/**
* Set the assertion.
*
* @param SAML2_Assertion $assertion The assertion.
* @param XMLSecurityKey $key The key we should use to encrypt the assertion.
* @throws Exception
*/
public function setAssertion(SAML2_Assertion $assertion, XMLSecurityKey $key)
{
$xml = $assertion->toXML();
SAML2_Utils::getContainer()->debugMessage($xml, 'encrypt');
$enc = new XMLSecEnc();
$enc->setNode($xml);
$enc->type = XMLSecEnc::Element;
switch ($key->type) {
case XMLSecurityKey::TRIPLEDES_CBC:
case XMLSecurityKey::AES128_CBC:
case XMLSecurityKey::AES192_CBC:
case XMLSecurityKey::AES256_CBC:
$symmetricKey = $key;
break;
case XMLSecurityKey::RSA_1_5:
case XMLSecurityKey::RSA_OAEP_MGF1P:
$symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
$symmetricKey->generateSessionKey();
$enc->encryptKey($key, $symmetricKey);
break;
default:
throw new Exception('Unknown key type for encryption: ' . $key->type);
}
$this->encryptedData = $enc->encryptNode($symmetricKey);
}
function is_valid($document, $x509certificate)
{
$objXMLSecDSig = new XMLSecurityDSig();
$objDSig = $objXMLSecDSig->locateSignature($document);
if (!$objDSig) {
throw new Exception("Cannot locate Signature Node");
}
$objXMLSecDSig->canonicalizeSignedInfo();
$objXMLSecDSig->idKeys = array('ID');
$retVal = $objXMLSecDSig->validateReference();
if (!$retVal) {
throw new Exception("Reference Validation Failed");
}
$objKey = $objXMLSecDSig->locateKey();
if (!$objKey) {
throw new Exception("We have no idea about the key");
}
$key = NULL;
$singleAssertion = validateNumAssertions($document);
if (!$singleAssertion) {
throw new Exception("Only one SAMLAssertion allowed");
}
$validTimestamps = validateTimestamps($document);
if (!$validTimestamps) {
throw new Exception("SAMLAssertion conditions not met");
}
$objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig);
$objKey->loadKey($x509certificate, FALSE, true);
$result = $objXMLSecDSig->verify($objKey);
return $result;
}
function is_valid()
{
$objXMLSecDSig = new XMLSecurityDSig();
$objDSig = $objXMLSecDSig->locateSignature($this->doc);
if (!$objDSig) {
throw new Exception("Cannot locate Signature Node");
//, 'error', FALSE
return false;
}
$objXMLSecDSig->canonicalizeSignedInfo();
$objXMLSecDSig->idKeys = array('ID');
$retVal = $objXMLSecDSig->validateReference();
if (!$retVal) {
throw new Exception("SAML Assertion Error: Reference Validation Failed");
//, 'error', FALSE
return false;
// throw new Exception("Reference Validation Failed");
}
$objKey = $objXMLSecDSig->locateKey();
if (!$objKey) {
throw new Exception("SAML Assertion Error: We have no idea about the key");
//, 'error', FALSE
return false;
// throw new Exception("We have no idea about the key");
}
$key = NULL;
$singleAssertion = $this->validateNumAssertions();
if (!$singleAssertion) {
throw new Exception("SAML Assertion Error: Only ONE SAML Assertion Allowed");
//, 'error', FALSE
return false;
// throw new Exception("Only ONE SamlAssertion allowed");
}
$validTimestamps = $this->validateTimestamps();
if (!$validTimestamps) {
throw new Exception("SAML Assertion Error: Check your timestamp conditions");
//, 'error', FALSE
return false;
// throw new Exception("Check your timestamp conditions");
}
$objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig);
$objKey->loadKey($this->x509certificate, FALSE, true);
$result = $objXMLSecDSig->verify($objKey);
return $result;
}
/**
* This function initializes the validator.
*
* @param $xmlNode The XML node which contains the Signature element.
* @param $idAttribute The ID attribute which is used in node references. If this attribute is
* NULL (the default), then we will use whatever is the default ID.
