Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse code

[project @ OpenID Signed Assertions(Implementation of old sxip draft)]

  In our solution, one party, which we call the Attribute Provider (AP), provides
a signed certificate that the the user possesses some attribute (e.g. is over 18).  This certificate is stored as an attribute at the user's OP, and other RPs can request this certificate when they want to verify attributes of the user.
For the implementation, we have followed the OpenID Signed Assertions
draft: http://www.mail-archive.com/specs@openid.net/msg00907.html

The Signed Assertions Draft did not specify how signed assertions are
stored at the OP, so we adopted the following scheme:
 Attribute:    http://X
 Certificate:  http://X/signature
This enables RPs that don't care about certificates to completely ignore them.  Assertions are SAML documents as specified in the OpenID Signed
Assertions old draft.
We are developing a demo application in which a university issues certificates verifying students' age, student-hood, and even their photo (also potentially useful to dating sites).  So basically the university acts as an attribute provider, signing assertions about user claims. These claims are stored as an attribute in the OpenId provider and we can use the OpenID AX protocol to pass assertions as attributes.  The data flow is:
   User requests assertion --- University(Attribute provider)
                           --- (store request)
                           --- Openid provider
   Relying Party(Dating site) --- (fetch request) --- OpenID Provider
The RP gets the assertion, verifies the signature, and takes actions depending on the result.  In some scenarios, the RP may deny the user request if the attribute verification fails (e.g. the dating site may forbid users under 18).  In other scenarios the RP may treat them differently (e.g. the dating site could tag certified photos as "Verified Photo").
Note that the RP must have some sort of trust relationship with the AP.  We've tried to keep the system as open as possible.  Our protocol and implementation do not specify how this trust relationship is created or managed.  For example, there could be a PKI specifically set up for verifying claims about student-hood, another trust system set up for verifying claims about age, etc.
 
Santosh Subramanian
Shishir Randive
Michael Hart
Rob Johnson
  • Loading branch information...
commit 9a88f5a0864d37457a2266745a1cbdde2b070ace 1 parent 7607004
subrasan subrasan authored

Showing 2 changed files with 400 additions and 0 deletions. Show diff stats Hide diff stats

  1. +180 0 Auth/OpenID/AP.php
  2. +220 0 Auth/OpenID/SAML.php
180 Auth/OpenID/AP.php
... ... @@ -0,0 +1,180 @@
  1 +<?php
  2 +
  3 +/**
  4 + * Introduces the notion of an Attribute Provider that attests and signs
  5 + * attributes
  6 + * Uses OpenID Signed Assertions(Sxip draft) for attesting attributes
  7 + * PHP versions 4 and 5
  8 + *
  9 + * LICENSE: See the COPYING file included in this distribution.
  10 + *
  11 + * @package OpenID
  12 + * @author Santosh Subramanian <subrasan@cs.sunysb.edu>
  13 + * @author Shishir Randive <srandive@cs.sunysb.edu>
  14 + * Stony Brook University.
  15 + *
  16 + */
  17 +require_once 'Auth/OpenID/SAML.php';
  18 +/**
  19 + * The Attribute_Provider class which signs the attribute,value pair
  20 + * for a given openid.
  21 + */
  22 +class Attribute_Provider
  23 +{
  24 + private $public_key_certificate=null;
  25 + private $private_key=null;
  26 + private $authenticatedUser=null;
  27 + private $notBefore=null;
  28 + private $notOnOrAfter=null;
  29 + private $rsadsa=null;
  30 + private $acsURI=null;
  31 + private $attribute=null;
  32 + private $value=null;
  33 + private $assertionTemplate=null;
  34 + /**
  35 + * Creates an Attribute_Provider object initialized with startup values.
  36 + * @param string $public_key_certificate - The public key certificate
  37 + of the signer.
  38 + * @param string $private_key - The private key of the signer.
  39 + * @param string $notBefore - Certificate validity time
  40 + * @param string $notOnOrAfter - Certificate validity time
  41 + * @param string $rsadsa - Choice of the algorithm (RSA/DSA)
  42 + * @param string $acsURI - URI of the signer.
