/**
* Attempt to create a shared secret with the OpenID Provider.
*
* @param $op_endpoint URL of the OpenID Provider endpoint.
*
* @return $assoc_handle The association handle.
*/
function openid_association($op_endpoint)
{
//@todo Remove Old Associations:
$openid_association = Database::get_main_table(TABLE_MAIN_OPENID_ASSOCIATION);
$sql = "DELETE FROM {$openid_association}\n WHERE created + expires_in < '" . api_get_utc_datetime() . "'";
Database::query($sql);
// Check to see if we have an association for this IdP already
$op_endpoint = Database::escape_string($op_endpoint);
$sql = "SELECT assoc_handle\n FROM {$openid_association}\n WHERE idp_endpoint_uri = '{$op_endpoint}'";
$assoc_handle = Database::query($sql);
if (Database::num_rows($assoc_handle) <= 1) {
$mod = OPENID_DH_DEFAULT_MOD;
$gen = OPENID_DH_DEFAULT_GEN;
$r = _openid_dh_rand($mod);
$private = bcadd($r, 1);
$public = bcpowmod($gen, $private, $mod);
// If there is no existing association, then request one
$assoc_request = openid_association_request($public);
$assoc_message = _openid_encode_message(_openid_create_message($assoc_request));
$assoc_headers = array('Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8');
//TODO
$assoc_result = openid_http_request($op_endpoint, $assoc_headers, 'POST', $assoc_message);
if (isset($assoc_result->error)) {
return FALSE;
}
$assoc_response = _openid_parse_message($assoc_result->data);
if (isset($assoc_response['mode']) && $assoc_response['mode'] == 'error') {
return FALSE;
}
if ($assoc_response['session_type'] == 'DH-SHA1') {
$spub = _openid_dh_base64_to_long($assoc_response['dh_server_public']);
$enc_mac_key = base64_decode($assoc_response['enc_mac_key']);
$shared = bcpowmod($spub, $private, $mod);
$assoc_response['mac_key'] = base64_encode(_openid_dh_xorsecret($shared, $enc_mac_key));
}
//TODO
$openid_association = Database::get_main_table(TABLE_MAIN_OPENID_ASSOCIATION);
Database::query(sprintf("INSERT INTO {$openid_association} (idp_endpoint_uri, session_type, assoc_handle, assoc_type, expires_in, mac_key, created) VALUES('%s', '%s', '%s', '%s', %d, '%s', %d)", $op_endpoint, $assoc_response['session_type'], $assoc_response['assoc_handle'], $assoc_response['assoc_type'], $assoc_response['expires_in'], $assoc_response['mac_key'], api_get_utc_datetime()));
$assoc_handle = $assoc_response['assoc_handle'];
}
return $assoc_handle;
}
function openid_provider_dh_assoc($request, $secret, $algo = 'sha1')
{
if (empty($request['openid.dh_consumer_public'])) {
return FALSE;
}
if (isset($request['openid.dh_modulus'])) {
$mod = openid_dh_base64_to_long($request['openid.dh_modulus']);
} else {
$mod = OPENID_DH_DEFAULT_MOD;
}
if (isset($request['openid.dh_gen'])) {
$gen = openid_dh_base64_to_long($request['openid.dh_gen']);
} else {
$gen = OPENID_DH_DEFAULT_GEN;
}
$r = _openid_dh_rand($mod);
$private = _openid_provider_add($r, 1);
$public = _openid_provider_powmod($gen, $private, $mod);
$cpub = openid_dh_base64_to_long($request['openid.dh_consumer_public']);
$shared = _openid_provider_powmod($cpub, $private, $mod);
$mac_key = _openid_provider_dh_xorsecret($shared, $secret, $algo);
$enc_mac_key = base64_encode($mac_key);
$spub64 = openid_dh_long_to_base64($public);
return array('dh_server_public' => $spub64, 'enc_mac_key' => $enc_mac_key);
}