*/
public function __construct($xmlNode, $idAttribute = NULL, $publickey = FALSE)
{
assert('$xmlNode instanceof DOMNode');
/* Create an XML security object. */
$objXMLSecDSig = new XMLSecurityDSig();
/* Add the id attribute if the user passed in an id attribute. */
if ($idAttribute !== NULL) {
assert('is_string($idAttribute)');
$objXMLSecDSig->idKeys[] = $idAttribute;
}
/* Locate the XMLDSig Signature element to be used. */
$signatureElement = $objXMLSecDSig->locateSignature($xmlNode);
if (!$signatureElement) {
throw new Exception('Could not locate XML Signature element.');
}
/* Canonicalize the XMLDSig SignedInfo element in the message. */
$objXMLSecDSig->canonicalizeSignedInfo();
/* Validate referenced xml nodes. */
if (!$objXMLSecDSig->validateReference()) {
throw new Exception('XMLsec: digest validation failed');
}
/* Find the key used to sign the document. */
$objKey = $objXMLSecDSig->locateKey();
if (empty($objKey)) {
throw new Exception('Error loading key to handle XML signature');
}
/* Load the key data. */
if ($publickey) {
$objKey->loadKey($publickey);
} else {
if (!XMLSecEnc::staticLocateKeyInfo($objKey, $signatureElement)) {
throw new Exception('Error finding key data for XML signature validation.');
}
}
/* Check the signature. */
if (!$objXMLSecDSig->verify($objKey)) {
throw new Exception("Unable to validate Signature");
}
/* Extract the certificate fingerprint. */
$this->x509Fingerprint = $objKey->getX509Fingerprint();
/* Find the list of validated nodes. */
$this->validNodes = $objXMLSecDSig->getValidatedNodes();
}
function is_valid()
{
$objXMLSecDSig = new XMLSecurityDSig();
$objDSig = $objXMLSecDSig->locateSignature($this->doc);
if (!$objDSig) {
throw new Exception("Cannot locate Signature Node");
}
$objXMLSecDSig->canonicalizeSignedInfo();
$objXMLSecDSig->idKeys = array('ID');
$retVal = $objXMLSecDSig->validateReference();
if (!$retVal) {
throw new Exception("Reference Validation Failed");
}
$objKey = $objXMLSecDSig->locateKey();
if (!$objKey) {
throw new Exception("We have no idea about the key");
}
$key = NULL;
$objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig);
$objKey->loadKey($this->x509certificate, FALSE, true);
$result = $objXMLSecDSig->verify($objKey);
return $result;
}
public function sendResponse($response, $idmetaindex, $spentityid, $relayState = null)
{
$idpmd = $this->metadata->getMetaData($idmetaindex, 'saml20-idp-hosted');
$spmd = $this->metadata->getMetaData($spentityid, 'saml20-sp-remote');
$destination = $spmd['AssertionConsumerService'];
if (empty($idpmd['privatekey'])) {
throw new Exception('SAML: RSA private key not configured. This is required to sign the authentication response.');
}
if (empty($idpmd['certificate'])) {
throw new Exception('SAML: X.509 certificate not configured. This is required to attach to the authentication response.');
}
// XMLDSig. Sign the complete request with the key stored in cert/server.pem
$objXMLSecDSig = new XMLSecurityDSig();
$objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
try {
$responsedom = new DOMDocument();
$responsedom->loadXML(str_replace("\n", "", str_replace("\r", "", $response)));
} catch (Exception $e) {
throw new Exception("foo");
}
$responseroot = $responsedom->getElementsByTagName('Response')->item(0);
$firstassertionroot = $responsedom->getElementsByTagName('Assertion')->item(0);
/* Determine what we should sign - either the Response element or the Assertion. The default
* is to sign the Assertion, but that can be overridden by the 'signresponse' option in the
* SP metadata or 'saml20.signresponse' in the global configuration.
*/
$signResponse = FALSE;
if (array_key_exists('signresponse', $spmd) && $spmd['signresponse'] !== NULL) {
$signResponse = $spmd['signresponse'];
if (!is_bool($signResponse)) {
throw new Exception('Expected the \'signresponse\' option in the metadata of the' . ' SP \'' . $spmd['entityid'] . '\' to be a boolean value.');
}
} else {
$signResponse = $this->configuration->getBoolean('saml20.signresponse', FALSE);
}
if ($signResponse) {
// Sign the response.
$objXMLSecDSig->addReferenceList(array($responseroot), XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N), array('id_name' => 'ID'));
} else {
// Sign the assertion.
$objXMLSecDSig->addReferenceList(array($firstassertionroot), XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N), array('id_name' => 'ID'));
}
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
if (array_key_exists('privatekey_pass', $idpmd)) {
$objKey->passphrase = $idpmd['privatekey_pass'];
}
$objKey->loadKey($idpmd['privatekey']);
$objXMLSecDSig->sign($objKey);
$objXMLSecDSig->add509Cert($idpmd['certificate'], true);
if ($signResponse) {
$objXMLSecDSig->appendSignature($responseroot, true, false);
} else {
$objXMLSecDSig->appendSignature($firstassertionroot, true, true);
}
if (isset($spmd['assertion.encryption']) && $spmd['assertion.encryption']) {
$encryptedassertion = $responsedom->createElement("saml:EncryptedAssertion");
$encryptedassertion->setAttribute("xmlns:saml", "urn:oasis:names:tc:SAML:2.0:assertion");
$firstassertionroot->parentNode->replaceChild($encryptedassertion, $firstassertionroot);
$encryptedassertion->appendChild($firstassertionroot);
$enc = new XMLSecEnc();
$enc->setNode($firstassertionroot);
$enc->type = XMLSecEnc::Element;
$objKey = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
if (isset($spmd['sharedkey'])) {
$objKey->loadkey($spmd['sharedkey']);
} else {
$key = $objKey->generateSessionKey();
$objKey->loadKey($key);
if (empty($spmd['certificate'])) {
throw new Exception("Public key for encrypting assertion needed, but not specified for saml20-sp-remote id: " . $spentityid);
}
$keyKey = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type' => 'public'));
