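/**
 * Attempt to log in using the given username and password.
 *
 * On a successful login, this function should return the username as 'uid' attribute,
 * and merged attributes from the configuration file.
 * On failure, it should throw an exception. A SimpleSAML_Error_Error('WRONGUSERPASS')
 * should be thrown in case of a wrong username OR a wrong password, to prevent the
 * enumeration of usernames.
 *
 * The first entry whose username part matches decides the outcome; later duplicates are
 * never consulted. Usernames are compared strictly (===), so numeric-looking names such
 * as "1e3" and "1000" are no longer treated as equal the way a loose "==" would.
 *
 * @param string $username The username the user wrote.
 * @param string $password The password the user wrote.
 * @return array Associative array with the users attributes.
 * @throws SimpleSAML_Error_Error 'WRONGUSERPASS' when no entry matches or the password is wrong.
 */
protected function login($username, $password)
{
    assert(is_string($username));
    assert(is_string($password));

    foreach ($this->users as $userpass) {
        $matches = explode(':', $userpass, 2);
        if ($matches[0] !== $username) {
            continue;
        }

        // An entry without a hash part ("user" or "user:") can never be a valid login.
        // Fail here instead of handing an empty stored value to the verifiers below.
        if (count($matches) !== 2 || $matches[1] === '') {
            throw new SimpleSAML_Error_Error('WRONGUSERPASS');
        }
        $crypted = $matches[1];

        // This is about the only attribute we can add
        $attributes = array_merge(array('uid' => array($username)), $this->attributes);

        // Try the supported formats in turn (short-circuit: later verifiers only run when
        // the earlier ones reject). hash_equals() replaces the loose "==" of the crypt(3)
        // result, which would have compared numeric-looking hash strings numerically, and
        // keeps that comparison constant-time.
        $valid = hash_equals($crypted, crypt($password, $crypted))      // Traditional crypt(3)
            || APR1_MD5::check($crypted, $password)                      // Apache's custom MD5
            || SimpleSAML\Utils\Crypto::pwValid($crypted, $password);    // SHA1 or plain-text

        if ($valid) {
            SimpleSAML_Logger::debug('User ' . $username . ' authenticated successfully');
            return $attributes;
        }

        throw new SimpleSAML_Error_Error('WRONGUSERPASS');
    }

    throw new SimpleSAML_Error_Error('WRONGUSERPASS');
}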
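/**
 * Attempt to log in using the given username and password.
 *
 * On a successful login, this function should return the users attributes. On failure,
 * it should throw an exception. If the error was caused by the user entering the wrong
 * username OR password, a SimpleSAML_Error_Error('WRONGUSERPASS') should be thrown.
 *
 * The username is UTF-8 encoded, and the hash is base64 encoded.
 *
 * The submitted password is never written to the log: the previous debug line included
 * it verbatim, which turns a debug-level log file into a copy of user credentials.
 *
 * @param string $username The username the user wrote.
 * @param string $password The password the user wrote.
 * @return array Associative array with the users attributes.
 * @throws SimpleSAML_Error_Error 'WRONGUSERPASS' when no entry matches or the password is wrong.
 */
protected function login($username, $password)
{
    assert(is_string($username));
    assert(is_string($password));

    // $this->users is keyed "user:hash" with the attribute array as value.
    foreach ($this->users as $userpass => $attrs) {
        $matches = explode(':', $userpass, 2);
        if ($matches[0] !== $username) {
            continue;
        }

        // A key without a "user:hash" separator has nothing to verify against; skip it
        // rather than reading an undefined offset.
        if (count($matches) !== 2) {
            continue;
        }

        if (SimpleSAML\Utils\Crypto::pwValid($matches[1], $password)) {
            return $attrs;
        }

        // Log the failure without the password itself.
        SimpleSAML_Logger::debug('Incorrect password for user ' . $username);
    }

    throw new SimpleSAML_Error_Error('WRONGUSERPASS');
}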
/**
 * Attempt to log in using the given username and password.
 *
 * Only one account exists here: 'admin', whose password hash comes from the
 * 'auth.adminpassword' configuration option. Succeeds with the attribute set
 * array('user' => array('admin')); otherwise throws.
 *
 * Note that both the username and the password are UTF-8 encoded.
 *
 * @param string $username The username the user wrote.
 * @param string $password The password the user wrote.
 * @return array Associative array with the users attributes.
 * @throws SimpleSAML_Error_Error 'NOTSET' while the shipped default password is still configured,
 *         'WRONGUSERPASS' for any other failed attempt.
 */
protected function login($username, $password)
{
    assert('is_string($username)');
    assert('is_string($password)');

    $stored = SimpleSAML_Configuration::getInstance()->getString('auth.adminpassword', '123');

    // The shipped default must be replaced before the admin account is usable at all.
    if ($stored === '123') {
        throw new SimpleSAML_Error_Error('NOTSET');
    }

    // Wrong username short-circuits before the password is ever examined.
    $isAdmin = ($username === 'admin');
    if (!$isAdmin || !SimpleSAML\Utils\Crypto::pwValid($stored, $password)) {
        throw new SimpleSAML_Error_Error('WRONGUSERPASS');
    }

    return array('user' => array('admin'));
}
/**
 * Send an authenticationResponse using HTTP-POST.
 *
 * The response is signed with the IdP's key pair before it leaves: either the Response
 * element or the first Assertion is signed, chosen by the 'signresponse' settings (see the
 * comment in the body). The signed XML is then base64 encoded and delivered to $shire
 * via a self-submitting POST form.
 *
 * @param string $response The response which should be sent.
 * @param SimpleSAML_Configuration $idpmd The metadata of the IdP which is sending the response.
 * @param SimpleSAML_Configuration $spmd The metadata of the SP which is receiving the response.
 * @param string|null $relayState The relaystate for the SP.
 * @param string $shire The shire which should receive the response.
 */
public function sendResponse($response, SimpleSAML_Configuration $idpmd, SimpleSAML_Configuration $spmd, $relayState, $shire)
{
    \SimpleSAML\Utils\XML::checkSAMLMessage($response, 'saml11');

    // Second argument true presumably means "required" (the false variant used elsewhere in
    // this file returns null when the key is absent) — confirm against loadPrivateKey().
    $privatekey = SimpleSAML\Utils\Crypto::loadPrivateKey($idpmd, true);
    $publickey = SimpleSAML\Utils\Crypto::loadPublicKey($idpmd, true);

    $responsedom = new DOMDocument();
    // NOTE(review): the loadXML() result is not checked, and item(0) below is null when the
    // element is missing — relies on checkSAMLMessage() above having rejected malformed input.
    $responsedom->loadXML(str_replace("\r", "", $response));
    $responseroot = $responsedom->getElementsByTagName('Response')->item(0);
    $firstassertionroot = $responsedom->getElementsByTagName('Assertion')->item(0);

    /* Determine what we should sign - either the Response element or the Assertion. The default is to sign the
     * Assertion, but that can be overridden by the 'signresponse' option in the SP metadata or
     * 'saml20.signresponse' in the global configuration.
     *
     * TODO: neither 'signresponse' nor 'shib13.signresponse' are valid options any longer. Remove!
     */
    if ($spmd->hasValue('signresponse')) {
        $signResponse = $spmd->getBoolean('signresponse');
    } else {
        $signResponse = $this->configuration->getBoolean('shib13.signresponse', true);
    }

    // check if we have an assertion to sign. Force to sign the response if not
    if ($firstassertionroot === null) {
        $signResponse = true;
    }

    // 'id' is presumably the name of the ID attribute the signature reference points at,
    // which differs between the Response and Assertion elements in SAML 1.1 — verify in Signer.
    $signer = new SimpleSAML_XML_Signer(array('privatekey_array' => $privatekey, 'publickey_array' => $publickey, 'id' => $signResponse ? 'ResponseID' : 'AssertionID'));

    // An optional intermediate chain is embedded so relying parties can build a path to the signing cert.
    if ($idpmd->hasValue('certificatechain')) {
        $signer->addCertificate($idpmd->getString('certificatechain'));
    }

    if ($signResponse) {
        // sign the response - this must be done after encrypting the assertion
        // we insert the signature before the saml2p:Status element
        $statusElements = SimpleSAML\Utils\XML::getDOMChildren($responseroot, 'Status', '@saml1p');
        // Exactly one Status child is expected; a string assert is a no-op when assertions are disabled.
        assert('count($statusElements) === 1');
        $signer->sign($responseroot, $responseroot, $statusElements[0]);
    } else {
        /* Sign the assertion */
        $signer->sign($firstassertionroot, $firstassertionroot);
    }

    // Serialise the now-signed document; any later change to the XML would invalidate the signature.
    $response = $responsedom->saveXML();

    \SimpleSAML\Utils\XML::debugSAMLMessage($response, 'out');

    \SimpleSAML\Utils\HTTP::submitPOSTData($shire, array('TARGET' => $relayState, 'SAMLResponse' => base64_encode($response)));
}
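<?php
// Serves one of the hosted SAML 2.0 IdP's certificates as a PEM download, selected by PATH_INFO.

// Load SimpleSAMLphp, configuration and metadata
$config = SimpleSAML_Configuration::getInstance();
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();

if (!$config->getBoolean('enable.saml20-idp', false)) {
    throw new SimpleSAML_Error_Error('NOACCESS');
}

// Check if valid local session exists..
if ($config->getBoolean('admin.protectmetadata', false)) {
    SimpleSAML\Utils\Auth::requireAdmin();
}

$idpentityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
$idpmeta = $metadata->getMetaDataConfig($idpentityid, 'saml20-idp-hosted');

// PATH_INFO is unset when the script is requested without a trailing path; treat that
// like an unknown name instead of reading an undefined index.
$pathInfo = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : '';

switch ($pathInfo) {
    case '/new_idp.crt':
        // The "new_" certificate is optional: loadPublicKey() returns null when it is not configured.
        $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, false, 'new_');
        break;
    case '/idp.crt':
        $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, true);
        break;
    case '/https.crt':
        $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, true, 'https.');
        break;
    default:
        throw new SimpleSAML_Error_NotFound('Unknown certificate.');
}

// An unconfigured optional certificate must be a 404, not an empty 200 with a PEM content type.
if ($certInfo === null || !isset($certInfo['PEM'])) {
    throw new SimpleSAML_Error_NotFound('Unknown certificate.');
}

// $pathInfo is one of the three literal names above by now, so it is safe to echo into the header.
header('Content-Disposition: attachment; filename=' . substr($pathInfo, 1));
header('Content-Type: application/x-x509-ca-cert');

echo $certInfo['PEM'];
exit(0);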
$idpmeta = $metadata->getMetaDataConfig($idpentityid, 'adfs-idp-hosted'); $availableCerts = array(); $keys = array(); $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, false, 'new_'); if ($certInfo !== null) { $availableCerts['new_idp.crt'] = $certInfo; $keys[] = array('type' => 'X509Certificate', 'signing' => true, 'encryption' => true, 'X509Certificate' => $certInfo['certData']); $hasNewCert = true; } else { $hasNewCert = false; } $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, true); $availableCerts['idp.crt'] = $certInfo; $keys[] = array('type' => 'X509Certificate', 'signing' => true, 'encryption' => $hasNewCert ? false : true, 'X509Certificate' => $certInfo['certData']); if ($idpmeta->hasValue('https.certificate')) { $httpsCert = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, true, 'https.'); assert('isset($httpsCert["certData"])'); $availableCerts['https.crt'] = $httpsCert; $keys[] = array('type' => 'X509Certificate', 'signing' => true, 'encryption' => false, 'X509Certificate' => $httpsCert['certData']); } $adfs_service_location = SimpleSAML\Module::getModuleURL('adfs') . '/idp/prp.php'; $metaArray = array('metadata-set' => 'adfs-idp-remote', 'entityid' => $idpentityid, 'SingleSignOnService' => array(0 => array('Binding' => \SAML2\Constants::BINDING_HTTP_REDIRECT, 'Location' => $adfs_service_location)), 'SingleLogoutService' => array(0 => array('Binding' => \SAML2\Constants::BINDING_HTTP_REDIRECT, 'Location' => $adfs_service_location))); if (count($keys) === 1) { $metaArray['certData'] = $keys[0]['X509Certificate']; } else { $metaArray['keys'] = $keys; } $metaArray['NameIDFormat'] = $idpmeta->getString('NameIDFormat', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'); if ($idpmeta->hasValue('OrganizationName')) { $metaArray['OrganizationName'] = $idpmeta->getLocalizedString('OrganizationName'); $metaArray['OrganizationDisplayName'] = $idpmeta->getLocalizedString('OrganizationDisplayName', $metaArray['OrganizationName']);
// Interactive CLI helper: reads a password from STDIN and prints its hash in the
// SimpleSAML\Utils\Crypto::pwHash() format, for pasting into an authsources entry.

// This is the base directory of the SimpleSAMLphp installation
$baseDir = dirname(dirname(__FILE__));

// Add library autoloader
require_once $baseDir . '/lib/_autoload.php';

// NOTE(review): the password prompt/read between "Enter password: " and the empty-password
// error appears truncated in this copy of the file; the tokens below are left as found.
echo "Enter password: "******"Need at least one character for a password\n"; exit(1); }

// Print the available algorithms as a table, six per row, each padded to 13 columns.
$table = '';
foreach (array_chunk(hash_algos(), 6) as $chunk) {
    foreach ($chunk as $algo) {
        $table .= sprintf('%-13s', $algo);
    }
    $table .= "\n";
}
echo "The following hashing algorithms are available:\n" . $table . "\n";

echo "Which one do you want? [sha256] ";
$algo = trim(fgets(STDIN));
if (empty($algo)) {
    $algo = 'sha256';
}

// Case-insensitive membership check; note in_array() here is the non-strict form.
if (!in_array(strtolower($algo), hash_algos())) {
    echo "Hashing algorithm '{$algo}' is not supported\n";
    exit(1);
}

echo "Do you want to use a salt? (yes/no) [yes] ";
// Anything other than the literal "no" (including an empty answer) keeps the salted variant.
$s = trim(fgets(STDIN)) == 'no' ? '' : 'S';

// The format name handed to pwHash() is the optional 'S' prefix plus the upper-cased algorithm.
echo "\n " . SimpleSAML\Utils\Crypto::pwHash($password, strtoupper($s . $algo)) . "\n\n";
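<?php
/**
 * This page provides a way to create a redirect to a POST request.
 *
 * Two request forms are accepted:
 *  - RedirId:   the id of POST data stored in the caller's own session (located from the request);
 *  - RedirInfo: a base64 encoded, encrypted "sessionId:postId" pair, which allows the data to be
 *               restored into a session other than the caller's. Successful decryption is what
 *               authenticates that pair; nothing else vouches for the session id it names.
 *
 * @package simpleSAMLphp
 */

if (array_key_exists('RedirId', $_REQUEST)) {
    $postId = $_REQUEST['RedirId'];
    // Reject arrays / empty values up front instead of passing them on to the session lookup.
    if (!is_string($postId) || $postId === '') {
        throw new SimpleSAML_Error_BadRequest('Invalid RedirId data.');
    }
    $session = SimpleSAML_Session::getSessionFromRequest();
} elseif (array_key_exists('RedirInfo', $_REQUEST)) {
    $redirInfo = $_REQUEST['RedirInfo'];
    // Strict base64 decoding rejects input containing characters outside the alphabet
    // instead of silently discarding them; a non-string parameter is treated the same way.
    $encData = is_string($redirInfo) ? base64_decode($redirInfo, true) : false;
    if (empty($encData)) {
        throw new SimpleSAML_Error_BadRequest('Invalid RedirInfo data.');
    }

    $parts = explode(':', SimpleSAML\Utils\Crypto::aesDecrypt($encData));
    // Need both halves; an explicit count check avoids the undefined-offset notice list() would raise.
    if (count($parts) < 2) {
        throw new SimpleSAML_Error_BadRequest('Invalid session info data.');
    }
    list($sessionId, $postId) = $parts;
    if (empty($sessionId) || empty($postId)) {
        throw new SimpleSAML_Error_BadRequest('Invalid session info data.');
    }

    $session = SimpleSAML_Session::getSession($sessionId);
} else {
    throw new SimpleSAML_Error_BadRequest('Missing redirection info parameter.');
}

if ($session === NULL) {
    throw new Exception('Unable to load session.');
}

$postData = $session->getData('core_postdatalink', $postId);
if ($postData === NULL) {
    /* The post data is missing, probably because it timed out. */
    throw new Exception('The POST data we should restore was lost.');
}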
/**
 * Retrieve the decryption keys from metadata.
 *
 * If the sender's metadata carries a 'sharedkey', that single symmetric (AES-128-CBC) key is
 * the only candidate. Otherwise the recipient's RSA private keys are returned: the optional
 * "new_" key first (when present), then the current one, so callers can try both during a
 * key rollover.
 *
 * @param SimpleSAML_Configuration $srcMetadata The metadata of the sender (IdP).
 * @param SimpleSAML_Configuration $dstMetadata The metadata of the recipient (SP).
 * @return array Array of decryption keys.
 */
public static function getDecryptionKeys(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata)
{
    $sharedKey = $srcMetadata->getString('sharedkey', NULL);
    if ($sharedKey !== NULL) {
        $symmetric = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
        $symmetric->loadKey($sharedKey);
        return array($symmetric);
    }

    // Build an RSA-1.5 private key object from a loadPrivateKey() result (PEM plus optional password).
    $toPrivateKey = function ($keyArray) {
        assert('isset($keyArray["PEM"])');
        $key = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type' => 'private'));
        if (array_key_exists('password', $keyArray)) {
            $key->passphrase = $keyArray['password'];
        }
        $key->loadKey($keyArray['PEM']);
        return $key;
    };

    $keys = array();

    /* Load the new private key if it exists. */
    $newKeyArray = SimpleSAML\Utils\Crypto::loadPrivateKey($dstMetadata, FALSE, 'new_');
    if ($newKeyArray !== NULL) {
        $keys[] = $toPrivateKey($newKeyArray);
    }

    /* Find the existing private key. */
    $keys[] = $toPrivateKey(SimpleSAML\Utils\Crypto::loadPrivateKey($dstMetadata, TRUE));

    return $keys;
}
if (!$config->getBoolean('enable.shib13-idp', false)) { throw new SimpleSAML_Error_Error('NOACCESS'); } // check if valid local session exists if ($config->getBoolean('admin.protectmetadata', false)) { SimpleSAML\Utils\Auth::requireAdmin(); } try { $idpentityid = isset($_GET['idpentityid']) ? $_GET['idpentityid'] : $metadata->getMetaDataCurrentEntityID('shib13-idp-hosted'); $idpmeta = $metadata->getMetaDataConfig($idpentityid, 'shib13-idp-hosted'); $keys = array(); $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, false, 'new_'); if ($certInfo !== null) { $keys[] = array('type' => 'X509Certificate', 'signing' => true, 'encryption' => false, 'X509Certificate' => $certInfo['certData']); } $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, true); $keys[] = array('type' => 'X509Certificate', 'signing' => true, 'encryption' => false, 'X509Certificate' => $certInfo['certData']); $metaArray = array('metadata-set' => 'shib13-idp-remote', 'entityid' => $idpentityid, 'SingleSignOnService' => $metadata->getGenerated('SingleSignOnService', 'shib13-idp-hosted')); if (count($keys) === 1) { $metaArray['certData'] = $keys[0]['X509Certificate']; } else { $metaArray['keys'] = $keys; } $metaArray['NameIDFormat'] = $idpmeta->getString('NameIDFormat', 'urn:mace:shibboleth:1.0:nameIdentifier'); if ($idpmeta->hasValue('OrganizationName')) { $metaArray['OrganizationName'] = $idpmeta->getLocalizedString('OrganizationName'); $metaArray['OrganizationDisplayName'] = $idpmeta->getLocalizedString('OrganizationDisplayName', $metaArray['OrganizationName']); if (!$idpmeta->hasValue('OrganizationURL')) { throw new SimpleSAML_Error_Exception('If OrganizationName is set, OrganizationURL must also be set.'); } $metaArray['OrganizationURL'] = $idpmeta->getLocalizedString('OrganizationURL');
/**
 * Decrypt data that was produced by the matching aesEncrypt() helper.
 *
 * Thin forwarding wrapper kept for backwards compatibility only.
 *
 * @deprecated This method will be removed in SSP 2.0. Please use SimpleSAML\Utils\Crypto::aesDecrypt() instead.
 *
 * @param string $encData The encrypted data.
 * @return string The decrypted data, as returned by SimpleSAML\Utils\Crypto::aesDecrypt().
 */
public static function aesDecrypt($encData)
{
    $decrypted = SimpleSAML\Utils\Crypto::aesDecrypt($encData);

    return $decrypted;
}
break; } $eps[] = $acsArray; $index++; } $metaArray20['AssertionConsumerService'] = $eps; $keys = array(); $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($spconfig, FALSE, 'new_'); if ($certInfo !== NULL && array_key_exists('certData', $certInfo)) { $hasNewCert = TRUE; $certData = $certInfo['certData']; $keys[] = array('type' => 'X509Certificate', 'signing' => TRUE, 'encryption' => TRUE, 'X509Certificate' => $certInfo['certData']); } else { $hasNewCert = FALSE; } $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($spconfig); if ($certInfo !== NULL && array_key_exists('certData', $certInfo)) { $certData = $certInfo['certData']; $keys[] = array('type' => 'X509Certificate', 'signing' => TRUE, 'encryption' => $hasNewCert ? FALSE : TRUE, 'X509Certificate' => $certInfo['certData']); } else { $certData = NULL; } $format = $spconfig->getString('NameIDPolicy', NULL); if ($format !== NULL) { $metaArray20['NameIDFormat'] = $format; } $name = $spconfig->getLocalizedString('name', NULL); $attributes = $spconfig->getArray('attributes', array()); if ($name !== NULL && !empty($attributes)) { $metaArray20['name'] = $name; $metaArray20['attributes'] = $attributes;