function testOne()
 {
     // Fixture: a SAML Response whose Assertion carries an enveloped XML signature.
     $document = new \DOMDocument();
     $document->load(__DIR__ . '/../../../../../../../resources/sample/Response/response01.xml');

     $finder = new \DOMXPath($document);
     $finder->registerNamespace('samlp', Protocol::SAML2);
     $finder->registerNamespace('ds', Protocol::NS_XMLDSIG);
     $finder->registerNamespace('a', Protocol::NS_ASSERTION);

     $signatureNodes = $finder->query('/samlp:Response/a:Assertion/ds:Signature');
     $this->assertEquals(1, $signatureNodes->length);
     /** @var $signatureElement \DOMElement */
     $signatureElement = $signatureNodes->item(0);

     $validator = new SignatureXmlValidator();
     $validator->loadFromXml($signatureElement);

     // The verification key is taken from the certificate embedded in the
     // signature's own ds:KeyInfo, so this only shows the document is
     // self-consistent; a relying party has to take the key from trusted
     // IdP metadata rather than from the message being verified.
     $certificateNodes = $finder->query('./ds:KeyInfo/ds:X509Data/ds:X509Certificate', $signatureElement);
     $this->assertEquals(1, $certificateNodes->length);
     /** @var $certificateElement \DOMElement */
     $certificateElement = $certificateNodes->item(0);

     $certificate = new X509Certificate();
     $certificate->setData($certificateElement->textContent);
     $publicKey = KeyHelper::createPublicKey($certificate);

     $this->assertTrue($validator->validate($publicKey));
 }
 /**
  * Asks for an optional signing certificate path and, when one is given,
  * attaches it to the entity descriptor as a 'signing' KeyDescriptor.
  *
  * @param DialogHelper     $dialog
  * @param OutputInterface  $output
  * @param EntityDescriptor $ed     descriptor that receives the KeyDescriptor
  */
 protected function askForCertificate(DialogHelper $dialog, OutputInterface $output, EntityDescriptor $ed)
 {
     // The question is not mandatory (last argument false); an empty answer
     // leaves the descriptor without a signing key.
     $path = $this->askFile($dialog, $output, 'Signing Certificate path', false);
     if (!$path) {
         return;
     }

     $signingCertificate = new X509Certificate();
     $signingCertificate->loadFromFile($path);
     $ed->addItem(new KeyDescriptor('signing', $signingCertificate));
 }
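 /**
  * Lazily loads the certificate configured in $this->certificateFile.
  *
  * A value starting with '@' is resolved through the kernel's resource
  * locator before being read; any other value is used as a plain path.
  * The loaded certificate is cached in $this->_certificate only after a
  * successful load, so a failed load is retried on the next call instead
  * of returning a half-initialized object.
  *
  * @return X509Certificate
  */
 public function getCertificate()
 {
     if (!$this->_certificate) {
         $filename = $this->certificateFile;
         // Guard the offset read: an empty or missing path would otherwise
         // emit an "uninitialized string offset" warning before loadFromFile()
         // gets the chance to fail properly.
         if (is_string($filename) && $filename !== '' && $filename[0] === '@') {
             $filename = $this->kernel->locateResource($filename);
         }

         $certificate = new X509Certificate();
         $certificate->loadFromFile($filename);
         $this->_certificate = $certificate;
     }

     return $this->_certificate;
 }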
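 /**
  * Builds and "sends" an AuthnRequest for each dataset from provider(), first
  * unsigned and then signed with the sample key pair, and checks the destination,
  * the response type and the ACS URL/binding recorded in the message.
  *
  * @dataProvider provider
  *
  * @param string      $name                     dataset label, used as the assertion message
  * @param array       $idpData                  list of ['binding' => ..., 'url' => ...] for IdP SSO services
  * @param array       $spData                   list of ['binding' => ..., 'url' => ...] for SP ACS services
  * @param array       $spMetaData               SpMeta setter name => value to apply
  * @param string      $expectedSendUrl          prefix the response destination must start with
  * @param string      $expectedResponseType     class the response must be an instance of
  * @param string      $expectedReceiveUrl       expected AssertionConsumerServiceURL of the message
  * @param string      $expectedReceiveBinding   expected ProtocolBinding of the message
  * @param string|null $expectedException        exception class expected instead of a result, if any
  * @param string      $expectedExceptionMessage message expected together with $expectedException
  */
 public function testAuthnRequestBuilder($name, array $idpData, array $spData, array $spMetaData, $expectedSendUrl, $expectedResponseType, $expectedReceiveUrl, $expectedReceiveBinding, $expectedException = null, $expectedExceptionMessage = '')
 {
     if ($expectedException) {
         $this->setExpectedException($expectedException, $expectedExceptionMessage);
     }

     $idp = new IdpSsoDescriptor();
     foreach ($idpData as $data) {
         $idp->addService(new SingleSignOnService($data['binding'], $data['url']));
     }
     $edIDP = new EntityDescriptor('idp');
     $edIDP->addItem($idp);

     $sp = new SpSsoDescriptor();
     foreach ($spData as $data) {
         $sp->addService(new AssertionConsumerService($data['binding'], $data['url']));
     }
     $edSP = new EntityDescriptor('sp');
     $edSP->addItem($sp);

     // Each key is an SpMeta setter name. The loop variable must not be called
     // $name: that shadowed the dataset label used as the assertion message below,
     // so failures were reported under the last SpMeta key instead of the dataset.
     $spMeta = new SpMeta();
     foreach ($spMetaData as $setter => $value) {
         $spMeta->{$setter}($value);
     }

     // without signing
     $builder = new AuthnRequestBuilder($edSP, $edIDP, $spMeta);
     $message = $builder->build();
     $response = $builder->send($message);
     $this->assertBuiltRequestMatches($name, $message, $response, $expectedSendUrl, $expectedResponseType, $expectedReceiveUrl, $expectedReceiveBinding);

     // with signing: the sample key pair signs with RSA-SHA1, matching the
     // algorithm KeyHelper::createPublicKey() verifies with. SHA-1 is a legacy
     // signature algorithm; it is kept here only because the fixtures use it.
     $signature = new SignatureCreator();
     $certificate = new X509Certificate();
     $certificate->loadFromFile(__DIR__ . '/../../../../../resources/sample/Certificate/saml.crt');
     $key = new \XMLSecurityKey(\XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
     $key->loadKey(__DIR__ . '/../../../../../resources/sample/Certificate/saml.pem', true);
     $signature->setCertificate($certificate);
     $signature->setXmlSecurityKey($key);

     $builder = new AuthnRequestBuilder($edSP, $edIDP, $spMeta, $signature);
     $message = $builder->build();
     $response = $builder->send($message);
     $this->assertBuiltRequestMatches($name, $message, $response, $expectedSendUrl, $expectedResponseType, $expectedReceiveUrl, $expectedReceiveBinding);
 }

 /**
  * Shared assertions for one build()/send() round of testAuthnRequestBuilder().
  *
  * @param string $name                   dataset label used as the assertion message
  * @param mixed  $message                the built AuthnRequest message
  * @param mixed  $response               the object returned by AuthnRequestBuilder::send()
  * @param string $expectedSendUrl
  * @param string $expectedResponseType
  * @param string $expectedReceiveUrl
  * @param string $expectedReceiveBinding
  */
 private function assertBuiltRequestMatches($name, $message, $response, $expectedSendUrl, $expectedResponseType, $expectedReceiveUrl, $expectedReceiveBinding)
 {
     $this->assertStringStartsWith($expectedSendUrl, $response->getDestination(), $name);
     $this->assertInstanceOf($expectedResponseType, $response, $name);
     $this->assertEquals($expectedReceiveUrl, $message->getAssertionConsumerServiceURL(), $name);
     $this->assertEquals($expectedReceiveBinding, $message->getProtocolBinding(), $name);
 }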
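 /**
  * Asserts that a deserialized AuthnRequest carries the expected header values
  * and a signature that verifies against the sample certificate.
  *
  * @param AuthnRequest $request
  * @param mixed        $id      expected request ID (compared with assertEquals)
  * @param mixed        $time    expected IssueInstant (compared with assertEquals)
  */
 protected function checkRequest(AuthnRequest $request, $id, $time)
 {
     $this->assertEquals($id, $request->getID());
     $this->assertEquals('2.0', $request->getVersion());
     $this->assertEquals($this->destination, $request->getDestination());
     $this->assertEquals($this->ascURL, $request->getAssertionConsumerServiceURL());
     $this->assertEquals($this->protocolBinding, $request->getProtocolBinding());
     $this->assertEquals($time, $request->getIssueInstant());
     $this->assertEquals($this->issuer, $request->getIssuer());
     $this->assertEquals($this->nameIDPolicyFormat, $request->getNameIdPolicyFormat());
     $this->assertTrue($request->getNameIdPolicyAllowCreate());

     /** @var SignatureValidatorInterface $signature */
     $signature = $request->getSignature();
     $this->assertNotNull($signature);
     $this->assertTrue($signature instanceof SignatureValidatorInterface);

     $certificate = new X509Certificate();
     $certificate->loadFromFile(__DIR__ . '/../../../../../resources/sample/Certificate/saml.crt');
     $key = KeyHelper::createPublicKey($certificate);
     // The verification result used to be discarded, so a request with a broken
     // signature still passed this check; assert it explicitly (see testOne()).
     $this->assertTrue($signature->validate($key));
 }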
 /**
  * Builds a small document (<root foo="bar"><other><child>something</child></other></root>),
  * signs its root element with the sample RSA key pair and returns the serialized XML.
  *
  * @return string
  */
 private function getSignedXml()
 {
     $document = new \DOMDocument();
     $document->appendChild($document->createElement('root'));
     /** @var $rootElement \DOMElement */
     $rootElement = $document->firstChild;
     $rootElement->setAttribute('foo', 'bar');

     $otherElement = $document->createElement('other');
     $rootElement->appendChild($otherElement);
     $otherElement->appendChild($document->createElement('child', 'something'));

     $signingCertificate = new X509Certificate();
     $signingCertificate->loadFromFile(__DIR__ . '/../../../../../../../resources/sample/Certificate/saml.crt');
     // Private signing key; RSA-SHA1 is the algorithm the sample fixtures were produced with.
     $privateKey = new \XMLSecurityKey(\XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
     $privateKey->loadKey(__DIR__ . '/../../../../../../../resources/sample/Certificate/saml.pem', true);

     $creator = new SignatureCreator();
     $creator->setCertificate($signingCertificate);
     $creator->setXmlSecurityKey($privateKey);
     // getXml() inserts the ds:Signature into $document in place.
     $creator->getXml($rootElement, new SerializationContext($document));

     return $document->saveXML();
 }
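 /**
  * Populates this KeyDescriptor from a metadata KeyDescriptor element.
  *
  * Reads the 'use' attribute (an absent attribute yields '' from getAttribute())
  * and the single X509Certificate under ds:KeyInfo/ds:X509Data; exactly one
  * non-empty certificate is required.
  *
  * @param \DOMElement $xml
  * @throws \AerialShip\LightSaml\Error\InvalidXmlException when the element is not
  *         a KeyDescriptor in the metadata namespace, or does not carry exactly
  *         one non-empty X509Certificate
  */
 public function loadFromXml(\DOMElement $xml)
 {
     if ($xml->localName !== 'KeyDescriptor' || $xml->namespaceURI !== Protocol::NS_METADATA) {
         throw new InvalidXmlException('Expected KeyDescriptor element and ' . Protocol::NS_METADATA . ' namespace but got ' . $xml->localName);
     }
     $this->setUse($xml->getAttribute('use'));

     // $xml is typed as \DOMElement, so its owner document is always the XPath context.
     $xpath = new \DOMXPath($xml->ownerDocument);
     $xpath->registerNamespace('ds', \XMLSecurityDSig::XMLDSIGNS);
     $list = $xpath->query('./ds:KeyInfo/ds:X509Data/ds:X509Certificate', $xml);
     // Both zero and several certificate nodes are rejected.
     if ($list->length !== 1) {
         throw new InvalidXmlException("Missing X509Certificate node");
     }

     /** @var $x509CertificateNode \DOMElement */
     $x509CertificateNode = $list->item(0);
     $certificateData = trim($x509CertificateNode->nodeValue);
     // Compare against '' instead of relying on truthiness so that content is
     // never rejected merely for being a "falsy" string such as "0".
     if ($certificateData === '') {
         throw new InvalidXmlException("Missing certificate data");
     }

     $this->certificate = new X509Certificate();
     $this->certificate->setData($certificateData);
 }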
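 /**
  * Builds an xmlseclibs public key from an X509 certificate, for verifying
  * XML signatures.
  *
  * @param X509Certificate $certificate
  * @param string          $algorithm   signature algorithm URI the key verifies with;
  *                                     defaults to RSA-SHA1, the legacy value the
  *                                     existing callers and fixtures rely on, but
  *                                     can be set to the algorithm a given document
  *                                     is actually signed with
  * @return \XMLSecurityKey
  */
 public static function createPublicKey(X509Certificate $certificate, $algorithm = \XMLSecurityKey::RSA_SHA1)
 {
     $key = new \XMLSecurityKey($algorithm, array('type' => 'public'));
     // The PEM is passed inline (not a file); the third argument tells xmlseclibs
     // that it is a certificate to extract the public key from, not a bare key.
     $key->loadKey($certificate->toPem(), false, true);

     return $key;
 }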
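 /**
  * A certificate loaded from PEM text must yield an xmlseclibs public key.
  *
  * @test
  */
 public function shouldCreatePublicKeyWhenLoadedFromPem()
 {
     $cert = new X509Certificate();
     $cert->loadPem($this->getPEM());

     $key = KeyHelper::createPublicKey($cert);

     // The test previously only checked that no exception was thrown;
     // pin the return value so a silently-null result is caught too.
     $this->assertInstanceOf('XMLSecurityKey', $key);
 }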
 /**
  * Loads an EntityDescriptor from $root and asserts its SP descriptor content:
  * two key descriptors (signing and encryption, both carrying $certificate),
  * the SAML2 protocol enumeration, one redirect logout service at $locationLogout,
  * and two assertion consumer services (POST index 0, Artifact index 1) at $locationLogin.
  *
  * The name keeps its historical misspelling ("Deserializaton") because callers use it.
  *
  * @param \DOMElement     $root           EntityDescriptor element to deserialize
  * @param string          $entityID       expected entityID
  * @param string          $locationLogout expected SingleLogoutService location
  * @param string          $locationLogin  expected AssertionConsumerService location
  * @param X509Certificate $certificate    certificate both key descriptors must contain
  */
 private function checkDeserializaton(\DOMElement $root, $entityID, $locationLogout, $locationLogin, X509Certificate $certificate)
 {
     $descriptor = new EntityDescriptor();
     $descriptor->loadFromXml($root);
     $this->assertEquals($entityID, $descriptor->getEntityID());

     $allItems = $descriptor->getItems();
     $this->assertEquals(2, count($allItems));
     $this->assertTrue($allItems[0] instanceof SpSsoDescriptor);

     $spDescriptors = $descriptor->getItemsByType('SpSsoDescriptor');
     $this->assertNotEmpty($spDescriptors);
     /** @var $spDescriptor SpSsoDescriptor */
     $spDescriptor = $spDescriptors[0];
     $this->assertNotNull($spDescriptor);
     $this->assertTrue($spDescriptor instanceof SpSsoDescriptor);

     // Key descriptors: signing first, encryption second, same certificate in both.
     $keyDescriptors = $spDescriptor->getKeyDescriptors();
     $this->assertEquals(2, count($keyDescriptors));
     $expectedCertData = $certificate->getData();
     $this->assertEquals(KeyDescriptor::USE_SIGNING, $keyDescriptors[0]->getUse());
     $this->assertEquals($expectedCertData, $keyDescriptors[0]->getCertificate()->getData());
     $this->assertEquals(KeyDescriptor::USE_ENCRYPTION, $keyDescriptors[1]->getUse());
     $this->assertEquals($expectedCertData, $keyDescriptors[1]->getCertificate()->getData());

     $this->assertEquals(Protocol::SAML2, $spDescriptor->getProtocolSupportEnumeration());

     // Services: one logout plus two assertion consumer services.
     $services = $spDescriptor->getServices();
     $this->assertEquals(3, count($services), print_r($services, true));

     $logoutServices = $spDescriptor->findSingleLogoutServices();
     $this->assertNotEmpty($logoutServices);
     $logoutService = $logoutServices[0];
     $this->assertNotNull($logoutService);
     $this->assertEquals(Bindings::SAML2_HTTP_REDIRECT, $logoutService->getBinding());
     $this->assertEquals($locationLogout, $logoutService->getLocation());

     $this->assertEquals(2, count($spDescriptor->findAssertionConsumerServices()));

     $postServices = $spDescriptor->findAssertionConsumerServices(Bindings::SAML2_HTTP_POST);
     $this->assertNotEmpty($postServices);
     $postService = $postServices[0];
     $this->assertNotNull($postService);
     $this->assertEquals(Bindings::SAML2_HTTP_POST, $postService->getBinding());
     $this->assertEquals($locationLogin, $postService->getLocation());
     $this->assertEquals(0, $postService->getIndex());

     $artifactServices = $spDescriptor->findAssertionConsumerServices(Bindings::SAML2_HTTP_ARTIFACT);
     $this->assertNotEmpty($artifactServices);
     $artifactService = $artifactServices[0];
     $this->assertNotNull($artifactService);
     $this->assertEquals(Bindings::SAML2_HTTP_ARTIFACT, $artifactService->getBinding());
     $this->assertEquals($locationLogin, $artifactService->getLocation());
     $this->assertEquals(1, $artifactService->getIndex());
 }