 /**
  * Build an Authentication_URL from its string form.
  *
  * Parsing is delegated to parseInternal(); callers must check for NULL
  * before dereferencing the result (e.g. `->host`), since a malformed
  * string yields no instance rather than an exception.
  *
  * @param string $URL_string String to parse
  * @return Authentication_URL A valid Authentication_URL instance
  * (or NULL on error)
  */
 public static function parse($URL_string)
 {
     $candidate = new Authentication_URL();
     if (!$candidate->parseInternal($URL_string)) {
         return NULL;
     }
     return $candidate;
 }
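 /**
  * Perform delegated WebID authentication relying on an Identity Provider.
  *
  * The IdP redirects the user agent back to this application with a signed
  * URL. The URL (minus its signature) is verified with the public key of the
  * IdP certificate found in the certificate repository, keyed by the host of
  * the `referer` URL.
  *
  * Trust notes for maintainers:
  *  - every query parameter read here (`error`, `sig`, `ts`, `webid`,
  *    `referer`) is attacker-controllable until the signature has verified;
  *  - `referer` selects which trusted certificate is used, so the repository
  *    must only contain IdPs allowed to assert identities for this app;
  *  - `error` short-circuits verification and is copied verbatim into
  *    `authnDiagnostic`, so that value is unauthenticated text and must be
  *    escaped before being rendered.
  *
  * @param bool $createSession Reuse/populate the PHP session; an already
  *        authenticated session short-circuits the whole check
  * @param Authentication_SignedURL $request Signed response URL (if not
  *        specified it is rebuilt from $_SERVER: scheme, host, port, URI)
  * @param Authentication_URL $referer IdP URL (if not specified taken from
  *        $_GET["referer"]; an empty URL is used when that is absent/invalid)
  * @param Authentication_X509CertRepo $certRepository Trusted IdP
  *        certificates (if not specified a default repository is used)
  * @param string $sigAlg Signature algorithm; only self::SIG_ALG_RSA_SHA1
  *        is supported
  * @param int $allowedTimeWindow Seconds of tolerance, on both sides, around
  *        the `ts` timestamp of the signed response (replay / clock-skew bound)
  */
 public function __construct($createSession = TRUE, Authentication_SignedURL $request = NULL, Authentication_URL $referer = NULL, Authentication_X509CertRepo $certRepository = NULL, $sigAlg = self::SIG_ALG_RSA_SHA1, $allowedTimeWindow = 300)
 {
     $session = null;
     if ($createSession) {
         $session = new Authentication_Session();
         if ($session->isAuthenticated) {
             // Fast path: an existing authenticated session is trusted as-is.
             $this->webid = $session->webid;
             $this->isAuthenticated = $session->isAuthenticated;
             $this->authnDiagnostic = self::STATUS_AUTH_VIA_SESSION;
             return;
         }
     }
     if (!$certRepository) {
         $certRepository = new Authentication_X509CertRepo();
     }
     if (!$request) {
         $request = Authentication_SignedURL::parse(self::currentRequestUrl());
     }

     // Parameters carried by the signed URL object win; the raw $_GET copy is
     // only the fallback default handed to getQueryParameter().
     $error = $request->getQueryParameter('error', isset($_GET["error"]) ? $_GET["error"] : null);
     $sig = $request->getQueryParameter('sig', isset($_GET["sig"]) ? $_GET["sig"] : null);
     $ts = $request->getQueryParameter('ts', isset($_GET["ts"]) ? $_GET["ts"] : null);
     $this->requestURI = $request;

     if (NULL != $referer) {
         $this->referer = $referer;
     } else {
         // Authentication_URL::parse() returns NULL on a malformed URL; fall
         // back to an empty URL so `->host` below never dereferences NULL.
         $parsedReferer = isset($_GET["referer"]) ? Authentication_URL::parse($_GET["referer"]) : null;
         $this->referer = $parsedReferer ? $parsedReferer : new Authentication_URL();
     }
     $this->ts = $ts;
     $this->webid = $request->getQueryParameter('webid', isset($_GET["webid"]) ? $_GET["webid"] : null);
     $this->allowedTimeWindow = $allowedTimeWindow;

     // A missing or unparseable timestamp is treated as expired instead of
     // letting strtotime() fail to FALSE and silently computing against epoch 0.
     $tsEpoch = ($ts === null || $ts === '') ? false : strtotime((string) $ts);
     $this->elapsedTime = ($tsEpoch === false) ? PHP_INT_MAX : time() - $tsEpoch;

     /*
      * Loads the trusted certificate of the IdP: its public key is used to
      * verify the integrity of the signed assertion. The lookup key is the
      * unauthenticated referer host, so the repository is the trust anchor.
      */
     $idpCertificate = $certRepository->getIdpCertificate($this->referer->host);
     if (!$idpCertificate) {
         $this->isAuthenticated = 0;
         $this->authnDiagnostic = self::STATUS_IDP_CERTIFICATE_MISSING;
     } elseif (isset($error)) {
         // The IdP reported an error; note $error is unverified input.
         $this->isAuthenticated = 0;
         $this->authnDiagnostic = $error;
     } elseif ($this->elapsedTime >= $this->allowedTimeWindow || $this->elapsedTime < -$this->allowedTimeWindow) {
         // Bounded on both sides: a response dated in the future must not
         // stay replayable until the clock catches up with its `ts`.
         $this->isAuthenticated = 0;
         $this->authnDiagnostic = self::STATUS_IDP_RESPONSE_TIMEOUT_ERR;
     } elseif ($sigAlg != self::SIG_ALG_RSA_SHA1) {
         // Only rsa-sha1 is supported at the moment.
         $this->isAuthenticated = 0;
         $this->authnDiagnostic = self::STATUS_UNSUPPORTED_SIGNATURE_ALG_ERR;
     } else {
         $signedInfo = $this->requestURI->urlWithoutSignature();
         // Extracts the signature
         $signature = $this->requestURI->digitalSignature();
         // TODO this fallback to the raw `sig` parameter may be removed in the future
         if (!$signature) {
             $signature = $sig;
         }
         $pubKeyId = openssl_get_publickey($idpCertificate);
         if ($pubKeyId === false) {
             // The stored certificate could not be loaded as a public key;
             // passing FALSE on to openssl_verify() would be a fatal TypeError.
             $this->isAuthenticated = 0;
             $this->authnDiagnostic = self::STATUS_OPENSSL_VERIFICATION_ERR;
         } else {
             // openssl_verify() returns 1 (match), 0 (mismatch) or -1/FALSE (error).
             $verified = openssl_verify($signedInfo, (string) $signature, $pubKeyId);
             if ($verified === 1) {
                 // The verification was successful.
                 $this->isAuthenticated = 1;
                 $this->authnDiagnostic = self::STATUS_DELEGATED_LOGIN_OK;
             } elseif ($verified === 0) {
                 // The signature didn't match.
                 $this->isAuthenticated = 0;
                 $this->authnDiagnostic = self::STATUS_SIGNATURE_VERIFICATION_ERR;
             } else {
                 // Error during the verification.
                 $this->isAuthenticated = 0;
                 $this->authnDiagnostic = self::STATUS_OPENSSL_VERIFICATION_ERR;
             }
             // No-op (deprecated) on PHP >= 8.0, kept for older runtimes.
             openssl_free_key($pubKeyId);
         }
     }

     if ($createSession) {
         if ($this->isAuthenticated) {
             $session->setAuthenticatedWebid($this->webid);
         } else {
             $session->unsetAuthenticatedWebid();
         }
     }
 }

 /**
  * Rebuild the absolute URL of the current request from $_SERVER.
  *
  * The result must match byte-for-byte what the IdP signed, so the scheme is
  * derived from HTTPS == "on" and the port is only appended when it differs
  * from the scheme default. NOTE(review): SERVER_NAME may reflect the client
  * Host header depending on web-server configuration — confirm the server
  * canonicalises it, otherwise use a configured application base URL.
  *
  * @return string Absolute URL (scheme://host[:port]/request-uri)
  */
 private static function currentRequestUrl()
 {
     $isHttps = isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on";
     $defaultPort = $isHttps ? 443 : 80;
     $portSuffix = ($_SERVER["SERVER_PORT"] != $defaultPort) ? ":" . $_SERVER["SERVER_PORT"] : "";
     return ($isHttps ? "https" : "http") . "://" . $_SERVER["SERVER_NAME"] . $portSuffix . $_SERVER["REQUEST_URI"];
 }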