nov-ruby-openid 2.1.9

data/lib/openid/consumer/responses.rb

@@ -0,0 +1,148 @@
+module OpenID
+  class Consumer
+    # Code returned when either the of the
+    # OpenID::OpenIDConsumer.begin_auth or OpenID::OpenIDConsumer.complete_auth
+    # methods return successfully.
+    SUCCESS = :success
+
+    # Code OpenID::OpenIDConsumer.complete_auth
+    # returns when the value it received indicated an invalid login.
+    FAILURE = :failure
+
+    # Code returned by OpenIDConsumer.complete_auth when the user
+    # cancels the operation from the server.
+    CANCEL = :cancel
+
+    # Code returned by OpenID::OpenIDConsumer.complete_auth when the
+    # OpenIDConsumer instance is in immediate mode and ther server sends back a
+    # URL for the user to login with.
+    SETUP_NEEDED = :setup_needed
+
+
+    module Response
+      attr_reader :endpoint
+
+      def status
+        self.class::STATUS
+      end
+
+      # The identity URL that has been authenticated; the Claimed Identifier.
+      # See also display_identifier.
+      def identity_url
+        @endpoint ? @endpoint.claimed_id : nil
+      end
+
+      # The display identifier is related to the Claimed Identifier, but the
+      # two are not always identical.  The display identifier is something the
+      # user should recognize as what they entered, whereas the response's
+      # claimed identifier (in the identity_url attribute) may have extra
+      # information for better persistence.
+      #
+      # URLs will be stripped of their fragments for display.  XRIs will
+      # display the human-readable identifier (i-name) instead of the
+      # persistent identifier (i-number).
+      #
+      # Use the display identifier in your user interface.  Use identity_url
+      # for querying your database or authorization server, or other
+      # identifier equality comparisons.
+      def display_identifier
+        @endpoint ? @endpoint.display_identifier : nil
+      end
+    end
+
+    # A successful acknowledgement from the OpenID server that the
+    # supplied URL is, indeed controlled by the requesting agent.
+    class SuccessResponse
+      include Response
+
+      STATUS = SUCCESS
+
+      attr_reader :message, :signed_fields
+
+      def initialize(endpoint, message, signed_fields)
+        # Don't use :endpoint=, because endpoint should never be nil
+        # for a successfull transaction.
+        @endpoint = endpoint
+        @identity_url = endpoint.claimed_id
+        @message = message
+        @signed_fields = signed_fields
+      end
+
+      # Was this authentication response an OpenID 1 authentication
+      # response?
+      def is_openid1
+        @message.is_openid1
+      end
+
+      # Return whether a particular key is signed, regardless of its
+      # namespace alias
+      def signed?(ns_uri, ns_key)
+        @signed_fields.member?(@message.get_key(ns_uri, ns_key))
+      end
+
+      # Return the specified signed field if available, otherwise
+      # return default
+      def get_signed(ns_uri, ns_key, default=nil)
+        if signed?(ns_uri, ns_key)
+          return @message.get_arg(ns_uri, ns_key, default)
+        else
+          return default
+        end
+      end
+
+      # Get signed arguments from the response message.  Return a dict
+      # of all arguments in the specified namespace.  If any of the
+      # arguments are not signed, return nil.
+      def get_signed_ns(ns_uri)
+        msg_args = @message.get_args(ns_uri)
+        msg_args.each_key do |key|
+          if !signed?(ns_uri, key)
+            return nil
+          end
+        end
+        return msg_args
+      end
+
+      # Return response arguments in the specified namespace.
+      # If require_signed is true and the arguments are not signed,
+      # return nil.
