/**
  * @param $type
  * @param $mac_function
  * @param $lifetime
  * @param $realm
  * @return IAssociation
  */
 private function buildAssociation($type, $mac_function, $lifetime, $realm)
 {
     $new_secret = OpenIdCryptoHelper::generateSecret($mac_function);
     $new_handle = AssocHandleGenerator::generate();
     $expires_in = intval($lifetime);
     $issued = gmdate("Y-m-d H:i:s", time());
     return new Association($new_handle, $new_secret, $mac_function, $expires_in, $issued, $type, $realm);
 }
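 /**
  * The request class's DH constants must decode to the expected default
  * generator and modulus.
  *
  * assertEquals() replaces assertTrue($a == $b): on failure the actual value is
  * reported, and two string operands are compared character by character rather
  * than through PHP's numeric-string comparison.
  */
 public function testDefaultDHParams()
 {
     // constants are hex strings: hex -> binary -> decimal "number" format
     $g_bin = pack('H*', OpenIdDHAssociationSessionRequest::DH_G);
     $p_bin = pack('H*', OpenIdDHAssociationSessionRequest::DH_P);
     $g_number = OpenIdCryptoHelper::convert($g_bin, DiffieHellman::FORMAT_BINARY, DiffieHellman::FORMAT_NUMBER);
     $p_number = OpenIdCryptoHelper::convert($p_bin, DiffieHellman::FORMAT_BINARY, DiffieHellman::FORMAT_NUMBER);
     $this->assertEquals('2', $g_number);
     $this->assertEquals(
         '155172898181473697471232257763715539915724801966915404479707795314057629378541917580651227423698188993727816152646631438561595825688188889951272158842675419950341258706556549803580104870537681476726513255747040765857479291291572334510643245094715007229621094194349783925984760375594985848253359305585439638443',
         $p_number
     );
 }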
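 /**
  * Signs a positive assertion: builds the comma-separated "signed" field list and
  * the key-value payload, computes the HMAC with $macAlg/$secret, and stores both
  * the list and the base64 signature on $response.
  *
  * Only parameters whose name starts with "openid." are signed. The prefix is
  * stripped in the field list and in the payload, which is one "field:value\n"
  * line per field followed by the "signed" field itself.
  *
  * @param ResponseContext $context supplies the parameter names to sign
  * @param string $macAlg MAC algorithm handed to OpenIdCryptoHelper::computeHMAC
  * @param string $secret association secret used as the HMAC key
  * @param OpenIdPositiveAssertionResponse $response read through array access, updated in place
  */
 public static function build(ResponseContext $context, $macAlg, $secret, OpenIdPositiveAssertionResponse &$response)
 {
     $prefix = 'openid.';
     $signed_fields = array();
     $data = '';
     foreach ($context->getSignParams() as $key) {
         // strict comparison: strpos() returns false for a key without the prefix
         // and `false == 0` is true, so a loose check would sign (and mis-truncate)
         // parameters that do not carry the prefix at all
         if (strpos($key, $prefix) !== 0) {
             continue;
         }
         $field = substr($key, strlen($prefix));
         $signed_fields[] = $field;
         $data .= $field . ':' . $response[$key] . "\n";
     }
     // the "signed" field is always the last entry and is itself covered by the signature
     $signed = implode(',', $signed_fields) . ',signed';
     $data .= 'signed:' . $signed . "\n";
     $sig = base64_encode(OpenIdCryptoHelper::computeHMAC($macAlg, $data, $secret));
     $response->setSigned($signed);
     $response->setSig($sig);
 }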
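 /**
  * Handles an OpenID association request that uses a Diffie-Hellman session:
  * completes the DH exchange with the RP, creates and stores a new association,
  * and returns its handle together with the MAC key masked (XOR) by the hashed
  * shared secret.
  *
  * The DH exchange runs before the association is stored, so an association is
  * only persisted once the request's DH parameters have been accepted; the
  * successful response is unchanged by this ordering.
  *
  * InvalidDHParam, InvalidArgumentException and RuntimeException are logged and
  * turned into a direct error response carrying the exception message.
  *
  * @return null|OpenIdDirectGenericErrorResponse|\openid\responses\OpenIdAssociationSessionResponse|OpenIdDiffieHellmanAssociationSessionResponse
  */
 public function handle()
 {
     $response = null;
     try {
         $assoc_type = $this->current_request->getAssocType();
         $session_type = $this->current_request->getSessionType();
         // DH parameters from the request: modulus p, generator g and the RP's
         // public value g ^ xa mod p (xa being the RP's private key)
         $public_prime = $this->current_request->getDHModulus();
         $public_generator = $this->current_request->getDHGen();
         $rp_public_key = $this->current_request->getDHConsumerPublic();
         // complete the DH side first: if the parameters are rejected here no
         // orphan association is left behind in the store
         $dh = new DiffieHellman($public_prime, $public_generator);
         $dh->generateKeys();
         // shared secret: g ^ (xa * xb) mod p = (g ^ xa) ^ xb mod p, xb = server private key
         $shared_secret = $dh->computeSecretKey($rp_public_key, DiffieHellman::FORMAT_NUMBER, DiffieHellman::FORMAT_BTWOC);
         $hashed_shared_secret = OpenIdCryptoHelper::digest($session_type, $shared_secret);
         // server public value g ^ xb mod p, btwoc-encoded and base64 for the wire
         $server_public_key = base64_encode($dh->getPublicKey(DiffieHellman::FORMAT_BTWOC));
         // create and store the association only after the DH exchange succeeded
         $association = $this->association_service->addAssociation(
             AssociationFactory::getInstance()->buildSessionAssociation(
                 $assoc_type,
                 $this->server_configuration_service->getConfigValue("Session.Association.Lifetime")
             )
         );
         // enc_mac_key = MAC key XOR H(shared secret). PHP's string XOR truncates to
         // the shorter operand, so the secret must be as long as the digest —
         // NOTE(review): assumed to be guaranteed by the secret generator, confirm
         $enc_mac_key = base64_encode($association->getSecret() ^ $hashed_shared_secret);
         $response = new OpenIdDiffieHellmanAssociationSessionResponse(
             $association->getHandle(),
             $session_type,
             $assoc_type,
             $association->getLifetime(),
             $server_public_key,
             $enc_mac_key
         );
     } catch (InvalidDHParam $exDH) {
         $response = new OpenIdDirectGenericErrorResponse($exDH->getMessage());
         $this->log_service->error($exDH);
     } catch (InvalidArgumentException $exDH1) {
         $response = new OpenIdDirectGenericErrorResponse($exDH1->getMessage());
         $this->log_service->error($exDH1);
     } catch (RuntimeException $exDH2) {
         // NOTE(review): the raw exception message is sent back to the RP; for a
         // generic RuntimeException it may describe internal state — a fixed
         // message here, with the detail kept in the log, would be safer
         $response = new OpenIdDirectGenericErrorResponse($exDH2->getMessage());
         $this->log_service->error($exDH2);
     }
     return $response;
 }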
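 /**
  * End to end: a DH-SHA256 association request, then a checkid_setup request
  * under the "allow once" authorization decision that must redirect with a
  * signed positive assertion carrying every expected field.
  *
  * Uses assertSame/assertArrayHasKey/assertNotEmpty instead of assertTrue over
  * a boolean expression so a failing assertion reports the offending value.
  */
 public function testAuthenticationSetupModeSessionAssociationDHSha256()
 {
     // RP public DH value ($this->public) in btwoc form, base64 for the wire
     $b64_public = base64_encode(OpenIdCryptoHelper::convert($this->public, DiffieHellman::FORMAT_NUMBER, DiffieHellman::FORMAT_BTWOC));
     $this->assertSame('AIUmVPMheb/hEupD5m6veEEstnBVteyZPy+mlYX7ygxygLG/XuHFa8q4lZERJ9u1DNFOpXHRDq5RbjsaUYRDOtyrbkGbeKo5tPqjsynjXtoMAItxkxCU4jpQLvH85P+u7DeA0h3kKNHFa90ijZTIGSSDRF5wW9N+QPCUCt4G4xWZ', $b64_public);

     // step 1: associate (DH-SHA256 session, HMAC-SHA256 association)
     $assoc_params = array(
         OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_NS) => OpenIdProtocol::OpenID2MessageType,
         OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Mode) => OpenIdProtocol::AssociateMode,
         OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_AssocType) => OpenIdProtocol::SignatureAlgorithmHMAC_SHA256,
         OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_SessionType) => OpenIdProtocol::AssociationSessionTypeDHSHA256,
         OpenIdProtocol::param(OpenIdProtocol::OpenIdProtocol_DHConsumerPublic) => $b64_public,
     );
     $response = $this->action("POST", "OpenIdProviderController@endpoint", $assoc_params);
     $this->assertResponseStatus(200);
     $assoc_response = $this->getOpenIdResponseLineBreak($response->getContent());
     $this->assertArrayHasKey('ns', $assoc_response);
     $this->assertSame(OpenIdProtocol::OpenID2MessageType, $assoc_response['ns']);
     $this->assertArrayHasKey('assoc_type', $assoc_response);
     $this->assertSame(OpenIdProtocol::SignatureAlgorithmHMAC_SHA256, $assoc_response['assoc_type']);
     $this->assertArrayHasKey('session_type', $assoc_response);
     $this->assertSame(OpenIdProtocol::AssociationSessionTypeDHSHA256, $assoc_response['session_type']);
     // present and not null (same condition isset() expresses)
     foreach (array('assoc_handle', 'dh_server_public', 'enc_mac_key', 'expires_in') as $field) {
         $this->assertArrayHasKey($field, $assoc_response);
         $this->assertNotNull($assoc_response[$field], "associate response lacks '{$field}'");
     }

     // step 2: checkid_setup with the association handle, auto-approved once
     Session::set("openid.authorization.response", IAuthService::AuthorizationResponse_AllowOnce);
     $setup_params = array(
         OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_NS) => OpenIdProtocol::OpenID2MessageType,
         OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Mode) => OpenIdProtocol::SetupMode,
         OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Realm) => "https://www.test.com/",
         OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_ReturnTo) => "https://www.test.com/oauth2",
         OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Identity) => "http://specs.openid.net/auth/2.0/identifier_select",
         OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_ClaimedId) => "http://specs.openid.net/auth/2.0/identifier_select",
         OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_AssocHandle) => $assoc_response['assoc_handle'],
     );
     $response = $this->action("POST", "OpenIdProviderController@endpoint", $setup_params);
     $this->assertResponseStatus(302);
     $assertion = $this->parseOpenIdResponse($response->getTargetUrl());
     // every field of the positive assertion must be present and non-empty
     $expected_fields = array(
         OpenIdProtocol::OpenIDProtocol_Mode,
         OpenIdProtocol::OpenIDProtocol_NS,
         OpenIdProtocol::OpenIDProtocol_ReturnTo,
         OpenIdProtocol::OpenIDProtocol_Sig,
         OpenIdProtocol::OpenIDProtocol_Signed,
         OpenIdProtocol::OpenIDProtocol_Realm,
         OpenIdProtocol::OpenIDProtocol_OpEndpoint,
         OpenIdProtocol::OpenIDProtocol_Identity,
         OpenIdProtocol::OpenIDProtocol_ClaimedId,
     );
     foreach ($expected_fields as $field) {
         $param = OpenIdProtocol::param($field);
         $this->assertArrayHasKey($param, $assertion);
         $this->assertNotEmpty($assertion[$param], "positive assertion lacks '{$param}'");
     }
 }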
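 /**
  * Returns the RP's DH public value (the openid.dh_consumer_public parameter) in
  * decimal "number" format, decoding it from base64 on first access and caching
  * the result on the instance.
  *
  * The parameter is untrusted request input: base64 is decoded in strict mode so
  * characters outside the base64 alphabet are rejected rather than silently
  * dropped, and an empty decoding is rejected too. No range check of the value
  * against the modulus is performed here.
  *
  * @return null|string
  * @throws \openid\exceptions\InvalidDHParam when the parameter is missing, empty or not valid base64
  */
 public function getDHConsumerPublic()
 {
     if ($this->rp_pub_key === null) {
         $rp_pub_key_param = $this->getParam(OpenIdProtocol::OpenIdProtocol_DHConsumerPublic);
         if (empty($rp_pub_key_param)) {
             throw new InvalidDHParam(sprintf(OpenIdErrorMessages::InvalidDHParamMessage, OpenIdProtocol::OpenIdProtocol_DHConsumerPublic));
         }
         // strict decoding returns false on any invalid character; compare with
         // `=== false` rather than `!` so a decoded value of "0" is not rejected
         $rp_pub_key_bin = base64_decode($rp_pub_key_param, true);
         if ($rp_pub_key_bin === false || $rp_pub_key_bin === '') {
             throw new InvalidDHParam(sprintf(OpenIdErrorMessages::InvalidDHParamMessage, OpenIdProtocol::OpenIdProtocol_DHConsumerPublic));
         }
         $this->rp_pub_key = OpenIdCryptoHelper::convert($rp_pub_key_bin, DiffieHellman::FORMAT_BINARY, DiffieHellman::FORMAT_NUMBER);
     }
     return $this->rp_pub_key;
 }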