diff options
Diffstat (limited to 'models/openid-php-openid-782224d/contrib/signed_assertions')
| -rw-r--r-- | models/openid-php-openid-782224d/contrib/signed_assertions/AP.php | 180 | ||||
| -rw-r--r-- | models/openid-php-openid-782224d/contrib/signed_assertions/SAML.php | 220 |
2 files changed, 0 insertions, 400 deletions
diff --git a/models/openid-php-openid-782224d/contrib/signed_assertions/AP.php b/models/openid-php-openid-782224d/contrib/signed_assertions/AP.php deleted file mode 100644 index a24265018..000000000 --- a/models/openid-php-openid-782224d/contrib/signed_assertions/AP.php +++ /dev/null @@ -1,180 +0,0 @@ -<?php - -/** - * Introduces the notion of an Attribute Provider that attests and signs - * attributes - * Uses OpenID Signed Assertions(Sxip draft) for attesting attributes - * PHP versions 4 and 5 - * - * LICENSE: See the COPYING file included in this distribution. - * - * @package OpenID - * @author Santosh Subramanian <subrasan@cs.sunysb.edu> - * @author Shishir Randive <srandive@cs.sunysb.edu> - * Stony Brook University. - * - */ -require_once 'Auth/OpenID/SAML.php'; -/** - * The Attribute_Provider class which signs the attribute,value pair - * for a given openid. - */ -class Attribute_Provider -{ - private $public_key_certificate=null; - private $private_key=null; - private $authenticatedUser=null; - private $notBefore=null; - private $notOnOrAfter=null; - private $rsadsa=null; - private $acsURI=null; - private $attribute=null; - private $value=null; - private $assertionTemplate=null; - /** - * Creates an Attribute_Provider object initialized with startup values. - * @param string $public_key_certificate - The public key certificate - of the signer. - * @param string $private_key - The private key of the signer. - * @param string $notBefore - Certificate validity time - * @param string $notOnOrAfter - Certificate validity time - * @param string $rsadsa - Choice of the algorithm (RSA/DSA) - * @param string $acsURI - URI of the signer. - * @param string $assertionTemplate - SAML template used for assertion - */ - function Attribute_Provider($public_key_certificate,$private_key,$notBefore,$notOnOrAfter,$rsadsa,$acsURI, - $assertionTemplate) - { - $this->public_key_certificate=$public_key_certificate; - $this->private_key=$private_key; - $this->notBefore=$notBefore; - $this->notOnOrAfter=$notOnOrAfter; - $this->rsadsa=$rsadsa; - $this->acsURI=$acsURI; - $this->assertionTemplate=$assertionTemplate; - } - /** - * Create the signed assertion. - * @param string $openid - Openid of the entity being asserted. - * @param string $attribute - The attribute name being asserted. - * @param string $value - The attribute value being asserted. - */ - function sign($openid,$attribute,$value) - { - $samlObj = new SAML(); - $responseXmlString = $samlObj->createSamlAssertion($openid, - $this->notBefore, - $this->notOnOrAfter, - $this->rsadsa, - $this->acsURI, - $attribute, - sha1($value), - $this->assertionTemplate); - $signedAssertion=$samlObj->signAssertion($responseXmlString, - $this->private_key, - $this->public_key_certificate); - return $signedAssertion; - } -} -/** - * The Attribute_Verifier class which verifies the signed assertion at the Relying party. - */ -class Attribute_Verifier -{ - /** - * The certificate the Relying party trusts. - */ - private $rootcert; - /** - * This function loads the public key certificate that the relying party trusts. - * @param string $cert - Trusted public key certificate. - */ - function load_trusted_root_cert($cert) - { - $this->rootcert=$cert; - } - /** - * Verifies the certificate given the SAML document. - * @param string - signed SAML assertion - * return @boolean - true if verification is successful, false if unsuccessful. - */ - function verify($responseXmlString) - { - $samlObj = new SAML(); - $ret = $samlObj->verifyAssertion($responseXmlString,$this->rootcert); - return $ret; - } -} - -/** - * This is a Store Request creating class at the Attribute Provider. - */ -class AP_OP_StoreRequest -{ - /** - * Creates store request and adds it as an extension to AuthRequest object - passed to it. - * @param &Auth_OpenID_AuthRequest &$auth_request - A reference to - the AuthRequest object. - * @param &Attribute_Provider &$attributeProvider - A reference to the - Attribute Provider object. - * @param string $attribute - The attribute name being asserted. - * @param string $value - The attribute value being asserted. - * @param string $openid - Openid of the entity being asserted. - * @return &Auth_OpenID_AuthRequest - Auth_OpenID_AuthRequest object - returned with StoreRequest extension. - */ - static function createStoreRequest(&$auth_request,&$attributeProvider, - $attribute,$value,$openid) - { - if(!