Decrypts an encrypted element: takes the `xenc:EncryptedData` node (for example the child of a `saml:EncryptedID` or `saml:EncryptedAssertion`) and the private key, and returns the plaintext element. The key's algorithm must match the one declared in the message; a mismatch, or an `EncryptedKey` without an `EncryptionMethod`, results in an Exception (see the test cases below for the exact messages).
public static decryptElement ( DOMElement $encryptedData, XMLSecurityKey $inputKey ) : DOMElement | ||
$encryptedData | DOMElement | The encrypted data. |
$inputKey | XMLSecurityKey | The decryption key: an `XMLSecurityKey` of type `private` loaded with the SP private key. Its algorithm (e.g. `XMLSecurityKey::RSA_1_5`) has to match the algorithm used to encrypt the symmetric key in the message, otherwise an "Algorithm mismatch" Exception is thrown. |
return | DOMElement | The decrypted element. |
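/**
 * Tests the decryptElement method of the OneLogin_Saml2_Utils
 *
 * Covers the happy paths (an encrypted NameID and an encrypted Assertion,
 * decrypted with the SP key from settings1 and with sp2.key) and the failure
 * paths: wrong node handed in, key declared with a different algorithm than
 * the one in the message, EncryptedKey without EncryptionMethod, and
 * EncryptedData without KeyInfo.
 *
 * @covers OneLogin_Saml2_Utils::decryptElement
 */
public function testDecryptElement()
{
    $settingsDir = TEST_ROOT . '/settings/';
    include $settingsDir . 'settings1.php';
    $settings = new OneLogin_Saml2_Settings($settingsInfo);
    $key = $settings->getSPkey();

    $seckey = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type' => 'private'));
    $seckey->loadKey($key);

    // Encrypted NameID: the xenc:EncryptedData node is the first child of saml:EncryptedID.
    $xmlNameIdEnc = base64_decode(file_get_contents(TEST_ROOT . '/data/responses/response_encrypted_nameid.xml.base64'));
    $domNameIdEnc = new DOMDocument();
    $domNameIdEnc->loadXML($xmlNameIdEnc);
    $encryptedNameIDNodes = $domNameIdEnc->getElementsByTagName('EncryptedID');
    $encryptedData = $encryptedNameIDNodes->item(0)->firstChild;
    $decryptedNameId = OneLogin_Saml2_Utils::decryptElement($encryptedData, $seckey);
    $this->assertEquals('saml:NameID', $decryptedNameId->tagName);
    $this->assertEquals('2de11defd199f8d5bb63f9b7deb265ba5c675c10', $decryptedNameId->nodeValue);

    // Encrypted Assertion: locate the xenc:EncryptedData below saml:EncryptedAssertion.
    $xmlAsssertionEnc = base64_decode(file_get_contents(TEST_ROOT . '/data/responses/valid_encrypted_assertion.xml.base64'));
    $domAsssertionEnc = new DOMDocument();
    $domAsssertionEnc->loadXML($xmlAsssertionEnc);
    $encryptedAssertionEncNodes = $domAsssertionEnc->getElementsByTagName('EncryptedAssertion');
    $encryptedAssertionEncNode = $encryptedAssertionEncNodes->item(0);
    $encryptedDataAssertNodes = $encryptedAssertionEncNode->getElementsByTagName('EncryptedData');
    $encryptedDataAssert = $encryptedDataAssertNodes->item(0);
    $decryptedAssertion = OneLogin_Saml2_Utils::decryptElement($encryptedDataAssert, $seckey);
    $this->assertEquals('saml:Assertion', $decryptedAssertion->tagName);

    // Handing in the saml:EncryptedID wrapper instead of its EncryptedData child must be refused.
    $this->assertDecryptElementFails(
        $encryptedNameIDNodes->item(0),
        $seckey,
        'Algorithm mismatch between input key and key in message'
    );

    // A second RSA-1.5 private key, loaded from sp2.key, also decrypts the NameID.
    $key2 = file_get_contents(TEST_ROOT . '/data/misc/sp2.key');
    $seckey2 = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type' => 'private'));
    $seckey2->loadKey($key2);
    $decryptedNameId2 = OneLogin_Saml2_Utils::decryptElement($encryptedData, $seckey2);
    $this->assertEquals('saml:NameID', $decryptedNameId2->tagName);
    $this->assertEquals('2de11defd199f8d5bb63f9b7deb265ba5c675c10', $decryptedNameId2->nodeValue);

    // The same key material declared as RSA_SHA512 no longer matches the algorithm that
    // was used to encrypt the symmetric key, so decryption must be refused.
    $seckey3 = new XMLSecurityKey(XMLSecurityKey::RSA_SHA512, array('type' => 'private'));
    $seckey3->loadKey($key2);
    $this->assertDecryptElementFails(
        $encryptedData,
        $seckey3,
        'Algorithm mismatch between input key and key used to encrypt the symmetric key for the message'
    );

    // EncryptedKey without an EncryptionMethod: the algorithm cannot be determined.
    $xmlNameIdEnc2 = base64_decode(file_get_contents(TEST_ROOT . '/data/responses/invalids/encrypted_nameID_without_EncMethod.xml.base64'));
    $domNameIdEnc2 = new DOMDocument();
    $domNameIdEnc2->loadXML($xmlNameIdEnc2);
    $encryptedNameIDNodes2 = $domNameIdEnc2->getElementsByTagName('EncryptedID');
    $encryptedData2 = $encryptedNameIDNodes2->item(0)->firstChild;
    $this->assertDecryptElementFails(
        $encryptedData2,
        $seckey,
        'Unable to locate algorithm for this Encrypted Key'
    );

    // EncryptedData without KeyInfo: there is no EncryptedKey to match the input key against.
    $xmlNameIdEnc3 = base64_decode(file_get_contents(TEST_ROOT . '/data/responses/invalids/encrypted_nameID_without_keyinfo.xml.base64'));
    $domNameIdEnc3 = new DOMDocument();
    $domNameIdEnc3->loadXML($xmlNameIdEnc3);
    $encryptedNameIDNodes3 = $domNameIdEnc3->getElementsByTagName('EncryptedID');
    $encryptedData3 = $encryptedNameIDNodes3->item(0)->firstChild;
    $this->assertDecryptElementFails(
        $encryptedData3,
        $seckey,
        'Algorithm mismatch between input key and key in message'
    );
}

/**
 * Asserts that OneLogin_Saml2_Utils::decryptElement() refuses the given
 * data/key pair with an Exception whose message contains $expectedMessage.
 *
 * A flag is used instead of an assertion inside the try block: PHPUnit reports
 * assertion failures as exceptions, so a bare assertTrue(false) after the call
 * would itself be swallowed by catch (Exception) and the test would fail on
 * the message comparison rather than on the missing exception.
 *
 * @param mixed          $encryptedData   Node handed to decryptElement()
 * @param XMLSecurityKey $key             Key handed to decryptElement()
 * @param string         $expectedMessage Substring expected in the exception message
 */
private function assertDecryptElementFails($encryptedData, XMLSecurityKey $key, $expectedMessage)
{
    $thrown = false;
    try {
        OneLogin_Saml2_Utils::decryptElement($encryptedData, $key);
    } catch (Exception $e) {
        $thrown = true;
        $this->assertContains($expectedMessage, $e->getMessage());
    }
    $this->assertTrue($thrown, 'decryptElement() was expected to throw but returned normally');
}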
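/**
 * Gets the NameID Data of the Logout Request.
 *
 * When the request carries a saml:EncryptedID, the xenc:EncryptedData inside
 * it is decrypted with the SP private key; otherwise the plain saml:NameID is
 * read. In both cases the element's text and its Format / SPNameQualifier /
 * NameQualifier attributes (when present) are returned.
 *
 * NOTE(review): nothing in this method validates the LogoutRequest signature;
 * callers must verify the message before acting on the returned NameID.
 * NOTE(review): the key is always loaded as RSA-1.5 (PKCS#1 v1.5) and
 * decryptElement() rejects a key whose algorithm differs from the one in the
 * message, so a symmetric key wrapped with RSA-OAEP would presumably be
 * refused here; RSA-1.5 key transport is also the scheme exposed to
 * padding-oracle (Bleichenbacher-style) attacks — confirm which algorithm the
 * IdPs in use emit.
 *
 * @param string|DOMDocument $request Logout Request Message
 * @param string             $key     The SP key (PEM private key); only required when the NameID is encrypted
 *
 * @return array Name ID Data (Value, Format, NameQualifier, SPNameQualifier)
 *
 * @throws Exception If the NameID is encrypted and no key was given, if the
 *                   EncryptedID holds no EncryptedData, if decryption fails,
 *                   or if the request contains no NameID at all.
 */
public static function getNameIdData($request, $key = null)
{
    if ($request instanceof DOMDocument) {
        $dom = $request;
    } else {
        $dom = new DOMDocument();
        $dom = OneLogin_Saml2_Utils::loadXML($dom, $request);
    }

    $encryptedEntries = OneLogin_Saml2_Utils::query($dom, '/samlp:LogoutRequest/saml:EncryptedID');
    if ($encryptedEntries->length == 1) {
        $encryptedDataNodes = $encryptedEntries->item(0)->getElementsByTagName('EncryptedData');
        $encryptedData = $encryptedDataNodes->item(0);

        if (empty($key)) {
            throw new Exception("Key is required in order to decrypt the NameID");
        }
        // A malformed EncryptedID yields no EncryptedData child; fail with a clear
        // message instead of handing null to decryptElement()'s DOMElement parameter.
        if ($encryptedData === null) {
            throw new Exception("EncryptedID found in the Logout Request but it contains no EncryptedData");
        }

        $seckey = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type' => 'private'));
        $seckey->loadKey($key);
        $nameId = OneLogin_Saml2_Utils::decryptElement($encryptedData, $seckey);
    } else {
        $entries = OneLogin_Saml2_Utils::query($dom, '/samlp:LogoutRequest/saml:NameID');
        if ($entries->length == 1) {
            $nameId = $entries->item(0);
        }
    }

    if (!isset($nameId)) {
        throw new Exception("Not NameID found in the Logout Request");
    }

    $nameIdData = array();
    $nameIdData['Value'] = $nameId->nodeValue;
    foreach (array('Format', 'SPNameQualifier', 'NameQualifier') as $attr) {
        if ($nameId->hasAttribute($attr)) {
            $nameIdData[$attr] = $nameId->getAttribute($attr);
        }
    }

    return $nameIdData;
}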
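/**
 * Gets the NameID Data provided by the SAML response from the IdP.
 *
 * When the assertion's Subject carries a saml:EncryptedID, its
 * xenc:EncryptedData is decrypted with the SP private key from the settings;
 * otherwise the plain saml:NameID is read. The element's text and its
 * Format / SPNameQualifier / NameQualifier attributes (when present) are
 * returned.
 *
 * NOTE(review): this method does not itself validate the Response or
 * Assertion signature; callers must verify the message before trusting the
 * returned NameID.
 * NOTE(review): the key is always loaded as RSA-1.5 (PKCS#1 v1.5) and
 * decryptElement() rejects a key whose algorithm differs from the one in the
 * message, so a symmetric key wrapped with RSA-OAEP would presumably be
 * refused here; RSA-1.5 key transport is also the scheme exposed to
 * padding-oracle (Bleichenbacher-style) attacks — confirm which algorithm the
 * IdPs in use emit.
 *
 * @return array Name ID Data (Value, Format, NameQualifier, SPNameQualifier)
 *
 * @throws Exception If the NameID is encrypted and no SP key is configured,
 *                   if decryption fails, or if the assertion has no NameID.
 */
public function getNameIdData()
{
    $encryptedIdDataEntries = $this->_queryAssertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData');
    if ($encryptedIdDataEntries->length == 1) {
        $encryptedData = $encryptedIdDataEntries->item(0);

        $key = $this->_settings->getSPkey();
        // Same guard as the LogoutRequest variant: refuse up front with a clear
        // message instead of handing an empty key to XMLSecurityKey::loadKey().
        if (empty($key)) {
            throw new Exception("Key is required in order to decrypt the NameID");
        }

        $seckey = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type' => 'private'));
        $seckey->loadKey($key);
        $nameId = OneLogin_Saml2_Utils::decryptElement($encryptedData, $seckey);
    } else {
        $entries = $this->_queryAssertion('/saml:Subject/saml:NameID');
        if ($entries->length == 1) {
            $nameId = $entries->item(0);
        }
    }

    if (!isset($nameId)) {
        throw new Exception("Not NameID found in the assertion of the Response");
    }

    $nameIdData = array();
    $nameIdData['Value'] = $nameId->nodeValue;
    foreach (array('Format', 'SPNameQualifier', 'NameQualifier') as $attr) {
        if ($nameId->hasAttribute($attr)) {
            $nameIdData[$attr] = $nameId->getAttribute($attr);
        }
    }

    return $nameIdData;
}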