$keyKey->loadKey($spmd['certificate']);
$enc->encryptKey($keyKey, $objKey);
}
$encNode = $enc->encryptNode($objKey);
# replacing the unencrypted node
}
$response = $responsedom->saveXML();
SimpleSAML_Utilities::validateXMLDocument($response, 'saml20');
# openssl genrsa -des3 -out server.key 1024
# openssl rsa -in server.key -out server.pem
# openssl req -new -key server.key -out server.csr
# openssl x509 -req -days 60 -in server.csr -signkey server.key -out server.crt
if ($this->configuration->getValue('debug')) {
$p = new SimpleSAML_XHTML_Template($this->configuration, 'post-debug.php');
$p->data['header'] = 'SAML Response Debug-mode';
$p->data['RelayStateName'] = 'RelayState';
$p->data['RelayState'] = $relayState;
$p->data['destination'] = $destination;
$p->data['response'] = str_replace("\n", "", base64_encode($response));
$p->data['responseHTML'] = htmlentities($responsedom->saveHTML());
$p->show();
} else {
$p = new SimpleSAML_XHTML_Template($this->configuration, 'post.php');
$p->data['RelayStateName'] = 'RelayState';
$p->data['RelayState'] = $relayState;
$p->data['destination'] = $destination;
$p->data['response'] = base64_encode($response);
$p->show();
}
}
public function locateKeyInfo($objBaseKey = NULL, $node = NULL)
{
if (empty($node)) {
$node = $this->rawNode;
}
return XMLSecEnc::staticLocateKeyInfo($objBaseKey, $node);
}
/**
* @return bool
* @throws Exception
*/
public function isValid()
{
$singleAssertion = $this->validateNumAssertions();
if (!$singleAssertion) {
throw new Exception('Multiple assertions are not supported');
}
$validTimestamps = $this->validateTimestamps();
if (!$validTimestamps) {
throw new Exception('Timing issues (please check your clock settings)');
}
$objXMLSecDSig = new XMLSecurityDSig();
$objDSig = $objXMLSecDSig->locateSignature($this->_document);
if (!$objDSig) {
throw new Exception('Cannot locate Signature Node');
}
$objXMLSecDSig->canonicalizeSignedInfo();
$objXMLSecDSig->idKeys = array('ID');
$objKey = $objXMLSecDSig->locateKey();
if (!$objKey) {
throw new Exception('We have no idea about the key');
}
try {
$retVal = $objXMLSecDSig->validateReference();
} catch (Exception $e) {
throw new Exception('Reference Validation Failed');
}
XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig);
$objKey->loadKey($this->_settings->idpPublicCertificate, false, true);
return $objXMLSecDSig->verify($objKey) === 1;
}
public function EncryptBody($siteKey, $objKey, $token)
{
$enc = new XMLSecEnc();
foreach ($this->envelope->childNodes as $node) {
if ($node->namespaceURI == $this->soapNS && $node->localName == 'Body') {
break;
}
}
$enc->setNode($node);
/* encrypt the symmetric key */
$enc->encryptKey($siteKey, $objKey, FALSE);
$enc->type = XMLSecEnc::Content;
/* Using the symmetric key to actually encrypt the data */
$encNode = $enc->encryptNode($objKey);
$guid = XMLSecurityDSig::generate_GUID();
$encNode->setAttribute('Id', $guid);
$refNode = $encNode->firstChild;
while ($refNode && $refNode->nodeType != XML_ELEMENT_NODE) {
$refNode = $refNode->nextSibling;
}
if ($refNode) {
$refNode = $refNode->nextSibling;
}
if ($this->addEncryptedKey($encNode, $enc, $token)) {
$this->AddReference($enc->encKey, $guid);
}
}
/**
* This function decrypts the Assertion in the AuthnResponse
* It throws an exception if the encryptAssertion for the remote idp is true and
* the assertion is not encrypted
* To Do: handle multible assertions
*/
private function decryptAssertion()
{
$dom = $this->getDOM();
$encryptedassertion = $this->doXPathQuery('/samlp:Response/saml:EncryptedAssertion')->item(0);
$objenc = new XMLSecEnc();
$encData = $objenc->locateEncryptedData($dom);
if ($encData) {
$spmd = $this->metadata->getMetaDataCurrent('saml20-sp-hosted');
$spid = $this->metadata->getMetaDataCurrentEntityID('saml20-sp-hosted');
$objenc->setNode($encData);
$objenc->type = $encData->getAttribute("Type");
$key = NULL;
$objKey = $objenc->locateKey($encData);
if ($objKey) {
if ($objKeyInfo = $objenc->locateKeyInfo($objKey)) {
if ($objKeyInfo->isEncrypted) {
$objencKey = $objKeyInfo->encryptedCtx;
if (empty($spmd['privatekey'])) {
throw new Exception("SAML: RSA private key not configured. This is required to decrypt the response. saml20-sp-hosted: {$spid}");
}
$objKeyInfo->loadKey($spmd['privatekey']);
$key = $objencKey->decryptKey($objKeyInfo);
} else {
$idpmd = $this->metadata->getMetaData($this->issuer, 'saml20-idp-remote');
if (!isset($idpmd['sharedkey'])) {
throw new Exception("Shared key for decrypting assertion needed, but not specified for saml20-idp-remote id: " . $this->issuer);
}
$key = $idpmd['sharedkey'];
}
}
}
if (empty($objKey) || empty($key)) {
throw new Exception("Error loading key to handle Decryption: >" . var_export($objKey, true));
}
$objKey->loadkey($key);
$decrypted = $objenc->decryptNode($objKey, false);
$newdoc = new DOMDocument();
$newdoc->loadXML('<root xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' . $decrypted . '</root>');
$importEnc = $encData->ownerDocument->importNode($newdoc->documentElement->firstChild, TRUE);
$encryptedassertion->parentNode->replaceChild($importEnc, $encryptedassertion);
} else {
$md = $this->metadata->getMetaData($this->issuer, 'saml20-idp-remote');
if (isset($md['assertion.encryption']) && $md['assertion.encryption']) {
throw new Exception('Received unencrypted assertion from [' . $this->issuer . '] contrary to its metadata attribute [assertion.encryption]: ' . $md['assertion.encryption']);
}
}
}
/**
* Decrypts the Assertion (DOMDocument)
*
* @param DomNode $dom DomDocument
*
* @return DOMDocument Decrypted Assertion
*
* @throws Exception
*/
protected function _decryptAssertion($dom)
{
$pem = $this->_settings->getSPkey();
if (empty($pem)) {
throw new Exception("No private key available, check settings");
