/**
 * Compute the base64-encoded HMAC signature over selected fields of a message.
 *
 * Only the fields named in $keys_to_sign that actually occur in
 * $message_array (under their 'openid.'-prefixed key) are signed; a key
 * that is missing from the message is skipped silently rather than
 * treated as an error. The MAC key is stored base64-encoded on the
 * association and decoded here before use.
 *
 * NOTE(review): although the docblock mentions ->assoc_type, this function
 * reads only ->mac_key; the digest algorithm is whatever _openid_hmac
 * uses -- confirm it matches the association's assoc_type.
 *
 * @param $association - object loaded from openid_association or
 *   openid_server_association table; important fields are ->assoc_type
 *   and ->mac_key
 * @param $message_array - array of entire message about to be sent
 * @param $keys_to_sign - keys in the message to include in signature
 *   (without 'openid.' prepended)
 * @return string base64-encoded signature
 */
function _openid_signature($association, $message_array, $keys_to_sign) {
    $fields = array();
    foreach ($keys_to_sign as $field) {
        $prefixed = 'openid.' . $field;
        if (!isset($message_array[$prefixed])) {
            continue;
        }
        $fields[$field] = $message_array[$prefixed];
    }
    $mac_key = base64_decode($association->mac_key);
    $raw_signature = _openid_hmac($mac_key, _openid_create_message($fields));
    return base64_encode($raw_signature);
}
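/**
 * Attempt to verify the signature on the response received from the
 * OpenID Provider.
 *
 * Two verification paths are supported:
 *  - if openid.assoc_handle names an association stored in our table, the
 *    signature is recomputed locally with the shared MAC key and compared;
 *  - otherwise the assertion is posted back to the OP as a
 *    check_authentication request and the OP's is_valid answer is used.
 *
 * Every value in $response ultimately arrives via the user's browser and is
 * untrusted. Fixes over the previous revision: the assoc_handle is no
 * longer interpolated unescaped into SQL, the signature comparison is
 * constant-time and strict, and missing fields return FALSE instead of
 * raising notices.
 *
 * NOTE(review): this function checks only the signature. It does not verify
 * that openid.signed covers the fields a relying party must require
 * (op_endpoint, return_to, response_nonce, assoc_handle and, when present,
 * claimed_id/identity), that return_to points at this site, or that
 * response_nonce has not been replayed; the caller must do that. Whether
 * a stored association has expired is also not checked here. $op_endpoint
 * should be the endpoint obtained by discovery, not a value taken from the
 * response, since the fallback path trusts whatever answers there.
 *
 * @param $op_endpoint The OpenID Provider URL.
 * @param $response Array of response values from the provider.
 *
 * @return boolean TRUE only if the assertion's signature verified.
 */
function openid_verify_assertion($op_endpoint, $response) {
    if (!isset($response['openid.assoc_handle'], $response['openid.signed'], $response['openid.sig'])) {
        return FALSE;
    }

    $assoc_handle = $response['openid.assoc_handle'];
    // OpenID 2.0 limits an assoc_handle to 1..255 printable ASCII characters
    // (0x21-0x7E). Anything else cannot be a handle we or an OP issued, so
    // reject it before it reaches the database.
    if (!is_string($assoc_handle) || !preg_match('/^[\x21-\x7E]{1,255}$/', $assoc_handle)) {
        return FALSE;
    }

    $openid_association = Database::get_main_table(TABLE_MAIN_OPENID_ASSOCIATION);
    // The handle is attacker-controlled: escape it with the project's
    // database helper rather than interpolating it raw.
    $sql = sprintf(
        "SELECT * FROM {$openid_association} WHERE assoc_handle = '%s'",
        Database::escape_string($assoc_handle)
    );
    $res = Database::query($sql);
    $association = Database::fetch_object($res);

    if ($association && isset($association->session_type)) {
        // Smart mode: recompute the signature with the shared secret.
        $keys_to_sign = explode(',', $response['openid.signed']);
        $self_sig = _openid_signature($association, $response, $keys_to_sign);
        $provided_sig = $response['openid.sig'];
        if (!is_string($provided_sig)) {
            // e.g. openid.sig[]=... in the query string
            return FALSE;
        }
        if (function_exists('hash_equals')) {
            // Constant-time comparison; also avoids loose == semantics.
            return hash_equals($self_sig, $provided_sig);
        }
        return $self_sig === $provided_sig; // PHP < 5.6 fallback
    }

    // Stateless mode: ask the OP whether it produced this assertion.
    $request = $response;
    $request['openid.mode'] = 'check_authentication';
    $message = _openid_create_message($request);
    $headers = array('Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8');
    $result = openid_http_request($op_endpoint, $headers, 'POST', _openid_encode_message($message));
    if (isset($result->error)) {
        return FALSE;
    }
    $reply = _openid_parse_message($result->data);
    // Only a literal "true" (trimmed, case-insensitive) from the OP is
    // accepted; a missing is_valid field is a failure, not a notice.
    if (!isset($reply['is_valid']) || !is_string($reply['is_valid'])) {
        return FALSE;
    }
    return strtolower(trim($reply['is_valid'])) === 'true';
}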