Diffstat (limited to 'OAuth/src/Lib/OAuthSignatureMethod_RSA_SHA1.php')
-rw-r--r--OAuth/src/Lib/OAuthSignatureMethod_RSA_SHA1.php96
1 files changed, 96 insertions, 0 deletions
diff --git a/OAuth/src/Lib/OAuthSignatureMethod_RSA_SHA1.php b/OAuth/src/Lib/OAuthSignatureMethod_RSA_SHA1.php
new file mode 100644
index 00000000..3b442108
--- /dev/null
+++ b/OAuth/src/Lib/OAuthSignatureMethod_RSA_SHA1.php
@@ -0,0 +1,96 @@
+<?php
+// vim: foldmethod=marker
+/**
+ * The MIT License
+ *
+ * Copyright (c) 2007 Andy Smith
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files ( the "Software" ), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+namespace MediaWiki\Extensions\OAuth\Lib;
+
+use MediaWiki\Extensions\OAuth\Lib\OAuthSignatureMethod;
+
+/**
+ * The RSA-SHA1 signature method uses the RSASSA-PKCS1-v1_5 signature algorithm as defined in
+ * [RFC3447] section 8.2 ( more simply known as PKCS#1 ), using SHA-1 as the hash function for
+ * EMSA-PKCS1-v1_5. It is assumed that the Consumer has provided its RSA public key in a
+ * verified way to the Service Provider, in a manner which is beyond the scope of this
+ * specification.
+ * - Chapter 9.3 ( "RSA-SHA1" )
+ */
+abstract class OAuthSignatureMethod_RSA_SHA1 extends OAuthSignatureMethod {
+ public function get_name() {
+ return "RSA-SHA1";
+ }
+
+ // Up to the SP to implement this lookup of keys. Possible ideas are:
+ // ( 1 ) do a lookup in a table of trusted certs keyed off of consumer
+ // ( 2 ) fetch via http using a url provided by the requester
+ // ( 3 ) some sort of specific discovery code based on request
+ //
+ // Either way should return a string representation of the certificate
+ protected abstract function fetch_public_cert( &$request );
+
+ // Up to the SP to implement this lookup of keys. Possible ideas are:
+ // ( 1 ) do a lookup in a table of trusted certs keyed off of consumer
+ //
+ // Either way should return a string representation of the certificate
+ protected abstract function fetch_private_cert( &$request );
+
+ public function build_signature( $request, $consumer, $token ) {
+ $base_string = $request->get_signature_base_string();
+ $request->base_string = $base_string;
+
+ // Fetch the private key cert based on the request
+ $cert = $this->fetch_private_cert( $request );
+
+ // Pull the private key ID from the certificate
+ $privatekeyid = openssl_get_privatekey( $cert );
+
+ // Sign using the key
+ $ok = openssl_sign( $base_string, $signature, $privatekeyid );
+
+ // Release the key resource
+ openssl_free_key( $privatekeyid );
+
+ return base64_encode( $signature );
+ }
+
+ public function check_signature( $request, $consumer, $token, $signature ) {
+ $decoded_sig = base64_decode( $signature );
+
+ $base_string = $request->get_signature_base_string();
+
+ // Fetch the public key cert based on the request
+ $cert = $this->fetch_public_cert( $request );
+
+ // Pull the public key ID from the certificate
+ $publickeyid = openssl_get_publickey( $cert );
+
+ // Check the computed signature against the one passed in the query
+ $ok = openssl_verify( $base_string, $decoded_sig, $publickeyid );
+
+ // Release the key resource
+ openssl_free_key( $publickeyid );
+
+ return $ok == 1;
+ }
+}
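Review bot: `build_signature` computes `$ok` from `openssl_sign()` but never reads it, so when `fetch_private_cert()` returns something `openssl_get_privatekey()` cannot parse, `$signature` is never set and the method returns `base64_encode( null )`, i.e. an empty string that the caller cannot distinguish from a real signature; a failed sign should be surfaced, e.g. `if ( !$ok ) { throw new \RuntimeException( 'RSA-SHA1 signing failed' ); }` before the `return`. In `check_signature` the decode is non-strict, so `base64_decode( $signature, true )` would reject inputs containing characters outside the base64 alphabet instead of silently skipping them, and `openssl_verify()` can return `-1`/`false` on error as well as `0`/`1`, so `return $ok === 1;` states the intent more precisely than the loose `==`. Both methods also pass the result of `openssl_get_privatekey()`/`openssl_get_publickey()` straight through without checking for `false`; verification happens to fail closed in that case, but an explicit check with a logged reason would make key-loading problems diagnosable rather than indistinguishable from a bad signature. Note too that `openssl_free_key()` is deprecated as of PHP 8.0 (keys are freed when the object goes out of scope), so those two calls can be dropped if the extension targets 8.x.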