}
$objenc = new XMLSecEnc();
$encData = $objenc->locateEncryptedData($dom);
if (!$encData) {
throw new Exception("Cannot locate encrypted assertion");
}
$objenc->setNode($encData);
$objenc->type = $encData->getAttribute("Type");
if (!($objKey = $objenc->locateKey())) {
throw new Exception("Unknown algorithm");
}
$key = null;
if ($objKeyInfo = $objenc->locateKeyInfo($objKey)) {
if ($objKeyInfo->isEncrypted) {
$objencKey = $objKeyInfo->encryptedCtx;
$objKeyInfo->loadKey($pem, false, false);
$key = $objencKey->decryptKey($objKeyInfo);
} else {
// symmetric encryption key support
$objKeyInfo->loadKey($pem, false, false);
}
}
if (empty($objKey->key)) {
$objKey->loadKey($key);
}
$decrypted = $objenc->decryptNode($objKey, true);
if ($decrypted instanceof DOMDocument) {
return $decrypted;
} else {
$encryptedAssertion = $decrypted->parentNode;
$container = $encryptedAssertion->parentNode;
# Fix possible issue with saml namespace
if (!$decrypted->hasAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:saml') && !$decrypted->hasAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:saml2') && !$decrypted->hasAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns') && !$container->hasAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:saml') && !$container->hasAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:saml2')) {
if (strpos($encryptedAssertion->tagName, 'saml2:') !== false) {
$ns = 'xmlns:saml2';
} else {
if (strpos($encryptedAssertion->tagName, 'saml:') != false) {
$ns = 'xmlns:saml';
} else {
$ns = 'xmlns';
}
}
$decrypted->setAttributeNS('http://www.w3.org/2000/xmlns/', $ns, OneLogin_Saml2_Constants::NS_SAML);
}
$container->replaceChild($decrypted, $encryptedAssertion);
return $decrypted->ownerDocument;
}
}
/**
* @param $testName
* @param $testFile
*
* @dataProvider verifyProvider
*/
public function testVerify($testName, $testFile)
{
$doc = new \DOMDocument();
$doc->load($testFile);
$objXMLSecDSig = new XMLSecurityDSig();
$objDSig = $objXMLSecDSig->locateSignature($doc);
$this->assertInstanceOf('\\DOMElement', $objDSig, "Cannot locate Signature Node");
$objXMLSecDSig->canonicalizeSignedInfo();
$objXMLSecDSig->idKeys = array('wsu:Id');
$objXMLSecDSig->idNS = array('wsu' => 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd');
$retVal = $objXMLSecDSig->validateReference();
$this->assertTrue($retVal, "Reference Validation Failed");
$objKey = $objXMLSecDSig->locateKey();
$this->assertInstanceOf('\\XmlSecLibs\\XMLSecurityKey', $objKey, "We have no idea about the key");
$key = null;
$objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig);
if (!$objKeyInfo->key && empty($key)) {
$objKey->loadKey(dirname(__FILE__) . '/../mycert.pem', true);
}
$this->assertEquals(1, $objXMLSecDSig->verify($objKey), "{$testName}: Signature is invalid");
}
define('DS', '\\');
$doc = new DOMDocument();
$doc->load('C:\\Users\\Miha Nahtigal\\Downloads\\Obcina_Trebnje_koledar_eslog (82).xml');
require dirname(dirname(__FILE__)) . DS . 'Plugin' . DS . 'LilInvoices' . DS . 'Lib' . DS . 'xmlseclibs_bes.php';
$objXMLSecDSig = new XMLSecurityDSig();
$objDSig = $objXMLSecDSig->locateSignature($doc);
if (!$objDSig) {
throw new Exception("Cannot locate Signature Node");
}
$objXMLSecDSig->canonicalizeSignedInfo();
//$objXMLSecDSig->idKeys = array('xds:Id');
//$objXMLSecDSig->idNS = array('xds'=>'http://uri.etsi.org/01903/v1.1.1#');
$retVal = $objXMLSecDSig->validateReference();
if (!$retVal) {
throw new Exception("Reference Validation Failed");
}
$objKey = $objXMLSecDSig->locateKey();
if (!$objKey) {
throw new Exception("We have no idea about the key");
}
$key = NULL;
$objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig);
if (!$objKeyInfo->key && empty($key)) {
$objKey->loadKey(dirname(__FILE__) . '/mycert.pem', TRUE);
}
if ($objXMLSecDSig->verify($objKey)) {
print "Signature validated!";
} else {
print "Failure!!!!!!!!";
}
print "\n";
/**
* Create key from an EncryptedKey-element.
*
* @param DOMElement $element The EncryptedKey-element.
*
* @return XMLSecurityKey The new key.
*/
public static function fromEncryptedKeyElement(DOMElement $element)
{
$objenc = new XMLSecEnc();
$objenc->setNode($element);
if (!($objKey = $objenc->locateKey())) {
throw new Exception("Unable to locate algorithm for this Encrypted Key");
}
$objKey->isEncrypted = true;
$objKey->encryptedCtx = $objenc;
XMLSecEnc::staticLocateKeyInfo($objKey, $element);
return $objKey;
}
/**
* Decrypt an encrypted element.
*
* This is an internal helper function.
*
* @param DOMElement $encryptedData The encrypted data.
* @param XMLSecurityKey $inputKey The decryption key.
* @param array &$blacklist Blacklisted decryption algorithms.
* @return DOMElement The decrypted element.
* @throws Exception
*/
private static function doDecryptElement(DOMElement $encryptedData, XMLSecurityKey $inputKey, array &$blacklist)
{
$enc = new XMLSecEnc();
$enc->setNode($encryptedData);
$enc->type = $encryptedData->getAttribute("Type");
$symmetricKey = $enc->locateKey($encryptedData);
if (!$symmetricKey) {
throw new Exception('Could not locate key algorithm in encrypted data.');
}
$symmetricKeyInfo = $enc->locateKeyInfo($symmetricKey);
if (!$symmetricKeyInfo) {
throw new Exception('Could not locate <dsig:KeyInfo> for the encrypted key.');
}
$inputKeyAlgo = $inputKey->getAlgorith();
if ($symmetricKeyInfo->isEncrypted) {
$symKeyInfoAlgo = $symmetricKeyInfo->getAlgorith();
if (in_array($symKeyInfoAlgo, $blacklist, TRUE)) {
throw new Exception('Algorithm disabled: ' . var_export($symKeyInfoAlgo, TRUE));
}
if ($symKeyInfoAlgo === XMLSecurityKey::RSA_OAEP_MGF1P && $inputKeyAlgo === XMLSecurityKey::RSA_1_5) {
/*
* The RSA key formats are equal, so loading an RSA_1_5 key
* into an RSA_OAEP_MGF1P key can be done without problems.
