<?php

/**
 * Introduces the notion of an Attribute Provider that attests and signs
 * attributes
 * Uses OpenID Signed Assertions(Sxip draft) for attesting attributes
 * PHP versions 4 and 5
 *
 * LICENSE: See the COPYING file included in this distribution.
 *
 * @package OpenID
 * @author Santosh Subramanian <subrasan@cs.sunysb.edu>
 * @author Shishir Randive <srandive@cs.sunysb.edu>
 * Stony Brook University.
 *
 */
require_once 'Auth/OpenID/SAML.php';
/**
 * The Attribute_Provider class which signs the attribute,value pair 
 * for a given openid.
 */
class Attribute_Provider
{
   private $public_key_certificate=null;
   private $private_key=null;
   private $authenticatedUser=null;
   private $notBefore=null;
   private $notOnOrAfter=null;
   private $rsadsa=null;
   private $acsURI=null;
   private $attribute=null;
   private $value=null;
   private $assertionTemplate=null;
   /**
    * Creates an Attribute_Provider object initialized with startup values.
    * @param string $public_key_certificate - The public key certificate 
	of the signer.
    * @param string $private_key - The private key of the signer.
    * @param string $notBefore - Certificate validity time 
    * @param string $notOnOrAfter - Certificate validity time
    * @param string $rsadsa - Choice of the algorithm (RSA/DSA)
    * @param string $acsURI - URI of the signer.
    * @param string $assertionTemplate - SAML template used for assertion
    */
   function Attribute_Provider($public_key_certificate,$private_key,$notBefore,$notOnOrAfter,$rsadsa,$acsURI,
                               $assertionTemplate)
   {
      $this->public_key_certificate=$public_key_certificate;
           $this->private_key=$private_key;
      $this->notBefore=$notBefore;
      $this->notOnOrAfter=$notOnOrAfter;
      $this->rsadsa=$rsadsa;
      $this->acsURI=$acsURI;
      $this->assertionTemplate=$assertionTemplate;
   }
   /**
    * Create the signed assertion.
    * @param string $openid - Openid of the entity being asserted.
    * @param string $attribute - The attribute name being asserted.
    * @param string $value - The attribute value being asserted.
    */
   function sign($openid,$attribute,$value)
   {
      $samlObj = new SAML();
      $responseXmlString = $samlObj->createSamlAssertion($openid, 
                                                         $this->notBefore, 
                                                         $this->notOnOrAfter, 
                                                         $this->rsadsa,
                                                         $this->acsURI,
                                                         $attribute,
                                                         sha1($value),
                                                      $this->assertionTemplate);
      $signedAssertion=$samlObj->signAssertion($responseXmlString,
                                               $this->private_key,
                                               $this->public_key_certificate);
      return $signedAssertion;
   }
}
/**
 * The Attribute_Verifier class which verifies the signed assertion at the Relying party.
 */
class Attribute_Verifier
{
   /**
    * The certificate the Relying party trusts.
   */
   private $rootcert;
   /**
    * This function loads the public key certificate that the relying party trusts.
    * @param string $cert - Trusted public key certificate.
    */
   function load_trusted_root_cert($cert)
   {
      $this->rootcert=$cert;
   }
   /**
    * Verifies the certificate given the SAML document.
    * @param string - signed SAML assertion
    * return @boolean - true if verification is successful, false if unsuccessful.
   */
   function verify($responseXmlString)
   {
      $samlObj = new SAML();
      $ret = $samlObj->verifyAssertion($responseXmlString,$this->rootcert);
      return $ret;
   }
}

/**
 * This is a Store Request creating class at the Attribute Provider.
 */
class AP_OP_StoreRequest
{
   /**
    * Creates store request and adds it as an extension to AuthRequest object 
      passed to it.
    * @param &Auth_OpenID_AuthRequest &$auth_request - A reference to 
      the AuthRequest object.
    * @param &Attribute_Provider &$attributeProvider - A reference to the  
      Attribute Provider object.
    * @param string $attribute - The attribute name being asserted.
    * @param string $value - The attribute value being asserted.
    * @param string $openid - Openid of the entity being asserted.
    * @return &Auth_OpenID_AuthRequest - Auth_OpenID_AuthRequest object 
                                   returned with StoreRequest extension.
   */
   static function createStoreRequest(&$auth_request,&$attributeProvider,
                                               $attribute,$value,$openid)
   {
      if(!$auth_request){
         return null;
      }
      $signedAssertion=$attributeProvider->sign($openid,$attribute,$value);
      $store_request=new Auth_OpenID_AX_StoreRequest;
      $store_request->addValue($attribute,base64_encode($value));
      $store_request->addValue($attribute.'/signature',
                                           base64_encode($signedAssertion));
      if($store_request) {
         $auth_request->addExtension($store_request);
         return $auth_request;
      }
   }
}

/*
 *This is implemented at the RP Takes care of getting the attribute from the 
 *AX_Fetch_Response object and verifying it.
 */
class RP_OP_Verify
{
   /**
    * Verifies a given signed assertion.
    * @param &Attribute_Verifier &$attributeVerifier - An instance of the class 
                                            passed for the verification.
    * @param Auth_OpenID_Response - Response object for extraction.
    * @return boolean - true if successful, false if verification fails.
    */
   function verifyAssertion(&$attributeVerifier,$response)
   {
      $ax_resp=Auth_OpenID_AX_FetchResponse::fromSuccessResponse($response);
      if($ax_resp instanceof Auth_OpenID_AX_FetchResponse){
         $ax_args=$ax_resp->getExtensionArgs();
         if($ax_args) {
            $value=base64_decode($ax_args['value.ext1.1']);
            if($attributeVerifier->verify($value)){
               return base64_decode($ax_args['value.ext0.1']);
            } else {
               return null;
            }
         } else {
            return null;
         }
      } else {
         return null;
      }
   }
}


?>