Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
Total | |
100.00% |
13 / 13 |
|
100.00% |
3 / 3 |
CRAP | |
100.00% |
1 / 1 |
OAuthSignatureMethodRsaSha1 | |
100.00% |
13 / 13 |
|
100.00% |
3 / 3 |
3 | |
100.00% |
1 / 1 |
get_name | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
fetch_public_cert | n/a |
0 / 0 |
n/a |
0 / 0 |
0 | |||||
fetch_private_cert | n/a |
0 / 0 |
n/a |
0 / 0 |
0 | |||||
build_signature | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
1 | |||
check_signature | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
1 |
1 | <?php |
2 | // vim: foldmethod=marker |
3 | /** |
4 | * The MIT License |
5 | * |
6 | * Copyright (c) 2007 Andy Smith |
7 | * |
8 | * Permission is hereby granted, free of charge, to any person obtaining a copy |
9 | * of this software and associated documentation files ( the "Software" ), to deal |
10 | * in the Software without restriction, including without limitation the rights |
11 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
12 | * copies of the Software, and to permit persons to whom the Software is |
13 | * furnished to do so, subject to the following conditions: |
14 | * |
15 | * The above copyright notice and this permission notice shall be included in |
16 | * all copies or substantial portions of the Software. |
17 | * |
18 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
19 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
20 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
21 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
22 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
23 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN |
24 | * THE SOFTWARE. |
25 | */ |
26 | |
27 | namespace MediaWiki\Extension\OAuth\Lib; |
28 | |
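/**
 * The RSA-SHA1 signature method uses the RSASSA-PKCS1-v1_5 signature algorithm as defined in
 * [RFC3447] section 8.2 ( more simply known as PKCS#1 ), using SHA-1 as the hash function for
 * EMSA-PKCS1-v1_5. It is assumed that the Consumer has provided its RSA public key in a
 * verified way to the Service Provider, in a manner which is beyond the scope of this
 * specification.
 *   - Chapter 9.3 ( "RSA-SHA1" )
 *
 * Security notes for implementers:
 *  - The verification result is only as trustworthy as the key returned by
 *    fetch_public_cert(). The key must be bound to the consumer through a channel the
 *    Service Provider controls; a key that the requester can choose proves nothing.
 *  - SHA-1 is no longer collision resistant. The hash is fixed by the signature method
 *    name, so it cannot be changed here; prefer a stronger method where the deployment
 *    allows one.
 */
abstract class OAuthSignatureMethodRsaSha1 extends OAuthSignatureMethod {
	/**
	 * @return string The signature method name as sent in oauth_signature_method.
	 */
	public function get_name() {
		return "RSA-SHA1";
	}

	// Up to the SP to implement this lookup of keys. Possible ideas are:
	// ( 1 ) do a lookup in a table of trusted certs keyed off of consumer
	// ( 2 ) fetch via http using a url provided by the requester
	// ( 3 ) some sort of specific discovery code based on request
	//
	// Either way should return a string representation of the certificate
	//
	// Caveat for ( 2 ) and ( 3 ): anything derived from the request is untrusted until
	// verified. A key fetched from a requester-supplied URL lets the requester pick the
	// key its own signature is checked against, and fetching that URL server-side needs
	// a destination allow-list. Option ( 1 ), keyed on the registered consumer, is the
	// one that matches the "verified way" the specification assumes.
	protected abstract function fetch_public_cert( &$request );

	// Up to the SP to implement this lookup of keys. Possible ideas are:
	// ( 1 ) do a lookup in a table of trusted certs keyed off of consumer
	//
	// Either way should return a string representation of the certificate
	//
	// The returned value is private key material: keep it out of logs and error messages.
	protected abstract function fetch_private_cert( &$request );

	/**
	 * Sign the request's signature base string with the private key for this request.
	 *
	 * Side effect: stores the base string on $request->base_string.
	 *
	 * @param object $request Request exposing get_signature_base_string()
	 * @param mixed $consumer Unused by this method
	 * @param mixed $token Unused by this method
	 * @return string Base64-encoded RSASSA-PKCS1-v1_5 / SHA-1 signature
	 * @throws \RuntimeException If the private key cannot be loaded or signing fails.
	 *   Previously these failures were ignored and an empty signature was returned.
	 */
	public function build_signature( $request, $consumer, $token ) {
		$base_string = $request->get_signature_base_string();
		$request->base_string = $base_string;

		// Fetch the private key cert based on the request
		$cert = $this->fetch_private_cert( $request );
		if ( !$cert ) {
			throw new \RuntimeException( 'RSA-SHA1: no private key available for this request' );
		}

		// Load the private key; returns false when the PEM data cannot be parsed
		$privatekeyid = openssl_get_privatekey( $cert );
		if ( $privatekeyid === false ) {
			throw new \RuntimeException( 'RSA-SHA1: unable to load the private key' );
		}

		// Sign using the key. SHA-1 is named explicitly so the digest does not depend on
		// the function's default.
		$signature = '';
		$ok = openssl_sign( $base_string, $signature, $privatekeyid, OPENSSL_ALGO_SHA1 );
		if ( $ok !== true ) {
			// Never emit an empty or partial signature as if signing had succeeded
			throw new \RuntimeException( 'RSA-SHA1: signing the base string failed' );
		}

		return base64_encode( $signature );
	}

	/**
	 * Verify a base64-encoded RSA-SHA1 signature over the request's signature base string.
	 *
	 * Fails closed: a malformed signature, a missing or unparsable public key, or an
	 * OpenSSL error all yield false.
	 *
	 * @param object $request Request exposing get_signature_base_string()
	 * @param mixed $consumer Unused by this method
	 * @param mixed $token Unused by this method
	 * @param string $signature Base64-encoded signature taken from the request (untrusted)
	 * @return bool True only when OpenSSL reports the signature as valid
	 */
	public function check_signature( $request, $consumer, $token, $signature ) {
		// Strict decoding rejects characters outside the base64 alphabet instead of
		// silently dropping them, so one signature has one accepted encoding.
		$decoded_sig = is_string( $signature ) ? base64_decode( $signature, true ) : false;
		if ( $decoded_sig === false || $decoded_sig === '' ) {
			return false;
		}

		$base_string = $request->get_signature_base_string();

		// Fetch the public key cert based on the request
		$cert = $this->fetch_public_cert( $request );
		if ( !$cert ) {
			return false;
		}

		// Load the public key from the certificate; false means it could not be parsed
		$publickeyid = openssl_get_publickey( $cert );
		if ( $publickeyid === false ) {
			return false;
		}

		// Check the computed signature against the one passed in the query.
		// openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error);
		// only an exact 1 counts as success.
		$ok = openssl_verify( $base_string, $decoded_sig, $publickeyid, OPENSSL_ALGO_SHA1 );

		return $ok === 1;
	}
}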