archive
/
poidsy
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
PHP OpenID consumer
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1 Commit
3 Branches
Tree: 95f1b0b960
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '95f1b0b960'
${ noResults }
poidsy/keymanager.inc.php

keymanager.inc.php 10KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362 
  1. <?PHP

  2. 

  3. /* Poidsy 0.4 - http://chris.smith.name/projects/poidsy

  4.  * Copyright (c) 2008 Chris Smith

  5.  *

  6.  * Permission is hereby granted, free of charge, to any person obtaining a copy

  7.  * of this software and associated documentation files (the "Software"), to deal

  8.  * in the Software without restriction, including without limitation the rights

  9.  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

  10.  * copies of the Software, and to permit persons to whom the Software is

  11.  * furnished to do so, subject to the following conditions:

  12.  *

  13.  * The above copyright notice and this permission notice shall be included in

  14.  * all copies or substantial portions of the Software.

  15.  *

  16.  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

  17.  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

  18.  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

  19.  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

  20.  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

  21.  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

  22.  * SOFTWARE.

  23.  */

  24. 

  25.  require_once(dirname(__FILE__) . '/bigmath.inc.php');

  26.  require_once(dirname(__FILE__) . '/poster.inc.php');

  27.  require_once(dirname(__FILE__) . '/urlbuilder.inc.php');

  28. 

  29.  class KeyManager {

  30. 

  31.   /** Diffie-Hellman P value, defined by OpenID specification. */

  32.   const DH_P = '155172898181473697471232257763715539915724801966915404479707795314057629378541917580651227423698188993727816152646631438561595825688188889951272158842675419950341258706556549803580104870537681476726513255747040765857479291291572334510643245094715007229621094194349783925984760375594985848253359305585439638443';

  33.   /** Diffie-Hellman G value. */

  34.   const DH_G = '2';

  35. 

  36.   private static $header = null;

  37.   private static $data = null;

  38.   private static $bigmath = null;

  39. 

  40.   /**

  41.    * Loads the KeyManager's data array from disk.

  42.    */

  43.   private static function loadData() {

  44.    if (self::$data == null) {

  45.     $data = file(dirname(__FILE__) . '/keycache.php');

  46.     self::$header = array_shift($data);

  47.     self::$data = unserialize(implode("\n", $data));

  48.    }

  49.   }

  50. 

  51.   /**

  52.    * Saves the KeyManager's data array to disk.

  53.    */

  54.   private static function saveData() {

  55.    file_put_contents(dirname(__FILE__) . '/keycache.php', self::$header . serialize(self::$data));

  56.   }

  57. 

  58.   /**

  59.    * Attempts to associate with the specified server.

  60.    *

  61.    * @param String $server The server to associate with

  62.    */

  63.   public static function associate($server) {

  64.    $data = URLBuilder::buildAssociate($server);

  65. 

  66.    try {

  67.     $res = Poster::post($server, $data);

  68.    } catch (Exception $ex) {

  69.     return;

  70.    }

  71. 

  72.    $data = array();

  73. 

  74.    foreach (explode("\n", $res) as $line) {

  75.     if (preg_match('/^(.*?):(.*)$/', $line, $m)) {

  76.      $data[$m[1]] = $m[2];

  77.     }

  78.    }

  79. 

  80.    try {

  81.     $data = self::decodeKey($server, $data);

  82.    } catch (Exception $ex) {

  83.     return;

  84.    }

  85. 

  86.    $data['expires_at'] = time() + $data['expires_in'];

  87. 

  88.    self::$data[$server][$data['assoc_handle']] = $data;

  89.    self::saveData();

  90.   }

  91. 

  92.   /**

  93.    * Decodes the MAC key specified in the $data array.

  94.    *

  95.    * @param String $server The server which sent the data

  96.    * @param Array $data Array of association data from the server

  97.    * @return A copy of the $data array with the mac_key present

  98.    */

  99.   private static function decodeKey($server, $data) {

  100.    switch (strtolower($data['session_type'])) {

  101.     case 'dh-sha1':

  102.      $algo = 'sha1';

  103.      break;

  104.     case 'dh-sha256':

  105.      $algo = 'sha256';

  106.      break;

  107.     case 'no-encryption':

  108.     case 'blank':

  109.     case '':

  110.      $algo = false;

  111.      break;

  112.     default:

  113.      throw new Exception('Unable to handle session type ' . $data['session_type']);

  114.    }

  115. 

