In case of using DES3-CBC the key is checked for a proper parity bits set - Mcrypt doesn't care about the parity bits,
but others may care.
| public generateSessionKey ( ) : string | ||
| return | string | |
public function __doRequest($request, $location, $saction, $version)
{
$doc = new DOMDocument('1.0');
$doc->loadXML($request);
$objWSSE = new WSSESoap($doc);
/* add Timestamp with no expiration timestamp */
$objWSSE->addTimestamp();
/* create new XMLSec Key using AES256_CBC and type is private key */
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
/* load the private key from file - last arg is bool if key in file (true) or is string (false) */
$objKey->loadKey(PRIVATE_KEY, true);
/* Sign the message - also signs appropiate WS-Security items */
$options = array("insertBefore" => false);
$objWSSE->signSoapDoc($objKey, $options);
/* Add certificate (BinarySecurityToken) to the message */
$token = $objWSSE->addBinaryToken(file_get_contents(CERT_FILE));
/* Attach pointer to Signature */
$objWSSE->attachTokentoSig($token);
$objKey = new XMLSecurityKey(XMLSecurityKey::AES256_CBC);
$objKey->generateSessionKey();
$siteKey = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, array('type' => 'public'));
$siteKey->loadKey(SERVICE_CERT, true, true);
$options = array("KeyInfo" => array("X509SubjectKeyIdentifier" => true));
$objWSSE->encryptSoapDoc($siteKey, $objKey, $options);
$retVal = parent::__doRequest($objWSSE->saveXML(), $location, $saction, $version);
$doc = new DOMDocument();
$doc->loadXML($retVal);
$options = array("keys" => array("private" => array("key" => PRIVATE_KEY, "isFile" => true, "isCert" => false)));
$objWSSE->decryptSoapDoc($doc, $options);
return $doc->saveXML();
}
/**
* @param AbstractSamlModel $object
* @param XMLSecurityKey $key
*
* @return SerializationContext
*/
public function encrypt(AbstractSamlModel $object, XMLSecurityKey $key)
{
$oldKey = $key;
$key = new XMLSecurityKey($this->keyTransportEncryption, ['type' => 'public']);
$key->loadKey($oldKey->key);
$serializationContext = new SerializationContext();
$object->serialize($serializationContext->getDocument(), $serializationContext);
$enc = new XMLSecEnc();
$enc->setNode($serializationContext->getDocument()->firstChild);
$enc->type = XMLSecEnc::Element;
switch ($key->type) {
case XMLSecurityKey::TRIPLEDES_CBC:
case XMLSecurityKey::AES128_CBC:
case XMLSecurityKey::AES192_CBC:
case XMLSecurityKey::AES256_CBC:
$symmetricKey = $key;
break;
case XMLSecurityKey::RSA_1_5:
case XMLSecurityKey::RSA_SHA1:
case XMLSecurityKey::RSA_SHA256:
case XMLSecurityKey::RSA_SHA384:
case XMLSecurityKey::RSA_SHA512:
case XMLSecurityKey::RSA_OAEP_MGF1P:
$symmetricKey = new XMLSecurityKey($this->blockEncryptionAlgorithm);
$symmetricKey->generateSessionKey();
$enc->encryptKey($key, $symmetricKey);
break;
default:
throw new LightSamlException(sprintf('Unknown key type for encryption: "%s"', $key->type));
}
$this->encryptedElement = $enc->encryptNode($symmetricKey);
return $serializationContext;
}
/**
* Set the assertion.
*
* @param \SAML2\Assertion $assertion The assertion.
* @param XMLSecurityKey $key The key we should use to encrypt the assertion.
* @throws \Exception
*/
public function setAssertion(Assertion $assertion, XMLSecurityKey $key)
{
$xml = $assertion->toXML();
Utils::getContainer()->debugMessage($xml, 'encrypt');
$enc = new XMLSecEnc();
$enc->setNode($xml);
$enc->type = XMLSecEnc::Element;
switch ($key->type) {
case XMLSecurityKey::TRIPLEDES_CBC:
case XMLSecurityKey::AES128_CBC:
case XMLSecurityKey::AES192_CBC:
case XMLSecurityKey::AES256_CBC:
$symmetricKey = $key;
break;
case XMLSecurityKey::RSA_1_5:
case XMLSecurityKey::RSA_OAEP_MGF1P:
$symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
$symmetricKey->generateSessionKey();
$enc->encryptKey($key, $symmetricKey);
break;
default:
throw new \Exception('Unknown key type for encryption: ' . $key->type);
}
$this->encryptedData = $enc->encryptNode($symmetricKey);
}
/**
* Add an EncryptedAttribute Statement-node to the assertion.
*
* @param \DOMElement $root The assertion element we should add the Encrypted Attribute Statement to.
