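<?php 
// Comment the following line out to test the script!
die;
error_reporting(0);
require_once "../lib/browserid.php";
// Fixed DSA key pair so the output is reproducible; the secret component ("x")
// is embedded in this script, which makes the pair usable for local testing only.
$publicKeyIdentity = AbstractPublicKey::deserialize('{"algorithm":"DS","p":"ff600483db6abfc5b45eab78594b3533d550d9f1bf2a992a7a8daa6dc34f8045ad4e6e0c429d334eeeaaefd7e23d4810be00e4cc1492cba325ba81ff2d5a5b305a8d17eb3bf4a06a349d392e00d329744a5179380344e82a18c47933438f891e22aeef812d69c8f75e326cb70ea000c3f776dfdbd604638c2ef717fc26d02e17","q":"e21e04f911d1ed7991008ecaab3bf775984309c3","g":"c52a4a0ff3b7e61fdf1867ce84138369a6154f4afa92966e3c827e25cfa6cf508b90e5de419e1337e07a2e9e2a3cd5dea704d175f8ebf6af397d69e110b96afb17c7a03259329e4829b0d03bbc7896b15b4ade53e130858cc34d96269aa89041f409136c7242a38895c9d5bccad4f389af1d7a4bd1398bd072dffa896233397a","y":"80942e74d41162e7ab30bb4a7a1e0fb0417aad0a1b55b12e0232618502a2552510d631a02a679e60787b12799215b9c35865efb4c86b56584bf85c31f886b25413dc7ef028917e9afbe35726849cfe28a43fba6cdd8e24f4575d5d582317183599c23399e90f10b7e5c0f2bcf7a37e0559dbe492a17a74a49597b0996a2b616d"}');
$secretKeyIdentity = AbstractSecretKey::deserialize('{"algorithm":"DS","p":"ff600483db6abfc5b45eab78594b3533d550d9f1bf2a992a7a8daa6dc34f8045ad4e6e0c429d334eeeaaefd7e23d4810be00e4cc1492cba325ba81ff2d5a5b305a8d17eb3bf4a06a349d392e00d329744a5179380344e82a18c47933438f891e22aeef812d69c8f75e326cb70ea000c3f776dfdbd604638c2ef717fc26d02e17","q":"e21e04f911d1ed7991008ecaab3bf775984309c3","g":"c52a4a0ff3b7e61fdf1867ce84138369a6154f4afa92966e3c827e25cfa6cf508b90e5de419e1337e07a2e9e2a3cd5dea704d175f8ebf6af397d69e110b96afb17c7a03259329e4829b0d03bbc7896b15b4ade53e130858cc34d96269aa89041f409136c7242a38895c9d5bccad4f389af1d7a4bd1398bd072dffa896233397a","x":"a8e62a39c007ab3b7fbaad2e51398c15ec4a720c"}');
echo "Usage: createBundle.php?principal=<principal>&audience=<audience>\r\n";
echo "Allowed keysizes: 64, 128, 256!\r\n";
// Both request parameters are required. Reading them with isset() avoids
// undefined-index notices, and the explicit check stops the script from
// building an assertion/certificate from empty or non-string values.
$principal = isset($_REQUEST['principal']) ? $_REQUEST['principal'] : null;
$audience = isset($_REQUEST['audience']) ? $_REQUEST['audience'] : null;
if (!is_string($principal) || $principal === '' || !is_string($audience) || $audience === '') {
    echo "Error: 'principal' and 'audience' must both be given as non-empty strings.\r\n";
    exit(1);
}
// 1. Assertion for the audience, signed with the identity's secret key.
$assertion = CertAssertion::createAssertion($audience, $secretKeyIdentity);
echo "Assertion: ";
// NOTE: var_dump() echoes the request-supplied values back verbatim into the
// page, which is why this script is kept disabled via die() above.
var_dump(WebToken::parse($assertion)->getPayload());
echo "\r\n";
// 2. Identity certificate binding the principal to the identity's public key.
$identityCert = CertAssertion::createIdentityCert($principal, $publicKeyIdentity);
echo "Identity Cert: ";
var_dump(WebToken::parse($identityCert)->getPayload());
echo "\r\n";
// 3. Bundle assertion and certificate chain into one backed assertion.
$bundle = new CertBundle($assertion, array($identityCert));
$assertion = $bundle->bundle();
echo "Bundle: ";
var_dump($assertion);
echo "\r\n";
// 4. Round-trip: the bundle must verify against the same audience.
$certAssertion = new CertAssertion($assertion, $audience);
echo "isValid: ";
var_dump($certAssertion->isValid());
?>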
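 /**
  * Gets an instance of the public key of the identity provider
  *
  * Reads and parses the certificate via Secrets::readAndParseCert() and
  * deserializes the public key found under 'public-key' (preferred) or
  * 'publicKey' (legacy spelling).
  *
  * @param optional string $name The basename of the certificate or null for default
  * @param optional string $dir The directory to the certificate or null for default
  * @return AbstractPublicKey|null The public key, or null if the certificate could not
  *         be read or contains no public key under either spelling
  */
 public static function loadPublicKey($name = null, $dir = null)
 {
     $parsedCert = Secrets::readAndParseCert($name, $dir);
     if (!$parsedCert) {
         return null;
     }
     // Look the key up with isset() instead of a truthiness test on the value:
     // the old form raised an undefined-index notice when only 'publicKey'
     // was present and silently passed null on when neither key existed.
     $pkString = null;
     if (isset($parsedCert["public-key"])) {
         $pkString = $parsedCert["public-key"];
     } elseif (isset($parsedCert["publicKey"])) {
         $pkString = $parsedCert["publicKey"];
     }
     if ($pkString === null) {
         return null;
     }
     return AbstractPublicKey::deserialize(json_encode($pkString));
 }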
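 /**
 * Well-Known document parsing
 *
 * Parses the reply of the well-known document, verifying that all needed
 * parts are contained. 'Basic Support Documents' have to implement the keys
 * 'public-key', 'authentication' and 'provisioning'. 'Delegated Support Documents'
 * only need an 'authority' entry.
 *
 * This is called recursive for delegated identity providers.
 *
 * @access public
 * @static
 * @param string $body The body of the well-known document
 * @param string $domain The domain the body belongs to
 * @param array $delegates A list of already seen domains while delegating
 * @return array Containing the string 'publicKey' (the domains public key) and the array 'urls' (with the URL of the authentification document as 'auth' and the URL of the provisioning document as 'prov')
 * @throws \Exception If the body is not a JSON object, the 'authority' entry is not a
 *         non-empty string, delegation loops or exceeds Primary::MAX_AUTHORITY_DELEGATIONS,
 *         a required key is missing, or an authentication/provisioning URL is invalid
 */
 public static function parseWellKnownBody($body, $domain, $delegates)
 {
     // json_decode() does not throw; a malformed body comes back as null and a
     // non-object body as a scalar, so both have to be rejected explicitly
     // instead of surfacing later as a misleading "missing required key".
     $v = json_decode($body, true);
     if (json_last_error() !== JSON_ERROR_NONE || !is_array($v)) {
         throw new \Exception("malformed declaration of support for '" . $domain . "'");
     }
     $want = array('public-key');
     if ($domain !== Configuration::getInstance()->get("master_idp")) {
         // TODO: This is only valid for mozillas main idp
         $want = array_merge($want, array('authentication', 'provisioning'));
     }
     // Delegated support document: follow the 'authority' entry recursively,
     // guarding against loops and an unbounded number of hops.
     if (array_key_exists('authority', $v)) {
         $dels = array_keys($delegates);
         if (isset($delegates[$domain])) {
             throw new \Exception("Circular reference in delegating authority " . json_encode($delegates));
         }
         if (sizeof($dels) > Primary::MAX_AUTHORITY_DELEGATIONS) {
             throw new \Exception("Too many hops while delegating authority " . json_encode($dels));
         }
         // The authority value comes from a remote document; only a non-empty
         // string is acceptable as the domain to fetch next.
         if (!is_string($v['authority']) || $v['authority'] === '') {
             throw new \Exception("invalid authority in declaration of support for '" . $domain . "'");
         }
         $delegates[$domain] = sizeof($dels);
         $r = Primary::getWellKnown($v['authority'], $delegates);
         return Primary::parseWellKnownBody($r["body"], $r["domain"], $r["delegates"]);
     }
     // Key presence is checked by name; the previous loose array_search()
     // matched a string key against integer keys of a JSON list on PHP < 8.
     $missing_keys = array();
     foreach ($want as $k) {
         if (!array_key_exists($k, $v)) {
             $missing_keys[] = $k;
         }
     }
     if (sizeof($missing_keys) > 0) {
         throw new \Exception("missing required key: " . join(', ', $missing_keys));
     }
     // Allow SHIMMED_PRIMARIES to change example.com into 127.0.0.1:10005
     $url_prefix = 'https://' . $domain;
     if (isset(Primary::$g_shim_cache[$domain])) {
         $url_prefix = Primary::$g_shim_cache[$domain]["origin"];
     }
     // For the master IdP these entries are optional (see $want above); a
     // missing one is treated as an empty path rather than an undefined index.
     $authPath = isset($v["authentication"]) ? $v["authentication"] : '';
     $provPath = isset($v["provisioning"]) ? $v["provisioning"] : '';
     if (!is_string($authPath) || !is_string($provPath)) {
         throw new \Exception("authentication and provisioning entries must be strings");
     }
     $urls = array("auth" => $url_prefix . $authPath, "prov" => $url_prefix . $provPath);
     // validate the urls
     if (!Utils::is_url_valid($urls["auth"])) {
         throw new \Exception("authentication url isn't valid");
     }
     if (!Utils::is_url_valid($urls["prov"])) {
         throw new \Exception("provisioning url isn't valid");
     }
     // parse the public key
     return array("publicKey" => AbstractPublicKey::fromSimpleObject($v['public-key']), "urls" => $urls);
 }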
 /**
  * Verify web token
  *
  * Checks the token's signature over "<header>.<payload>" (the two
  * base64 segments joined by a dot) with the given public key.
  *
  * @param AbstractPublicKey $key The key used to verify the webtoken
  * @return bool true, if the webtoken is valid
  */
 public function verify($key)
 {
     // The signed input is the raw header and payload segments, not the decoded JSON.
     $signedInput = $this->headerSegment . "." . $this->payloadSegment;
     $signature = $this->getSignature();
     return $key->verify($signedInput, $signature);
 }
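 /**
  * Deserialize parameters
  *
  * Creates an instance based on the parameter object. The used parameters will be removed from params.
  *
  * @access public
  * @static
  * @param array $params An array of parameters, used ones will be removed
  * @return CertParams An instance of certificate parameters
  * @throws \InvalidArgumentException If $params is not an array or lacks the
  *         'public-key' or 'principal' entry
  */
 public static function deserialize(&$params)
 {
     // Reject incomplete input up front; the old code raised undefined-index
     // notices and built a CertParams from null values instead.
     if (!is_array($params) || !isset($params["public-key"]) || !array_key_exists("principal", $params)) {
         throw new \InvalidArgumentException("certificate parameters require 'public-key' and 'principal'");
     }
     $pubKey = AbstractPublicKey::deserialize(json_encode($params["public-key"]));
     $cert_params = new CertParams($pubKey, $params["principal"]);
     // Consume the entries so the caller is left with only the unused parameters.
     unset($params["public-key"], $params["principal"]);
     return $cert_params;
 }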
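 /**
  * Deserialize key
  *
  * Deserializes the key from its JSON string form.
  *
  * @abstract
  * @access public
  * @static
  * @param string $str Serialized parmeters of the key
  * @return AbstractPublicKey
  * @throws \InvalidArgumentException If $str is not valid JSON
  */
 public static function deserialize($str)
 {
     $decoded = json_decode($str, true);
     // json_decode() reports failures via json_last_error() instead of throwing;
     // without this check a malformed string would silently become null.
     if (json_last_error() !== JSON_ERROR_NONE) {
         throw new \InvalidArgumentException("malformed serialized public key");
     }
     return AbstractPublicKey::fromSimpleObject($decoded);
 }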