  43 + * @param string $assertionTemplate - SAML template used for assertion
  44 + */
  45 + function Attribute_Provider($public_key_certificate,$private_key,$notBefore,$notOnOrAfter,$rsadsa,$acsURI,
  46 + $assertionTemplate)
  47 + {
  48 + $this->public_key_certificate=$public_key_certificate;
  49 + $this->private_key=$private_key;
  50 + $this->notBefore=$notBefore;
  51 + $this->notOnOrAfter=$notOnOrAfter;
  52 + $this->rsadsa=$rsadsa;
  53 + $this->acsURI=$acsURI;
  54 + $this->assertionTemplate=$assertionTemplate;
  55 + }
  56 + /**
  57 + * Create the signed assertion.
  58 + * @param string $openid - Openid of the entity being asserted.
  59 + * @param string $attribute - The attribute name being asserted.
  60 + * @param string $value - The attribute value being asserted.
  61 + */
  62 + function sign($openid,$attribute,$value)
  63 + {
  64 + $samlObj = new SAML();
  65 + $responseXmlString = $samlObj->createSamlAssertion($openid,
  66 + $this->notBefore,
  67 + $this->notOnOrAfter,
  68 + $this->rsadsa,
  69 + $this->acsURI,
  70 + $attribute,
  71 + sha1($value),
  72 + $this->assertionTemplate);
  73 + $signedAssertion=$samlObj->signAssertion($responseXmlString,
  74 + $this->private_key,
  75 + $this->public_key_certificate);
  76 + return $signedAssertion;
  77 + }
  78 +}
  79 +/**
  80 + * The Attribute_Verifier class which verifies the signed assertion at the Relying party.
  81 + */
  82 +class Attribute_Verifier
  83 +{
  84 + /**
  85 + * The certificate the Relying party trusts.
  86 + */
  87 + private $rootcert;
  88 + /**
  89 + * This function loads the public key certificate that the relying party trusts.
  90 + * @param string $cert - Trusted public key certificate.
  91 + */
  92 + function load_trusted_root_cert($cert)
  93 + {
  94 + $this->rootcert=$cert;
  95 + }
  96 + /**
  97 + * Verifies the certificate given the SAML document.
  98 + * @param string - signed SAML assertion
  99 + * return @boolean - true if verification is successful, false if unsuccessful.
  100 + */
  101 + function verify($responseXmlString)
  102 + {
  103 + $samlObj = new SAML();
  104 + $ret = $samlObj->verifyAssertion($responseXmlString,$this->rootcert);
  105 + return $ret;
  106 + }
  107 +}
  108 +
  109 +/**
  110 + * This is a Store Request creating class at the Attribute Provider.
  111 + */
  112 +class AP_OP_StoreRequest
  113 +{
  114 + /**
  115 + * Creates store request and adds it as an extension to AuthRequest object
  116 + passed to it.
  117 + * @param &Auth_OpenID_AuthRequest &$auth_request - A reference to
  118 + the AuthRequest object.
  119 + * @param &Attribute_Provider &$attributeProvider - A reference to the
  120 + Attribute Provider object.
  121 + * @param string $attribute - The attribute name being asserted.
  122 + * @param string $value - The attribute value being asserted.
  123 + * @param string $openid - Openid of the entity being asserted.
  124 + * @return &Auth_OpenID_AuthRequest - Auth_OpenID_AuthRequest object
  125 + returned with StoreRequest extension.
  126 + */
  127 + static function createStoreRequest(&$auth_request,&$attributeProvider,
  128 + $attribute,$value,$openid)
  129 + {
  130 + if(!$auth_request){
  131 + return null;
  132 + }
  133 + $signedAssertion=$attributeProvider->sign($openid,$attribute,$value);
  134 + $store_request=new Auth_OpenID_AX_StoreRequest;
  135 + $store_request->addValue($attribute,base64_encode($value));
  136 + $store_request->addValue($attribute.'/signature',
  137 + base64_encode($signedAssertion));
  138 + if($store_request) {
  139 + $auth_request->addExtension($store_request);
  140 + return $auth_request;
  141 + }
  142 + }
  143 +}
  144 +
  145 +/*
  146 + *This is implemented at the RP Takes care of getting the attribute from the
  147 + *AX_Fetch_Response object and verifying it.
