lib.php 32 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
<?php
/**
 * This program is part of Mahara
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
 *
 * @package    mahara
 * @subpackage auth
 * @author     Nigel McNie <nigel@catalyst.net.nz>
 * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL
 * @copyright  (C) 2006,2007 Catalyst IT Ltd http://catalyst.net.nz
 *
 */

27 28
defined('INTERNAL') || die();

29
function xmlrpc_exception (Exception $e) {
Donal McMullan's avatar
Donal McMullan committed
30 31 32 33 34 35
    if (($e instanceof XmlrpcServerException) && get_class($e) == 'XmlrpcServerException') {
        $e->handle_exception();
        return;
    } elseif (($e instanceof MaharaException) && get_class($e) == 'MaharaException') {
        throw new XmlrpcServerException($e->getMessage(), $e->getCode());
        return;
36
    }
Donal McMullan's avatar
Donal McMullan committed
37 38
    xmlrpc_error('An unexpected error has occurred: '.$e->getMessage(), $e->getCode());
    log_message($e->getMessage(), LOG_LEVEL_WARN, true, true, $e->getFile(), $e->getLine(), $e->getTrace());
39 40
}

41 42 43 44 45 46 47 48 49 50 51 52 53
function get_hostname_from_uri($uri = null) {
    $count = preg_match("@^(?:http[s]?://)?([A-Z0-9\-\.]+).*@i", $uri, $matches);
    if ($count > 0) return $matches[1];
    return false;
}

function dropslash($wwwroot) {
    if (substr($wwwroot, -1, 1) == '/') {
        return substr($wwwroot, 0, -1);
    }
    return $wwwroot;
}

54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72
function generate_token() {
    return sha1(str_shuffle('' . mt_rand(999999,99999999) . microtime(true)));
}

function start_jump_session($peer, $instanceid, $wantsurl="") {
    global $USER;

    $rpc_negotiation_timeout = 15;
    $providers = get_service_providers($USER->authinstance);

    $approved = false;
    foreach ($providers as $provider) {
        if ($provider['wwwroot'] == $peer->wwwroot) {
            $approved = true;
            break;
        }
    }

    if (false == $approved) {
Donal McMullan's avatar
Donal McMullan committed
73 74 75
        // This shouldn't happen: the user shouldn't have been presented with 
        // the link
        throw new SystemException('Host not approved for sso');
76 77 78 79
    }

    // set up the session
    $sso_session = get_record('sso_session',
80
                              'userid',     $USER->id);
81 82 83 84 85 86 87 88 89 90 91
    if ($sso_session == false) {
        $sso_session = new stdClass();
        $sso_session->instanceid = $instanceid;
        $sso_session->userid = $USER->id;
        $sso_session->username = $USER->username;
        $sso_session->useragent = sha1($_SERVER['HTTP_USER_AGENT']);
        $sso_session->token = generate_token();
        $sso_session->confirmtimeout = time() + $rpc_negotiation_timeout;
        $sso_session->expires = time() + (integer)ini_get('session.gc_maxlifetime');
        $sso_session->sessionid = session_id();
        if (! insert_record('sso_session', $sso_session)) {
Donal McMullan's avatar
Donal McMullan committed
92
            throw new SQLException("database error");
93 94 95 96
        }
    } else {
        $sso_session->useragent = sha1($_SERVER['HTTP_USER_AGENT']);
        $sso_session->token = generate_token();
97
        $sso_session->instanceid = $instanceid;
98 99
        $sso_session->confirmtimeout = time() + $rpc_negotiation_timeout;
        $sso_session->expires = time() + (integer)ini_get('session.gc_maxlifetime');
100
        $sso_session->useragent = sha1($_SERVER['HTTP_USER_AGENT']);
101 102
        $sso_session->sessionid = session_id();
        if (false == update_record('sso_session', $sso_session, array('userid' => $USER->id))) {
Donal McMullan's avatar
Donal McMullan committed
103
            throw new SQLException("database error");
104 105 106
        }
    }