* We therefore pretend that the input key is an
* RSA_OAEP_MGF1P key.
*/
$inputKeyAlgo = XMLSecurityKey::RSA_OAEP_MGF1P;
}
/* Make sure that the input key format is the same as the one used to encrypt the key. */
if ($inputKeyAlgo !== $symKeyInfoAlgo) {
throw new Exception('Algorithm mismatch between input key and key used to encrypt ' . ' the symmetric key for the message. Key was: ' . var_export($inputKeyAlgo, TRUE) . '; message was: ' . var_export($symKeyInfoAlgo, TRUE));
}
/** @var XMLSecEnc $encKey */
$encKey = $symmetricKeyInfo->encryptedCtx;
$symmetricKeyInfo->key = $inputKey->key;
$keySize = $symmetricKey->getSymmetricKeySize();
if ($keySize === NULL) {
/* To protect against "key oracle" attacks, we need to be able to create a
* symmetric key, and for that we need to know the key size.
*/
throw new Exception('Unknown key size for encryption algorithm: ' . var_export($symmetricKey->type, TRUE));
}
try {
$key = $encKey->decryptKey($symmetricKeyInfo);
if (strlen($key) != $keySize) {
throw new Exception('Unexpected key size (' . strlen($key) * 8 . 'bits) for encryption algorithm: ' . var_export($symmetricKey->type, TRUE));
}
} catch (Exception $e) {
/* We failed to decrypt this key. Log it, and substitute a "random" key. */
SAML2_Utils::getContainer()->getLogger()->error('Failed to decrypt symmetric key: ' . $e->getMessage());
/* Create a replacement key, so that it looks like we fail in the same way as if the key was correctly padded. */
/* We base the symmetric key on the encrypted key and private key, so that we always behave the
* same way for a given input key.
*/
$encryptedKey = $encKey->getCipherValue();
$pkey = openssl_pkey_get_details($symmetricKeyInfo->key);
$pkey = sha1(serialize($pkey), TRUE);
$key = sha1($encryptedKey . $pkey, TRUE);
/* Make sure that the key has the correct length. */
if (strlen($key) > $keySize) {
$key = substr($key, 0, $keySize);
} elseif (strlen($key) < $keySize) {
$key = str_pad($key, $keySize);
}
}
$symmetricKey->loadkey($key);
} else {
$symKeyAlgo = $symmetricKey->getAlgorith();
/* Make sure that the input key has the correct format. */
if ($inputKeyAlgo !== $symKeyAlgo) {
throw new Exception('Algorithm mismatch between input key and key in message. ' . 'Key was: ' . var_export($inputKeyAlgo, TRUE) . '; message was: ' . var_export($symKeyAlgo, TRUE));
}
$symmetricKey = $inputKey;
}
$algorithm = $symmetricKey->getAlgorith();
if (in_array($algorithm, $blacklist, TRUE)) {
throw new Exception('Algorithm disabled: ' . var_export($algorithm, TRUE));
}
/** @var string $decrypted */
$decrypted = $enc->decryptNode($symmetricKey, FALSE);
/*
* This is a workaround for the case where only a subset of the XML
* tree was serialized for encryption. In that case, we may miss the
* namespaces needed to parse the XML.
*/
$xml = '<root xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ' . 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' . $decrypted . '</root>';
$newDoc = new DOMDocument();
if (!@$newDoc->loadXML($xml)) {
throw new Exception('Failed to parse decrypted XML. Maybe the wrong sharedkey was used?');
}
$decryptedElement = $newDoc->firstChild->firstChild;
if ($decryptedElement === NULL) {
throw new Exception('Missing encrypted element.');
}
if (!$decryptedElement instanceof DOMElement) {
throw new Exception('Decrypted element was not actually a DOMElement.');
}
return $decryptedElement;
}
function checkXMLSignature($token)
{
$objXMLSecDSig = new XMLSecurityDSig();
$objXMLSecDSig->idKeys[] = 'ID';
$objDSig = $objXMLSecDSig->locateSignature($token);
/* Must check certificate fingerprint now - validateReference removes it */
if (!validateCertFingerprint($token)) {
throw new Exception("Fingerprint Validation Failed");
}
/* Canonicalize the signed info */
$objXMLSecDSig->canonicalizeSignedInfo();
$retVal = NULL;
if ($objDSig) {
$retVal = $objXMLSecDSig->validateReference();
}
if (!$retVal) {
throw new Exception("SAML Validation Failed");
}
$key = NULL;
$objKey = $objXMLSecDSig->locateKey();
if ($objKey) {
if ($objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig)) {
/* Handle any additional key processing such as encrypted keys here */
}
}
if (empty($objKey)) {
throw new Exception("Error loading key to handle Signature");
}
return $objXMLSecDSig->verify($objKey) == 1;
}
public function processSignature($refNode)
{
$objXMLSecDSig = new XMLSecurityDSig();
$objXMLSecDSig->idKeys[] = 'wswsu:Id';
$objXMLSecDSig->idNS['wswsu'] = WSSESoapServer::WSUNS;
$objXMLSecDSig->sigNode = $refNode;
/* Canonicalize the signed info */
$objXMLSecDSig->canonicalizeSignedInfo();
$retVal = $objXMLSecDSig->validateReference();
if (!$retVal) {
throw new Exception("Validation Failed");
}
$key = NULL;
$objKey = $objXMLSecDSig->locateKey();
if ($objKey) {
