/** * Creates an association for OpenID versions 1 and 2. * * This function calls {@link DiffieHellman::associateAsServer()} where required, to * generate the cryptographic values required for an association response. * * @param int $mode either ASSOCIATION_SHARED or ASSOCIATION_PRIVATE * @param string $assoc_type a valid OpenID association type * @link http://openid.net/specs/openid-authentication-1_1.html#anchor14, http://openid.net/specs/openid-authentication-2_0.html#anchor20 */ function __construct($mode = self::ASSOCIATION_SHARED, $assoc_type = 'HMAC-SHA1') { $rand = new Random(); $assoc_types = self::getAssociationTypes(); $this->assoc_handle = $rand->id(); $this->assoc_type = $assoc_type; $mac_size = $assoc_types[$assoc_type]['mac_size']; $this->mac_key = base64_encode($rand->bytes($mac_size)); $this->created = time(); if ($mode == self::ASSOCIATION_PRIVATE) { $this->private = true; } }
/** * Creates a auto login cookie. The login cookie will be based on the * current log in user. * * @param string $id the ID of the series of auto login cookies, Cookies * belonging to the same user and computer have the same ID. If none is specified, * one will be generated * @param int $expires the time at which the cookie will expire. If none is specified * the time specified in {@link SIMPLEID_REMEMBERME_EXPIRES_IN} will be * used * */ protected function createCookie($id = NULL, $expires = NULL) { $user = $this->auth->getUser(); $rand = new Random(); if ($expires == NULL) { $this->logger->log(LogLevel::DEBUG, 'Automatic login token created for ' . $user['uid']); } else { $this->logger->log(LogLevel::DEBUG, 'Automatic login token renewed for ' . $user['uid']); } if ($id == NULL) { $id = $rand->id(); } if ($expires == NULL) { $expires = time() + SIMPLEID_LONG_TOKEN_EXPIRES_IN; } $data = array('typ' => 'rememberme', 'id' => $id, 'uid' => $user['uid'], 'exp' => $expires, 'uaid' => $this->auth->assignUAID()); $token = new SecurityToken(); $cookie = $token->generate($data); $this->f3->set('COOKIE.' . $this->cookie_name, $cookie, SIMPLEID_LONG_TOKEN_EXPIRES_IN); }
/** * Detects the current installed version of SimpleID, selects the individual upgrade * functions applicable to this upgrade and displays the upgrade * selection page. */ function select() { global $upgrade_access_check; $token = new SecurityToken(); if ($this->f3->exists('POST.tk') === false || !$token->verify($this->f3->get('POST.tk'), 'upgrade_info')) { $this->f3->set('message', $this->t('SimpleID detected a potential security attack. Please try again.')); $this->info(); return; } $tpl = new \Template(); $cache = \Cache::instance(); $cache->reset('.upgrade'); $list = $this->getUpgradeList(); if (count($list) == 0) { $this->f3->set('script_complete', $this->t('Your SimpleID installation is up-to-date. This script is complete.')); } else { $rand = new Random(); $upgid = $rand->id(); $cache->set($upgid . '.upgrade', array('list' => $list, 'results' => '')); $this->f3->set('upgid', $upgid); $this->f3->set('tk', $token->generate('upgrade_selection', SecurityToken::OPTION_BIND_SESSION)); $this->f3->set('click_continue', $this->t('Click <strong>Continue</strong> to proceed with the upgrade.')); $this->f3->set('continue_button', $this->t('Continue')); } $this->f3->set('original_version', $this->getVersion()); $this->f3->set('this_version', SIMPLEID_VERSION); $this->f3->set('version_detected', $this->t('The version of SimpleID you are updating from has been automatically detected.')); $this->f3->set('original_version_label', $this->t('Original version')); $this->f3->set('this_version_label', $this->t('Upgrade version')); $this->f3->set('edit_upgrade_php', $this->t('Remember to edit upgrade.php to check <code>$upgrade_access_check</code> back to <code>FALSE</code>.')); $this->f3->set('title', $this->t('Upgrade')); $this->f3->set('page_class', 'dialog-page'); $this->f3->set('layout', 'upgrade_selection.html'); print $tpl->render('page.html'); }
