Permalink
Browse files

[project @ OpenID Signed Assertions(Implementation of old sxip draft)]

  In our solution, one party, which we call the Attribute Provider (AP), provides
a signed certificate that the the user possesses some attribute (e.g. is over 18).  This certificate is stored as an attribute at the user's OP, and other RPs can request this certificate when they want to verify attributes of the user.
For the implementation, we have followed the OpenID Signed Assertions
draft: http://www.mail-archive.com/specs@openid.net/msg00907.html

The Signed Assertions Draft did not specify how signed assertions are
stored at the OP, so we adopted the following scheme:
 Attribute:    http://X
 Certificate:  http://X/signature
This enables RPs that don't care about certificates to completely ignore them.  Assertions are SAML documents as specified in the OpenID Signed
Assertions old draft.
We are developing a demo application in which a university issues certificates verifying students' age, student-hood, and even their photo (also potentially useful to dating sites).  So basically the university acts as an attribute provider, signing assertions about user claims. These claims are stored as an attribute in the OpenId provider and we can use the OpenID AX protocol to pass assertions as attributes.  The data flow is:
   User requests assertion --- University(Attribute provider)
                           --- (store request)
                           --- Openid provider
   Relying Party(Dating site) --- (fetch request) --- OpenID Provider
The RP gets the assertion, verifies the signature, and takes actions depending on the result.  In some scenarios, the RP may deny the user request if the attribute verification fails (e.g. the dating site may forbid users under 18).  In other scenarios the RP may treat them differently (e.g. the dating site could tag certified photos as "Verified Photo").
Note that the RP must have some sort of trust relationship with the AP.  We've tried to keep the system as open as possible.  Our protocol and implementation do not specify how this trust relationship is created or managed.  For example, there could be a PKI specifically set up for verifying claims about student-hood, another trust system set up for verifying claims about age, etc.
 
