ILIAS  release_4-4 Revision
All Data Structures Namespaces Files Functions Variables Modules Pages
Association.php
Go to the documentation of this file.
1 <?php
2 
20 require_once 'Auth/OpenID/CryptUtil.php';
21 
25 require_once 'Auth/OpenID/KVForm.php';
26 
30 require_once 'Auth/OpenID/HMAC.php';
31 
44 class Auth_OpenID_Association {
45 
51  var $SIG_LENGTH = 20;
52 
58  var $assoc_keys = array(
59  'version',
60  'handle',
61  'secret',
62  'issued',
63  'lifetime',
64  'assoc_type'
65  );
66 
67  var $_macs = array(
68  'HMAC-SHA1' => 'Auth_OpenID_HMACSHA1',
69  'HMAC-SHA256' => 'Auth_OpenID_HMACSHA256'
70  );
71 
97  static function fromExpiresIn($expires_in, $handle, $secret, $assoc_type)
98  {
99  $issued = time();
100  $lifetime = $expires_in;
101  return new Auth_OpenID_Association($handle, $secret,
102  $issued, $lifetime, $assoc_type);
103  }
104 
131  function Auth_OpenID_Association(
132  $handle, $secret, $issued, $lifetime, $assoc_type)
133  {
134  if (!in_array($assoc_type,
135  Auth_OpenID_getSupportedAssociationTypes(), true)) {
136  $fmt = 'Unsupported association type (%s)';
137  trigger_error(sprintf($fmt, $assoc_type), E_USER_ERROR);
138  }
139 
140  $this->handle = $handle;
141  $this->secret = $secret;
142  $this->issued = $issued;
143  $this->lifetime = $lifetime;
144  $this->assoc_type = $assoc_type;
145  }
146 
154  function getExpiresIn($now = null)
155  {
156  if ($now == null) {
157  $now = time();
158  }
159 
160  return max(0, $this->issued + $this->lifetime - $now);
161  }
162 
170  function equal($other)
171  {
172  return ((gettype($this) == gettype($other))
173  && ($this->handle == $other->handle)
174  && ($this->secret == $other->secret)
175  && ($this->issued == $other->issued)
176  && ($this->lifetime == $other->lifetime)
177  && ($this->assoc_type == $other->assoc_type));
178  }
179 
186  function serialize()
187  {
188  $data = array(
189  'version' => '2',
190  'handle' => $this->handle,
191  'secret' => base64_encode($this->secret),
192  'issued' => strval(intval($this->issued)),
193  'lifetime' => strval(intval($this->lifetime)),
194  'assoc_type' => $this->assoc_type
195  );
196 
197  assert(array_keys($data) == $this->assoc_keys);
198 
199  return Auth_OpenID_KVForm::fromArray($data, $strict = true);
200  }
201 
209  static function deserialize($class_name, $assoc_s)
210  {
211  $pairs = Auth_OpenID_KVForm::toArray($assoc_s, $strict = true);
212  $keys = array();
213  $values = array();
214  foreach ($pairs as $key => $value) {
215  if (is_array($value)) {
216  list($key, $value) = $value;
217  }
218  $keys[] = $key;
219  $values[] = $value;
220  }
221 
222  $class_vars = get_class_vars($class_name);
223  $class_assoc_keys = $class_vars['assoc_keys'];
224 
225  sort($keys);
226  sort($class_assoc_keys);
227 
228  if ($keys != $class_assoc_keys) {
229  trigger_error('Unexpected key values: ' . var_export($keys, true),
230  E_USER_WARNING);
231  return null;
232  }
233 
234  $version = $pairs['version'];
235  $handle = $pairs['handle'];
236  $secret = $pairs['secret'];
237  $issued = $pairs['issued'];
238  $lifetime = $pairs['lifetime'];
239  $assoc_type = $pairs['assoc_type'];
240 
241  if ($version != '2') {
242  trigger_error('Unknown version: ' . $version, E_USER_WARNING);
243  return null;
244  }
245 
246  $issued = intval($issued);
247  $lifetime = intval($lifetime);
248  $secret = base64_decode($secret);
249 
250  return new $class_name(
251  $handle, $secret, $issued, $lifetime, $assoc_type);
252  }
253 
263  function sign($pairs)
264  {
265  $kv = Auth_OpenID_KVForm::fromArray($pairs);
266 
267  /* Invalid association types should be caught at constructor */
268  $callback = $this->_macs[$this->assoc_type];
269 
