The signature element will be appended to the element, unless $beforeNode is specified. If $beforeNode
is specified, the signature element will be inserted as the last element before $beforeNode.
public insertSignature ( $node, $beforeNode = null ) : DOMNode | ||
$node | The node the signature element should be inserted into. | |
$beforeNode | The node the signature element should be located before. | |
return | DOMNode | The signature element node |
/** * Adds signature key and senders certificate to an element (Message or Assertion). * * @param string|DomDocument $xml The element we should sign * @param string $key The private key * @param string $cert The public */ public static function addSign($xml, $key, $cert) { if ($xml instanceof DOMDocument) { $dom = $xml; } else { $dom = new DOMDocument(); $dom = self::loadXML($dom, $xml); if (!$dom) { throw new Exception('Error parsing xml string'); } } /* Load the private key. */ $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private')); $objKey->loadKey($key, false); /* Get the EntityDescriptor node we should sign. */ $rootNode = $dom->firstChild; /* Sign the metadata with our private key. */ $objXMLSecDSig = new XMLSecurityDSig(); $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N); $objXMLSecDSig->addReferenceList(array($rootNode), XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N), array('id_name' => 'ID')); $objXMLSecDSig->sign($objKey); /* Add the certificate to the signature. */ $objXMLSecDSig->add509Cert($cert, true); $insertBefore = $rootNode->firstChild; $messageTypes = array('samlp:AuthnRequest', 'samlp:Response', 'samlp:LogoutRequest', 'samlp:LogoutResponse'); if (in_array($rootNode->tagName, $messageTypes)) { $issuerNodes = self::query($dom, '/' . $rootNode->tagName . '/saml:Issuer'); if ($issuerNodes->length == 1) { $insertBefore = $issuerNodes->item(0)->nextSibling; } } /* Add the signature. */ $objXMLSecDSig->insertSignature($rootNode, $insertBefore); /* Return the DOM tree as a string. */ $signedxml = $dom->saveXML(); return $signedxml; }
/** * Signs the given metadata if metadata signing is enabled. * * @param string $metadataString A string with the metadata. * @param array $entityMetadata The metadata of the entity. * @param string $type A string which describes the type entity this is, e.g. 'SAML 2 IdP' or 'Shib 1.3 SP'. * * @return string The $metadataString with the signature embedded. * @throws Exception If the certificate or private key cannot be loaded, or the metadata doesn't parse properly. */ public static function sign($metadataString, $entityMetadata, $type) { $config = SimpleSAML_Configuration::getInstance(); // check if metadata signing is enabled if (!self::isMetadataSigningEnabled($config, $entityMetadata, $type)) { return $metadataString; } // find the key & certificate which should be used to sign the metadata $keyCertFiles = self::findKeyCert($config, $entityMetadata, $type); $keyFile = \SimpleSAML\Utils\Config::getCertPath($keyCertFiles['privatekey']); if (!file_exists($keyFile)) { throw new Exception('Could not find private key file [' . $keyFile . '], which is needed to sign the metadata'); } $keyData = file_get_contents($keyFile); $certFile = \SimpleSAML\Utils\Config::getCertPath($keyCertFiles['certificate']); if (!file_exists($certFile)) { throw new Exception('Could not find certificate file [' . $certFile . '], which is needed to sign the metadata'); } $certData = file_get_contents($certFile); // convert the metadata to a DOM tree try { $xml = SAML2_DOMDocumentFactory::fromString($metadataString); } catch (Exception $e) { throw new Exception('Error parsing self-generated metadata.'); } // load the private key $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private')); if (array_key_exists('privatekey_pass', $keyCertFiles)) { $objKey->passphrase = $keyCertFiles['privatekey_pass']; } $objKey->loadKey($keyData, false); // get the EntityDescriptor node we should sign $rootNode = $xml->firstChild; // sign the metadata with our private key