+      def extension_response(namespace_uri, require_signed)
+        if require_signed
+          get_signed_ns(namespace_uri)
+        else
+          @message.get_args(namespace_uri)
+        end
+      end
+    end
+
+    class FailureResponse
+      include Response
+      STATUS = FAILURE
+
+      attr_reader :message, :contact, :reference
+      def initialize(endpoint, message, contact=nil, reference=nil)
+        @endpoint = endpoint
+        @message = message
+        @contact = contact
+        @reference = reference
+      end
+    end
+
+    class CancelResponse
+      include Response
+      STATUS = CANCEL
+      def initialize(endpoint)
+        @endpoint = endpoint
+      end
+    end
+
+    class SetupNeededResponse
+      include Response
+      STATUS = SETUP_NEEDED
+      def initialize(endpoint, setup_url)
+        @endpoint = endpoint
+        @setup_url = setup_url
+      end
+    end
+  end
+end

data/lib/openid/cryptutil.rb

@@ -0,0 +1,115 @@
+require "openid/util"
+require "digest/sha1"
+require "digest/sha2"
+begin
+  require "digest/hmac"
+rescue LoadError
+  begin
+    # Try loading the ruby-hmac files if they exist
+    require "hmac-sha1"
+    require "hmac-sha2"
+  rescue LoadError
+    # Nothing exists use included hmac files
+    require "hmac/sha1"
+    require "hmac/sha2"
+  end
+end
+
+module OpenID
+  # This module contains everything needed to perform low-level
+  # cryptograph and data manipulation tasks.
+  module CryptUtil
+
+    # Generate a random number, doing a little extra work to make it
+    # more likely that it's suitable for cryptography. If your system
+    # doesn't have /dev/urandom then this number is not
+    # cryptographically safe. See
+    # <http://www.cosine.org/2007/08/07/security-ruby-kernel-rand/>
+    # for more information.  max is the largest possible value of such
+    # a random number, where the result will be less than max.
+    def CryptUtil.rand(max)
+      Kernel.srand()
+      return Kernel.rand(max)
+    end
+
+    def CryptUtil.sha1(text)
+      return Digest::SHA1.digest(text)
+    end
+
+    def CryptUtil.hmac_sha1(key, text)
+      if Digest.const_defined? :HMAC
+        Digest::HMAC.new(key,Digest::SHA1).update(text).digest
+      else
+        return HMAC::SHA1.digest(key, text)
+      end
+    end
+
+    def CryptUtil.sha256(text)
+      return Digest::SHA256.digest(text)
+    end
+
+    def CryptUtil.hmac_sha256(key, text)
+      if Digest.const_defined? :HMAC
+        Digest::HMAC.new(key,Digest::SHA256).update(text).digest
+      else
+        return HMAC::SHA256.digest(key, text)
+      end
+    end
+
+    # Generate a random string of the given length, composed of the
+    # specified characters.  If chars is nil, generate a string
+    # composed of characters in the range 0..255.
+    def CryptUtil.random_string(length, chars=nil)
+      s = ""
+
+      unless chars.nil?
+        length.times { s << chars[rand(chars.length)] }
+      else
+        length.times { s << rand(256).chr }
+      end
+      return s
+    end
+
+    # Convert a number to its binary representation; return a string
+    # of bytes.
+    def CryptUtil.num_to_binary(n)
+      bits = n.to_s(2)
+      prepend = (8 - bits.length % 8)
+      bits = ('0' * prepend) + bits
+      return [bits].pack('B*')
+    end
+
+    # Convert a string of bytes into a number.
+    def CryptUtil.binary_to_num(s)
+      # taken from openid-ruby 0.0.1
+      s = "\000" * (4 - (s.length % 4)) + s
+      num = 0
+      s.unpack('N*').each do |x|
+        num <<= 32
+        num |= x
+      end
+      return num
+    end
+
+    # Encode a number as a base64-encoded byte string.
+    def CryptUtil.num_to_base64(l)
+      return OpenID::Util.to_base64(num_to_binary(l))
+    end
+
+    # Decode a base64 byte string to a number.
+    def CryptUtil.base64_to_num(s)
+      return binary_to_num(OpenID::Util.from_base64(s))
+    end
+
+    def CryptUtil.const_eq(s1, s2)
+      if s1.length != s2.length
+        return false
+      end
+      result = true
+      s1.length.times do |i|
+        result &= (s1[i] == s2[i])
+      end
+      return result
+    end
+  end
+end

data/lib/openid/dh.rb

@@ -0,0 +1,89 @@
+require "openid/util"
+require "openid/cryptutil"
+
+module OpenID
+
+  # Encapsulates a Diffie-Hellman key exchange.  This class is used
+  # internally by both the consumer and server objects.
