/** * @param ProfileContext $context */ protected function doExecute(ProfileContext $context) { $response = MessageContextHelper::asResponse($context->getInboundContext()); if (count($response->getAllEncryptedAssertions()) === 0) { $this->logger->debug('Response has no encrypted assertions', LogHelper::getActionContext($context, $this)); return; } $ownEntityDescriptor = $context->getOwnEntityDescriptor(); $query = $this->credentialResolver->query(); $query->add(new EntityIdCriteria($ownEntityDescriptor->getEntityID()))->add(new MetadataCriteria(ProfileContext::ROLE_IDP === $context->getOwnRole() ? MetadataCriteria::TYPE_IDP : MetadataCriteria::TYPE_SP, SamlConstants::PROTOCOL_SAML2))->add(new UsageCriteria(UsageType::ENCRYPTION)); $query->resolve(); $privateKeys = $query->getPrivateKeys(); if (empty($privateKeys)) { $message = 'No credentials resolved for assertion decryption'; $this->logger->emergency($message, LogHelper::getActionErrorContext($context, $this)); throw new LightSamlContextException($context, $message); } $this->logger->info('Trusted decryption candidates', LogHelper::getActionContext($context, $this, array('credentials' => array_map(function (CredentialInterface $credential) { return sprintf("Entity: '%s'; PK X509 Thumb: '%s'", $credential->getEntityId(), $credential->getPublicKey() ? $credential->getPublicKey()->getX509Thumbprint() : ''); }, $privateKeys)))); foreach ($response->getAllEncryptedAssertions() as $index => $encryptedAssertion) { if ($encryptedAssertion instanceof EncryptedAssertionReader) { $name = sprintf('assertion_encrypted_%s', $index); /** @var DeserializationContext $deserializationContext */ $deserializationContext = $context->getInboundContext()->getSubContext($name, DeserializationContext::class); $assertion = $encryptedAssertion->decryptMultiAssertion($privateKeys, $deserializationContext); $response->addAssertion($assertion); $this->logger->info('Assertion decrypted', LogHelper::getActionContext($context, $this, array('assertion' => $deserializationContext->getDocument()->saveXML()))); } } }
/** * @param AssertionContext $context * * @return void */ protected function doExecute(AssertionContext $context) { $profileContext = $context->getProfileContext(); $trustOptions = $profileContext->getTrustOptions(); if (false === $trustOptions->getEncryptAssertions()) { return; } if (null == ($assertion = $context->getAssertion())) { throw new LightSamlContextException($context, 'Assertion for encryption is not set'); } $context->setAssertion(null); $query = $this->credentialResolver->query(); $query->add(new EntityIdCriteria($profileContext->getPartyEntityDescriptor()->getEntityID()))->add(new MetadataCriteria(ProfileContext::ROLE_IDP === $profileContext->getOwnRole() ? MetadataCriteria::TYPE_SP : MetadataCriteria::TYPE_IDP, SamlConstants::PROTOCOL_SAML2))->add(new UsageCriteria(UsageType::ENCRYPTION)); $query->resolve(); /** @var CredentialInterface $credential */ $credential = $query->firstCredential(); if (null == $credential) { throw new LightSamlContextException($context, 'Unable to resolve encrypting credential'); } if (null == $credential->getPublicKey()) { throw new LightSamlContextException($context, 'Credential resolved for assertion encryption does not have a public key'); } $encryptedAssertionWriter = new EncryptedAssertionWriter($trustOptions->getBlockEncryptionAlgorithm(), $trustOptions->getKeyTransportEncryptionAlgorithm()); $encryptedAssertionWriter->encrypt($assertion, $credential->getPublicKey()); $context->setEncryptedAssertion($encryptedAssertionWriter); }
/** * @param AbstractSignatureReader $signature * @param string $issuer * @param string $metadataType * * @return CredentialInterface|null */ public function validate(AbstractSignatureReader $signature, $issuer, $metadataType) { $query = $this->credentialResolver->query(); $query->add(new EntityIdCriteria($issuer))->add(new MetadataCriteria($metadataType, SamlConstants::VERSION_20))->add(new UsageCriteria(UsageType::SIGNING)); $query->resolve(); $credentialCandidates = $query->allCredentials(); if (empty($credentialCandidates)) { throw new LightSamlSecurityException('No credentials resolved for signature verification'); } $credential = $signature->validateMulti($credentialCandidates); return $credential; }
/** * @param AbstractProfileContext $context * * @return X509CredentialInterface|null */ private function getSigningCredential(AbstractProfileContext $context) { $profileContext = $context->getProfileContext(); $entityDescriptor = $profileContext->getOwnEntityDescriptor(); $query = $this->credentialResolver->query(); $query->add(new EntityIdCriteria($entityDescriptor->getEntityID()))->add(new UsageCriteria(UsageType::SIGNING))->add(new X509CredentialCriteria())->addIf(ProfileContext::ROLE_IDP === $profileContext->getOwnRole(), function () { return new MetadataCriteria(MetadataCriteria::TYPE_IDP, SamlConstants::VERSION_20); })->addIf(ProfileContext::ROLE_SP === $profileContext->getOwnRole(), function () { return new MetadataCriteria(MetadataCriteria::TYPE_SP, SamlConstants::VERSION_20); }); $query->resolve(); $result = $query->firstCredential(); if ($result && false === $result instanceof X509CredentialInterface) { throw new \LogicException(sprintf('Expected X509CredentialInterface but got %s', get_class($result))); } return $result; }
/** * @return CredentialResolverQuery */ public function resolve() { $this->arrCredentials = $this->resolver->resolve($this); return $this; }