The array will contain the id of the referenced node as the key and the node itself
as the value.
Returns:
An associative array of validated nodes or null if no nodes have been validated.
public getValidatedNodes ( ) |
/** * Check the Signature in a XML element. * * This function expects the XML element to contain a Signature-element * which contains a reference to the XML-element. This is common for both * messages and assertions. * * Note that this function only validates the element itself. It does not * check this against any local keys. * * If no Signature-element is located, this function will return FALSE. All * other validation errors result in an exception. On successful validation * an array will be returned. This array contains the information required to * check the signature against a public key. * * @param DOMElement $root The element which should be validated. * @return array|bool An array with information about the Signature-element. * @throws Exception */ public static function validateElement(DOMElement $root) { /* Create an XML security object. */ $objXMLSecDSig = new XMLSecurityDSig(); /* Both SAML messages and SAML assertions use the 'ID' attribute. */ $objXMLSecDSig->idKeys[] = 'ID'; /* Locate the XMLDSig Signature element to be used. */ $signatureElement = self::xpQuery($root, './ds:Signature'); if (count($signatureElement) === 0) { /* We don't have a signature element ot validate. */ return FALSE; } elseif (count($signatureElement) > 1) { throw new Exception('XMLSec: more than one signature element in root.'); } $signatureElement = $signatureElement[0]; $objXMLSecDSig->sigNode = $signatureElement; /* Canonicalize the XMLDSig SignedInfo element in the message. */ $objXMLSecDSig->canonicalizeSignedInfo(); /* Validate referenced xml nodes. */ if (!$objXMLSecDSig->validateReference()) { throw new Exception('XMLsec: digest validation failed'); } /* Check that $root is one of the signed nodes. */ $rootSigned = FALSE; /** @var DOMNode $signedNode */ foreach ($objXMLSecDSig->getValidatedNodes() as $signedNode) { if ($signedNode->isSameNode($root)) { $rootSigned = TRUE; break; } elseif ($root->parentNode instanceof DOMDocument && $signedNode->isSameNode($root->ownerDocument)) { /* $root is the root element of a signed document. */ $rootSigned = TRUE; break; } } if (!$rootSigned) { throw new Exception('XMLSec: The root element is not signed.'); } /* Now we extract all available X509 certificates in the signature element. */ $certificates = array(); foreach (self::xpQuery($signatureElement, './ds:KeyInfo/ds:X509Data/ds:X509Certificate') as $certNode) { $certData = trim($certNode->textContent); $certData = str_replace(array("\r", "\n", "\t", ' '), '', $certData); $certificates[] = $certData; } $ret = array('Signature' => $objXMLSecDSig, 'Certificates' => $certificates); return $ret; }
/** * This function initializes the validator. * * @param $xmlNode The XML node which contains the Signature element. * @param $idAttribute The ID attribute which is used in node references. If this attribute is * NULL (the default), then we will use whatever is the default ID. */ public function __construct($xmlNode, $idAttribute = NULL, $publickey = FALSE) { assert('$xmlNode instanceof DOMNode'); /* Create an XML security object. */ $objXMLSecDSig = new XMLSecurityDSig(); /* Add the id attribute if the user passed in an id attribute. */ if ($idAttribute !== NULL) { assert('is_string($idAttribute)'); $objXMLSecDSig->idKeys[] = $idAttribute; } /* Locate the XMLDSig Signature element to be used. */ $signatureElement = $objXMLSecDSig->locateSignature($xmlNode); if (!$signatureElement) { throw new Exception('Could not locate XML Signature element.'); } /* Canonicalize the XMLDSig SignedInfo element in the message. */ $objXMLSecDSig->canonicalizeSignedInfo(); /* Validate referenced xml nodes. */ if (!$objXMLSecDSig->validateReference()) { throw new Exception('XMLsec: digest validation failed'); } /* Find the key used to sign the document. */ $objKey = $objXMLSecDSig->locateKey(); if (empty($objKey)) { throw new Exception('Error loading key to handle XML signature'); } /* Load the key data. */ if ($publickey) { $objKey->loadKey($publickey); } else { if (!XMLSecEnc::staticLocateKeyInfo($objKey, $signatureElement)) { throw new Exception('Error finding key data for XML signature validation.'); } } /* Check the signature. */ if (!$objXMLSecDSig->verify($objKey)) { throw new Exception("Unable to validate Signature"); } /* Extract the certificate fingerprint. */ $this->x509Fingerprint = $objKey->getX509Fingerprint(); /* Find the list of validated nodes. */ $this->validNodes = $objXMLSecDSig->getValidatedNodes(); }