$auth_request){ - return null; - } - $signedAssertion=$attributeProvider->sign($openid,$attribute,$value); - $store_request=new Auth_OpenID_AX_StoreRequest; - $store_request->addValue($attribute,base64_encode($value)); - $store_request->addValue($attribute.'/signature', - base64_encode($signedAssertion)); - if($store_request) { - $auth_request->addExtension($store_request); - return $auth_request; - } - } -} - -/* - *This is implemented at the RP Takes care of getting the attribute from the - *AX_Fetch_Response object and verifying it. - */ -class RP_OP_Verify -{ - /** - * Verifies a given signed assertion. - * @param &Attribute_Verifier &$attributeVerifier - An instance of the class - passed for the verification. - * @param Auth_OpenID_Response - Response object for extraction. - * @return boolean - true if successful, false if verification fails. - */ - function verifyAssertion(&$attributeVerifier,$response) - { - $ax_resp=Auth_OpenID_AX_FetchResponse::fromSuccessResponse($response); - if($ax_resp instanceof Auth_OpenID_AX_FetchResponse){ - $ax_args=$ax_resp->getExtensionArgs(); - if($ax_args) { - $value=base64_decode($ax_args['value.ext1.1']); - if($attributeVerifier->verify($value)){ - return base64_decode($ax_args['value.ext0.1']); - } else { - return null; - } - } else { - return null; - } - } else { - return null; - } - } -} - - -?> diff --git a/models/openid-php-openid-782224d/contrib/signed_assertions/SAML.php b/models/openid-php-openid-782224d/contrib/signed_assertions/SAML.php deleted file mode 100644 index fa6df51f6..000000000 --- a/models/openid-php-openid-782224d/contrib/signed_assertions/SAML.php +++ /dev/null @@ -1,220 +0,0 @@ -<?php -/** - ** PHP versions 4 and 5 - ** - ** LICENSE: See the COPYING file included in this distribution. - ** - ** @package OpenID - ** @author Santosh Subramanian <subrasan@cs.sunysb.edu> - ** @author Shishir Randive <srandive@cs.sunysb.edu> - ** Stony Brook University. - ** largely derived from - ** - * Copyright (C) 2007 Google Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - **/ - -class SAML{ - private $assertionTemplate=null; - /** - * Returns a SAML response with various elements filled in. - * @param string $authenticatedUser The OpenId of the user - * @param string $notBefore The ISO 8601 formatted date before which the - response is invalid - * @param string $notOnOrAfter The ISO 8601 formatted data after which the - response is invalid - * @param string $rsadsa 'rsa' if the response will be signed with RSA keys, - 'dsa' for DSA keys - * @param string $requestID The ID of the request we're responding to - * @param string $destination The ACS URL that the response is submitted to - * @return string XML SAML response. - */ - function createSamlAssertion($authenticatedUser, $notBefore, $notOnOrAfter, $rsadsa, $acsURI,$attribute,$value,$assertionTemplate) - { - $samlResponse = $assertionTemplate; - $samlResponse = str_replace('USERNAME_STRING', $authenticatedUser, $samlResponse); - $samlResponse = str_replace('RESPONSE_ID', $this->samlCreateId(), $samlResponse); - $samlResponse = str_replace('ISSUE_INSTANT', $this->samlGetDateTime(time()), $samlResponse); - $samlResponse = str_replace('NOT_BEFORE', $this->samlGetDateTime(strtotime($notBefore)), $samlResponse); - $samlResponse = str_replace('NOT_ON_OR_AFTER', $this->samlGetDateTime(strtotime($notOnOrAfter)),$samlResponse); - $samlResponse = str_replace('ASSERTION_ID',$this->samlCreateId(), $samlResponse); - $samlResponse = str_replace('RSADSA', strtolower($rsadsa), $samlResponse); - $samlResponse = str_replace('ISSUER_DOMAIN', $acsURI, $samlResponse); - $samlResponse = str_replace('ATTRIBUTE_NAME', $attribute, $samlResponse); - $samlResponse = str_replace('ATTRIBUTE_VALUE', $value, $samlResponse); - return $samlResponse; - } - - /** - * Signs a SAML response with the given private key, and embeds the public key. - * @param string $responseXmlString The unsigned Assertion which will be signed - * @param string $priKey Private key to sign the certificate - * @param string $cert Public key certificate of signee - * @return string Signed Assertion - */ - function signAssertion($responseXmlString,$privKey,$cert) - { - if (file_exists("/tmp/xml")) { - $tempFileDir="/tmp/xml/"; - - } else { - mkdir("/tmp/xml",0777); - $tempFileDir="/tmp/xml/"; - } - $tempName = 'saml-response-' . $this->samlCreateId() . '.xml'; - $tempFileName=$tempFileDir.