Пример #1
0
 /**
  * Send an authenticationResponse using HTTP-POST.
  *
  * @param string                   $response The response which should be sent.
  * @param SimpleSAML_Configuration $idpmd The metadata of the IdP which is sending the response.
  * @param SimpleSAML_Configuration $spmd The metadata of the SP which is receiving the response.
  * @param string|null              $relayState The relaystate for the SP.
  * @param string                   $shire The shire which should receive the response.
  */
 public function sendResponse($response, SimpleSAML_Configuration $idpmd, SimpleSAML_Configuration $spmd, $relayState, $shire)
 {
     \SimpleSAML\Utils\XML::checkSAMLMessage($response, 'saml11');
     $privatekey = SimpleSAML\Utils\Crypto::loadPrivateKey($idpmd, true);
     $publickey = SimpleSAML\Utils\Crypto::loadPublicKey($idpmd, true);
     $responsedom = new DOMDocument();
     $responsedom->loadXML(str_replace("\r", "", $response));
     $responseroot = $responsedom->getElementsByTagName('Response')->item(0);
     $firstassertionroot = $responsedom->getElementsByTagName('Assertion')->item(0);
     /* Determine what we should sign - either the Response element or the Assertion. The default is to sign the
      * Assertion, but that can be overridden by the 'signresponse' option in the SP metadata or
      * 'saml20.signresponse' in the global configuration.
      *
      * TODO: neither 'signresponse' nor 'shib13.signresponse' are valid options any longer. Remove!
      */
     if ($spmd->hasValue('signresponse')) {
         $signResponse = $spmd->getBoolean('signresponse');
     } else {
         $signResponse = $this->configuration->getBoolean('shib13.signresponse', true);
     }
     // check if we have an assertion to sign. Force to sign the response if not
     if ($firstassertionroot === null) {
         $signResponse = true;
     }
     $signer = new SimpleSAML_XML_Signer(array('privatekey_array' => $privatekey, 'publickey_array' => $publickey, 'id' => $signResponse ? 'ResponseID' : 'AssertionID'));
     if ($idpmd->hasValue('certificatechain')) {
         $signer->addCertificate($idpmd->getString('certificatechain'));
     }
     if ($signResponse) {
         // sign the response - this must be done after encrypting the assertion
         // we insert the signature before the saml2p:Status element
         $statusElements = SimpleSAML\Utils\XML::getDOMChildren($responseroot, 'Status', '@saml1p');
         assert('count($statusElements) === 1');
         $signer->sign($responseroot, $responseroot, $statusElements[0]);
     } else {
         /* Sign the assertion */
         $signer->sign($firstassertionroot, $firstassertionroot);
     }
     $response = $responsedom->saveXML();
     \SimpleSAML\Utils\XML::debugSAMLMessage($response, 'out');
     \SimpleSAML\Utils\HTTP::submitPOSTData($shire, array('TARGET' => $relayState, 'SAMLResponse' => base64_encode($response)));
 }
Пример #2
0
 /**
  * Add signature key and sender certificate to an element (Message or Assertion).
  *
  * @param SimpleSAML_Configuration $srcMetadata  The metadata of the sender.
  * @param SimpleSAML_Configuration $dstMetadata  The metadata of the recipient.
  * @param \SAML2\Message $element  The element we should add the data to.
  */
 public static function addSign(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, \SAML2\SignedElement $element)
 {
     $dstPrivateKey = $dstMetadata->getString('signature.privatekey', NULL);
     if ($dstPrivateKey !== NULL) {
         $keyArray = SimpleSAML\Utils\Crypto::loadPrivateKey($dstMetadata, TRUE, 'signature.');
         $certArray = SimpleSAML\Utils\Crypto::loadPublicKey($dstMetadata, FALSE, 'signature.');
     } else {
         $keyArray = SimpleSAML\Utils\Crypto::loadPrivateKey($srcMetadata, TRUE);
         $certArray = SimpleSAML\Utils\Crypto::loadPublicKey($srcMetadata, FALSE);
     }
     $algo = $dstMetadata->getString('signature.algorithm', NULL);
     if ($algo === NULL) {
         /*
          * In the NIST Special Publication 800-131A, SHA-1 became deprecated for generating
          * new digital signatures in 2011, and will be explicitly disallowed starting the 1st
          * of January, 2014. We'll keep this as a default for the next release and mark it
          * as deprecated, as part of the transition to SHA-256.