if ($type == 'ADFS IdP') { $objXMLSecDSig = new sspmod_adfs_XMLSecurityDSig($metadataString); } else { $objXMLSecDSig = new XMLSecurityDSig(); } $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N); $objXMLSecDSig->addReferenceList(array($rootNode), XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N), array('id_name' => 'ID')); $objXMLSecDSig->sign($objKey); // add the certificate to the signature $objXMLSecDSig->add509Cert($certData, true); // add the signature to the metadata $objXMLSecDSig->insertSignature($rootNode, $rootNode->firstChild); // return the DOM tree as a string return $xml->saveXML(); }
/** * Insert a Signature-node. * * @param XMLSecurityKey $key The key we should use to sign the message. * @param array $certificates The certificates we should add to the signature node. * @param DOMElement $root The XML node we should sign. * @param DOMNode $insertBefore The XML element we should insert the signature element before. */ public static function insertSignature(XMLSecurityKey $key, array $certificates, DOMElement $root, DOMNode $insertBefore = NULL) { $objXMLSecDSig = new XMLSecurityDSig(); $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N); switch ($key->type) { case XMLSecurityKey::RSA_SHA256: $type = XMLSecurityDSig::SHA256; break; case XMLSecurityKey::RSA_SHA384: $type = XMLSecurityDSig::SHA384; break; case XMLSecurityKey::RSA_SHA512: $type = XMLSecurityDSig::SHA512; break; default: $type = XMLSecurityDSig::SHA1; } $objXMLSecDSig->addReferenceList(array($root), $type, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N), array('id_name' => 'ID', 'overwrite' => FALSE)); $objXMLSecDSig->sign($key); foreach ($certificates as $certificate) { $objXMLSecDSig->add509Cert($certificate, TRUE); } $objXMLSecDSig->insertSignature($root, $insertBefore); }
public static function PrepSAMLAssertion(&$saml_xml_request) { // // Gather inputs needed during assembly of SAML Assertion (e.g., keys, certs, timestamps, IDs_ // $DateTimeNow = new DateTime(null, new DateTimeZone("UTC")); $DateTimeNowString = $DateTimeNow->format("Y-m-d\\TH:i:s.B\\Z"); $DateTime15Min = new DateTime(null, new DateTimeZone("UTC")); $DateTime15Min->modify('+900 sec'); $DateTime15MinString = $DateTime15Min->format("Y-m-d\\TH:i:s.B\\Z"); $SAMLParams = array(); $SAMLParams['IssueInstant'] = $DateTimeNowString; $SAMLParams['Issuer'] = SAML_IDENTITY_PROVIDER_ID; $SAMLParams['ID'] = SimpleSAML_Utilities::generateID(); $SAMLParams['NameID'] = SAML_NAME_ID; $SAMLParams['NotBefore'] = $DateTimeNowString; $SAMLParams['NotOnOrAfter'] = $DateTime15MinString; $SAMLParams['AuthnInstant'] = $DateTimeNowString; $SAMLParams['Audience'] = SAML_IDENTITY_PROVIDER_ID; $SAMLParams['x509'] = file_get_contents(SAML_X509_CERT_PATH); $SAMLParams['private_key'] = file_get_contents(SAML_X509_PRIVATE_KEY_PATH); // // Assemble DOM containing correct SAML assertion // $xml = new DOMDocument('1.0', 'utf-8'); // Assertion $assertion = $xml->createElementNS('urn:oasis:names:tc:SAML:2.0:assertion', 'saml2:Assertion'); $assertion->setAttribute('ID', $SAMLParams['ID']); $assertion->setAttribute('Version', '2.0'); $assertion->setAttribute('IssueInstant', $SAMLParams['IssueInstant']); $xml->appendChild($assertion); // Issuer $issuer = $xml->createElement('saml2:Issuer', $SAMLParams['Issuer']); $assertion->appendChild($issuer); // Subject + NameID + SubjectConfirmation $subject = $xml->createElement('saml2:Subject'); $assertion->appendChild($subject); // NameID $nameid = $xml->createElement('saml2:NameID', $SAMLParams['NameID']); $nameid->setAttribute('Format', 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'); $subject->appendChild($nameid); // SubjectConfirmation $confirmation = $xml->createElement('saml2:SubjectConfirmation'); $confirmation->setAttribute('Method', 'urn:oasis:names:tc:SAML:2.0:cm:bearer'); $subject->appendChild($confirmation); // Conditions + AudienceRestriction + Audience $condition = $xml->createElement('saml2:Conditions'); $condition->setAttribute('NotBefore', $SAMLParams['NotBefore']); $condition->setAttribute('NotOnOrAfter', $SAMLParams['NotOnOrAfter']); $assertion->appendChild($condition); // AudienceRestriction $audiencer = $xml->createElement('saml2:AudienceRestriction'); $condition->appendChild($audiencer); // Audience $audience = $xml->createElement('saml2:Audience', $SAMLParams['Audience']); $audiencer->appendChild($audience); // AuthnStatement + AuthnContext + AuthnContextClassRef $authnstat = $xml->createElement('saml2:AuthnStatement'); $authnstat->setAttribute('AuthnInstant', $SAMLParams['AuthnInstant']); $authnstat->setAttribute('SessionIndex', $SAMLParams['ID']); $assertion->appendChild($authnstat); // AuthnContext $authncontext = $xml->createElement('saml2:AuthnContext'); $authnstat->appendChild($authncontext); // AuthnContextClassRef $authncontext_ref = $xml->createElement('saml2:AuthnContextClassRef', 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'); $authncontext->appendChild($authncontext_ref); //Private KEY $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private')); $objKey->loadKey($SAMLParams['private_key']); //Sign the Assertion $objXMLSecDSig = new XMLSecurityDSig(); $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N); $objXMLSecDSig->addReferenceList(array($assertion), XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N), array('URI' => 'ID', 'overwrite' => false, 'id_name' => 'ID')); $objXMLSecDSig->sign($objKey); $objXMLSecDSig->add509Cert($SAMLParams['x509']); $objXMLSecDSig->insertSignature($assertion, $subject); $saml = $xml->saveXML(); // // Change Reference URI locally (considered changing 'xmlseclibs.php', but // that seemed inappropriate) // preg_match("/<ds:Reference URI=\"#(.+?)\">/is", $saml, $URI); $saml = str_replace("Id=\"" . $URI[1] . "\"", "", $saml); $saml = str_replace($URI[1], $SAMLParams["ID"], $saml); // // Prepare Base64-Encoded SAML Assertion request body based on DOM // $saml = str_replace('<?xml version="1.0" encoding="utf-8"?>', '', $saml); $saml_xml_request = base64_encode(stripslashes($saml)); }
/** * Insert a Signature-node. * * @param XMLSecurityKey $key The key we should use to sign the message. * @param array $certificates The certificates we should add to the signature node. * @param DOMElement $root The XML node we should sign. * @param DomElement $insertBefore The XML element we should insert the signature element before. */ public static function insertSignature(XMLSecurityKey $key, array $certificates, DOMElement $root, DOMNode $insertBefore = NULL) { $objXMLSecDSig = new XMLSecurityDSig(); $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N); $objXMLSecDSig->addReferenceList(array($root), XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N), array('id_name' => 'ID')); $objXMLSecDSig->sign($key); foreach ($certificates as $certificate) { $objXMLSecDSig->add509Cert($certificate, TRUE); } $objXMLSecDSig->insertSignature($root, $insertBefore); }
/** * Signs the given DOMElement and inserts the signature at the given position. * * The private key must be set before calling this function. * * @param $node The DOMElement we should generate a signature for. * @param $insertInto The DOMElement we should insert the signature element into. * @param $insertBefore The element we should insert the signature element before. Defaults to NULL, * in which case the signature will be appended to the element spesified in * $insertInto. */ public function sign($node, $insertInto, $insertBefore = NULL) { assert('$node instanceof DOMElement'); assert('$insertInto instanceof DOMElement'); assert('is_null($insertBefore) || $insertBefore instanceof DOMElement ' . '|| $insertBefore instanceof DOMComment || $insertBefore instanceof DOMText'); if ($this->privateKey === FALSE) { throw new Exception('Private key not set.'); } $objXMLSecDSig = new XMLSecurityDSig(); $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N); $options = array(); if ($this->idAttrName !== FALSE) { $options['id_name'] = $this->idAttrName; } $objXMLSecDSig->addReferenceList(array($node), XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N), $options); $objXMLSecDSig->sign($this->privateKey); if ($this->certificate !== FALSE) { // Add the certificate to the signature $objXMLSecDSig->add509Cert($this->certificate, TRUE); } // Add extra certificates foreach ($this->extraCertificates as $certificate) { $objXMLSecDSig->add509Cert($certificate, TRUE); } $objXMLSecDSig->insertSignature($insertInto, $insertBefore); }
