Regard whitespace Rev 1282 → Rev 1283

/trunk/includes/classes/OIDplusAuthContentStoreJWT.class.php
414,7 → 414,7
$k = new \Firebase\JWT\Key($pubKey, 'RS256'); // RSA+SHA256 ist hardcoded in getPkiStatus() generation
$this->content = (array) \Firebase\JWT\JWT::decode($jwt, $k);
} else {
$key = OIDplus::authUtils()->makeSecret('0be35e52-f4ef-11ed-b67e-3c4a92df8582');
$key = OIDplus::authUtils()->makeSecret(['0be35e52-f4ef-11ed-b67e-3c4a92df8582']);
$key = hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, false);
$k = new \Firebase\JWT\Key($key, 'HS512'); // HMAC+SHA512 is hardcoded here
$this->content = (array) \Firebase\JWT\JWT::decode($jwt, $k);
436,7 → 436,7
$privKey = OIDplus::getSystemPrivateKey();
return \Firebase\JWT\JWT::encode($payload, $privKey, 'RS256'); // RSA+SHA256 ist hardcoded in getPkiStatus() generation
} else {
$key = OIDplus::authUtils()->makeSecret('0be35e52-f4ef-11ed-b67e-3c4a92df8582');
$key = OIDplus::authUtils()->makeSecret(['0be35e52-f4ef-11ed-b67e-3c4a92df8582']);
$key = hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, false);
return \Firebase\JWT\JWT::encode($payload, $key, 'HS512'); // HMAC+SHA512 is hardcoded here
}
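Review bot: The HS512 key derivation is now duplicated verbatim in the decode path (the `makeSecret(['0be35e52-...'])` line followed by `hash_pbkdf2`) and in the encode path of the 436 hunk; a single private helper would keep the UUID, the PBKDF2 parameters and the key length from drifting apart between issuing and verifying, which is the failure mode that would silently reject every token. Since makeSecret now hashes `json_encode([...])` instead of the raw string (see the OIDplusAuthUtils change in this revision), the derived HMAC key differs from the one in use before this commit, so HS512 tokens issued earlier will no longer verify after deployment; if that is intended, a comment such as `// NOTE: makeSecret() input format changed in this revision; tokens issued before it are rejected` at the call site would save the next maintainer a debugging session. The same derivation change applies to the session secret in OIDplusSessionHandler.class.php. Both enclosing methods start and end outside the hunks.
```php
/** Derives the HS512 key shared by the JWT encode and decode paths. */
private static function getHs512Key(): string {
    $key = OIDplus::authUtils()->makeSecret(['0be35e52-f4ef-11ed-b67e-3c4a92df8582']);
    return hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, false);
}

// … unchanged: RS256 branch of the decode path …
} else {
    $k = new \Firebase\JWT\Key(self::getHs512Key(), 'HS512'); // HMAC+SHA512 is hardcoded here
    $this->content = (array) \Firebase\JWT\JWT::decode($jwt, $k);

// … unchanged: RS256 branch of the encode path …
} else {
    return \Firebase\JWT\JWT::encode($payload, self::getHs512Key(), 'HS512'); // HMAC+SHA512 is hardcoded here
```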
/trunk/includes/classes/OIDplusAuthUtils.class.php
383,32 → 383,48
// Authentication keys for generating secrets or validating arguments (e.g. sent by mail)
 
/**
* @param string $data
* @param array|string $data
* @return string
* @throws OIDplusException
*/
public function makeSecret(string $data): string {
public function makeSecret($data): string {
if (!is_array($data)) $data = [$data];
$data = json_encode($data);
return sha3_512_hmac($data, 'OIDplus:'.OIDplus::baseConfig()->getValue('SERVER_SECRET'), false);
}
 
/**
* @param string $data
* @return string
* @param array|string $data Arbitary data to be validated later
* @return string A string that need to be validated with validateAuthKey
* @throws OIDplusException
*/
public function makeAuthKey(string $data): string {
return $this->makeSecret($data);
public function makeAuthKey($data): string {
if (!is_array($data)) $data = [$data];
$ts = time();
$data_ext = [$ts, $data];
$secret = $this->makeSecret($data_ext);
return $ts.'.'.$secret;
}
 
/**
* @param string $data
* @param string $auth_key
* @return bool
* @param array|string $data The original data that had been passed to makeAuthKey()
* @param string $auth_key The result from makeAuthKey()
* @param int $valid_secs How many seconds is the auth key valid? (-1 for infinite)
* @return bool True if the key is valid and not expired.
* @throws OIDplusException
*/
public function validateAuthKey(string $data, string $auth_key): bool {
return hash_equals($this->makeAuthKey($data), $auth_key);
public function validateAuthKey($data, string $auth_key, int $valid_secs=-1): bool {
$auth_key_ary = explode('.', $auth_key, 2);
if (count($auth_key_ary) != 2) return false; // invalid auth key syntax
list($ts, $secret) = $auth_key_ary;
if (!is_numeric($ts)) return false; // invalid auth key syntax
if ($valid_secs >= 0) {
if (time() > ($ts+$valid_secs)) return false; // expired auth key
}
if (!is_array($data)) $data = [$data];
$data_ext = [(int)$ts, $data];
return hash_equals($this->makeSecret($data_ext), $secret);
}
 
// "Veto" functions to force logout state
 
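Review bot: `$data = json_encode($data);` in makeSecret hands the result to the HMAC without checking for failure; json_encode returns false for, e.g., invalid UTF-8 in $data, and whatever sha3_512_hmac does with false (its definition is not in the hunk), every such input would collapse to the same secret instead of raising the documented OIDplusException. Use `$data = json_encode($data, JSON_THROW_ON_ERROR);` and wrap the JsonException into OIDplusException if callers rely on that type; note also that makeSecret's output for a given string changes with this commit, since it now hashes the JSON-encoded one-element array rather than the raw string, so any value derived by the old version (such as the secrets in the other two files of this revision) will not match. In validateAuthKey, `is_numeric($ts)` also accepts floats, exponent notation and leading whitespace, so `(int)$ts` and `$ts+$valid_secs` can diverge from the integer makeAuthKey emitted; `if (!ctype_digit($ts)) return false;` pins the timestamp to the decimal form actually issued — this does not weaken the HMAC, which already covers the timestamp, it only makes the expiry check and the rejection path explicit. The `list($ts, $secret) = $auth_key_ary;` destructuring would read as `[$ts, $secret] = $auth_key_ary;` in the short syntax the rest of the method already uses.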
/trunk/includes/classes/OIDplusSessionHandler.class.php
40,7 → 40,7
*/
public function __construct() {
$this->sessionLifetime = OIDplus::baseConfig()->getValue('SESSION_LIFETIME', 30*60);
$this->secret = OIDplus::authUtils()->makeSecret('b118abc8-f4ec-11ed-86ca-3c4a92df8582');
$this->secret = OIDplus::authUtils()->makeSecret(['b118abc8-f4ec-11ed-86ca-3c4a92df8582']);
 
// **PREVENTING SESSION HIJACKING**
// Prevents javascript XSS attacks aimed to steal the session ID