5 # Part of the Collection Workflow Integration System (CWIS) 6 # Copyright 2017 Edward Almasy and Internet Scout Research Group 7 # http://scout.wisc.edu/cwis/ 23 $CheckForDuplicateFn, $RegisterMessageFn)
25 $this->APIUrl = $APIUrl;
26 $this->APIPassword = $APIPassword;
27 $this->CheckForDuplicateFn = $CheckForDuplicateFn;
28 $this->RegisterMessageFn = $RegisterMessageFn;
39 # build an encrypted message 42 # set up curl to do the post 43 $Context = curl_init();
45 # enable cookie handling 46 curl_setopt($Context, CURLOPT_COOKIEFILE,
'');
48 # use our configured endpoint 49 curl_setopt($Context, CURLOPT_URL, $this->APIUrl);
51 # get results back as a string 52 curl_setopt($Context, CURLOPT_RETURNTRANSFER, TRUE);
55 curl_setopt($Context, CURLOPT_POST, TRUE);
58 curl_setopt($Context, CURLOPT_POSTFIELDS, http_build_query($PostData));
61 $Data = curl_exec($Context);
63 # attempt to parse the reply into an encrypted envelope 64 $Result = json_decode($Data, TRUE);
69 "Message" =>
"Could not parse PostData.",
74 # attempt to decode the encrypted envelope 77 # if we decoded the envelope, return the message contents 78 if ($Result[
"Status"] ==
"OK")
80 $Result = $Result[
"Data"];
93 # create an envelope for our message, put the provided data inside 95 $Env[
"Version"] =
"3";
96 $Env[
"Timestamp"] = time();
97 $Env[
"Cookie"] = base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM));
100 # generate full key from provided password 101 $FullKey = hash(
"sha512", $this->APIPassword, TRUE);
103 # split into encryption and MAC keys 104 $EncKey = mb_substr($FullKey, 0, 32,
'8bit');
105 $MacKey = mb_substr($FullKey, 32, 32,
'8bit');
107 # generate a random IV (initialization vector), required by 108 # AES (and for most ciphers) to provide some randomness in the 109 # data and prevent identical messages from having identical 112 # the mcrypt extension is deprecated, but unfortunately 113 # mcrypt_create_iv() is the only function available in both PHP 114 # 5.x and PHP 7.x that reliably provides randomness. 115 # see slides # 24-28 in "Using Encryption in PHP" at 116 # http://otscripts.com/wp-content/uploads/2016/10/UsingEncryption-v02.pdf 118 $IV = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
120 # encrypt and base64 our payload 121 $Payload = base64_encode(openssl_encrypt(
122 json_encode($Env),
"aes-256-cbc", $EncKey, OPENSSL_RAW_DATA, $IV));
124 # base64 encode our IV 125 $IV = base64_encode($IV);
127 # construct data we will POST 130 "Payload" => $Payload,
131 "MAC" => base64_encode(hash_hmac(
"sha256", $IV.
":".$Payload, $MacKey, TRUE)),
148 # verify that the provided POST data has the correct elements 149 if (!isset($PostData[
"MAC"]) || !isset($PostData[
"Payload"]) ||
150 !isset($PostData[
"IV"]))
154 "Message" =>
"PostData lacks required elements.");
157 # generate full key from provided password 158 $FullKey = hash(
"sha512", $this->APIPassword, TRUE);
160 # split into encryption and MAC keys 161 $EncKey = mb_substr($FullKey, 0, 32,
'8bit');
162 $MacKey = mb_substr($FullKey, 32, 32,
'8bit');
166 "sha256", $PostData[
"IV"].
":".$PostData[
"Payload"], $MacKey, TRUE);
168 # check MAC, bail if it was not valid 169 if (!hash_equals($MAC, base64_decode($PostData[
"MAC"])))
173 "Message" =>
"HMAC validation failure -- message is corrupted.");
176 # strip base64 encoding from payload and IV 177 $Payload = base64_decode($PostData[
"Payload"]);
178 $IV = base64_decode($PostData[
"IV"]);
180 # decrypt the payload to get the envelope 181 $Env = openssl_decrypt(
182 $Payload,
"aes-256-cbc", $EncKey, OPENSSL_RAW_DATA, $IV);
184 # attempt to unserialize the envelope, bailing on failure 185 $Env = json_decode($Env, TRUE);
190 "Message" =>
"Could not decode message envelope.");
193 # check that the envelope contains all the required headers 194 if (!isset($Env[
"Version"]) || !isset($Env[
"Timestamp"]) ||
195 !isset($Env[
"Cookie"]) || !isset($Env[
"Data"]) )
199 "Message" =>
"Payload did not include all required parameters.");
202 # check that this is an envelope in a version we understand 203 if ($Env[
"Version"] !=
"3")
207 "Message" =>
"Message was not version 3.");
210 # check that this envelope isn't too old 211 if (time() - $Env[
"Timestamp"] > 300)
215 "Message" =>
"Message is more than 5 minutes old.");
218 # check if this is a duplicate message 219 if (call_user_func($this->CheckForDuplicateFn,
220 $Env[
"Timestamp"], $Env[
"Cookie"]))
224 "Message" =>
"This is a duplicate message");
227 call_user_func($this->RegisterMessageFn,
228 $Env[
"Timestamp"], $Env[
"Cookie"]);
232 "Data" => $Env[
"Data"]);
EncodeEncryptedMessage($Data)
Construct an encrypted message packet from provided data.
DoRestCommand($Params)
Run a REST API command against a remote site.
__construct($APIUrl, $APIPassword, $CheckForDuplicateFn, $RegisterMessageFn)
Constructor.
DecodeEncryptedMessage($PostData)
Decrypt an encrypted message packet.