diff options
| author | tailor <subra.santosh@gmail.com> | 2008-11-14 22:07:59 +0000 |
|---|---|---|
| committer | tailor <subra.santosh@gmail.com> | 2008-11-14 22:07:59 +0000 |
| commit | 9a88f5a0864d37457a2266745a1cbdde2b070ace (patch) | |
| tree | 7b21ee7d3ab8b1b3378fd7549c50ef0e7f39a966 /Auth/OpenID | |
| parent | 7607004a3efab0b0213a51a84114de38d93b0543 (diff) | |
| download | php-openid-9a88f5a0864d37457a2266745a1cbdde2b070ace.zip php-openid-9a88f5a0864d37457a2266745a1cbdde2b070ace.tar.gz php-openid-9a88f5a0864d37457a2266745a1cbdde2b070ace.tar.bz2 | |
[project @ OpenID Signed Assertions(Implementation of old sxip draft)]
In our solution, one party, which we call the Attribute Provider (AP), provides
a signed certificate that the the user possesses some attribute (e.g. is over 18). This certificate is stored as an attribute at the user's OP, and other RPs can request this certificate when they want to verify attributes of the user.
For the implementation, we have followed the OpenID Signed Assertions
draft: http://www.mail-archive.com/specs@openid.net/msg00907.html
The Signed Assertions Draft did not specify how signed assertions are
stored at the OP, so we adopted the following scheme:
Attribute: http://X
Certificate: http://X/signature
This enables RPs that don't care about certificates to completely ignore them. Assertions are SAML documents as specified in the OpenID Signed
Assertions old draft.
We are developing a demo application in which a university issues certificates verifying students' age, student-hood, and even their photo (also potentially useful to dating sites). So basically the university acts as an attribute provider, signing assertions about user claims. These claims are stored as an attribute in the OpenId provider and we can use the OpenID AX protocol to pass assertions as attributes. The data flow is:
User requests assertion --- University(Attribute provider)
--- (store request)
--- Openid provider
Relying Party(Dating site) --- (fetch request) --- OpenID Provider
The RP gets the assertion, verifies the signature, and takes actions depending on the result. In some scenarios, the RP may deny the user request if the attribute verification fails (e.g. the dating site may forbid users under 18). In other scenarios the RP may treat them differently (e.g. the dating site could tag certified photos as "Verified Photo").
Note that the RP must have some sort of trust relationship with the AP. We've tried to keep the system as open as possible. Our protocol and implementation do not specify how this trust relationship is created or managed. For example, there could be a PKI specifically set up for verifying claims about student-hood, another trust system set up for verifying claims about age, etc.
Santosh Subramanian
Shishir Randive
Michael Hart
Rob Johnson
Diffstat (limited to 'Auth/OpenID')
| -rw-r--r-- | Auth/OpenID/AP.php | 180 | ||||
| -rw-r--r-- | Auth/OpenID/SAML.php | 220 |
2 files changed, 400 insertions, 0 deletions
diff --git a/Auth/OpenID/AP.php b/Auth/OpenID/AP.php new file mode 100644 index 0000000..a242650 --- /dev/null +++ b/Auth/OpenID/AP.php @@ -0,0 +1,180 @@ +<?php + +/** + * Introduces the notion of an Attribute Provider that attests and signs + * attributes + * Uses OpenID Signed Assertions(Sxip draft) for attesting attributes + * PHP versions 4 and 5 + * + * LICENSE: See the COPYING file included in this distribution. + * + * @package OpenID + * @author Santosh Subramanian <subrasan@cs.sunysb.edu> + * @author Shishir Randive <srandive@cs.sunysb.edu> + * Stony Brook University. + * + */ +require_once 'Auth/OpenID/SAML.php'; +/** + * The Attribute_Provider class which signs the attribute,value pair + * for a given openid. + */ +class Attribute_Provider +{ + private $public_key_certificate=null; + private $private_key=null; + private $authenticatedUser=null; + private $notBefore=null; + private $notOnOrAfter=null; + private $rsadsa=null; + private $acsURI=null; + private $attribute=null; + private $value=null; + private $assertionTemplate=null; + /** + * Creates an Attribute_Provider object initialized with startup values. + * @param string $public_key_certificate - The public key certificate + of the signer. + * @param string $private_key - The private key of the signer. + * @param string $notBefore - Certificate validity time + * @param string $notOnOrAfter - Certificate validity time + * @param string $rsadsa - Choice of the algorithm (RSA/DSA) + * @param string $acsURI - URI of the signer. + * @param string $assertionTemplate - SAML template used for assertion + */ + function Attribute_Provider($public_key_certificate,$private_key,$notBefore,$notOnOrAfter,$rsadsa,$acsURI, + $assertionTemplate) + { + $this->public_key_certificate=$public_key_certificate; + $this->private_key=$private_key; + $this->notBefore=$notBefore; + $this->notOnOrAfter=$notOnOrAfter; + $this->rsadsa=$rsadsa; + $this->acsURI=$acsURI; + $this->assertionTemplate=$assertionTemplate; + } + /** + * Create the signed assertion. + * @param string $openid - Openid of the entity being asserted. + * @param string $attribute - The attribute name being asserted. + * @param string $value - The attribute value being asserted. + */ + function sign($openid,$attribute,$value) + { + $samlObj = new SAML(); + $responseXmlString = $samlObj->createSamlAssertion($openid, + $this->notBefore, + $this->notOnOrAfter, + $this->rsadsa, + $this->acsURI, + $attribute, + sha1($value), + $this->assertionTemplate); + $signedAssertion=$samlObj->signAssertion($responseXmlString, + $this->private_key, + $this->public_key_certificate); + return $signedAssertion; + } +} +/** + * The Attribute_Verifier class which verifies the signed assertion at the Relying party. + */ +class Attribute_Verifier +{ + /** + * The certificate the Relying party trusts. + */ + private $rootcert; + /** + * This function loads the public key certificate that the relying party trusts. + * @param string $cert - Trusted public key certificate. + */ + function load_trusted_root_cert($cert) + { + $this->rootcert=$cert; + } + /** + * Verifies the certificate given the SAML document. + * @param string - signed SAML assertion + * return @boolean - true if verification is successful, false if unsuccessful. + */ + function verify($responseXmlString) + { + $samlObj = new SAML(); + $ret = $samlObj->verifyAssertion($responseXmlString,$this->rootcert); + return $ret; + } +} + +/** + * This is a Store Request creating class at the Attribute Provider. + */ +class AP_OP_StoreRequest +{ + /** + * Creates store request and adds it as an extension to AuthRequest object + passed to it. + * @param &Auth_OpenID_AuthRequest &$auth_request - A reference to + the AuthRequest object. + * @param &Attribute_Provider &$attributeProvider - A reference to the + Attribute Provider object. + * @param string $attribute - The attribute name being asserted. + * @param string $value - The attribute value being asserted. + * @param string $openid - Openid of the entity being asserted. + * @return &Auth_OpenID_AuthRequest - Auth_OpenID_AuthRequest object + returned with StoreRequest extension. + */ + static function createStoreRequest(&$auth_request,&$attributeProvider, + $attribute,$value,$openid) + { + if(!$auth_request){ + return null; + } + $signedAssertion=$attributeProvider->sign($openid,$attribute,$value); + $store_request=new Auth_OpenID_AX_StoreRequest; + $store_request->addValue($attribute,base64_encode($value)); + $store_request->addValue($attribute.'