Beispiel #1
0
 /**
  * Check the Signature in a XML element.
  *
  * This function expects the XML element to contain a Signature-element
  * which contains a reference to the XML-element. This is common for both
  * messages and assertions.
  *
  * Note that this function only validates the element itself. It does not
  * check this against any local keys.
  *
  * If no Signature-element is located, this function will return false. All
  * other validation errors result in an exception. On successful validation
  * an array will be returned. This array contains the information required to
  * check the signature against a public key.
  *
  * @param  \DOMElement  $root The element which should be validated.
  * @return array|bool An array with information about the Signature-element.
  * @throws \Exception
  */
 public static function validateElement(\DOMElement $root)
 {
     /* Create an XML security object. */
     $objXMLSecDSig = new XMLSecurityDSig();
     /* Both SAML messages and SAML assertions use the 'ID' attribute. */
     $objXMLSecDSig->idKeys[] = 'ID';
     /* Locate the XMLDSig Signature element to be used. */
     $signatureElement = self::xpQuery($root, './ds:Signature');
     if (count($signatureElement) === 0) {
         /* We don't have a signature element ot validate. */
         return false;
     } elseif (count($signatureElement) > 1) {
         throw new \Exception('XMLSec: more than one signature element in root.');
     }
     $signatureElement = $signatureElement[0];
     $objXMLSecDSig->sigNode = $signatureElement;
     /* Canonicalize the XMLDSig SignedInfo element in the message. */
     $objXMLSecDSig->canonicalizeSignedInfo();
     /* Validate referenced xml nodes. */
     if (!$objXMLSecDSig->validateReference()) {
         throw new \Exception('XMLsec: digest validation failed');
     }
     /* Check that $root is one of the signed nodes. */
     $rootSigned = false;
     /** @var \DOMNode $signedNode */
     foreach ($objXMLSecDSig->getValidatedNodes() as $signedNode) {
         if ($signedNode->isSameNode($root)) {
             $rootSigned = true;
             break;
         } elseif ($root->parentNode instanceof \DOMDocument && $signedNode->isSameNode($root->ownerDocument)) {
             /* $root is the root element of a signed document. */
             $rootSigned = true;
             break;
         }
     }
     if (!$rootSigned) {
         throw new \Exception('XMLSec: The root element is not signed.');
     }
     /* Now we extract all available X509 certificates in the signature element. */
     $certificates = array();
     foreach (self::xpQuery($signatureElement, './ds:KeyInfo/ds:X509Data/ds:X509Certificate') as $certNode) {
         $certData = trim($certNode->textContent);
         $certData = str_replace(array("\r", "\n", "\t", ' '), '', $certData);
         $certificates[] = $certData;
     }
     $ret = array('Signature' => $objXMLSecDSig, 'Certificates' => $certificates);
     return $ret;
 }
 /**
  * @param \DOMElement            $node
  * @param DeserializationContext $context
  *
  * @throws \LightSaml\Error\LightSamlSecurityException
  */
 public function deserialize(\DOMElement $node, DeserializationContext $context)
 {
     $this->checkXmlNodeName($node, 'Signature', SamlConstants::NS_XMLDSIG);
     $this->signature = new XMLSecurityDSig();
     $this->signature->idKeys[] = $this->getIDName();
     $this->signature->sigNode = $node;
     $this->signature->canonicalizeSignedInfo();
     $this->key = null;
     $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'public'));
     XMLSecEnc::staticLocateKeyInfo($key, $node);
     if ($key->name || $key->key) {
         $this->key = $key;
     }
     $this->certificates = array();
     $list = $context->getXpath()->query('./ds:KeyInfo/ds:X509Data/ds:X509Certificate', $node);
     foreach ($list as $certNode) {
         $certData = trim($certNode->textContent);
         $certData = str_replace(array("\r", "\n", "\t", ' '), '', $certData);
         $this->certificates[] = $certData;
     }
 }
 /**
  * Validate the receipt contained in the given XML element using the
  * certificate provided.
  *
  * @param  DOMDocument $dom
  * @param  resource    $certificate
  * @return bool
  */
 protected function validateXml(DOMDocument $dom, $certificate)
 {
     $secDsig = new XMLSecurityDSig();
     // Locate the signature in the receipt XML.
