/** * @param AbstractSamlModel $object * @param XMLSecurityKey $key * * @return SerializationContext */ public function encrypt(AbstractSamlModel $object, XMLSecurityKey $key) { $oldKey = $key; $key = new XMLSecurityKey($this->keyTransportEncryption, ['type' => 'public']); $key->loadKey($oldKey->key); $serializationContext = new SerializationContext(); $object->serialize($serializationContext->getDocument(), $serializationContext); $enc = new XMLSecEnc(); $enc->setNode($serializationContext->getDocument()->firstChild); $enc->type = XMLSecEnc::Element; switch ($key->type) { case XMLSecurityKey::TRIPLEDES_CBC: case XMLSecurityKey::AES128_CBC: case XMLSecurityKey::AES192_CBC: case XMLSecurityKey::AES256_CBC: $symmetricKey = $key; break; case XMLSecurityKey::RSA_1_5: case XMLSecurityKey::RSA_SHA1: case XMLSecurityKey::RSA_SHA256: case XMLSecurityKey::RSA_SHA384: case XMLSecurityKey::RSA_SHA512: case XMLSecurityKey::RSA_OAEP_MGF1P: $symmetricKey = new XMLSecurityKey($this->blockEncryptionAlgorithm); $symmetricKey->generateSessionKey(); $enc->encryptKey($key, $symmetricKey); break; default: throw new LightSamlException(sprintf('Unknown key type for encryption: "%s"', $key->type)); } $this->encryptedElement = $enc->encryptNode($symmetricKey); return $serializationContext; }
/** * Set the assertion. * * @param \SAML2\Assertion $assertion The assertion. * @param XMLSecurityKey $key The key we should use to encrypt the assertion. * @throws \Exception */ public function setAssertion(Assertion $assertion, XMLSecurityKey $key) { $xml = $assertion->toXML(); Utils::getContainer()->debugMessage($xml, 'encrypt'); $enc = new XMLSecEnc(); $enc->setNode($xml); $enc->type = XMLSecEnc::Element; switch ($key->type) { case XMLSecurityKey::TRIPLEDES_CBC: case XMLSecurityKey::AES128_CBC: case XMLSecurityKey::AES192_CBC: case XMLSecurityKey::AES256_CBC: $symmetricKey = $key; break; case XMLSecurityKey::RSA_1_5: case XMLSecurityKey::RSA_OAEP_MGF1P: $symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES128_CBC); $symmetricKey->generateSessionKey(); $enc->encryptKey($key, $symmetricKey); break; default: throw new \Exception('Unknown key type for encryption: ' . $key->type); } $this->encryptedData = $enc->encryptNode($symmetricKey); }
/** * @param XMLSecurityKey $symmetricKey * * @throws \LightSaml\Error\LightSamlXmlException * * @return XMLSecurityKey */ protected function loadSymmetricKeyInfo(XMLSecurityKey $symmetricKey) { $symmetricKeyInfo = $this->xmlEnc->locateKeyInfo($symmetricKey); if (false == $symmetricKeyInfo) { throw new LightSamlXmlException('Could not locate <dsig:KeyInfo> for the encrypted key'); } return $symmetricKeyInfo; }
/** * @param \DOMElement $node * @param DeserializationContext $context * * @throws \LightSaml\Error\LightSamlSecurityException */ public function deserialize(\DOMElement $node, DeserializationContext $context) { $this->checkXmlNodeName($node, 'Signature', SamlConstants::NS_XMLDSIG); $this->signature = new XMLSecurityDSig(); $this->signature->idKeys[] = $this->getIDName(); $this->signature->sigNode = $node; $this->signature->canonicalizeSignedInfo(); $this->key = null; $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'public')); XMLSecEnc::staticLocateKeyInfo($key, $node); if ($key->name || $key->key) { $this->key = $key; } $this->certificates = array(); $list = $context->getXpath()->query('./ds:KeyInfo/ds:X509Data/ds:X509Certificate', $node); foreach ($list as $certNode) { $certData = trim($certNode->textContent); $certData = str_replace(array("\r", "\n", "\t", ' '), '', $certData); $this->certificates[] = $certData; } }
/** * Try to extract the public key from DOM node. * * Sets publicKey and keyAlgorithm properties if success. * * @see publicKey * @see keyAlgorithm * * @param DOMNode $dom * * @return bool `true` If public key was extracted or `false` if cannot be possible */ protected function setPublicKeyFromNode(DOMNode $dom) { // try to get the public key from the certificate $objXMLSecDSig = new XMLSecurityDSig(); $objDSig = $objXMLSecDSig->locateSignature($dom); if (!$objDSig) { return false; } $objKey = $objXMLSecDSig->locateKey(); if (!$objKey) { return false; } XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig); $this->publicKey = $objKey->getX509Certificate(); $this->keyAlgorithm = $objKey->getAlgorith(); return true; }
