/**
* Verifies authentication response from OpenID server.
*
* This is the second step of OpenID authentication process.
* The function returns true on successful authentication and false on
* failure.
*
* @param array $params HTTP query data from OpenID server
* @param string &$identity this argument is set to end-user's claimed
* identifier or OpenID provider local identifier.
* @param mixed $extensions extension object or array of extensions objects
* @return bool
*/
public function verify($params, &$identity = "", $extensions = null)
{
$this->_setError('');
$version = 1.1;
if (isset($params['openid_ns']) && $params['openid_ns'] == OpenID\OpenID::NS_2_0) {
$version = 2.0;
}
if (isset($params["openid_claimed_id"])) {
$identity = $params["openid_claimed_id"];
} else {
if (isset($params["openid_identity"])) {
$identity = $params["openid_identity"];
} else {
$identity = "";
}
}
if ($version < 2.0 && !isset($params["openid_claimed_id"])) {
if ($this->_session !== null) {
if ($this->_session->identity === $identity) {
$identity = $this->_session->claimed_id;
}
} else {
if (defined('SID')) {
if (isset($_SESSION["zend_openid"]["identity"]) && isset($_SESSION["zend_openid"]["claimed_id"]) && $_SESSION["zend_openid"]["identity"] === $identity) {
$identity = $_SESSION["zend_openid"]["claimed_id"];
}
} else {
$this->_session = new \Zend\Session\Container("zend_openid");
if ($this->_session->identity === $identity) {
$identity = $this->_session->claimed_id;
}
}
}
}
if (empty($params['openid_mode'])) {
$this->_setError("Missing openid.mode");
return false;
}
if (empty($params['openid_return_to'])) {
$this->_setError("Missing openid.return_to");
return false;
}
if (empty($params['openid_signed'])) {
$this->_setError("Missing openid.signed");
return false;
}
if (empty($params['openid_sig'])) {
$this->_setError("Missing openid.sig");
return false;
}
if ($params['openid_mode'] != 'id_res') {
$this->_setError("Wrong openid.mode '" . $params['openid_mode'] . "' != 'id_res'");
return false;
}
if (empty($params['openid_assoc_handle'])) {
$this->_setError("Missing openid.assoc_handle");
return false;
}
if ($params['openid_return_to'] != OpenID\OpenID::selfUrl()) {
/* Ignore query part in openid.return_to */
$pos = strpos($params['openid_return_to'], '?');
if ($pos === false || SUBSTR($params['openid_return_to'], 0, $pos) != OpenID\OpenID::selfUrl()) {
$this->_setError("Wrong openid.return_to '" . $params['openid_return_to'] . "' != '" . OpenID\OpenID::selfUrl() . "'");
return false;
}
}
if ($version >= 2.0) {
if (empty($params['openid_response_nonce'])) {
$this->_setError("Missing openid.response_nonce");
return false;
}
if (empty($params['openid_op_endpoint'])) {
$this->_setError("Missing openid.op_endpoint");
return false;
/* OpenID 2.0 (11.3) Checking the Nonce */
} else {
if (!$this->_storage->isUniqueNonce($params['openid_op_endpoint'], $params['openid_response_nonce'])) {
$this->_setError("Duplicate openid.response_nonce");
return false;
}
}
}
if (!empty($params['openid_invalidate_handle'])) {
if ($this->_storage->getAssociationByHandle($params['openid_invalidate_handle'], $url, $macFunc, $secret, $expires)) {
$this->_storage->delAssociation($url);
}
}
if ($this->_storage->getAssociationByHandle($params['openid_assoc_handle'], $url, $macFunc, $secret, $expires)) {
$signed = explode(',', $params['openid_signed']);
$data = '';
foreach ($signed as $key) {
$data .= $key . ':' . $params['openid_' . strtr($key, '.', '_')] . "\n";
}
if (base64_decode($params['openid_sig']) == OpenID\OpenID::hashHmac($macFunc, $data, $secret)) {
if (!Extension\AbstractExtension::forAll($extensions, 'parseResponse', $params)) {
$this->_setError("Extension::parseResponse failure");
return false;
}
/* OpenID 2.0 (11.2) Verifying Discovered Information */
if (isset($params['openid_claimed_id'])) {
$id = $params['openid_claimed_id'];
if (!OpenID\OpenID::normalize($id)) {
$this->_setError("Normalization failed");
return false;
} else {
if (!$this->_discovery($id, $discovered_server, $discovered_version)) {
$this->_setError("Discovery failed: " . $this->getError());
return false;
} else {
if (!empty($params['openid_identity']) && $params["openid_identity"] != $id || !empty($params['openid_op_endpoint']) && $params['openid_op_endpoint'] != $discovered_server || $discovered_version != $version) {
