createDhKey() public static method

Performs the first step of a Diffie-Hellman key exchange by generating private and public DH values based on given prime number $p and generator $g. Both sides of key exchange MUST have the same prime number and generator. In this case they will able to create a random shared secret that is never send from one to the other.
public static createDhKey ( string $p, string $g, string $priv_key = null ) : mixed
$p string prime number in binary representation
$g string generator in binary representation
$priv_key string private key in binary representation
return mixed
 /**
  * Create (or reuse existing) association between OpenID consumer and
  * OpenID server based on Diffie-Hellman key agreement. Returns true
  * on success and false on failure.
  *
  * @param string $url OpenID server url
  * @param float $version OpenID protocol version
  * @param string $priv_key for testing only
  * @return bool
  */
 protected function _associate($url, $version, $priv_key = null)
 {
     /* Check if we already have association in chace or storage */
     if ($this->_getAssociation($url, $handle, $macFunc, $secret, $expires)) {
         return true;
     }
     if ($this->_dumbMode) {
         /* Use dumb mode */
         return true;
     }
     $params = array();
     if ($version >= 2.0) {
         $params = array('openid.ns' => Zend_OpenId::NS_2_0, 'openid.mode' => 'associate', 'openid.assoc_type' => 'HMAC-SHA256', 'openid.session_type' => 'DH-SHA256');
     } else {
         $params = array('openid.mode' => 'associate', 'openid.assoc_type' => 'HMAC-SHA1', 'openid.session_type' => 'DH-SHA1');
     }
     $dh = Zend_OpenId::createDhKey(pack('H*', Zend_OpenId::DH_P), pack('H*', Zend_OpenId::DH_G), $priv_key);
     $dh_details = Zend_OpenId::getDhKeyDetails($dh);
     $params['openid.dh_modulus'] = base64_encode(Zend_OpenId::btwoc($dh_details['p']));
     $params['openid.dh_gen'] = base64_encode(Zend_OpenId::btwoc($dh_details['g']));
     $params['openid.dh_consumer_public'] = base64_encode(Zend_OpenId::btwoc($dh_details['pub_key']));
     while (1) {
         $ret = $this->_httpRequest($url, 'POST', $params, $status);
         if ($ret === false) {
             $this->_setError("HTTP request failed");
             return false;
         }
         $r = array();
         $bad_response = false;
         foreach (explode("\n", $ret) as $line) {
             $line = trim($line);
             if (!empty($line)) {
                 $x = explode(':', $line, 2);
                 if (is_array($x) && count($x) == 2) {
                     list($key, $value) = $x;
                     $r[trim($key)] = trim($value);
                 } else {
                     $bad_response = true;
                 }
             }
         }
         if ($bad_response && strpos($ret, 'Unknown session type') !== false) {
             $r['error_code'] = 'unsupported-type';
         }
         $ret = $r;
         if (isset($ret['error_code']) && $ret['error_code'] == 'unsupported-type') {
             if ($params['openid.session_type'] == 'DH-SHA256') {
                 $params['openid.session_type'] = 'DH-SHA1';
                 $params['openid.assoc_type'] = 'HMAC-SHA1';
             } else {
                 if ($params['openid.session_type'] == 'DH-SHA1') {
                     $params['openid.session_type'] = 'no-encryption';
                 } else {
                     $this->_setError("The OpenID service responded with: " . $ret['error_code']);
                     return false;
                 }
             }
         } else {
             break;
         }
     }
     if ($status != 200) {
         $this->_setError("The server responded with status code: " . $status);
         return false;
     }
     if ($version >= 2.0 && isset($ret['ns']) && $ret['ns'] != Zend_OpenId::NS_2_0) {
         $this->_setError("Wrong namespace definition in the server response");
         return false;
     }
     if (!isset($ret['assoc_handle']) || !isset($ret['expires_in']) || !isset($ret['assoc_type']) || $params['openid.assoc_type'] != $ret['assoc_type']) {
         if ($params['openid.assoc_type'] != $ret['assoc_type']) {