if ($objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $refNode)) {
/* Handle any additional key processing such as encrypted keys here */
}
}
if (empty($objKey)) {
throw new Exception("Error loading key to handle Signature");
}
do {
if (empty($objKey->key)) {
$this->SOAPXPath->registerNamespace('xmlsecdsig', XMLSecurityDSig::XMLDSIGNS);
$query = "./xmlsecdsig:KeyInfo/wswsse:SecurityTokenReference/wswsse:Reference";
$nodeset = $this->SOAPXPath->query($query, $refNode);
if ($encmeth = $nodeset->item(0)) {
if ($uri = $encmeth->getAttribute("URI")) {
$arUrl = parse_url($uri);
if (empty($arUrl['path']) && ($identifier = $arUrl['fragment'])) {
$query = '//wswsse:BinarySecurityToken[@wswsu:Id="' . $identifier . '"]';
$nodeset = $this->SOAPXPath->query($query);
if ($encmeth = $nodeset->item(0)) {
$x509cert = $encmeth->textContent;
$x509cert = str_replace(array("\r", "\n"), "", $x509cert);
$x509cert = "-----BEGIN CERTIFICATE-----\n" . chunk_split($x509cert, 64, "\n") . "-----END CERTIFICATE-----\n";
$objKey->loadKey($x509cert);
break;
}
}
}
}
throw new Exception("Error loading key to handle Signature");
}
} while (0);
if (!$objXMLSecDSig->verify($objKey)) {
throw new Exception("Unable to validate Signature");
}
return TRUE;
}
/**
* Encrypt the NameID in the LogoutRequest.
*
* @param XMLSecurityKey $key The encryption key.
*/
public function encryptNameId(XMLSecurityKey $key)
{
/* First create a XML representation of the NameID. */
$doc = new DOMDocument();
$root = $doc->createElement('root');
$doc->appendChild($root);
SAML2_Utils::addNameId($root, $this->nameId);
$nameId = $root->firstChild;
SAML2_Utils::getContainer()->debugMessage($nameId, 'encrypt');
/* Encrypt the NameID. */
$enc = new XMLSecEnc();
$enc->setNode($nameId);
$enc->type = XMLSecEnc::Element;
$symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
$symmetricKey->generateSessionKey();
$enc->encryptKey($key, $symmetricKey);
$this->encryptedNameId = $enc->encryptNode($symmetricKey);
$this->nameId = NULL;
}
/**
* This function initializes the validator.
*
* This function accepts an optional parameter $publickey, which is the public key
* or certificate which should be used to validate the signature. This parameter can
* take the following values:
* - NULL/FALSE: No validation will be performed. This is the default.
* - A string: Assumed to be a PEM-encoded certificate / public key.
* - An array: Assumed to be an array returned by SimpleSAML_Utilities::loadPublicKey.
*
* @param DOMNode $xmlNode The XML node which contains the Signature element.
* @param string|array $idAttribute The ID attribute which is used in node references. If
* this attribute is NULL (the default), then we will use whatever is the default
* ID. Can be eigther a string with one value, or an array with multiple ID
* attrbute names.
* @param array $publickey The public key / certificate which should be used to validate the XML node.
*/
public function __construct($xmlNode, $idAttribute = NULL, $publickey = FALSE)
{
assert('$xmlNode instanceof DOMNode');
if ($publickey === NULL) {
$publickey = FALSE;
} elseif (is_string($publickey)) {
$publickey = array('PEM' => $publickey);
} else {
assert('$publickey === FALSE || is_array($publickey)');
}
/* Create an XML security object. */
$objXMLSecDSig = new XMLSecurityDSig();
/* Add the id attribute if the user passed in an id attribute. */
if ($idAttribute !== NULL) {
if (is_string($idAttribute)) {
$objXMLSecDSig->idKeys[] = $idAttribute;
} elseif (is_array($idAttribute)) {
foreach ($idAttribute as $ida) {
$objXMLSecDSig->idKeys[] = $ida;
}
}
}
/* Locate the XMLDSig Signature element to be used. */
$signatureElement = $objXMLSecDSig->locateSignature($xmlNode);
if (!$signatureElement) {
throw new Exception('Could not locate XML Signature element.');
}
/* Canonicalize the XMLDSig SignedInfo element in the message. */
$objXMLSecDSig->canonicalizeSignedInfo();
/* Validate referenced xml nodes. */
if (!$objXMLSecDSig->validateReference()) {
throw new Exception('XMLsec: digest validation failed');
}
/* Find the key used to sign the document. */
$objKey = $objXMLSecDSig->locateKey();
if (empty($objKey)) {
throw new Exception('Error loading key to handle XML signature');
}
/* Load the key data. */
if ($publickey !== FALSE && array_key_exists('PEM', $publickey)) {
/* We have PEM data for the public key / certificate. */
$objKey->loadKey($publickey['PEM']);
} else {
/* No PEM data. Search for key in signature. */
if (!XMLSecEnc::staticLocateKeyInfo($objKey, $signatureElement)) {
throw new Exception('Error finding key data for XML signature validation.');
}
if ($publickey !== FALSE) {
/* $publickey is set, and should therefore contain one or more fingerprints.
* Check that the response contains a certificate with a matching
* fingerprint.
