/** * @param $type * @param $mac_function * @param $lifetime * @param $realm * @return IAssociation */ private function buildAssociation($type, $mac_function, $lifetime, $realm) { $new_secret = OpenIdCryptoHelper::generateSecret($mac_function); $new_handle = AssocHandleGenerator::generate(); $expires_in = intval($lifetime); $issued = gmdate("Y-m-d H:i:s", time()); return new Association($new_handle, $new_secret, $mac_function, $expires_in, $issued, $type, $realm); }
public function testDefaultDHParams() { $g = OpenIdDHAssociationSessionRequest::DH_G; $p = OpenIdDHAssociationSessionRequest::DH_P; $g_bin = pack('H*', $g); $p_bin = pack('H*', $p); $g_number = OpenIdCryptoHelper::convert($g_bin, DiffieHellman::FORMAT_BINARY, DiffieHellman::FORMAT_NUMBER); $p_number = OpenIdCryptoHelper::convert($p_bin, DiffieHellman::FORMAT_BINARY, DiffieHellman::FORMAT_NUMBER); $this->assertTrue($g_number == '2'); $this->assertTrue($p_number == '155172898181473697471232257763715539915724801966915404479707795314057629378541917580651227423698188993727816152646631438561595825688188889951272158842675419950341258706556549803580104870537681476726513255747040765857479291291572334510643245094715007229621094194349783925984760375594985848253359305585439638443'); }
/** * @param ResponseContext $context * @param $macAlg * @param $secret * @param OpenIdPositiveAssertionResponse $response */ public static function build(ResponseContext $context, $macAlg, $secret, OpenIdPositiveAssertionResponse &$response) { //do signing ... $signed = ''; $data = ''; $params = $context->getSignParams(); foreach ($params as $key) { if (strpos($key, 'openid.') == 0) { $val = $response[$key]; $key = substr($key, strlen('openid.')); if (!empty($signed)) { $signed .= ','; } $signed .= $key; $data .= $key . ':' . $val . "\n"; } } $signed .= ',signed'; $data .= 'signed:' . $signed . "\n"; $sig = base64_encode(OpenIdCryptoHelper::computeHMAC($macAlg, $data, $secret)); $response->setSigned($signed); $response->setSig($sig); }
/** * @return null|OpenIdDirectGenericErrorResponse|\openid\responses\OpenIdAssociationSessionResponse|OpenIdDiffieHellmanAssociationSessionResponse */ public function handle() { $response = null; try { $assoc_type = $this->current_request->getAssocType(); $session_type = $this->current_request->getSessionType(); //DH parameters $public_prime = $this->current_request->getDHModulus(); //p $public_generator = $this->current_request->getDHGen(); //g //get (g ^ xa mod p) where xa is rp secret key $rp_public_key = $this->current_request->getDHConsumerPublic(); //create association $association = $this->association_service->addAssociation(AssociationFactory::getInstance()->buildSessionAssociation($assoc_type, $this->server_configuration_service->getConfigValue("Session.Association.Lifetime"))); $dh = new DiffieHellman($public_prime, $public_generator); $dh->generateKeys(); //server public key (g ^ xb mod p ), where xb is server private key // g ^ (xa * xb) mod p = (g ^ xa) ^ xb mod p = (g ^ xb) ^ xa mod p $shared_secret = $dh->computeSecretKey($rp_public_key, DiffieHellman::FORMAT_NUMBER, DiffieHellman::FORMAT_BTWOC); $hashed_shared_secret = OpenIdCryptoHelper::digest($session_type, $shared_secret); $server_public_key = base64_encode($dh->getPublicKey(DiffieHellman::FORMAT_BTWOC)); $enc_mac_key = base64_encode($association->getSecret() ^ $hashed_shared_secret); $response = new OpenIdDiffieHellmanAssociationSessionResponse($association->getHandle(), $session_type, $assoc_type, $association->getLifetime(), $server_public_key, $enc_mac_key); } catch (InvalidDHParam $exDH) { $response = new OpenIdDirectGenericErrorResponse($exDH->getMessage()); $this->log_service->error($exDH); } catch (InvalidArgumentException $exDH1) { $response = new OpenIdDirectGenericErrorResponse($exDH1->getMessage()); $this->log_service->error($exDH1); } catch (RuntimeException $exDH2) { $response = new OpenIdDirectGenericErrorResponse($exDH2->getMessage()); $this->log_service->error($exDH2); } return $response; }