$tempName; - while (file_exists($tempFileName)) - $tempFileName = 'saml-response-' . $this->samlCreateId() . '.xml'; - - if (!$handle = fopen($tempFileName, 'w')) { - return null; - } - if (fwrite($handle, $responseXmlString) === false) { - return null; - } - fclose($handle); - $cmd = 'xmlsec1 --sign --privkey-pem ' . $privKey . - ',' . $cert . ' --output ' . $tempFileName . - '.out ' . $tempFileName; - exec($cmd, $resp); - unlink($tempFileName); - - $xmlResult = @file_get_contents($tempFileName . '.out'); - if (!$xmlResult) { - return null; - } else { - unlink($tempFileName . '.out'); - return $xmlResult; - } - } - - - /** - * Verify a saml response with the given public key. - * @param string $responseXmlString Response to sign - * @param string $rootcert trusted public key certificate - * @return string Signed SAML response - */ - function verifyAssertion($responseXmlString,$rootcert) - { - date_default_timezone_set("UTC"); - if (file_exists("/tmp/xml")) { - $tempFileDir="/tmp/xml/"; - - } else { - mkdir("/tmp/xml",0777); - $tempFileDir="/tmp/xml/"; - } - - $tempName = 'saml-response-' . $this->samlCreateId() . '.xml'; - $tempFileName=$tempFileDir.$tempName; - while (file_exists($tempFileName)) - $tempFileName = 'saml-response-' . $this->samlCreateId() . '.xml'; - - if (!$handle = fopen($tempFileName, 'w')) { - return false; - } - - if (fwrite($handle, $responseXmlString) === false) { - return false; - } - - $p=xml_parser_create(); - $result=xml_parse_into_struct($p,$responseXmlString,$vals,$index); - xml_parser_free($p); - $cert_info=$index["X509CERTIFICATE"]; - $conditions=$index["CONDITIONS"]; - foreach($cert_info as $key=>$value){ - file_put_contents($tempFileName.'.cert',$vals[$value]['value']); - } - $cert=$tempFileName.'.cert'; - $before=0; - $after=0; - foreach($conditions as $key=>$value){ - $before=$vals[$value]['attributes']['NOTBEFORE']; - $after=$vals[$value]['attributes']['NOTONORAFTER']; - } - $before=$this->validSamlDateFormat($before); - $after=$this->validSamlDateFormat($after); - if(strtotime("now") < $before || strtotime("now") >= $after){ - unlink($tempFileName); - unlink($cert); - return false; - } - fclose($handle); - $cmd = 'xmlsec1 --verify --pubkey-cert ' . $cert .'--trusted '.$rootcert. ' '.$tempFileName.'* 2>&1 1>/dev/null'; - exec($cmd,$resp); - if(strcmp($resp[0],"FAIL") == 0){ - $value = false; - }elseif(strcmp($resp[0],"ERROR") == 0){ - $value = false; - }elseif(strcmp($resp[0],"OK") == 0){ - $value = TRUE; - } - unlink($tempFileName); - unlink($cert); - return $value; - } - - /** - * Creates a 40-character string containing 160-bits of pseudorandomness. - * @return string Containing pseudorandomness of 160 bits - */ - - function samlCreateId() - { - $rndChars = 'abcdefghijklmnop'; - $rndId = ''; - for ($i = 0; $i < 40; $i++ ) { - $rndId .= $rndChars[rand(0,strlen($rndChars)-1)]; - } - return $rndId; - } - - /** - * Returns a unix timestamp in xsd:dateTime format. - * @param timestamp int UNIX Timestamp to convert to xsd:dateTime - * ISO 8601 format. - * @return string - */ - function samlGetDateTime($timestamp) - { - return gmdate('Y-m-d\TH:i:s\Z', $timestamp); - } - /** - * Attempts to check whether a SAML date is valid. Returns true or false. - * @param string $samlDate - * @return bool - */ - - function validSamlDateFormat($samlDate) - { - if ($samlDate == "") return false; - $indexT = strpos($samlDate, 'T'); - $indexZ = strpos($samlDate, 'Z'); - if (($indexT != 10) || ($indexZ != 19)) { - return false; - } - $dateString = substr($samlDate, 0, 10); - $timeString = substr($samlDate, $indexT + 1, 8); - list($year, $month, $day) = explode('-', $dateString); - list($hour, $minute, $second) = explode(':', $timeString); - $parsedDate = gmmktime($hour, $minute, $second, $month, $day, $year); - if (($parsedDate === false) || ($parsedDate == -1)) return false; - if (!checkdate($month, $day, $year)) return false; - return $parsedDate; - } - -} -?> |