270  return call_user_func_array($callback, array($this->secret, $kv));
271  }
272 
283  function signMessage($message)
284  {
285  if ($message->hasKey(Auth_OpenID_OPENID_NS, 'sig') ||
286  $message->hasKey(Auth_OpenID_OPENID_NS, 'signed')) {
287  // Already has a sig
288  return null;
289  }
290 
291  $extant_handle = $message->getArg(Auth_OpenID_OPENID_NS,
292  'assoc_handle');
293 
294  if ($extant_handle && ($extant_handle != $this->handle)) {
295  // raise ValueError("Message has a different association handle")
296  return null;
297  }
298 
299  $signed_message = $message;
300  $signed_message->setArg(Auth_OpenID_OPENID_NS, 'assoc_handle',
301  $this->handle);
302 
303  $message_keys = array_keys($signed_message->toPostArgs());
304  $signed_list = array();
305  $signed_prefix = 'openid.';
306 
307  foreach ($message_keys as $k) {
308  if (strpos($k, $signed_prefix) === 0) {
309  $signed_list[] = substr($k, strlen($signed_prefix));
310  }
311  }
312 
313  $signed_list[] = 'signed';
314  sort($signed_list);
315 
316  $signed_message->setArg(Auth_OpenID_OPENID_NS, 'signed',
317  implode(',', $signed_list));
318  $sig = $this->getMessageSignature($signed_message);
319  $signed_message->setArg(Auth_OpenID_OPENID_NS, 'sig', $sig);
320  return $signed_message;
321  }
322 
330  function _makePairs($message)
331  {
332  $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed');
333  if (!$signed || Auth_OpenID::isFailure($signed)) {
334  // raise ValueError('Message has no signed list: %s' % (message,))
335  return null;
336  }
337 
338  $signed_list = explode(',', $signed);
339  $pairs = array();
340  $data = $message->toPostArgs();
341  foreach ($signed_list as $field) {
342  $pairs[] = array($field, Auth_OpenID::arrayGet($data,
343  'openid.' .
344  $field, ''));
345  }
346  return $pairs;
347  }
348 
355  function getMessageSignature($message)
356  {
357  $pairs = $this->_makePairs($message);
358  return base64_encode($this->sign($pairs));
359  }
360 
367  function checkMessageSignature($message)
368  {
369  $sig = $message->getArg(Auth_OpenID_OPENID_NS,
370  'sig');
371 
372  if (!$sig || Auth_OpenID::isFailure($sig)) {
373  return false;
374  }
375 
376  $calculated_sig = $this->getMessageSignature($message);
377  return $calculated_sig == $sig;
378  }
379 }
380 
381 function Auth_OpenID_getSecretSize($assoc_type)
382 {
383  if ($assoc_type == 'HMAC-SHA1') {
384  return 20;
385  } else if ($assoc_type == 'HMAC-SHA256') {
386  return 32;
387  } else {
388  return null;
389  }
390 }
391 
392 function Auth_OpenID_getAllAssociationTypes()
393 {
394  return array('HMAC-SHA1', 'HMAC-SHA256');
395 }
396 
397 function Auth_OpenID_getSupportedAssociationTypes()
398 {
399  $a = array('HMAC-SHA1');
400 
401  if (Auth_OpenID_HMACSHA256_SUPPORTED) {
402  $a[] = 'HMAC-SHA256';
403  }
404 
405  return $a;
406 }
407 
408 function Auth_OpenID_getSessionTypes($assoc_type)
409 {
410  $assoc_to_session = array(
411  'HMAC-SHA1' => array('DH-SHA1', 'no-encryption'));
412 
413  if (Auth_OpenID_HMACSHA256_SUPPORTED) {
414  $assoc_to_session['HMAC-SHA256'] =
415  array('DH-SHA256', 'no-encryption');
416  }
417 
418  return Auth_OpenID::arrayGet($assoc_to_session, $assoc_type, array());
419 }
420 
421 function Auth_OpenID_checkSessionType($assoc_type, $session_type)
422 {
423  if (!in_array($session_type,
424  Auth_OpenID_getSessionTypes($assoc_type))) {
425  return false;
426  }
427 
428  return true;
429 }
430 
431 function Auth_OpenID_getDefaultAssociationOrder()
432 {
433  $order = array();
434 
435  if (!Auth_OpenID_noMathSupport()) {
436  $order[] = array('HMAC-SHA1', 'DH-SHA1');
437 
438  if (Auth_OpenID_HMACSHA256_SUPPORTED) {
439  $order[] = array('HMAC-SHA256', 'DH-SHA256');
440  }
441  }
442 
443  $order[] = array('HMAC-SHA1', 'no-encryption');