+  #
+  # Read more about Diffie-Hellman on wikipedia:
+  # http://en.wikipedia.org/wiki/Diffie-Hellman
+
+  class DiffieHellman
+
+    # From the OpenID specification
+    @@default_mod = 155172898181473697471232257763715539915724801966915404479707795314057629378541917580651227423698188993727816152646631438561595825688188889951272158842675419950341258706556549803580104870537681476726513255747040765857479291291572334510643245094715007229621094194349783925984760375594985848253359305585439638443
+    @@default_gen = 2
+
+    attr_reader :modulus, :generator, :public
+
+    # A new DiffieHellman object, using the modulus and generator from
+    # the OpenID specification
+    def DiffieHellman.from_defaults
+      DiffieHellman.new(@@default_mod, @@default_gen)
+    end
+
+    def initialize(modulus=nil, generator=nil, priv=nil)
+      @modulus = modulus.nil? ? @@default_mod : modulus
+      @generator = generator.nil? ? @@default_gen : generator
+      set_private(priv.nil? ? OpenID::CryptUtil.rand(@modulus-2) + 1 : priv)
+    end
+
+    def get_shared_secret(composite)
+      DiffieHellman.powermod(composite, @private, @modulus)
+    end
+
+    def xor_secret(algorithm, composite, secret)
+      dh_shared = get_shared_secret(composite)
+      packed_dh_shared = OpenID::CryptUtil.num_to_binary(dh_shared)
+      hashed_dh_shared = algorithm.call(packed_dh_shared)
+      return DiffieHellman.strxor(secret, hashed_dh_shared)
+    end
+
+    def using_default_values?
+      @generator == @@default_gen && @modulus == @@default_mod
+    end
+
+    private
+    def set_private(priv)
+      @private = priv
+      @public = DiffieHellman.powermod(@generator, @private, @modulus)
+    end
+
+    def DiffieHellman.strxor(s, t)
+      if s.length != t.length
+        raise ArgumentError, "strxor: lengths don't match. " +
+          "Inputs were #{s.inspect} and #{t.inspect}"
+      end
+
+      if String.method_defined? :bytes
+        s.bytes.zip(t.bytes).map{|sb,tb| sb^tb}.pack('C*')
+      else
+        indices = 0...(s.length)
+        chrs = indices.collect {|i| (s[i]^t[i]).chr}
+        chrs.join("")
+      end
+    end
+
+    # This code is taken from this post:
+    # <http://blade.nagaokaut.ac.jp/cgi-bin/scat.\rb/ruby/ruby-talk/19098>
+    # by Eric Lee Green.
+    def DiffieHellman.powermod(x, n, q)
+      counter=0
+      n_p=n
+      y_p=1
+      z_p=x
+      while n_p != 0
+        if n_p[0]==1
+          y_p=(y_p*z_p) % q
+        end
+        n_p = n_p >> 1
+        z_p = (z_p * z_p) % q
+        counter += 1
+      end
+      return y_p
+    end
+
+  end
+
+end

data/lib/openid/extension.rb

@@ -0,0 +1,39 @@
+require 'openid/message'
+
+module OpenID
+  # An interface for OpenID extensions.
+  class Extension < Object
+
+    def initialize
+      @ns_uri = nil
+      @ns_alias = nil
+    end
+
+    # Get the string arguments that should be added to an OpenID
+    # message for this extension.
+    def get_extension_args
+      raise NotImplementedError
+    end
+
+    # Add the arguments from this extension to the provided
+    # message, or create a new message containing only those
+    # arguments.  Returns the message with added extension args.
+    def to_message(message = nil)
+      if message.nil?
+#         warnings.warn('Passing None to Extension.toMessage is deprecated. '
+#                       'Creating a message assuming you want OpenID 2.',
+#                       DeprecationWarning, stacklevel=2)
+        Message.new(OPENID2_NS)
+      end
+      message = Message.new if message.nil?
