/**
 * Parses the given URL string into an Authentication_SignedURL.
 *
 * @param string $URL_string
 * @return Authentication_SignedURL|null the parsed URL, or NULL when parseInternal() rejects the string
 */
public static function parse($URL_string)
{
    $signedUrl = new Authentication_SignedURL();
    if (!$signedUrl->parseInternal($URL_string)) {
        return NULL;
    }
    return $signedUrl;
}
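/**
 * Perform delegated WebID authentication relying on an Identity Provider.
 *
 * If $createSession is set and the session already holds an authenticated
 * WebID, that identity is reused and no signature check is performed.
 * Otherwise the signed assertion carried by $request is verified with the
 * IdP certificate selected by the referer host, provided its timestamp lies
 * within $allowedTimeWindow seconds of the local clock. The outcome is stored
 * in $isAuthenticated / $authnDiagnostic and, when $createSession is set, in
 * the session as well.
 *
 * @param bool $createSession read/write the authenticated WebID through Authentication_Session
 * @param Authentication_SignedURL $request signed assertion (if not specified inferred from $_SERVER and _GET)
 * @param Authentication_URL $referer IdP URL whose host selects the trusted certificate (if not specified inferred from _GET["referer"])
 * @param Authentication_X509CertRepo $certRepository (if not specified the default repository is used)
 * @param string $sigAlg signature algorithm; only self::SIG_ALG_RSA_SHA1 is supported
 * @param int $allowedTimeWindow maximum distance, in seconds, between the assertion timestamp and now
 */
public function __construct($createSession = TRUE, Authentication_SignedURL $request = NULL, Authentication_URL $referer = NULL, Authentication_X509CertRepo $certRepository = NULL, $sigAlg = self::SIG_ALG_RSA_SHA1, $allowedTimeWindow = 300)
{
    if ($createSession) {
        $session = new Authentication_Session();
        if ($session->isAuthenticated) {
            // An already authenticated session is trusted as-is: no signature check.
            $this->webid = $session->webid;
            $this->isAuthenticated = $session->isAuthenticated;
            $this->authnDiagnostic = self::STATUS_AUTH_VIA_SESSION;
            return;
        }
    }

    if (!$certRepository) {
        $certRepository = new Authentication_X509CertRepo();
    }

    if (!$request) {
        // NOTE(review): parse() returns NULL when the URL cannot be parsed; the
        // getQueryParameter() calls below would then fail on a NULL $request.
        $request = Authentication_SignedURL::parse(self::currentRequestUrl());
    }

    // Assertion parameters: the signed URL is consulted first, a bare _GET value is the fallback.
    $error = self::assertionParameter($request, 'error');
    $sig = self::assertionParameter($request, 'sig');
    $ts = self::assertionParameter($request, 'ts');

    $this->requestURI = $request;

    if ($referer !== NULL) {
        $this->referer = $referer;
    } elseif (isset($_GET["referer"])) {
        $this->referer = Authentication_URL::parse($_GET["referer"]);
    } else {
        $this->referer = new Authentication_URL();
    }

    $this->ts = $ts;
    $this->webid = self::assertionParameter($request, 'webid');
    $this->allowedTimeWindow = $allowedTimeWindow;
    $this->elapsedTime = self::elapsedSince($ts);

    /*
     * Loads the trusted certificate of the IdP: its public key is used to
     * verify the integrity of the signed assertion.
     */
    $idpCertificate = $certRepository->getIdpCertificate($this->referer->host);
    if (!$idpCertificate) {
        $this->isAuthenticated = 0;
        $this->authnDiagnostic = self::STATUS_IDP_CERTIFICATE_MISSING;
    } elseif (isset($error)) {
        // The IdP reported an error instead of an assertion. $error comes from
        // the query string, so callers must escape it before rendering it.
        $this->isAuthenticated = 0;
        $this->authnDiagnostic = $error;
    } elseif (abs($this->elapsedTime) >= $this->allowedTimeWindow) {
        // Too old, or dated too far in the future: either would extend the
        // lifetime of a captured assertion, so both are rejected.
        $this->isAuthenticated = 0;
        $this->authnDiagnostic = self::STATUS_IDP_RESPONSE_TIMEOUT_ERR;
    } elseif ($sigAlg != self::SIG_ALG_RSA_SHA1) {
        // Only rsa-sha1 is supported at the moment.
        $this->isAuthenticated = 0;
        $this->authnDiagnostic = self::STATUS_UNSUPPORTED_SIGNATURE_ALG_ERR;
    } else {
        $signedInfo = $this->requestURI->urlWithoutSignature();
        // Extracts the signature
        $signature = $this->requestURI->digitalSignature();
        // TODO this may be removed in the future
        if (!$signature) {
            $signature = $sig;
        }
        $this->verifyRsaSha1($signedInfo, $signature, $idpCertificate);
    }

    if ($createSession) {
        if ($this->isAuthenticated) {
            $session->setAuthenticatedWebid($this->webid);
        } else {
            $session->unsetAuthenticatedWebid();
        }
    }
}

/**
 * Checks the RSA-SHA1 signature over $signedInfo against the IdP certificate
 * and records the outcome in $isAuthenticated / $authnDiagnostic.
 *
 * @param string $signedInfo the request URL without its signature, as returned by urlWithoutSignature()
 * @param mixed $signature signature in the form openssl_verify() expects (presumably digitalSignature() already yields raw bytes — confirm)
 * @param mixed $idpCertificate certificate accepted by openssl_get_publickey()
 */
private function verifyRsaSha1($signedInfo, $signature, $idpCertificate)
{
    if (!is_string($signature) || $signature === '') {
        // Nothing to verify: an absent signature can never match.
        $this->isAuthenticated = 0;
        $this->authnDiagnostic = self::STATUS_SIGNATURE_VERIFICATION_ERR;
        return;
    }

    $pubKeyId = openssl_get_publickey($idpCertificate);
    if ($pubKeyId === false) {
        // The certificate could not be loaded, so no verification took place.
        $this->isAuthenticated = 0;
        $this->authnDiagnostic = self::STATUS_OPENSSL_VERIFICATION_ERR;
        return;
    }

    // openssl_verify(): 1 = valid, 0 = mismatch, -1/false = OpenSSL error.
    // The algorithm is spelled out so the SHA1 dependency is visible.
    $verified = openssl_verify($signedInfo, $signature, $pubKeyId, OPENSSL_ALGO_SHA1);
    // No-op since PHP 8.0, kept for older runtimes.
    openssl_free_key($pubKeyId);

    if ($verified === 1) {
        // The verification was successful.
        $this->isAuthenticated = 1;
        $this->authnDiagnostic = self::STATUS_DELEGATED_LOGIN_OK;
    } elseif ($verified === 0) {
        // The signature didn't match.
        $this->isAuthenticated = 0;
        $this->authnDiagnostic = self::STATUS_SIGNATURE_VERIFICATION_ERR;
    } else {
        // Error during the verification.
        $this->isAuthenticated = 0;
        $this->authnDiagnostic = self::STATUS_OPENSSL_VERIFICATION_ERR;
    }
}

/**
 * Seconds elapsed since the assertion timestamp $ts (negative when $ts is in
 * the future). An absent or unparsable timestamp is treated as epoch 0, i.e.
 * far outside any window — this mirrors strtotime() returning false and being
 * coerced to 0 in the original arithmetic.
 *
 * @param mixed $ts timestamp as carried by the 'ts' query parameter
 * @return int
 */
private static function elapsedSince($ts)
{
    $tsEpoch = is_scalar($ts) ? strtotime((string) $ts) : false;
    return time() - ($tsEpoch === false ? 0 : $tsEpoch);
}

/**
 * Reads an assertion parameter from the signed URL, passing the bare _GET
 * value (or NULL) to getQueryParameter() as its second argument.
 *
 * @param Authentication_SignedURL $request
 * @param string $name query parameter name
 * @return mixed
 */
private static function assertionParameter(Authentication_SignedURL $request, $name)
{
    $fallback = isset($_GET[$name]) ? $_GET[$name] : null;
    return $request->getQueryParameter($name, $fallback);
}

/**
 * Rebuilds the URL of the current request from $_SERVER: scheme, host,
 * non-default port, path and query. It must reproduce exactly what the IdP
 * signed. NOTE(review): depending on web server configuration SERVER_NAME may
 * follow the client-supplied Host header — confirm the deployment pins it.
 *
 * @return string
 */
private static function currentRequestUrl()
{
    $isHttps = isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on";
    $scheme = $isHttps ? "https" : "http";
    $defaultPort = $isHttps ? 443 : 80;
    $port = ($_SERVER["SERVER_PORT"] != $defaultPort) ? ":" . $_SERVER["SERVER_PORT"] : "";
    return $scheme . "://" . $_SERVER["SERVER_NAME"] . $port . $_SERVER["REQUEST_URI"];
}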