Check the signature on a SAML2 message or assertion.
public static checkSign ( SimpleSAML_Configuration $srcMetadata, SAML2\SignedElement $element )

| Parameter | Type | Description |
| --- | --- | --- |
| $srcMetadata | SimpleSAML_Configuration | The metadata of the sender. |
| $element | SAML2\SignedElement | Either a \SAML2\Response or a \SAML2\Assertion. |
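/**
 * Authenticate the requestor of the attribute query.
 *
 * Two independent mechanisms are accepted, and either one is sufficient:
 *  - the TLS client certificate of the HTTP request, matched by fingerprint
 *    against the public key(s) in the requestor's metadata;
 *  - the XML signature on the query, verified by sspmod_saml_Message::checkSign().
 *
 * A mechanism that is present but fails (a certificate was presented but is not
 * in the metadata, or the query is signed but the signature does not verify) is
 * fatal. A mechanism that is simply absent is not, as long as the other one
 * succeeds. If neither authenticates the requestor, a 401 response is sent and
 * the script exits.
 *
 * @return void
 * @throws SimpleSAML_Error_Exception If a presented certificate or signature does not verify.
 */
private function authenticate()
{
    $client_is_authenticated = false;

    /* Authenticate the requestor by verifying the TLS certificate used for the HTTP query */
    if ($this->authenticateWithClientCertificate()) {
        $client_is_authenticated = true;
    }

    /* Authenticate the requestor by verifying the XML signature on the query */
    if ($this->authenticateWithQuerySignature()) {
        $client_is_authenticated = true;
    }

    if (!$client_is_authenticated) {
        SimpleSAML_Logger::info('[aa] Attribute query was not authenticated. Drop.');
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: None', false);
        echo 'Not authenticated. Neither query signature nor SSL client certificate was available.';
        exit;
    }

    SimpleSAML_Logger::debug('[aa] Attribute query was authenticated.');
}

/**
 * Verify the TLS client certificate of the current request against the requestor's metadata.
 *
 * The web server exports its verification result in $_SERVER['SSL_CLIENT_VERIFY'] and the PEM
 * certificate in $_SERVER['SSL_CLIENT_CERT']. Any non-empty value other than 'NONE' is taken to
 * mean that a certificate was presented. The authentication decision itself is the SHA-1
 * fingerprint match against the 'certFingerprint' entries loaded from metadata, so a
 * certificate the web server could not chain-validate but that is pinned in metadata is still
 * accepted, and one the server validated but that is not in metadata is rejected.
 *
 * @return bool True if a certificate was presented and matches the metadata; false if no
 *              certificate was presented.
 * @throws SimpleSAML_Error_Exception If a certificate was presented but is unusable, or does not
 *                                    match any fingerprint in the requestor's metadata.
 */
private function authenticateWithClientCertificate()
{
    if (!array_key_exists('SSL_CLIENT_VERIFY', $_SERVER)) {
        /* The request may be signed, so this is not fatal */
        SimpleSAML_Logger::debug('[aa] SSL client certificate does not exist.');
        return false;
    }

    $verifyResult = $_SERVER['SSL_CLIENT_VERIFY'];
    SimpleSAML_Logger::debug(
        '[aa] Request was made using the following certificate: ' . var_export($verifyResult, 1)
    );

    if (!$verifyResult || $verifyResult === 'NONE') {
        /* The request may be signed, so this is not fatal */
        SimpleSAML_Logger::debug('[aa] SSL client certificate does not exist.');
        return false;
    }

    if (!isset($_SERVER['SSL_CLIENT_CERT'])) {
        /* The server reports a client certificate but did not export it (e.g. mod_ssl without
         * +ExportCertData). Fail closed instead of fingerprinting an empty string. */
        throw new SimpleSAML_Error_Exception('[aa] SSL client certificate was not exported by the web server.');
    }

    /* Strip the PEM armour; strict base64 decoding rejects anything that is not a certificate body */
    $clientCertData = trim(preg_replace('/--.* CERTIFICATE-+-/', '', $_SERVER['SSL_CLIENT_CERT']));
    $clientCertDer = base64_decode($clientCertData, true);
    if ($clientCertDer === false || $clientCertDer === '') {
        throw new SimpleSAML_Error_Exception('[aa] Can not calculate certificate fingerprint from the request.');
    }
    $clientCertFingerprint = strtolower(sha1($clientCertDer));

    $spCertArray = SimpleSAML_Utilities::loadPublicKey($this->spMetadata);
    if (!$spCertArray) {
        throw new SimpleSAML_Error_Exception('[aa] Can not find the public key of the requestor in the metadata!');
    }
    $knownFingerprints = isset($spCertArray['certFingerprint']) ? $spCertArray['certFingerprint'] : array();

    /* Fingerprints are hex strings: compare case-insensitively and with strict equality,
     * never with == (numeric-looking strings would otherwise be compared as numbers). */
    foreach ($knownFingerprints as $fingerprint) {
        if ($fingerprint && $clientCertFingerprint === strtolower($fingerprint)) {
            SimpleSAML_Logger::debug('[aa] SSL certificate is checked and valid.');
            return true;
        }
    }

    /* Reject the request if the TLS certificate used for the request does not match metadata */
    throw new SimpleSAML_Error_Exception('[aa] SSL certificate check failed.');
}

/**
 * Verify the XML signature on the attribute query, if it carries one.
 *
 * @return bool True if the query is signed and the signature verifies against the requestor's
 *              metadata; false if the query carries no certificate (and hence no usable signature).
 * @throws SimpleSAML_Error_Exception If the query is signed but the signature does not verify.
 */
private function authenticateWithQuerySignature()
{
    $certs_of_query = $this->query->getCertificates();
    if (count($certs_of_query) === 0) {
        /* The request may be protected by HTTP TLS (X.509) authentication, so this is not fatal */
        SimpleSAML_Logger::debug('[aa] AttributeQuery has no signature.');
        return false;
    }

    if (!sspmod_saml_Message::checkSign($this->spMetadata, $this->query)) {
        /* An invalid or unverifiable signature is fatal */
        throw new SimpleSAML_Error_Exception('[aa] The signature of the AttributeQuery is wrong!');
    }

    SimpleSAML_Logger::debug('[aa] AttributeQuery signature is checked and valid.');
    return true;
}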
/**
 * Check a SOAP AuthnRequest.
 *
 * The request must be signed by the SP, and the ECP client must supply HTTP Basic
 * credentials; those are copied into the state array for the authentication source.
 *
 * @param SimpleSAML_Configuration $idpMetadata The metadata for the IdP.
 * @param SimpleSAML_Configuration $spMetadata The metadata for the SP.
 * @param SAML2_AuthnRequest $request The authentication request received over SOAP.
 * @param array &$state The state array.
 * @throws SimpleSAML_Error_Exception If the request is not signed.
 * @throws SimpleSAML_Error_Error If no HTTP Basic credentials accompany the request.
 */
private static function processSOAPAuthnRequest(SimpleSAML_Configuration $idpMetadata, SimpleSAML_Configuration $spMetadata, SAML2_AuthnRequest $request, array &$state)
{
    // The response goes back over the same SOAP channel.
    $state['saml:Binding'] = SAML2_Const::BINDING_SOAP;

    // checkSign() throws on a bad signature and returns false when there is none at all.
    $signatureOk = sspmod_saml_Message::checkSign($spMetadata, $request);
    if (!$signatureOk) {
        throw new SimpleSAML_Error_Exception('SOAP authentication request not signed.');
    }

    // HTTP Basic credentials supplied by the ECP client.
    $username = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
    $password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
    if ($username === null || $password === null) {
        SimpleSAML_Logger::debug('SOAP auth without authentication data.');
        throw new SimpleSAML_Error_Error('ECP_AUTH_FAILURE');
    }

    // The state array now carries the client's plaintext password; keep it out of logs.
    $state['core:auth:username'] = $username;
    $state['core:auth:password'] = $password;
}