444 
445  if (Auth_OpenID_HMACSHA256_SUPPORTED) {
446  $order[] = array('HMAC-SHA256', 'no-encryption');
447  }
448 
449  return $order;
450 }
451 
452 function Auth_OpenID_getOnlyEncryptedOrder()
453 {
454  $result = array();
455 
456  foreach (Auth_OpenID_getDefaultAssociationOrder() as $pair) {
457  list($assoc, $session) = $pair;
458 
459  if ($session != 'no-encryption') {
460  if (Auth_OpenID_HMACSHA256_SUPPORTED &&
461  ($assoc == 'HMAC-SHA256')) {
462  $result[] = $pair;
463  } else if ($assoc != 'HMAC-SHA256') {
464  $result[] = $pair;
465  }
466  }
467  }
468 
469  return $result;
470 }
471 
472 function Auth_OpenID_getDefaultNegotiator()
473 {
474  return new Auth_OpenID_SessionNegotiator(
475  Auth_OpenID_getDefaultAssociationOrder());
476 }
477 
478 function Auth_OpenID_getEncryptedNegotiator()
479 {
480  return new Auth_OpenID_SessionNegotiator(
481  Auth_OpenID_getOnlyEncryptedOrder());
482 }
483 
525 class Auth_OpenID_SessionNegotiator {
526  function Auth_OpenID_SessionNegotiator($allowed_types)
527  {
528  $this->allowed_types = array();
529  $this->setAllowedTypes($allowed_types);
530  }
531 
538  function setAllowedTypes($allowed_types)
539  {
540  foreach ($allowed_types as $pair) {
541  list($assoc_type, $session_type) = $pair;
542  if (!Auth_OpenID_checkSessionType($assoc_type, $session_type)) {
543  return false;
544  }
545  }
546 
547  $this->allowed_types = $allowed_types;
548  return true;
549  }
550 
558  function addAllowedType($assoc_type, $session_type = null)
559  {
560  if ($this->allowed_types === null) {
561  $this->allowed_types = array();
562  }
563 
564  if ($session_type === null) {
565  $available = Auth_OpenID_getSessionTypes($assoc_type);
566 
567  if (!$available) {
568  return false;
569  }
570 
571  foreach ($available as $session_type) {
572  $this->addAllowedType($assoc_type, $session_type);
573  }
574  } else {
575  if (Auth_OpenID_checkSessionType($assoc_type, $session_type)) {
576  $this->allowed_types[] = array($assoc_type, $session_type);
577  } else {
578  return false;
579  }
580  }
581 
582  return true;
583  }
584 
585  // Is this combination of association type and session type allowed?
586  function isAllowed($assoc_type, $session_type)
587  {
588  $assoc_good = in_array(array($assoc_type, $session_type),
589  $this->allowed_types);
590 
591  $matches = in_array($session_type,
592  Auth_OpenID_getSessionTypes($assoc_type));
593 
594  return ($assoc_good && $matches);
595  }
596 
601  function getAllowedType()
602  {
603  if (!$this->allowed_types) {
604  return array(null, null);
605  }
606 
607  return $this->allowed_types[0];
608  }
609 }
610 
Auth_OpenID_getDefaultNegotiator
Auth_OpenID_getDefaultNegotiator()
Definition: Association.php:472
Auth_OpenID_SessionNegotiator\setAllowedTypes
setAllowedTypes($allowed_types)
Set the allowed association types, checking to make sure each combination is valid.
Definition: Association.php:538
Auth_OpenID_KVForm\toArray
static toArray($kvs, $strict=false)
Convert an OpenID colon/newline separated string into an associative array.
Definition: KVForm.php:29
Auth_OpenID_OPENID_NS
const Auth_OpenID_OPENID_NS
Definition: Message.php:42
Auth_OpenID_Association\_makePairs
_makePairs($message)
Given a Auth_OpenID_Message, return the key/value pairs to be signed according to the signed list in ...
Definition: Association.php:330
$result
$result
Definition: CleanUpTest.php:407
Auth_OpenID_getAllAssociationTypes
Auth_OpenID_getAllAssociationTypes()
Definition: Association.php:392
Auth_OpenID_Association\fromExpiresIn
static fromExpiresIn($expires_in, $handle, $secret, $assoc_type)
This is an alternate constructor (factory method) used by the OpenID consumer library to create assoc...