107
    $wwwroot = dropslash(get_config('wwwroot'));
108 109 110 111 112 113 114

    // construct the redirection URL
    $url = "{$peer->wwwroot}{$peer->application->ssolandurl}?token={$sso_session->token}&idp={$wwwroot}&wantsurl={$wantsurl}";

    return $url;
}

115
function api_dummy_method($methodname, $argsarray, $functionname) {
116 117 118
    return call_user_func_array($functionname, $argsarray);
}

119
function fetch_user_image($username) {
120
    global $REMOTEWWWROOT;
121 122 123 124 125 126 127 128 129

    $institution = get_field('host', 'institution', 'wwwroot', $REMOTEWWWROOT);

    if (false == $institution) {
        // This should never happen, because if we don't know the host we'll
        // already have exited
        throw new XmlrpcServerException('Unknown error');
    }

130 131 132
    $dbprefix      = get_config('dbprefix');
    $authinstances = auth_get_auth_instances_for_institution($institution);
    $candidates    = array();
133 134 135 136

    $sql = 'SElECT
                ai.*
            FROM
137 138 139
                '.$dbprefix.'auth_instance ai,
                '.$dbprefix.'auth_instance ai2,
                '.$dbprefix.'auth_instance_config aic
140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189
            WHERE
                ai.id = ? AND
                ai.institution = ? AND
                ai2.institution = ai.institution AND
                ai.id = aic.value AND
                aic.field = \'parent\' AND
                aic.instance = ai2.id AND
                ai2.authname = \'xmlrpc\'';

    foreach ($authinstances as $authinstance) {
        if ($authinstance->authname != 'xmlrpc') {
            $records = get_records_sql_array($sql, array($authinstance->id, $institution));
            if (false == $records) {
                continue;
            }
        }
        try {
            $user = new User;
            $user->find_by_instanceid_username($authinstance->id, $username);
            $candidates[$user->id] = $user;
        } catch (Exception $e) {
            // we don't care
            continue;
        } 
    }

    if (count($candidates) != 1) {
        return false;
    }

    $user = array_pop($candidates);
    
    $ic = $user->profileicon;
    if (!empty($ic)) {
        $filename = get_config('dataroot') . 'artefact/internal/profileicons/' . ($user->profileicon % 256) . '/'.$user->profileicon;
        $return = array();
        try {
            $fi = file_get_contents($filename);
        } catch (Exception $e) {
            // meh
        }

        $return['f1'] = base64_encode($fi);

        require_once('file.php');
        $im = get_dataroot_image_path('artefact/internal/profileicons' , $user->profileicon, '100x100');
        $fi = file_get_contents($im);
        $return['f2'] = base64_encode($fi);
        return $return;
    } else {
190
        // no icon
191 192 193
    }
}

194
function user_authorise($token, $useragent) {
195
    global $USER;
196 197 198

    $sso_session = get_record('sso_session', 'token', $token, 'useragent', $useragent);
    if (empty($sso_session)) {
Donal McMullan's avatar
Donal McMullan committed
199
        throw new XmlrpcServerException('No such session exists');
200 201 202 203
    }

    // check session confirm timeout
    if ($sso_session->expires < time()) {
Donal McMullan's avatar
Donal McMullan committed
204
        throw new XmlrpcServerException('This session has timed out');
205 206 207 208 209 210 211
    }

    // session okay, try getting the user
    $user = new User();
    try {
        $user->find_by_id($sso_session->userid);
    } catch (Exception $e) {
Donal McMullan's avatar
Donal McMullan committed
212
        throw new XmlrpcServerException('Unable to get information for the specified user');
213 214
    }

215 216
    require(get_config('docroot') . 'artefact/lib.php');
    require(get_config('docroot') . 'artefact/internal/lib.php');
217 218 219 220 221 222 223 224 225

    $element_list = call_static_method('ArtefactTypeProfile', 'get_all_fields');
    $element_required = call_static_method('ArtefactTypeProfile', 'get_mandatory_fields');

    // load existing profile information
    $profilefields = array();
    $profile_data = get_records_select_assoc('artefact', "owner=? AND artefacttype IN (" . join(",",array_map(create_function('$a','return db_quote($a);'),array_keys($element_list))) . ")", array($USER->get('id')), '','artefacttype, title');