+
+      implicit = message.is_openid1()
+
+      message.namespaces.add_alias(@ns_uri, @ns_alias, implicit)
+      # XXX python ignores keyerror if m.ns.getAlias(uri) == alias
+
+      message.update_args(@ns_uri, get_extension_args)
+      return message
+    end
+  end
+end

data/lib/openid/extensions/ax.rb

@@ -0,0 +1,539 @@
+# Implements the OpenID attribute exchange specification, version 1.0
+
+require 'openid/extension'
+require 'openid/trustroot'
+require 'openid/message'
+
+module OpenID
+  module AX
+
+    UNLIMITED_VALUES = "unlimited"
+    MINIMUM_SUPPORTED_ALIAS_LENGTH = 32
+
+    # check alias for invalid characters, raise AXError if found
+    def self.check_alias(name)
+      if name.match(/(,|\.)/)
+        raise Error, ("Alias #{name.inspect} must not contain a "\
+                      "comma or period.")
+      end
+    end
+
+    # Raised when data does not comply with AX 1.0 specification
+    class Error < ArgumentError
+    end
+
+    # Abstract class containing common code for attribute exchange messages
+    class AXMessage < Extension
+      attr_accessor :ns_alias, :mode, :ns_uri
+
+      NS_URI = 'http://openid.net/srv/ax/1.0'
+      def initialize
+        @ns_alias = 'ax'
+        @ns_uri = NS_URI
+        @mode = nil
+      end
+
+      protected
+
+      # Raise an exception if the mode in the attribute exchange
+      # arguments does not match what is expected for this class.
+      def check_mode(ax_args)
+        actual_mode = ax_args['mode']
+        if actual_mode != @mode
+          raise Error, "Expected mode #{mode.inspect}, got #{actual_mode.inspect}"
+        end
+      end
+
+      def new_args
+        {'mode' => @mode}
+      end
+    end
+
+    # Represents a single attribute in an attribute exchange
+    # request. This should be added to an Request object in order to
+    # request the attribute.
+    #
+    # @ivar required: Whether the attribute will be marked as required
+    #     when presented to the subject of the attribute exchange
+    #     request.
+    # @type required: bool
+    #
+    # @ivar count: How many values of this type to request from the
+    #      subject. Defaults to one.
+    # @type count: int
+    #
+    # @ivar type_uri: The identifier that determines what the attribute
+    #      represents and how it is serialized. For example, one type URI
+    #      representing dates could represent a Unix timestamp in base 10
+    #      and another could represent a human-readable string.
+    # @type type_uri: str
+    #
+    # @ivar ns_alias: The name that should be given to this alias in the
+    #      request. If it is not supplied, a generic name will be
+    #      assigned. For example, if you want to call a Unix timestamp
+    #      value 'tstamp', set its alias to that value. If two attributes
+    #      in the same message request to use the same alias, the request
+    #      will fail to be generated.
+    # @type alias: str or NoneType
+    class AttrInfo < Object
+      attr_reader :type_uri, :count, :ns_alias
+      attr_accessor :required
+      def initialize(type_uri, ns_alias=nil, required=false, count=1)
+        @type_uri = type_uri
+        @count = count
+        @required = required
+        @ns_alias = ns_alias
+      end
+
+      def wants_unlimited_values?
+        @count == UNLIMITED_VALUES
+      end
+    end
+
+    # Given a namespace mapping and a string containing a
+    # comma-separated list of namespace aliases, return a list of type
+    # URIs that correspond to those aliases.
+    # namespace_map: OpenID::NamespaceMap
+    def self.to_type_uris(namespace_map, alias_list_s)
+      return [] if alias_list_s.nil?
+      alias_list_s.split(',').inject([]) {|uris, name|
+        type_uri = namespace_map.get_namespace_uri(name)
+        raise IndexError, "No type defined for attribute name #{name.inspect}" if type_uri.nil?
+        uris << type_uri
+      }
+    end
+
+
+    # An attribute exchange 'fetch_request' message. This message is
+    # sent by a relying party when it wishes to obtain attributes about
+    # the subject of an OpenID authentication request.