             $this->_setError("The returned assoc_type differed from the supplied openid.assoc_type");
         } else {
             $this->_setError("Missing required data from provider (assoc_handle, expires_in, assoc_type are required)");
         }
         return false;
     }
     $handle = $ret['assoc_handle'];
     $expiresIn = $ret['expires_in'];
     if ($ret['assoc_type'] == 'HMAC-SHA1') {
         $macFunc = 'sha1';
     } else {
         if ($ret['assoc_type'] == 'HMAC-SHA256' && $version >= 2.0) {
             $macFunc = 'sha256';
         } else {
             $this->_setError("Unsupported assoc_type");
             return false;
         }
     }
     if ((empty($ret['session_type']) || $version >= 2.0 && $ret['session_type'] == 'no-encryption') && isset($ret['mac_key'])) {
         $secret = base64_decode($ret['mac_key']);
     } else {
         if (isset($ret['session_type']) && $ret['session_type'] == 'DH-SHA1' && !empty($ret['dh_server_public']) && !empty($ret['enc_mac_key'])) {
             $dhFunc = 'sha1';
         } else {
             if (isset($ret['session_type']) && $ret['session_type'] == 'DH-SHA256' && $version >= 2.0 && !empty($ret['dh_server_public']) && !empty($ret['enc_mac_key'])) {
                 $dhFunc = 'sha256';
             } else {
                 $this->_setError("Unsupported session_type");
                 return false;
             }
         }
     }
     if (isset($dhFunc)) {
         $serverPub = base64_decode($ret['dh_server_public']);
         $dhSec = Zend_OpenId::computeDhSecret($serverPub, $dh);
         if ($dhSec === false) {
             $this->_setError("DH secret comutation failed");
             return false;
         }
         $sec = Zend_OpenId::digest($dhFunc, $dhSec);
         if ($sec === false) {
             $this->_setError("Could not create digest");
             return false;
         }
         $secret = $sec ^ base64_decode($ret['enc_mac_key']);
     }
     if ($macFunc == 'sha1') {
         if (Zend_OpenId::strlen($secret) != 20) {
             $this->_setError("The length of the sha1 secret must be 20");
             return false;
         }
     } else {
         if ($macFunc == 'sha256') {
             if (Zend_OpenId::strlen($secret) != 32) {
                 $this->_setError("The length of the sha256 secret must be 32");
                 return false;
             }
         }
     }
     $this->_addAssociation($url, $handle, $macFunc, $secret, time() + $expiresIn);
     return true;
 }
示例#2
0
 /**
  * Processes association request from OpenID consumerm generates secret
  * shared key and send it back using Diffie-Hellman encruption.
  * Returns array of variables to push back to consumer.
  *
  * @param float $version OpenID version
  * @param array $params GET or POST request variables
  * @return array
  */
 protected function _associate($version, $params)
 {
     $ret = array();
     if ($version >= 2.0) {
         $ret['ns'] = Zend_OpenId::NS_2_0;
     }
     if (isset($params['openid_assoc_type']) && $params['openid_assoc_type'] == 'HMAC-SHA1') {
         $macFunc = 'sha1';
     } else {
         if (isset($params['openid_assoc_type']) && $params['openid_assoc_type'] == 'HMAC-SHA256' && $version >= 2.0) {
             $macFunc = 'sha256';
         } else {
             $ret['error'] = 'Wrong "openid.assoc_type"';
             $ret['error-code'] = 'unsupported-type';
             return $ret;
         }
     }
     $ret['assoc_type'] = $params['openid_assoc_type'];
     $secret = $this->_genSecret($macFunc);
     if (empty($params['openid_session_type']) || $params['openid_session_type'] == 'no-encryption') {
         $ret['mac_key'] = base64_encode($secret);
     } else {
         if (isset($params['openid_session_type']) && $params['openid_session_type'] == 'DH-SHA1') {
             $dhFunc = 'sha1';
         } else {
             if (isset($params['openid_session_type']) && $params['openid_session_type'] == 'DH-SHA256' && $version >= 2.0) {
                 $dhFunc = 'sha256';
             } else {
                 $ret['error'] = 'Wrong "openid.session_type"';
                 $ret['error-code'] = 'unsupported-type';
