From 6c8c03142db734678d460ee085a73df1d05a88a1 Mon Sep 17 00:00:00 2001
From: brettp
Date: Tue, 15 Mar 2011 03:46:37 +0000
Subject: Refs #3115. Moved oauth_lib to oauth_api.
git-svn-id: http://code.elgg.org/elgg/trunk@8715 36083f99-b078-4883-b0ff-0f9b5a30f544
---
.../OAuthSignatureMethod.class.php | 69 +++++++++++
.../OAuthSignatureMethod_HMAC_SHA1.php | 115 +++++++++++++++++
.../signature_method/OAuthSignatureMethod_MD5.php | 95 ++++++++++++++
.../OAuthSignatureMethod_PLAINTEXT.php | 80 ++++++++++++
.../OAuthSignatureMethod_RSA_SHA1.php | 136 +++++++++++++++++++++
5 files changed, 495 insertions(+)
create mode 100644 mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod.class.php
create mode 100644 mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod_HMAC_SHA1.php
create mode 100644 mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod_MD5.php
create mode 100644 mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod_PLAINTEXT.php
create mode 100644 mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod_RSA_SHA1.php
(limited to 'mod/oauth_api/vendors/oauth/library/signature_method')
diff --git a/mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod.class.php b/mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod.class.php
new file mode 100644
index 000000000..34ccb428c
--- /dev/null
+++ b/mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod.class.php
@@ -0,0 +1,69 @@
+
+ * @date Sep 8, 2008 12:04:35 PM
+ *
+ * The MIT License
+ *
+ * Copyright (c) 2007-2008 Mediamatic Lab
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+abstract class OAuthSignatureMethod
+{
+ /**
+ * Return the name of this signature
+ *
+ * @return string
+ */
+ abstract public function name();
+
+ /**
+ * Return the signature for the given request
+ *
+ * @param OAuthRequest request
+ * @param string base_string
+ * @param string consumer_secret
+ * @param string token_secret
+ * @return string
+ */
+ abstract public function signature ( $request, $base_string, $consumer_secret, $token_secret );
+
+ /**
+ * Check if the request signature corresponds to the one calculated for the request.
+ *
+ * @param OAuthRequest request
+ * @param string base_string data to be signed, usually the base string, can be a request body
+ * @param string consumer_secret
+ * @param string token_secret
+ * @param string signature from the request, still urlencoded
+ * @return string
+ */
+ abstract public function verify ( $request, $base_string, $consumer_secret, $token_secret, $signature );
+}
+
+
+/* vi:set ts=4 sts=4 sw=4 binary noeol: */
+
+?>
\ No newline at end of file
diff --git a/mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod_HMAC_SHA1.php b/mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod_HMAC_SHA1.php
new file mode 100644
index 000000000..4bc949c10
--- /dev/null
+++ b/mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod_HMAC_SHA1.php
@@ -0,0 +1,115 @@
+
+ * @date Sep 8, 2008 12:21:19 PM
+ *
+ * The MIT License
+ *
+ * Copyright (c) 2007-2008 Mediamatic Lab
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+
+require_once dirname(__FILE__).'/OAuthSignatureMethod.class.php';
+
+
+class OAuthSignatureMethod_HMAC_SHA1 extends OAuthSignatureMethod
+{
+ public function name ()
+ {
+ return 'HMAC-SHA1';
+ }
+
+
+ /**
+ * Calculate the signature using HMAC-SHA1
+ * This function is copyright Andy Smith, 2007.
+ *
+ * @param OAuthRequest request
+ * @param string base_string
+ * @param string consumer_secret
+ * @param string token_secret
+ * @return string
+ */
+ function signature ( $request, $base_string, $consumer_secret, $token_secret )
+ {
+ $key = $request->urlencode($consumer_secret).'&'.$request->urlencode($token_secret);
+ if (function_exists('hash_hmac'))
+ {
+ $signature = base64_encode(hash_hmac("sha1", $base_string, $key, true));
+ }
+ else
+ {
+ $blocksize = 64;
+ $hashfunc = 'sha1';
+ if (strlen($key) > $blocksize)
+ {
+ $key = pack('H*', $hashfunc($key));
+ }
+ $key = str_pad($key,$blocksize,chr(0x00));
+ $ipad = str_repeat(chr(0x36),$blocksize);
+ $opad = str_repeat(chr(0x5c),$blocksize);
+ $hmac = pack(
+ 'H*',$hashfunc(
+ ($key^$opad).pack(
+ 'H*',$hashfunc(
+ ($key^$ipad).$base_string
+ )
+ )
+ )
+ );
+ $signature = base64_encode($hmac);
+ }
+ return $request->urlencode($signature);
+ }
+
+
+ /**
+ * Check if the request signature corresponds to the one calculated for the request.
+ *
+ * @param OAuthRequest request
+ * @param string base_string data to be signed, usually the base string, can be a request body
+ * @param string consumer_secret
+ * @param string token_secret
+ * @param string signature from the request, still urlencoded
+ * @return string
+ */
+ public function verify ( $request, $base_string, $consumer_secret, $token_secret, $signature )
+ {
+ $a = $request->urldecode($signature);
+ $b = $request->urldecode($this->signature($request, $base_string, $consumer_secret, $token_secret));
+
+ // We have to compare the decoded values
+ $valA = base64_decode($a);
+ $valB = base64_decode($b);
+
+ // Crude binary comparison
+ return rawurlencode($a) == rawurlencode($b);
+ }
+}
+
+
+/* vi:set ts=4 sts=4 sw=4 binary noeol: */
+
+?>
\ No newline at end of file
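Review bot: `verify()` here compares the received and computed signatures with `==`, which stops at the first differing byte and so is not a constant-time check for an authentication value. `$valA` and `$valB` are base64-decoded and then never read, so the "compare the decoded values" comment does not match what is returned. On PHP versions that provide `hash_equals()` the last line could read `return hash_equals($b, $a);`; older runtimes would need a fixed-time loop over both strings. The `verify()` methods in OAuthSignatureMethod_MD5 and OAuthSignatureMethod_PLAINTEXT end in the same `==` comparison. As the code sits under `vendors/oauth`, the fix probably belongs upstream as well.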
diff --git a/mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod_MD5.php b/mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod_MD5.php
new file mode 100644
index 000000000..6f593a47f
--- /dev/null
+++ b/mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod_MD5.php
@@ -0,0 +1,95 @@
+
+ * @date Sep 8, 2008 12:09:43 PM
+ *
+ * The MIT License
+ *
+ * Copyright (c) 2007-2008 Mediamatic Lab
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+require_once dirname(__FILE__).'/OAuthSignatureMethod.class.php';
+
+
+class OAuthSignatureMethod_MD5 extends OAuthSignatureMethod
+{
+ public function name ()
+ {
+ return 'MD5';
+ }
+
+
+ /**
+ * Calculate the signature using MD5
+ * Binary md5 digest, as distinct from PHP's built-in hexdigest.
+ * This function is copyright Andy Smith, 2007.
+ *
+ * @param OAuthRequest request
+ * @param string base_string
+ * @param string consumer_secret
+ * @param string token_secret
+ * @return string
+ */
+ function signature ( $request, $base_string, $consumer_secret, $token_secret )
+ {
+ $s .= '&'.$request->urlencode($consumer_secret).'&'.$request->urlencode($token_secret);
+ $md5 = md5($base_string);
+ $bin = '';
+
+ for ($i = 0; $i < strlen($md5); $i += 2)
+ {
+ $bin .= chr(hexdec($md5{$i+1}) + hexdec($md5{$i}) * 16);
+ }
+ return $request->urlencode(base64_encode($bin));
+ }
+
+
+ /**
+ * Check if the request signature corresponds to the one calculated for the request.
+ *
+ * @param OAuthRequest request
+ * @param string base_string data to be signed, usually the base string, can be a request body
+ * @param string consumer_secret
+ * @param string token_secret
+ * @param string signature from the request, still urlencoded
+ * @return string
+ */
+ public function verify ( $request, $base_string, $consumer_secret, $token_secret, $signature )
+ {
+ $a = $request->urldecode($signature);
+ $b = $request->urldecode($this->signature($request, $base_string, $consumer_secret, $token_secret));
+
+ // We have to compare the decoded values
+ $valA = base64_decode($a);
+ $valB = base64_decode($b);
+
+ // Crude binary comparison
+ return rawurlencode($a) == rawurlencode($b);
+ }
+}
+
+/* vi:set ts=4 sts=4 sw=4 binary noeol: */
+
+?>
\ No newline at end of file
diff --git a/mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod_PLAINTEXT.php b/mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod_PLAINTEXT.php
new file mode 100644
index 000000000..92ef30867
--- /dev/null
+++ b/mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod_PLAINTEXT.php
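Review bot: `signature()` in OAuthSignatureMethod_MD5 does not use the secrets at all: the first statement appends them to an undefined `$s` that is never read, and the digest is `md5($base_string)`. The resulting value depends only on the base string, so `verify()` would accept a signature computed by anyone who can reconstruct that string, with no knowledge of the consumer or token secret. If hashing the secrets was intended, the lines would be `$s = $base_string.'&'.$request->urlencode($consumer_secret).'&'.$request->urlencode($token_secret);` and `$bin = md5($s, true);`, though a plain MD5 over message-plus-secret is still weaker than the HMAC method in this commit. Not registering this method on the server looks like the safer option. The `$md5{$i}` brace offsets in the loop are also rejected by PHP 8.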
@@ -0,0 +1,80 @@
+
+ * @date Sep 8, 2008 12:09:43 PM
+ *
+ * The MIT License
+ *
+ * Copyright (c) 2007-2008 Mediamatic Lab
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+require_once dirname(__FILE__).'/OAuthSignatureMethod.class.php';
+
+
+class OAuthSignatureMethod_PLAINTEXT extends OAuthSignatureMethod
+{
+ public function name ()
+ {
+ return 'PLAINTEXT';
+ }
+
+
+ /**
+ * Calculate the signature using PLAINTEXT
+ *
+ * @param OAuthRequest request
+ * @param string base_string
+ * @param string consumer_secret
+ * @param string token_secret
+ * @return string
+ */
+ function signature ( $request, $base_string, $consumer_secret, $token_secret )
+ {
+ return $request->urlencode($request->urlencode($consumer_secret).'&'.$request->urlencode($token_secret));
+ }
+
+
+ /**
+ * Check if the request signature corresponds to the one calculated for the request.
+ *
+ * @param OAuthRequest request
+ * @param string base_string data to be signed, usually the base string, can be a request body
+ * @param string consumer_secret
+ * @param string token_secret
+ * @param string signature from the request, still urlencoded
+ * @return string
+ */
+ public function verify ( $request, $base_string, $consumer_secret, $token_secret, $signature )
+ {
+ $a = $request->urldecode($signature);
+ $b = $request->urldecode($this->signature($request, $base_string, $consumer_secret, $token_secret));
+
+ return $request->urldecode($a) == $request->urldecode($b);
+ }
+}
+
+/* vi:set ts=4 sts=4 sw=4 binary noeol: */
+
+?>
\ No newline at end of file
diff --git a/mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod_RSA_SHA1.php b/mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod_RSA_SHA1.php
new file mode 100644
index 000000000..3bbde7d90
--- /dev/null
+++ b/mod/oauth_api/vendors/oauth/library/signature_method/OAuthSignatureMethod_RSA_SHA1.php
@@ -0,0 +1,136 @@
+
+ * @date Sep 8, 2008 12:00:14 PM
+ *
+ * The MIT License
+ *
+ * Copyright (c) 2007-2008 Mediamatic Lab
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+class OAuthSignatureMethod_RSA_SHA1 extends OAuthSignatureMethod
+{
+ public function name()
+ {
+ return 'RSA-SHA1';
+ }
+
+
+ /**
+ * Fetch the public CERT key for the signature
+ *
+ * @param OAuthRequest request
+ * @return string public key
+ */
+ protected function fetch_public_cert ( $request )
+ {
+ // not implemented yet, ideas are:
+ // (1) do a lookup in a table of trusted certs keyed off of consumer
+ // (2) fetch via http using a url provided by the requester
+ // (3) some sort of specific discovery code based on request
+ //
+ // either way should return a string representation of the certificate
+ throw OAuthException("OAuthSignatureMethod_RSA_SHA1::fetch_public_cert not implemented");
+ }
+
+
+ /**
+ * Fetch the private CERT key for the signature
+ *
+ * @param OAuthRequest request
+ * @return string private key
+ */
+ protected function fetch_private_cert ( $request )
+ {
+ // not implemented yet, ideas are:
+ // (1) do a lookup in a table of trusted certs keyed off of consumer
+ //
+ // either way should return a string representation of the certificate
+ throw OAuthException("OAuthSignatureMethod_RSA_SHA1::fetch_private_cert not implemented");
+ }
+
+
+ /**
+ * Calculate the signature using RSA-SHA1
+ * This function is copyright Andy Smith, 2008.
+ *
+ * @param OAuthRequest request
+ * @param string base_string
+ * @param string consumer_secret
+ * @param string token_secret
+ * @return string
+ */
+ public function signature ( $request, $base_string, $consumer_secret, $token_secret )
+ {
+ // Fetch the private key cert based on the request
+ $cert = $this->fetch_private_cert($request);
+
+ // Pull the private key ID from the certificate
+ $privatekeyid = openssl_get_privatekey($cert);
+
+ // Sign using the key
+ $sig = false;
+ $ok = openssl_sign($base_string, $sig, $privatekeyid);
+
+ // Release the key resource
+ openssl_free_key($privatekeyid);
+
+ return $request->urlencode(base64_encode($sig));
+ }
+
+
+ /**
+ * Check if the request signature is the same as the one calculated for the request.
+ *
+ * @param OAuthRequest request
+ * @param string base_string
+ * @param string consumer_secret
+ * @param string token_secret
+ * @param string signature
+ * @return string
+ */
+ public function verify ( $request, $base_string, $consumer_secret, $token_secret, $signature )
+ {
+ $decoded_sig = base64_decode($request->urldecode($signature));
+
+ // Fetch the public key cert based on the request
+ $cert = $this->fetch_public_cert($request);
+
+ // Pull the public key ID from the certificate
+ $publickeyid = openssl_get_publickey($cert);
+
+ // Check the computed signature against the one passed in the query
+ $ok = openssl_verify($base_string, $decoded_sig, $publickeyid);
+
+ // Release the key resource
+ openssl_free_key($publickeyid);
+ return $ok == 1;
+ }
+
+}
+
+/* vi:set ts=4 sts=4 sw=4 binary noeol: */
+
+?>
\ No newline at end of file
-- cgit v1.2.3
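Review bot: `fetch_public_cert()` and `fetch_private_cert()` both use `throw OAuthException(...)` without `new`, so PHP tries to call a function named OAuthException and fails with an undefined-function error instead of raising the exception; each should read `throw new OAuthException("...");` with its existing message. In `signature()` the results of `openssl_get_privatekey()` and `openssl_sign()` are ignored, so a failed signing returns the encoding of `false` (an empty signature) rather than an error; `if (!$ok) { throw new OAuthException('RSA-SHA1 signing failed'); }` placed after the key is released would surface it. Unlike the other subclasses in this commit, no `require_once` for `OAuthSignatureMethod.class.php` is visible in this file, so it appears to depend on the parent class being loaded first.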