public function test__signed_serialize_deserialize()
{
$certificate = new X509Certificate();
$certificate->loadFromFile(__DIR__ . '/../../../../../../web/sp/saml.crt');
$privateKey = KeyHelper::createPrivateKey(__DIR__ . '/../../../../../../web/sp/saml.key', null, true);
$authnRequest = new AuthnRequest();
$authnRequest->setID('_894da3368874d2dd637983b6812f66c444f100f205');
$authnRequest->setIssueInstant('2015-09-13T11:47:33Z');
$authnRequest->setDestination('https://idp.testshib.org/idp/profile/SAML2/POST/SSO');
$authnRequest->setIssuer((new Issuer())->setValue('https://mt.evo.loc/sp')->setFormat('urn:oasis:names:tc:SAML:2.0:nameid-format:entity'));
$authnRequest->setSignature(new SignatureWriter($certificate, $privateKey));
$serializationContext = new SerializationContext();
$authnRequest->serialize($serializationContext->getDocument(), $serializationContext);
$temporaryFilename = tempnam(sys_get_temp_dir(), 'lightsaml-');
$serializationContext->getDocument()->save($temporaryFilename);
$xml = file_get_contents($temporaryFilename);
$deserializationContext = new DeserializationContext();
$deserializationContext->getDocument()->loadXML($xml);
$authnRequest = new AuthnRequest();
$authnRequest->deserialize($deserializationContext->getDocument()->firstChild, $deserializationContext);
$signatureReader = $authnRequest->getSignature();
if ($signatureReader instanceof SignatureXmlReader) {
$certificate = new X509Certificate();
$certificate->loadFromFile(__DIR__ . '/../../../../../../web/sp/saml.crt');
$key = KeyHelper::createPublicKey($certificate);
$ok = $signatureReader->validate($key);
$this->assertTrue($ok);
} else {
throw new \LogicException('Expected Signature Xml Reader');
}
}
public function test_signs_message_when_signing_enabled()
{
$action = new SignMessageAction($loggerMock = TestHelper::getLoggerMock($this), $signatureResolverMock = TestHelper::getSignatureResolverMock($this));
$context = TestHelper::getProfileContext();
$context->getPartyEntityContext()->setTrustOptions(new TrustOptions());
$context->getTrustOptions()->setSignAuthnRequest(true);
$context->getOutboundContext()->setMessage($message = new AuthnRequest());
$signature = new SignatureWriter($certificateMock = TestHelper::getX509CertificateMock($this));
$certificateMock->expects($this->any())->method('getInfo')->willReturn($expectedInfo = ['a' => 1]);
$certificateMock->expects($this->any())->method('getFingerprint')->willReturn($expectedFingerprint = '123123123');
$signatureResolverMock->expects($this->once())->method('getSignature')->with($context)->willReturn($signature);
$loggerMock->expects($this->once())->method('debug')->with('Message signed with fingerprint "123123123"', $this->isType('array'));
$action->execute($context);
$this->assertSame($signature, $message->getSignature());
}
/**
* @param AuthnRequest $message
* @throws Exception
*/
private function validateSignature(AuthnRequest $message)
{
$key = KeyHelper::createPublicKey(X509Certificate::fromFile($this->saml_crt));
/** @var SignatureStringReader $signature_reader */
$signature_reader = $message->getSignature();
try {
if ($signature_reader->validate($key)) {
return;
}
throw new Exception('Signature not validated');
} catch (Exception $e) {
if ($this->logger) {
$this->logger->error("AuthnRequest validation failed with message {$e->getMessage()}.", ['exception' => $e]);
}
throw $e;
}
}