    $email = get_field('artefact_internal_profile_email', 'email', 'owner', $sso_session->userid, 'principal', 1);
226
    if (false == $email) {
Donal McMullan's avatar
Donal McMullan committed
227
        throw new XmlrpcServerException("No email adress for user");
228 229 230 231
    }

    $userdata = array();
    $userdata['username']                = $user->username;
232
    $userdata['email']                   = $email;
233 234 235 236 237 238 239 240
    $userdata['auth']                    = 'mnet';
    $userdata['confirmed']               = 1;
    $userdata['deleted']                 = 0;
    $userdata['firstname']               = $user->firstname;
    $userdata['lastname']                = $user->lastname;
    $userdata['city']                    = array_key_exists('city', $profile_data) ? $profile_data['city']->title : 'Unknown';
    $userdata['country']                 = array_key_exists('country', $profile_data) ? $profile_data['country']->title : 'Unknown';

241 242
    if (is_numeric($user->profileicon)) {
        $filename = get_config('dataroot') . 'artefact/internal/profileicons/' . ($user->profileicon % 256) . '/'.$user->profileicon;
243
        if (file_exists($filename) && is_readable($filename)) {
244
            $userdata['imagehash'] = sha1_file($filename);
245 246 247 248 249 250 251
        }
    }

    get_service_providers($USER->authinstance);

    // Todo: push application name to list of hosts... update Moodle block to display more info, maybe in 'Other' list
    $userdata['myhosts'] = array();
252
    $userdata['myhosts'][] = array('name'=> $SITE->shortname, 'url' => get_config('wwwroot'), 'count' => 0);
253 254 255 256 257 258 259 260 261 262 263

    return $userdata;
}

/**
 * Given a USER, get all Service Providers for that User, based on child auth
 * instances of its canonical auth instance
 */
function get_service_providers($instance) {
    static $cache = array();

264 265 266 267
    if (defined('INSTALLER')) {
        return array();
    }

268 269 270 271
    if (array_key_exists($instance, $cache)) {
        return $cache[$instance];
    }

272 273
    $dbprefix = get_config('dbprefix');

274 275 276 277 278 279 280
    $query = '
        SELECT
            h.name,
            a.ssolandurl,
            h.wwwroot,
            aic.instance
        FROM
281 282 283 284 285
            '.$dbprefix.'auth_instance_config aic,
            '.$dbprefix.'auth_instance_config aic2,
            '.$dbprefix.'auth_instance_config aic3,
            '.$dbprefix.'host h,
            '.$dbprefix.'application a
286
        WHERE
287
          ((aic.value = 1 AND
288
            aic.field = \'theyautocreateusers\' ) OR
289 290
           (aic.value = ?  AND
            aic.field = \'parent\')) AND
291 292 293 294 295 296 297 298 299 300

            aic.instance = aic2.instance AND
            aic2.field = \'wwwroot\' AND
            aic2.value = h.wwwroot AND

            aic.instance = aic3.instance AND
            aic3.field = \'wessoout\' AND
            aic3.value = \'1\' AND

            a.name = h.appname';
301 302 303 304 305 306
    try {
        $results = get_records_sql_assoc($query, array('value' => $instance));
    } catch (SQLException $e) {
        // Table doesn't exist yet
        return array();
    }
307 308 309 310 311 312 313 314 315 316 317 318 319

    if (false == $results) {
        $results = array();
    }

    foreach($results as $key => $result) {
        $results[$key] = get_object_vars($result);
    }

    $cache[$instance] = $results;
    return $cache[$instance];
}

320
function get_public_key($uri, $application=null) {
321

322 323 324 325 326 327 328
    static $keyarray = array();
    if (isset($keyarray[$uri])) {
        return $keyarray[$uri];
    }

    $openssl = OpenSslRepo::singleton();

329
    if (empty($application)) {
330
        $application = 'moodle';
331
    }
332

333
    $xmlrpcserverurl = get_field('application', 'xmlrpcserverurl', 'name', $application);
334 335 336
    if (empty($xmlrpcserverurl)) {
        throw new XmlrpcClientException('Unknown application');
    } 
337
    $wwwroot = dropslash(get_config('wwwroot'));
338

