archive
/
poidsy
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
PHP OpenID consumer
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
55 Commits
3 Branches
Tree: a4369dee50
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a4369dee50'
${ noResults }
poidsy/keymanager.inc.php

keymanager.inc.php 11KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386 
  1. <?PHP

  2. 

  3. /* Poidsy 0.6 - http://chris.smith.name/projects/poidsy

  4.  * Copyright (c) 2008-2010 Chris Smith

  5.  *

  6.  * Permission is hereby granted, free of charge, to any person obtaining a copy

  7.  * of this software and associated documentation files (the "Software"), to deal

  8.  * in the Software without restriction, including without limitation the rights

  9.  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

  10.  * copies of the Software, and to permit persons to whom the Software is

  11.  * furnished to do so, subject to the following conditions:

  12.  *

  13.  * The above copyright notice and this permission notice shall be included in

  14.  * all copies or substantial portions of the Software.

  15.  *

  16.  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

  17.  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

  18.  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

  19.  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

  20.  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

  21.  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

  22.  * SOFTWARE.

  23.  */

  24. 

  25.  require_once(dirname(__FILE__) . '/bigmath.inc.php');

  26.  require_once(dirname(__FILE__) . '/logging.inc.php');

  27.  require_once(dirname(__FILE__) . '/poster.inc.php');

  28.  require_once(dirname(__FILE__) . '/urlbuilder.inc.php');

  29. 

  30.  class KeyManager {

  31. 

  32.   /** Diffie-Hellman P value, defined by OpenID specification. */

  33.   const DH_P = '155172898181473697471232257763715539915724801966915404479707795314057629378541917580651227423698188993727816152646631438561595825688188889951272158842675419950341258706556549803580104870537681476726513255747040765857479291291572334510643245094715007229621094194349783925984760375594985848253359305585439638443';

  34.   /** Diffie-Hellman G value. */

  35.   const DH_G = '2';

  36. 

  37.   private static $header = null;

  38.   private static $data = null;

  39.   private static $bigmath = null;

  40. 

  41.   /**

  42.    * Loads the KeyManager's data array from disk.

  43.    */

  44.   private static function loadData() {

  45.    if (self::$data == null) {

  46.     $data = file(dirname(__FILE__) . '/keycache.php');

  47.     self::$header = array_shift($data);

  48.     self::$data = unserialize(implode("\n", $data));

  49.    }

  50.   }

  51. 

  52.   /**

  53.    * Saves the KeyManager's data array to disk.

  54.    */

  55.   private static function saveData() {

  56.    file_put_contents(dirname(__FILE__) . '/keycache.php', self::$header . serialize(self::$data));

  57.   }

  58. 

  59.   /**

  60.    * Attempts to associate with the specified server.

  61.    *

  62.    * @param String $server The server to associate with

  63.    */

  64.   public static function associate($server, $assocType = null, $sessionType = null) {

  65.    Logger::log('Attempting to associate with %s, assocType: %s, sessionType: %s', $server, $assocType, $sessionType);

  66.    $data = URLBuilder::buildAssociate($server, $_SESSION['openid']['version'], $assocType, $sessionType);

  67. 

  68.    try {

  69.     $res = Poster::post($server, $data);

  70.    } catch (Exception $ex) {

  71.     Logger::log('Exception while posting: %s', $ex->getMessage());

  72.     return;

  73.    }

  74. 

  75.    $data = array();

  76. 

  77.    foreach (explode("\n", $res) as $line) {

  78.     if (preg_match('/^(.*?):(.*)$/', $line, $m)) {

  79.      $data[$m[1]] = $m[2];

  80.     }

  81.    }

  82. 

  83.    if (isset($data['error_code']) && $data['error_code'] == 'unsupported-type') {

  84.     $cont = false;

  85. 

  86.     if (isset($data['session_type']) && $data['session_type'] != $sessionType) {

  87.      // TODO: Check we support it before actually trying

  88.      $sessionType = $data['session_type'];

  89.      $cont = true;

  90.     }

  91. 

  92.     if (isset($data['assoc_type']) && $data['assoc_type'] != $assocType) {

  93.      $assocType = $data['assoc_type'];

  94.      $cont = true;

  95.     }

  96. 

  97.     if ($cont) {

  98.      self::associate($server, $assocType, $sessionType);

  99.     }

  100. 

  101.     return;

  102.    }

  103. 

  104.    try {

  105.     $data = self::decodeKey($server, $data);

  106.    } catch (Exception $ex) {

  107.     return;

  108.    }

  109. 

  110.    $data['expires_at'] = time() + $data['expires_in'];

  111. 

  112.    self::$data[$server][$data['assoc_handle']] = $data;

  113.    self::saveData();

  114.   }

  115. 