*/
assert('is_array($publickey["certFingerprint"])');
$certificate = $objKey->getX509Certificate();
if ($certificate === NULL) {
/* Wasn't signed with an X509 certificate. */
throw new Exception('Message wasn\'t signed with an X509 certificate,' . ' and no public key was provided in the metadata.');
}
self::validateCertificateFingerprint($certificate, $publickey['certFingerprint']);
/* Key OK. */
}
}
/* Check the signature. */
if (!$objXMLSecDSig->verify($objKey)) {
throw new Exception("Unable to validate Signature");
}
/* Extract the certificate. */
$this->x509Certificate = $objKey->getX509Certificate();
/* Find the list of validated nodes. */
$this->validNodes = $objXMLSecDSig->getValidatedNodes();
}
/**
* Decrypt an encrypted element.
*
* @param DOMElement $encryptedData The encrypted data.
* @param XMLSecurityKey $inputKey The decryption key.
* @return DOMElement The decrypted element.
*/
public static function decryptElement(DOMElement $encryptedData, XMLSecurityKey $inputKey)
{
$enc = new XMLSecEnc();
$enc->setNode($encryptedData);
$enc->type = $encryptedData->getAttribute("Type");
$symmetricKey = $enc->locateKey($encryptedData);
if (!$symmetricKey) {
throw new Exception('Could not locate key algorithm in encrypted data.');
}
$symmetricKeyInfo = $enc->locateKeyInfo($symmetricKey);
if (!$symmetricKeyInfo) {
throw new Exception('Could not locate <dsig:KeyInfo> for the encrypted key.');
}
$inputKeyAlgo = $inputKey->getAlgorith();
if ($symmetricKeyInfo->isEncrypted) {
$symKeyInfoAlgo = $symmetricKeyInfo->getAlgorith();
if ($symKeyInfoAlgo === XMLSecurityKey::RSA_OAEP_MGF1P && $inputKeyAlgo === XMLSecurityKey::RSA_1_5) {
/*
* The RSA key formats are equal, so loading an RSA_1_5 key
* into an RSA_OAEP_MGF1P key can be done without problems.
* We therefore pretend that the input key is an
* RSA_OAEP_MGF1P key.
*/
$inputKeyAlgo = XMLSecurityKey::RSA_OAEP_MGF1P;
}
/* Make sure that the input key format is the same as the one used to encrypt the key. */
if ($inputKeyAlgo !== $symKeyInfoAlgo) {
throw new Exception('Algorithm mismatch between input key and key used to encrypt ' . ' the symmetric key for the message. Key was: ' . var_export($inputKeyAlgo, TRUE) . '; message was: ' . var_export($symKeyInfoAlgo, TRUE));
}
$encKey = $symmetricKeyInfo->encryptedCtx;
$symmetricKeyInfo->key = $inputKey->key;
$key = $encKey->decryptKey($symmetricKeyInfo);
$symmetricKey->loadkey($key);
} else {
$symKeyAlgo = $symmetricKey->getAlgorith();
/* Make sure that the input key has the correct format. */
if ($inputKeyAlgo !== $symKeyAlgo) {
throw new Exception('Algorithm mismatch between input key and key in message. ' . 'Key was: ' . var_export($inputKeyAlgo, TRUE) . '; message was: ' . var_export($symKeyAlgo, TRUE));
}
$symmetricKey = $inputKey;
}
$decrypted = $enc->decryptNode($symmetricKey, FALSE);
/*
* This is a workaround for the case where only a subset of the XML
* tree was serialized for encryption. In that case, we may miss the
* namespaces needed to parse the XML.
*/
$xml = '<root xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' . $decrypted . '</root>';
$newDoc = new DOMDocument();
if (!$newDoc->loadXML($xml)) {
throw new Exception('Failed to parse decrypted XML. Maybe the wrong sharedkey was used?');
}
$decryptedElement = $newDoc->firstChild->firstChild;
if ($decryptedElement === NULL) {
throw new Exception('Missing encrypted element.');
}
return $decryptedElement;
}
/**
* Validates a signature (Message or Assertion).
*
* @param string|DomDocument $xml The element we should validate
* @param string|null $cert The pubic cert
* @param string|null $fingerprint The fingerprint of the public cert
*/
public static function validateSign($xml, $cert = null, $fingerprint = null)
{
if ($xml instanceof DOMDocument) {
$dom = clone $xml;
} else {
if ($xml instanceof DOMElement) {
$dom = clone $xml->ownerDocument;
} else {
$dom = new DOMDocument();
$dom = self::loadXML($dom, $xml);
}
}
$objXMLSecDSig = new XMLSecurityDSig();
$objXMLSecDSig->idKeys = array('ID');
$objDSig = $objXMLSecDSig->locateSignature($dom);
if (!$objDSig) {
throw new Exception('Cannot locate Signature Node');
}
$objKey = $objXMLSecDSig->locateKey();
if (!$objKey) {
throw new Exception('We have no idea about the key');
}
$objXMLSecDSig->canonicalizeSignedInfo();
try {
$retVal = $objXMLSecDSig->validateReference();
} catch (Exception $e) {
throw $e;
}
XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig);
if (!empty($cert)) {
$objKey->loadKey($cert, false, true);
return $objXMLSecDSig->verify($objKey) === 1;
} else {
$domCert = $objKey->getX509Certificate();
$domCertFingerprint = OneLogin_Saml2_Utils::calculateX509Fingerprint($domCert);
if (OneLogin_Saml2_Utils::formatFingerPrint($fingerprint) !== $domCertFingerprint) {
return false;
} else {
$objKey->loadKey($domCert, false, true);
return $objXMLSecDSig->verify($objKey) === 1;
}
}
}
/**
* Decrypts the Assertion (DOMDocument)
*
