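/**
 * A response signed with the mock private key must be both recognised as
 * validatable and verified by the public-key validator, when the IdP
 * configuration carries the matching certificate.
 *
 * The PEM fixture is reduced to its first CERTIFICATE_PATTERN capture group
 * before being handed to the configuration as certificateData.
 *
 * @test
 * @group signature
 */
public function signed_message_with_valid_signature_is_validated_correctly()
{
    $pattern = SAML2_Utilities_Certificate::CERTIFICATE_PATTERN;
    // Check the fixture parse explicitly: an unmatched pattern would leave
    // $matches[1] undefined and the test would fail for an unrelated reason.
    $matched = preg_match($pattern, SAML2_CertificatesMock::PUBLIC_KEY_PEM, $matches);
    $this->assertSame(1, $matched, 'Certificate fixture does not match CERTIFICATE_PATTERN');

    $config = new SAML2_Configuration_IdentityProvider(array('certificateData' => $matches[1]));
    $validator = new SAML2_Signature_PublicKeyValidator(
        new SAML2_SimpleTestLogger(),
        new SAML2_Certificate_KeyLoader()
    );

    $doc = SAML2_DOMDocumentFactory::fromFile(__DIR__ . '/response.xml');
    $response = new SAML2_Response($doc->firstChild);
    $response->setSignatureKey(SAML2_CertificatesMock::getPrivateKey());
    $response->setCertificates(array(SAML2_CertificatesMock::PUBLIC_KEY_PEM));

    // Re-parse the signed XML so the validator works from the serialized
    // signature, not from the in-memory key set above.
    $response = new SAML2_Response($response->toSignedXML());

    $this->assertTrue($validator->canValidate($response, $config), 'Cannot validate the element');
    $this->assertTrue($validator->hasValidSignature($response, $config), 'The signature is not valid');
}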
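/**
 * A response signed with the mock private key must be both recognised as
 * validatable and verified by the fingerprint validator, when the IdP
 * configuration lists the fingerprint of the signing certificate.
 *
 * The fingerprint is requested twice and compared, so a change in how
 * SAML2_Certificate_X509 caches it would surface here.
 *
 * @test
 * @group signature
 */
public function signed_message_with_valid_signature_is_validated_correctly()
{
    $pattern = SAML2_Utilities_Certificate::CERTIFICATE_PATTERN;
    // Check the fixture parse explicitly: an unmatched pattern would leave
    // $matches[1] undefined and the test would fail for an unrelated reason.
    $matched = preg_match($pattern, SAML2_CertificatesMock::PUBLIC_KEY_PEM, $matches);
    $this->assertSame(1, $matched, 'Certificate fixture does not match CERTIFICATE_PATTERN');

    $certdata = SAML2_Certificate_X509::createFromCertificateData($matches[1]);
    $fingerprint = $certdata->getFingerprint();
    $fingerprint_retry = $certdata->getFingerprint();
    $this->assertTrue($fingerprint->equals($fingerprint_retry), 'Cached fingerprint does not match original');

    $config = new SAML2_Configuration_IdentityProvider(
        array('certificateFingerprints' => array($fingerprint->getRaw()))
    );
    $validator = new SAML2_Signature_FingerprintValidator(
        new SAML2_SimpleTestLogger(),
        new SAML2_Certificate_FingerprintLoader()
    );

    $doc = SAML2_DOMDocumentFactory::fromFile(__DIR__ . '/response.xml');
    $response = new SAML2_Response($doc->firstChild);
    $response->setSignatureKey(SAML2_CertificatesMock::getPrivateKey());
    $response->setCertificates(array(SAML2_CertificatesMock::PUBLIC_KEY_PEM));

    // Re-parse the signed XML so the validator works from the serialized
    // signature and embedded certificate, not from the in-memory key set above.
    $response = new SAML2_Response($response->toSignedXML());

    $this->assertTrue($validator->canValidate($response, $config), 'Cannot validate the element');
    $this->assertTrue($validator->hasValidSignature($response, $config), 'The signature is not valid');
}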
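/**
 * Build a response fixture in which the message and its first assertion are
 * each signed with the mock private key and carry the mock certificate.
 *
 * The fixture is loaded from response.xml next to this file; failures that
 * DOMDocument::load() reports by returning false are turned into exceptions
 * so a broken fixture cannot masquerade as a signature failure.
 *
 * @return SAML2_Response The re-parsed, signed response.
 *
 * @throws RuntimeException When the fixture cannot be loaded or holds no assertion.
 */
private function getSignedResponseWithSignedAssertion()
{
    $path = __DIR__ . '/response.xml';
    $doc = new DOMDocument();
    if ($doc->load($path) === false) {
        throw new RuntimeException('Unable to load fixture ' . $path);
    }

    $response = new SAML2_Response($doc->firstChild);
    $response->setSignatureKey(SAML2_CertificatesMock::getPrivateKey());
    $response->setCertificates(array(SAML2_CertificatesMock::PUBLIC_KEY_PEM));

    $assertions = $response->getAssertions();
    if (empty($assertions)) {
        throw new RuntimeException('Fixture ' . $path . ' contains no assertion to sign');
    }
    $assertion = $assertions[0];
    $assertion->setSignatureKey(SAML2_CertificatesMock::getPrivateKey());
    $assertion->setCertificates(array(SAML2_CertificatesMock::PUBLIC_KEY_PEM));

    // Serialize and re-parse so both signatures are materialised in the XML.
    return new SAML2_Response($response->toSignedXML());
}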
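/**
 * Populate (or create) a SAML2 response and its first assertion from a map
 * of test values, optionally attaching signing keys and certificates.
 *
 * Every key is optional; only the ones present in $values are applied:
 * InResponseTo (via original_spid_isset), ResponseID, AssertionID, Issuer,
 * NameID, AllowedTimeDelta, Audience, Attributes, AuthnContextClassRef,
 * SessionIndex, Destination, SHA256KeyFile and SHA256CertFile. Which of the
 * message and assertion get signed is decided by need_sign(),
 * need_sign_message() and need_sign_attributes().
 *
 * @param array           $values   Keyed response/assertion values.
 * @param \SAML2_Response $response Existing response to extend; a fresh one is created when NULL.
 *
 * @return \SAML2_Response The response with exactly one assertion attached.
 *
 * @throws \RuntimeException When SHA256CertFile is given but cannot be read.
 */
private static function combine_response(array $values, \SAML2_Response $response = NULL)
{
    if (!isset($response)) {
        $response = new \SAML2_Response();
    }
    $presented_assertions = $response->getAssertions();
    $assertion = empty($presented_assertions) ? new \SAML2_Assertion() : $presented_assertions[0];

    // One timestamp for the whole build so NotBefore, NotOnOrAfter and
    // AuthnInstant cannot straddle a second boundary.
    $now = time();

    if (self::original_spid_isset($values)) {
        $response->setInResponseTo($values['InResponseTo']);
    }
    if (array_key_exists('ResponseID', $values)) {
        $response->setId($values['ResponseID']);
    }
    if (array_key_exists('AssertionID', $values)) {
        $assertion->setId($values['AssertionID']);
    }
    if (array_key_exists('Issuer', $values)) {
        $response->setIssuer($values['Issuer']);
        $assertion->setIssuer($values['Issuer']);
    }
    if (array_key_exists('NameID', $values)) {
        $assertion->setNameId(self::build_name_id($values['NameID']));
    }

    $not_on_or_after_time = $now;
    if (array_key_exists('AllowedTimeDelta', $values)) {
        $not_on_or_after_time += $values['AllowedTimeDelta'];
        $assertion->setNotBefore($now - $values['AllowedTimeDelta']);
        $assertion->setNotOnOrAfter($not_on_or_after_time);
    } else {
        // Without an explicit delta the assertion conditions are left alone,
        // but the subject confirmation below still needs an expiry.
        $not_on_or_after_time += DEFAULT_RESPONSE_TIME_DELTA;
    }

    if (array_key_exists('Audience', $values)) {
        $assertion->setValidAudiences(array($values['Audience']));
    }
    if (array_key_exists('Attributes', $values)) {
        $assertion->setAttributes($values['Attributes']);
    }
    $assertion->setAuthnInstant($now);
    if (array_key_exists('AuthnContextClassRef', $values)) {
        $assertion->setAuthnContextClassRef($values['AuthnContextClassRef']);
    }
    if (array_key_exists('SessionIndex', $values)) {
        $assertion->setSessionIndex($values['SessionIndex']);
    }

    // A subject confirmation is only built when there is something to put in
    // it: the InResponseTo binding and/or the Recipient.
    if (self::original_spid_isset($values) || array_key_exists('Destination', $values)) {
        $original_confirmations = $assertion->getSubjectConfirmation();
        if (empty($original_confirmations)) {
            $confirmation = new \SAML2_XML_saml_SubjectConfirmation();
            $confirmation->Method = SAML_CONFIGURATION_METHOD;
        } else {
            $confirmation = $original_confirmations[0];
        }

        $original_data = $confirmation->SubjectConfirmationData;
        if (empty($original_data)) {
            $data = new \SAML2_XML_saml_SubjectConfirmationData();
            $data->NotOnOrAfter = $not_on_or_after_time;
        } else {
            // Keep an expiry the caller already set on the presented response.
            $data = $original_data;
            if (empty($data->NotOnOrAfter)) {
                $data->NotOnOrAfter = $not_on_or_after_time;
            }
        }
        if (array_key_exists('Destination', $values)) {
            $data->Recipient = $values['Destination'];
        }
        if (self::original_spid_isset($values)) {
            $data->InResponseTo = $values['InResponseTo'];
        }
        $confirmation->SubjectConfirmationData = $data;
        $assertion->setSubjectConfirmation(array($confirmation));
    }

    if (array_key_exists('Destination', $values)) {
        $response->setDestination($values['Destination']);
    }

    if (self::need_sign($values)) {
        if (array_key_exists('SHA256KeyFile', $values)) {
            $ekey = new \XMLSecurityKey(\XMLSecurityKey::RSA_SHA256, array('type' => 'private'));
            // Second argument: the value is a path to the key file, not key material.
            $ekey->loadKey($values['SHA256KeyFile'], true);
            if (self::need_sign_attributes($values)) {
                $assertion->setSignatureKey($ekey);
            }
            if (self::need_sign_message($values)) {
                $response->setSignatureKey($ekey);
            }
        }
        if (array_key_exists('SHA256CertFile', $values)) {
            $pem = file_get_contents($values['SHA256CertFile']);
            // Fail here rather than embedding `false` as a certificate and
            // producing a signed document nobody can verify.
            if ($pem === false) {
                throw new \RuntimeException('Unable to read SHA256CertFile ' . $values['SHA256CertFile']);
            }
            $certificates = array($pem);
            if (self::need_sign_attributes($values)) {
                $assertion->setCertificates($certificates);
            }
            if (self::need_sign_message($values)) {
                $response->setCertificates($certificates);
            }
        }
    }

    $response->setAssertions(array($assertion));

    return $response;
}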