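/**
 * Sign and address an outgoing SOAP request before handing it to SoapClient.
 *
 * Ordering fix: the WS-Addressing headers (Action, To, MessageID, ReplyTo) are now
 * added BEFORE the document is signed. Previously they were added after signSoapDoc(),
 * so despite signAllHeaders = TRUE the addressing headers were never covered by the
 * signature and an intermediary could rewrite them undetected.
 *
 * @param string $request  raw SOAP envelope produced by SoapClient
 * @param string $location endpoint URL (also placed in wsa:To)
 * @param string $saction  SOAPAction (also placed in wsa:Action)
 * @param int    $version  SOAP version constant
 * @return string response returned by parent::__doRequest
 * @throws Exception when the certificate file cannot be read
 */
function __doRequest($request, $location, $saction, $version) {
    $dom = new DOMDocument();
    $dom->loadXML($request);

    /* WS-Addressing headers first, so that the signature below covers them */
    $objWSA = new WSASoap($dom);
    $objWSA->addAction($saction);
    $objWSA->addTo($location);
    $objWSA->addMessageID();
    $objWSA->addReplyTo();
    $dom = $objWSA->getDoc();

    $objWSSE = new WSSESoap($dom);
    /* Sign all headers to include signing the WS-Addressing headers */
    $objWSSE->signAllHeaders = TRUE;
    $objWSSE->addTimestamp();

    /* RSA signature with SHA-1; prefer XMLSecurityKey::RSA_SHA256 where the peer accepts it */
    $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
    /* load the private key from file - last arg TRUE means PRIVATE_KEY is a path, not PEM text */
    $objKey->loadKey(PRIVATE_KEY, TRUE);
    /* Sign the message - also signs appropriate WS-Security items */
    $objWSSE->signSoapDoc($objKey);

    /* Add certificate (BinarySecurityToken) to the message and attach pointer to Signature.
     * file_get_contents() returns FALSE on failure, which must not end up in the token. */
    $certPem = file_get_contents(CERT_FILE);
    if ($certPem === FALSE) {
        throw new Exception('Unable to read certificate file: ' . CERT_FILE);
    }
    $token = $objWSSE->addBinaryToken($certPem);
    $objWSSE->attachTokentoSig($token);

    return parent::__doRequest($objWSSE->saveXML(), $location, $saction, $version);
}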
/**
 * BC compatible version of the signature check.
 *
 * Walks the candidate certificates in order and returns as soon as one of them
 * verifies the element's signature. A candidate that throws is logged and its
 * exception kept; when no candidate verifies, the last such exception (if any)
 * is re-thrown so the caller sees the underlying cause, otherwise FALSE is returned.
 *
 * @param SAML2_SignedElement      $element
 * @param SAML2_Certificate_X509[] $pemCandidates
 *
 * @throws Exception the last exception raised by a candidate, when none verified
 *
 * @return bool TRUE if some candidate verified the signature, FALSE if all failed quietly
 */
protected function validateElementWithKeys(SAML2_SignedElement $element, $pemCandidates) {
    $pendingException = NULL;

    foreach ($pemCandidates as $index => $candidateKey) {
        /* RSA_SHA1 is just the initial key type; the element's validate() is presumably
         * responsible for matching the key to the signature's algorithm - confirm there. */
        $publicKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'public'));
        $publicKey->loadKey($candidateKey->getCertificate());

        try {
            /*
             * Make sure that we have a valid signature on either the response or the assertion.
             */
            if ($element->validate($publicKey)) {
                $this->logger->debug(sprintf('Validation with key "#%d" succeeded', $index));
                return TRUE;
            }
            $this->logger->debug(sprintf('Validation with key "#%d" failed without exception.', $index));
        } catch (Exception $e) {
            $this->logger->debug(sprintf('Validation with key "#%d" failed with exception: %s', $index, $e->getMessage()));
            $pendingException = $e;
        }
    }

    if ($pendingException === NULL) {
        return FALSE;
    }
    throw $pendingException;
}
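/**
 * Sign, then encrypt, an outgoing SOAP request and decrypt the reply.
 *
 * Order is sign-then-encrypt: the RSA-SHA1 signature (with the signer's certificate as a
 * BinarySecurityToken) is applied first, then the document is encrypted with a fresh
 * AES-256-CBC session key wrapped for the service with RSA-OAEP. The reply is decrypted
 * with our private key before being returned to SoapClient.
 *
 * Fixes: the certificate read is checked (file_get_contents() returns FALSE on failure),
 * the stale "AES256_CBC" comment on the signing key is corrected, and a reply that is
 * empty or not XML is returned unchanged so SoapClient can raise its own SoapFault.
 *
 * @param string $request
 * @param string $location
 * @param string $saction
 * @param int    $version
 * @return string|null
 * @throws Exception when the certificate file cannot be read
 */
public function __doRequest($request, $location, $saction, $version) {
    $doc = new DOMDocument('1.0');
    $doc->loadXML($request);
    $objWSSE = new WSSESoap($doc);

    /* wsu:Timestamp; the expiry is whatever addTimestamp()'s default is in this WSSESoap */
    $objWSSE->addTimestamp();

    /* Signing key: RSA with SHA-1 (prefer RSA_SHA256 where the service accepts it), type private */
    $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
    /* load the private key from file - last arg is bool if key in file (true) or is string (false) */
    $objKey->loadKey(PRIVATE_KEY, true);

    /* Sign the message - also signs appropriate WS-Security items */
    $objWSSE->signSoapDoc($objKey, array("insertBefore" => false));

    /* Add certificate (BinarySecurityToken) to the message and point the Signature at it */
    $certPem = file_get_contents(CERT_FILE);
    if ($certPem === false) {
        throw new Exception('Unable to read certificate file: ' . CERT_FILE);
    }
    $token = $objWSSE->addBinaryToken($certPem);
    $objWSSE->attachTokentoSig($token);

    /* One-off AES-256-CBC content key, wrapped under the service certificate with RSA-OAEP.
     * NOTE(review): CBC provides no integrity of its own; the signature above is what
     * protects the payload, so keep this sign-then-encrypt order. */
    $sessionKey = new XMLSecurityKey(XMLSecurityKey::AES256_CBC);
    $sessionKey->generateSessionKey();
    $siteKey = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, array('type' => 'public'));
    $siteKey->loadKey(SERVICE_CERT, true, true); /* file path, X.509 certificate */
    $objWSSE->encryptSoapDoc($siteKey, $sessionKey, array("KeyInfo" => array("X509SubjectKeyIdentifier" => true)));

    $retVal = parent::__doRequest($objWSSE->saveXML(), $location, $saction, $version);

    /* Transport failure or non-XML reply: hand it back untouched rather than
     * attempting to decrypt an empty document. */
    if (!is_string($retVal) || $retVal === '') {
        return $retVal;
    }
    $doc = new DOMDocument();
    if (!$doc->loadXML($retVal)) {
        return $retVal;
    }

    /* Decrypt the reply with our private key (path, not PEM text, not a certificate) */
    $options = array("keys" => array("private" => array("key" => PRIVATE_KEY, "isFile" => true, "isCert" => false)));
    $objWSSE->decryptSoapDoc($doc, $options);
    return $doc->saveXML();
}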
/**
 * Set the assertion, storing it encrypted in $this->encryptedData.
 *
 * @param SAML2_Assertion $assertion The assertion.
 * @param XMLSecurityKey  $key       A symmetric key (3DES/AES-CBC) that encrypts the
 *                                   assertion directly, or an RSA key (PKCS#1 v1.5 or
 *                                   OAEP) that wraps a freshly generated AES-128-CBC
 *                                   session key.
 * @throws Exception on an unsupported key type
 */
public function setAssertion(SAML2_Assertion $assertion, XMLSecurityKey $key) {
    $assertionXml = $assertion->toXML();
    SAML2_Utils::getContainer()->debugMessage($assertionXml, 'encrypt');

    $encryptor = new XMLSecEnc();
    $encryptor->setNode($assertionXml);
    $encryptor->type = XMLSecEnc::Element;

    $symmetricTypes = array(
        XMLSecurityKey::TRIPLEDES_CBC,
        XMLSecurityKey::AES128_CBC,
        XMLSecurityKey::AES192_CBC,
        XMLSecurityKey::AES256_CBC,
    );
    $keyTransportTypes = array(
        XMLSecurityKey::RSA_1_5,
        XMLSecurityKey::RSA_OAEP_MGF1P,
    );

    if (in_array($key->type, $symmetricTypes, true)) {
        // the caller-supplied key is used as the content key as-is
        $contentKey = $key;
    } elseif (in_array($key->type, $keyTransportTypes, true)) {
        // generate a one-off content key and wrap it under the recipient's RSA key
        // NOTE(review): RSA_1_5 is accepted for compatibility; OAEP is the safer choice
        $contentKey = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
        $contentKey->generateSessionKey();
        $encryptor->encryptKey($key, $contentKey);
    } else {
        throw new Exception('Unknown key type for encryption: ' . $key->type);
    }

    $this->encryptedData = $encryptor->encryptNode($contentKey);
}
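/**
 * Add a UsernameToken to the Security header.
 *
 * The token carries Username, an optional Password (either clear text, or the
 * WS-Security PasswordDigest = Base64(SHA-1(nonce + created + password))), a random
 * Nonce (Base64) and the Created timestamp in UTC. With #PasswordText the password
 * crosses the wire in clear, so the transport must be TLS.
 *
 * Fixes: the Password element used to be filled with $userName instead of $password;
 * element text is now added via createTextNode() because createElementNS() does not
 * escape its value argument (a password containing '&' or '<' produced malformed XML);
 * a password of "0" is no longer treated as "no password".
 *
 * NOTE(review): Username/Password/Nonce are emitted in the wsu namespace (WSUNS); the
 * UsernameToken profile places them in wsse and only Created in wsu - confirm against
 * this WSSESoap's constants and the peer's expectations before changing.
 *
 * @param string      $userName
 * @param string|null $password       omitted from the token when NULL or ''
 * @param bool        $passwordDigest send the digest form instead of the clear password
 * @return DOMElement the created UsernameToken element
 * @throws Exception when a digest is requested without a password
 */
public function addUserToken($userName, $password = NULL, $passwordDigest = FALSE) {
    $hasPassword = ($password !== NULL && $password !== '');
    if ($passwordDigest && !$hasPassword) {
        throw new Exception("Cannot calculate the digest without a password");
    }
    $security = $this->locateSecurityHeader();

    $token = $this->SOAPDoc->createElementNS(WSSESoap::WSUNS, WSSESoap::WSUPFX . ':UsernameToken');
    $security->insertBefore($token, $security->firstChild);

    $username = $this->SOAPDoc->createElementNS(WSSESoap::WSUNS, WSSESoap::WSUPFX . ':Username');
    $username->appendChild($this->SOAPDoc->createTextNode($userName));
    $token->appendChild($username);

    /* Generate nonce - a 256 bit session key from the AES generator serves as random bytes */
    $objKey = new XMLSecurityKey(XMLSecurityKey::AES256_CBC);
    $nonce = $objKey->generateSessionKey();
    unset($objKey);

    $createdate = gmdate("Y-m-d\\TH:i:s") . 'Z';

    if ($hasPassword) {
        $passType = '#PasswordText';
        if ($passwordDigest) {
            /* the raw nonce bytes are hashed; only the Base64 form goes on the wire */
            $password = base64_encode(sha1($nonce . $createdate . $password, true));
            $passType = '#PasswordDigest';
        }
        $passwordNode = $this->SOAPDoc->createElementNS(WSSESoap::WSUNS, WSSESoap::WSUPFX . ':Password');
        $passwordNode->appendChild($this->SOAPDoc->createTextNode($password));
        $token->appendChild($passwordNode);
        $passwordNode->setAttribute('Type', $passType);
    }

    $nonceNode = $this->SOAPDoc->createElementNS(WSSESoap::WSUNS, WSSESoap::WSUPFX . ':Nonce', base64_encode($nonce));
    $token->appendChild($nonceNode);

    $created = $this->SOAPDoc->createElementNS(WSSESoap::WSUNS, WSSESoap::WSUPFX . ':Created', $createdate);
    $token->appendChild($created);

    return $token;
}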
/**
 * Build a SAML 2.0 LogoutResponse answering $logoutRequest, prepared for signing
 * with the test IdP's key.
 *
 * The IdP private key (RSA-SHA1) and certificate from the IdP metadata are attached
 * to the response object; the XML string returned is the toUnsignedXML() serialisation.
 * The SP's HTTP-Redirect SingleLogoutService location is returned as the target URL.
 *
 * @param mixed  $testrun          test-run handle passed through to log()
 * @param object $logoutRequest    incoming LogoutRequest (getRelayState(), getId())
 * @param string $logoutRelayState relay state echoed back in the result
 * @return array 'url', 'Response' (XML string), 'ResponseObj', 'RelayState'
 * @throws Exception when the IdP metadata yields no certificate
 */
protected function createLogoutResponse($testrun, $logoutRequest, $logoutRelayState) {
    $this->log($testrun, 'Creating response with relaystate [' . $logoutRelayState . ']');

    $idpMetadata = SimpleSAML_Configuration::loadFromArray($this->idpmetadata);
    $spMetadata  = SimpleSAML_Configuration::loadFromArray($this->metadata);

    // SP SingleLogoutService endpoint (HTTP-Redirect binding)
    $sloEndpoint = $spMetadata->getDefaultEndpoint('SingleLogoutService', array('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'));
    $sloUrl = $sloEndpoint['Location'];

    $response = sspmod_saml2_Message::buildLogoutResponse($idpMetadata, $spMetadata);
    $response->setRelayState($logoutRequest->getRelayState());
    $response->setInResponseTo($logoutRequest->getId());

    // IdP signing key (required) and certificate (optional at load time, checked below)
    $keyArray  = SimpleSAML_Utilities::loadPrivateKey($idpMetadata, TRUE);
    $certArray = SimpleSAML_Utilities::loadPublicKey($idpMetadata, FALSE);

    $privateKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
    $privateKey->loadKey($keyArray['PEM'], FALSE); // PEM text, not a file path
    $response->setSignatureKey($privateKey);

    if ($certArray === NULL) {
        throw new Exception('No certificates found. [1]');
    }
    if (!array_key_exists('PEM', $certArray)) {
        throw new Exception('No certificates found. [2]');
    }
    $response->setCertificates(array($certArray['PEM']));

    $responseElement = $response->toUnsignedXML();
    $responseXml = $responseElement->ownerDocument->saveXML($responseElement);

    return array(
        'url'         => $sloUrl,
        'Response'    => $responseXml,
        'ResponseObj' => $response,
        'RelayState'  => $logoutRelayState,
    );
}
/**
 * Fixture: the test IdP certificate and a Base64-encoded, signed SAML <ns0:Response>
 * captured on 2015-11-03 (the IssueInstant / NotOnOrAfter values are baked into the
 * payload, so any test that enforces validity windows has to freeze the clock).
 *
 * The certificate's encoded validity appears to run 2015-11-02 .. 2016-11-01 (from the
 * UTCTime fields in the DER); NOTE(review): loadKey() is not expected to check expiry,
 * so the fixture still verifies signatures - confirm if expiry handling is ever added.
 * The key is typed RSA_SHA1 to match the rsa-sha1 SignatureMethod inside the payload.
 */
public static function setUpBeforeClass() { $cert = "-----BEGIN CERTIFICATE-----\n" . "MIIDfjCCAmagAwIBAQICJxAwDQYJKoZIhvcNAQEFBQAwgYExCzAJBgNVBAYTAlVT\r\n" . "MRIwEAYDVQQIEwlMYXMgVmVnYXMxEjAQBgNVBAcTCUxhcyBWZWdhczEYMBYGA1UE\r\n" . "ChMPTGF1bmNoS2V5LCBJbmMuMRgwFgYDVQQLEw9MYXVuY2hLZXksIEluYy4xFjAU\r\n" . "BgNVBAMTDWxhdW5jaGtleS5jb20wHhcNMTUxMTAyMjMyNzQ5WhcNMTYxMTAxMjMy\r\n" . "NzQ5WjCBgTELMAkGA1UEBhMCVVMxEjAQBgNVBAgTCUxhcyBWZWdhczESMBAGA1UE\r\n" . "BxMJTGFzIFZlZ2FzMRgwFgYDVQQKEw9MYXVuY2hLZXksIEluYy4xGDAWBgNVBAsT\r\n" . "D0xhdW5jaEtleSwgSW5jLjEWMBQGA1UEAxMNbGF1bmNoa2V5LmNvbTCCASIwDQYJ\r\n" . "KoZIhvcNAQEBBQADggEPADCCAQoCggEBAN1Q3Og6izyf35UaeivS88Wlzjdz2yPm\r\n" . "juOge/awYJa8V2dED0oCjdAxex9Ak8lEE9naD6ZcuA0Kta5mHKk1ho5Z4aq1493w\r\n" . "HFbPbzVFldBAzFqig7m5/k1B/QY8w7CP1QG5aM9ebQeCJwdhz7UBmNQL2r2K02zn\r\n" . "2DFhEuus1YKM+pfSO2I+yTd/AyBtq4zu+LusibNoU9ADKQ3IoJtzyZ+CUuuOG3jz\r\n" . "Z+zwuzH/0hpuTs6TnBSAGYD1Xow2X7lULLzXwZ4R3SopTesncIbXLa2luTLQIody\r\n" . "uA/gSirbW7g02zQ8G3JcO+ce6UnusklzvdBPoJ2vttpDEsWlNqbSTWcCAwEAATAN\r\n" . "BgkqhkiG9w0BAQUFAAOCAQEARz9V7cBG2et/741mdtbspQTN4HF0hUp3NEJzBrP/\r\n" . "YtdMYIVAUh2sc3sf/oiakLgqYBA78rSk9CbNlv4EJ/FEC/5X3l1o9h5dFLXt40LL\r\n" . "4I+ijYY3BlsgRL9K2CNYRCq1bJX8xlcY0hVqqsZipzR4zeyqQVMLXH/zSScTrF5j\r\n" . "b5KQcYFiRP7AF30OtGoZxhnsDUcErhdWY5lGvaSex6LsOC2UGtmwK3FWu+NMDzL0\r\n" . "+ovdBGpsmDp3IN1AKwd9/6EQ3XbQPyXoXpW0TCBzs/OxGqnhiJD9rROCtVl1SJze\r\n" . "LWllWSmosQFhsXwSO5ZlnechO+SMaxN7OrV7POOv8aRcpQ==\r\n" . "-----END CERTIFICATE-----\n";
    /* loadKey(PEM string, isFile = false, isCert = true): the RSA public key is extracted from the certificate */
    static::$key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'public')); static::$key->loadKey($cert, false, true);
    /* Base64 of the signed <ns0:Response> (exc-c14n, rsa-sha1, sha1 digest), assertion included */
    static::$response_data = "PG5zMDpSZXNwb25zZSB4bWxuczpuczA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2Nv" . "bCIgeG1sbnM6bnMxPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiB4bWxuczp" . "uczI9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiIHhtbG5zOnhzaT0iaHR0cDovL3" . "d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIERlc3RpbmF0aW9uPSJodHRwOi8vMTI3L" . 
"jAuMC4xOjgwODAvYWNzL3Bvc3QiIElEPSJpZC0yZmRhNGZmOTlmZjBkMjZhNDg3MjI1OGY0ODk1ZDU4" . "NSIgSXNzdWVJbnN0YW50PSIyMDE1LTExLTAzVDIyOjQyOjI0WiIgVmVyc2lvbj0iMi4wIj48bnMxOkl" . "zc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudG" . "l0eSI+bGF1bmNoa2V5LmNvbTwvbnMxOklzc3Vlcj48bnMyOlNpZ25hdHVyZSB4bWxuczpuczI9Imh0d" . "HA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxuczI6U2lnbmVkSW5mbz48bnMyOkNhbm9u" . "aWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1" . "leGMtYzE0biMiLz48bnMyOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3" . "JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxuczI6UmVmZXJlbmNlIFVSST0iI2lkLTJmZGE0Z" . "mY5OWZmMGQyNmE0ODcyMjU4ZjQ4OTVkNTg1Ij48bnMyOlRyYW5zZm9ybXM+PG5zMjpUcmFuc2Zvcm0g" . "QWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25" . "hdHVyZSIvPjxuczI6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC" . "94bWwtZXhjLWMxNG4jIi8+PC9uczI6VHJhbnNmb3Jtcz48bnMyOkRpZ2VzdE1ldGhvZCBBbGdvcml0a" . "G09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PG5zMjpEaWdlc3RWYWx1" . "ZT5qb1dqNDRmMUZUN3Jwd1p3enBJbjE2RjMzdk09PC9uczI6RGlnZXN0VmFsdWU+PC9uczI6UmVmZXJ" . "lbmNlPjwvbnMyOlNpZ25lZEluZm8+PG5zMjpTaWduYXR1cmVWYWx1ZT5SUm5Jc091UFlDenVxcG9tMl" . "BsZjVGRG1tKzlDc1gxY2FUK0JUN01KVzRnMW1idU1sN0VMRyt4d0hmS21YMUpNCndoRnFwYUU0Snd1a" . "GhQK0Z5OE5ob3E4cWZjekNBU05STnovMHVsYk9KMlZUcmhubXI0TFExUnNuaHMwL2hGckcKKzVxaVl1" . "b0NVbmhHRlcwL1l3emF5VXlKS3pkOU0yNkhmR0pzUkNOS0tDM3dxTVhlWGNXRTB0MkxTeEdvQXNocAp" . "FYzhLMzRHK21IWWRDYUgxQnNpMldma3BpWWo0WE12RUFtSEVtUE1WSmRzc21LUmhWYmVqVnNobW53SX" . "Izck5LCmJXZW9naHc1cnNkN0NXZjVTL1FiVlUvbmtyMVBjeUozR292NUpQRkpjS2xpMDZBQTViWlVBS" . "GU1YkxvTTNnc2oKMEZNVDV0SnhQU1hRbFlJcU4yRldiUT09PC9uczI6U2lnbmF0dXJlVmFsdWU+PG5z" . "MjpLZXlJbmZvPjxuczI6WDUwOURhdGE+PG5zMjpYNTA5Q2VydGlmaWNhdGU+TUlJRGZqQ0NBbWFnQXd" . "JQkFRSUNKeEF3RFFZSktvWklodmNOQVFFRkJRQXdnWUV4Q3pBSkJnTlZCQVlUQWxWVE1SSXdFQVlEVl" . 
"FRSUV3bE1ZWE1nVm1WbllYTXhFakFRQmdOVkJBY1RDVXhoY3lCV1pXZGhjekVZTUJZR0ExVUVDaE1QV" . "EdGMWJtTm9TMlY1TENCSmJtTXVNUmd3RmdZRFZRUUxFdzlNWVhWdVkyaExaWGtzSUVsdVl5NHhGakFV" . "QmdOVkJBTVREV3hoZFc1amFHdGxlUzVqYjIwd0hoY05NVFV4TVRBeU1qTXlOelE1V2hjTk1UWXhNVEF" . "4TWpNeU56UTVXakNCZ1RFTE1Ba0dBMVVFQmhNQ1ZWTXhFakFRQmdOVkJBZ1RDVXhoY3lCV1pXZGhjek" . "VTTUJBR0ExVUVCeE1KVEdGeklGWmxaMkZ6TVJnd0ZnWURWUVFLRXc5TVlYVnVZMmhMWlhrc0lFbHVZe" . "TR4R0RBV0JnTlZCQXNURDB4aGRXNWphRXRsZVN3Z1NXNWpMakVXTUJRR0ExVUVBeE1OYkdGMWJtTm9h" . "MlY1TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU4xUTNPZzZ" . "penlmMzVVYWVpdlM4OFdsempkejJ5UG1qdU9nZS9hd1lKYThWMmRFRDBvQ2pkQXhleDlBazhsRUU5bm" . "FENlpjdUEwS3RhNW1IS2sxaG81WjRhcTE0OTN3SEZiUGJ6VkZsZEJBekZxaWc3bTUvazFCL1FZOHc3Q" . "1AxUUc1YU05ZWJRZUNKd2RoejdVQm1OUUwycjJLMDJ6bjJERmhFdXVzMVlLTStwZlNPMkkreVRkL0F5" . "QnRxNHp1K0x1c2liTm9VOUFES1EzSW9KdHp5WitDVXV1T0czanpaK3p3dXpILzBocHVUczZUbkJTQUd" . "ZRDFYb3cyWDdsVUxMelh3WjRSM1NvcFRlc25jSWJYTGEybHVUTFFJb2R5dUEvZ1NpcmJXN2cwMnpROE" . "czSmNPK2NlNlVudXNrbHp2ZEJQb0oydnR0cERFc1dsTnFiU1RXY0NBd0VBQVRBTkJna3Foa2lHOXcwQ" . "kFRVUZBQU9DQVFFQVJ6OVY3Y0JHMmV0Lzc0MW1kdGJzcFFUTjRIRjBoVXAzTkVKekJyUC9ZdGRNWUlW" . "QVVoMnNjM3NmL29pYWtMZ3FZQkE3OHJTazlDYk5sdjRFSi9GRUMvNVgzbDFvOWg1ZEZMWHQ0MExMNEk" . "raWpZWTNCbHNnUkw5SzJDTllSQ3ExYkpYOHhsY1kwaFZxcXNaaXB6UjR6ZXlxUVZNTFhIL3pTU2NUck" . "Y1amI1S1FjWUZpUlA3QUYzME90R29aeGhuc0RVY0VyaGRXWTVsR3ZhU2V4NkxzT0MyVUd0bXdLM0ZXd" . "StOTUR6TDArb3ZkQkdwc21EcDNJTjFBS3dkOS82RVEzWGJRUHlYb1hwVzBUQ0J6cy9PeEdxbmhpSkQ5" . "clJPQ3RWbDFTSnplTFdsbFdTbW9zUUZoc1h3U081WmxuZWNoTytTTWF4TjdPclY3UE9PdjhhUmNwUT0" . "9PC9uczI6WDUwOUNlcnRpZmljYXRlPjwvbnMyOlg1MDlEYXRhPjwvbnMyOktleUluZm8+PC9uczI6U2" . "lnbmF0dXJlPjxuczA6U3RhdHVzPjxuczA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzO" . "nRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9uczA6U3RhdHVzPjxuczE6QXNzZXJ0aW9uIElE" . "PSJpZC05NmJhMjg4MTYxNmM5ODEyNGY2MmZhMWJjM2ExNGM0ZCIgSXNzdWVJbnN0YW50PSIyMDE1LTE" . 
"xLTAzVDIyOjQyOjI0WiIgVmVyc2lvbj0iMi4wIj48bnMxOklzc3VlciBGb3JtYXQ9InVybjpvYXNpcz" . "puYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI+bGF1bmNoa2V5LmNvbTwvbnMxO" . "klzc3Vlcj48bnMyOlNpZ25hdHVyZSB4bWxuczpuczI9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkv" . "eG1sZHNpZyMiPjxuczI6U2lnbmVkSW5mbz48bnMyOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3J" . "pdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48bnMyOlNpZ25hdH" . "VyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc" . "2hhMSIvPjxuczI6UmVmZXJlbmNlIFVSST0iI2lkLTk2YmEyODgxNjE2Yzk4MTI0ZjYyZmExYmMzYTE0" . "YzRkIj48bnMyOlRyYW5zZm9ybXM+PG5zMjpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3Lnc" . "zLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxuczI6VHJhbnNmb3JtIE" . "FsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9uczI6V" . "HJhbnNmb3Jtcz48bnMyOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIw" . "MDAvMDkveG1sZHNpZyNzaGExIi8+PG5zMjpEaWdlc3RWYWx1ZT5MK1NJN0VvMklaanZrMElYQnFvbXh" . "ieEx5Yk09PC9uczI6RGlnZXN0VmFsdWU+PC9uczI6UmVmZXJlbmNlPjwvbnMyOlNpZ25lZEluZm8+PG" . "5zMjpTaWduYXR1cmVWYWx1ZT5wa25paTA3NGdBWlZnbG1MMk1ZbEEyZ2lyOGZzdzBIbWtyWXlUVFNmM" . "0dzRUZqRmhiby9BK0piM2dHQS9vRjY5CmxSWHgzU29MeklHdlo1c0lMaVR3aW1qek1ETmEzMWJpb2NF" . "ckpqajFzMURKVDJTeHNMdFd2L0JKd1JmeE1Rb3AKeHMyZ1JWcmhNTmlWTEtwcytFTit4Sk54MGVrTDh" . "Bc1YwYWdrZ0Z0dStQY294N0tRbnBIRmhyM0FuaVN1NExNWApWVVk3S001bkhjUksyK0lFckRVelB2Ri" . "8yQkQ0ZFFad0MzTUlWUjM3R0laU1l4d1hrWXZ3amhVcWZ3YlRRQ0VBCkxKTEp2WFVNdWtkQnhOOEorN" . "mRxZDN6L0dHRFpZaHRLS21vVUNHSVpQUzZIUEVrZUZCbkRrVkxGZEVlMEY1a1QKMDRjb2ZqZHZ4NTha" . "SEhBMzhmbjhTUT09PC9uczI6U2lnbmF0dXJlVmFsdWU+PG5zMjpLZXlJbmZvPjxuczI6WDUwOURhdGE" . "+PG5zMjpYNTA5Q2VydGlmaWNhdGU+TUlJRGZqQ0NBbWFnQXdJQkFRSUNKeEF3RFFZSktvWklodmNOQV" . "FFRkJRQXdnWUV4Q3pBSkJnTlZCQVlUQWxWVE1SSXdFQVlEVlFRSUV3bE1ZWE1nVm1WbllYTXhFakFRQ" . "mdOVkJBY1RDVXhoY3lCV1pXZGhjekVZTUJZR0ExVUVDaE1QVEdGMWJtTm9TMlY1TENCSmJtTXVNUmd3" . 
"RmdZRFZRUUxFdzlNWVhWdVkyaExaWGtzSUVsdVl5NHhGakFVQmdOVkJBTVREV3hoZFc1amFHdGxlUzV" . "qYjIwd0hoY05NVFV4TVRBeU1qTXlOelE1V2hjTk1UWXhNVEF4TWpNeU56UTVXakNCZ1RFTE1Ba0dBMV" . "VFQmhNQ1ZWTXhFakFRQmdOVkJBZ1RDVXhoY3lCV1pXZGhjekVTTUJBR0ExVUVCeE1KVEdGeklGWmxaM" . "kZ6TVJnd0ZnWURWUVFLRXc5TVlYVnVZMmhMWlhrc0lFbHVZeTR4R0RBV0JnTlZCQXNURDB4aGRXNWph" . "RXRsZVN3Z1NXNWpMakVXTUJRR0ExVUVBeE1OYkdGMWJtTm9hMlY1TG1OdmJUQ0NBU0l3RFFZSktvWkl" . "odmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU4xUTNPZzZpenlmMzVVYWVpdlM4OFdsempkejJ5UG" . "1qdU9nZS9hd1lKYThWMmRFRDBvQ2pkQXhleDlBazhsRUU5bmFENlpjdUEwS3RhNW1IS2sxaG81WjRhc" . "TE0OTN3SEZiUGJ6VkZsZEJBekZxaWc3bTUvazFCL1FZOHc3Q1AxUUc1YU05ZWJRZUNKd2RoejdVQm1O" . "UUwycjJLMDJ6bjJERmhFdXVzMVlLTStwZlNPMkkreVRkL0F5QnRxNHp1K0x1c2liTm9VOUFES1EzSW9" . "KdHp5WitDVXV1T0czanpaK3p3dXpILzBocHVUczZUbkJTQUdZRDFYb3cyWDdsVUxMelh3WjRSM1NvcF" . "Rlc25jSWJYTGEybHVUTFFJb2R5dUEvZ1NpcmJXN2cwMnpROEczSmNPK2NlNlVudXNrbHp2ZEJQb0oyd" . "nR0cERFc1dsTnFiU1RXY0NBd0VBQVRBTkJna3Foa2lHOXcwQkFRVUZBQU9DQVFFQVJ6OVY3Y0JHMmV0" . "Lzc0MW1kdGJzcFFUTjRIRjBoVXAzTkVKekJyUC9ZdGRNWUlWQVVoMnNjM3NmL29pYWtMZ3FZQkE3OHJ" . "TazlDYk5sdjRFSi9GRUMvNVgzbDFvOWg1ZEZMWHQ0MExMNEkraWpZWTNCbHNnUkw5SzJDTllSQ3ExYk" . "pYOHhsY1kwaFZxcXNaaXB6UjR6ZXlxUVZNTFhIL3pTU2NUckY1amI1S1FjWUZpUlA3QUYzME90R29ae" . "Ghuc0RVY0VyaGRXWTVsR3ZhU2V4NkxzT0MyVUd0bXdLM0ZXdStOTUR6TDArb3ZkQkdwc21EcDNJTjFB" . "S3dkOS82RVEzWGJRUHlYb1hwVzBUQ0J6cy9PeEdxbmhpSkQ5clJPQ3RWbDFTSnplTFdsbFdTbW9zUUZ" . "oc1h3U081WmxuZWNoTytTTWF4TjdPclY3UE9PdjhhUmNwUT09PC9uczI6WDUwOUNlcnRpZmljYXRlPj" . "wvbnMyOlg1MDlEYXRhPjwvbnMyOktleUluZm8+PC9uczI6U2lnbmF0dXJlPjxuczE6U3ViamVjdD48b" . "nMxOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0" . "OmVtYWlsQWRkcmVzcyI+dGVzdGVtYWlsQHRlc3RtZS5vcmc8L25zMTpOYW1lSUQ+PG5zMTpTdWJqZWN" . "0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlci" . "I+PG5zMTpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMTUtMTEtMDNUMjI6N" . 
"Tc6MjRaIiBSZWNpcGllbnQ9Imh0dHA6Ly8xMjcuMC4wLjE6ODA4MC9hY3MvcG9zdCIvPjwvbnMxOlN1" . "YmplY3RDb25maXJtYXRpb24+PC9uczE6U3ViamVjdD48bnMxOkNvbmRpdGlvbnMgTm90QmVmb3JlPSI" . "yMDE1LTExLTAzVDIyOjQyOjI0WiIgTm90T25PckFmdGVyPSIyMDE1LTExLTAzVDIyOjU3OjI0WiI+PG" . "5zMTpBdWRpZW5jZVJlc3RyaWN0aW9uPjxuczE6QXVkaWVuY2U+dGVzdC1zc288L25zMTpBdWRpZW5jZ" . "T48L25zMTpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvbnMxOkNvbmRpdGlvbnM+PG5zMTpBdXRoblN0YXRl" . "bWVudCBBdXRobkluc3RhbnQ9IjIwMTUtMTEtMDNUMjI6NDI6MjRaIiBTZXNzaW9uSW5kZXg9ImlkLWI" . "0MzczYzg3YTZmMThmOTc4NjJjOTMxNzQ0ZmQ3OTlmIj48bnMxOkF1dGhuQ29udGV4dD48bnMxOkF1dG" . "huQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOnVuc" . "3BlY2lmaWVkPC9uczE6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PG5zMTpBdXRoZW50aWNhdGluZ0F1dGhv" . "cml0eT5odHRwczovL3NhbWwubGF1bmNoa2V5LmNvbS9pZHAueG1sPC9uczE6QXV0aGVudGljYXRpbmd" . "BdXRob3JpdHk+PC9uczE6QXV0aG5Db250ZXh0PjwvbnMxOkF1dGhuU3RhdGVtZW50PjxuczE6QXR0cm" . "lidXRlU3RhdGVtZW50PjxuczE6QXR0cmlidXRlIE5hbWU9ImFrZXkiIE5hbWVGb3JtYXQ9InVybjpvY" . "XNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48bnMxOkF0dHJpYnV0ZVZh" . "bHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPmF2YWx1ZTwvbnMxOkF0dHJpYnV0ZVZhbHVlPjwvbnMxOkF" . "0dHJpYnV0ZT48L25zMTpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9uczE6QXNzZXJ0aW9uPjwvbnMwOlJlc3" . "BvbnNlPg=="; }
/**
 * Fixture: the test IdP certificate and a Base64-encoded, signed SAML <ns0:LogoutRequest>
 * captured on 2015-11-13 (IssueInstant / NotOnOrAfter are fixed inside the payload, so
 * tests that enforce the validity window have to freeze the clock).
 *
 * Same certificate as the Response fixture; its encoded validity appears to run
 * 2015-11-02 .. 2016-11-01. NOTE(review): loadKey() is not expected to check expiry,
 * so signatures still verify - confirm if expiry handling is ever added.
 * The key is typed RSA_SHA1 to match the rsa-sha1 SignatureMethod inside the payload.
 */
public static function setUpBeforeClass() { $cert = "-----BEGIN CERTIFICATE-----\n" . "MIIDfjCCAmagAwIBAQICJxAwDQYJKoZIhvcNAQEFBQAwgYExCzAJBgNVBAYTAlVT\r\n" . "MRIwEAYDVQQIEwlMYXMgVmVnYXMxEjAQBgNVBAcTCUxhcyBWZWdhczEYMBYGA1UE\r\n" . "ChMPTGF1bmNoS2V5LCBJbmMuMRgwFgYDVQQLEw9MYXVuY2hLZXksIEluYy4xFjAU\r\n" . "BgNVBAMTDWxhdW5jaGtleS5jb20wHhcNMTUxMTAyMjMyNzQ5WhcNMTYxMTAxMjMy\r\n" . "NzQ5WjCBgTELMAkGA1UEBhMCVVMxEjAQBgNVBAgTCUxhcyBWZWdhczESMBAGA1UE\r\n" . "BxMJTGFzIFZlZ2FzMRgwFgYDVQQKEw9MYXVuY2hLZXksIEluYy4xGDAWBgNVBAsT\r\n" . "D0xhdW5jaEtleSwgSW5jLjEWMBQGA1UEAxMNbGF1bmNoa2V5LmNvbTCCASIwDQYJ\r\n" . "KoZIhvcNAQEBBQADggEPADCCAQoCggEBAN1Q3Og6izyf35UaeivS88Wlzjdz2yPm\r\n" . "juOge/awYJa8V2dED0oCjdAxex9Ak8lEE9naD6ZcuA0Kta5mHKk1ho5Z4aq1493w\r\n" . "HFbPbzVFldBAzFqig7m5/k1B/QY8w7CP1QG5aM9ebQeCJwdhz7UBmNQL2r2K02zn\r\n" . "2DFhEuus1YKM+pfSO2I+yTd/AyBtq4zu+LusibNoU9ADKQ3IoJtzyZ+CUuuOG3jz\r\n" . "Z+zwuzH/0hpuTs6TnBSAGYD1Xow2X7lULLzXwZ4R3SopTesncIbXLa2luTLQIody\r\n" . "uA/gSirbW7g02zQ8G3JcO+ce6UnusklzvdBPoJ2vttpDEsWlNqbSTWcCAwEAATAN\r\n" . "BgkqhkiG9w0BAQUFAAOCAQEARz9V7cBG2et/741mdtbspQTN4HF0hUp3NEJzBrP/\r\n" . "YtdMYIVAUh2sc3sf/oiakLgqYBA78rSk9CbNlv4EJ/FEC/5X3l1o9h5dFLXt40LL\r\n" . "4I+ijYY3BlsgRL9K2CNYRCq1bJX8xlcY0hVqqsZipzR4zeyqQVMLXH/zSScTrF5j\r\n" . "b5KQcYFiRP7AF30OtGoZxhnsDUcErhdWY5lGvaSex6LsOC2UGtmwK3FWu+NMDzL0\r\n" . "+ovdBGpsmDp3IN1AKwd9/6EQ3XbQPyXoXpW0TCBzs/OxGqnhiJD9rROCtVl1SJze\r\n" . "LWllWSmosQFhsXwSO5ZlnechO+SMaxN7OrV7POOv8aRcpQ==\r\n" . "-----END CERTIFICATE-----\n";
    /* loadKey(PEM string, isFile = false, isCert = true): the RSA public key is extracted from the certificate */
    static::$key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'public')); static::$key->loadKey($cert, false, true);
    /* Base64 of the signed <ns0:LogoutRequest> (exc-c14n, rsa-sha1, sha1 digest) */
    static::$request_data = "PG5zMDpMb2dvdXRSZXF1ZXN0IHhtbG5zOm5zMD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3R" . "vY29sIiB4bWxuczpuczE9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOm" . "5zMj0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyIgRGVzdGluYXRpb249Imh0dHA6Ly8xO" . "TIuMTY4LjIuOTU6ODA4MC9zbG8vcG9zdCIgSUQ9ImlkLThjMjg1MjJiZDRhMDA0ZjBlOGUxODMyYjQwNThk" . 
"NjJjIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMTEtMTNUMjI6MzI6MjdaIiBOb3RPbk9yQWZ0ZXI9IjIwMTUtMTE" . "tMTNUMjI6NDc6MjdaIiBWZXJzaW9uPSIyLjAiPjxuczE6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbW" . "VzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij5sYXVuY2hrZXkuY29tPC9uczE6SXNzdWVyP" . "jxuczI6U2lnbmF0dXJlIHhtbG5zOm5zMj0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+" . "PG5zMjpTaWduZWRJbmZvPjxuczI6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly9" . "3d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxuczI6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaX" . "RobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+PG5zMjpSZWZlcmVuY" . "2UgVVJJPSIjaWQtOGMyODUyMmJkNGEwMDRmMGU4ZTE4MzJiNDA1OGQ2MmMiPjxuczI6VHJhbnNmb3Jtcz48" . "bnMyOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZ" . "lbG9wZWQtc2lnbmF0dXJlIi8+PG5zMjpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy" . "8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L25zMjpUcmFuc2Zvcm1zPjxuczI6RGlnZXN0TWV0aG9kIEFsZ" . "29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48bnMyOkRpZ2VzdFZh" . "bHVlPjR0S01BRHZtYTJ6a0dpa3FraHVnZzNnU00ydz08L25zMjpEaWdlc3RWYWx1ZT48L25zMjpSZWZlcmV" . "uY2U+PC9uczI6U2lnbmVkSW5mbz48bnMyOlNpZ25hdHVyZVZhbHVlPll4cmZtdG9YNHFRNktZeG5NQnVwWV" . "V1ejNmNyt2VDR0SVlWQmg5MUFhbFN5MkxVeDZsZ2R1RGVlTVpJbmJWeU8KdjV4aHRVWGtLaXB5eVlDTDBvV" . "E1RcTZUMkxMdHA0cDNhc0ZmbVhST05OUXZrbVlqVUNHZnI3Q2FubWVIZmJTegpnR3M3MVBVaUZWY2RuQWdn" . "QzU0MzZHeTV2TEZtQWRUNTB4Qkw4KzJ0dzNXbjVzcHlSczlMK2s3eEltSGdsU1NrCkRkSzBFYnl3V09TVWQ" . "zVVdHMnFvcVlldm5tZjJ3cVk3eEw3bmtxQ00rbVQ4TnRqY2dVTkRnTHpxMDV1TzVtZ00Kc2pNZTdqMzVhNn" . "lFSksrNE10ck1LYmp1RVRmRTFOMHRhaWplRVVjMEozenpoNEFnQUlwL0xzeXYzUklxTWhhSQowRFNIYk9qb" . "nRGeGJ0azFodWs4QVV3PT08L25zMjpTaWduYXR1cmVWYWx1ZT48bnMyOktleUluZm8+PG5zMjpYNTA5RGF0" . "YT48bnMyOlg1MDlDZXJ0aWZpY2F0ZT5NSUlEZmpDQ0FtYWdBd0lCQVFJQ0p4QXdEUVlKS29aSWh2Y05BUUV" . "GQlFBd2dZRXhDekFKQmdOVkJBWVRBbFZUTVJJd0VBWURWUVFJRXdsTVlYTWdWbVZuWVhNeEVqQVFCZ05WQk" . 
"FjVENVeGhjeUJXWldkaGN6RVlNQllHQTFVRUNoTVBUR0YxYm1Ob1MyVjVMQ0JKYm1NdU1SZ3dGZ1lEVlFRT" . "EV3OU1ZWFZ1WTJoTFpYa3NJRWx1WXk0eEZqQVVCZ05WQkFNVERXeGhkVzVqYUd0bGVTNWpiMjB3SGhjTk1U" . "VXhNVEF5TWpNeU56UTVXaGNOTVRZeE1UQXhNak15TnpRNVdqQ0JnVEVMTUFrR0ExVUVCaE1DVlZNeEVqQVF" . "CZ05WQkFnVENVeGhjeUJXWldkaGN6RVNNQkFHQTFVRUJ4TUpUR0Z6SUZabFoyRnpNUmd3RmdZRFZRUUtFdz" . "lNWVhWdVkyaExaWGtzSUVsdVl5NHhHREFXQmdOVkJBc1REMHhoZFc1amFFdGxlU3dnU1c1akxqRVdNQlFHQ" . "TFVRUF4TU5iR0YxYm1Ob2EyVjVMbU52YlRDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFv" . "Q2dnRUJBTjFRM09nNml6eWYzNVVhZWl2Uzg4V2x6amR6MnlQbWp1T2dlL2F3WUphOFYyZEVEMG9DamRBeGV" . "4OUFrOGxFRTluYUQ2WmN1QTBLdGE1bUhLazFobzVaNGFxMTQ5M3dIRmJQYnpWRmxkQkF6RnFpZzdtNS9rMU" . "IvUVk4dzdDUDFRRzVhTTllYlFlQ0p3ZGh6N1VCbU5RTDJyMkswMnpuMkRGaEV1dXMxWUtNK3BmU08ySSt5V" . "GQvQXlCdHE0enUrTHVzaWJOb1U5QURLUTNJb0p0enlaK0NVdXVPRzNqelorend1ekgvMGhwdVRzNlRuQlNB" . "R1lEMVhvdzJYN2xVTEx6WHdaNFIzU29wVGVzbmNJYlhMYTJsdVRMUUlvZHl1QS9nU2lyYlc3ZzAyelE4RzN" . "KY08rY2U2VW51c2tsenZkQlBvSjJ2dHRwREVzV2xOcWJTVFdjQ0F3RUFBVEFOQmdrcWhraUc5dzBCQVFVRk" . "FBT0NBUUVBUno5VjdjQkcyZXQvNzQxbWR0YnNwUVRONEhGMGhVcDNORUp6QnJQL1l0ZE1ZSVZBVWgyc2Mzc" . "2Yvb2lha0xncVlCQTc4clNrOUNiTmx2NEVKL0ZFQy81WDNsMW85aDVkRkxYdDQwTEw0SStpallZM0Jsc2dS" . "TDlLMkNOWVJDcTFiSlg4eGxjWTBoVnFxc1ppcHpSNHpleXFRVk1MWEgvelNTY1RyRjVqYjVLUWNZRmlSUDd" . "BRjMwT3RHb1p4aG5zRFVjRXJoZFdZNWxHdmFTZXg2THNPQzJVR3Rtd0szRld1K05NRHpMMCtvdmRCR3BzbU" . "RwM0lOMUFLd2Q5LzZFUTNYYlFQeVhvWHBXMFRDQnpzL094R3FuaGlKRDlyUk9DdFZsMVNKemVMV2xsV1Ntb" . "3NRRmhzWHdTTzVabG5lY2hPK1NNYXhON09yVjdQT092OGFSY3BRPT08L25zMjpYNTA5Q2VydGlmaWNhdGU+" . "PC9uczI6WDUwOURhdGE+PC9uczI6S2V5SW5mbz48L25zMjpTaWduYXR1cmU+PG5zMTpOYW1lSUQ+dGVzdGV" . "tYWlsQHRlc3RtZS5vcmc8L25zMTpOYW1lSUQ+PG5zMDpTZXNzaW9uSW5kZXg+aWQtMDcyNjAyMjVmZTdkMW" . "UyZWU4Zjg4Njg0NmNjNDBhZmE8L25zMDpTZXNzaW9uSW5kZXg+PC9uczA6TG9nb3V0UmVxdWVzdD4="; }
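/**
 * Enveloped-sign the XML in $src_file with the local private key and write the
 * signed document to $target_file (any existing target is removed first).
 *
 * Globals read: $src_file, $target_file, $user_cert_file_path. $user_pubkey_file_path is
 * declared in the global list but not used here.
 *
 * Fixes: add509Cert() expects the PEM text, not a path (the commented-out original
 * called file_get_contents() first) - the certificate file is now read and its content
 * passed; require_once so a second call does not redeclare xmlseclibs' classes.
 *
 * NOTE(review): the document is signed with the placeholder privkey.pem while the
 * attached X509Certificate is the user's. Unless the two correspond, a verifier that
 * takes the key from the embedded certificate will reject the signature; the original
 * comment says the placeholder key is to be replaced by the one from the card.
 *
 * @return void
 */
function processDocument() {
    global $src_file, $target_file, $user_pubkey_file_path, $user_cert_file_path;
    require_once dirname(__FILE__) . '/xmlseclibs.php';

    if (file_exists($target_file)) {
        unlink($target_file);
    }

    $doc = new DOMDocument();
    $doc->load($src_file);

    $objDSig = new XMLSecurityDSig();
    $objDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    /* SHA-1 digest + RSA-SHA1 signature kept for compatibility; prefer SHA256 / RSA_SHA256 where verifiers allow */
    $objDSig->addReference($doc, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'));

    /* A private key is needed to carry out the process. For now any key is used;
     * it is to be replaced later with the one from the card. */
    $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
    /* if key has Passphrase, set it using $objKey->passphrase = <passphrase> */
    $objKey->loadKey(dirname(__FILE__) . '/privkey.pem', TRUE);
    $objDSig->sign($objKey);

    /* Add the user's certificate (best effort, as before: a missing/unreadable file is
     * reported and the document is still signed without a KeyInfo certificate). */
    if (!file_exists($user_cert_file_path)) {
        debug('File not found', $user_cert_file_path);
    } else {
        $certPem = file_get_contents($user_cert_file_path);
        if ($certPem === FALSE) {
            debug('File not readable', $user_cert_file_path);
        } else {
            $objDSig->add509Cert($certPem);
        }
    }

    $objDSig->appendSignature($doc->documentElement);
    $doc->save($target_file);
}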
/**
 * The SHA-1 thumbprint of mycert.pem must match the known value, both as the
 * hex string getX509Thumbprint() returns and as the Base64 encoding of that hex.
 */
public function testThumbPrint() {
    $certPath = dirname(__FILE__) . '/../mycert.pem';

    // public key taken from an X.509 certificate file (isFile = true, isCert = true)
    $certKey = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, array('type' => 'public'));
    $certKey->loadKey($certPath, true, true);

    $expectedHex = '8b600d9155e8e8dfa3c10998f736be086e83ef3b';
    $actualHex = $certKey->getX509Thumbprint();

    $this->assertEquals($expectedHex, $actualHex, "Thumbprint doesn't match");
    $this->assertEquals('OGI2MDBkOTE1NWU4ZThkZmEzYzEwOTk4ZjczNmJlMDg2ZTgzZWYzYg==', base64_encode($actualHex), "Base64 Thumbprint doesn't match");
}
/**
 * Wrap a SAML2_Certificate_PrivateKey in an XMLSecurityKey typed for RSA key transport.
 *
 * The key is created with type RSA_1_5 (PKCS#1 v1.5); presumably the caller re-casts it
 * to whatever algorithm the EncryptedKey actually names. NOTE(review): PKCS#1 v1.5
 * decryption is the padding-oracle-prone variant - prefer RSA_OAEP_MGF1P where the
 * peer supports it.
 *
 * @param SAML2_Certificate_PrivateKey $privateKey
 *
 * @return XMLSecurityKey
 * @throws Exception propagated from loadKey() when the key material is unusable
 */
private function convertPrivateKeyToRsaKey(SAML2_Certificate_PrivateKey $privateKey) {
    $rsaKey = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type' => 'private'));

    // only set a passphrase when there is one; NULL/'' means an unencrypted key
    $passphrase = $privateKey->getPassphrase();
    if ($passphrase) {
        $rsaKey->passphrase = $passphrase;
    }

    // PEM text, not a file path
    $rsaKey->loadKey($privateKey->getKeyAsString());

    return $rsaKey;
}
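/**
 * Sign an outgoing Webpay SOAP request and return the reply.
 *
 * NOTE(review): the caller-supplied $location is discarded and replaced by a
 * hard-coded IP:port URL (with "?wsdl" appended). The original comment (Spanish) says:
 * "this thing is weird, it does not pass the wsdl and changes the port". Pinning a bare
 * IP defeats TLS hostname verification unless the server certificate carries that IP as
 * a SAN - confirm SoapClient's stream context still verifies the peer, and move the
 * endpoint into configuration rather than code.
 *
 * Cleanup: an AES-256 session key that was generated but never used, and a large
 * commented-out copy of this function, have been removed. A reply that is empty or not
 * XML is returned unchanged so SoapClient can raise its own SoapFault.
 *
 * @param string $request
 * @param string $location ignored - see note above
 * @param string $saction
 * @param int    $version
 * @return string|null reply re-serialised through DOMDocument, or the raw reply
 */
function __doRequest($request, $location, $saction, $version) {
    $doc = new DOMDocument('1.0');
    $doc->loadXML($request);
    $objWSSE = new WSSESoap($doc);

    /* RSA-SHA1 signature (prefer RSA_SHA256 where the service accepts it); PRIVATE_KEY is a path */
    $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
    $objKey->loadKey(PRIVATE_KEY, TRUE);
    $objWSSE->signSoapDoc($objKey, array("insertBefore" => TRUE));
    /* KeyInfo identifies the signing certificate by issuer/serial instead of embedding it */
    $objWSSE->addIssuerSerial(CERT_FILE);

    /* Endpoint override - see the review note in the docblock */
    $location = "https://201.238.207.130:7200/WSWebpayTransaction/cxf/WSWebpayService?wsdl";

    $retVal = parent::__doRequest($objWSSE->saveXML(), $location, $saction, $version);

    if (!is_string($retVal) || $retVal === '') {
        return $retVal;
    }
    $reply = new DOMDocument();
    if (!$reply->loadXML($retVal)) {
        return $retVal;
    }
    return $reply->saveXML();
}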
/**
 * Build a signed AuthnRequest from the sample SP/IdP entity descriptors.
 *
 * The request is signed with the sample RSA key (saml.pem, read from file, RSA-SHA1)
 * and carries the matching sample certificate (saml.crt); the relay state comes from
 * $this->relayState.
 *
 * @return \AerialShip\LightSaml\Model\Protocol\AuthnRequest
 */
protected function getRequest() {
    $sampleDir = __DIR__ . '/../../../../../resources/sample';

    $request = CommonHelper::buildAuthnRequestFromEntityDescriptors(
        $sampleDir . '/EntityDescriptor/sp-ed2.xml',
        $sampleDir . '/EntityDescriptor/idp2-ed.xml'
    );

    $signingCert = new X509Certificate();
    $signingCert->loadFromFile($sampleDir . '/Certificate/saml.crt');

    // loadKey(path, isFile = true, isCert = false): a private key file, not a certificate
    $signingKey = new \XMLSecurityKey(\XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
    $signingKey->loadKey($sampleDir . '/Certificate/saml.pem', true, false);

    $signature = new SignatureCreator();
    $signature->setCertificate($signingCert);
    $signature->setXmlSecurityKey($signingKey);

    $request->setSignature($signature);
    $request->setRelayState($this->relayState);

    return $request;
}
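/**
 * Enveloped-sign an XML token with an RSA private key and return the signed XML.
 *
 * The root element is referenced (enveloped-signature and exclusive C14N transforms,
 * SHA-1 digest, RSA-SHA1 signature) and the ds:Signature is appended to it. 'ID' is
 * registered as an ID attribute name so the Reference URI can be resolved.
 *
 * Fix: the node to sign is now documentElement rather than firstChild - when the
 * document begins with a comment or processing instruction, firstChild is that node,
 * not the root element.
 *
 * @param string $token   XML document to sign
 * @param string $privkey PEM-encoded RSA private key (string, not a path)
 * @return string the signed XML
 * @throws Exception when $token is not well-formed XML or has no root element
 */
function signXML($token, $privkey) {
    $sigdoc = new DOMDocument();
    if (!$sigdoc->loadXML($token)) {
        throw new Exception("Invalid XML!");
    }

    $sigNode = $sigdoc->documentElement;
    if ($sigNode === null) {
        throw new Exception("Invalid XML!");
    }

    $dsig = new XMLSecurityDSig();
    $dsig->idKeys[] = 'ID';
    $dsig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    /* SHA-1 / RSA-SHA1 kept for compatibility; prefer SHA256 + RSA_SHA256 where verifiers allow */
    $dsig->addReference($sigNode, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N));

    /* loadKey(PEM string, isFile = false, isCert = false) */
    $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private', 'library' => 'openssl'));
    $key->loadKey($privkey, false, false);
    $dsig->sign($key);
    $dsig->appendSignature($sigNode);

    return $sigdoc->saveXML();
}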
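/**
 * @dataProvider provider
 *
 * Builds an AuthnRequest twice - once unsigned, once signed with the sample key and
 * certificate - and checks destination, response type, ACS URL and protocol binding
 * both times.
 *
 * Fix: the SpMeta setter loop used `$name` as its key variable, clobbering the dataset
 * label that every later assertion message reports; it now uses its own variable.
 *
 * @param string      $name                     dataset label (assertion messages)
 * @param array       $idpData                  list of ['binding' => .., 'url' => ..] IdP SSO services
 * @param array       $spData                   list of ['binding' => .., 'url' => ..] SP ACS services
 * @param array       $spMetaData               SpMeta setter name => value
 * @param string      $expectedSendUrl
 * @param string      $expectedResponseType
 * @param string      $expectedReceiveUrl
 * @param string      $expectedReceiveBinding
 * @param string|null $expectedException
 * @param string      $expectedExceptionMessage
 */
public function testAuthnRequestBuilder($name, array $idpData, array $spData, array $spMetaData, $expectedSendUrl, $expectedResponseType, $expectedReceiveUrl, $expectedReceiveBinding, $expectedException = null, $expectedExceptionMessage = '') {
    if ($expectedException) {
        $this->setExpectedException($expectedException, $expectedExceptionMessage);
    }

    $idp = new IdpSsoDescriptor();
    foreach ($idpData as $data) {
        $idp->addService(new SingleSignOnService($data['binding'], $data['url']));
    }
    $edIDP = new EntityDescriptor('idp');
    $edIDP->addItem($idp);

    $sp = new SpSsoDescriptor();
    foreach ($spData as $data) {
        $sp->addService(new AssertionConsumerService($data['binding'], $data['url']));
    }
    $edSP = new EntityDescriptor('sp');
    $edSP->addItem($sp);

    $spMeta = new SpMeta();
    foreach ($spMetaData as $setter => $value) {
        $spMeta->{$setter}($value);
    }

    // without signing
    $builder = new AuthnRequestBuilder($edSP, $edIDP, $spMeta);
    $message = $builder->build();
    $response = $builder->send($message);
    $this->assertStringStartsWith($expectedSendUrl, $response->getDestination(), $name);
    $this->assertInstanceOf($expectedResponseType, $response, $name);
    $this->assertEquals($expectedReceiveUrl, $message->getAssertionConsumerServiceURL(), $name);
    $this->assertEquals($expectedReceiveBinding, $message->getProtocolBinding(), $name);

    // with signing (sample certificate + RSA-SHA1 private key loaded from file)
    $signature = new SignatureCreator();
    $certificate = new X509Certificate();
    $certificate->loadFromFile(__DIR__ . '/../../../../../resources/sample/Certificate/saml.crt');
    $key = new \XMLSecurityKey(\XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
    $key->loadKey(__DIR__ . '/../../../../../resources/sample/Certificate/saml.pem', true);
    $signature->setCertificate($certificate);
    $signature->setXmlSecurityKey($key);

    $builder = new AuthnRequestBuilder($edSP, $edIDP, $spMeta, $signature);
    $message = $builder->build();
    $response = $builder->send($message);
    $this->assertStringStartsWith($expectedSendUrl, $response->getDestination(), $name);
    $this->assertInstanceOf($expectedResponseType, $response, $name);
    $this->assertEquals($expectedReceiveUrl, $message->getAssertionConsumerServiceURL(), $name);
    $this->assertEquals($expectedReceiveBinding, $message->getProtocolBinding(), $name);
}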
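/**
 * Signs an outgoing SOAP request with WS-Security before handing it to SoapClient.
 *
 * Adds a wsu:Timestamp, signs the envelope with the RSA private key at
 * PRIVATE_KEY, and embeds the certificate read from CERT_FILE as a
 * BinarySecurityToken that the Signature's KeyInfo points at.
 *
 * @param string $request  Serialized SOAP envelope produced by SoapClient
 * @param string $location Endpoint URL
 * @param string $saction  SOAPAction
 * @param int    $version  SOAP version
 * @throws Exception if the certificate file cannot be read (previously the
 *                   unchecked false from file_get_contents() went straight
 *                   into addBinaryToken())
 * @return string Raw response from the parent transport
 */
public function __doRequest($request, $location, $saction, $version)
{
    $doc = new DOMDocument('1.0');
    $doc->loadXML($request);

    $objWSSE = new WSSESoap($doc);

    // addTimestamp() is called without an explicit expiry argument; confirm
    // what Expires value the library emits before relying on the timestamp
    // for replay protection.
    $objWSSE->addTimestamp();

    // RSA-SHA1 private signing key. SHA-1 is presumably what the remote
    // endpoint expects; prefer RSA-SHA256 wherever the peer accepts it.
    $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
    // Last argument: true = PRIVATE_KEY is a path, false = PEM string.
    $objKey->loadKey(PRIVATE_KEY, true);

    // Signs the message together with the WS-Security items the library selects.
    $objWSSE->signSoapDoc($objKey);

    $cert = file_get_contents(CERT_FILE);
    if ($cert === false) {
        throw new Exception('Unable to read certificate file: ' . CERT_FILE);
    }
    $token = $objWSSE->addBinaryToken($cert);
    $objWSSE->attachTokentoSig($token);

    return parent::__doRequest($objWSSE->saveXML(), $location, $saction, $version);
}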
/**
 * Returns $key re-typed to $algorithm, carrying only its public half.
 *
 * When the key already has the requested algorithm it is returned unchanged.
 * Otherwise the public key PEM is pulled out of openssl_pkey_get_details()
 * and loaded into a fresh public-type XMLSecurityKey; private material is
 * never copied into the new object.
 *
 * @param \XMLSecurityKey $key       Key to convert
 * @param string          $algorithm Target XMLSecurityKey algorithm constant
 * @throws \InvalidArgumentException when $algorithm is not a string
 * @throws \AerialShip\LightSaml\Error\SecurityException when OpenSSL cannot describe the key
 * @return \XMLSecurityKey The original key or a new public key of type $algorithm
 */
static function castKey(\XMLSecurityKey $key, $algorithm)
{
    if (!is_string($algorithm)) {
        throw new \InvalidArgumentException('Algorithm must be string');
    }

    // Already the requested algorithm: nothing to convert.
    if ($algorithm === $key->type) {
        return $key;
    }

    $details = openssl_pkey_get_details($key->key);
    if (false === $details) {
        throw new SecurityException('Unable to get key details from XMLSecurityKey.');
    }
    if (!isset($details['key'])) {
        throw new SecurityException('Missing key in public key details.');
    }

    $converted = new \XMLSecurityKey($algorithm, array('type' => 'public'));
    $converted->loadKey($details['key']);

    return $converted;
}
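/**
 * Signs an outgoing SOAP request with WS-Security before it is sent.
 *
 * Adds a wsu:Timestamp, signs the envelope with the RSA private key at
 * $this->KeyPath and embeds the certificate at $this->CertPath as a
 * BinarySecurityToken referenced by the Signature. Failures are reported
 * through Core::RaiseError with E_ERROR, as the surrounding code does.
 *
 * @param string $request  Serialized SOAP envelope from SoapClient
 * @param string $location Endpoint URL
 * @param string $saction  SOAPAction
 * @param int    $version  SOAP version
 * @return string|null Raw response, or null when the certificate could not be
 *                     read and Core::RaiseError returned instead of aborting
 */
function __doRequest($request, $location, $saction, $version) {
    $doc = new DOMDocument('1.0');
    $doc->loadXML($request);
    $objWSSE = new WSSESoap($doc);

    // addTimestamp() is called without an explicit expiry argument; confirm
    // what Expires value the library emits before relying on it for replay
    // protection.
    $objWSSE->addTimestamp();

    // RSA-SHA1 private signing key. SHA-1 is presumably what the remote
    // endpoint expects; prefer RSA-SHA256 when the peer accepts it.
    $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));
    // Last argument TRUE: KeyPath is a file path, not PEM text.
    $objKey->loadKey($this->KeyPath, TRUE);

    try {
        // Signs the message together with the WS-Security items the library selects.
        $objWSSE->signSoapDoc($objKey);
    } catch (Exception $e) {
        Core::RaiseError("[".__METHOD__."] ".$e->getMessage(), E_ERROR);
    }

    // Previously the result of file_get_contents() went straight into
    // addBinaryToken(), so an unreadable certificate produced a token built from false.
    $cert = file_get_contents($this->CertPath);
    if ($cert === FALSE) {
        Core::RaiseError("[".__METHOD__."] Unable to read certificate file ".$this->CertPath, E_ERROR);
        // Core::RaiseError is assumed to abort on E_ERROR; the return covers
        // the case where it does not.
        return NULL;
    }
    $token = $objWSSE->addBinaryToken($cert);
    $objWSSE->attachTokentoSig($token);

    try {
        return parent::__doRequest($objWSSE->saveXML(), $location, $saction, $version);
    } catch (Exception $e) {
        Core::RaiseError("[".__METHOD__."] ".$e->__toString(), E_ERROR);
    }
}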
/**
 * Builds a small <root foo="bar"><other><child>something</child></other></root>
 * document, signs its root element with the sample certificate/key pair and
 * returns the serialized XML.
 *
 * @return string Signed XML document
 */
private function getSignedXml() {
    $fixtureDir = __DIR__ . '/../../../../../../../resources/sample/Certificate';

    $doc = new \DOMDocument();
    /** @var $root \DOMElement */
    $root = $doc->appendChild($doc->createElement('root'));
    $root->setAttribute('foo', 'bar');
    $other = $root->appendChild($doc->createElement('other'));
    $other->appendChild($doc->createElement('child', 'something'));

    $certificate = new X509Certificate();
    $certificate->loadFromFile($fixtureDir . '/saml.crt');
    // last argument true: the key is given as a file path, not PEM text
    $key = new \XMLSecurityKey(\XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
    $key->loadKey($fixtureDir . '/saml.pem', true);

    $signer = new SignatureCreator();
    $signer->setCertificate($certificate);
    $signer->setXmlSecurityKey($key);
    $signer->getXml($root, new SerializationContext($doc));

    return $doc->saveXML();
}
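/**
 * Converts an OpenSSH-style public key line ("ssh-rsa <base64> [comment]")
 * into the PEM public key produced by XMLSecurityKey::convertRSA().
 *
 * The base64 blob is parsed as three length-prefixed fields via the
 * read_rsa_bytes() helper: key type, public exponent, modulus. The first is
 * read only to advance $offset; the other two feed convertRSA().
 *
 * @param string $key OpenSSH public key line
 * @return string|false PEM public key, or false when XMLSecurityKey is not
 *                      loaded or the line is not "<type> <base64>[ ...]"
 */
function x509_from_rsa($key) {
    $result = FALSE;
    if (class_exists('XMLSecurityKey')) {
        $parts = explode(' ', trim((string) $key));
        // Need at least "<type> <base64>"; the original indexed $parts[1] blindly.
        if (count($parts) < 2) {
            return FALSE;
        }
        // Strict decoding rejects blobs containing characters outside the base64
        // alphabet instead of silently dropping them.
        $bytes = base64_decode($parts[1], true);
        if ($bytes === FALSE) {
            return FALSE;
        }
        $offset = 0;
        read_rsa_bytes($bytes, $offset); // key type field, consumed only to advance $offset
        $exponent = read_rsa_bytes($bytes, $offset);
        $modulus = read_rsa_bytes($bytes, $offset);
        $result = XMLSecurityKey::convertRSA($modulus, $exponent);
    }
    return $result;
}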
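/**
 * Signs the first Assertion in an ADFS response with an enveloped XML-DSig
 * (exclusive C14N, SHA-1 digest, RSA-SHA1) and returns the signed XML.
 *
 * @param string      $response Serialized response XML containing an Assertion element
 * @param string      $key      Path to the PEM private key
 * @param string|null $cert     Path to the PEM certificate to embed as X509Data, or falsy to omit it
 * @throws Exception when the response has no Assertion element or the certificate file cannot be read
 * @return string Signed response XML
 */
function ADFS_SignResponse($response, $key, $cert) {
    $responsedom = new DOMDocument();
    $responsedom->loadXML(str_replace("\r", "", $response));

    $assertion = $responsedom->getElementsByTagName('Assertion')->item(0);
    if ($assertion === null) {
        // Without this guard a null node reached addReferenceList().
        throw new Exception('ADFS_SignResponse: response contains no Assertion element to sign.');
    }

    $dsig = new XMLSecurityDSig();
    // The reference is resolved through the AssertionID attribute rather than ID.
    $dsig->idKeys = array('AssertionID');
    $dsig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    // SHA-1 digest/signature kept for compatibility with the relying party;
    // move to SHA-256 as soon as it accepts it.
    $dsig->addReferenceList(
        array($assertion),
        XMLSecurityDSig::SHA1,
        array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N),
        array('id_name' => 'AssertionID')
    );

    $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
    // TRUE: $key is a file path, not PEM text.
    $objKey->loadKey($key, TRUE);
    $dsig->sign($objKey);

    if ($cert) {
        $public_cert = file_get_contents($cert);
        if ($public_cert === FALSE) {
            throw new Exception('ADFS_SignResponse: unable to read certificate file ' . $cert);
        }
        $dsig->add509Cert($public_cert, TRUE);
    }

    $newSig = $responsedom->importNode($dsig->sigNode, TRUE);
    $assertion->appendChild($newSig);

    return $responsedom->saveXML();
}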
/**
 * Appends a saml:AttributeStatement made of saml:EncryptedAttribute entries
 * to the assertion element.
 *
 * Does nothing unless encrypted attributes were requested. Each attribute is
 * built in a scratch document, encrypted as a whole element with a freshly
 * generated AES-256-CBC session key, and that session key is wrapped with
 * $this->encryptionKey. CBC gives confidentiality only; integrity of the
 * assertion comes from its signature, not from this encryption.
 *
 * @param DOMElement $root The assertion element we should add the Encrypted Attribute Statement to.
 */
private function addEncryptedAttributeStatement(DOMElement $root) {
    if (!$this->requiredEncAttributes) {
        return;
    }

    $document = $root->ownerDocument;
    $statement = $document->createElementNS(SAML2_Const::NS_SAML, 'saml:AttributeStatement');
    $root->appendChild($statement);

    foreach ($this->attributes as $name => $values) {
        // Build the plaintext saml:Attribute in its own document so that
        // encryptNode() works on a standalone element.
        $scratch = new DOMDocument();
        $attribute = $scratch->createElementNS(SAML2_Const::NS_SAML, 'saml:Attribute');
        $attribute->setAttribute('Name', $name);
        $scratch->appendChild($attribute);
        if ($this->nameFormat !== SAML2_Const::NAMEFORMAT_UNSPECIFIED) {
            $attribute->setAttribute('NameFormat', $this->nameFormat);
        }

        foreach ($values as $value) {
            // Only plain strings and integers receive an xsi:type; other values stay untyped.
            $xsiType = NULL;
            if (is_string($value)) {
                $xsiType = 'xs:string';
            } elseif (is_int($value)) {
                $xsiType = 'xs:integer';
            }

            $attributeValue = $scratch->createElementNS(SAML2_Const::NS_SAML, 'saml:AttributeValue');
            $attribute->appendChild($attributeValue);
            if ($xsiType !== NULL) {
                $attributeValue->setAttributeNS(SAML2_Const::NS_XSI, 'xsi:type', $xsiType);
            }

            if ($value instanceof DOMNodeList) {
                foreach ($value as $item) {
                    $attributeValue->appendChild($scratch->importNode($item, TRUE));
                }
            } else {
                $attributeValue->appendChild($scratch->createTextNode($value));
            }
        }

        // Encrypt the complete saml:Attribute with a one-off session key, then
        // wrap that session key for the recipient using $this->encryptionKey.
        $enc = new XMLSecEnc();
        $enc->setNode($scratch->documentElement);
        $enc->type = 'http://www.w3.org/2001/04/xmlenc#Element';
        $sessionKey = new XMLSecurityKey(XMLSecurityKey::AES256_CBC);
        $sessionKey->generateSessionKey();
        $enc->encryptKey($this->encryptionKey, $sessionKey);
        $encrypted = $enc->encryptNode($sessionKey);

        $encAttribute = $document->createElementNS(SAML2_Const::NS_SAML, 'saml:EncryptedAttribute');
        $statement->appendChild($encAttribute);
        $encAttribute->appendChild($document->importNode($encrypted, true));
    }
}
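/**
 * Reads the ds:KeyInfo child of $node and populates $objBaseKey from it.
 *
 * Handled KeyInfo children: KeyName (sets ->name), KeyValue/RSAKeyValue
 * (loads a public key built from Modulus/Exponent), EncryptedKey (returns a
 * new key object flagged isEncrypted whose encryptedCtx can unwrap it, after
 * recursing into the EncryptedKey's own KeyInfo) and X509Data/X509Certificate
 * (loads the first certificate). RetrievalMethod is ignored; DSAKeyValue throws.
 *
 * NOTE(review): every key produced here originates from the document being
 * processed. For signature verification the caller must still match it against
 * a configured trust anchor; a key the message supplies about itself proves
 * nothing on its own.
 *
 * @param XMLSecurityKey|null $objBaseKey Key object to populate; may be null when only an EncryptedKey is expected
 * @param \DOMNode|null       $node       Element whose direct ds:KeyInfo child is inspected
 * @throws \Exception on DSAKeyValue, on an incomplete RSAKeyValue, or when an EncryptedKey's algorithm cannot be located
 * @return XMLSecurityKey|null $objBaseKey (possibly untouched), the EncryptedKey's key object, or null when $node is unusable
 */
static function staticLocateKeyInfo($objBaseKey = NULL, $node = NULL) {
    if (empty($node) || !$node instanceof \DOMNode) {
        return NULL;
    }
    $doc = $node->ownerDocument;
    if (!$doc) {
        return NULL;
    }

    $xpath = new \DOMXPath($doc);
    $xpath->registerNamespace('xmlsecenc', XMLSecEnc::XMLENCNS);
    $xpath->registerNamespace('xmlsecdsig', XMLSecurityDSig::XMLDSIGNS);
    $keyInfo = $xpath->query("./xmlsecdsig:KeyInfo", $node)->item(0);
    if (!$keyInfo) {
        return $objBaseKey;
    }

    foreach ($keyInfo->childNodes as $child) {
        switch ($child->localName) {
            case 'KeyName':
                if (!empty($objBaseKey)) {
                    $objBaseKey->name = $child->nodeValue;
                }
                break;

            case 'KeyValue':
                foreach ($child->childNodes as $keyval) {
                    switch ($keyval->localName) {
                        case 'DSAKeyValue':
                            throw new \Exception("DSAKeyValue currently not supported");
                        case 'RSAKeyValue':
                            $modulus = NULL;
                            $exponent = NULL;
                            if ($modulusNode = $keyval->getElementsByTagName('Modulus')->item(0)) {
                                $modulus = base64_decode($modulusNode->nodeValue);
                            }
                            if ($exponentNode = $keyval->getElementsByTagName('Exponent')->item(0)) {
                                $exponent = base64_decode($exponentNode->nodeValue);
                            }
                            if (empty($modulus) || empty($exponent)) {
                                throw new \Exception("Missing Modulus or Exponent");
                            }
                            // Guard added: $objBaseKey defaults to NULL and the KeyName
                            // branch already checks it, but this branch dereferenced it blindly.
                            if (!empty($objBaseKey)) {
                                $objBaseKey->loadKey(XMLSecurityKey::convertRSA($modulus, $exponent));
                            }
                            break;
                    }
                }
                break;

            case 'RetrievalMethod':
                /* Not currently supported */
                break;

            case 'EncryptedKey':
                $objenc = new XMLSecEnc();
                $objenc->setNode($child);
                if (!($objKey = $objenc->locateKey())) {
                    throw new \Exception("Unable to locate algorithm for this Encrypted Key");
                }
                $objKey->isEncrypted = TRUE;
                $objKey->encryptedCtx = $objenc;
                // Recurse so the EncryptedKey's own KeyInfo (the wrapping key) is picked up.
                XMLSecEnc::staticLocateKeyInfo($objKey, $child);
                return $objKey;

            case 'X509Data':
                $certNode = $child->getElementsByTagName('X509Certificate')->item(0);
                // Same NULL guard as above: loading into a missing key object is skipped.
                if ($certNode && !empty($objBaseKey)) {
                    $pem = str_replace(array("\r", "\n"), "", $certNode->textContent);
                    $pem = "-----BEGIN CERTIFICATE-----\n" . chunk_split($pem, 64, "\n") . "-----END CERTIFICATE-----\n";
                    $objBaseKey->loadKey($pem, FALSE, TRUE);
                }
                break;
        }
    }
    return $objBaseKey;
}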
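/**
 * Reads the ds:KeyInfo child of $node and populates $objBaseKey from it.
 *
 * Handled KeyInfo children: KeyName (sets ->name), KeyValue/RSAKeyValue
 * (loads a public key built from Modulus/Exponent), EncryptedKey and
 * RetrievalMethod of type EncryptedKey with a same-document "#id" URI (both
 * return XMLSecurityKey::fromEncryptedKeyElement() for the located element),
 * and X509Data/X509Certificate (loads the first certificate). DSAKeyValue throws.
 *
 * NOTE(review): every key produced here originates from the document being
 * processed. For signature verification the caller must still match it against
 * a configured trust anchor; a key the message supplies about itself proves
 * nothing on its own.
 *
 * @param XMLSecurityKey|null $objBaseKey Key object to populate; may be null when only an EncryptedKey is expected
 * @param DOMNode|null        $node       Element whose direct ds:KeyInfo child is inspected
 * @throws Exception on DSAKeyValue, an incomplete RSAKeyValue, a malformed RetrievalMethod reference,
 *                   or when the referenced EncryptedKey does not exist
 * @return XMLSecurityKey|null $objBaseKey (possibly untouched), the key from an EncryptedKey, or null when $node is unusable
 */
static function staticLocateKeyInfo($objBaseKey = NULL, $node = NULL) {
    if (empty($node) || !$node instanceof DOMNode) {
        return NULL;
    }
    $doc = $node->ownerDocument;
    if (!$doc) {
        return NULL;
    }

    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('xmlsecenc', DBSeller_Helper_Xml_Security_XMLSecEnc::XMLENCNS);
    $xpath->registerNamespace('xmlsecdsig', DBSeller_Helper_Xml_Security_XMLSecurityDSig::XMLDSIGNS);
    $encmeth = $xpath->query("./xmlsecdsig:KeyInfo", $node)->item(0);
    if (!$encmeth) {
        /* No KeyInfo in EncryptedData / EncryptedKey. */
        return $objBaseKey;
    }

    foreach ($encmeth->childNodes as $child) {
        switch ($child->localName) {
            case 'KeyName':
                if (!empty($objBaseKey)) {
                    $objBaseKey->name = $child->nodeValue;
                }
                break;

            case 'KeyValue':
                foreach ($child->childNodes as $keyval) {
                    switch ($keyval->localName) {
                        case 'DSAKeyValue':
                            throw new Exception("DSAKeyValue currently not supported");
                        case 'RSAKeyValue':
                            $modulus = NULL;
                            $exponent = NULL;
                            if ($modulusNode = $keyval->getElementsByTagName('Modulus')->item(0)) {
                                $modulus = base64_decode($modulusNode->nodeValue);
                            }
                            if ($exponentNode = $keyval->getElementsByTagName('Exponent')->item(0)) {
                                $exponent = base64_decode($exponentNode->nodeValue);
                            }
                            if (empty($modulus) || empty($exponent)) {
                                throw new Exception("Missing Modulus or Exponent");
                            }
                            // Guard added: $objBaseKey defaults to NULL and the KeyName
                            // branch already checks it, but this branch dereferenced it blindly.
                            if (!empty($objBaseKey)) {
                                $objBaseKey->loadKey(XMLSecurityKey::convertRSA($modulus, $exponent));
                            }
                            break;
                    }
                }
                break;

            case 'RetrievalMethod':
                $type = $child->getAttribute('Type');
                if ($type !== 'http://www.w3.org/2001/04/xmlenc#EncryptedKey') {
                    /* Unsupported key type. */
                    break;
                }
                $uri = $child->getAttribute('URI');
                // Only same-document references ("#id") are supported. The empty-string
                // check avoids reading offset 0 of an absent attribute.
                if ($uri === '' || $uri[0] !== '#') {
                    /* URI not a reference - unsupported. */
                    break;
                }
                $id = (string) substr($uri, 1);
                // $id is message-controlled text interpolated into a quoted XPath
                // literal; refuse anything that could terminate the literal and
                // rewrite the predicate.
                if ($id === '' || strpos($id, "'") !== false) {
                    throw new Exception("Invalid EncryptedKey reference in RetrievalMethod URI.");
                }
                $keyElement = $xpath->query("//xmlsecenc:EncryptedKey[@Id='{$id}']")->item(0);
                if (!$keyElement) {
                    throw new Exception("Unable to locate EncryptedKey with @Id='{$id}'.");
                }
                return XMLSecurityKey::fromEncryptedKeyElement($keyElement);

            case 'EncryptedKey':
                return XMLSecurityKey::fromEncryptedKeyElement($child);

            case 'X509Data':
                $certNode = $child->getElementsByTagName('X509Certificate')->item(0);
                // Same NULL guard as above: loading into a missing key object is skipped.
                if ($certNode && !empty($objBaseKey)) {
                    $x509cert = str_replace(array("\r", "\n"), "", $certNode->textContent);
                    $x509cert = "-----BEGIN CERTIFICATE-----\n" . chunk_split($x509cert, 64, "\n") . "-----END CERTIFICATE-----\n";
                    $objBaseKey->loadKey($x509cert, FALSE, TRUE);
                }
                break;
        }
    }
    return $objBaseKey;
}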
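/**
 * Decrypts the WS-Security-encrypted parts of a SOAP envelope in place.
 *
 * Looks for /Envelope/Header/Security/EncryptedKey, unwraps the session key
 * it carries with the private key given in $options, then decrypts every
 * EncryptedData element listed in its ReferenceList (DataReference/@URI,
 * same-document "#id" references only), replacing each with its plaintext.
 *
 * @param DOMDocument $doc     Envelope to decrypt (modified in place)
 * @param array|mixed $options Optional; reads $options['keys']['private']['key'|'isFile'|'isCert']
 *                             (the private key as PEM text or a path, plus the two loadKey() flags)
 * @throws Exception when the EncryptedKey's algorithm cannot be located, a DataReference is not a
 *                   usable same-document fragment, or a referenced element does not exist
 * @return bool Always true; failures surface as exceptions
 */
public function decryptSoapDoc($doc, $options) {
    $privKey = null;
    $privKey_isFile = false;
    $privKey_isCert = false;
    if (is_array($options)) {
        $privKey = !empty($options["keys"]["private"]["key"]) ? $options["keys"]["private"]["key"] : null;
        $privKey_isFile = !empty($options["keys"]["private"]["isFile"]);
        $privKey_isCert = !empty($options["keys"]["private"]["isCert"]);
    }

    $xpath = new DOMXPath($doc);
    $envns = $doc->documentElement->namespaceURI;
    $xpath->registerNamespace("soapns", $envns);
    // NB: the prefix is named "soapenc" but is bound to the XML Encryption namespace.
    $xpath->registerNamespace("soapenc", "http://www.w3.org/2001/04/xmlenc#");

    $objenc = new XMLSecEnc();
    $objKey = null;
    $key = null;
    $references = array();

    $nodes = $xpath->query('/soapns:Envelope/soapns:Header/*[local-name()="Security"]/soapenc:EncryptedKey');
    if ($node = $nodes->item(0)) {
        $objenc->setNode($node);
        if (!($objKey = $objenc->locateKey())) {
            throw new Exception("Unable to locate algorithm for this Encrypted Key");
        }
        $objKey->isEncrypted = true;
        $objKey->encryptedCtx = $objenc;
        XMLSecEnc::staticLocateKeyInfo($objKey, $node);

        // Unwrap the session key with our private key, then reload the key
        // object with the raw session-key bytes.
        $objencKey = $objKey->encryptedCtx;
        $objKey->loadKey($privKey, $privKey_isFile, $privKey_isCert);
        $key = $objencKey->decryptKey($objKey);
        $objKey->loadKey($key);

        foreach ($xpath->query('./soapenc:ReferenceList/soapenc:DataReference/@URI', $node) as $reference) {
            $references[] = $reference->nodeValue;
        }
    }

    foreach ($references as $reference) {
        // Only "#id" fragments can be resolved; anything else used to raise an
        // undefined-index notice and build a bogus XPath.
        $arUrl = parse_url($reference);
        if ($arUrl === false || !isset($arUrl['fragment']) || $arUrl['fragment'] === '') {
            throw new Exception("Unsupported DataReference URI: " . $reference);
        }
        $id = $arUrl['fragment'];
        // $id is message-controlled text interpolated into a quoted XPath literal;
        // refuse anything that could close the quote and rewrite the predicate.
        if (strpos($id, '"') !== false) {
            throw new Exception("Invalid DataReference URI: " . $reference);
        }
        $encData = $xpath->query('//*[@Id="' . $id . '"]')->item(0);
        if (!$encData) {
            throw new Exception("Unable to locate EncryptedData with @Id=\"" . $id . "\"");
        }

        // The algorithm is taken from the message itself. Deployments should
        // restrict it to the symmetric algorithms they expect rather than
        // instantiate whatever the sender names.
        if ($algo = $xpath->evaluate("string(./soapenc:EncryptionMethod/@Algorithm)", $encData)) {
            $objKey = new XMLSecurityKey($algo);
            $objKey->loadKey($key);
        }
        $objenc->setNode($encData);
        $objenc->type = $encData->getAttribute("Type");
        // replace = true: the EncryptedData element is swapped for the plaintext in $doc
        $objenc->decryptNode($objKey, true);
    }
    return true;
}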
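/**
 * Encrypt an assertion.
 *
 * This function takes in a SAML2_Assertion and encrypts it if encryption of
 * assertions is enabled in the metadata (SP setting first, IdP setting as
 * fallback). A configured 'sharedkey' yields direct AES-128-CBC encryption;
 * otherwise the first X509Certificate among the SP's 'encryption' keys is used
 * as an RSA-OAEP-MGF1P public key.
 *
 * @param SimpleSAML_Configuration $idpMetadata The metadata of the IdP.
 * @param SimpleSAML_Configuration $spMetadata The metadata of the SP.
 * @param SAML2_Assertion $assertion The assertion we are encrypting.
 * @throws SimpleSAML_Error_Exception when encryption is enabled but no usable key is configured.
 * @return SAML2_Assertion|SAML2_EncryptedAssertion The assertion.
 */
private static function encryptAssertion(SimpleSAML_Configuration $idpMetadata, SimpleSAML_Configuration $spMetadata, SAML2_Assertion $assertion) {
    $encryptAssertion = $spMetadata->getBoolean('assertion.encryption', NULL);
    if ($encryptAssertion === NULL) {
        $encryptAssertion = $idpMetadata->getBoolean('assertion.encryption', FALSE);
    }
    if (!$encryptAssertion) {
        /* We are _not_ encrypting this assertion, and are therefore done. */
        return $assertion;
    }

    $sharedKey = $spMetadata->getString('sharedkey', NULL);
    if ($sharedKey !== NULL) {
        /* Pre-shared symmetric key: the assertion is encrypted directly with it. */
        $key = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
        $key->loadKey($sharedKey);
    } else {
        $key = NULL;
        // Walk the SP's encryption keys and use the first supported one instead
        // of assuming the first entry is usable (the original indexed $keys[0]
        // unconditionally and rejected the whole list if that entry was not a certificate).
        foreach ($spMetadata->getPublicKeys('encryption', TRUE) as $candidate) {
            if ($candidate['type'] !== 'X509Certificate') {
                continue;
            }
            $pemKey = "-----BEGIN CERTIFICATE-----\n" . chunk_split($candidate['X509Certificate'], 64) . "-----END CERTIFICATE-----\n";
            /* Extract the public key from the certificate for encryption. */
            $key = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, array('type' => 'public'));
            $key->loadKey($pemKey);
            break;
        }
        if ($key === NULL) {
            throw new SimpleSAML_Error_Exception('No supported encryption key in ' . var_export($spMetadata->getString('entityid'), TRUE));
        }
    }

    $ea = new SAML2_EncryptedAssertion();
    $ea->setAssertion($assertion, $key);
    return $ea;
}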
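/**
 * Signs a SAML message or metadata document and embeds the signer's certificate.
 *
 * An enveloped signature (exclusive C14N, SHA-1 digest, RSA-SHA1, referenced
 * through the root's ID attribute) is inserted as the first child of the root
 * element, or directly after saml:Issuer for AuthnRequest, Response,
 * LogoutRequest and LogoutResponse.
 *
 * @param string|DOMDocument $xml  The element we should sign, as a document or XML string
 * @param string             $key  The private key, as PEM text (not a path)
 * @param string             $cert The public certificate, as PEM text
 * @throws Exception when $xml is a string that does not parse, or the document has no root element
 * @return string Signed XML
 */
public static function addSign($xml, $key, $cert) {
    if ($xml instanceof DOMDocument) {
        $dom = $xml;
    } else {
        $dom = new DOMDocument();
        $dom = self::loadXML($dom, $xml);
        if (!$dom) {
            throw new Exception('Error parsing xml string');
        }
    }

    /* The root element is the node we sign. documentElement rather than
     * firstChild: a leading comment, processing instruction or DOCTYPE would
     * otherwise be picked up as the node to sign. */
    $rootNode = $dom->documentElement;
    if ($rootNode === null) {
        throw new Exception('XML document has no root element to sign');
    }

    /* Load the private key; second argument false = $key is PEM text, not a path. */
    $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
    $objKey->loadKey($key, false);

    $objXMLSecDSig = new XMLSecurityDSig();
    $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    // SHA-1 is retained for compatibility with existing peers; RSA-SHA256 with a
    // SHA-256 digest should be preferred wherever the counterpart supports it.
    $objXMLSecDSig->addReferenceList(
        array($rootNode),
        XMLSecurityDSig::SHA1,
        array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N),
        array('id_name' => 'ID')
    );
    $objXMLSecDSig->sign($objKey);

    /* Add the certificate to the signature (true = PEM input). */
    $objXMLSecDSig->add509Cert($cert, true);

    /* Default position is first child; for protocol messages the signature goes
     * right after saml:Issuer when exactly one Issuer is present. */
    $insertBefore = $rootNode->firstChild;
    $messageTypes = array('samlp:AuthnRequest', 'samlp:Response', 'samlp:LogoutRequest', 'samlp:LogoutResponse');
    if (in_array($rootNode->tagName, $messageTypes, true)) {
        $issuerNodes = self::query($dom, '/' . $rootNode->tagName . '/saml:Issuer');
        if ($issuerNodes->length == 1) {
            $insertBefore = $issuerNodes->item(0)->nextSibling;
        }
    }
    $objXMLSecDSig->insertSignature($rootNode, $insertBefore);

    return $dom->saveXML();
}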
/**
 * Retrieve certificates that sign this element.
 *
 * Each candidate in $this->certificates (base64 certificate body without PEM
 * armour) is wrapped into PEM, loaded as an RSA-SHA1 public key and tried
 * against the element's signature via validate(); those that verify are
 * returned. An exception raised while trying a candidate is deliberately
 * treated as "does not sign this element".
 *
 * @return array Array with certificates, in the same base64 form as stored.
 */
public function getValidatingCertificates() {
    $signing = array();
    foreach ($this->certificates as $candidate) {
        $pem = "-----BEGIN CERTIFICATE-----\n"
            . chunk_split($candidate, 64)
            . "-----END CERTIFICATE-----\n";

        /* Extract the public key from the certificate for validation. */
        $publicKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'public'));
        $publicKey->loadKey($pem);

        try {
            if ($this->validate($publicKey)) {
                $signing[] = $candidate;
            }
        } catch (Exception $e) {
            /* Best effort: a candidate that fails to verify is simply left out. */
        }
    }
    return $signing;
}
/**
 * Retrieve the encryption key for the given entity.
 *
 * A configured 'sharedkey' takes precedence and yields an AES-128-CBC
 * symmetric key; otherwise the first X509Certificate among the entity's
 * 'encryption' public keys is loaded as an RSA-OAEP-MGF1P public key.
 *
 * @param SimpleSAML_Configuration $metadata The metadata of the entity.
 * @throws SimpleSAML_Error_Exception when neither a shared key nor a certificate is available.
 * @return XMLSecurityKey The encryption key.
 */
public static function getEncryptionKey(SimpleSAML_Configuration $metadata) {
    $sharedKey = $metadata->getString('sharedkey', NULL);
    if ($sharedKey !== NULL) {
        $symmetric = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
        $symmetric->loadKey($sharedKey);
        return $symmetric;
    }

    foreach ($metadata->getPublicKeys('encryption', TRUE) as $candidate) {
        if ($candidate['type'] !== 'X509Certificate') {
            continue; // only certificates are usable here
        }
        $pem = "-----BEGIN CERTIFICATE-----\n"
            . chunk_split($candidate['X509Certificate'], 64)
            . "-----END CERTIFICATE-----\n";
        $public = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, array('type' => 'public'));
        $public->loadKey($pem);
        return $public;
    }

    throw new SimpleSAML_Error_Exception('No supported encryption key in ' . var_export($metadata->getString('entityid'), TRUE));
}
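/**
 * Validate the signature on a HTTP-Redirect message.
 *
 * Throws an exception if we are unable to validate the signature.
 *
 * @param array          $data The data we need to validate the query string:
 *                             'Query' (the signed query string), 'SigAlg' and
 *                             'Signature' (base64).
 * @param XMLSecurityKey $key  The key we should validate the query against.
 * @throws Exception when a field is missing, the Signature is not valid base64,
 *                   the algorithm is unknown or does not match the key, or
 *                   verification fails.
 */
public static function validateSignature(array $data, XMLSecurityKey $key) {
    // Explicit checks replace the former string-form assert() calls: those are
    // skipped when assertions are disabled and are no longer evaluated at all on
    // PHP 8, which turned a missing field into an undefined-index notice.
    foreach (array('Query', 'SigAlg', 'Signature') as $field) {
        if (!array_key_exists($field, $data)) {
            throw new Exception('Missing ' . $field . ' in HTTP-Redirect signature data.');
        }
    }
    $query = $data['Query'];
    $sigAlg = $data['SigAlg'];

    // Strict decoding: input that is not base64 must fail instead of silently
    // decoding to something.
    $signature = base64_decode($data['Signature'], true);
    if ($signature === false) {
        throw new Exception('Signature on query string is not valid base64.');
    }

    switch ($sigAlg) {
        case XMLSecurityKey::RSA_SHA1:
            // SigAlg is chosen by the sender; it must agree with the configured key type.
            if ($key->type !== XMLSecurityKey::RSA_SHA1) {
                throw new Exception('Invalid key type for validating signature on query string.');
            }
            if (!$key->verifySignature($query, $signature)) {
                throw new Exception('Unable to validate signature on query string.');
            }
            break;
        default:
            throw new Exception('Unknown signature algorithm: ' . var_export($sigAlg, TRUE));
    }
}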