339
    $rq = xmlrpc_encode_request('system/keyswap', array($wwwroot, $openssl->certificate), array("encoding" => "utf-8"));
340
    $ch = curl_init($uri . $xmlrpcserverurl);
341

342 343 344 345 346 347 348
    curl_setopt($ch, CURLOPT_TIMEOUT, 60);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Moodle');
    curl_setopt($ch, CURLOPT_POSTFIELDS, $rq);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: text/xml charset=UTF-8"));

349 350 351 352
    $raw = curl_exec($ch);
    if (empty($raw)) {
        throw new XmlrpcClientException('CURL connection failed');
    }
353 354 355 356 357 358 359

    $response_code        = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $response_code_prefix = substr($response_code, 0, 1);

    if ('2' != $response_code_prefix) {
        if ('4' == $response_code_prefix) {
            throw new XmlrpcClientException('Client error code: ', $response_code);
360
        } elseif ('5' == $response_code_prefix) {
361 362 363 364
            throw new XmlrpcClientException('An error occurred at the remote server. Code: ', $response_code);
        }
    }

365
    $res = xmlrpc_decode($raw);
366 367
    curl_close($ch);

368 369 370
    // XMLRPC error messages are returned as an array
    // We are expecting a string
    if (!is_array($res)) {
371 372 373 374 375 376 377 378 379
        $keyarray[$uri] = $res;
        $credentials=array();
        if (strlen(trim($keyarray[$uri]))) {
            $credentials = openssl_x509_parse($keyarray[$uri]);
            $host = $credentials['subject']['CN'];
            if (strpos($uri, $host) !== false) {
                return $keyarray[$uri];
            }
        }
380 381
    } else {
        throw new XmlrpcClientException($res['faultString'], $res['faultCode']);
382 383 384 385
    }
    return false;
}

386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414
/**
 * Output a valid XML-RPC error message.
 *
 * @param  string   $message              The error message
 * @param  int      $code                 Unique identifying integer
 * @return string                         An XMLRPC error doc
 */
function xmlrpc_error($message, $code) {
    echo <<<EOF
<?xml version="1.0"?>
<methodResponse>
   <fault>
      <value>
         <struct>
            <member>
               <name>faultCode</name>
               <value><int>$code</int></value>
            </member>
            <member>
               <name>faultString</name>
               <value><string>$message</string></value>
            </member>
         </struct>
      </value>
   </fault>
</methodResponse>
EOF;
}

415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430
function xmlenc_envelope_strip(&$xml) {
    $openssl           = OpenSslRepo::singleton();
    $payload_encrypted = true;
    $data              = base64_decode($xml->EncryptedData->CipherData->CipherValue);
    $key               = base64_decode($xml->EncryptedKey->CipherData->CipherValue);
    $payload           = '';    // Initialize payload var
    $payload           = $openssl->openssl_open($data, $key);
    $xml               = parse_payload($payload);
    return $payload;
}

function parse_payload($payload) {
    try {
        $xml = new SimpleXMLElement($payload);
        return $xml;
    } catch (Exception $e) {
Donal McMullan's avatar
Donal McMullan committed
431
        throw new MaharaException('Encrypted payload is not a valid XML document', 6002);
432 433 434 435
    }
}

function get_peer($wwwroot) {
436

437 438
    $wwwroot = (string)$wwwroot;
    static $peers = array();
439
    if (isset($peers[$wwwroot])) return $peers[$wwwroot];
440

441
    require_once(get_config('libroot') . 'peer.php');
442
    $peer = new Peer();
443

444
    if (!$peer->findByWwwroot($wwwroot)) {
445
        // Bootstrap unknown hosts?
Donal McMullan's avatar
Donal McMullan committed
446
        throw new MaharaException('We don\'t have a record for your webserver in our database', 6003);
447 448 449 450 451
    }
    $peers[$wwwroot] = $peer;
    return $peers[$wwwroot];
}

452 453 454
/**
 * Check that the signature has been signed by the remote host.
 */
455
function xmldsig_envelope_strip(&$xml) {
456