/signature', + base64_encode($signedAssertion)); + if($store_request) { + $auth_request->addExtension($store_request); + return $auth_request; + } + } +} + +/* + *This is implemented at the RP Takes care of getting the attribute from the + *AX_Fetch_Response object and verifying it. + */ +class RP_OP_Verify +{ + /** + * Verifies a given signed assertion. + * @param &Attribute_Verifier &$attributeVerifier - An instance of the class + passed for the verification. + * @param Auth_OpenID_Response - Response object for extraction. + * @return boolean - true if successful, false if verification fails. + */ + function verifyAssertion(&$attributeVerifier,$response) + { + $ax_resp=Auth_OpenID_AX_FetchResponse::fromSuccessResponse($response); + if($ax_resp instanceof Auth_OpenID_AX_FetchResponse){ + $ax_args=$ax_resp->getExtensionArgs(); + if($ax_args) { + $value=base64_decode($ax_args['value.ext1.1']); + if($attributeVerifier->verify($value)){ + return base64_decode($ax_args['value.ext0.1']); + } else { + return null; + } + } else { + return null; + } + } else { + return null; + } + } +} + + +?> diff --git a/Auth/OpenID/SAML.php b/Auth/OpenID/SAML.php new file mode 100644 index 0000000..fa6df51 --- /dev/null +++ b/Auth/OpenID/SAML.php @@ -0,0 +1,220 @@ +<?php +/** + ** PHP versions 4 and 5 + ** + ** LICENSE: See the COPYING file included in this distribution. + ** + ** @package OpenID + ** @author Santosh Subramanian <subrasan@cs.sunysb.edu> + ** @author Shishir Randive <srandive@cs.sunysb.edu> + ** Stony Brook University. + ** largely derived from + ** + * Copyright (C) 2007 Google Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + **/ + +class SAML{ + private $assertionTemplate=null; + /** + * Returns a SAML response with various elements filled in. + * @param string $authenticatedUser The OpenId of the user + * @param string $notBefore The ISO 8601 formatted date before which the + response is invalid + * @param string $notOnOrAfter The ISO 8601 formatted data after which the + response is invalid + * @param string $rsadsa 'rsa' if the response will be signed with RSA keys, + 'dsa' for DSA keys + * @param string $requestID The ID of the request we're responding to + * @param string $destination The ACS URL that the response is submitted to + * @return string XML SAML response. + */ + function createSamlAssertion($authenticatedUser, $notBefore, $notOnOrAfter, $rsadsa, $acsURI,$attribute,$value,$assertionTemplate) + { + $samlResponse = $assertionTemplate; + $samlResponse = str_replace('USERNAME_STRING', $authenticatedUser, $samlResponse); + $samlResponse = str_replace('RESPONSE_ID', $this->samlCreateId(), $samlResponse); + $samlResponse = str_replace('ISSUE_INSTANT', $this->samlGetDateTime(time()), $samlResponse); + $samlResponse = str_replace('NOT_BEFORE', $this->samlGetDateTime(strtotime($notBefore)), $samlResponse); + $samlResponse = str_replace('NOT_ON_OR_AFTER', $this->samlGetDateTime(strtotime($notOnOrAfter)),$samlResponse); + $samlResponse = str_replace('ASSERTION_ID',$this->samlCreateId(), $samlResponse); + $samlResponse = str_replace('RSADSA', strtolower($rsadsa), $samlResponse); + $samlResponse = str_replace('ISSUER_DOMAIN', $acsURI, $samlResponse); + $samlResponse = str_replace('ATTRIBUTE_NAME', $attribute, $samlResponse); + $samlResponse = str_replace('ATTRIBUTE_VALUE', $value, $samlResponse); + return $samlResponse; + } + + /** + * Signs a SAML response with the given private key, and embeds the public key. + * @param string $responseXmlString The unsigned Assertion which will be signed + * @param string $priKey Private key to sign the certificate + * @param string $cert Public key certificate of signee + * @return string Signed Assertion + */ + function signAssertion($responseXmlString,$privKey,$cert) + { + if (file_exists("/tmp/xml")) { + $tempFileDir="/tmp/xml/"; + + } else { + mkdir("/tmp/xml",0777); + $tempFileDir="/tmp/xml/"; + } + $tempName = 'saml-response-' . $this->samlCreateId() . '.xml'; + $tempFileName=$tempFileDir.$tempName; + while (file_exists($tempFileName)) + $tempFileName = 'saml-response-' . $this->samlCreateId() . '.xml'; + + if (!