|
public static getPublicKey ( ) : |
||
| return | ||
/**
* Test that signatures no longer validate if the value has been tampered with.
*/
public function testValidateWithValueTampering()
{
// Test modification of SignatureValue.
$signedMockElementCopy = Utils::copyElement($this->signedMockElement);
$signedMockElementCopy->ownerDocument->appendChild($signedMockElementCopy);
$digestValueElements = Utils::xpQuery($signedMockElementCopy, '/root/ds:Signature/ds:SignatureValue');
$this->assertCount(1, $digestValueElements);
$digestValueElements[0]->firstChild->data = 'invalid';
$tmp = new SignedElementHelperMock($signedMockElementCopy);
$this->setExpectedException('Exception', 'Unable to validate Signature');
$tmp->validate(CertificatesMock::getPublicKey());
}
/**
* Due to the fact that the symmetric key is generated each time, we cannot test whether or not the resulting XML
* matches a specific XML, but we can test whether or not the resulting structure is actually correct, conveying
* all information required to decrypt the NameId.
*/
public function testThatAnEncryptedNameIdResultsInTheCorrectXmlStructure()
{
// the NameID we're going to encrypt
$nameId = array('Value' => md5('Arthur Dent'), 'Format' => Constants::NAMEID_ENCRYPTED);
// basic AuthnRequest
$request = new AuthnRequest();
$request->setIssuer('https://gateway.stepup.org/saml20/sp/metadata');
$request->setDestination('https://tiqr.stepup.org/idp/profile/saml2/Redirect/SSO');
$request->setNameId($nameId);
// encrypt the NameID
$key = CertificatesMock::getPublicKey();
$request->encryptNameId($key);
$expectedXml = <<<AUTHNREQUEST
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID=""
Version=""
IssueInstant=""
Destination="">
<saml:Issuer></saml:Issuer>
<saml:Subject>
<saml:EncryptedID xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey>
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<xenc:CipherData>
<xenc:CipherValue></xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</dsig:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue></xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml:EncryptedID>
</saml:Subject>
</samlp:AuthnRequest>
AUTHNREQUEST;
$expectedStructure = DOMDocumentFactory::fromString($expectedXml)->documentElement;
$requestStructure = $request->toUnsignedXML();
$this->assertEqualXMLStructure($expectedStructure, $requestStructure);
}
/**
* Test validating a signed authentication request.
*/
public function testSignedRequestValidationWrongKeytype()
{
$qs = 'SAMLRequest=nVLBauMwEP0Vo7sjW7FpKpJA2rBsoNuGOruHXhZFHm8EsuRqxtv27yvbWWgvYelFgjfvzbx5zBJVazu56enkHuG5B6TktbUO5VhYsT446RUalE61gJK0rDY%2F7qSYZbILnrz2ln2QXFYoRAhkvGPJbrtiv7VoygJEoTJ9LOusXDSFuJ4vdH6cxwoIEGUjsrqoFUt%2BQcCoXLHYKMoRe9g5JOUoQlleprlI8%2FyQz6W4ksXiiSXbuI1xikbViahDyfkRSM2wD40DmjnL0bSdhcE6Hx7BTd3xqnqoIPw1GmbdqWPJNx80jCGtGIUeWLL5t8mtd9i3EM78n493%2FzWr9XVvx%2B58mj39IlUaR%2FQmKOPq4Dtkyf4c9E1EjPtzOePjREL5%2FXDYp%2FuH6sDWy6G3HDML66%2B5ayO7VlHx2dySf2y9nM7pPprabffeGv02ZNcquux5QEydNiNVUlAODTiKMVvrX24DKIJz8nw9jfx8tOt3&RelayState=https%3A%2F%2Fbeta.surfnet.nl%2Fsimplesaml%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3DBraindrops&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=b%2Bqe%2FXGgICOrEL1v9dwuoy0RJtJ%2FGNAr7gJGYSJzLG0riPKwo7v5CH8GPC2P9IRikaeaNeQrnhBAaf8FCWrO0cLFw4qR6msK9bxRBGk%2BhIaTUYCh54ETrVCyGlmBneMgC5%2FiCRvtEW3ESPXCCqt8Ncu98yZmv9LIVyHSl67Se%2BfbB9sDw3%2FfzwYIHRMqK2aS8jnsnqlgnBGGOXqIqN3%2Bd%2F2dwtCfz14s%2F9odoYzSUv32qfNPiPez6PSNqwhwH7dWE3TlO%2FjZmz0DnOeQ2ft6qdZEi5ZN5KCV6VmNKpkrLMq6DDPnuwPm%2F8oCAoT88R2jG7uf9QZB%2BArWJKMEhDLsCA%3D%3D';