  148 + */
  149 +class RP_OP_Verify
  150 +{
  151 + /**
  152 + * Verifies a given signed assertion.
  153 + * @param &Attribute_Verifier &$attributeVerifier - An instance of the class
  154 + passed for the verification.
  155 + * @param Auth_OpenID_Response - Response object for extraction.
  156 + * @return boolean - true if successful, false if verification fails.
  157 + */
  158 + function verifyAssertion(&$attributeVerifier,$response)
  159 + {
  160 + $ax_resp=Auth_OpenID_AX_FetchResponse::fromSuccessResponse($response);
  161 + if($ax_resp instanceof Auth_OpenID_AX_FetchResponse){
  162 + $ax_args=$ax_resp->getExtensionArgs();
  163 + if($ax_args) {
  164 + $value=base64_decode($ax_args['value.ext1.1']);
  165 + if($attributeVerifier->verify($value)){
  166 + return base64_decode($ax_args['value.ext0.1']);
  167 + } else {
  168 + return null;
  169 + }
  170 + } else {
  171 + return null;
  172 + }
  173 + } else {
  174 + return null;
  175 + }
  176 + }
  177 +}
  178 +
  179 +
  180 +?>
220 Auth/OpenID/SAML.php
... ... @@ -0,0 +1,220 @@
  1 +<?php
  2 +/**
  3 + ** PHP versions 4 and 5
  4 + **
  5 + ** LICENSE: See the COPYING file included in this distribution.
  6 + **
  7 + ** @package OpenID
  8 + ** @author Santosh Subramanian <subrasan@cs.sunysb.edu>
  9 + ** @author Shishir Randive <srandive@cs.sunysb.edu>
  10 + ** Stony Brook University.
  11 + ** largely derived from
  12 + **
  13 + * Copyright (C) 2007 Google Inc.
  14 + *
  15 + * Licensed under the Apache License, Version 2.0 (the "License");
  16 + * you may not use this file except in compliance with the License.
  17 + * You may obtain a copy of the License at
  18 + *
  19 + * http://www.apache.org/licenses/LICENSE-2.0
  20 + *
  21 + * Unless required by applicable law or agreed to in writing, software
  22 + * distributed under the License is distributed on an "AS IS" BASIS,
  23 + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  24 + * See the License for the specific language governing permissions and
  25 + * limitations under the License.
  26 + **/
  27 +
  28 +class SAML{
  29 + private $assertionTemplate=null;
  30 + /**
  31 + * Returns a SAML response with various elements filled in.
  32 + * @param string $authenticatedUser The OpenId of the user
  33 + * @param string $notBefore The ISO 8601 formatted date before which the
  34 + response is invalid
  35 + * @param string $notOnOrAfter The ISO 8601 formatted data after which the
  36 + response is invalid
  37 + * @param string $rsadsa 'rsa' if the response will be signed with RSA keys,
  38 + 'dsa' for DSA keys
  39 + * @param string $requestID The ID of the request we're responding to
  40 + * @param string $destination The ACS URL that the response is submitted to
  41 + * @return string XML SAML response.
