/** * Encrypt the selected node with the given key. * * @param XMLSecurityKey $objKey The encryption key and algorithm. * @param bool $replace Whether the encrypted node should be replaced in the original tree. Default is true. * @return DOMElement The <xenc:EncryptedData>-element. */ public function encryptNode($objKey, $replace = true) { $data = ''; if (empty($this->rawNode)) { throw new Exception('Node to encrypt has not been set'); } if (!$objKey instanceof XMLSecurityKey) { throw new Exception('Invalid Key'); } $doc = $this->rawNode->ownerDocument; $xPath = new DOMXPath($this->encdoc); $objList = $xPath->query('/xenc:EncryptedData/xenc:CipherData/xenc:CipherValue'); $cipherValue = $objList->item(0); if ($cipherValue == null) { throw new Exception('Error locating CipherValue element within template'); } switch ($this->type) { case XMLSecEnc::Element: $data = $doc->saveXML($this->rawNode); $this->encdoc->documentElement->setAttribute('Type', XMLSecEnc::Element); break; case XMLSecEnc::Content: $children = $this->rawNode->childNodes; foreach ($children as $child) { $data .= $doc->saveXML($child); } $this->encdoc->documentElement->setAttribute('Type', XMLSecEnc::Content); break; default: throw new Exception('Type is currently not supported'); } $encMethod = $this->encdoc->documentElement->appendChild($this->encdoc->createElementNS(XMLSecEnc::XMLENCNS, 'xenc:EncryptionMethod')); $encMethod->setAttribute('Algorithm', $objKey->getAlgorithm()); $cipherValue->parentNode->parentNode->insertBefore($encMethod, $cipherValue->parentNode->parentNode->firstChild); $strEncrypt = base64_encode($objKey->encryptData($data)); $value = $this->encdoc->createTextNode($strEncrypt); $cipherValue->appendChild($value); if ($replace) { switch ($this->type) { case XMLSecEnc::Element: if ($this->rawNode->nodeType == XML_DOCUMENT_NODE) { return $this->encdoc; } $importEnc = $this->rawNode->ownerDocument->importNode($this->encdoc->documentElement, true); $this->rawNode->parentNode->replaceChild($importEnc, $this->rawNode); return $importEnc; case XMLSecEnc::Content: $importEnc = $this->rawNode->ownerDocument->importNode($this->encdoc->documentElement, true); while ($this->rawNode->firstChild) { $this->rawNode->removeChild($this->rawNode->firstChild); } $this->rawNode->appendChild($importEnc); return $importEnc; } } else { return $this->encdoc->documentElement; } }
/** * Decrypts an encrypted element. * * @param DOMElement $encryptedData The encrypted data. * @param XMLSecurityKey $inputKey The decryption key. * * @return DOMElement The decrypted element. * * @throws Exception */ public static function decryptElement(DOMElement $encryptedData, XMLSecurityKey $inputKey) { $enc = new XMLSecEnc(); $enc->setNode($encryptedData); $enc->type = $encryptedData->getAttribute("Type"); $symmetricKey = $enc->locateKey($encryptedData); if (!$symmetricKey) { throw new Exception('Could not locate key algorithm in encrypted data.'); } $symmetricKeyInfo = $enc->locateKeyInfo($symmetricKey); if (!$symmetricKeyInfo) { throw new Exception('Could not locate <dsig:KeyInfo> for the encrypted key.'); } $inputKeyAlgo = $inputKey->getAlgorithm(); if ($symmetricKeyInfo->isEncrypted) { $symKeyInfoAlgo = $symmetricKeyInfo->getAlgorithm(); if ($symKeyInfoAlgo === XMLSecurityKey::RSA_OAEP_MGF1P && $inputKeyAlgo === XMLSecurityKey::RSA_1_5) { $inputKeyAlgo = XMLSecurityKey::RSA_OAEP_MGF1P; } if ($inputKeyAlgo !== $symKeyInfoAlgo) { throw new Exception('Algorithm mismatch between input key and key used to encrypt ' . ' the symmetric key for the message. Key was: ' . var_export($inputKeyAlgo, true) . '; message was: ' . var_export($symKeyInfoAlgo, true)); } $encKey = $symmetricKeyInfo->encryptedCtx; $symmetricKeyInfo->key = $inputKey->key; $keySize = $symmetricKey->getSymmetricKeySize(); if ($keySize === null) { // To protect against "key oracle" attacks throw new Exception('Unknown key size for encryption algorithm: ' . var_export($symmetricKey->type, true)); } $key = $encKey->decryptKey($symmetricKeyInfo); if (strlen($key) != $keySize) { $encryptedKey = $encKey->getCipherValue(); $pkey = openssl_pkey_get_details($symmetricKeyInfo->key); $pkey = sha1(serialize($pkey), true); $key = sha1($encryptedKey . $pkey, true); /* Make sure that the key has the correct length. */ if (strlen($key) > $keySize) { $key = substr($key, 0, $keySize); } elseif (strlen($key) < $keySize) { $key = str_pad($key, $keySize); } } $symmetricKey->loadkey($key); } else { $symKeyAlgo = $symmetricKey->getAlgorithm(); if ($inputKeyAlgo !== $symKeyAlgo) { throw new Exception('Algorithm mismatch between input key and key in message. ' . 'Key was: ' . var_export($inputKeyAlgo, true) . '; message was: ' . var_export($symKeyAlgo, true)); } $symmetricKey = $inputKey; } $decrypted = $enc->decryptNode($symmetricKey, false); $xml = '<root xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' . $decrypted . '</root>'; $newDoc = new DOMDocument(); $newDoc->preserveWhiteSpace = false; $newDoc->formatOutput = true; $newDoc = self::loadXML($newDoc, $xml); if (!$newDoc) { throw new Exception('Failed to parse decrypted XML.'); } $decryptedElement = $newDoc->firstChild->firstChild; if ($decryptedElement === null) { throw new Exception('Missing encrypted element.'); } return $decryptedElement; }