  116.    if ($algo !== false) {

  117.     // The key is DH'd

  118.     $mac = base64_decode($data['enc_mac_key']);

  119.     $x = self::getDhPrivateKey($server);

  120.     $temp = self::$bigmath->btwoc_undo(base64_decode($data['dh_server_public']));

  121.     $temp = self::$bigmath->powmod($temp, $x, self::DH_P);

  122.     $temp = self::$bigmath->btwoc($temp);

  123.     $temp = hash($algo, $temp, true);

  124.     $mac = $mac ^ $temp;

  125.     $data['mac_key'] = base64_encode($mac);

  126. 

  127.     unset($data['enc_mac_key'], $data['dh_server_public']);

  128.    }

  129. 

  130.    return $data;

  131.   }

  132. 

  133.   /**

  134.    * Retrieves an active assoc_handle for the specified server.

  135.    *

  136.    * @param String $server The server whose handle we're looking for

  137.    * @return An association handle for the server or null on failure

  138.    */

  139.   public static function getHandle($server) {

  140.    self::loadData();

  141. 

  142.    if (!isset(self::$data[$server])) {

  143.     return null;

  144.    }

  145. 

  146.    foreach (self::$data[$server] as $handle => $data) {

  147.     if ($handle == '__private') { continue; }

  148. 

  149.     if ($data['expires_at'] < time()) {

  150.      unset(self::$data[$server][$handle]);

  151.     } else {

  152.      return $handle;

  153.     }

  154.    }

  155. 

  156.    return null;

  157.   }

  158. 

  159.   /**

  160.    * Determines if the KeyManager has at least one assoc_handle for the

  161.    * specified server.

  162.    *

  163.    * @param String $server The server to check for

  164.    * @return True if the KeyManager has a handle, false otherwise

  165.    */

  166.   public static function hasHandle($server) {

  167.    return self::getHandle($server) !== null;

  168.   }

  169. 

  170.   /**

  171.    * Retrieves the association data array for the specified server and assoc

  172.    * handle.

  173.    *

  174.    * @param String $server The server whose data is being requested

  175.    * @param String $handle The current association handle for the server

  176.    * @return Array of association data or null if none was found

  177.    */

  178.   public static function getData($server, $handle) {

  179.    self::loadData();

  180. 

  181.    if (isset(self::$data[$server][$handle])) {

  182.     if (self::$data[$server][$handle]['expires_at'] < time()) {

  183.      self::revokeHandle($server, $handle);

  184.      return null;

  185.     } else {

  186.      return self::$data[$server][$handle];

  187.     }

  188.    } else {

  189.     return null;

  190.    }

  191.   }

  192. 

  193.   /**

  194.    * Attempts to authenticate that the specified arguments are a valid query

  195.    * from the specified server. If smart authentication is not available

  196.    * or an error is encountered, throws an exception.

  197.    *

  198.    * @param String $server The server that supposedly sent the request

  199.    * @param Array $args The arguments included in the request

  200.    * @return True if the message was authenticated, false if it's a fake

  201.    */

  202.   public static function authenticate($server, $args) {

  203.    $data = self::getData($server, $args['openid_assoc_handle']);

  204. 

  205.    if ($data === null) {

  206.     throw new Exception('No key available for that server/handle');

  207.    }

  208. 

  209.    $contents = '';

  210.    foreach (explode(',', $args['openid_signed']) as $arg) {

  211.     $argn = str_replace('.', '_', $arg);

  212.     $contents .= $arg . ':' . $args['openid_' . $argn] . "\n";

  213.    }

  214. 

  215.    switch (strtolower($data['assoc_type'])) {

  216.     case 'hmac-sha1':

  217.      $algo = 'sha1';

  218.      break;

  219.     case 'hmac-sha256':

  220.      $algo = 'sha256';

  221.      break;

  222.     default:

  223.      throw new Exception('Unable to handle association type ' . $data['assoc_type']);

  224.    }

  225. 

  226.    $sig = base64_encode(hash_hmac($algo, $contents, base64_decode($data['mac_key']), true));

  227. 

  228.    if ($sig == $args['openid_sig']) {

  229.     return true;

  230.    } else {

  231.     return false;

  232.    }

  233.   }

  234. 