                 return $ret;
             }
         }
     }
     if (isset($params['openid_session_type'])) {
         $ret['session_type'] = $params['openid_session_type'];
     }
     if (isset($dhFunc)) {
         if (empty($params['openid_dh_consumer_public'])) {
             $ret['error'] = 'Wrong "openid.dh_consumer_public"';
             return $ret;
         }
         if (empty($params['openid_dh_gen'])) {
             $g = pack('H*', Zend_OpenId::DH_G);
         } else {
             $g = base64_decode($params['openid_dh_gen']);
         }
         if (empty($params['openid_dh_modulus'])) {
             $p = pack('H*', Zend_OpenId::DH_P);
         } else {
             $p = base64_decode($params['openid_dh_modulus']);
         }
         $dh = Zend_OpenId::createDhKey($p, $g);
         $dh_details = Zend_OpenId::getDhKeyDetails($dh);
         $sec = Zend_OpenId::computeDhSecret(base64_decode($params['openid_dh_consumer_public']), $dh);
         if ($sec === false) {
             $ret['error'] = 'Wrong "openid.session_type"';
             $ret['error-code'] = 'unsupported-type';
             return $ret;
         }
         $sec = Zend_OpenId::digest($dhFunc, $sec);
         $ret['dh_server_public'] = base64_encode(Zend_OpenId::btwoc($dh_details['pub_key']));
         $ret['enc_mac_key'] = base64_encode($secret ^ $sec);
     }
     $handle = uniqid();
     $expiresIn = $this->_sessionTtl;
     $ret['assoc_handle'] = $handle;
     $ret['expires_in'] = $expiresIn;
     $this->_storage->addAssociation($handle, $macFunc, $secret, time() + $expiresIn);
     return $ret;
 }
示例#3
0
 /**
  * Create (or reuse existing) association between OpenID consumer and
  * OpenID server based on Diffie-Hellman key agreement. Returns true
  * on success and false on failure.
  *
  * @param string $url OpenID server url
  * @param float $version OpenID protocol version
  * @param string $priv_key for testing only
  * @return bool
  */
 protected function _associate($url, $version, $priv_key = null)
 {
     /* Check if we already have association in chace or storage */
     if ($this->_getAssociation($url, $handle, $macFunc, $secret, $expires)) {
         return true;
     }
     if ($this->_dumbMode) {
         /* Use dumb mode */
         return true;
     }
     $params = array();
     if ($version >= 2.0) {
         $params = array('openid.ns' => Zend_OpenId::NS_2_0, 'openid.mode' => 'associate', 'openid.assoc_type' => 'HMAC-SHA256', 'openid.session_type' => 'DH-SHA256');
     } else {
         $params = array('openid.mode' => 'associate', 'openid.assoc_type' => 'HMAC-SHA1', 'openid.session_type' => 'DH-SHA1');
     }
     $dh = Zend_OpenId::createDhKey(pack('H*', Zend_OpenId::DH_P), pack('H*', Zend_OpenId::DH_G), $priv_key);
     $dh_details = Zend_OpenId::getDhKeyDetails($dh);
     $params['openid.dh_modulus'] = base64_encode(Zend_OpenId::btwoc($dh_details['p']));
     $params['openid.dh_gen'] = base64_encode(Zend_OpenId::btwoc($dh_details['g']));
     $params['openid.dh_consumer_public'] = base64_encode(Zend_OpenId::btwoc($dh_details['pub_key']));
     while (1) {
         $ret = $this->_httpRequest($url, 'POST', $params, $status);
         if ($ret === false) {
             return false;
         }
         $r = array();
         foreach (explode("\n", $ret) as $line) {
             $line = trim($line);
             if (!empty($line)) {
                 $x = explode(':', $line, 2);
                 if (is_array($x) && count($x) == 2) {
                     list($key, $value) = $x;
                     $r[trim($key)] = trim($value);
                 }
             }
         }
         $ret = $r;
         if (isset($ret['error_code']) && $ret['error_code'] == 'unsupported-type') {
             if ($params['openid.session_type'] == 'DH-SHA256') {
                 $params['openid.session_type'] = 'DH-SHA1';
                 $params['openid.assoc_type'] = 'HMAC-SHA1';
             } else {
                 if ($params['openid.session_type'] == 'DH-SHA1') {
                     $params['openid.session_type'] = 'no-encryption';
                 } else {
                     return false;
                 }
             }