457 458 459 460 461 462
    $signature      = base64_decode($xml->Signature->SignatureValue);
    $payload        = base64_decode($xml->object);
    $wwwroot        = (string)$xml->wwwroot;
    $timestamp      = $xml->timestamp;
    $peer           = get_peer($wwwroot);

463

464 465 466 467 468 469 470 471 472
    // Does the signature match the data and the public cert?
    $signature_verified = openssl_verify($payload, $signature, $peer->certificate);

    if ($signature_verified == 1) {
        // Parse the XML
        try {
            $xml = new SimpleXMLElement($payload);
            return $payload;
        } catch (Exception $e) {
Donal McMullan's avatar
Donal McMullan committed
473
            throw new MaharaException('Signed payload is not a valid XML document', 6007);
474 475
        }
    } else {
Donal McMullan's avatar
Donal McMullan committed
476
        throw new MaharaException('An error occurred while trying to verify your message signature', 6004);
477 478 479
    }
}

480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513
/**
 * Encrypt a message and return it in an XML-Encrypted document
 *
 * This function can encrypt any content, but it was written to provide a system
 * of encrypting XML-RPC request and response messages. The message does not 
 * need to be text - binary data should work.
 * 
 * Asymmetric keys can encrypt only small chunks of data. Usually 1023 or 2047 
 * characters, depending on the key size. So - we generate a symmetric key and 
 * use the asymmetric key to secure it for transport with the data.
 *
 * We generate a symmetric key
 * We encrypt the symmetric key with the public key of the remote host
 * We encrypt our content with the symmetric key
 * We base64 the key & message data.
 * We identify our wwwroot - this must match our certificate's CN
 *
 * Normally, the XML-RPC document will be parceled inside an XML-SIG envelope.
 * We parcel the XML-SIG document inside an XML-ENC envelope.
 *
 * See the {@Link http://www.w3.org/TR/xmlenc-core/ XML-ENC spec} at the W3c
 * site
 *
 * @param  string   $message              The data you want to sign
 * @param  string   $remote_certificate   Peer's certificate in PEM format
 * @return string                         An XML-ENC document
 */
function xmlenc_envelope($message, $remote_certificate) {

    // Generate a key resource from the remote_certificate text string
    $publickey = openssl_get_publickey($remote_certificate);

    if ( gettype($publickey) != 'resource' ) {
        // Remote certificate is faulty.
Donal McMullan's avatar
Donal McMullan committed
514
        throw new MaharaException('Could not generate public key resource from certificate', 1);
515 516 517
    }

    // Initialize vars
518
    $wwwroot = dropslash(get_config('wwwroot'));
519 520 521 522 523 524 525
    $encryptedstring = '';
    $symmetric_keys = array();

    //      passed by ref ->      &$encryptedstring &$symmetric_keys
    $bool = openssl_seal($message, $encryptedstring, $symmetric_keys, array($publickey));
    $message = base64_encode($encryptedstring);
    $symmetrickey = base64_encode(array_pop($symmetric_keys));
526
    $zed = 'nothing';
527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553

    return <<<EOF
<?xml version="1.0" encoding="iso-8859-1"?>
    <encryptedMessage>
        <EncryptedData Id="ED" xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#arcfour"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:RetrievalMethod URI="#EK" Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/>
                <ds:KeyName>XMLENC</ds:KeyName>
            </ds:KeyInfo>
            <CipherData>
                <CipherValue>$message</CipherValue>
            </CipherData>
        </EncryptedData>
        <EncryptedKey Id="EK" xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:KeyName>SSLKEY</ds:KeyName>
            </ds:KeyInfo>
            <CipherData>
                <CipherValue>$symmetrickey</CipherValue>
            </CipherData>
            <ReferenceList>
                <DataReference URI="#ED"/>
            </ReferenceList>
            <CarriedKeyName>XMLENC</CarriedKeyName>
        </EncryptedKey>
554
        <wwwroot>{$wwwroot}</wwwroot>
555
        <X1>$zed</X1>
556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584
    </encryptedMessage>
EOF;
}