/** * @param \DOMNode $parent * @param \AerialShip\LightSaml\Meta\SerializationContext $context * @return \DOMNode */ function getXml(\DOMNode $parent, SerializationContext $context) { $objXMLSecDSig = new \XMLSecurityDSig(); $objXMLSecDSig->setCanonicalMethod($this->getCanonicalMethod()); $key = $this->getXmlSecurityKey(); switch ($key->type) { case \XMLSecurityKey::RSA_SHA256: $type = \XMLSecurityDSig::SHA256; break; case \XMLSecurityKey::RSA_SHA384: $type = \XMLSecurityDSig::SHA384; break; case \XMLSecurityKey::RSA_SHA512: $type = \XMLSecurityDSig::SHA512; break; default: $type = \XMLSecurityDSig::SHA1; } $objXMLSecDSig->addReferenceList(array($parent), $type, array(Protocol::XMLSEC_TRANSFORM_ALGORITHM_ENVELOPED_SIGNATURE, \XMLSecurityDSig::EXC_C14N), array('id_name' => $this->getIDName(), 'overwrite' => FALSE)); $objXMLSecDSig->sign($key); $objXMLSecDSig->add509Cert($this->getCertificate()->getData(), false, false); $firstChild = $parent->hasChildNodes() ? $parent->firstChild : null; if ($firstChild && $firstChild->localName == 'Issuer') { // The signature node should come after the issuer node $firstChild = $firstChild->nextSibling; } $objXMLSecDSig->insertSignature($parent, $firstChild); }
/** * Signs the given metadata if metadata signing is enabled. * * @param $metadataString A string with the metadata. * @param $entityMetadata The metadata of the entity. * @param $type A string which describes the type entity this is, e.g. 'SAML 2 IdP' or 'Shib 1.3 SP'. * @return The $metadataString with the signature embedded. */ public static function sign($metadataString, $entityMetadata, $type) { $config = SimpleSAML_Configuration::getInstance(); /* Check if metadata signing is enabled. */ if (!self::isMetadataSigningEnabled($config, $entityMetadata, $type)) { return $metadataString; } /* Find the key & certificate which should be used to sign the metadata. */ $keyCertFiles = self::findKeyCert($config, $entityMetadata, $type); $keyFile = $config->getPathValue('certdir', 'cert/') . $keyCertFiles['privatekey']; if (!file_exists($keyFile)) { throw new Exception('Could not find private key file [' . $keyFile . '], which is needed to sign the metadata'); } $keyData = file_get_contents($keyFile); $certFile = $config->getPathValue('certdir', 'cert/') . $keyCertFiles['certificate']; if (!file_exists($certFile)) { throw new Exception('Could not find certificate file [' . $certFile . '], which is needed to sign the metadata'); } $certData = file_get_contents($certFile); /* Convert the metadata to a DOM tree. */ $xml = new DOMDocument(); if (!$xml->loadXML($metadataString)) { throw new Exception('Error parsing self-generated metadata.'); } /* Load the private key. */ $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private')); if (array_key_exists('privatekey_pass', $keyCertFiles)) { $objKey->passphrase = $keyCertFiles['privatekey_pass']; } $objKey->loadKey($keyData, FALSE); /* Get the EntityDescriptor node we should sign. */ $rootNode = $xml->firstChild; /* Sign the metadata with our private key. */ $objXMLSecDSig = new XMLSecurityDSig(); $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N); $objXMLSecDSig->addReferenceList(array($rootNode), XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N), array('id_name' => 'ID')); $objXMLSecDSig->sign($objKey); /* Add the certificate to the signature. */ $objXMLSecDSig->add509Cert($certData, true); /* Add the signature to the metadata. */ $objXMLSecDSig->insertSignature($rootNode, $rootNode->firstChild); /* Return the DOM tree as a string. */ return $xml->saveXML(); }