/** * Registration endpoint */ public function register() { $rand = new Random(); $response = new Response(); $this->checkHttps('error'); $this->logger->log(LogLevel::DEBUG, 'SimpleID\\Protocols\\Connect\\ConnectClientRegistrationModule->register'); // Access token OR rate limit if (!$this->isTokenAuthorized(self::CLIENT_REGISTRATION_INIT_SCOPE)) { $limiter = new RateLimiter('connect_register'); if (!$limiter->throttle()) { header('Retry-After: ' . $limiter->getInterval()); // We never display a log for rate limit errors $response->setError('invalid_request', 'client has been blocked from making further requests')->renderJSON(429); return; } } if (!$this->f3->exists('BODY')) { $response->setError('invalid_request')->renderJSON(); return; } $request = json_decode($this->f3->get('BODY'), true); if ($request == null) { $response->setError('invalid_request', 'unable to parse body')->renderJSON(); return; } if (!isset($request['redirect_uris'])) { $response->setError('invalid_redirect_uri', 'redirect_uris missing')->renderJSON(); return; } // Verify redirect_uri based on application_type $application_type = isset($request['application_type']) ? $request['application_type'] : 'web'; $grant_types = isset($request['grant_types']) ? $request['grant_types'] : array('authorization_code'); foreach ($request['redirect_uris'] as $redirect_uri) { $parts = parse_url($redirect_uri); if (isset($parts['fragment'])) { $response->setError('invalid_redirect_uri', 'redirect_uris cannot contain a fragment')->renderJSON(); return; } if ($application_type == 'web' && in_array('implicit', $grant_types)) { if (strtolower($parts['scheme']) != 'https' || strtolower($parts['host']) == 'localhost' && $parts['host'] == '127.0.0.1') { $response->setError('invalid_redirect_uri', 'implicit grant type must use https URIs')->renderJSON(); return; } } elseif ($application_type == 'native') { // Native Clients MUST only register redirect_uris using custom URI schemes or URLs using the http: scheme with localhost as the hostname. // Authorization Servers MAY place additional constraints on Native Clients. // Authorization Servers MAY reject Redirection URI values using the http scheme, other than the localhost case for Native Clients. // The Authorization Server MUST verify that all the registered redirect_uris conform to these constraints. This prevents sharing a Client ID across different types of Clients. if (strtolower($parts['scheme']) == 'http' && (strtolower($parts['host']) != 'localhost' || $parts['host'] != '127.0.0.1') || strtolower($parts['scheme']) == 'https') { $response->setError('invalid_redirect_uri', 'native clients cannot use https URIs')->renderJSON(); return; } } } // Verify sector_identifier_url $subject_type = isset($request['subject_type']) ? $request['subject_type'] : 'public'; if (isset($request['sector_identifier_uri'])) { if (!$this->verifySectorIdentifier($request['sector_identifier_uri'], $request['redirect_uris'])) { $response->setError('invalid_client_metadata', 'cannot verify sector_identifier_uri')->renderJSON(); return; } } $client = new ConnectDynamicClient(); $client_id = $client->getStoreID(); // Map data foreach ($request as $name => $value) { $parts = explode('#', $name, 2); $client_path = isset(self::$metadata_map[$parts[0]]) ? self::$metadata_map[$parts[0]] : 'connect.' . $parts[0]; if (isset($parts[1])) { $client_path .= '#' . $locale; } $client->pathSet($client_path, $value); } $client->fetchJWKs(); $response->loadData($request); $response->loadData(array('client_id' => $client->getStoreID(), 'registration_client_uri' => $this->getCanonicalURL('connect/client/' . $client->getStoreID()), 'client_id_issued_at' => time())); if ($client['oauth']['token_endpoint_auth_method'] != 'none') { $client->pathSet('oauth.client_secret', $rand->secret()); $response['client_secret'] = $client['oauth']['client_secret']; $response['client_secret_expires_at'] = 0; } $store = StoreManager::instance(); $store->saveClient($client); $this->logger->log(LogLevel::INFO, 'Created dynamic client: ' . $client_id); $auth = new Authorization($client, $client, self::CLIENT_REGISTRATION_ACCESS_SCOPE); $store->saveAuth($auth); $token = $auth->issueAccessToken(array(self::CLIENT_REGISTRATION_ACCESS_SCOPE)); $response['registration_access_token'] = $token['access_token']; $this->f3->status(201); $response->renderJSON(); }