          *
          * See http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf for more info.
          *
          * TODO: change default to XMLSecurityKey::RSA_SHA256.
          */
         $algo = $srcMetadata->getString('signature.algorithm', XMLSecurityKey::RSA_SHA1);
     }
     $privateKey = new XMLSecurityKey($algo, array('type' => 'private'));
     if (array_key_exists('password', $keyArray)) {
         $privateKey->passphrase = $keyArray['password'];
     }
     $privateKey->loadKey($keyArray['PEM'], FALSE);
     $element->setSignatureKey($privateKey);
     if ($certArray === NULL) {
         // We don't have a certificate to add
         return;
     }
     if (!array_key_exists('PEM', $certArray)) {
         // We have a public key with only a fingerprint.
         return;
     }
     $element->setCertificates(array($certArray['PEM']));
 }
Пример #3
0
<?php

// Load SimpleSAMLphp, configuration and metadata
$config = SimpleSAML_Configuration::getInstance();
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
if (!$config->getBoolean('enable.saml20-idp', false)) {
    throw new SimpleSAML_Error_Error('NOACCESS');
}
// Check if valid local session exists..
if ($config->getBoolean('admin.protectmetadata', false)) {
    SimpleSAML\Utils\Auth::requireAdmin();
}
$idpentityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
$idpmeta = $metadata->getMetaDataConfig($idpentityid, 'saml20-idp-hosted');
switch ($_SERVER['PATH_INFO']) {
    case '/new_idp.crt':
        $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, FALSE, 'new_');
        break;
    case '/idp.crt':
        $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, TRUE);
        break;
    case '/https.crt':
        $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, TRUE, 'https.');
        break;
    default:
        throw new SimpleSAML_Error_NotFound('Unknown certificate.');
}
header('Content-Disposition: attachment; filename=' . substr($_SERVER['PATH_INFO'], 1));
header('Content-Type: application/x-x509-ca-cert');
echo $certInfo['PEM'];
exit(0);
Пример #4
0
 $idpmeta = $metadata->getMetaDataConfig($idpentityid, 'adfs-idp-hosted');
 $availableCerts = array();
 $keys = array();
 $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, false, 'new_');
 if ($certInfo !== null) {
     $availableCerts['new_idp.crt'] = $certInfo;
     $keys[] = array('type' => 'X509Certificate', 'signing' => true, 'encryption' => true, 'X509Certificate' => $certInfo['certData']);
     $hasNewCert = true;
 } else {
     $hasNewCert = false;
 }
 $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, true);
 $availableCerts['idp.crt'] = $certInfo;
 $keys[] = array('type' => 'X509Certificate', 'signing' => true, 'encryption' => $hasNewCert ? false : true, 'X509Certificate' => $certInfo['certData']);
 if ($idpmeta->hasValue('https.certificate')) {
     $httpsCert = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, true, 'https.');
     assert('isset($httpsCert["certData"])');
     $availableCerts['https.crt'] = $httpsCert;
     $keys[] = array('type' => 'X509Certificate', 'signing' => true, 'encryption' => false, 'X509Certificate' => $httpsCert['certData']);
 }
 $adfs_service_location = SimpleSAML\Module::getModuleURL('adfs') . '/idp/prp.php';
 $metaArray = array('metadata-set' => 'adfs-idp-remote', 'entityid' => $idpentityid, 'SingleSignOnService' => array(0 => array('Binding' => \SAML2\Constants::BINDING_HTTP_REDIRECT, 'Location' => $adfs_service_location)), 'SingleLogoutService' => array(0 => array('Binding' => \SAML2\Constants::BINDING_HTTP_REDIRECT, 'Location' => $adfs_service_location)));
 if (count($keys) === 1) {
     $metaArray['certData'] = $keys[0]['X509Certificate'];
 } else {
     $metaArray['keys'] = $keys;
 }
 $metaArray['NameIDFormat'] = $idpmeta->getString('NameIDFormat', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient');