         } else {
             break;
         }
     }
     if ($status != 200) {
         return false;
     }
     if ($version >= 2.0 && isset($ret['ns']) && $ret['ns'] != Zend_OpenId::NS_2_0) {
         return false;
     }
     if (!isset($ret['assoc_handle']) || !isset($ret['expires_in']) || !isset($ret['assoc_type']) || $params['openid.assoc_type'] != $ret['assoc_type']) {
         return false;
     }
     $handle = $ret['assoc_handle'];
     $expiresIn = $ret['expires_in'];
     if ($ret['assoc_type'] == 'HMAC-SHA1') {
         $macFunc = 'sha1';
     } else {
         if ($ret['assoc_type'] == 'HMAC-SHA256' && $version >= 2.0) {
             $macFunc = 'sha256';
         } else {
             return false;
         }
     }
     if ((empty($ret['session_type']) || $version >= 2.0 && $ret['session_type'] == 'no-encryption') && isset($ret['mac_key'])) {
         $secret = base64_decode($ret['mac_key']);
     } else {
         if (isset($ret['session_type']) && $ret['session_type'] == 'DH-SHA1' && !empty($ret['dh_server_public']) && !empty($ret['enc_mac_key'])) {
             $dhFunc = 'sha1';
         } else {
             if (isset($ret['session_type']) && $ret['session_type'] == 'DH-SHA256' && $version >= 2.0 && !empty($ret['dh_server_public']) && !empty($ret['enc_mac_key'])) {
                 $dhFunc = 'sha256';
             } else {
                 return false;
             }
         }
     }
     if (isset($dhFunc)) {
         $serverPub = base64_decode($ret['dh_server_public']);
         $dhSec = Zend_OpenId::computeDhSecret($serverPub, $dh);
         if ($dhSec === false) {
             return false;
         }
         $sec = Zend_OpenId::digest($dhFunc, $dhSec);
         if ($sec === false) {
             return false;
         }
         $secret = $sec ^ base64_decode($ret['enc_mac_key']);
     }
     if ($macFunc == 'sha1') {
         if (strlen($secret) != 20) {
             return false;
         }
     } else {
         if ($macFunc == 'sha256') {
             if (strlen($secret) != 32) {
                 return false;
             }
         }
     }
     $this->_addAssociation($url, $handle, $macFunc, $secret, time() + $expiresIn);
     return true;
 }
示例#4
0
    /**
     * testing testComputeDhSecret
     *
     */
    public function testComputeDhSecret()
    {
        try {
            $alice = Zend_OpenId::createDhKey(
                pack('H*', '0233'),
                pack('H*', '05'),
                pack('H*', '09'));
            $alice_details = Zend_OpenId::getDhKeyDetails($alice);
            $this->assertSame( '4e', bin2hex($alice_details['pub_key']) );

            $bob = Zend_OpenId::createDhKey(
                pack('H*', '0233'),
                pack('H*', '05'),
                pack('H*', '0e'));
            $bob_details = Zend_OpenId::getDhKeyDetails($bob);
            $this->assertSame( '0216', bin2hex($bob_details['pub_key']) );

            $this->assertSame( '75',
                bin2hex(Zend_OpenId::computeDhSecret($alice_details['pub_key'], $bob)) );
            $this->assertSame( '75',
                bin2hex(Zend_OpenId::computeDhSecret($bob_details['pub_key'], $alice)) );
        } catch (Zend_OpenId_Exception $e) {
            $this->markTestSkipped($e->getMessage());
        }
    }
示例#5
0
    /**
     * testing testComputeDhSecret
     *
     */
    public function testComputeDhSecret()
    {
        $alice = Zend_OpenId::createDhKey(
            pack('H*', '0233'),
            pack('H*', '05'),
            pack('H*', '09'));
        $alice_details = Zend_OpenId::getDhKeyDetails($alice);
        $this->assertSame( '4e', bin2hex($alice_details['pub_key']) );

        $bob = Zend_OpenId::createDhKey(
            pack('H*', '0233'),
            pack('H*', '05'),
            pack('H*', '0e'));
        $bob_details = Zend_OpenId::getDhKeyDetails($bob);
        $this->assertSame( '0216', bin2hex($bob_details['pub_key']) );

        $this->assertSame( '75',
            bin2hex(Zend_OpenId::computeDhSecret($alice_details['pub_key'], $bob)) );
        $this->assertSame( '75',
            bin2hex(Zend_OpenId::computeDhSecret($bob_details['pub_key'], $alice)) );
    }