/** * Create key from an EncryptedKey-element. * * @param DOMElement $element The EncryptedKey-element. * @throws Exception * * @return XMLSecurityKey The new key. */ public static function fromEncryptedKeyElement(DOMElement $element) { $objenc = new XMLSecEnc(); $objenc->setNode($element); if (!($objKey = $objenc->locateKey())) { throw new Exception("Unable to locate algorithm for this Encrypted Key"); } $objKey->isEncrypted = true; $objKey->encryptedCtx = $objenc; XMLSecEnc::staticLocateKeyInfo($objKey, $element); return $objKey; }
/** * Add an EncryptedAttribute Statement-node to the assertion. * * @param \DOMElement $root The assertion element we should add the Encrypted Attribute Statement to. */ private function addEncryptedAttributeStatement(\DOMElement $root) { if ($this->requiredEncAttributes == false) { return; } $document = $root->ownerDocument; $attributeStatement = $document->createElementNS(Constants::NS_SAML, 'saml:AttributeStatement'); $root->appendChild($attributeStatement); foreach ($this->attributes as $name => $values) { $document2 = DOMDocumentFactory::create(); $attribute = $document2->createElementNS(Constants::NS_SAML, 'saml:Attribute'); $attribute->setAttribute('Name', $name); $document2->appendChild($attribute); if ($this->nameFormat !== Constants::NAMEFORMAT_UNSPECIFIED) { $attribute->setAttribute('NameFormat', $this->nameFormat); } foreach ($values as $value) { if (is_string($value)) { $type = 'xs:string'; } elseif (is_int($value)) { $type = 'xs:integer'; } else { $type = null; } $attributeValue = $document2->createElementNS(Constants::NS_SAML, 'saml:AttributeValue'); $attribute->appendChild($attributeValue); if ($type !== null) { $attributeValue->setAttributeNS(Constants::NS_XSI, 'xsi:type', $type); } if ($value instanceof \DOMNodeList) { for ($i = 0; $i < $value->length; $i++) { $node = $document2->importNode($value->item($i), true); $attributeValue->appendChild($node); } } else { $attributeValue->appendChild($document2->createTextNode($value)); } } /*Once the attribute nodes are built, the are encrypted*/ $EncAssert = new XMLSecEnc(); $EncAssert->setNode($document2->documentElement); $EncAssert->type = 'http://www.w3.org/2001/04/xmlenc#Element'; /* * Attributes are encrypted with a session key and this one with * $EncryptionKey */ $symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES256_CBC); $symmetricKey->generateSessionKey(); $EncAssert->encryptKey($this->encryptionKey, $symmetricKey); $EncrNode = $EncAssert->encryptNode($symmetricKey); $EncAttribute = $document->createElementNS(Constants::NS_SAML, 'saml:EncryptedAttribute'); $attributeStatement->appendChild($EncAttribute); $n = $document->importNode($EncrNode, true); $EncAttribute->appendChild($n); } }
public function decryptSoapDoc($doc, $options) { $privKey = null; $privKey_isFile = false; $privKey_isCert = false; if (is_array($options)) { $privKey = !empty($options['keys']['private']['key']) ? $options['keys']['private']['key'] : null; $privKey_isFile = !empty($options['keys']['private']['isFile']) ? true : false; $privKey_isCert = !empty($options['keys']['private']['isCert']) ? true : false; } $objenc = new XMLSecEnc(); $xpath = new DOMXPath($doc); $envns = $doc->documentElement->namespaceURI; $xpath->registerNamespace('soapns', $envns); $xpath->registerNamespace('soapenc', 'http://www.w3.org/2001/04/xmlenc#'); $nodes = $xpath->query('/soapns:Envelope/soapns:Header/*[local-name()="Security"]/soapenc:EncryptedKey'); $references = array(); if ($node = $nodes->item(0)) { $objenc = new XMLSecEnc(); $objenc->setNode($node); if (!($objKey = $objenc->locateKey())) { throw new Exception('Unable to locate algorithm for this Encrypted Key'); } $objKey->isEncrypted = true; $objKey->encryptedCtx = $objenc; XMLSecEnc::staticLocateKeyInfo($objKey, $node); if ($objKey && $objKey->isEncrypted) { $objencKey = $objKey->encryptedCtx; $objKey->loadKey($privKey, $privKey_isFile, $privKey_isCert); $key = $objencKey->decryptKey($objKey); $objKey->loadKey($key); } $refnodes = $xpath->query('./soapenc:ReferenceList/soapenc:DataReference/@URI', $node); foreach ($refnodes as $reference) { $references[] = $reference->nodeValue; } } foreach ($references as $reference) { $arUrl = parse_url($reference); $reference = $arUrl['fragment']; $query = '//*[@Id="' . $reference . '"]'; $nodes = $xpath->query($query); $encData = $nodes->item(0); if ($algo = $xpath->evaluate('string(./soapenc:EncryptionMethod/@Algorithm)', $encData)) { $objKey = new XMLSecurityKey($algo); $objKey->loadKey($key); } $objenc->setNode($encData); $objenc->type = $encData->getAttribute('Type'); $decrypt = $objenc->decryptNode($objKey, true); } return true; }