$handle = fopen($tempFileName, 'w')) { + return null; + } + if (fwrite($handle, $responseXmlString) === false) { + return null; + } + fclose($handle); + $cmd = 'xmlsec1 --sign --privkey-pem ' . $privKey . + ',' . $cert . ' --output ' . $tempFileName . + '.out ' . $tempFileName; + exec($cmd, $resp); + unlink($tempFileName); + + $xmlResult = @file_get_contents($tempFileName . '.out'); + if (!$xmlResult) { + return null; + } else { + unlink($tempFileName . '.out'); + return $xmlResult; + } + } + + + /** + * Verify a saml response with the given public key. + * @param string $responseXmlString Response to sign + * @param string $rootcert trusted public key certificate + * @return string Signed SAML response + */ + function verifyAssertion($responseXmlString,$rootcert) + { + date_default_timezone_set("UTC"); + if (file_exists("/tmp/xml")) { + $tempFileDir="/tmp/xml/"; + + } else { + mkdir("/tmp/xml",0777); + $tempFileDir="/tmp/xml/"; + } + + $tempName = 'saml-response-' . $this->samlCreateId() . '.xml'; + $tempFileName=$tempFileDir.$tempName; + while (file_exists($tempFileName)) + $tempFileName = 'saml-response-' . $this->samlCreateId() . '.xml'; + + if (!$handle = fopen($tempFileName, 'w')) { + return false; + } + + if (fwrite($handle, $responseXmlString) === false) { + return false; + } + + $p=xml_parser_create(); + $result=xml_parse_into_struct($p,$responseXmlString,$vals,$index); + xml_parser_free($p); + $cert_info=$index["X509CERTIFICATE"]; + $conditions=$index["CONDITIONS"]; + foreach($cert_info as $key=>$value){ + file_put_contents($tempFileName.'.cert',$vals[$value]['value']); + } + $cert=$tempFileName.'.cert'; + $before=0; + $after=0; + foreach($conditions as $key=>$value){ + $before=$vals[$value]['attributes']['NOTBEFORE']; + $after=$vals[$value]['attributes']['NOTONORAFTER']; + } + $before=$this->validSamlDateFormat($before); + $after=$this->validSamlDateFormat($after); + if(strtotime("now") < $before || strtotime("now") >= $after){ + unlink($tempFileName); + unlink($cert); + return false; + } + fclose($handle); + $cmd = 'xmlsec1 --verify --pubkey-cert ' . $cert .'--trusted '.$rootcert. ' '.$tempFileName.'* 2>&1 1>/dev/null'; + exec($cmd,$resp); + if(strcmp($resp[0],"FAIL") == 0){ + $value = false; + }elseif(strcmp($resp[0],"ERROR") == 0){ + $value = false; + }elseif(strcmp($resp[0],"OK") == 0){ + $value = TRUE; + } + unlink($tempFileName); + unlink($cert); + return $value; + } + + /** + * Creates a 40-character string containing 160-bits of pseudorandomness. + * @return string Containing pseudorandomness of 160 bits + */ + + function samlCreateId() + { + $rndChars = 'abcdefghijklmnop'; + $rndId = ''; + for ($i = 0; $i < 40; $i++ ) { + $rndId .= $rndChars[rand(0,strlen($rndChars)-1)]; + } + return $rndId; + } + + /** + * Returns a unix timestamp in xsd:dateTime format. + * @param timestamp int UNIX Timestamp to convert to xsd:dateTime + * ISO 8601 format. + * @return string + */ + function samlGetDateTime($timestamp) + { + return gmdate('Y-m-d\TH:i:s\Z', $timestamp); + } + /** + * Attempts to check whether a SAML date is valid. Returns true or false. + * @param string $samlDate + * @return bool + */ + + function validSamlDateFormat($samlDate) + { + if ($samlDate == "") return false; + $indexT = strpos($samlDate, 'T'); + $indexZ = strpos($samlDate, 'Z'); + if (($indexT != 10) || ($indexZ != 19)) { + return false; + } + $dateString = substr($samlDate, 0, 10); + $timeString = substr($samlDate, $indexT + 1, 8); + list($year, $month, $day) = explode('-', $dateString); + list($hour, $minute, $second) = explode(':', $timeString); + $parsedDate = gmmktime($hour, $minute, $second, $month, $day, $year); + if (($parsedDate === false) || ($parsedDate == -1)) return false; + if (!checkdate($month, $day, $year)) return false; + return $parsedDate; + } + +} +?> |