[project @ OpenID Signed Assertions(Implementation of old sxip draft)]

In our solution, one party, which we call the Attribute Provider (AP), provides a signed certificate that the the user possesses some attribute (e.g. is over 18). This certificate is stored as an attribute at the user's OP, and other RPs can request this certificate when they want to verify attributes of the user. For the implementation, we have followed the OpenID Signed Assertions draft: http://www.mail-archive.com/specs@openid.net/msg00907.html The Signed Assertions Draft did not specify how signed assertions are stored at the OP, so we adopted the following scheme: Attribute: http://X Certificate: http://X/signature This enables RPs that don't care about certificates to completely ignore them. Assertions are SAML documents as specified in the OpenID Signed Assertions old draft. We are developing a demo application in which a university issues certificates verifying students' age, student-hood, and even their photo (also potentially useful to dating sites). So basically the university acts as an attribute provider, signing assertions about user claims. These claims are stored as an attribute in the OpenId provider and we can use the OpenID AX protocol to pass assertions as attributes. The data flow is: User requests assertion --- University(Attribute provider) --- (store request) --- Openid provider Relying Party(Dating site) --- (fetch request) --- OpenID Provider The RP gets the assertion, verifies the signature, and takes actions depending on the result. In some scenarios, the RP may deny the user request if the attribute verification fails (e.g. the dating site may forbid users under 18). In other scenarios the RP may treat them differently (e.g. the dating site could tag certified photos as "Verified Photo"). Note that the RP must have some sort of trust relationship with the AP. We've tried to keep the system as open as possible. Our protocol and implementation do not specify how this trust relationship is created or managed. For example, there could be a PKI specifically set up for verifying claims about student-hood, another trust system set up for verifying claims about age, etc. Santosh Subramanian Shishir Randive Michael Hart Rob Johnson
author: tailor <subra.santosh@gmail.com> 2008-11-14 22:07:59 +0000
committer: tailor <subra.santosh@gmail.com> 2008-11-14 22:07:59 +0000
commit: 9a88f5a0864d37457a2266745a1cbdde2b070ace (patch)
tree: 7b21ee7d3ab8b1b3378fd7549c50ef0e7f39a966 /Auth/OpenID/SAML.php
parent: 7607004a3efab0b0213a51a84114de38d93b0543 (diff)
download: php-openid-9a88f5a0864d37457a2266745a1cbdde2b070ace.zip
php-openid-9a88f5a0864d37457a2266745a1cbdde2b070ace.tar.gz
php-openid-9a88f5a0864d37457a2266745a1cbdde2b070ace.tar.bz2
1 files changed, 220 insertions, 0 deletions
diff --git a/Auth/OpenID/SAML.php b/Auth/OpenID/SAML.php
new file mode 100644
index 0000000..fa6df51
--- /dev/null
+++ b/Auth/OpenID/SAML.php
@@ -0,0 +1,220 @@
+<?php
+/**
+ ** PHP versions 4 and 5
+ **
+ ** LICENSE: See the COPYING file included in this distribution.
+ **
+ ** @package OpenID
+ ** @author Santosh Subramanian <subrasan@cs.sunysb.edu>
+ ** @author Shishir Randive <srandive@cs.sunysb.edu>
+ ** Stony Brook University.
+ ** largely derived from 
+ **
+ * Copyright (C) 2007 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+class SAML{
+   private $assertionTemplate=null;
+   /**
+    * Returns a SAML response with various elements filled in.
+    * @param string $authenticatedUser The OpenId of the user 
+    * @param string $notBefore The ISO 8601 formatted date before which the 
+    response is invalid
+    * @param string $notOnOrAfter The ISO 8601 formatted data after which the 
+    response is invalid
+    * @param string $rsadsa 'rsa' if the response will be signed with RSA keys, 
+    'dsa' for DSA keys
+    * @param string $requestID The ID of the request we're responding to
+    * @param string $destination The ACS URL that the response is submitted to
+    * @return string XML SAML response.