/**
 * Sign a message and return it in an XML-Signature document
 *
 * This function can sign any content, but it was written to provide a system of
 * signing XML-RPC request and response messages. The message will be base64
 * encoded, so it does not need to be text.
 *
 * We compute the SHA1 digest of the message.
 * We compute a signature on that digest with our private key.
 * We link to the public key that can be used to verify our signature.
 * We base64 the message data.
 * We identify our wwwroot - this must match our certificate's CN
 *
 * The XML-RPC document will be parceled inside an XML-SIG document, which holds
 * the base64_encoded XML as an object, the SHA1 digest of that document, and a
 * signature of that document using the local private key. This signature will
 * uniquely identify the RPC document as having come from this server.
 *
 * See the {@Link http://www.w3.org/TR/xmldsig-core/ XML-DSig spec} at the W3c
 * site
 *
 * @param  string   $message              The data you want to sign
 * @return string                         An XML-DSig document
 */
function xmldsig_envelope($message) {
585

586
    $openssl = OpenSslRepo::singleton();
587
    $wwwroot = dropslash(get_config('wwwroot'));
588
    $digest = sha1($message);
589

590
    $sig = base64_encode($openssl->sign_message($message));
591 592
    $message = base64_encode($message);
    $time = time();
593
    // TODO: Provide RESTful access to our public key as per KeyInfo element
594 595 596 597 598 599 600 601 602 603 604 605 606 607 608

return <<<EOF
<?xml version="1.0" encoding="iso-8859-1"?>
    <signedMessage>
        <Signature Id="MoodleSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
                <Reference URI="#XMLRPC-MSG">
                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <DigestValue>$digest</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>$sig</SignatureValue>
            <KeyInfo>
609
                <RetrievalMethod URI="{$wwwroot}/api/xmlrpc/publickey.php"/>
610 611 612
            </KeyInfo>
        </Signature>
        <object ID="XMLRPC-MSG">$message</object>
613
        <wwwroot>{$wwwroot}</wwwroot>
614 615 616 617 618 619
        <timestamp>$time</timestamp>
    </signedMessage>
EOF;

}

620 621 622
/**
 * Good candidate to be a singleton
 */
623
class OpenSslRepo {
624 625 626

    private $keypair = array();

627 628 629 630 631 632 633 634
    /**
     * Sign a message with our private key so that peers can verify that it came
     * from us.
     *
     * @param  string   $message
     * @return string
     * @access public
     */
635 636 637 638 639
    public function sign_message($message) {
        $signature = '';
        $bool      = openssl_sign($message, $signature, $this->keypair['privatekey']);
        return $signature;
    }
640

641 642 643 644 645 646 647 648 649 650 651 652
    /**
     * Decrypt some data using our private key and an auxiliary symmetric key. 
     * The symmetric key encrypted the data, and then was itself encrypted with
     * our public key.
     * This is because asymmetric keys can only safely be used to encrypt 
     * relatively short messages.
     *
     * @param string   $data
     * @param string   $key
     * @return string
     * @access public
     */
653 654 655 656 657 658 659 660
    public function openssl_open($data, $key) {
        $payload = '';
        $isOpen = openssl_open($data, $payload, $key, $this->keypair['privatekey']);

        if (!empty($isOpen)) {
            return $payload;
        } else {
            // Decryption failed... let's try our archived keys
661
            $openssl_history = $this->get_history();
662 663 664 665 666 667
            foreach($openssl_history as $keyset) {
                $keyresource = openssl_pkey_get_private($keyset['keypair_PEM']);
                $isOpen      = openssl_open($data, $payload, $key, $keyresource);
                if ($isOpen) {
                    // It's an older code, sir, but it checks out
                    // We notify the remote host that the key has changed
668
                    throw new CryptException($this->keypair['certificate'], 7025);
669 670 671
                }
            }
        }
672
        throw new CryptException('Invalid certificate', 7025);
673 674
    }

675
    /**
676
     * Singleton function keeps us from generating multiple instances of this
677 678 679 680 681
     * class
     *
     * @return object   The class instance
     * @access public
     */
682 683 684 685 686
    public static function singleton() {
        //single instance
        static $instance;

        //if we don't have the single instance, create one
687
        if (!isset($instance)) {
688 689 690 691 692 693 694 695 696 697 698 699 700
            $instance = new OpenSslRepo();
        }
        return($instance);
    }

