<?php

/*
* AUTHOR: Samuel Muñoz Hidalgo
* EMAIL: samuel.mh@gmail.com
* LAST REVISION: 24-APR-09
* DESCRIPTION:
*		Will send cards to other applications via web.
*		Symmetric cryptography and IP filtering are available.
*/


/*
* DESCRIPTION: used to encode the data attribute sent GET method
* TAKEN FROM:  http://es2.php.net/manual/es/function.base64-encode.php#63543
*/
function urlsafe_b64encode($string) {
    $data = base64_encode($string);
    $data = str_replace(array('+','/','='),array('-','_',''),$data);
    return $data;
}


/*
* DESCRIPTION: used to decode the data attribute sent GET method
* TAKEN FROM:  http://es2.php.net/manual/es/function.base64-encode.php#63543
*/
function urlsafe_b64decode($string) {
    $data = str_replace(array('-','_'),array('+','/'),$string);
    $mod4 = strlen($data) % 4;
    if ($mod4) {
        $data .= substr('====', $mod4);
    }
    return base64_decode($data);
}


/*CASE 1 AND 2
* -Has Organization
* -And chains to a trusted root CA
* -NOTE: Based on V1.0, written for compatibility with DigitalMe PPID calculation
*/
function calculate_RP_PPID_Seed_2_2007 ($certs) {
	$check_cert = openssl_x509_read(file_get_contents($certs[0]));
	$array = openssl_x509_parse($check_cert);
	openssl_x509_free($check_cert);
	$OrgIdString = ('|O="'.$array['subject']['O'].'"|L="'.$array['subject']['L'].'"|S="'.$array['subject']['ST'].'"|C="'.$array['subject']['C'].'"|');	
	$numcerts = sizeof($certs);
	for($i=1;$i<$numcerts;$i++){
		$check_cert = openssl_x509_read(file_get_contents($certs[$i]));
		$array = openssl_x509_parse($check_cert);
		openssl_x509_free($check_cert);
		$tmpstring = '|ChainElement="CN='.$array['subject']['CN'].', OU='.$array['subject']['OU'].', O='.$array['subject']['O'].', L='.$array['subject']['L'].', S='.$array['subject']['ST'].', C='.$array['subject']['C'].'"';
		$OrgIdString = $tmpstring.$OrgIdString;
	}
	$OrgIdBytes = iconv("UTF-8", "UTF-16LE", $OrgIdString);
	$RPPPIDSeed = hash('sha256', $OrgIdBytes,TRUE);
	return $RPPPIDSeed;
}


/*
* DESCRIPTION: Calculate the PPID for a card
* INPUT: card ID, and RP certificates
* OUTPUT: PPID asociated to a Relying Party
*/
function calculate_PPID($cardid, $rp_cert) {
	$CardIdBytes = iconv("ISO-8859-1", "UTF-16LE", $cardid);
	$CanonicalCardId = hash('sha256', $CardIdBytes,TRUE);
	$RPPPIDSeed = calculate_RP_PPID_Seed_2_2007($rp_cert);
	$PPID = hash('sha256', $RPPPIDSeed.$CanonicalCardId,TRUE);
	return $PPID;
}


/*
*
* INPUT: VOID
* OUPUT: String with the invoked URL
*/
function curPageURL() {
 $pageURL = 'http';
 if ($_SERVER["HTTPS"] == "on") {$pageURL .= "s";}
 $pageURL .= "://";
 if ($_SERVER["SERVER_PORT"] != "80") {
  $pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
 } else {
  $pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
 }
 return $pageURL;
}


//TAD

/*
* INPUT: String (attribute length + attribute not begginning with a number) n times , number of attributes
* OUPUT: Array with attributes in order
*/
function parse_attributes($parsing_string, $num_attrs){
	for ($i=0 ; $i<$num_attrs ; $i++) {
		if (preg_match('/^[\d]*/', $parsing_string, $res)){
			if (!($output[$i] = substr($parsing_string,strlen($res[0]),$res[0]))){
				return null;
			}
			$parsing_string = substr($parsing_string, strlen($res[0])+strlen($output[$i]));
		} else {
			return null;
		}
	}
	return $output;
}


/*
* Enable downloading an specific card, store Radius request
* INPUT: username, cardid, and radius request time
* OUTPUT; uuid of the stored request
*/
function enable_download($username, $cardid){
	//almacenar existencia
	
	//Add Timestamp to response
	$time = 'x'.time(); //Cannot start with a number	
	
	$uuid = uniqid();
	$handle = fopen(SimpleSAML_Utilities::getTempDir() . "/$uuid",'w');
	if ($handle) {
		fwrite($handle, strlen($username).$username.strlen($cardid).$cardid.strlen($time).$time);
		fclose ($handle);
		return $uuid;
	} else {
		return false;
	}
}


/*
* Disable downloading an specific card, should be called when ending a request = Infocard is Issued
*
*/
function disable_download($uuid){
	unlink("/tmp/$uuid");
}


/*
* ¿Should I generate a card?
*
*/
function is_card_enabled($uuid, $delivery_time){
	$now = time();	
	$filename = SimpleSAML_Utilities::getTempDir() . "/$uuid";
	
	//File check
	if (!file_exists($filename)) return false; //File doesn't exist
	
	//Time check
	$handle = fopen($filename,'r');
	if ($handle) {
		$data = fread($handle, filesize($filename));
		fclose ($handle);
		