+    class FetchRequest < AXMessage
+      attr_reader :requested_attributes
+      attr_accessor :update_url
+      
+      MODE = 'fetch_request'
+
+      def initialize(update_url = nil)
+        super()
+        @mode = MODE
+        @requested_attributes = {}
+        @update_url = update_url
+      end
+
+      # Add an attribute to this attribute exchange request.
+      # attribute: AttrInfo, the attribute being requested
+      # Raises IndexError if the requested attribute is already present
+      #   in this request.
+      def add(attribute)
+        if @requested_attributes[attribute.type_uri]
+          raise IndexError, "The attribute #{attribute.type_uri} has already been requested"
+        end
+        @requested_attributes[attribute.type_uri] = attribute
+      end
+
+      # Get the serialized form of this attribute fetch request.
+      # returns a hash of the arguments
+      def get_extension_args
+        aliases = NamespaceMap.new
+        required = []
+        if_available = []
+        ax_args = new_args 
+        @requested_attributes.each{|type_uri, attribute|
+          if attribute.ns_alias
+            name = aliases.add_alias(type_uri, attribute.ns_alias)
+          else
+            name = aliases.add(type_uri)
+          end
+          if attribute.required
+            required << name
+          else
+            if_available << name
+          end
+          if attribute.count != 1
+            ax_args["count.#{name}"] = attribute.count.to_s
+          end
+          ax_args["type.#{name}"] = type_uri
+        }
+
+        unless required.empty?
+          ax_args['required'] = required.join(',')
+        end
+        unless if_available.empty?
+          ax_args['if_available'] = if_available.join(',')
+        end
+        return ax_args
+      end
+
+      # Get the type URIs for all attributes that have been marked
+      # as required.
+      def get_required_attrs
+        @requested_attributes.inject([]) {|required, (type_uri, attribute)|
+          if attribute.required
+            required << type_uri
+          else
+            required
+          end
+        }
+      end
+
+      # Extract a FetchRequest from an OpenID message
+      # message: OpenID::Message
+      # return a FetchRequest or nil if AX arguments are not present
+      def self.from_openid_request(oidreq)
+        message = oidreq.message
+        ax_args = message.get_args(NS_URI)
+        return nil if ax_args == {} or ax_args['mode'] != MODE
+        req = new
+        req.parse_extension_args(ax_args)
+
+        if req.update_url
+          realm = message.get_arg(OPENID_NS, 'realm',
+                                  message.get_arg(OPENID_NS, 'return_to'))
+          if realm.nil? or realm.empty?
+            raise Error, "Cannot validate update_url #{req.update_url.inspect} against absent realm"
+          end
+          tr = TrustRoot::TrustRoot.parse(realm)
+          unless tr.validate_url(req.update_url)
+            raise Error, "Update URL #{req.update_url.inspect} failed validation against realm #{realm.inspect}"
+          end
+        end
+
+        return req
+      end
+
+      def parse_extension_args(ax_args)
+        check_mode(ax_args)
+
+        aliases = NamespaceMap.new
+
+        ax_args.each{|k,v|
+          if k.index('type.') == 0
+            name = k[5..-1]
+            type_uri = v
+            aliases.add_alias(type_uri, name)
+
+            count_key = 'count.'+name
+            count_s = ax_args[count_key]
+            count = 1
+            if count_s
+              if count_s == UNLIMITED_VALUES
+                count = count_s
+              else
+                count = count_s.to_i
+                if count <= 0
+                  raise Error, "Invalid value for count #{count_key.inspect}: #{count_s.inspect}"
+                end
+              end
+            end
+            add(AttrInfo.new(type_uri, name, false, count))
+          end
+        }
+
+        required = AX.to_type_uris(aliases, ax_args['required'])
+        required.each{|type_uri|
+          @requested_attributes[type_uri].required = true
+        }
+        if_available = AX.to_type_uris(aliases, ax_args['if_available'])
+        all_type_uris = required + if_available
+
+        aliases.namespace_uris.each{|type_uri|
+          unless all_type_uris.member? type_uri
+            raise Error, "Type URI #{type_uri.inspect} was in the request but not present in 'required' or 'if_available'"
+          end
+        }
+        @update_url = ax_args['update_url']
+      end
+
+      # return the list of AttrInfo objects contained in the FetchRequest
+      def attributes
+        @requested_attributes.values
+      end
+
+      # return the list of requested attribute type URIs
+      def requested_types
+        @requested_attributes.keys
+      end
+
+      def member?(type_uri)
+        ! @requested_attributes[type_uri].nil?