$this->_setError("Discovery information verification failed");
return false;
}
}
}
}
return true;
}
$this->_storage->delAssociation($url);
$this->_setError("Signature check failed");
return false;
} else {
/* Use dumb mode */
if (isset($params['openid_claimed_id'])) {
$id = $params['openid_claimed_id'];
} else {
if (isset($params['openid_identity'])) {
$id = $params['openid_identity'];
} else {
$this->_setError("Missing openid.claimed_id and openid.identity");
return false;
}
}
if (!OpenID\OpenID::normalize($id)) {
$this->_setError("Normalization failed");
return false;
} else {
if (!$this->_discovery($id, $server, $discovered_version)) {
$this->_setError("Discovery failed: " . $this->getError());
return false;
}
}
/* OpenID 2.0 (11.2) Verifying Discovered Information */
if (isset($params['openid_identity']) && $params["openid_identity"] != $id || isset($params['openid_op_endpoint']) && $params['openid_op_endpoint'] != $server || $discovered_version != $version) {
$this->_setError("Discovery information verification failed");
return false;
}
$params2 = array();
foreach ($params as $key => $val) {
if (strpos($key, 'openid_ns_') === 0) {
$key = 'openid.ns.' . substr($key, strlen('openid_ns_'));
} else {
if (strpos($key, 'openid_sreg_') === 0) {
$key = 'openid.sreg.' . substr($key, strlen('openid_sreg_'));
} else {
if (strpos($key, 'openid_') === 0) {
$key = 'openid.' . substr($key, strlen('openid_'));
}
}
}
$params2[$key] = $val;
}
$params2['openid.mode'] = 'check_authentication';
$ret = $this->_httpRequest($server, 'POST', $params2, $status);
if ($status != 200) {
$this->_setError("'Dumb' signature verification HTTP request failed");
return false;
}
$r = array();
if (is_string($ret)) {
foreach (explode("\n", $ret) as $line) {
$line = trim($line);
if (!empty($line)) {
$x = explode(':', $line, 2);
if (is_array($x) && count($x) == 2) {
list($key, $value) = $x;
$r[trim($key)] = trim($value);
}
}
}
}
$ret = $r;
if (!empty($ret['invalidate_handle'])) {
if ($this->_storage->getAssociationByHandle($ret['invalidate_handle'], $url, $macFunc, $secret, $expires)) {
$this->_storage->delAssociation($url);
}
}
if (isset($ret['is_valid']) && $ret['is_valid'] == 'true') {
if (!Extension\AbstractExtension::forAll($extensions, 'parseResponse', $params)) {
$this->_setError("Extension::parseResponse failure");
return false;
}
return true;
}
$this->_setError("'Dumb' signature verification failed");
return false;
}
}
/**
* Performs authentication validation for dumb consumers
* Returns array of variables to push back to consumer.
* It MUST contain 'is_valid' variable with value 'true' or 'false'.
*
* @param float $version OpenID version
* @param array $params GET or POST request variables
* @return array
*/
protected function _checkAuthentication($version, $params)
{
$ret = array();
if ($version >= 2.0) {
$ret['ns'] = OpenID\OpenID::NS_2_0;
}
$ret['openid.mode'] = 'id_res';
if (empty($params['openid_assoc_handle']) || empty($params['openid_signed']) || empty($params['openid_sig']) || !$this->_storage->getAssociation($params['openid_assoc_handle'], $macFunc, $secret, $expires)) {
$ret['is_valid'] = 'false';
return $ret;
}
$signed = explode(',', $params['openid_signed']);
$data = '';
foreach ($signed as $key) {
$data .= $key . ':';
if ($key == 'mode') {
$data .= "id_res\n";
} else {
$data .= $params['openid_' . strtr($key, '.', '_')] . "\n";
}
}
if (base64_decode($params['openid_sig']) === OpenID\OpenID::hashHmac($macFunc, $data, $secret)) {
$ret['is_valid'] = 'true';
} else {
$ret['is_valid'] = 'false';
}
return $ret;
}
/**
* testing testHashHmac
*
*/
public function testHashHmac()
{
$key = 'password';
$this->assertSame('1f48abc79459fa853af681ddb3c73ff7f35c48fb', bin2hex(OpenID::hashHmac('sha1', 'hello', $key)));
$this->assertSame('7ae615e698567e5e1512dd8140e740bd4d65dfa4db195d80ca327de6302b4a63', bin2hex(OpenID::hashHmac('sha256', 'hello', $key)));
$key = str_repeat('x', 128);
$this->assertSame('59c6c30dc9fb96b2cb2d7c41dbc6f96d1fbf67ac', bin2hex(OpenID::hashHmac('sha1', 'hello', $key)));
$this->assertSame('f5e0c31f7cdd272710052ac3ebcc40d7e82be2427b7e5e1e8373ef1e327515f4', bin2hex(OpenID::hashHmac('sha256', 'hello', $key)));
}
