checkSign() public static method

Check the signature on a SAML2 message or assertion.
public static checkSign ( SimpleSAML_Configuration $srcMetadata, SAML2\SignedElement $element )
$srcMetadata SimpleSAML_Configuration The metadata of the sender.
$element SAML2\SignedElement Either a \SAML2\Response or a \SAML2\Assertion.
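 /**
  * Authenticate the sender of the attribute query.
  *
  * Two independent mechanisms are accepted: the TLS client certificate
  * presented on the HTTP connection (the web server's SSL_CLIENT_* variables),
  * compared by SHA-1 fingerprint against the requestor's metadata, and the
  * XML signature on the AttributeQuery itself, verified with
  * sspmod_saml_Message::checkSign() against the same metadata. Either one
  * succeeding authenticates the client; a certificate or a signature that is
  * present but does not verify is fatal.
  *
  * Reads $this->spMetadata and $this->query. When neither mechanism is
  * available the method sends a 401 response and terminates the script.
  *
  * @throws SimpleSAML_Error_Exception On an unusable or non-matching client certificate,
  *                                    missing requestor key material, or a bad signature.
  */
 private function authenticate()
 {
     $client_is_authenticated = false;

     /* Authenticate the requestor by verifying the TLS certificate used for the HTTP query */
     if (array_key_exists('SSL_CLIENT_VERIFY', $_SERVER)) {
         SimpleSAML_Logger::debug('[aa] Request was made using the following certificate: ' . var_export($_SERVER['SSL_CLIENT_VERIFY'], true));
     }
     if (array_key_exists('SSL_CLIENT_VERIFY', $_SERVER) && $_SERVER['SSL_CLIENT_VERIFY'] && $_SERVER['SSL_CLIENT_VERIFY'] !== 'NONE') {
         /* The web server verified a client certificate; it must also match the requestor's metadata */
         if (!isset($_SERVER['SSL_CLIENT_CERT']) || $_SERVER['SSL_CLIENT_CERT'] === '') {
             throw new SimpleSAML_Error_Exception('[aa] Can not calculate certificate fingerprint from the request.');
         }

         /* Strip the PEM armour; the fingerprint is taken over the DER bytes */
         $clientCertData = trim(preg_replace('/--.* CERTIFICATE-+-/', '', $_SERVER['SSL_CLIENT_CERT']));
         /* Strict decoding: without it base64_decode() silently drops bad characters and
          * sha1() always yields a non-empty string, so the original "!$fingerprint" check could never fire */
         $clientCertDer = base64_decode($clientCertData, true);
         if ($clientCertDer === false || $clientCertDer === '') {
             throw new SimpleSAML_Error_Exception('[aa] Can not calculate certificate fingerprint from the request.');
         }
         $clientCertFingerprint = strtolower(sha1($clientCertDer));

         $spCertArray = SimpleSAML_Utilities::loadPublicKey($this->spMetadata);
         if (!$spCertArray) {
             throw new SimpleSAML_Error_Exception('[aa] Can not find the public key of the requestor in the metadata!');
         }
         /* loadPublicKey() may return key material without a 'certFingerprint' entry; treat that as no match */
         $knownFingerprints = isset($spCertArray['certFingerprint']) && is_array($spCertArray['certFingerprint'])
             ? $spCertArray['certFingerprint']
             : array();

         foreach ($knownFingerprints as $fingerprint) {
             if (!is_string($fingerprint) || $fingerprint === '') {
                 continue;
             }
             /* Strict comparison: with == two hex digests of the form "0e123..." compare equal as floats.
              * Case-folded because the fingerprints are hex and the client side is lower-cased above. */
             if (strtolower($fingerprint) === $clientCertFingerprint) {
                 $client_is_authenticated = true;
                 SimpleSAML_Logger::debug('[aa] SSL certificate is checked and valid.');
                 break;
             }
         }

         /* Reject the request if the TLS certificate used for the request does not match metadata */
         if (!$client_is_authenticated) {
             throw new SimpleSAML_Error_Exception('[aa] SSL certificate check failed.');
         }
     } else {
         /* The request may be signed, so this is not fatal */
         SimpleSAML_Logger::debug('[aa] SSL client certificate does not exist.');
     }

     /* Authenticate the requestor by verifying the XML signature on the query */
     $certs_of_query = $this->query->getCertificates();
     if (count($certs_of_query) > 0) {
         if (sspmod_saml_Message::checkSign($this->spMetadata, $this->query)) {
             $client_is_authenticated = true;
             SimpleSAML_Logger::debug('[aa] AttributeQuery signature is checked and valid.');
         } else {
             /* An invalid or unverifiable signature is fatal */
             throw new SimpleSAML_Error_Exception('[aa] The signature of the AttributeQuery is wrong!');
         }
     } else {
         /* The request may be protected by HTTP TLS (X.509) authentication, so this is not fatal */
         SimpleSAML_Logger::debug('[aa] AttributeQuery has no signature.');
     }

     if (!$client_is_authenticated) {
         /* Neither mechanism was offered at all: answer the client and stop here */
         SimpleSAML_Logger::info('[aa] Attribute query was not authenticated. Drop.');
         header('HTTP/1.1 401 Unauthorized');
         header('WWW-Authenticate: None', false);
         echo 'Not authenticated. Neither query signature nor SSL client certificate was available.';
         exit;
     }
     SimpleSAML_Logger::debug('[aa] Attribute query was authenticated.');
 }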
 /**
  * Check a SOAP AuthnRequest.
  *
  * The request must carry an XML signature that checkSign() accepts for the
  * SP; the HTTP Basic credentials sent with the SOAP request are then copied
  * into the state array for the authentication source to use.
  *
  * @param SimpleSAML_Configuration $idpMetadata  The metadata for the IdP.
  * @param SimpleSAML_Configuration $spMetadata  The metadata for the SP.
  * @param SAML2_AuthnRequest $request  The authentication request to check.
  * @param array &$state  The state array; receives 'saml:Binding' and the 'core:auth:*' credentials.
  *
  * @throws SimpleSAML_Error_Exception If the request does not carry an acceptable signature.
  * @throws SimpleSAML_Error_Error If no HTTP Basic credentials were supplied.
  */
 private static function processSOAPAuthnRequest(SimpleSAML_Configuration $idpMetadata, SimpleSAML_Configuration $spMetadata, SAML2_AuthnRequest $request, array &$state)
 {
     // The response goes back over the same SOAP channel.
     $state['saml:Binding'] = SAML2_Const::BINDING_SOAP;

     $signatureAccepted = sspmod_saml_Message::checkSign($spMetadata, $request);
     if (!$signatureAccepted) {
         throw new SimpleSAML_Error_Exception('SOAP authentication request not signed.');
     }

     // Both parts of the HTTP Basic credential pair are required.
     $haveCredentials = isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']);
     if (!$haveCredentials) {
         SimpleSAML_Logger::debug('SOAP auth without authentication data.');
         throw new SimpleSAML_Error_Error('ECP_AUTH_FAILURE');
     }

     $state['core:auth:username'] = $_SERVER['PHP_AUTH_USER'];
     $state['core:auth:password'] = $_SERVER['PHP_AUTH_PW'];
 }