public function __construct($data = array()) { parent::__construct($data); $rand = new Random(); $this->cid = '_' . $rand->id() . '.oauth'; }
/** * Gets the site-specific key for generating identifiers. * * If the key does not exist, it is automatically generated. * * @return string site-specific key as a binary string */ private static function getOpaqueToken() { $store = StoreManager::instance(); $opaque_token = $store->getSetting('opaque-token'); if ($opaque_token == NULL) { $rand = new Random(); $opaque_token = $rand->bytes(16); $store->setSetting('opaque-token', base64_encode($opaque_token)); } else { $opaque_token = base64_decode($opaque_token); } return $opaque_token; }
/** * Gets the site-specific encryption and signing key. * * If the key does not exist, it is automatically generated. * * @return string the site-specific encryption and signing key * as a base64url encoded string */ protected static function getKey() { $store = StoreManager::instance(); $key = $store->getSetting('oauth-fernet'); if ($key == NULL) { $rand = new Random(); $key = Fernet::base64url_encode($rand->bytes(32)); $store->setSetting('oauth-fernet', $key); } return $key; }
/** * Creates an authorization code. * * Once the authorization code object has been created, the code can be retrieved using * the {@link getCode()} method. * * @param Authorization $authorization the authorization that wishes to generate * this code * @param string|null $redirect_uri the redirect_uri parameter in the authorisation request, if * present * @param array $scope the allowed scope - this should be a subset of the scope provided by the * authorization * @param array $additional additional data to be stored in the authorization code * @return Code the authorization code object */ public static function create($authorization, $redirect_uri, $scope, $additional = array()) { $code = new Code(); $rand = new Random(); $cache = \Cache::instance(); $code->cid = $rand->id(); $code->aid = $authorization->getStoreID(); $code->auth_state = $authorization->getAuthState(); $code->redirect_uri = $redirect_uri; $code->scope = !is_array($scope) ? explode(' ', $scope) : $scope; $code->additional = $additional; $code->expires = time() + SIMPLEID_INSTANT_TOKEN_EXPIRES_IN; $cache->set($code->getCode() . '.code', $code, SIMPLEID_INSTANT_TOKEN_EXPIRES_IN); $code->is_valid = true; return $code; }
/** * Resets the current authorisation state * * @param string the new authorisation state */ public function resetAuthState() { $rand = new Random(); $this->auth_state = substr($rand->id(), -9); return $this->auth_state; }
/** * Displays the page used to set up login verification using one-time * passwords. */ public function setup() { $auth = AuthManager::instance(); $store = StoreManager::instance(); $user = $auth->getUser(); $tpl = new \Template(); $token = new SecurityToken(); // Require HTTPS, redirect if necessary $this->checkHttps('redirect', true); if (!$auth->isLoggedIn()) { $this->f3->reroute('/my/dashboard'); return; } if ($this->f3->get('POST.op') == $this->t('Disable')) { if ($this->f3->exists('POST.tk') === false || !$token->verify($this->f3->get('POST.tk'), 'otp')) { $this->f3->set('message', $this->t('SimpleID detected a potential security attack. Please try again.')); $this->f3->mock('GET /my/dashboard'); return; } if (isset($user['otp'])) { unset($user['otp']); $store->saveUser($user); } $this->f3->set('message', $this->t('Login verification has been disabled.')); $this->f3->mock('GET /my/dashboard'); return; } elseif ($this->f3->get('POST.op') == $this->t('Verify')) { $params = $token->getPayload($this->f3->get('POST.otp_params')); $this->f3->set('otp_params', $this->f3->get('POST.otp_params')); if ($this->f3->exists('POST.tk') === false || !