public function testEncryptedNameId()
{
$logoutRequest = new SAML2_LogoutRequest();
$logoutRequest->setNameID(array('Value' => 'NameIDValue'));
$logoutRequest->encryptNameId(SAML2_CertificatesMock::getPublicKey());
$logoutRequestElement = $logoutRequest->toUnsignedXML();
$this->assertCount(1, SAML2_Utils::xpQuery($logoutRequestElement, './saml_assertion:EncryptedID/xenc:EncryptedData'));
}
/**
* Test that signatures no longer validate if the value has been tampered with.
*/
public function testValidateWithValueTampering()
{
// Test modification of SignatureValue.
$signedMockElementCopy = SAML2_Utils::copyElement($this->signedMockElement);
$signedMockElementCopy->ownerDocument->appendChild($signedMockElementCopy);
$digestValueElements = SAML2_Utils::xpQuery($signedMockElementCopy, '/root/ds:Signature/ds:SignatureValue');
$this->assertCount(1, $digestValueElements);
$digestValueElements[0]->firstChild->data = 'invalid';
$tmp = new SAML2_SignedElementHelperMock($signedMockElementCopy);
$this->setExpectedException('Exception', 'Unable to validate Signature');
$tmp->validate(SAML2_CertificatesMock::getPublicKey());
}
/**
* Due to the fact that the symmetric key is generated each time, we cannot test whether or not the resulting XML
* matches a specific XML, but we can test whether or not the resulting structure is actually correct, conveying
* all information required to decrypt the NameId.
*/
public function testThatAnEncryptedNameIdResultsInTheCorrectXmlStructure()
{
// the NameID we're going to encrypt
$nameId = array('Value' => md5('Arthur Dent'), 'Format' => SAML2_Const::NAMEID_ENCRYPTED);
// basic AuthnRequest
$request = new SAML2_AuthnRequest();
$request->setIssuer('https://gateway.stepup.org/saml20/sp/metadata');
$request->setDestination('https://tiqr.stepup.org/idp/profile/saml2/Redirect/SSO');
$request->setNameId($nameId);
// encrypt the NameID
$key = SAML2_CertificatesMock::getPublicKey();
$request->encryptNameId($key);
$expectedStructureDocument = new DOMDocument();
$expectedStructureDocument->loadXML(<<<AUTHNREQUEST
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID=""
Version=""
IssueInstant=""
Destination="">
<saml:Issuer></saml:Issuer>
<saml:Subject>
<saml:EncryptedID xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey>
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<xenc:CipherData>
<xenc:CipherValue></xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</dsig:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue></xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml:EncryptedID>
</saml:Subject>
</samlp:AuthnRequest>
AUTHNREQUEST
);
$expectedStructure = $expectedStructureDocument->documentElement;
$requestStructure = $request->toUnsignedXML();
$this->assertEqualXMLStructure($expectedStructure, $requestStructure);
}