public function testAuthenticationSetupModeSessionAssociationDHSha256() { $b64_public = base64_encode(OpenIdCryptoHelper::convert($this->public, DiffieHellman::FORMAT_NUMBER, DiffieHellman::FORMAT_BTWOC)); $this->assertTrue($b64_public === 'AIUmVPMheb/hEupD5m6veEEstnBVteyZPy+mlYX7ygxygLG/XuHFa8q4lZERJ9u1DNFOpXHRDq5RbjsaUYRDOtyrbkGbeKo5tPqjsynjXtoMAItxkxCU4jpQLvH85P+u7DeA0h3kKNHFa90ijZTIGSSDRF5wW9N+QPCUCt4G4xWZ'); $params = array(OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_NS) => OpenIdProtocol::OpenID2MessageType, OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Mode) => OpenIdProtocol::AssociateMode, OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_AssocType) => OpenIdProtocol::SignatureAlgorithmHMAC_SHA256, OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_SessionType) => OpenIdProtocol::AssociationSessionTypeDHSHA256, OpenIdProtocol::param(OpenIdProtocol::OpenIdProtocol_DHConsumerPublic) => $b64_public); $response = $this->action("POST", "OpenIdProviderController@endpoint", $params); $this->assertResponseStatus(200); $openid_response = $this->getOpenIdResponseLineBreak($response->getContent()); $this->assertTrue(isset($openid_response['ns'])); $this->assertTrue($openid_response['ns'] === OpenIdProtocol::OpenID2MessageType); $this->assertTrue(isset($openid_response['assoc_type'])); $this->assertTrue($openid_response['assoc_type'] === OpenIdProtocol::SignatureAlgorithmHMAC_SHA256); $this->assertTrue(isset($openid_response['session_type'])); $this->assertTrue($openid_response['session_type'] === OpenIdProtocol::AssociationSessionTypeDHSHA256); $this->assertTrue(isset($openid_response['assoc_handle'])); $this->assertTrue(isset($openid_response['dh_server_public'])); $this->assertTrue(isset($openid_response['enc_mac_key'])); $this->assertTrue(isset($openid_response['expires_in'])); Session::set("openid.authorization.response", IAuthService::AuthorizationResponse_AllowOnce); $params = array(OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_NS) => OpenIdProtocol::OpenID2MessageType, OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Mode) => OpenIdProtocol::SetupMode, OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Realm) => "https://www.test.com/", OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_ReturnTo) => "https://www.test.com/oauth2", OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Identity) => "http://specs.openid.net/auth/2.0/identifier_select", OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_ClaimedId) => "http://specs.openid.net/auth/2.0/identifier_select", OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_AssocHandle) => $openid_response['assoc_handle']); $response = $this->action("POST", "OpenIdProviderController@endpoint", $params); $this->assertResponseStatus(302); $openid_response = $this->parseOpenIdResponse($response->getTargetUrl()); $this->assertTrue(isset($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Mode)])); $this->assertTrue(!empty($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Mode)])); $this->assertTrue(isset($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_NS)])); $this->assertTrue(!empty($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_NS)])); $this->assertTrue(isset($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_ReturnTo)])); $this->assertTrue(!empty($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_ReturnTo)])); $this->assertTrue(isset($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Sig)])); $this->assertTrue(!empty($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Sig)])); $this->assertTrue(isset($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Signed)])); $this->assertTrue(!empty($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Signed)])); $this->assertTrue(isset($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Realm)])); $this->assertTrue(!empty($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Realm)])); $this->assertTrue(isset($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_OpEndpoint)])); $this->assertTrue(!empty($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_OpEndpoint)])); $this->assertTrue(isset($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Identity)])); $this->assertTrue(!empty($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Identity)])); $this->assertTrue(isset($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_ClaimedId)])); $this->assertTrue(!empty($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_ClaimedId)])); }
/** * @return null|string * @throws \openid\exceptions\InvalidDHParam */ public function getDHConsumerPublic() { if (is_null($this->rp_pub_key)) { $rp_pub_key_param = $this->getParam(OpenIdProtocol::OpenIdProtocol_DHConsumerPublic); if (empty($rp_pub_key_param)) { throw new InvalidDHParam(sprintf(OpenIdErrorMessages::InvalidDHParamMessage, OpenIdProtocol::OpenIdProtocol_DHConsumerPublic)); } $rp_pub_key_bin = base64_decode($rp_pub_key_param); if (!$rp_pub_key_bin) { throw new InvalidDHParam(sprintf(OpenIdErrorMessages::InvalidDHParamMessage, OpenIdProtocol::OpenIdProtocol_DHConsumerPublic)); } $this->rp_pub_key = OpenIdCryptoHelper::convert($rp_pub_key_bin, DiffieHellman::FORMAT_BINARY, DiffieHellman::FORMAT_NUMBER); } return $this->rp_pub_key; }