    /**
     * This is a singleton - don't try to create an instance by doing:
     * $openssl = new OpenSslRepo();
     * Instead, use:
     * $openssl = OpenSslRepo::singleton();
     * 
     */
    private function __construct() {
701
        if (empty($this->keypair)) {
702
            $this->get_keypair();
703 704 705
            $this->keypair['privatekey'] = openssl_pkey_get_private($this->keypair['keypair_PEM']);
            $this->keypair['publickey']  = openssl_pkey_get_public($this->keypair['certificate']);
        }
706
        return $this;
707 708
    }

709 710 711 712 713 714 715
    /**
     * Utility function to get old SSL keys from the config table, or create a 
     * blank record if none exists.
     *
     * @return array    Array of keypair hashes
     * @access private
     */
716 717
    private function get_history() {
        $openssl_history = get_field('config', 'value', 'field', 'openssl_history');
718
        if (empty($openssl_history)) {
719 720 721 722 723 724 725 726 727 728 729
            $openssl_history = array();
            $record = new stdClass();
            $record->field = 'openssl_history';
            $record->value = serialize($openssl_history);
            insert_record('config', $record);
        } else {
            $openssl_history = unserialize($openssl_history);
        }
        return $openssl_history;
    }

730 731 732 733 734 735 736 737
    /**
     * Utility function to stash old SSL keys in the config table. It will retain
     * a max of 'openssl_generations' which is itself a value in config.
     *
     * @param  array    Array of keypair hashes
     * @return bool
     * @access private
     */
738 739
    private function save_history($openssl_history) {
        $openssl_generations = get_field('config', 'value', 'field', 'openssl_generations');
740
        if (empty($openssl_generations)) {
741 742 743
            set_config('openssl_generations', 6);
            $openssl_generations = 6;
        }
744
        if (count($openssl_history) > $openssl_generations) {
745 746 747 748 749
            $openssl_history = array_slice($openssl_history, 0, $openssl_generations);
        }
        return set_config('openssl_history', serialize($openssl_history));
    }

750 751 752 753 754 755 756 757 758
    /**
     * The get Overloader will let you pull out the 'certificate' and 'expires'
     * values
     *
     * @param  string    Name of the value you want
     * @return mixed     The value of the thing you asked for or null (if it 
     *                   doesn't exist or is private)
     * @access public
     */
759
    public function __get($name) {
760 761
        if ('certificate' === $name) return $this->keypair['certificate'];
        if ('expires' === $name)     return $this->keypair['expires'];
762 763
        return null;
    }
764

765 766 767 768 769 770 771 772
    /**
     * Get the keypair. If it doesn't exist, create it. If it's out of date, 
     * archive it and create a fresh pair.
     *
     * @param  bool      True if you want to force fresh keys to be generated
     * @return bool     
     * @access private
     */
773 774 775 776
    private function get_keypair($regenerate = null) {
        $this->keypair = array();
        $records       = null;
        
777
        if (empty($regenerate)) {
778
            $records = get_records_select_menu('config', "field IN ('openssl_keypair', 'openssl_keypair_expires')", 'field', 'field, value');
779
            if (!empty($records)) {
780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806
                list($this->keypair['certificate'], $this->keypair['keypair_PEM']) = explode('@@@@@@@@', $records['openssl_keypair']);
                $this->keypair['expires'] = $records['openssl_keypair_expires'];
                if ($this->keypair['expires'] <= time()) {
                    $openssl_history = $this->get_history();
                    array_unshift($openssl_history, $this->keypair);
                    $this->save_history($openssl_history);
                } else {
                    return true;
                }
            }
        }

        // Initialize a new set of SSL keys
        $this->keypair = array();
        $this->generate_keypair();

        // A record for the keys
        $keyrecord = new stdClass();
        $keyrecord->field = 'openssl_keypair';
        $keyrecord->value = implode('@@@@@@@@', $this->keypair);

        // A convenience record for the keys' expire time (UNIX timestamp)
        $expiresrecord        = new stdClass();
        $expiresrecord->field = 'openssl_keypair_expires';

