5 # Part of the Collection Workflow Integration System (CWIS) 6 # Copyright 2017 Edward Almasy and Internet Scout Research Group 7 # http://scout.wisc.edu/cwis/ 32 $CheckForDuplicateFn, $RegisterMessageFn)
34 $this->APIUrl = $APIUrl;
35 $this->APIPassword = $APIPassword;
36 $this->CheckForDuplicateFn = $CheckForDuplicateFn;
37 $this->RegisterMessageFn = $RegisterMessageFn;
48 # build an encrypted message 51 # set up curl to do the post 52 $Context = curl_init();
54 # enable cookie handling 55 curl_setopt($Context, CURLOPT_COOKIEFILE,
'');
57 # use our configured endpoint 58 curl_setopt($Context, CURLOPT_URL, $this->APIUrl);
60 # get results back as a string 61 curl_setopt($Context, CURLOPT_RETURNTRANSFER, TRUE);
64 curl_setopt($Context, CURLOPT_POST, TRUE);
67 curl_setopt($Context, CURLOPT_POSTFIELDS, http_build_query($PostData));
70 $Data = curl_exec($Context);
72 # attempt to parse the reply into an encrypted envelope 73 $Result = json_decode($Data, TRUE);
78 "Message" =>
"Could not parse PostData.",
83 # attempt to decode the encrypted envelope 86 # if we decoded the envelope, return the message contents 87 if ($Result[
"Status"] ==
"OK")
89 $Result = $Result[
"Data"];
102 # create an envelope for our message, put the provided data inside 104 $Env[
"Version"] =
"3";
105 $Env[
"Timestamp"] = time();
106 $Env[
"Cookie"] = base64_encode(random_bytes(16));
107 $Env[
"Data"] = $Data;
109 # generate full key from provided password 110 $FullKey = hash(
"sha512", $this->APIPassword, TRUE);
112 # split into encryption and MAC keys 113 $EncKey = mb_substr($FullKey, 0, 32,
'8bit');
114 $MacKey = mb_substr($FullKey, 32, 32,
'8bit');
116 # generate a random IV (initialization vector), required by 117 # AES (and for most ciphers) to provide some randomness in the 118 # data and prevent identical messages from having identical 121 $IV = random_bytes(16);
123 # encrypt and base64 our payload 124 $Payload = base64_encode(openssl_encrypt(
125 json_encode($Env),
"aes-256-cbc", $EncKey, OPENSSL_RAW_DATA, $IV));
127 # base64 encode our IV 128 $IV = base64_encode($IV);
130 # construct data we will POST 133 "Payload" => $Payload,
134 "MAC" => base64_encode(hash_hmac(
"sha256", $IV.
":".$Payload, $MacKey, TRUE)),
151 # verify that the provided POST data has the correct elements 152 if (!isset($PostData[
"MAC"]) || !isset($PostData[
"Payload"]) ||
153 !isset($PostData[
"IV"]))
157 "Message" =>
"PostData lacks required elements.");
160 # generate full key from provided password 161 $FullKey = hash(
"sha512", $this->APIPassword, TRUE);
163 # split into encryption and MAC keys 164 $EncKey = mb_substr($FullKey, 0, 32,
'8bit');
165 $MacKey = mb_substr($FullKey, 32, 32,
'8bit');
169 "sha256", $PostData[
"IV"].
":".$PostData[
"Payload"], $MacKey, TRUE);
171 # check MAC, bail if it was not valid 172 if (!hash_equals($MAC, base64_decode($PostData[
"MAC"])))
176 "Message" =>
"HMAC validation failure -- message is corrupted.");
179 # strip base64 encoding from payload and IV 180 $Payload = base64_decode($PostData[
"Payload"]);
181 $IV = base64_decode($PostData[
"IV"]);
183 # decrypt the payload to get the envelope 184 $Env = openssl_decrypt(
185 $Payload,
"aes-256-cbc", $EncKey, OPENSSL_RAW_DATA, $IV);
187 # attempt to unserialize the envelope, bailing on failure 188 $Env = json_decode($Env, TRUE);
193 "Message" =>
"Could not decode message envelope.");
196 # check that the envelope contains all the required headers 197 if (!isset($Env[
"Version"]) || !isset($Env[
"Timestamp"]) ||
198 !isset($Env[
"Cookie"]) || !isset($Env[
"Data"]) )
202 "Message" =>
"Payload did not include all required parameters.");
205 # check that this is an envelope in a version we understand 206 if ($Env[
"Version"] !=
"3")
210 "Message" =>
"Message was not version 3.");
213 # check that this envelope isn't too old 214 if (time() - $Env[
"Timestamp"] > 300)
218 "Message" =>
"Message is more than 5 minutes old.");
221 # check if this is a duplicate message 222 if (call_user_func($this->CheckForDuplicateFn,
223 $Env[
"Timestamp"], $Env[
"Cookie"]))
227 "Message" =>
"This is a duplicate message");
230 call_user_func($this->RegisterMessageFn,
231 $Env[
"Timestamp"], $Env[
"Cookie"]);
235 "Data" => $Env[
"Data"]);
239 private $APIPassword;
240 private $CheckForDuplicateFn;
241 private $RegisterMessageFn;
EncodeEncryptedMessage($Data)
Construct an encrypted message packet from provided data.
DoRestCommand($Params)
Run a REST API command against a remote site.
__construct($APIUrl, $APIPassword, $CheckForDuplicateFn, $RegisterMessageFn)
Constructor.
DecodeEncryptedMessage($PostData)
Decrypt an encrypted message packet.
This class provides a general-purpose library for encrypted REST calls and responses.