staticGet509XCerts() static public method

static public staticGet509XCerts ( $certs, $isPEMFormat = true )
    /**
     * getValidatingCertificates() must return exactly the certificate whose
     * public key matches the signature, and nothing else -- even when the
     * signed element also carries an unrelated certificate.
     */
    public function testGetValidatingCertificates()
    {
        // The certificate that belongs to the mock signing key.
        $expectedCert = XMLSecurityDSig::staticGet509XCerts(SAML2_CertificatesMock::PUBLIC_KEY_PEM);
        $expectedCert = $expectedCert[0];

        // Case 1: one certificate. Work on a copy so the shared fixture is untouched.
        $elementCopy = SAML2_Utils::copyElement($this->signedMockElement);
        $elementCopy->ownerDocument->appendChild($elementCopy);
        $helper = new SAML2_SignedElementHelperMock($elementCopy);
        $validating = $helper->getValidatingCertificates();
        $this->assertCount(1, $validating);
        $this->assertEquals($expectedCert, $validating[0]);

        // Case 2: two certificates, the unrelated one listed first. Only the
        // certificate matching the signing key may be reported as validating.
        $unrelatedCert = '-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----';
        $signer = new SAML2_SignedElementHelperMock();
        $signer->setSignatureKey(SAML2_CertificatesMock::getPrivateKey());
        $signer->setCertificates(array($unrelatedCert, SAML2_CertificatesMock::PUBLIC_KEY_PEM));
        // Note: this replaces the fixture for the remainder of the test method.
        $this->signedMockElement = $signer->toSignedXML();
        $helper = new SAML2_SignedElementHelperMock($this->signedMockElement);
        $validating = $helper->getValidatingCertificates();
        $this->assertCount(1, $validating);
        $this->assertEquals($expectedCert, $validating[0]);
    }
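 /**
  * Append a ds:X509Data element to the ds:KeyInfo of $parentRef, with one
  * ds:X509Certificate per certificate found in $cert and, on request, the
  * subject name and issuer/serial of each certificate.
  *
  * @param DOMElement    $parentRef   Signature element owning the KeyInfo
  *                                   (located or created by auxKeyInfo()).
  * @param string        $cert        Certificate data, or its path/URL when
  *                                   $isURL is TRUE.
  * @param bool          $isPEMFormat Forwarded to staticGet509XCerts().
  * @param bool          $isURL       Read $cert with file_get_contents() first.
  * @param DOMXPath|null $xpath       Optional XPath object forwarded to auxKeyInfo().
  * @param array|null    $options     'issuerSerial' => add ds:X509IssuerSerial,
  *                                   'subjectName'  => add ds:X509SubjectName.
  * @throws Exception if $parentRef is not a DOMElement or the certificate
  *                   source cannot be read.
  */
 static function staticAdd509Cert($parentRef, $cert, $isPEMFormat = TRUE, $isURL = False, $xpath = NULL, $options = NULL)
 {
     if ($isURL) {
         // file_get_contents() follows every stream wrapper PHP has enabled
         // (file://, http://, php://...). The location must come from trusted
         // configuration, never from the document being signed.
         $cert = file_get_contents($cert);
         if ($cert === false) {
             throw new Exception('Unable to read certificate data');
         }
     }
     if (!$parentRef instanceof DOMElement) {
         throw new Exception('Invalid parent Node parameter');
     }
     list($parentRef, $keyInfo) = self::auxKeyInfo($parentRef, $xpath);
     // $cert may hold several certificates (e.g. a chain); all are attached.
     $certs = XMLSecurityDSig::staticGet509XCerts($cert, $isPEMFormat);
     $baseDoc = $parentRef->ownerDocument;
     $x509DataNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Data');
     $keyInfo->appendChild($x509DataNode);
     $issuerSerial = is_array($options) && !empty($options['issuerSerial']);
     $subjectName = is_array($options) && !empty($options['subjectName']);
     foreach ($certs as $X509Cert) {
         if ($issuerSerial || $subjectName) {
             // Re-wrap the bare base64 as PEM so openssl can parse it. A
             // certificate openssl rejects still gets its ds:X509Certificate
             // node below; it just gets no name/serial metadata.
             $pem = "-----BEGIN CERTIFICATE-----\n" . chunk_split($X509Cert, 64, "\n") . "-----END CERTIFICATE-----\n";
             if ($certData = openssl_x509_parse($pem)) {
                 if ($subjectName && !empty($certData['subject'])) {
                     if (is_array($certData['subject'])) {
                         // array_unshift() reverses openssl's RDN order, presumably to
                         // get the most-specific-first form ("CN=...,O=...,C=...").
                         // NOTE(review): values are not RFC 4514-escaped, so a ',' or
                         // '+' inside a value (or a multi-valued RDN, which openssl
                         // returns as an array) produces an ambiguous name.
                         $parts = array();
                         foreach ($certData['subject'] as $key => $value) {
                             array_unshift($parts, "{$key}={$value}");
                         }
                         $subjectNameValue = implode(',', $parts);
                     } else {
                         // Fixed: previously copied the issuer into X509SubjectName.
                         $subjectNameValue = $certData['subject'];
                     }
                     $x509SubjectNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509SubjectName', $subjectNameValue);
                     $x509DataNode->appendChild($x509SubjectNode);
                 }
                 if ($issuerSerial && !empty($certData['issuer']) && !empty($certData['serialNumber'])) {
                     if (is_array($certData['issuer'])) {
                         // Same reversed, unescaped rendering as the subject above.
                         $parts = array();
                         foreach ($certData['issuer'] as $key => $value) {
                             array_unshift($parts, "{$key}={$value}");
                         }
                         $issuerName = implode(',', $parts);
                     } else {
                         $issuerName = $certData['issuer'];
                     }
                     $x509IssuerNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509IssuerSerial');
                     $x509DataNode->appendChild($x509IssuerNode);
                     $x509Node = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509IssuerName', $issuerName);
                     $x509IssuerNode->appendChild($x509Node);
                     // serialNumber is emitted as openssl formats it (decimal string).
                     $x509Node = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509SerialNumber', $certData['serialNumber']);
                     $x509IssuerNode->appendChild($x509Node);
                 }
             }
         }
         $x509CertNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Certificate', $X509Cert);
         $x509DataNode->appendChild($x509CertNode);
     }
 }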
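 /**
  * Attach a ds:X509Data element holding every certificate found in $cert to
  * the ds:KeyInfo of $parentRef. When no KeyInfo exists yet one is created
  * and inserted before the first ds:Object (or appended when there is none),
  * which keeps the child order the XMLDSig schema requires.
  *
  * @param DOMElement    $parentRef   Signature element to receive the KeyInfo.
  * @param string        $cert        Certificate data, or its path/URL when
  *                                   $isURL is TRUE.
  * @param bool          $isPEMFormat Forwarded to staticGet509XCerts().
  * @param bool          $isURL       Read $cert with file_get_contents() first.
  * @param DOMXPath|null $xpath       XPath object with the 'secdsig' prefix
  *                                   registered; created when omitted.
  * @throws Exception if $parentRef is not a DOMElement or the certificate
  *                   source cannot be read.
  */
 static function staticAdd509Cert($parentRef, $cert, $isPEMFormat = TRUE, $isURL = False, $xpath = NULL)
 {
     if ($isURL) {
         // Every enabled stream wrapper is reachable through this call; the
         // location must be trusted configuration, not attacker-influenced input.
         $cert = file_get_contents($cert);
         if ($cert === false) {
             throw new Exception('Unable to read certificate data');
         }
     }
     if (!$parentRef instanceof DOMElement) {
         throw new Exception('Invalid parent Node parameter');
     }
     $baseDoc = $parentRef->ownerDocument;
     if (empty($xpath)) {
         $xpath = new DOMXPath($baseDoc);
         $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS);
     }
     $keyInfo = $xpath->query('./secdsig:KeyInfo', $parentRef)->item(0);
     if (!$keyInfo) {
         $keyInfo = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:KeyInfo');
         $firstObject = $xpath->query('./secdsig:Object', $parentRef)->item(0);
         if ($firstObject) {
             // KeyInfo must precede any ds:Object inside ds:Signature.
             $firstObject->parentNode->insertBefore($keyInfo, $firstObject);
         } else {
             $parentRef->appendChild($keyInfo);
         }
     }
     // $cert may hold several certificates (e.g. a chain); all are attached.
     $certs = XMLSecurityDSig::staticGet509XCerts($cert, $isPEMFormat);
     $x509DataNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Data');
     $keyInfo->appendChild($x509DataNode);
     foreach ($certs as $X509Cert) {
         $x509CertNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Certificate', $X509Cert);
         $x509DataNode->appendChild($x509CertNode);
     }
 }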
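 /**
  * Attach a ds:X509Data element to the ds:KeyInfo of $parentRef, containing a
  * ds:X509Certificate for every certificate in $cert and, when requested via
  * $options['issuerSerial'], a ds:X509IssuerSerial for each. A missing
  * KeyInfo is created and inserted before the first ds:Object (or appended),
  * preserving the child order the XMLDSig schema requires.
  *
  * @param DOMElement    $parentRef   Signature element to receive the KeyInfo.
  * @param string        $cert        Certificate data, or its path/URL when
  *                                   $isURL is TRUE.
  * @param bool          $isPEMFormat Forwarded to staticGet509XCerts().
  * @param bool          $isURL       Read $cert with file_get_contents() first.
  * @param DOMXPath|null $xpath       XPath object with the 'secdsig' prefix
  *                                   registered; created when omitted.
  * @param array|null    $options     'issuerSerial' => add ds:X509IssuerSerial.
  * @throws Exception if $parentRef is not a DOMElement or the certificate
  *                   source cannot be read.
  */
 static function staticAdd509Cert($parentRef, $cert, $isPEMFormat = TRUE, $isURL = False, $xpath = NULL, $options = NULL)
 {
     if ($isURL) {
         // Every enabled stream wrapper is reachable through this call; the
         // location must be trusted configuration, not attacker-influenced input.
         $cert = file_get_contents($cert);
         if ($cert === false) {
             throw new Exception('Unable to read certificate data');
         }
     }
     if (!$parentRef instanceof DOMElement) {
         throw new Exception('Invalid parent Node parameter');
     }
     $baseDoc = $parentRef->ownerDocument;
     if (empty($xpath)) {
         $xpath = new DOMXPath($baseDoc);
         $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS);
     }
     $keyInfo = $xpath->query('./secdsig:KeyInfo', $parentRef)->item(0);
     if (!$keyInfo) {
         $keyInfo = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:KeyInfo');
         $firstObject = $xpath->query('./secdsig:Object', $parentRef)->item(0);
         if ($firstObject) {
             // KeyInfo must precede any ds:Object inside ds:Signature.
             $firstObject->parentNode->insertBefore($keyInfo, $firstObject);
         } else {
             $parentRef->appendChild($keyInfo);
         }
     }
     // $cert may hold several certificates (e.g. a chain); all are attached.
     $certs = XMLSecurityDSig::staticGet509XCerts($cert, $isPEMFormat);
     $x509DataNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Data');
     $keyInfo->appendChild($x509DataNode);
     $issuerSerial = is_array($options) && !empty($options['issuerSerial']);
     foreach ($certs as $X509Cert) {
         if ($issuerSerial) {
             // Re-wrap the bare base64 as PEM so openssl can parse it. A
             // certificate openssl rejects is still attached below, just
             // without issuer/serial metadata.
             $pem = "-----BEGIN CERTIFICATE-----\n" . chunk_split($X509Cert, 64, "\n") . "-----END CERTIFICATE-----\n";
             $certData = openssl_x509_parse($pem);
             if ($certData && !empty($certData['issuer']) && !empty($certData['serialNumber'])) {
                 if (is_array($certData['issuer'])) {
                     // array_unshift() reverses openssl's RDN order, presumably to
                     // get the most-specific-first form ("CN=...,O=...,C=...").
                     // Fixed: the original appended an undefined $issuer to each part.
                     // NOTE(review): values are not RFC 4514-escaped, so a ',' or
                     // '+' inside a value (or a multi-valued RDN, which openssl
                     // returns as an array) produces an ambiguous name.
                     $parts = array();
                     foreach ($certData['issuer'] as $key => $value) {
                         array_unshift($parts, "{$key}={$value}");
                     }
                     $issuerName = implode(',', $parts);
                 } else {
                     $issuerName = $certData['issuer'];
                 }
                 $x509IssuerNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509IssuerSerial');
                 $x509DataNode->appendChild($x509IssuerNode);
                 $x509Node = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509IssuerName', $issuerName);
                 $x509IssuerNode->appendChild($x509Node);
                 // serialNumber is emitted as openssl formats it (decimal string).
                 $x509Node = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509SerialNumber', $certData['serialNumber']);
                 $x509IssuerNode->appendChild($x509Node);
             }
         }
         $x509CertNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Certificate', $X509Cert);
         $x509DataNode->appendChild($x509CertNode);
     }
 }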
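 /**
  * Append a XAdES-BES ds:Object to $parentRef: QualifyingProperties >
  * SignedProperties > SignedSignatureProperties carrying the SigningTime,
  * the SigningCertificate (digest plus issuer/serial of each certificate in
  * $cert) and an implied signature policy.
  *
  * The returned SignedProperties element (Id "SignedPropertiesId") is what the
  * caller must reference from ds:SignedInfo so the properties are covered by
  * the signature.
  *
  * @param DOMElement    $parentRef   ds:Signature element to receive the Object.
  * @param string        $cert        Certificate data, or its path/URL when
  *                                   $isURL is TRUE.
  * @param bool          $isPEMFormat Forwarded to staticGet509XCerts().
  * @param bool          $isURL       Read $cert with file_get_contents() first.
  * @param DOMXPath|null $xpath       Accepted for signature compatibility; unused.
  * @param string|null   $digest      Base64 SHA-1 digest of the signing
  *                                   certificate, computed by the caller.
  *                                   NULL yields an empty DigestValue.
  * @param string|null   $signingTime strtotime()-parsable signing instant.
  *                                   Defaults to the legacy fixed date
  *                                   '2014-01-27' for backward compatibility.
  * @return DOMElement the SignedProperties element.
  * @throws Exception if $parentRef is not a DOMElement or the certificate
  *                   source cannot be read.
  */
 static function staticAddBes($parentRef, $cert, $isPEMFormat = TRUE, $isURL = False, $xpath = NULL, $digest = NULL, $signingTime = NULL)
 {
     if ($isURL) {
         // Every enabled stream wrapper is reachable through this call; the
         // location must be trusted configuration, not attacker-influenced input.
         $cert = file_get_contents($cert);
         if ($cert === false) {
             throw new Exception('Unable to read certificate data');
         }
     }
     if (!$parentRef instanceof DOMElement) {
         throw new Exception('Invalid parent Node parameter');
     }
     $baseDoc = $parentRef->ownerDocument;
     $certs = XMLSecurityDSig::staticGet509XCerts($cert, $isPEMFormat);

     $objectNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:Object');
     $parentRef->appendChild($objectNode);
     // XAdES elements are created in no namespace and given a literal xmlns
     // attribute; the namespace only takes effect once the document is
     // serialised and re-parsed, so XPath on this live DOM will not see it.
     $qProps = $baseDoc->createElement('QualifyingProperties');
     $qProps->setAttribute('xmlns:xsi', 'http://www.w3.org/2001/XMLSchema-instance');
     $qProps->setAttribute('xmlns:xsd', 'http://www.w3.org/2001/XMLSchema');
     $qProps->setAttribute('xmlns', 'http://uri.etsi.org/01903/v1.1.1#');
     // Target is hard-wired to "#SignatureId": the enclosing ds:Signature must
     // carry Id="SignatureId" for the qualifying properties to bind to it.
     $qProps->setAttribute('Target', '#SignatureId');
     $objectNode->appendChild($qProps);
     $SignedProps = $baseDoc->createElement('SignedProperties');
     $SignedProps->setAttribute('Id', 'SignedPropertiesId');
     $qProps->appendChild($SignedProps);
     $SignedSignatureProperties = $baseDoc->createElement('SignedSignatureProperties');
     $SignedProps->appendChild($SignedSignatureProperties);

     // NOTE(review): the legacy default stamps every signature with the same
     // past date; production callers should pass the real signing instant.
     if ($signingTime === NULL) {
         $signingTime = '2014-01-27';
     }
     $SigningTime = $baseDoc->createElement('SigningTime', date('c', strtotime($signingTime)));
     $SignedSignatureProperties->appendChild($SigningTime);

     $SigningCertificate = $baseDoc->createElement('SigningCertificate');
     $SignedSignatureProperties->appendChild($SigningCertificate);
     $Cert = $baseDoc->createElement('Cert');
     $SigningCertificate->appendChild($Cert);
     $CertDigest = $baseDoc->createElement('CertDigest');
     $Cert->appendChild($CertDigest);
     // NOTE(review): the digest algorithm is fixed to SHA-1, which is
     // deprecated for new signatures; changing it requires the caller to
     // supply a matching $digest.
     $DigestMethod = $baseDoc->createElement('DigestMethod');
     $DigestMethodAttrAlgorithm = $baseDoc->createAttribute('Algorithm');
     $DigestMethodAttrAlgorithm->value = self::SHA1;
     $DigestMethod->appendChild($DigestMethodAttrAlgorithm);
     $CertDigest->appendChild($DigestMethod);
     $DigestValue = $baseDoc->createElement('DigestValue', $digest);
     $CertDigest->appendChild($DigestValue);

     // NOTE(review): every parsable certificate in $cert adds an IssuerSerial
     // under the single Cert element; with a chain that yields several
     // IssuerSerial children -- confirm against the XAdES schema.
     foreach ($certs as $X509Cert) {
         $pem = "-----BEGIN CERTIFICATE-----\n" . chunk_split($X509Cert, 64, "\n") . "-----END CERTIFICATE-----\n";
         $certData = openssl_x509_parse($pem);
         if (!$certData || empty($certData['issuer']) || empty($certData['serialNumber'])) {
             // Unparsable certificate: silently skipped, as before.
             continue;
         }
         if (is_array($certData['issuer'])) {
             // Reversed RDN order, joined with ', ' (note: differs from the
             // ',' separator used by staticAdd509Cert). Values are not
             // RFC 4514-escaped.
             $parts = array();
             foreach ($certData['issuer'] as $key => $value) {
                 array_unshift($parts, "{$key}={$value}");
             }
             $issuerName = implode(', ', $parts);
         } else {
             $issuerName = $certData['issuer'];
         }
         $IssuerSerial = $baseDoc->createElement('IssuerSerial');
         $Cert->appendChild($IssuerSerial);
         $x509Node = $baseDoc->createElement('X509IssuerName', $issuerName);
         $x509NodeAttr = $baseDoc->createAttribute('xmlns');
         $x509NodeAttr->value = 'http://www.w3.org/2000/09/xmldsig#';
         $x509Node->appendChild($x509NodeAttr);
         $IssuerSerial->appendChild($x509Node);
         $x509Node = $baseDoc->createElement('X509SerialNumber', $certData['serialNumber']);
         $x509NodeAttr = $baseDoc->createAttribute('xmlns');
         $x509NodeAttr->value = 'http://www.w3.org/2000/09/xmldsig#';
         $x509Node->appendChild($x509NodeAttr);
         $IssuerSerial->appendChild($x509Node);
     }

     $SignaturePolicyIdentifier = $baseDoc->createElement('SignaturePolicyIdentifier');
     $SignedSignatureProperties->appendChild($SignaturePolicyIdentifier);
     $SignaturePolicyImplied = $baseDoc->createElement('SignaturePolicyImplied');
     $SignaturePolicyIdentifier->appendChild($SignaturePolicyImplied);
     return $SignedProps;
 }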
 /**
  * Return the first certificate found in $cert, or '' when none is found.
  *
  * Thin convenience wrapper over staticGet509XCerts() for callers that need
  * a single certificate; any further certificates in $cert are dropped.
  *
  * @param string $cert        Certificate data (PEM unless $isPEMFormat is FALSE).
  * @param bool   $isPEMFormat Forwarded to staticGet509XCerts().
  * @return string
  */
 static function get509XCert($cert, $isPEMFormat = TRUE)
 {
     $found = XMLSecurityDSig::staticGet509XCerts($cert, $isPEMFormat);
     return empty($found) ? '' : $found[0];
 }