  235.   /**

  236.    * Validates the current request using dumb authentication (a POST to the

  237.    * provider).

  238.    *

  239.    * @return True if the request has been authenticated, false otherwise.

  240.    */

  241.   public static function dumbAuthenticate() {

  242.    $url = URLBuilder::buildAuth($_REQUEST);

  243. 

  244.    try {

  245.     $data = Poster::post($_SESSION['openid']['server'], $url);

  246.    } catch (Exception $ex) {

  247.     return false;

  248.    }

  249. 

  250.    $valid = false;

  251.    foreach (explode("\n", $data) as $line) {

  252.     if (substr($line, 0, 9) == 'is_valid:') {

  253.      $valid = (boolean) substr($line, 9);

  254.     }

  255.    }

  256. 

  257.    return $valid;

  258.   }

  259. 

  260.   /**

  261.    * Removes the specified association handle from the specified server's

  262.    * records.

  263.    *

  264.    * @param String $server The server which is revoking the handle

  265.    * @param String $handle The handle which is being revoked

  266.    */

  267.   public static function revokeHandle($server, $handle) {

  268.    self::loadData();

  269.    unset(self::$data[$server][$handle]);

  270.    self::saveData();

  271.   }

  272. 

  273.   /**

  274.    * Determines if the keymanager is supported by the local environment or not.

  275.    *

  276.    * @return True if the keymanager can be used, false otherwise

  277.    */

  278.   public static function isSupported() {

  279.    return @is_writable(dirname(__FILE__) . '/keycache.php')

  280. 	&& function_exists('hash_hmac');

  281.   }

  282. 

  283.   /**

  284.    * Returns the base64-encoded representation of the dh_modulus parameter.

  285.    *

  286.    * @return Base64-encoded representation of dh_modulus

  287.    */

  288.   public static function getDhModulus() {

  289.    return base64_encode(self::$bigmath->btwoc(self::DH_P));

  290.   }

  291. 

  292.   /**

  293.    * Returns the base64-encoded representation of the dh_gen parameter.

  294.    *

  295.    * @return Base64-encoded representation of dh_gen

  296.    */

  297.   public static function getDhGen() {

  298.    return base64_encode(self::$bigmath->btwoc(self::DH_G));

  299.   }

  300. 

  301.   /**

  302.    * Retrieves our private key for the specified server.

  303.    *

  304.    * @param String $server The server which we're communicating with

  305.    * @return Our private key for the specified server, or null if we don't have

  306.    * one

  307.    */

  308.   public static function getDhPrivateKey($server) {

  309.    self::loadData();

  310.    if (isset(self::$data[$server])) {

  311.     return self::$data[$server]['__private'];

  312.    } else {

  313.    	return null;

  314.    }

  315.   }

  316. 

  317.   /**

  318.    * Retrieves our public key for use with the specified server.

  319.    *

  320.    * @param String $server The server we wish to send the public key to

  321.    * @return Base64-encoded public key for the specified server

  322.    */

  323.   public static function getDhPublicKey($server) {

  324.    self::loadData();

  325.    $key = self::createDhKey($server);

  326.    self::saveData();

  327. 

  328.    return base64_encode(self::$bigmath->btwoc(self::$bigmath->powmod(self::DH_G, $key, self::DH_P)));

  329.   }

  330. 

  331.   /**

  332.    * Creates a private key for use when exchanging keys with the specified

  333.    * server.

  334.    *

  335.    * @param String $server The name of the server we're dealing with

  336.    * @return The server's new private key

  337.    */

  338.   private static function createDhKey($server) {

  339.    return self::$data[$server]['__private'] = self::$bigmath->rand(self::DH_P);

  340.   }

  341. 

  342.   /**

  343.    * Determines whether the keymanager can support Diffie-Hellman key exchange.

  344.    *

  345.    * @return True if D-H exchange is supported, false otherwise.

  346.    */

  347.   public static function supportsDH() {

  348.    return self::$bigmath != null;

  349.   }

  350. 

  351.   /**

  352.    * Initialises the key manager.

  353.    */

  354.   public static function init() {

  355.    self::$bigmath = BigMath::getBigMath();

  356.   }

  357. 

  358.  }

  359. 

  360.  KeyManager::init();

  361. 

  362. ?>