		$parsed_data = parse_attributes($data, 3);
		$parsed_data[2] = substr($parsed_data[2],1); //Extracting numeric value
		
		$time = $parsed_data[2];
		$endtime = $time + $delivery_time;
		if (($now<=$time)||($now>$endtime)) return false; //Incorrect time
		return $parsed_data;
	} else {
		return false; //Could not read the file
	}

}


/*
* Check if the user is in the connected table
* Update the row with the created Infocard card_ID
*/
function DB_update_connected_user ($username, $DB_params){
	$card_id = sspmod_InfoCard_UserFunctions::generate_card_ID($username);;
	$dbconn = pg_connect('host='.$DB_params['DB_host'].'  port='.$DB_params['DB_port'].'  dbname='.$DB_params['DB_dbname'].' user='.$DB_params['DB_user'].'  password='.$DB_params['DB_password']);
	$result = pg_fetch_all(pg_query_params($dbconn, 'SELECT * FROM connected_users WHERE name = $1', array("$username")));
	if ($result[0]){
		pg_update($dbconn, 'connected_users', array('card_id'=>$card_id), array('name'=>$username));
		return true;
	} else {
		return false;
	}
}


$config = SimpleSAML_Configuration::getInstance();
$autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php');
$configuredIP =   $autoconfig->getValue('configuredIP');


//RADIUS Request - Send One Time URL
if ( (strcmp($_GET['ident'],'RADIUS')==0) && (($configuredIP == null) || ($_SERVER['REMOTE_ADDR'] == $configuredIP)) ){

	/* Load the configuration. */
	$key =   $autoconfig->getValue('symmetric_key');
	$internalkey = hash('sha256', $autoconfig->getValue('internal_key'));

	$encrequest = urlsafe_b64decode($_GET['data']);
	if (!$encrequest) throw new SimpleSAML_Error_NotFound('The URL wasn\'t found in the module.');

	// Encryption
	if ($key!=null) {
		$iv = urlsafe_b64decode($_GET['iv']);
		if (!$iv)  throw new SimpleSAML_Error_NotFound('The URL wasn\'t found in the module.');
		$enckey = hash('sha256', $key);
		$request = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, pack("H*",$enckey), $encrequest, MCRYPT_MODE_CBC, $iv);
	} else {
		$request = $encrequest;
	}
	
	//Parse Attributes (username lenght + username + cardid length + cardid)
	$parsed_request = parse_attributes($request, 2);
	
	
	//Enable card for downloading (username+cardid+time)
	$response = enable_download($parsed_request[0],$parsed_request[1]);
	if(!$response) throw new SimpleSAML_Error_NotFound('FUNCTION enable_download, error accessing directory');
	
	
	// Encrypt response for myself
	$response = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, pack("H*",$internalkey), $response, MCRYPT_MODE_CBC, $iv);
	$response = preg_replace('/\?.*/','',curPageURL()).'?data='.urlsafe_b64encode($response).'&iv='.urlsafe_b64encode($iv);
	

	// Encrypt response for RADIUS
	if ($key!=null){
		$encresponse  = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, pack("H*",$enckey), $response, MCRYPT_MODE_CBC, $iv);
	} else {
		$encresponse = $response;
	}
	
	// Send URL
	print base64_encode($encresponse);

} else {  //Client Resquest- Send InfoCard
	//Get Attributes
	$encrequest = urlsafe_b64decode($_GET['data']);
	$iv = urlsafe_b64decode($_GET['iv']);
	if ((!$encrequest)||(!$iv)) throw new SimpleSAML_Error_NotFound('The URL wasn\'t found in the module.');

	/* Load the configuration. */
	$internalkey = hash('sha256', $autoconfig->getValue('internal_key'));
	$certificates =   $autoconfig->getValue('certificates');
	$ICconfig['InfoCard'] = $autoconfig->getValue('InfoCard');
	$ICconfig['InfoCard']['issuer'] = $autoconfig->getValue('tokenserviceurl');//sspmod_InfoCard_Utils::getIssuer($sts_crt);
	$ICconfig['tokenserviceurl'] = $autoconfig->getValue('tokenserviceurl');
	$ICconfig['mexurl'] = $autoconfig->getValue('mexurl');
	$ICconfig['sts_key'] = $autoconfig->getValue('sts_key');
	$ICconfig['certificates'] = $autoconfig->getValue('certificates');
	$ICconfig['UserCredential'] = $autoconfig->getValue('UserCredential');
	$IC_lifetime_delivery = $autoconfig->getValue('IC_lifetime_delivery');
	$DB_params = $autoconfig->getValue('DB_params');
	
	// Encryption
	$request = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, pack("H*",$internalkey), $encrequest, MCRYPT_MODE_CBC, $iv);
	
	$parsed_request = is_card_enabled($request, $IC_lifetime_delivery);
	if ($parsed_request && DB_update_connected_user($parsed_request[0], $DB_params)) {
		// Calculate PPID
		$ppid = base64_encode(calculate_PPID($parsed_request[1], $certificates));
	
		// Create InfoCard
		$ICdata = sspmod_InfoCard_UserFunctions::fillICdata($parsed_request[0],$ICconfig['UserCredential'],$ppid);	
		$IC = sspmod_InfoCard_STS::createCard($ICdata,$ICconfig);
		
		disable_download($request);
		
		//Send Infocard
		print ($IC);
	} else {
		throw new SimpleSAML_Error_NotFound('The URL wasn\'t found in the module.');
	}
}


?>