formatCert() public static méthode

Returns a x509 cert (adding header & footer if required).
public static formatCert ( string $cert, boolean $heads = true ) : string
$cert string A x509 unformated cert
$heads boolean True if we want to include head and footer
Résultat string $x509 Formatted cert
Exemple #1
0
 /**
  * Tests the generateNameId method of the OneLogin_Saml2_Utils
  *
  * @covers OneLogin_Saml2_Utils::generateNameId
  */
 public function testGenerateNameId()
 {
     //$xml = '<root xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'.$decrypted.'</root>';
     //$newDoc = new DOMDocument();
     $nameIdValue = 'ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde';
     $entityId = 'http://stuff.com/endpoints/metadata.php';
     $nameIDFormat = 'urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified';
     $nameId = OneLogin_Saml2_Utils::generateNameId($nameIdValue, $entityId, $nameIDFormat);
     $expectedNameId = '<saml:NameID SPNameQualifier="http://stuff.com/endpoints/metadata.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde</saml:NameID>';
     $this->assertEquals($nameId, $expectedNameId);
     $settingsDir = TEST_ROOT . '/settings/';
     include $settingsDir . 'settings1.php';
     $x509cert = $settingsInfo['idp']['x509cert'];
     $key = OneLogin_Saml2_Utils::formatCert($x509cert);
     $nameIdEnc = OneLogin_Saml2_Utils::generateNameId($nameIdValue, $entityId, $nameIDFormat, $key);
     $nameidExpectedEnc = '<saml:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>';
     $this->assertContains($nameidExpectedEnc, $nameIdEnc);
 }
Exemple #2
0
 /**
  * Formats the SP cert.
  */
 public function formatSPCert()
 {
     if (isset($this->_sp['x509cert'])) {
         $this->_sp['x509cert'] = OneLogin_Saml2_Utils::formatCert($this->_sp['x509cert']);
     }
 }
Exemple #3
0
 /**
  * Tests the getIdPData method of the OneLogin_Saml2_Settings
  *
  * @covers OneLogin_Saml2_Settings::getIdPData
  */
 public function testGetIdPData()
 {
     $settingsDir = TEST_ROOT . '/settings/';
     include $settingsDir . 'settings1.php';
     $settings = new OneLogin_Saml2_Settings($settingsInfo);
     $idpData = $settings->getIdPData();
     $this->assertNotEmpty($idpData);
     $this->assertArrayHasKey('entityId', $idpData);
     $this->assertArrayHasKey('singleSignOnService', $idpData);
     $this->assertArrayHasKey('singleLogoutService', $idpData);
     $this->assertArrayHasKey('x509cert', $idpData);
     $this->assertEquals('http://idp.example.com/', $idpData['entityId']);
     $this->assertEquals('http://idp.example.com/SSOService.php', $idpData['singleSignOnService']['url']);
     $this->assertEquals('http://idp.example.com/SingleLogoutService.php', $idpData['singleLogoutService']['url']);
     $x509cert = 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo';
     $formatedx509cert = OneLogin_Saml2_Utils::formatCert($x509cert);
     $this->assertEquals($formatedx509cert, $idpData['x509cert']);
 }
Exemple #4
0
 /**
  * Adds the x509 descriptors (sign/encriptation) to the metadata
  * The same cert will be used for sign/encrypt
  *
  * @param string $metadata SAML Metadata XML
  * @param string $cert     x509 cert
  *
  * @return string Metadata with KeyDescriptors
  */
 public static function addX509KeyDescriptors($metadata, $cert)
 {
     $xml = new DOMDocument();
     $xml->preserveWhiteSpace = false;
     $xml->formatOutput = true;
     try {
         $xml = OneLogin_Saml2_Utils::loadXML($xml, $metadata);
         if (!$xml) {
             throw new Exception('Error parsing metadata');
         }
     } catch (Exception $e) {
         throw new Exception('Error parsing metadata. ' . $e->getMessage());
     }
     $formatedCert = OneLogin_Saml2_Utils::formatCert($cert, false);
     $x509Certificate = $xml->createElementNS(OneLogin_Saml2_Constants::NS_DS, 'X509Certificate', $formatedCert);
     $keyData = $xml->createElementNS(OneLogin_Saml2_Constants::NS_DS, 'ds:X509Data');
     $keyData->appendChild($x509Certificate);
     $keyInfo = $xml->createElementNS(OneLogin_Saml2_Constants::NS_DS, 'ds:KeyInfo');
     $keyInfo->appendChild($keyData);
     $keyDescriptor = $xml->createElementNS(OneLogin_Saml2_Constants::NS_MD, "md:KeyDescriptor");
     $SPSSODescriptor = $xml->getElementsByTagName('SPSSODescriptor')->item(0);
     $SPSSODescriptor->insertBefore($keyDescriptor->cloneNode(), $SPSSODescriptor->firstChild);
     $SPSSODescriptor->insertBefore($keyDescriptor->cloneNode(), $SPSSODescriptor->firstChild);
     $signing = $xml->getElementsByTagName('KeyDescriptor')->item(0);
     $signing->setAttribute('use', 'signing');
     $encryption = $xml->getElementsByTagName('KeyDescriptor')->item(1);
     $encryption->setAttribute('use', 'encryption');
     $signing->appendChild($keyInfo);
     $encryption->appendChild($keyInfo->cloneNode(true));
     return $xml->saveXML();
 }
    /**
     * Constructs the AuthnRequest object.
     *
     * @param OneLogin_Saml2_Settings $settings Settings
     * @param bool   $forceAuthn When true the AuthNReuqest will set the ForceAuthn='true'
     * @param bool   $isPassive  When true the AuthNReuqest will set the Ispassive='true' 
     */
    public function __construct(OneLogin_Saml2_Settings $settings, $forceAuthn = false, $isPassive = false)
    {
        $this->_settings = $settings;
        $spData = $this->_settings->getSPData();
        $idpData = $this->_settings->getIdPData();
        $security = $this->_settings->getSecurityData();
        $id = OneLogin_Saml2_Utils::generateUniqueID();
        $issueInstant = OneLogin_Saml2_Utils::parseTime2SAML(time());
        $nameIDPolicyFormat = $spData['NameIDFormat'];
        if (isset($security['wantNameIdEncrypted']) && $security['wantNameIdEncrypted']) {
            $nameIDPolicyFormat = OneLogin_Saml2_Constants::NAMEID_ENCRYPTED;
        }
        $providerNameStr = '';
        $organizationData = $settings->getOrganization();
        if (!empty($organizationData)) {
            $langs = array_keys($organizationData);
            if (in_array('en-US', $langs)) {
                $lang = 'en-US';
            } else {
                $lang = $langs[0];
            }
            if (isset($organizationData[$lang]['displayname']) && !empty($organizationData[$lang]['displayname'])) {
                $providerNameStr = <<<PROVIDERNAME
    ProviderName="{$organizationData[$lang]['displayname']}" 
PROVIDERNAME;
            }
        }
        $forceAuthnStr = '';
        if ($forceAuthn) {
            $forceAuthnStr = <<<FORCEAUTHN