+      end
+
+    end
+
+    # Abstract class that implements a message that has attribute
+    # keys and values. It contains the common code between
+    # fetch_response and store_request.
+    class KeyValueMessage < AXMessage
+      attr_reader :data
+      def initialize
+        super()
+        @mode = nil
+        @data = {}
+        @data.default = []
+      end
+
+      # Add a single value for the given attribute type to the
+      # message. If there are already values specified for this type,
+      # this value will be sent in addition to the values already
+      # specified.
+      def add_value(type_uri, value)
+        @data[type_uri] = @data[type_uri] << value
+      end
+
+      # Set the values for the given attribute type. This replaces
+      # any values that have already been set for this attribute.
+      def set_values(type_uri, values)
+        @data[type_uri] = values
+      end
+
+      # Get the extension arguments for the key/value pairs
+      # contained in this message.
+      def _get_extension_kv_args(aliases = nil)
+        aliases = NamespaceMap.new if aliases.nil?
+
+        ax_args = new_args
+
+        @data.each{|type_uri, values|
+          name = aliases.add(type_uri)
+          ax_args['type.'+name] = type_uri
+          ax_args['count.'+name] = values.size.to_s
+
+          values.each_with_index{|value, i|
+            key = "value.#{name}.#{i+1}"
+            ax_args[key] = value
+          }
+        }
+        return ax_args
+      end
+
+      # Parse attribute exchange key/value arguments into this object.
+
+      def parse_extension_args(ax_args)
+        check_mode(ax_args)
+        aliases = NamespaceMap.new
+
+        ax_args.each{|k, v|
+          if k.index('type.') == 0
+            type_uri = v
+            name = k[5..-1]
+
+            AX.check_alias(name)
+            aliases.add_alias(type_uri,name)
+          end
+        }
+
+        aliases.each{|type_uri, name|
+          count_s = ax_args['count.'+name]
+          count = count_s.to_i
+          if count_s.nil?
+            value = ax_args['value.'+name]
+            if value.nil?
+              raise IndexError, "Missing #{'value.'+name} in FetchResponse" 
+            elsif value.empty?
+              values = []
+            else
+              values = [value]
+            end
+          elsif count_s.to_i == 0
+            values = []
+          else
+            values = (1..count).inject([]){|l,i|
+              key = "value.#{name}.#{i}"
+              v = ax_args[key]
+              raise IndexError, "Missing #{key} in FetchResponse" if v.nil?
+              l << v
+            }
+          end
+          @data[type_uri] = values
+        }
+      end
+
+      # Get a single value for an attribute. If no value was sent
+      # for this attribute, use the supplied default. If there is more
+      # than one value for this attribute, this method will fail.
+      def get_single(type_uri, default = nil)
+        values = @data[type_uri]
+        return default if values.empty?
+        if values.size != 1
+          raise Error, "More than one value present for #{type_uri.inspect}"
+        else
+          return values[0]
+        end
+      end
+
+      # retrieve the list of values for this attribute
+      def get(type_uri)
+        @data[type_uri]
+      end
+      
+      # retrieve the list of values for this attribute
+      def [](type_uri)
+        @data[type_uri]
+      end
+
+      # get the number of responses for this attribute
+      def count(type_uri)
+        @data[type_uri].size
+      end
+
+    end
+
+    # A fetch_response attribute exchange message
+    class FetchResponse < KeyValueMessage
+      attr_reader :update_url
+
+      def initialize(update_url = nil)
+        super()
+        @mode = 'fetch_response'
+        @update_url = update_url
+      end
+
+      # Serialize this object into arguments in the attribute
+      # exchange namespace
+      # Takes an optional FetchRequest.  If specified, the response will be
+      # validated against this request, and empty responses for requested
+      # fields with no data will be sent.