$token->verify($this->f3->get('POST.tk'), 'otp')) { $this->f3->set('message', $this->t('SimpleID detected a potential security attack. Please try again.')); page_dashboard(); return; } elseif ($this->f3->exists('POST.otp') === false || $this->f3->get('POST.otp') == '') { $this->f3->set('message', $this->t('You need to enter the verification code to complete enabling login verification.')); } elseif ($this->verifyOTP($params, $this->f3->get('POST.otp'), 10) === false) { $this->f3->set('message', $this->t('The verification code is not correct.')); } else { $user['otp'] = $params; $store->saveUser($user); $this->f3->set('message', $this->t('Login verification has been enabled.')); $this->f3->mock('GET /my/dashboard'); return; } } else { $rand = new Random(); $params = array('type' => 'totp', 'secret' => $rand->bytes(10), 'algorithm' => 'sha1', 'digits' => 6, 'period' => 30, 'drift' => 0, 'remember' => array()); $this->f3->set('otp_params', $token->generate($params, SecurityToken::OPTION_BIND_SESSION)); } $secret = new BigNum($params['secret'], 256); $code = strtr($secret->val(32), '0123456789abcdefghijklmnopqrstuv', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'); $code = str_repeat('A', 16 - strlen($code)) . $code; for ($i = 0; $i < strlen($code); $i += 4) { $this->f3->set('secret' . ($i + 1), substr($code, $i, 4)); } $url = 'otpauth://totp/SimpleID?secret=' . $code . '&digits=' . $params['digits'] . '&period=' . $params['period']; $this->f3->set('qr', addslashes($url)); $this->f3->set('about_otp', $this->t('Login verification adds an extra layer of protection to your account. When enabled, you will need to enter an additional security code whenever you log into SimpleID.')); $this->f3->set('otp_warning', $this->t('<strong>WARNING:</strong> If you enable login verification and lose your authenticator app, you will need to <a href="!url">edit your identity file manually</a> before you can log in again.', array('!url' => 'http://simpleid.koinic.net/docs/2/common_problems/#otp'))); $this->f3->set('setup_otp', $this->t('To set up login verification, following these steps.')); $this->f3->set('download_app', $this->t('Download an authenticator app that supports TOTP for your smartphone, such as Google Authenticator.')); $this->f3->set('add_account', $this->t('Add your SimpleID account to authenticator app using this key. If you are viewing this page on your smartphone you can use <a href="!url">this link</a> or scan the QR code to add your account.', array('!url' => $url))); $this->f3->set('verify_code', $this->t('To check that your account has been added properly, enter the verification code from your phone into the box below, and click Verify.')); $this->f3->set('tk', $token->generate('otp', SecurityToken::OPTION_BIND_SESSION)); $this->f3->set('otp_label', $this->t('Verification code:')); $this->f3->set('submit_button', $this->t('Verify')); $this->f3->set('page_class', 'dialog-page'); $this->f3->set('title', $this->t('Login Verification')); $this->f3->set('framekiller', true); $this->f3->set('layout', 'auth_otp_setup.html'); print $tpl->render('page.html'); }
/** * Generates a random integer, which will be used to derive a private key * for Diffie-Hellman key exchange. The integer must be less than $stop * * @param BigNum $stop a prime number as a bignum * @return BigNum the random integer as a bignum */ private function generateRandom($stop) { $duplicate_cache = array(); $rand = new Random(); // Used as the key for the duplicate cache $rbytes = $stop->val(256); if (array_key_exists($rbytes, $duplicate_cache)) { list($duplicate, $nbytes) = $duplicate_cache[$rbytes]; } else { if ($rbytes[0] == "") { $nbytes = strlen($rbytes) - 1; } else { $nbytes = strlen($rbytes); } $mxrand = new BigNum(256); $mxrand = $mxrand->pow(new BigNum($nbytes)); // If we get a number less than this, then it is in the // duplicated range. $duplicate = $mxrand->mod($stop); if (count($duplicate_cache) > 10) { $duplicate_cache = array(); } $duplicate_cache[$rbytes] = array($duplicate, $nbytes); } do { $bytes = "" . $rand->bytes($nbytes); $n = new BigNum($bytes, 256); // Keep looping if this value is in the low duplicated range } while ($n->cmp($duplicate) < 0); return $n->mod($stop); }
/** * Gets the site-specific encryption and signing key. * * If the key does not exist, it is automatically generated. * * @return string the site-specific encryption and signing key * as a base64url encoded string */ private static function getSiteToken() { $store = StoreManager::instance(); $site_token = $store->getSetting('site-token'); if ($site_token == NULL) { $rand = new Random(); $site_token = Fernet::base64url_encode($rand->bytes(32)); $store->setSetting('site-token', $site_token); } return $site_token; }
