/**
 * Attach the sender's signing key (and, when available, its certificate) to a
 * signable element such as a Message or an Assertion.
 *
 * The signature algorithm is resolved in this order: the recipient's
 * 'signature.algorithm' metadata option, then the sender's, and finally the
 * built-in fallback RSA-SHA1.
 *
 * @param SimpleSAML_Configuration $srcMetadata The metadata of the sender.
 * @param SimpleSAML_Configuration $dstMetadata The metadata of the recipient.
 * @param SAML2_SignedElement $element The element that receives the key and certificate.
 */
public static function addSign(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, SAML2_SignedElement $element) {
    $signingKeyData = SimpleSAML_Utilities::loadPrivateKey($srcMetadata, TRUE);
    $signingCertData = SimpleSAML_Utilities::loadPublicKey($srcMetadata, FALSE);

    /*
     * Recipient preference wins, then sender preference. The last-resort default is
     * still RSA-SHA1: NIST SP 800-131A deprecated SHA-1 for generating new digital
     * signatures in 2011 and disallows it from 1 January 2014. It is kept for one more
     * release, marked deprecated, as part of the transition to SHA-256.
     *
     * See http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf for more info.
     *
     * TODO: change default to XMLSecurityKey::RSA_SHA256.
     */
    $algorithm = $dstMetadata->getString('signature.algorithm', NULL);
    if (is_null($algorithm)) {
        $algorithm = $srcMetadata->getString('signature.algorithm', XMLSecurityKey::RSA_SHA1);
    }

    $signingKey = new XMLSecurityKey($algorithm, array('type' => 'private'));
    /* The private key may be encrypted; the passphrase, if any, travels with the key data. */
    if (array_key_exists('password', $signingKeyData)) {
        $signingKey->passphrase = $signingKeyData['password'];
    }
    $signingKey->loadKey($signingKeyData['PEM'], FALSE);
    $element->setSignatureKey($signingKey);

    /*
     * Only a PEM-encoded certificate can be embedded. No certificate at all, or a
     * public key known only by its fingerprint, leaves the element without one.
     */
    $hasPemCertificate = ($signingCertData !== NULL) && array_key_exists('PEM', $signingCertData);
    if ($hasPemCertificate) {
        $element->setCertificates(array($signingCertData['PEM']));
    }
}
/**
 * Attach the sender's signing key (and, when available, its certificate) to a
 * signable element such as a Message or an Assertion.
 *
 * The signature algorithm is fixed to RSA-SHA1 here. Note that NIST SP 800-131A
 * deprecates SHA-1 for generating new digital signatures, so this is a weak default.
 *
 * @param SimpleSAML_Configuration $srcMetadata The metadata of the sender.
 * @param SimpleSAML_Configuration $dstMetadata The metadata of the recipient.
 * @param SAML2_SignedElement $element The element that receives the key and certificate.
 */
public static function addSign(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, SAML2_SignedElement $element) {
    $signingKeyData = SimpleSAML_Utilities::loadPrivateKey($srcMetadata, TRUE);
    $signingCertData = SimpleSAML_Utilities::loadPublicKey($srcMetadata, FALSE);

    $signingKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
    /* The private key may be encrypted; the passphrase, if any, travels with the key data. */
    if (array_key_exists('password', $signingKeyData)) {
        $signingKey->passphrase = $signingKeyData['password'];
    }
    $signingKey->loadKey($signingKeyData['PEM'], FALSE);
    $element->setSignatureKey($signingKey);

    /*
     * Only a PEM-encoded certificate can be embedded. No certificate at all, or a
     * public key known only by its fingerprint, leaves the element without one.
     */
    $hasPemCertificate = ($signingCertData !== NULL) && array_key_exists('PEM', $signingCertData);
    if ($hasPemCertificate) {
        $element->setCertificates(array($signingCertData['PEM']));
    }
}
/**
 * Sign the generated EntitiesDescriptor with the configured signing key.
 *
 * Does nothing when no signing key ($this->signKey) is configured. The signing
 * certificate ($this->signCert) is embedded only when one is set. The algorithm is
 * fixed to RSA-SHA1, which NIST SP 800-131A deprecates for new digital signatures.
 *
 * @param SAML2_SignedElement $element The element to sign.
 */
protected function addSignature(SAML2_SignedElement $element) {
    $keyPem = $this->signKey;
    if (is_null($keyPem)) {
        return;
    }

    $signingKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
    $passphrase = $this->signKeyPass;
    if (!is_null($passphrase)) {
        $signingKey->passphrase = $passphrase;
    }
    $signingKey->loadKey($keyPem, FALSE);
    $element->setSignatureKey($signingKey);

    $certificatePem = $this->signCert;
    if (!is_null($certificatePem)) {
        $element->setCertificates(array($certificatePem));
    }
}