+      def get_extension_args(request = nil)
+        aliases = NamespaceMap.new
+        zero_value_types = []
+
+        if request
+          # Validate the data in the context of the request (the
+          # same attributes should be present in each, and the
+          # counts in the response must be no more than the counts
+          # in the request)
+          @data.keys.each{|type_uri|
+            unless request.member? type_uri
+              raise IndexError, "Response attribute not present in request: #{type_uri.inspect}"
+            end
+          }
+
+          request.attributes.each{|attr_info|
+            # Copy the aliases from the request so that reading
+            # the response in light of the request is easier
+            if attr_info.ns_alias.nil?
+              aliases.add(attr_info.type_uri)
+            else
+              aliases.add_alias(attr_info.type_uri, attr_info.ns_alias)
+            end
+            values = @data[attr_info.type_uri]
+            if values.empty? # @data defaults to []
+              zero_value_types << attr_info
+            end
+            if attr_info.count != UNLIMITED_VALUES and attr_info.count < values.size
+              raise Error, "More than the number of requested values were specified for #{attr_info.type_uri.inspect}"
+            end
+          }
+        end
+
+        kv_args = _get_extension_kv_args(aliases)
+
+        # Add the KV args into the response with the args that are
+        # unique to the fetch_response
+        ax_args = new_args
+
+        zero_value_types.each{|attr_info|
+          name = aliases.get_alias(attr_info.type_uri)
+          kv_args['type.' + name] = attr_info.type_uri
+          kv_args['count.' + name] = '0'
+        }
+        update_url = (request and request.update_url or @update_url)
+        ax_args['update_url'] = update_url unless update_url.nil?
+        ax_args.update(kv_args)
+        return ax_args
+      end
+
+      def parse_extension_args(ax_args)
+        super
+        @update_url = ax_args['update_url']
+      end
+
+      # Construct a FetchResponse object from an OpenID library
+      # SuccessResponse object.
+      def self.from_success_response(success_response, signed=true)
+        obj = self.new
+        if signed
+          ax_args = success_response.get_signed_ns(obj.ns_uri)
+        else
+          ax_args = success_response.message.get_args(obj.ns_uri)
+        end
+
+        begin
+          obj.parse_extension_args(ax_args)
+          return obj
+        rescue Error => e
+          return nil
+        end
+      end
+    end
+
+    # A store request attribute exchange message representation
+    class StoreRequest < KeyValueMessage
+      
+      MODE = 'store_request'
+      
+      def initialize
+        super
+        @mode = MODE
+      end
+      
+      # Extract a StoreRequest from an OpenID message
+      # message: OpenID::Message
+      # return a StoreRequest or nil if AX arguments are not present
+      def self.from_openid_request(oidreq)
+        message = oidreq.message 
+        ax_args = message.get_args(NS_URI)
+        return nil if ax_args.empty? or ax_args['mode'] != MODE
+        req = new
+        req.parse_extension_args(ax_args)
+        req
+      end
+      
+      def get_extension_args(aliases=nil)
+        ax_args = new_args
+        kv_args = _get_extension_kv_args(aliases)
+        ax_args.update(kv_args)
+        return ax_args
+      end
+    end
+
+    # An indication that the store request was processed along with
+    # this OpenID transaction.
+    class StoreResponse < AXMessage
+      SUCCESS_MODE = 'store_response_success'
+      FAILURE_MODE = 'store_response_failure'
+      attr_reader :error_message
+
+      def initialize(succeeded = true, error_message = nil)
+        super()
+        if succeeded and error_message
+          raise Error, "Error message included in a success response"
+        end
+        if succeeded
+          @mode = SUCCESS_MODE
+        else
+          @mode = FAILURE_MODE
+        end
+        @error_message = error_message
+      end
+      
+      def self.from_success_response(success_response)
+        resp = nil
+        ax_args = success_response.message.get_args(NS_URI)
+        resp = ax_args.key?('error') ? new(false, ax_args['error']) : new
+      end
+      
+      def succeeded?
+        @mode == SUCCESS_MODE
+      end
+
+      def get_extension_args
+        ax_args = new_args
+        if !succeeded? and error_message
+          ax_args['error'] = @error_message
+        end
+        return ax_args
+      end
+    end
+  end
+end