 if ($idpmeta->hasValue('OrganizationName')) {
     $metaArray['OrganizationName'] = $idpmeta->getLocalizedString('OrganizationName');
     $metaArray['OrganizationDisplayName'] = $idpmeta->getLocalizedString('OrganizationDisplayName', $metaArray['OrganizationName']);
Пример #5
0
if (!$config->getBoolean('enable.shib13-idp', false)) {
    throw new SimpleSAML_Error_Error('NOACCESS');
}
// check if valid local session exists
if ($config->getBoolean('admin.protectmetadata', false)) {
    SimpleSAML\Utils\Auth::requireAdmin();
}
try {
    $idpentityid = isset($_GET['idpentityid']) ? $_GET['idpentityid'] : $metadata->getMetaDataCurrentEntityID('shib13-idp-hosted');
    $idpmeta = $metadata->getMetaDataConfig($idpentityid, 'shib13-idp-hosted');
    $keys = array();
    $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, false, 'new_');
    if ($certInfo !== null) {
        $keys[] = array('type' => 'X509Certificate', 'signing' => true, 'encryption' => false, 'X509Certificate' => $certInfo['certData']);
    }
    $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, true);
    $keys[] = array('type' => 'X509Certificate', 'signing' => true, 'encryption' => false, 'X509Certificate' => $certInfo['certData']);
    $metaArray = array('metadata-set' => 'shib13-idp-remote', 'entityid' => $idpentityid, 'SingleSignOnService' => $metadata->getGenerated('SingleSignOnService', 'shib13-idp-hosted'));
    if (count($keys) === 1) {
        $metaArray['certData'] = $keys[0]['X509Certificate'];
    } else {
        $metaArray['keys'] = $keys;
    }
    $metaArray['NameIDFormat'] = $idpmeta->getString('NameIDFormat', 'urn:mace:shibboleth:1.0:nameIdentifier');
    if ($idpmeta->hasValue('OrganizationName')) {
        $metaArray['OrganizationName'] = $idpmeta->getLocalizedString('OrganizationName');
        $metaArray['OrganizationDisplayName'] = $idpmeta->getLocalizedString('OrganizationDisplayName', $metaArray['OrganizationName']);
        if (!$idpmeta->hasValue('OrganizationURL')) {
            throw new SimpleSAML_Error_Exception('If OrganizationName is set, OrganizationURL must also be set.');
        }
        $metaArray['OrganizationURL'] = $idpmeta->getLocalizedString('OrganizationURL');
Пример #6
0
 /**
  * @deprecated This method will be removed in SSP 2.0. Please use SimpleSAML\Utils\Crypto::loadPublicKey() instead.
  */
 public static function loadPublicKey(SimpleSAML_Configuration $metadata, $required = FALSE, $prefix = '')
 {
     return SimpleSAML\Utils\Crypto::loadPublicKey($metadata, $required, $prefix);
 }
Пример #7
0
            break;
    }
    $eps[] = $acsArray;
    $index++;
}
$metaArray20['AssertionConsumerService'] = $eps;
$keys = array();
$certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($spconfig, FALSE, 'new_');
if ($certInfo !== NULL && array_key_exists('certData', $certInfo)) {
    $hasNewCert = TRUE;
    $certData = $certInfo['certData'];
    $keys[] = array('type' => 'X509Certificate', 'signing' => TRUE, 'encryption' => TRUE, 'X509Certificate' => $certInfo['certData']);
} else {
    $hasNewCert = FALSE;
}
$certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($spconfig);
if ($certInfo !== NULL && array_key_exists('certData', $certInfo)) {
    $certData = $certInfo['certData'];
    $keys[] = array('type' => 'X509Certificate', 'signing' => TRUE, 'encryption' => $hasNewCert ? FALSE : TRUE, 'X509Certificate' => $certInfo['certData']);
} else {
    $certData = NULL;
}
$format = $spconfig->getString('NameIDPolicy', NULL);
if ($format !== NULL) {
    $metaArray20['NameIDFormat'] = $format;
}
$name = $spconfig->getLocalizedString('name', NULL);
$attributes = $spconfig->getArray('attributes', array());
if ($name !== NULL && !empty($attributes)) {
    $metaArray20['name'] = $name;
    $metaArray20['attributes'] = $attributes;