Definition: Association.php:97
Auth_OpenID_getOnlyEncryptedOrder
Auth_OpenID_getOnlyEncryptedOrder()
Definition: Association.php:452
Auth_OpenID_Association\$SIG_LENGTH
$SIG_LENGTH
This is a HMAC-SHA1 specific value.
Definition: Association.php:51
Auth_OpenID_SessionNegotiator\isAllowed
isAllowed($assoc_type, $session_type)
Definition: Association.php:586
Auth_OpenID_KVForm\fromArray
static fromArray($values)
Convert an array into an OpenID colon/newline separated string.
Definition: KVForm.php:81
Auth_OpenID_Association\sign
sign($pairs)
Generate a signature for a sequence of (key, value) pairs.
Definition: Association.php:263
Auth_OpenID_getSecretSize
Auth_OpenID_getSecretSize($assoc_type)
Definition: Association.php:381
Auth_OpenID_Association\getExpiresIn
getExpiresIn($now=null)
This returns the number of seconds this association is still valid for, or 0 if the association is no...
Definition: Association.php:154
Auth_OpenID_Association\checkMessageSignature
checkMessageSignature($message)
Confirm that the signature of these fields matches the signature contained in the data...
Definition: Association.php:367
Auth_OpenID_Association\$_macs
$_macs
Definition: Association.php:67
Auth_OpenID_getSupportedAssociationTypes
Auth_OpenID_getSupportedAssociationTypes()
Definition: Association.php:397
Auth_OpenID_Association\deserialize
static deserialize($class_name, $assoc_s)
Parse an association as stored by serialize().
Definition: Association.php:209
Auth_OpenID_Association\Auth_OpenID_Association
Auth_OpenID_Association( $handle, $secret, $issued, $lifetime, $assoc_type)
This is the standard constructor for creating an association.
Definition: Association.php:131
Auth_OpenID_Association\getMessageSignature
getMessageSignature($message)
Given an Auth_OpenID_Message, return the signature for the signed list in the message.
Definition: Association.php:355
Auth_OpenID_Association\signMessage
signMessage($message)
Generate a signature for some fields in a dictionary.
Definition: Association.php:283
$data
while($lm_rec=$ilDB->fetchAssoc($lm_set)) $data
Definition: storeScorm2004.php:35
Auth_OpenID\arrayGet
static arrayGet($arr, $key, $fallback=null)
Convenience function for getting array values.
Definition: OpenID.php:242
Auth_OpenID_SessionNegotiator\addAllowedType
addAllowedType($assoc_type, $session_type=null)
Add an association type and session type to the allowed types list.
Definition: Association.php:558
Auth_OpenID_Association
Definition: Association.php:44
Auth_OpenID_Association\equal
equal($other)
This checks to see if two Auth_OpenID_Association instances represent the same association.
Definition: Association.php:170
Auth_OpenID_getDefaultAssociationOrder
Auth_OpenID_getDefaultAssociationOrder()
Definition: Association.php:431
Auth_OpenID_SessionNegotiator\getAllowedType
getAllowedType()
Get a pair of assocation type and session type that are supported.
Definition: Association.php:601
Auth_OpenID\isFailure
static isFailure($thing)
Return true if $thing is an Auth_OpenID_FailureResponse object; false if not.
Definition: OpenID.php:118
Auth_OpenID_Association\serialize
serialize()
Convert an association to KV form.
Definition: Association.php:186
Auth_OpenID_getSessionTypes
Auth_OpenID_getSessionTypes($assoc_type)
Definition: Association.php:408
Auth_OpenID_Association\$assoc_keys
$assoc_keys
The ordering and name of keys as stored by serialize.
Definition: Association.php:58
Auth_OpenID_SessionNegotiator
Definition: Association.php:525
Auth_OpenID_SessionNegotiator\Auth_OpenID_SessionNegotiator
Auth_OpenID_SessionNegotiator($allowed_types)
Definition: Association.php:526
Auth_OpenID_noMathSupport
Auth_OpenID_noMathSupport()
Definition: BigMath.php:447
Auth_OpenID_checkSessionType
Auth_OpenID_checkSessionType($assoc_type, $session_type)
Definition: Association.php:421
Auth_OpenID_getEncryptedNegotiator
Auth_OpenID_getEncryptedNegotiator()
Definition: Association.php:478