$_SERVER['QUERY_STRING'] = $qs;
$hr = new HTTPRedirect();
$request = $hr->receive();
// validate with wrong type of cert
$this->setExpectedException('Exception', 'Invalid key type for validating signature');
$result = $request->validate(CertificatesMock::getPublicKey());
}
public function testTypedEncryptedAttributeValuesAreParsedCorrectly()
{
$xml = <<<XML
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
Version="2.0"
ID="_93af655219464fb403b34436cfb0c5cb1d9a5502"
IssueInstant="1970-01-01T01:33:31Z">
<saml:Issuer>Provider</saml:Issuer>
<saml:Conditions/>
<saml:AttributeStatement>
<saml:Attribute Name="urn:some:string">
<saml:AttributeValue xsi:type="xs:string">string</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:some:integer">
<saml:AttributeValue xsi:type="xs:integer">42</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
XML;
$privateKey = CertificatesMock::getPublicKey();
$assertion = new Assertion(DOMDocumentFactory::fromString($xml)->firstChild);
$assertion->setEncryptionKey($privateKey);
$assertion->setEncryptedAttributes(true);
$encryptedAssertion = $assertion->toXML()->ownerDocument->saveXML();
$assertionToVerify = new Assertion(DOMDocumentFactory::fromString($encryptedAssertion)->firstChild);
$this->assertTrue($assertionToVerify->hasEncryptedAttributes());
$assertionToVerify->decryptAttributes(CertificatesMock::getPrivateKey());
$attributes = $assertionToVerify->getAttributes();
$this->assertInternalType('int', $attributes['urn:some:integer'][0]);
$this->assertInternalType('string', $attributes['urn:some:string'][0]);
$this->assertXmlStringEqualsXmlString($xml, $assertionToVerify->toXML()->ownerDocument->saveXML());
}
/**
* Test NameID Encryption and Decryption.
*/
public function testNameIdEncryption()
{
// Create an assertion
$assertion = new Assertion();
$assertion->setIssuer('testIssuer');
$assertion->setValidAudiences(array('audience1', 'audience2'));
$assertion->setAuthnContext('someAuthnContext');
$assertion->setNameId(array("Value" => "just_a_basic_identifier", "Format" => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"));
$this->assertFalse($assertion->isNameIdEncrypted());
$publicKey = CertificatesMock::getPublicKey();
$assertion->encryptNameId($publicKey);
$this->assertTrue($assertion->isNameIdEncrypted());
// Marshall it to a \DOMElement
$assertionElement = $assertion->toXML()->ownerDocument->saveXML();
$assertionToVerify = new Assertion(DOMDocumentFactory::fromString($assertionElement)->firstChild);
$this->assertTrue($assertionToVerify->isNameIdEncrypted());
$privateKey = CertificatesMock::getPrivateKey();
$assertionToVerify->decryptNameId($privateKey);
$this->assertFalse($assertionToVerify->isNameIdEncrypted());
$nameID = $assertionToVerify->getNameID();
$this->assertEquals('just_a_basic_identifier', $nameID['Value']);
$this->assertEquals('urn:oasis:names:tc:SAML:2.0:nameid-format:transient', $nameID['Format']);
}