  42 + */
  43 + function createSamlAssertion($authenticatedUser, $notBefore, $notOnOrAfter, $rsadsa, $acsURI,$attribute,$value,$assertionTemplate)
  44 + {
  45 + $samlResponse = $assertionTemplate;
  46 + $samlResponse = str_replace('USERNAME_STRING', $authenticatedUser, $samlResponse);
  47 + $samlResponse = str_replace('RESPONSE_ID', $this->samlCreateId(), $samlResponse);
  48 + $samlResponse = str_replace('ISSUE_INSTANT', $this->samlGetDateTime(time()), $samlResponse);
  49 + $samlResponse = str_replace('NOT_BEFORE', $this->samlGetDateTime(strtotime($notBefore)), $samlResponse);
  50 + $samlResponse = str_replace('NOT_ON_OR_AFTER', $this->samlGetDateTime(strtotime($notOnOrAfter)),$samlResponse);
  51 + $samlResponse = str_replace('ASSERTION_ID',$this->samlCreateId(), $samlResponse);
  52 + $samlResponse = str_replace('RSADSA', strtolower($rsadsa), $samlResponse);
  53 + $samlResponse = str_replace('ISSUER_DOMAIN', $acsURI, $samlResponse);
  54 + $samlResponse = str_replace('ATTRIBUTE_NAME', $attribute, $samlResponse);
  55 + $samlResponse = str_replace('ATTRIBUTE_VALUE', $value, $samlResponse);
  56 + return $samlResponse;
  57 + }
  58 +
  59 + /**
  60 + * Signs a SAML response with the given private key, and embeds the public key.
  61 + * @param string $responseXmlString The unsigned Assertion which will be signed
  62 + * @param string $priKey Private key to sign the certificate
  63 + * @param string $cert Public key certificate of signee
  64 + * @return string Signed Assertion
  65 + */
  66 + function signAssertion($responseXmlString,$privKey,$cert)
  67 + {
  68 + if (file_exists("/tmp/xml")) {
  69 + $tempFileDir="/tmp/xml/";
  70 +
  71 + } else {
  72 + mkdir("/tmp/xml",0777);
  73 + $tempFileDir="/tmp/xml/";
  74 + }
  75 + $tempName = 'saml-response-' . $this->samlCreateId() . '.xml';
  76 + $tempFileName=$tempFileDir.$tempName;
  77 + while (file_exists($tempFileName))
  78 + $tempFileName = 'saml-response-' . $this->samlCreateId() . '.xml';
  79 +
  80 + if (!$handle = fopen($tempFileName, 'w')) {
  81 + return null;
  82 + }
  83 + if (fwrite($handle, $responseXmlString) === false) {
  84 + return null;
  85 + }
  86 + fclose($handle);
  87 + $cmd = 'xmlsec1 --sign --privkey-pem ' . $privKey .
  88 + ',' . $cert . ' --output ' . $tempFileName .
  89 + '.out ' . $tempFileName;
  90 + exec($cmd, $resp);
  91 + unlink($tempFileName);
  92 +
  93 + $xmlResult = @file_get_contents($tempFileName . '.out');
  94 + if (!$xmlResult) {
  95 + return null;
  96 + } else {
  97 + unlink($tempFileName . '.out');
  98 + return $xmlResult;
  99 + }
  100 + }
  101 +
  102 +
  103 + /**
  104 + * Verify a saml response with the given public key.