  116.   /**

  117.    * Decodes the MAC key specified in the $data array.

  118.    *

  119.    * @param String $server The server which sent the data

  120.    * @param Array $data Array of association data from the server

  121.    * @return A copy of the $data array with the mac_key present

  122.    */

  123.   private static function decodeKey($server, $data) {

  124.    switch (strtolower($data['session_type'])) {

  125.     case 'dh-sha1':

  126.      $algo = 'sha1';

  127.      break;

  128.     case 'dh-sha256':

  129.      $algo = 'sha256';

  130.      break;

  131.     case 'no-encryption':

  132.     case 'blank':

  133.     case '':

  134.      $algo = false;

  135.      break;

  136.     default:

  137.      throw new Exception('Unable to handle session type ' . $data['session_type']);

  138.    }

  139. 

  140.    if ($algo !== false) {

  141.     // The key is DH'd

  142.     $mac = base64_decode($data['enc_mac_key']);

  143.     $x = self::getDhPrivateKey($server);

  144.     $temp = self::$bigmath->btwoc_undo(base64_decode($data['dh_server_public']));

  145.     $temp = self::$bigmath->powmod($temp, $x, self::DH_P);

  146.     $temp = self::$bigmath->btwoc($temp);

  147.     $temp = hash($algo, $temp, true);

  148.     $mac = $mac ^ $temp;

  149.     $data['mac_key'] = base64_encode($mac);

  150. 

  151.     unset($data['enc_mac_key'], $data['dh_server_public']);

  152.    }

  153. 

  154.    return $data;

  155.   }

  156. 

  157.   /**

  158.    * Retrieves an active assoc_handle for the specified server.

  159.    *

  160.    * @param String $server The server whose handle we're looking for

  161.    * @return An association handle for the server or null on failure

  162.    */

  163.   public static function getHandle($server) {

  164.    self::loadData();

  165. 

  166.    if (!isset(self::$data[$server])) {

  167.     return null;

  168.    }

  169. 

  170.    foreach (self::$data[$server] as $handle => $data) {

  171.     if ($handle == '__private') { continue; }

  172. 

  173.     if ($data['expires_at'] < time()) {

  174.      unset(self::$data[$server][$handle]);

  175.     } else {

  176.      return $handle;

  177.     }

  178.    }

  179. 

  180.    return null;

  181.   }

  182. 

  183.   /**

  184.    * Determines if the KeyManager has at least one assoc_handle for the

  185.    * specified server.

  186.    *

  187.    * @param String $server The server to check for

  188.    * @return True if the KeyManager has a handle, false otherwise

  189.    */

  190.   public static function hasHandle($server) {

  191.    return self::getHandle($server) !== null;

  192.   }

  193. 

  194.   /**

  195.    * Retrieves the association data array for the specified server and assoc

  196.    * handle.

  197.    *

  198.    * @param String $server The server whose data is being requested

  199.    * @param String $handle The current association handle for the server

  200.    * @return Array of association data or null if none was found

  201.    */

  202.   public static function getData($server, $handle) {

  203.    self::loadData();

  204. 

  205.    if (isset(self::$data[$server][$handle])) {

  206.     if (self::$data[$server][$handle]['expires_at'] < time()) {

  207.      self::revokeHandle($server, $handle);

  208.      return null;

  209.     } else {

  210.      return self::$data[$server][$handle];

  211.     }

  212.    } else {

  213.     return null;

  214.    }

  215.   }

  216. 

  217.   /**

  218.    * Attempts to authenticate that the specified arguments are a valid query

  219.    * from the specified server. If smart authentication is not available

  220.    * or an error is encountered, throws an exception.

  221.    *

  222.    * @param String $server The server that supposedly sent the request

  223.    * @param Array $args The arguments included in the request

  224.    * @return True if the message was authenticated, false if it's a fake

  225.    */

  226.   public static function authenticate($server, $args) {

  227.    $data = self::getData($server, $args['openid_assoc_handle']);

  228. 

  229.    if ($data === null) {

  230.     throw new Exception('No key available for that server/handle');

  231.    }

  232. 

  233.    $contents = '';

  234.    foreach (explode(',', $args['openid_signed']) as $arg) {

  235.     $argn = str_replace('.', '_', $arg);

  236.     $contents .= $arg . ':' . $args['openid_' . $argn] . "\n";

  237.    }

  238. 

  239.    switch (strtolower($data['assoc_type'])) {

  240.     case 'hmac-sha1':

  241.      $algo = 'sha1';

  242.      break;

  243.     case 'hmac-sha256':

  244.      $algo = 'sha256';

  245.      break;

  246.     default:

  247.      throw new Exception('Unable to handle association type ' . $data['assoc_type']);

  248.    }

  249. 