*/
private function addEncryptedAttributeStatement(\DOMElement $root)
{
if ($this->requiredEncAttributes == false) {
return;
}
$document = $root->ownerDocument;
$attributeStatement = $document->createElementNS(Constants::NS_SAML, 'saml:AttributeStatement');
$root->appendChild($attributeStatement);
foreach ($this->attributes as $name => $values) {
$document2 = DOMDocumentFactory::create();
$attribute = $document2->createElementNS(Constants::NS_SAML, 'saml:Attribute');
$attribute->setAttribute('Name', $name);
$document2->appendChild($attribute);
if ($this->nameFormat !== Constants::NAMEFORMAT_UNSPECIFIED) {
$attribute->setAttribute('NameFormat', $this->nameFormat);
}
foreach ($values as $value) {
if (is_string($value)) {
$type = 'xs:string';
} elseif (is_int($value)) {
$type = 'xs:integer';
} else {
$type = null;
}
$attributeValue = $document2->createElementNS(Constants::NS_SAML, 'saml:AttributeValue');
$attribute->appendChild($attributeValue);
if ($type !== null) {
$attributeValue->setAttributeNS(Constants::NS_XSI, 'xsi:type', $type);
}
if ($value instanceof \DOMNodeList) {
for ($i = 0; $i < $value->length; $i++) {
$node = $document2->importNode($value->item($i), true);
$attributeValue->appendChild($node);
}
} else {
$attributeValue->appendChild($document2->createTextNode($value));
}
}
/*Once the attribute nodes are built, the are encrypted*/
$EncAssert = new XMLSecEnc();
$EncAssert->setNode($document2->documentElement);
$EncAssert->type = 'http://www.w3.org/2001/04/xmlenc#Element';
/*
* Attributes are encrypted with a session key and this one with
* $EncryptionKey
*/
$symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES256_CBC);
$symmetricKey->generateSessionKey();
$EncAssert->encryptKey($this->encryptionKey, $symmetricKey);
$EncrNode = $EncAssert->encryptNode($symmetricKey);
$EncAttribute = $document->createElementNS(Constants::NS_SAML, 'saml:EncryptedAttribute');
$attributeStatement->appendChild($EncAttribute);
$n = $document->importNode($EncrNode, true);
$EncAttribute->appendChild($n);
}
}
public function addUserToken($userName, $password = null, $passwordDigest = false)
{
if ($passwordDigest && empty($password)) {
throw new Exception('Cannot calculate the digest without a password');
}
$security = $this->locateSecurityHeader();
$token = $this->soapDoc->createElementNS(self::WSSENS, self::WSSEPFX . ':UsernameToken');
$security->insertBefore($token, $security->firstChild);
$username = $this->soapDoc->createElementNS(self::WSSENS, self::WSSEPFX . ':Username');
$usernameText = $this->soapDoc->createTextNode($userName);
$username->appendChild($usernameText);
$token->appendChild($username);
/* Generate nonce - create a 256 bit session key to be used */
$objKey = new XMLSecurityKey(XMLSecurityKey::AES256_CBC);
$nonce = $objKey->generateSessionKey();
unset($objKey);
$createdate = gmdate("Y-m-d\\TH:i:s") . 'Z';
if ($password) {
$passType = self::WSUNAME . '#PasswordText';
if ($passwordDigest) {
$password = base64_encode(sha1($nonce . $createdate . $password, true));
$passType = self::WSUNAME . '#PasswordDigest';
}
$passwordNode = $this->soapDoc->createElementNS(self::WSSENS, self::WSSEPFX . ':Password');
$token->appendChild($passwordNode);
$passwordText = $this->soapDoc->createTextNode($password);
$passwordNode->appendChild($passwordText);
$passwordNode->setAttribute('Type', $passType);
}
$nonceNode = $this->soapDoc->createElementNS(self::WSSENS, self::WSSEPFX . ':Nonce', base64_encode($nonce));
$token->appendChild($nonceNode);
$created = $this->soapDoc->createElementNS(self::WSUNS, self::WSUPFX . ':Created', $createdate);
$token->appendChild($created);
}
/**
* Encrypt the NameID in the AuthnRequest.
*
* @param XMLSecurityKey $key The encryption key.
*/
public function encryptNameId(XMLSecurityKey $key)
{
/* First create a XML representation of the NameID. */
$doc = new \DOMDocument();
$root = $doc->createElement('root');
$doc->appendChild($root);
Utils::addNameId($root, $this->nameId);
$nameId = $root->firstChild;
Utils::getContainer()->debugMessage($nameId, 'encrypt');
/* Encrypt the NameID. */
$enc = new XMLSecEnc();
$enc->setNode($nameId);
// @codingStandardsIgnoreStart
$enc->type = XMLSecEnc::Element;
// @codingStandardsIgnoreEnd
$symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
$symmetricKey->generateSessionKey();
$enc->encryptKey($key, $symmetricKey);
$this->encryptedNameId = $enc->encryptNode($symmetricKey);
$this->nameId = null;
}