        // Getting the expire timestamp is convoluted, but required:
        $credentials = openssl_x509_parse($this->keypair['certificate']);
807
        if (is_array($credentials) && isset($credentials['validTo_time_t'])) {
808 809 810 811
            $expiresrecord->value = $credentials['validTo_time_t'];
            $this->keypair['expires'] = $credentials['validTo_time_t'];
        }

812
        if (empty($records)) {
813 814 815 816 817 818 819 820
                   $result = insert_record('config', $keyrecord);
            return $result & insert_record('config', $expiresrecord);
        } else {
                   $result = update_record('config', $keyrecord,     array('field' => 'openssl_keypair'));
            return $result & update_record('config', $expiresrecord, array('field' => 'openssl_keypair_expires'));
        }
    }

821 822 823 824 825 826 827 828 829 830 831 832
    /**
     * Generate public/private keys and store in the config table
     *
     * Use the distinguished name provided to create a CSR, and then sign that CSR
     * with the same credentials. Store the keypair you create in the config table.
     * If a distinguished name is not provided, create one using the fullname of
     * 'the course with ID 1' as your organization name, and your hostname (as
     * detailed in $CFG->wwwroot).
     *
     * @param   array  $dn  The distinguished name of the server
     * @return  string      The signature over that text
     */
833
    private function generate_keypair() {
834
        $host = get_hostname_from_uri(get_config('wwwroot'));
835 836 837 838 839 840 841 842 843

        $organization = get_config('sitename');
        $email        = get_config('noreplyaddress');
        $country      = get_config('country');
        $province     = get_config('province');
        $locality     = get_config('locality');

        //TODO: Create additional fields on site setup and read those from 
        //      config. Then remove the next 3 linez
844 845 846
        if (empty($country))  $country  = 'NZ';
        if (empty($province)) $province = 'Wellington';
        if (empty($locality)) $locality = 'Te Aro';
847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877

        $dn = array(
           "countryName" => $country,
           "stateOrProvinceName" => $province,
           "localityName" => $locality,
           "organizationName" => $organization,
           "organizationalUnitName" => 'Mahara',
           "commonName" => get_config('wwwroot'),
           "emailAddress" => $email
        );

        // ensure we remove trailing slashes
        $dn["commonName"] = preg_replace(':/$:', '', $dn["commonName"]);

        $new_key = openssl_pkey_new();
        $csr_rsc = openssl_csr_new($dn, $new_key, array('private_key_bits',2048));
        $selfSignedCert = openssl_csr_sign($csr_rsc, null, $new_key, 28 /*days*/);
        unset($csr_rsc); // Free up the resource

        // We export our self-signed certificate to a string.
        openssl_x509_export($selfSignedCert, $this->keypair['certificate']);
        openssl_x509_free($selfSignedCert);

        // Export your public/private key pair as a PEM encoded string. You
        // can protect it with an optional passphrase if you wish.
        $export = openssl_pkey_export($new_key, $this->keypair['keypair_PEM'] /* , $passphrase */);
        openssl_pkey_free($new_key);
        unset($new_key); // Free up the resource

        return $this;
    }
878 879 880
}

class PublicKey {
881

882 883 884
    private   $credentials = array();
    private   $wwwroot     = '';
    private   $certificate = '';
885 886

    function __construct($keystring, $wwwroot) {
887

888 889 890 891 892
        $this->credentials = openssl_x509_parse($keystring);
        $this->wwwroot     = dropslash($wwwroot);
        $this->certificate = $keystring;

        if ($this->credentials == false) {
Donal McMullan's avatar
Donal McMullan committed
893
            throw new CryptException('This is not a valid SSL Certificate: '.$keystring, 1);
894
            return false;
895
        } elseif ($this->credentials['subject']['CN'] != $this->wwwroot) {
Donal McMullan's avatar
Donal McMullan committed
896
            throw new CryptException('This certificate does not match the server it claims to represent: '.$this->credentials['subject']['CN'] .', '. $this->wwwroot, 1);
897 898
            return false;
        } else {
899
            return $this->credentials;
900 901 902
        }
    }

903
    function __get($name) {
904
        if ('expires' == $name) return $this->credentials['validTo_time_t'];
905
        return $this->{$name};
906 907 908
    }
}
?>