function _idResCheckSignature($message, $server_url)
{
    // Verify the signature on an id_res message.
    //
    // Returns null when the signature is accepted, otherwise an
    // Auth_OpenID_FailureResponse (or the failure object produced while
    // reading assoc_handle) describing why verification failed.
    //
    // Two verification paths exist: a stored association lets us check the
    // signature locally; without one the server is asked to confirm it via
    // check_authentication (stateless mode).
    //
    // NOTE(review): the check relies on $server_url being the endpoint the
    // caller established for this response — it is not re-verified here;
    // confirm at the caller.
    $handle = $message->getArg(Auth_OpenID_OPENID_NS, 'assoc_handle');
    if (Auth_OpenID::isFailure($handle)) {
        // A missing or malformed assoc_handle is reported unchanged.
        return $handle;
    }

    $association = $this->store->getAssociation($server_url, $handle);

    if (!$association) {
        // Unknown handle: asking the server directly is the only way to
        // recover. XXX - an async framework will not want to block on this
        // call to _checkAuth.
        if ($this->_checkAuth($message, $server_url)) {
            return null;
        }
        return new Auth_OpenID_FailureResponse(null, "Server denied check_authentication");
    }

    if ($association->getExpiresIn() <= 0) {
        // Expired associations are refused rather than renewed here.
        // Restarting authentication automatically would let a server that
        // hands out expired (or very short-lived) associations force
        // endless round trips — a denial-of-service vector.
        return new Auth_OpenID_FailureResponse(null, 'Association with ' . $server_url . ' expired');
    }

    if (!$association->checkMessageSignature($message)) {
        // A bad signature against a known association means the association
        // is unrecoverably corrupted; later logins with it would fail too,
        // so drop it from the store before reporting the failure.
        $this->store->removeAssociation($server_url, $handle);
        return new Auth_OpenID_FailureResponse(null, "Bad signature");
    }

    return null;
}