+    */
+   function createSamlAssertion($authenticatedUser, $notBefore, $notOnOrAfter, $rsadsa, $acsURI,$attribute,$value,$assertionTemplate)
+   {
+      $samlResponse = $assertionTemplate;
+      $samlResponse = str_replace('USERNAME_STRING', $authenticatedUser, $samlResponse); 
+      $samlResponse = str_replace('RESPONSE_ID', $this->samlCreateId(), $samlResponse);
+      $samlResponse = str_replace('ISSUE_INSTANT', $this->samlGetDateTime(time()), $samlResponse);
+      $samlResponse = str_replace('NOT_BEFORE', $this->samlGetDateTime(strtotime($notBefore)), $samlResponse);
+      $samlResponse = str_replace('NOT_ON_OR_AFTER', $this->samlGetDateTime(strtotime($notOnOrAfter)),$samlResponse);
+      $samlResponse = str_replace('ASSERTION_ID',$this->samlCreateId(), $samlResponse);
+      $samlResponse = str_replace('RSADSA', strtolower($rsadsa), $samlResponse);
+      $samlResponse = str_replace('ISSUER_DOMAIN', $acsURI, $samlResponse);
+      $samlResponse = str_replace('ATTRIBUTE_NAME', $attribute, $samlResponse);
+      $samlResponse = str_replace('ATTRIBUTE_VALUE', $value, $samlResponse);
+      return $samlResponse;
+   }
+
+   /**
+    * Signs a SAML response with the given private key, and embeds the public key.
+    * @param string $responseXmlString The unsigned Assertion which will be signed 
+    * @param string $priKey Private key to sign the certificate 
+    * @param string $cert Public key certificate of signee
+    * @return string Signed Assertion 
+    */
+   function signAssertion($responseXmlString,$privKey,$cert) 
+   {
+      if (file_exists("/tmp/xml")) {
+         $tempFileDir="/tmp/xml/";          
+      
+      } else {
+             mkdir("/tmp/xml",0777);   
+         $tempFileDir="/tmp/xml/";
+      }
+      $tempName = 'saml-response-' . $this->samlCreateId() . '.xml';
+      $tempFileName=$tempFileDir.$tempName;
+      while (file_exists($tempFileName)) 
+         $tempFileName = 'saml-response-' . $this->samlCreateId() . '.xml';
+
+      if (!$handle = fopen($tempFileName, 'w')) {
+         return null;
+      }
+      if (fwrite($handle, $responseXmlString) === false) {
+         return null;
+      }
+      fclose($handle);
+      $cmd = 'xmlsec1 --sign --privkey-pem ' . $privKey . 
+         ',' . $cert . ' --output ' . $tempFileName . 
+         '.out ' . $tempFileName;
+      exec($cmd, $resp);
+      unlink($tempFileName);
+
+      $xmlResult = @file_get_contents($tempFileName . '.out');
+      if (!$xmlResult) { 
+         return null;
+      } else {
+         unlink($tempFileName . '.out');
+         return $xmlResult;
+      }
+   }
+
+
+   /**
+    * Verify a saml response with the given public key.