  105 + * @param string $responseXmlString Response to sign
  106 + * @param string $rootcert trusted public key certificate
  107 + * @return string Signed SAML response
  108 + */
  109 + function verifyAssertion($responseXmlString,$rootcert)
  110 + {
  111 + date_default_timezone_set("UTC");
  112 + if (file_exists("/tmp/xml")) {
  113 + $tempFileDir="/tmp/xml/";
  114 +
  115 + } else {
  116 + mkdir("/tmp/xml",0777);
  117 + $tempFileDir="/tmp/xml/";
  118 + }
  119 +
  120 + $tempName = 'saml-response-' . $this->samlCreateId() . '.xml';
  121 + $tempFileName=$tempFileDir.$tempName;
  122 + while (file_exists($tempFileName))
  123 + $tempFileName = 'saml-response-' . $this->samlCreateId() . '.xml';
  124 +
  125 + if (!$handle = fopen($tempFileName, 'w')) {
  126 + return false;
  127 + }
  128 +
  129 + if (fwrite($handle, $responseXmlString) === false) {
  130 + return false;
  131 + }
  132 +
  133 + $p=xml_parser_create();
  134 + $result=xml_parse_into_struct($p,$responseXmlString,$vals,$index);
  135 + xml_parser_free($p);
  136 + $cert_info=$index["X509CERTIFICATE"];
  137 + $conditions=$index["CONDITIONS"];
  138 + foreach($cert_info as $key=>$value){
  139 + file_put_contents($tempFileName.'.cert',$vals[$value]['value']);
  140 + }
  141 + $cert=$tempFileName.'.cert';
  142 + $before=0;
  143 + $after=0;
  144 + foreach($conditions as $key=>$value){
  145 + $before=$vals[$value]['attributes']['NOTBEFORE'];
  146 + $after=$vals[$value]['attributes']['NOTONORAFTER'];
  147 + }
  148 + $before=$this->validSamlDateFormat($before);
  149 + $after=$this->validSamlDateFormat($after);
  150 + if(strtotime("now") < $before || strtotime("now") >= $after){
  151 + unlink($tempFileName);
  152 + unlink($cert);
  153 + return false;
  154 + }
  155 + fclose($handle);
  156 + $cmd = 'xmlsec1 --verify --pubkey-cert ' . $cert .'--trusted '.$rootcert. ' '.$tempFileName.'* 2>&1 1>/dev/null';
  157 + exec($cmd,$resp);
  158 + if(strcmp($resp[0],"FAIL") == 0){
  159 + $value = false;
  160 + }elseif(strcmp($resp[0],"ERROR") == 0){
  161 + $value = false;
  162 + }elseif(strcmp($resp[0],"OK") == 0){
  163 + $value = TRUE;
  164 + }
  165 + unlink($tempFileName);
  166 + unlink($cert);
  167 + return $value;
  168 + }
  169 +
  170 + /**
  171 + * Creates a 40-character string containing 160-bits of pseudorandomness.
  172 + * @return string Containing pseudorandomness of 160 bits
  173 + */
  174 +
  175 + function samlCreateId()
  176 + {
  177 + $rndChars = 'abcdefghijklmnop';
  178 + $rndId = '';
  179 + for ($i = 0; $i < 40; $i++ ) {
  180 + $rndId .= $rndChars[rand(0,strlen($rndChars)-1)];
  181 + }
  182 + return $rndId;
  183 + }
  184 +
  185 + /**
  186 + * Returns a unix timestamp in xsd:dateTime format.
  187 + * @param timestamp int UNIX Timestamp to convert to xsd:dateTime
  188 + * ISO 8601 format.
  189 + * @return string
  190 + */
  191 + function samlGetDateTime($timestamp)
  192 + {
  193 + return gmdate('Y-m-d\TH:i:s\Z', $timestamp);
  194 + }
  195 + /**
  196 + * Attempts to check whether a SAML date is valid. Returns true or false.
  197 + * @param string $samlDate
  198 + * @return bool
  199 + */
  200 +
  201 + function validSamlDateFormat($samlDate)
  202 + {
  203 + if ($samlDate == "") return false;
  204 + $indexT = strpos($samlDate, 'T');
  205 + $indexZ = strpos($samlDate, 'Z');
  206 + if (($indexT != 10) || ($indexZ != 19)) {
  207 + return false;
  208 + }
  209 + $dateString = substr($samlDate, 0, 10);
  210 + $timeString = substr($samlDate, $indexT + 1, 8);
  211 + list($year, $month, $day) = explode('-', $dateString);
  212 + list($hour, $minute, $second) = explode(':', $timeString);
  213 + $parsedDate = gmmktime($hour, $minute, $second, $month, $day, $year);
  214 + if (($parsedDate === false) || ($parsedDate == -1)) return false;
  215 + if (!checkdate($month, $day, $year)) return false;
  216 + return $parsedDate;
  217 + }
  218 +
  219 +}
  220 +?>

0 comments on commit 9a88f5a

Please sign in to comment.
Something went wrong with that request. Please try again.