Santosh Subramanian
Shishir Randive
Michael Hart
Rob Johnson
  • Loading branch information...
1 parent 7607004 commit 9a88f5a0864d37457a2266745a1cbdde2b070ace @subrasan subrasan committed Nov 14, 2008
Showing with 400 additions and 0 deletions.
  1. +180 −0 Auth/OpenID/AP.php
  2. +220 −0 Auth/OpenID/SAML.php
View
@@ -0,0 +1,180 @@
+<?php
+
+/**
+ * Introduces the notion of an Attribute Provider that attests and signs
+ * attributes
+ * Uses OpenID Signed Assertions(Sxip draft) for attesting attributes
+ * PHP versions 4 and 5
+ *
+ * LICENSE: See the COPYING file included in this distribution.
+ *
+ * @package OpenID
+ * @author Santosh Subramanian <subrasan@cs.sunysb.edu>
+ * @author Shishir Randive <srandive@cs.sunysb.edu>
+ * Stony Brook University.
+ *
+ */
+require_once 'Auth/OpenID/SAML.php';
+/**
+ * The Attribute_Provider class which signs the attribute,value pair
+ * for a given openid.
+ */
+class Attribute_Provider
+{
+ private $public_key_certificate=null;
+ private $private_key=null;
+ private $authenticatedUser=null;
+ private $notBefore=null;
+ private $notOnOrAfter=null;
+ private $rsadsa=null;
+ private $acsURI=null;
+ private $attribute=null;
+ private $value=null;
+ private $assertionTemplate=null;
+ /**
+ * Creates an Attribute_Provider object initialized with startup values.
+ * @param string $public_key_certificate - The public key certificate
+ of the signer.
+ * @param string $private_key - The private key of the signer.
+ * @param string $notBefore - Certificate validity time
+ * @param string $notOnOrAfter - Certificate validity time
+ * @param string $rsadsa - Choice of the algorithm (RSA/DSA)
+ * @param string $acsURI - URI of the signer.
+ * @param string $assertionTemplate - SAML template used for assertion
+ */
+ function Attribute_Provider($public_key_certificate,$private_key,$notBefore,$notOnOrAfter,$rsadsa,$acsURI,
+ $assertionTemplate)
+ {
+ $this->public_key_certificate=$public_key_certificate;
+ $this->private_key=$private_key;
+ $this->notBefore=$notBefore;
+ $this->notOnOrAfter=$notOnOrAfter;
+ $this->rsadsa=$rsadsa;
+ $this->acsURI=$acsURI;
+ $this->assertionTemplate=$assertionTemplate;
+ }
+ /**
+ * Create the signed assertion.
+ * @param string $openid - Openid of the entity being asserted.
+ * @param string $attribute - The attribute name being asserted.
+ * @param string $value - The attribute value being asserted.
+ */
+ function sign($openid,$attribute,$value)
+ {
+ $samlObj = new SAML();
+ $responseXmlString = $samlObj->createSamlAssertion($openid,
+ $this->notBefore,
+ $this->notOnOrAfter,
+ $this->rsadsa,
+ $this->acsURI,
+ $attribute,
+ sha1($value),
+ $this->assertionTemplate);
+ $signedAssertion=$samlObj->signAssertion($responseXmlString,
+ $this->private_key,
+ $this->public_key_certificate);
+ return $signedAssertion;
+ }
+}
+/**
+ * The Attribute_Verifier class which verifies the signed assertion at the Relying party.
+ */
+class Attribute_Verifier
+{
+ /**
+ * The certificate the Relying party trusts.
+ */
+ private $rootcert;
+ /**
+ * This function loads the public key certificate that the relying party trusts.
+ * @param string $cert - Trusted public key certificate.
+ */
+ function load_trusted_root_cert($cert)
+ {
+ $this->rootcert=$cert;
+ }
+ /**
+ * Verifies the certificate given the SAML document.
+ * @param string - signed SAML assertion
+ * return @boolean - true if verification is successful, false if unsuccessful.
+ */
+ function verify($responseXmlString)
+ {
+ $samlObj = new SAML();
+ $ret = $samlObj->verifyAssertion($responseXmlString,$this->rootcert);
+ return $ret;
+ }
+}
+
+/**
+ * This is a Store Request creating class at the Attribute Provider.
+ */
+class AP_OP_StoreRequest
+{
+ /**
+ * Creates store request and adds it as an extension to AuthRequest object
+ passed to it.
+ * @param &Auth_OpenID_AuthRequest &$auth_request - A reference to
+ the AuthRequest object.
+ * @param &Attribute_Provider &$attributeProvider - A reference to the
+ Attribute Provider object.
+ * @param string $attribute - The attribute name being asserted.
+ * @param string $value - The attribute value being asserted.
+ * @param string $openid - Openid of the entity being asserted.
+ * @return &Auth_OpenID_AuthRequest - Auth_OpenID_AuthRequest object
+ returned with StoreRequest extension.
+ */
+ static function createStoreRequest(&$auth_request,&$attributeProvider,
+ $attribute,$value,$openid)
+ {
+ if(!$auth_request){
+ return null;
+ }
+ $signedAssertion=$attributeProvider->sign($openid,$attribute,$value);
+ $store_request=new Auth_OpenID_AX_StoreRequest;
+ $store_request->addValue($attribute,base64_encode($value));
+ $store_request->addValue($attribute.'/signature',
+ base64_encode($signedAssertion));
+ if($store_request) {
+ $auth_request->addExtension($store_request);
+ return $auth_request;
+ }
+ }
+}
+
+/*
+ *This is implemented at the RP Takes care of getting the attribute from the
+ *AX_Fetch_Response object and verifying it.
+ */
+class RP_OP_Verify
+{
+ /**
+ * Verifies a given signed assertion.
+ * @param &Attribute_Verifier &$attributeVerifier - An instance of the class
+ passed for the verification.
+ * @param Auth_OpenID_Response - Response object for extraction.
+ * @return boolean - true if successful, false if verification fails.
+ */
+ function verifyAssertion(&$attributeVerifier,$response)
+ {
+ $ax_resp=Auth_OpenID_AX_FetchResponse::fromSuccessResponse($response);
+ if($ax_resp instanceof Auth_OpenID_AX_FetchResponse){
+ $ax_args=$ax_resp->getExtensionArgs();
+ if($ax_args) {
+ $value=base64_decode($ax_args['value.ext1.1']);
+ if($attributeVerifier->verify($value)){
+ return base64_decode($ax_args['value.ext0.1']);
+ } else {
+ return null;
+ }
+ } else {
+ return null;
+ }
+ } else {
+ return null;
+ }
+ }
+}
+
+
+?>
Oops, something went wrong.

0 comments on commit 9a88f5a

Please sign in to comment.