/**
* Extracts the Signed Token from an EncryptedData block
*
* @throws Zend_InfoCard_Exception
* @param string $strXmlToken The EncryptedData XML block
* @return string The XML of the Signed Token inside of the EncryptedData block
*/
protected function _extractSignedToken($strXmlToken)
{
$encryptedData = Zend_InfoCard_Xml_EncryptedData::getInstance($strXmlToken);
// Determine the Encryption Method used to encrypt the token
switch ($encryptedData->getEncryptionMethod()) {
case Zend_InfoCard_Cipher::ENC_AES128CBC:
case Zend_InfoCard_Cipher::ENC_AES256CBC:
break;
default:
require_once 'Zend/InfoCard/Exception.php';
throw new Zend_InfoCard_Exception("Unknown Encryption Method used in the secure token");
}
// Figure out the Key we are using to decrypt the token
$keyinfo = $encryptedData->getKeyInfo();
if (!$keyinfo instanceof Zend_InfoCard_Xml_KeyInfo_XmlDSig) {
require_once 'Zend/InfoCard/Exception.php';
throw new Zend_InfoCard_Exception("Expected a XML digital signature KeyInfo, but was not found");
}
$encryptedKey = $keyinfo->getEncryptedKey();
switch ($encryptedKey->getEncryptionMethod()) {
case Zend_InfoCard_Cipher::ENC_RSA:
case Zend_InfoCard_Cipher::ENC_RSA_OAEP_MGF1P:
break;
default:
require_once 'Zend/InfoCard/Exception.php';
throw new Zend_InfoCard_Exception("Unknown Key Encryption Method used in secure token");
}
$securityTokenRef = $encryptedKey->getKeyInfo()->getSecurityTokenReference();
$key_id = $this->_findCertifiatePairByDigest($securityTokenRef->getKeyReference());
if (!$key_id) {
require_once 'Zend/InfoCard/Exception.php';
throw new Zend_InfoCard_Exception("Unable to find key pair used to encrypt symmetric InfoCard Key");
}
$certificate_pair = $this->getCertificatePair($key_id);
// Santity Check
if ($certificate_pair['type_uri'] != $encryptedKey->getEncryptionMethod()) {
require_once 'Zend/InfoCard/Exception.php';
throw new Zend_InfoCard_Exception("Certificate Pair which matches digest is not of same algorithm type as document, check addCertificate()");
}
$PKcipher = Zend_InfoCard_Cipher::getInstanceByURI($encryptedKey->getEncryptionMethod());
$base64DecodeSupportsStrictParam = version_compare(PHP_VERSION, '5.2.0', '>=');
if ($base64DecodeSupportsStrictParam) {
$keyCipherValueBase64Decoded = base64_decode($encryptedKey->getCipherValue(), true);
} else {
$keyCipherValueBase64Decoded = base64_decode($encryptedKey->getCipherValue());
}
$symmetricKey = $PKcipher->decrypt($keyCipherValueBase64Decoded, file_get_contents($certificate_pair['private']), $certificate_pair['password']);
$symCipher = Zend_InfoCard_Cipher::getInstanceByURI($encryptedData->getEncryptionMethod());
if ($base64DecodeSupportsStrictParam) {
$dataCipherValueBase64Decoded = base64_decode($encryptedData->getCipherValue(), true);
} else {
$dataCipherValueBase64Decoded = base64_decode($encryptedData->getCipherValue());
}
$signedToken = $symCipher->decrypt($dataCipherValueBase64Decoded, $symmetricKey);
return $signedToken;
}
public function testSecurityTokenReference()
{
$sectoken = Zend_InfoCard_Xml_EncryptedData::getInstance($this->_xmlDocument)->getKeyInfo()->getEncryptedKey()->getKeyInfo()->getSecurityTokenReference();
$this->assertTrue($sectoken instanceof Zend_InfoCard_Xml_SecurityTokenReference);
$this->assertSame($sectoken->getKeyThumbprintType(), 'http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1');
$this->assertSame($sectoken->getKeyThumbprintEncodingType(), 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary');
$this->assertSame($sectoken->getKeyReference(false), '/OCqQ7Np25sOiA+4OsFh1R6qIeY=');
}