     $dsig = $secDsig->locateSignature($dom);
     if ($dsig === null) {
         throw new RunTimeException('Cannot locate receipt signature');
     }
     $secDsig->canonicalizeSignedInfo();
     $secDsig->idKeys = array('wsu:Id');
     $secDsig->idNS = array('wsu' => 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd');
     if (!$secDsig->validateReference()) {
         throw new RunTimeException('Reference validation failed');
     }
     $key = $secDsig->locateKey();
     if ($key === null) {
         throw new RunTimeException('Could not locate key in receipt');
     }
     $keyInfo = XMLSecEnc::staticLocateKeyInfo($key, $dsig);
     if (!$keyInfo->key) {
         $key->loadKey($certificate);
     }
     return $secDsig->verify($key) == 1;
 }
Beispiel #4
0
 public function verify(DOMDocument $data)
 {
     $objKey = null;
     $objXMLSecDSig = new XMLSecurityDSig();
     $objDSig = $objXMLSecDSig->locateSignature($data);
     if (!$objDSig) {
         throw new UnexpectedValueException('Signature DOM element not found.');
     }
     $objXMLSecDSig->canonicalizeSignedInfo();
     if (!$this->getPublicKey()) {
         // try to get the public key from the certificate
         $objKey = $objXMLSecDSig->locateKey();
         if (!$objKey) {
             throw new RuntimeException('There is no set either private key or public key for signature verification.');
         }
         XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig);
         $this->publicKey = $objKey->getX509Certificate();
         $this->keyAlgorithm = $objKey->getAlgorith();
     }
     if (!$objKey) {
         $objKey = new XMLSecurityKey($this->keyAlgorithm, ['type' => 'public']);
         $objKey->loadKey($this->getPublicKey());
     }
     // Check signature
     if (1 !== $objXMLSecDSig->verify($objKey)) {
         return false;
     }
     // Check references (data)
     try {
         $objXMLSecDSig->validateReference();
     } catch (\Exception $e) {
         return false;
     }
     return true;
 }
Beispiel #5
0
 public function processSignature($refNode)
 {
     $objXMLSecDSig = new XMLSecurityDSig();
     $objXMLSecDSig->idKeys[] = 'wswsu:Id';
     $objXMLSecDSig->idNS['wswsu'] = self::WSUNS;
     $objXMLSecDSig->sigNode = $refNode;
     /* Canonicalize the signed info */
     $objXMLSecDSig->canonicalizeSignedInfo();
     $retVal = $objXMLSecDSig->validateReference();
     if (!$retVal) {
         throw new Exception('Validation Failed');
     }
     $key = null;
     $objKey = $objXMLSecDSig->locateKey();
     if ($objKey) {
         if ($objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $refNode)) {
             /* Handle any additional key processing such as encrypted keys here */
         }
     }
     if (empty($objKey)) {
         throw new Exception('Error loading key to handle Signature');
     }
     do {
         if (empty($objKey->key)) {
             $this->SOAPXPath->registerNamespace('xmlsecdsig', XMLSecurityDSig::XMLDSIGNS);
             $query = './xmlsecdsig:KeyInfo/wswsse:SecurityTokenReference/wswsse:Reference';
             $nodeset = $this->SOAPXPath->query($query, $refNode);
             if ($encmeth = $nodeset->item(0)) {
                 if ($uri = $encmeth->getAttribute('URI')) {
                     $arUrl = parse_url($uri);
                     if (empty($arUrl['path']) && ($identifier = $arUrl['fragment'])) {
                         $query = '//wswsse:BinarySecurityToken[@wswsu:Id="' . $identifier . '"]';
                         $nodeset = $this->SOAPXPath->query($query);
                         if ($encmeth = $nodeset->item(0)) {
                             $x509cert = $encmeth->textContent;
                             $x509cert = str_replace(array("\r", "\n"), '', $x509cert);
                             $x509cert = "-----BEGIN CERTIFICATE-----\n" . chunk_split($x509cert, 64, "\n") . "-----END CERTIFICATE-----\n";
                             $objKey->loadKey($x509cert);
                             break;
                         }
                     }
                 }
             }
             throw new Exception('Error loading key to handle Signature');
         }
     } while (0);
     if (!$objXMLSecDSig->verify($objKey)) {
         throw new Exception('Unable to validate Signature');
     }
     return true;
 }