/** * This function initializes the validator. * * This function accepts an optional parameter $publickey, which is the public key * or certificate which should be used to validate the signature. This parameter can * take the following values: * - NULL/FALSE: No validation will be performed. This is the default. * - A string: Assumed to be a PEM-encoded certificate / public key. * - An array: Assumed to be an array returned by SimpleSAML_Utilities::loadPublicKey. * * @param DOMNode $xmlNode The XML node which contains the Signature element. * @param string|array $idAttribute The ID attribute which is used in node references. If * this attribute is NULL (the default), then we will use whatever is the default * ID. Can be eigther a string with one value, or an array with multiple ID * attrbute names. * @param array $publickey The public key / certificate which should be used to validate the XML node. */ public function __construct($xmlNode, $idAttribute = NULL, $publickey = FALSE) { assert('$xmlNode instanceof DOMNode'); if ($publickey === NULL) { $publickey = FALSE; } elseif (is_string($publickey)) { $publickey = array('PEM' => $publickey); } else { assert('$publickey === FALSE || is_array($publickey)'); } /* Create an XML security object. */ $objXMLSecDSig = new XMLSecurityDSig(); /* Add the id attribute if the user passed in an id attribute. */ if ($idAttribute !== NULL) { if (is_string($idAttribute)) { $objXMLSecDSig->idKeys[] = $idAttribute; } elseif (is_array($idAttribute)) { foreach ($idAttribute as $ida) { $objXMLSecDSig->idKeys[] = $ida; } } } /* Locate the XMLDSig Signature element to be used. */ $signatureElement = $objXMLSecDSig->locateSignature($xmlNode); if (!$signatureElement) { throw new Exception('Could not locate XML Signature element.'); } /* Canonicalize the XMLDSig SignedInfo element in the message. */ $objXMLSecDSig->canonicalizeSignedInfo(); /* Validate referenced xml nodes. */ if (!$objXMLSecDSig->validateReference()) { throw new Exception('XMLsec: digest validation failed'); } /* Find the key used to sign the document. */ $objKey = $objXMLSecDSig->locateKey(); if (empty($objKey)) { throw new Exception('Error loading key to handle XML signature'); } /* Load the key data. */ if ($publickey !== FALSE && array_key_exists('PEM', $publickey)) { /* We have PEM data for the public key / certificate. */ $objKey->loadKey($publickey['PEM']); } else { /* No PEM data. Search for key in signature. */ if (!XMLSecEnc::staticLocateKeyInfo($objKey, $signatureElement)) { throw new Exception('Error finding key data for XML signature validation.'); } if ($publickey !== FALSE) { /* $publickey is set, and should therefore contain one or more fingerprints. * Check that the response contains a certificate with a matching * fingerprint. */ assert('is_array($publickey["certFingerprint"])'); $certificate = $objKey->getX509Certificate(); if ($certificate === NULL) { /* Wasn't signed with an X509 certificate. */ throw new Exception('Message wasn\'t signed with an X509 certificate,' . ' and no public key was provided in the metadata.'); } self::validateCertificateFingerprint($certificate, $publickey['certFingerprint']); /* Key OK. */ } } /* Check the signature. */ if (!$objXMLSecDSig->verify($objKey)) { throw new Exception("Unable to validate Signature"); } /* Extract the certificate. */ $this->x509Certificate = $objKey->getX509Certificate(); /* Find the list of validated nodes. */ $this->validNodes = $objXMLSecDSig->getValidatedNodes(); }