/** * Decrypt an encrypted element. * * This is an internal helper function. * * @param \DOMElement $encryptedData The encrypted data. * @param XMLSecurityKey $inputKey The decryption key. * @param array &$blacklist Blacklisted decryption algorithms. * @return \DOMElement The decrypted element. * @throws \Exception */ private static function doDecryptElement(\DOMElement $encryptedData, XMLSecurityKey $inputKey, array &$blacklist) { $enc = new XMLSecEnc(); $enc->setNode($encryptedData); $enc->type = $encryptedData->getAttribute("Type"); $symmetricKey = $enc->locateKey($encryptedData); if (!$symmetricKey) { throw new \Exception('Could not locate key algorithm in encrypted data.'); } $symmetricKeyInfo = $enc->locateKeyInfo($symmetricKey); if (!$symmetricKeyInfo) { throw new \Exception('Could not locate <dsig:KeyInfo> for the encrypted key.'); } $inputKeyAlgo = $inputKey->getAlgorith(); if ($symmetricKeyInfo->isEncrypted) { $symKeyInfoAlgo = $symmetricKeyInfo->getAlgorith(); if (in_array($symKeyInfoAlgo, $blacklist, true)) { throw new \Exception('Algorithm disabled: ' . var_export($symKeyInfoAlgo, true)); } if ($symKeyInfoAlgo === XMLSecurityKey::RSA_OAEP_MGF1P && $inputKeyAlgo === XMLSecurityKey::RSA_1_5) { /* * The RSA key formats are equal, so loading an RSA_1_5 key * into an RSA_OAEP_MGF1P key can be done without problems. * We therefore pretend that the input key is an * RSA_OAEP_MGF1P key. */ $inputKeyAlgo = XMLSecurityKey::RSA_OAEP_MGF1P; } /* Make sure that the input key format is the same as the one used to encrypt the key. */ if ($inputKeyAlgo !== $symKeyInfoAlgo) { throw new \Exception('Algorithm mismatch between input key and key used to encrypt ' . ' the symmetric key for the message. Key was: ' . var_export($inputKeyAlgo, true) . '; message was: ' . var_export($symKeyInfoAlgo, true)); } /** @var XMLSecEnc $encKey */ $encKey = $symmetricKeyInfo->encryptedCtx; $symmetricKeyInfo->key = $inputKey->key; $keySize = $symmetricKey->getSymmetricKeySize(); if ($keySize === null) { /* To protect against "key oracle" attacks, we need to be able to create a * symmetric key, and for that we need to know the key size. */ throw new \Exception('Unknown key size for encryption algorithm: ' . var_export($symmetricKey->type, true)); } try { $key = $encKey->decryptKey($symmetricKeyInfo); if (strlen($key) != $keySize) { throw new \Exception('Unexpected key size (' . strlen($key) * 8 . 'bits) for encryption algorithm: ' . var_export($symmetricKey->type, true)); } } catch (\Exception $e) { /* We failed to decrypt this key. Log it, and substitute a "random" key. */ Utils::getContainer()->getLogger()->error('Failed to decrypt symmetric key: ' . $e->getMessage()); /* Create a replacement key, so that it looks like we fail in the same way as if the key was correctly padded. */ /* We base the symmetric key on the encrypted key and private key, so that we always behave the * same way for a given input key. */ $encryptedKey = $encKey->getCipherValue(); $pkey = openssl_pkey_get_details($symmetricKeyInfo->key); $pkey = sha1(serialize($pkey), true); $key = sha1($encryptedKey . $pkey, true); /* Make sure that the key has the correct length. */ if (strlen($key) > $keySize) { $key = substr($key, 0, $keySize); } elseif (strlen($key) < $keySize) { $key = str_pad($key, $keySize); } } $symmetricKey->loadkey($key); } else { $symKeyAlgo = $symmetricKey->getAlgorith(); /* Make sure that the input key has the correct format. */ if ($inputKeyAlgo !== $symKeyAlgo) { throw new \Exception('Algorithm mismatch between input key and key in message. ' . 'Key was: ' . var_export($inputKeyAlgo, true) . '; message was: ' . var_export($symKeyAlgo, true)); } $symmetricKey = $inputKey; } $algorithm = $symmetricKey->getAlgorith(); if (in_array($algorithm, $blacklist, true)) { throw new \Exception('Algorithm disabled: ' . var_export($algorithm, true)); } /** @var string $decrypted */ $decrypted = $enc->decryptNode($symmetricKey, false); /* * This is a workaround for the case where only a subset of the XML * tree was serialized for encryption. In that case, we may miss the * namespaces needed to parse the XML. */ $xml = '<root xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ' . 