Example #1
 /**
  * Checks that the signature carried in $params is valid by recomputing it with $association->secret.
  *
  * The format of the $params array is:
  * <code>
  * array(
  *        'openid.assoc_handle' => HANDLE,
  *        'openid.signed' => SIGNED,
  *        'openid.sig' => SIG,
  *        'openid.mode' => 'id_res'
  *      );
  * </code>
  * where HANDLE, SIGNED and SIG are parameters returned from the provider in
  * the id_res step of OpenID authentication. In addition, the $params array
  * must contain the 'openid.*' value of every field listed in SIGNED.
  *
  * @param ezcAuthenticationOpenidAssociation $association The OpenID association used for signing $params
  * @param array(string=>string) $params OpenID parameters for id_res mode
  * @return bool
  */
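 protected function checkSignatureSmart(ezcAuthenticationOpenidAssociation $association, array $params)
 {
     // openid.sig and openid.signed arrive from the provider's id_res response
     // and are untrusted. A missing or non-string value can never verify, so
     // fail closed here instead of tripping an undefined-index notice and
     // handing a non-string to the comparison below.
     if (!isset($params['openid.sig'], $params['openid.signed'])
         || !is_string($params['openid.sig'])
         || !is_string($params['openid.signed'])) {
         return false;
     }
     $sig = $params['openid.sig'];

     // Collect the signed fields in the order the provider listed them in
     // openid.signed (explode() already yields sequential keys, so no sorting
     // is needed). A listed field that is absent from $params serializes with
     // an empty value; duplicate field names collapse to one entry.
     $data = array();
     foreach (explode(',', $params['openid.signed']) as $field) {
         $data[$field] = isset($params['openid.' . $field]) ? $params['openid.' . $field] : null;
     }
     $serialized = '';
     foreach ($data as $field => $value) {
         $serialized .= "{$field}:{$value}\n";
     }

     // HMAC-SHA1 over $serialized with a 64-byte block size: a key longer than
     // one block is hashed first, then zero-padded to the block size; 0x36 is
     // the inner pad, 0x5c the outer pad.
     $key = base64_decode($association->secret);
     if (strlen($key) > 64) {
         $key = ezcAuthenticationMath::sha1($key);
     }
     $key = str_pad($key, 64, chr(0x0));
     $inner = ezcAuthenticationMath::sha1(($key ^ str_repeat(chr(0x36), 64)) . $serialized);
     $hashed = base64_encode(ezcAuthenticationMath::sha1(($key ^ str_repeat(chr(0x5c), 64)) . $inner));

     // Constant-time comparison: a plain === on an attacker-supplied signature
     // returns early at the first differing byte and leaks how much of the
     // expected value matched. Known value first, user value second.
     return hash_equals($hashed, $sig);
 }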