/** * Builds the JOSE response. This will return one of the following: * * - A JSON encoded string, if {@link $signed_response_alg} and * {@link $encrypted_response_alg} are both null * - A signed JWT (JWS), if {@link $signed_response_alg} is set * - A JWE containing a nested JWT, if both {@link $signed_response_alg} * and {@link $encrypted_response_alg} are set * * @param SimpleJWT\Keys\KeySet $set the key set used to sign and/or * encrypt the token. If set to null, the default set of keys * configured for the client and the server are loaded * @return string the response body */ function buildJOSE($set = null) { $rand = new Random(); $typ = $this->getType(); if ($typ == 'json') { return json_encode($this->container); } if ($set == null) { $builder = new KeySetBuilder($client); $set = $builder->addClientSecret()->addClientPublicKeys()->addServerPrivateKeys()->toKeySet(); } $headers = array_merge($this->headers, array('alg' => $this->signed_response_alg)); $claims = array_merge($this->container, array('iss' => $this->issuer, 'aud' => $this->client->getStoreID(), 'jti' => $rand->id())); $jwt = new JWT($headers, $claims); try { $token = $jwt->encode($set); } catch (CryptException $e) { return null; } if ($typ == 'jwt') { return $token; } $headers = array('alg' => $this->encrypted_response_alg, 'enc' => $this->encrypted_response_enc, 'cty' => 'JWT'); $jwe = new JWE($headers, $token); try { return $jwe->encrypt($set); } catch (CryptException $e) { return null; } }
/** * Returns an OpenID response indicating a positive assertion. * * @param Request $request the OpenID request * @param int $result the authentication result providing the positive * assertion * @return Response an OpenID response with a positive assertion * @link http://openid.net/specs/openid-authentication-1_1.html#anchor17, http://openid.net/specs/openid-authentication-1_1.html#anchor23, http://openid.net/specs/openid-authentication-2_0.html#positive_assertions */ protected function createOKResponse($request) { $rand = new Random(); $response = new Response($request); $response->setArray(array('mode' => 'id_res', 'op_endpoint' => $this->getCanonicalURL(), 'response_nonce' => $rand->openIDNonce())); if (isset($request['openid.assoc_handle'])) { $response['assoc_handle'] = $request['openid.assoc_handle']; } if (isset($request['openid.identity'])) { $response['identity'] = $request['openid.identity']; } if (isset($request['openid.return_to'])) { $response['return_to'] = $request['openid.return_to']; } if ($request->getVersion() == Message::OPENID_VERSION_2 && isset($request['openid.claimed_id'])) { $response['claimed_id'] = $request['openid.claimed_id']; } $this->mgr->invokeAll('openIDResponse', true, $request, $response); $this->logger->log(LogLevel::INFO, 'OpenID authentication response', $response->toArray()); return $response; }
/** * Assigns and returns a unique login state for the current * authenticated session with user agent (UALS). * * A UALS uniquely identifies the current authenticated session with * the user agent (e.g. browser). It is reset with each successful * login and logout. The cookie associated with a UALS is only * valid for the current session. * * This function will look for a cookie sent by the user agent with * the name returned by {@link getCookieName()} with a suffix * of uals. If the cookie does not exist, it will generate a * UALS and return it to the user agent with a Set-Cookie * response header. * * @param bool $reset true to reset the UALS * @return string the UALS */ public function assignUALoginState($reset = false) { $name = $this->getCookieName('uals'); if ($this->f3->exists('COOKIE.' . $name) === true && !$reset) { $this->ua_login_state = $this->f3->get('COOKIE.' . $name); } else { $rand = new Random(); $opaque = new OpaqueIdentifier(); $this->ua_login_state = $opaque->generate($this->assignUAID() . ':' . $rand->id()); // We don't use f3->set->COOKIE, as this automatically sets the cookie to be httponly // We want this to be script readable. setcookie($this->getCookieName('uals'), $this->ua_login_state, 0, $this->f3->get('BASE'), '', true, false); } return $this->ua_login_state; }