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' . $decrypted . '</root>'; try { $newDoc = DOMDocumentFactory::fromString($xml); } catch (RuntimeException $e) { throw new \Exception('Failed to parse decrypted XML. Maybe the wrong sharedkey was used?', 0, $e); } $decryptedElement = $newDoc->firstChild->firstChild; if ($decryptedElement === null) { throw new \Exception('Missing encrypted element.'); } if (!$decryptedElement instanceof \DOMElement) { throw new \Exception('Decrypted element was not actually a \\DOMElement.'); } return $decryptedElement; }
/** * Encrypt the NameID in the AuthnRequest. * * @param XMLSecurityKey $key The encryption key. */ public function encryptNameId(XMLSecurityKey $key) { /* First create a XML representation of the NameID. */ $doc = new \DOMDocument(); $root = $doc->createElement('root'); $doc->appendChild($root); Utils::addNameId($root, $this->nameId); $nameId = $root->firstChild; Utils::getContainer()->debugMessage($nameId, 'encrypt'); /* Encrypt the NameID. */ $enc = new XMLSecEnc(); $enc->setNode($nameId); // @codingStandardsIgnoreStart $enc->type = XMLSecEnc::Element; // @codingStandardsIgnoreEnd $symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES128_CBC); $symmetricKey->generateSessionKey(); $enc->encryptKey($key, $symmetricKey); $this->encryptedNameId = $enc->encryptNode($symmetricKey); $this->nameId = null; }
/** * Validate the receipt contained in the given XML element using the * certificate provided. * * @param DOMDocument $dom * @param resource $certificate * @return bool */ protected function validateXml(DOMDocument $dom, $certificate) { $secDsig = new XMLSecurityDSig(); // Locate the signature in the receipt XML. $dsig = $secDsig->locateSignature($dom); if ($dsig === null) { throw new RunTimeException('Cannot locate receipt signature'); } $secDsig->canonicalizeSignedInfo(); $secDsig->idKeys = array('wsu:Id'); $secDsig->idNS = array('wsu' => 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'); if (!$secDsig->validateReference()) { throw new RunTimeException('Reference validation failed'); } $key = $secDsig->locateKey(); if ($key === null) { throw new RunTimeException('Could not locate key in receipt'); } $keyInfo = XMLSecEnc::staticLocateKeyInfo($key, $dsig); if (!$keyInfo->key) { $key->loadKey($certificate); } return $secDsig->verify($key) == 1; }
public function processSignature($refNode) { $objXMLSecDSig = new XMLSecurityDSig(); $objXMLSecDSig->idKeys[] = 'wswsu:Id'; $objXMLSecDSig->idNS['wswsu'] = self::WSUNS; $objXMLSecDSig->sigNode = $refNode; /* Canonicalize the signed info */ $objXMLSecDSig->canonicalizeSignedInfo(); $retVal = $objXMLSecDSig->validateReference(); if (!$retVal) { throw new Exception('Validation Failed'); } $key = null; $objKey = $objXMLSecDSig->locateKey(); if ($objKey) { if ($objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $refNode)) { /* Handle any additional key processing such as encrypted keys here */ } } if (empty($objKey)) { throw new Exception('Error loading key to handle Signature'); } do { if (empty($objKey->key)) { $this->SOAPXPath->registerNamespace('xmlsecdsig', XMLSecurityDSig::XMLDSIGNS); $query = './xmlsecdsig:KeyInfo/wswsse:SecurityTokenReference/wswsse:Reference'; $nodeset = $this->SOAPXPath->query($query, $refNode); if ($encmeth = $nodeset->item(0)) { if ($uri = $encmeth->getAttribute('URI')) { $arUrl = parse_url($uri); if (empty($arUrl['path']) && ($identifier = $arUrl['fragment'])) { $query = '//wswsse:BinarySecurityToken[@wswsu:Id="' . $identifier . '"]'; $nodeset = $this->SOAPXPath->query($query); if ($encmeth = $nodeset->item(0)) { $x509cert = $encmeth->textContent; $x509cert = str_replace(array("\r", "\n"), '', $x509cert); $x509cert = "-----BEGIN CERTIFICATE-----\n" . chunk_split($x509cert, 64, "\n") . "-----END CERTIFICATE-----\n"; $objKey->loadKey($x509cert); break; } } } } throw new Exception('Error loading key to handle Signature'); } } while (0); if (!$objXMLSecDSig->verify($objKey)) { throw new Exception('Unable to validate Signature'); } return true; }