function openid_verify_assertion_signature in Drupal 7

Same name and namespace in other branches
  1. 6 modules/openid/openid.module \openid_verify_assertion_signature()

Verify the signature of the response received from the OpenID provider.

Parameters

$service: Array describing the OpenID provider.

$association: Information on the association with the OpenID provider.

$response: Array of response values from the provider.

Return value

TRUE if the signature is valid and covers all fields required to be signed.

See also

http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4

1 call to openid_verify_assertion_signature()
openid_verify_assertion in modules/openid/openid.module
Attempt to verify the response received from the OpenID Provider.

File

modules/openid/openid.module, line 908
Implement OpenID Relying Party support for Drupal

Code

function openid_verify_assertion_signature($service, $association, $response) {
  if ($service['version'] == 2) {

    // OpenID Authentication 2.0, section 10.1:
    // These keys must always be signed.
    $mandatory_keys = array(
      'op_endpoint',
      'return_to',
      'response_nonce',
      'assoc_handle',
    );
    if (isset($response['openid.claimed_id'])) {

      // If present, these two keys must also be signed. According to the spec,
      // they are either both present or both absent.
      $mandatory_keys[] = 'claimed_id';
      $mandatory_keys[] = 'identity';
    }
  }
  else {

    // OpenID Authentication 1.1, section 4.3.3.
    $mandatory_keys = array(
      'identity',
      'return_to',
    );
  }
  $keys_to_sign = explode(',', $response['openid.signed']);
  if (count(array_diff($mandatory_keys, $keys_to_sign)) > 0) {
    return FALSE;
  }
  return _openid_signature($association, $response, $keys_to_sign) === $response['openid.sig'];
}
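
The coverage check above, as an added stand-alone example (not Drupal's code): it verifies two constructed OpenID 2.0 responses, the second of which carries a correct HMAC but leaves claimed_id and identity out of openid.signed and is therefore rejected. Assumptions: the function names are hypothetical, the HMAC over the spec's key-value form with HMAC-SHA256 stands in for _openid_signature() (whose body is not shown on this page), and the comparison uses hash_equals() instead of ===.

```php
<?php
// Added example, not Drupal code; function names and sample data are hypothetical.
// HMAC over the OpenID 2.0 key-value form ("key:value\n") of the signed keys.
function example_kv_signature($mac_key, array $response, array $signed) {
  $message = '';
  foreach ($signed as $key) {
    $message .= $key . ':' . $response['openid.' . $key] . "\n";
  }
  return base64_encode(hash_hmac('sha256', $message, $mac_key, TRUE));
}
function example_verify_openid2_signature($mac_key, array $response) {
  // Fail closed when the signature fields are missing.
  if (!isset($response['openid.signed'], $response['openid.sig'])) {
    return FALSE;
  }
  $mandatory = array('op_endpoint', 'return_to', 'response_nonce', 'assoc_handle');
  if (isset($response['openid.claimed_id'])) {
    array_push($mandatory, 'claimed_id', 'identity');
  }
  $signed = explode(',', $response['openid.signed']);
  if (array_diff($mandatory, $signed)) {
    return FALSE; // A mandatory key is not covered by the signature.
  }
  foreach ($signed as $key) {
    if (!isset($response['openid.' . $key])) {
      return FALSE; // Listed as signed but absent from the response.
    }
  }
  // Constant-time comparison; hash_equals() needs PHP 5.6 or later.
  return hash_equals(example_kv_signature($mac_key, $response, $signed), $response['openid.sig']);
}

// Constructed sample response and MAC key (raw bytes, assumed already decoded).
$mac_key = 'constructed-mac-key';
$response = array(
  'openid.op_endpoint' => 'https://op.example/server',
  'openid.return_to' => 'https://rp.example/openid/authenticate',
  'openid.response_nonce' => '2024-01-01T00:00:00Zabc123',
  'openid.assoc_handle' => 'constructed-handle',
  'openid.claimed_id' => 'https://user.example/',
  'openid.identity' => 'https://user.example/',
);
$all = array('op_endpoint', 'return_to', 'response_nonce', 'assoc_handle', 'claimed_id', 'identity');
foreach (array($all, array_slice($all, 0, 4)) as $signed) {
  $r = $response;
  $r['openid.signed'] = implode(',', $signed);
  $r['openid.sig'] = example_kv_signature($mac_key, $r, $signed);
  var_dump(example_verify_openid2_signature($mac_key, $r));
}
```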