the specified server.

  358.    *

  359.    * @param String $server The server we wish to send the public key to

  360.    * @return Base64-encoded public key for the specified server

  361.    */

  362.   public static function getDhPublicKey($server) {

  363.    self::loadData();

  364.    $key = self::createDhKey($server);

  365.    self::saveData();

  366. 

  367.    return base64_encode(self::$bigmath->btwoc(self::$bigmath->powmod(self::DH_G, $key, self::DH_P)));

  368.   }

  369. 

  370.   /**

  371.    * Creates a private key for use when exchanging keys with the specified

  372.    * server.

  373.    *

  374.    * @param String $server The name of the server we're dealing with

  375.    * @return The server's new private key

  376.    */

  377.   private static function createDhKey($server) {

  378.    return self::$data[$server]['__private'] = self::$bigmath->rand(self::DH_P);

  379.   }

  380. 

  381.   /**

  382.    * Determines whether the keymanager can support Diffie-Hellman key exchange.

  383.    *

  384.    * @return True if D-H exchange is supported, false otherwise.

  385.    */

  386.   public static function supportsDH() {

  387.    return self::$bigmath != null;

  388.   }

  389. 

  390.   /**

  391.    * Initialises the key manager.

  392.    */

  393.   public static function init() {

  394.    self::$bigmath = BigMath::getBigMath();

  395.   }

  396. 

  397.  }

  398. 

  399.  KeyManager::init();

  400. 

  401. ?>