  250.    $sig = base64_encode(hash_hmac($algo, $contents, base64_decode($data['mac_key']), true));

  251. 

  252.    if ($sig == $args['openid_sig']) {

  253.     return true;

  254.    } else {

  255.     return false;

  256.    }

  257.   }

  258. 

  259.   /**

  260.    * Validates the current request using dumb authentication (a POST to the

  261.    * provider).

  262.    *

  263.    * @return True if the request has been authenticated, false otherwise.

  264.    */

  265.   public static function dumbAuthenticate() {

  266.    $url = URLBuilder::buildAuth($_REQUEST, $_SESSION['openid']['version']);

  267. 

  268.    try {

  269.     $data = Poster::post($_SESSION['openid']['endpointUrl'], $url);

  270.    } catch (Exception $ex) {

  271.     return false;

  272.    }

  273. 

  274.    $valid = false;

  275.    foreach (explode("\n", $data) as $line) {

  276.     if (substr($line, 0, 9) == 'is_valid:') {

  277.      $valid = (boolean) substr($line, 9);

  278.     }

  279.    }

  280. 

  281.    return $valid;

  282.   }

  283. 

  284.   /**

  285.    * Removes the specified association handle from the specified server's

  286.    * records.

  287.    *

  288.    * @param String $server The server which is revoking the handle

  289.    * @param String $handle The handle which is being revoked

  290.    */

  291.   public static function revokeHandle($server, $handle) {

  292.    self::loadData();

  293.    unset(self::$data[$server][$handle]);

  294.    self::saveData();

  295.   }

  296. 

  297.   /**

  298.    * Determines if the keymanager is supported by the local environment or not.

  299.    *

  300.    * @return True if the keymanager can be used, false otherwise

  301.    */

  302.   public static function isSupported() {

  303.    return @is_writable(dirname(__FILE__) . '/keycache.php')

  304. 	&& function_exists('hash_hmac');

  305.   }

  306. 

  307.   /**

  308.    * Returns the base64-encoded representation of the dh_modulus parameter.

  309.    *

  310.    * @return Base64-encoded representation of dh_modulus

  311.    */

  312.   public static function getDhModulus() {

  313.    return base64_encode(self::$bigmath->btwoc(self::DH_P));

  314.   }

  315. 

  316.   /**

  317.    * Returns the base64-encoded representation of the dh_gen parameter.

  318.    *

  319.    * @return Base64-encoded representation of dh_gen

  320.    */

  321.   public static function getDhGen() {

  322.    return base64_encode(self::$bigmath->btwoc(self::DH_G));

  323.   }

  324. 

  325.   /**

  326.    * Retrieves our private key for the specified server.

  327.    *

  328.    * @param String $server The server which we're communicating with

  329.    * @return Our private key for the specified server, or null if we don't have

  330.    * one

  331.    */

  332.   public static function getDhPrivateKey($server) {

  333.    self::loadData();

  334.    if (isset(self::$data[$server])) {

  335.     return self::$data[$server]['__private'];

  336.    } else {

  337.    	return null;

  338.    }

  339.   }

  340. 

  341.   /**

  342.    * Retrieves our public key for use with the specified server.

  343.    *

  344.    * @param String $server The server we wish to send the public key to

  345.    * @return Base64-encoded public key for the specified server

  346.    */

  347.   public static function getDhPublicKey($server) {

  348.    self::loadData();

  349.    $key = self::createDhKey($server);

  350.    self::saveData();

  351. 

  352.    return base64_encode(self::$bigmath->btwoc(self::$bigmath->powmod(self::DH_G, $key, self::DH_P)));

  353.   }

  354. 

  355.   /**

  356.    * Creates a private key for use when exchanging keys with the specified

  357.    * server.

  358.    *

  359.    * @param String $server The name of the server we're dealing with

  360.    * @return The server's new private key

  361.    */

  362.   private static function createDhKey($server) {

  363.    return self::$data[$server]['__private'] = self::$bigmath->rand(self::DH_P);

  364.   }

  365. 

  366.   /**

  367.    * Determines whether the keymanager can support Diffie-Hellman key exchange.

  368.    *

  369.    * @return True if D-H exchange is supported, false otherwise.

  370.    */

  371.   public static function supportsDH() {

  372.    return self::$bigmath != null;

  373.   }

  374. 

  375.   /**

  376.    * Initialises the key manager.

  377.    */

  378.   public static function init() {

  379.    self::$bigmath = BigMath::getBigMath();

  380.   }

  381. 

  382.  }

  383. 

  384.  KeyManager::init();

  385. 

  386. ?>