+    * @param string $responseXmlString Response to sign
+    * @param string $rootcert trusted public key certificate
+    * @return string Signed SAML response
+    */
+   function verifyAssertion($responseXmlString,$rootcert) 
+   {
+      date_default_timezone_set("UTC");
+      if (file_exists("/tmp/xml")) {
+         $tempFileDir="/tmp/xml/";          
+      
+      } else {
+             mkdir("/tmp/xml",0777);   
+         $tempFileDir="/tmp/xml/";
+      }
+      
+      $tempName = 'saml-response-' . $this->samlCreateId() . '.xml';
+      $tempFileName=$tempFileDir.$tempName;
+      while (file_exists($tempFileName)) 
+         $tempFileName = 'saml-response-' . $this->samlCreateId() . '.xml';
+
+      if (!$handle = fopen($tempFileName, 'w')) {
+         return false;
+      }
+
+      if (fwrite($handle, $responseXmlString) === false) {
+         return false;
+      }
+
+      $p=xml_parser_create();
+      $result=xml_parse_into_struct($p,$responseXmlString,$vals,$index);
+      xml_parser_free($p);
+      $cert_info=$index["X509CERTIFICATE"];
+      $conditions=$index["CONDITIONS"];
+      foreach($cert_info as $key=>$value){
+         file_put_contents($tempFileName.'.cert',$vals[$value]['value']);
+      }
+      $cert=$tempFileName.'.cert';
+      $before=0;
+      $after=0;
+      foreach($conditions as $key=>$value){
+         $before=$vals[$value]['attributes']['NOTBEFORE'];
+         $after=$vals[$value]['attributes']['NOTONORAFTER'];
+      }
+      $before=$this->validSamlDateFormat($before);
+      $after=$this->validSamlDateFormat($after);
+      if(strtotime("now") < $before || strtotime("now") >= $after){
+         unlink($tempFileName);
+         unlink($cert);
+         return false;
+      }
+      fclose($handle);
+      $cmd = 'xmlsec1 --verify --pubkey-cert ' . $cert .'--trusted '.$rootcert. ' '.$tempFileName.'* 2>&1 1>/dev/null';
+      exec($cmd,$resp);
+      if(strcmp($resp[0],"FAIL") == 0){
+         $value = false;
+      }elseif(strcmp($resp[0],"ERROR") == 0){
+         $value = false;
+      }elseif(strcmp($resp[0],"OK") == 0){
+         $value = TRUE;
+      }
+      unlink($tempFileName);
+      unlink($cert);
+      return $value;
+   }
+
+   /**
+    * Creates a 40-character string containing 160-bits of pseudorandomness.
+    * @return string Containing pseudorandomness of 160 bits
+    */
+
+   function samlCreateId() 
+   {
+      $rndChars = 'abcdefghijklmnop';
+      $rndId = '';
+      for ($i = 0; $i < 40; $i++ ) {
+         $rndId .= $rndChars[rand(0,strlen($rndChars)-1)];
+      }
+      return $rndId;
+   }
+
+   /**
+    * Returns a unix timestamp in xsd:dateTime format.
+    * @param timestamp int UNIX Timestamp to convert to xsd:dateTime 
+    * ISO 8601 format.
+    * @return string
+    */
+   function samlGetDateTime($timestamp) 
+   {
+      return gmdate('Y-m-d\TH:i:s\Z', $timestamp);
+   }
+   /**
+    * Attempts to check whether a SAML date is valid.  Returns true or false.
+    * @param string $samlDate
+    * @return bool
+    */
+
+   function validSamlDateFormat($samlDate) 
+   {
+      if ($samlDate == "") return false;
+      $indexT = strpos($samlDate, 'T');
+      $indexZ = strpos($samlDate, 'Z');
+      if (($indexT != 10) || ($indexZ != 19)) {
+         return false;
+      }
+      $dateString = substr($samlDate, 0, 10);
+      $timeString = substr($samlDate, $indexT + 1, 8);
+      list($year, $month, $day) = explode('-', $dateString);
+      list($hour, $minute, $second) = explode(':', $timeString);
+      $parsedDate = gmmktime($hour, $minute, $second, $month, $day, $year);
+      if (($parsedDate === false) || ($parsedDate == -1)) return false;
+      if (!checkdate($month, $day, $year)) return false;
+      return $parsedDate;
+   }
+
+}
+?>
author	tailor <subra.santosh@gmail.com>	2008-11-14 22:07:59 +0000
committer	tailor <subra.santosh@gmail.com>	2008-11-14 22:07:59 +0000
commit	9a88f5a0864d37457a2266745a1cbdde2b070ace (patch)
tree	7b21ee7d3ab8b1b3378fd7549c50ef0e7f39a966 /Auth/OpenID/SAML.php
parent	7607004a3efab0b0213a51a84114de38d93b0543 (diff)
download	php-openid-9a88f5a0864d37457a2266745a1cbdde2b070ace.zip php-openid-9a88f5a0864d37457a2266745a1cbdde2b070ace.tar.gz php-openid-9a88f5a0864d37457a2266745a1cbdde2b070ace.tar.bz2