Below is the code that can be used to perform the (pass-through) SSO to BankMobile. It is assumed that this script itself sits behind some form of site-imposed SSO (CAS/SAML/LDAP etc.): it trusts $shib_uid as an already-authenticated identity and does no authentication of its own.
Lines   Purpose (line numbers refer to the original numbered listing)
8-19    Functions to perform the basic encryption/decryption with AES-128-ECB.
21-24   Load site-specific support files. Keeping these includes outside the web server's document root adds some protection, since the client code and shared secret are never served directly.
28      Un-hexes the AES shared secret from BankMobile. This could have been done inside the encrypt function.
34-65   Banner-specific DB query, plus commented-out PHP to simulate failures and exercise the error-reporting code.
67-70   Get the current UTC time in the required format and build the plaintext string.
72-76   Commented-out debug code for testing encryption and decryption if something goes wrong.
78      Finally, encrypt and produce the token.
86      Generate the URL.
90      Redirect the session to BankMobile.
<?php
/*
openssl_encrypt() applies PKCS#7 padding (the padding usually labelled
"PKCS5") by default. With OPENSSL_RAW_DATA the call below returns the
raw ciphertext, which is converted to hex before returning.
Note that ECB mode has no IV and no integrity check: identical 16-byte
plaintext blocks encrypt to identical ciphertext blocks.
*/
function encrypt($data, $key) {
return bin2hex(openssl_encrypt($data, 'aes-128-ecb', $key, OPENSSL_RAW_DATA));
}
/*
For openssl_decrypt, we are assuming the $data is coming in
as hex and this is converted to raw. Generally, the decrypt
function is only used for debugging purposes.
*/
function decrypt($data, $key) {
return openssl_decrypt(hex2bin($data), 'aes-128-ecb', $key, OPENSSL_RAW_DATA);
}
// DB required include
include_once 'baseRequired.php';
//The next include defines $client_code and $secretKeyHex
include_once 'bankMobileRequired.php';
// The hex key must be converted to its raw 16 bytes before calling
// openssl_encrypt(); passing the hex string itself would use the
// wrong key material.
$secretKey=hex2bin($secretKeyHex);
// $shib_uid is set via baseRequired.php and is taken from
// previously authenticated sources (SAML/SHIB/LDAP etc).
print 'shib_uid = ' . $shib_uid . '<br />'; // debug
//$shib_uid = 'fake'; // debug
$DBbanner = oci_connect($OCI_CRSE_LOGIN, $OCI_CRSE_PASSWORD, $db);
//$DBbanner = FALSE; // debug
if ( $DBbanner === FALSE ) {
print "We are unable to connect to the Banner database.";
print "<br /> <br /> Please contact the Cashier's office for further assistance. (518)-629-4505.<br />";
print "Let them know you were attempting a \"BankMobile SSO Login\" and the database connection failed.";
exit(1);
}
$query = "SELECT SPRIDEN_ID, SPRIDEN_LAST_NAME, SPRIDEN_FIRST_NAME, GOREMAL_EMAIL_ADDRESS
FROM GOBTPAC, GOREMAL, SPRIDEN
WHERE GOBTPAC_LDAP_USER = :samaccountname
AND GOREMAL_PIDM = GOBTPAC_PIDM
AND GOREMAL_STATUS_IND = 'A'
AND GOREMAL_EMAL_CODE = 'CAM'
AND SPRIDEN_PIDM = GOBTPAC_PIDM
AND SPRIDEN_CHANGE_IND IS NULL";
$parse = oci_parse($DBbanner, $query);
oci_bind_by_name($parse, ":samaccountname", $shib_uid);
oci_execute($parse);
$row = oci_fetch_array($parse, OCI_ASSOC);
// oci_fetch_array() returns FALSE when no row matched; guard before indexing.
$hnum = ($row !== FALSE) ? $row['SPRIDEN_ID'] : NULL;
oci_free_statement($parse);
oci_close($DBbanner);
if ( is_null($hnum) || $hnum === '' || $hnum === FALSE ) {
print "We are unable to acquire an ID that matched the user \"" . $shib_uid . "\".";
print "<br /> <br /> Please contact the Cashier's office for further assistance. (518)-629-4505.<br />";
print "Let them know you were attempting a \"BankMobile SSO Login\" and no matching ID was found.";
exit(1);
}
$timestamp = gmdate('m/d/Y H:i:s'); // MUST be 24-hour 'MM/DD/YYYY HH:MM:SS'
// Ampersands are literal field separators. Do not HTML-encode them as &amp;.
$text = $client_code . '&' . $hnum . '&' . $timestamp;
//$encrypted = encrypt($text, $secretKey); //debug
//print "The encrypted, hexed text is " . $encrypted . "<br />"; //debug
//print "The raw text is \"" . hex2bin($encrypted) . "\" (" . strlen(hex2bin($encrypted)) . ") <br />"; //debug
//$decrypted = decrypt($encrypted, $secretKey); //debug
//print "The decrypted text is " . $decrypted . "<br />"; //debug
$token = encrypt($text, $secretKey);
print $token . "<br />"; // debug
/*
BankMobile wants the URL to be in the form shown below. The
token is a hex string that represents the raw encryption.
(See above!)
*/
$url = "https://www.refundselection.com/refundselection/#/landing?token=" . $token . "&clientcode=" . $client_code;
print $url . "<br />"; // debug
// Uncomment the next two lines to perform the redirection. The debug print
// statements above must be removed first: once any output has been sent,
// PHP can no longer emit a Location header (unless output buffering is on).
//header("Location: " . $url);
//exit;
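The script above only builds the token; it is worth seeing what the receiving side has to check before treating that token as a login assertion, and what the chosen cipher mode gives away. The following is an added example, not code from the page or from BankMobile: buildToken() reproduces the page's construction (clientcode&id&timestamp, AES-128-ECB, PKCS#7 padding, hex), and validateToken() is a sketch of the verifier side, not BankMobile's documented behaviour. The key, client code, student IDs and the 300-second freshness window are made-up values.

```php
<?php
// Added example (not part of the original script): build the BankMobile token the
// same way the page does, then show what a receiver has to check before trusting it.
// The key, client code, IDs and the 300-second window below are made-up values.

const TOKEN_MAX_AGE_SECONDS = 300;   // assumed freshness window; not a BankMobile figure
const TOKEN_CLOCK_SKEW_SECONDS = 30; // tolerate slightly fast sender clocks

// Same construction as the page: "clientcode&id&MM/DD/YYYY HH:MM:SS" (UTC),
// AES-128-ECB with PKCS#7 padding, hex-encoded.
function buildToken(string $clientCode, string $id, DateTimeImmutable $when, string $key): string {
    $stamp = $when->setTimezone(new DateTimeZone('UTC'))->format('m/d/Y H:i:s');
    $text  = $clientCode . '&' . $id . '&' . $stamp;
    return bin2hex(openssl_encrypt($text, 'aes-128-ecb', $key, OPENSSL_RAW_DATA));
}

// Receiver side: returns the ID carried in the token, or null if anything is off.
// ECB gives no integrity, so a wrong key or a tampered block may still decrypt to
// something; every field is therefore checked rather than assumed.
function validateToken(string $hexToken, string $key, string $expectedClientCode, DateTimeImmutable $now): ?string {
    if ($hexToken === '' || !ctype_xdigit($hexToken) || strlen($hexToken) % 32 !== 0) {
        return null; // must be a whole number of 16-byte AES blocks, hex-encoded
    }
    $plain = openssl_decrypt(hex2bin($hexToken), 'aes-128-ecb', $key, OPENSSL_RAW_DATA);
    if ($plain === false) {
        return null; // padding check failed (wrong key or damaged last block)
    }
    $parts = explode('&', $plain); // the page's format cannot carry '&' inside a field
    if (count($parts) !== 3) {
        return null;
    }
    [$clientCode, $id, $stamp] = $parts;
    if (!hash_equals($expectedClientCode, $clientCode) || $id === '') {
        return null;
    }
    $utc  = new DateTimeZone('UTC');
    $when = DateTimeImmutable::createFromFormat('!m/d/Y H:i:s', $stamp, $utc);
    // createFromFormat() rolls 02/30 over to 03/01; the round trip rejects that.
    if ($when === false || $when->format('m/d/Y H:i:s') !== $stamp) {
        return null;
    }
    $age = $now->getTimestamp() - $when->getTimestamp();
    if ($age < -TOKEN_CLOCK_SKEW_SECONDS || $age > TOKEN_MAX_AGE_SECONDS) {
        return null; // stale or future-dated: treat as a replay
    }
    return $id;
}

// --- demonstration with made-up values ---
$key = hex2bin('00112233445566778899aabbccddeeff'); // stands in for $secretKey
$utc = new DateTimeZone('UTC');
$t1  = buildToken('ABCD', 'H00123456', new DateTimeImmutable('2024-07-04 12:00:00', $utc), $key);
$t2  = buildToken('ABCD', 'H00123456', new DateTimeImmutable('2024-08-09 08:30:00', $utc), $key);

// A fresh token is accepted; the same token replayed ten minutes later, or presented
// under another client code, is refused even though it decrypts cleanly.
var_dump(validateToken($t1, $key, 'ABCD', new DateTimeImmutable('2024-07-04 12:00:30', $utc)));
var_dump(validateToken($t1, $key, 'ABCD', new DateTimeImmutable('2024-07-04 12:10:00', $utc)));
var_dump(validateToken($t1, $key, 'WXYZ', new DateTimeImmutable('2024-07-04 12:00:30', $utc)));

// What ECB leaks: 'ABCD&H00123456&0' is exactly 16 bytes and identical in both
// plaintexts, so the first ciphertext block (32 hex chars) is identical too. Anyone
// seeing two such URLs can tell they belong to the same account without the key.
var_dump(substr($t1, 0, 32) === substr($t2, 0, 32));
```

Run it with `php token_example.php`. The token format is dictated by BankMobile, so the sending side cannot switch to an authenticated mode such as AES-GCM or add an HMAC; the freshness window and the client-code check on the receiving side are what stands between this construction and a replayed or cut-and-paste token, which is why the verifier rejects anything that is not exactly three well-formed fields.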