    ForceAuthn="true"
FORCEAUTHN;
        }
        $isPassiveStr = '';
        if ($isPassive) {
            $isPassiveStr = <<<ISPASSIVE

    IsPassive="true"
ISPASSIVE;
        }
        $requestedAuthnStr = '';
        if (isset($security['requestedAuthnContext']) && $security['requestedAuthnContext'] !== false) {
            if ($security['requestedAuthnContext'] === true) {
                $requestedAuthnStr = <<<REQUESTEDAUTHN
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
REQUESTEDAUTHN;
            } else {
                $requestedAuthnStr .= "    <samlp:RequestedAuthnContext Comparison=\"exact\">\n";
                foreach ($security['requestedAuthnContext'] as $contextValue) {
                    $requestedAuthnStr .= "        <saml:AuthnContextClassRef>" . $contextValue . "</saml:AuthnContextClassRef>\n";
                }
                $requestedAuthnStr .= '    </samlp:RequestedAuthnContext>';
            }
        }
        $signature = '';
        if (isset($security['authnRequestsSigned']) && $security['authnRequestsSigned']) {
            $key = $this->_settings->getSPkey();
            $objKey = new XMLSecurityKey($security['signatureAlgorithm'], array('type' => 'private'));
            $objKey->loadKey($key, false);
            $signatureValue = $objKey->signData(time());
            $signatureValue = base64_encode($signatureValue);
            $digestValue = base64_encode(sha1(time()));
            $x509Cert = $this->_settings->getSPcert();
            $x509Cert = OneLogin_Saml2_Utils::formatCert($x509Cert, false);
            $signature = <<<SIGNATURE
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference>
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>{$digestValue}</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>asd{$signatureValue}</ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>{$x509Cert}</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</ds:Signature>
SIGNATURE;
        }
        $request = <<<AUTHNREQUEST
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="{$id}"
    Version="2.0"
{$providerNameStr}{$forceAuthnStr}{$isPassiveStr}
    IssueInstant="{$issueInstant}"
    Destination="{$idpData['singleSignOnService']['url']}"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="{$spData['assertionConsumerService']['url']}">
    <saml:Issuer>{$spData['entityId']}</saml:Issuer>
    {$signature}
    <samlp:NameIDPolicy
        Format="{$nameIDPolicyFormat}"
        AllowCreate="true" />
{$requestedAuthnStr}
</samlp:AuthnRequest>
AUTHNREQUEST;
        $this->_id = $id;
        $this->_authnRequest = $request;
    }