* @param string $dom DomDocument
*
* @throws Exception
* @return DOMDocument Decrypted Assertion
*/
private function _decryptAssertion($dom)
{
$pem = $this->_settings->getSPkey();
if (empty($pem)) {
throw new Exception("No private key available, check settings");
}
$objenc = new XMLSecEnc();
$encData = $objenc->locateEncryptedData($dom);
if (!$encData) {
throw new Exception("Cannot locate encrypted assertion");
}
$objenc->setNode($encData);
$objenc->type = $encData->getAttribute("Type");
if (!($objKey = $objenc->locateKey())) {
throw new Exception("Unknown algorithm");
}
$key = null;
if ($objKeyInfo = $objenc->locateKeyInfo($objKey)) {
if ($objKeyInfo->isEncrypted) {
$objencKey = $objKeyInfo->encryptedCtx;
$objKeyInfo->loadKey($pem, false, false);
$key = $objencKey->decryptKey($objKeyInfo);
}
}
if (empty($objKey->key)) {
$objKey->loadKey($key);
}
$decrypt = $objenc->decryptNode($objKey, true);
if ($decrypt instanceof DOMDocument) {
return $decrypt;
} else {
return $decrypt->ownerDocument;
}
}
public function decryptSoapDoc($doc, $options)
{
$privKey = null;
$privKey_isFile = false;
$privKey_isCert = false;
if (is_array($options)) {
$privKey = !empty($options["keys"]["private"]["key"]) ? $options["keys"]["private"]["key"] : null;
$privKey_isFile = !empty($options["keys"]["private"]["isFile"]) ? true : false;
$privKey_isCert = !empty($options["keys"]["private"]["isCert"]) ? true : false;
}
$objenc = new XMLSecEnc();
$xpath = new DOMXPath($doc);
$envns = $doc->documentElement->namespaceURI;
$xpath->registerNamespace("soapns", $envns);
$xpath->registerNamespace("soapenc", "http://www.w3.org/2001/04/xmlenc#");
$nodes = $xpath->query('/soapns:Envelope/soapns:Header/*[local-name()="Security"]/soapenc:EncryptedKey');
$references = array();
if ($node = $nodes->item(0)) {
$objenc = new XMLSecEnc();
$objenc->setNode($node);
if (!($objKey = $objenc->locateKey())) {
throw new Exception("Unable to locate algorithm for this Encrypted Key");
}
$objKey->isEncrypted = true;
$objKey->encryptedCtx = $objenc;
XMLSecEnc::staticLocateKeyInfo($objKey, $node);
if ($objKey && $objKey->isEncrypted) {
$objencKey = $objKey->encryptedCtx;
$objKey->loadKey($privKey, $privKey_isFile, $privKey_isCert);
$key = $objencKey->decryptKey($objKey);
$objKey->loadKey($key);
}
$refnodes = $xpath->query('./soapenc:ReferenceList/soapenc:DataReference/@URI', $node);
foreach ($refnodes as $reference) {
$references[] = $reference->nodeValue;
}
}
foreach ($references as $reference) {
$arUrl = parse_url($reference);
$reference = $arUrl['fragment'];
$query = '//*[@Id="' . $reference . '"]';
$nodes = $xpath->query($query);
$encData = $nodes->item(0);
if ($algo = $xpath->evaluate("string(./soapenc:EncryptionMethod/@Algorithm)", $encData)) {
$objKey = new XMLSecurityKey($algo);
$objKey->loadKey($key);
}
$objenc->setNode($encData);
$objenc->type = $encData->getAttribute("Type");
$decrypt = $objenc->decryptNode($objKey, true);
}
return true;
}
/**
* Validates a signature (Message or Assertion).
*
* @param string|DomDocument $xml The element we should validate
* @param string|null $cert The pubic cert
* @param string|null $fingerprint The fingerprint of the public cert
* @param string|null $fingerprintalg The algorithm used to get the fingerprint
*/
public static function validateSign($xml, $cert = null, $fingerprint = null, $fingerprintalg = 'sha1')
{
if ($xml instanceof DOMDocument) {
$dom = clone $xml;
} else {
if ($xml instanceof DOMElement) {
$dom = clone $xml->ownerDocument;
} else {
$dom = new DOMDocument();
$dom = self::loadXML($dom, $xml);
}
}
# Check if Reference URI is empty
try {
$signatureElems = $dom->getElementsByTagName('Signature');
foreach ($signatureElems as $signatureElem) {
$referenceElems = $dom->getElementsByTagName('Reference');
if (count($referenceElems) > 0) {
$referenceElem = $referenceElems->item(0);
if ($referenceElem->getAttribute('URI') == '') {
$referenceElem->setAttribute('URI', '#' . $signatureElem->parentNode->getAttribute('ID'));
}
}
}
} catch (Exception $e) {
continue;
}
$objXMLSecDSig = new XMLSecurityDSig();
$objXMLSecDSig->idKeys = array('ID');
$objDSig = $objXMLSecDSig->locateSignature($dom);
if (!$objDSig) {
throw new Exception('Cannot locate Signature Node');
}
$objKey = $objXMLSecDSig->locateKey();
if (!$objKey) {
throw new Exception('We have no idea about the key');
}
$objXMLSecDSig->canonicalizeSignedInfo();
try {
$retVal = $objXMLSecDSig->validateReference();
} catch (Exception $e) {
throw $e;
}
XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig);
if (!empty($cert)) {
$objKey->loadKey($cert, false, true);
return $objXMLSecDSig->verify($objKey) === 1;
} else {
$domCert = $objKey->getX509Certificate();
$domCertFingerprint = OneLogin_Saml2_Utils::calculateX509Fingerprint($domCert, $fingerprintalg);
if (OneLogin_Saml2_Utils::formatFingerPrint($fingerprint) !== $domCertFingerprint) {
return false;
} else {
$objKey->loadKey($domCert, false, true);
return $objXMLSecDSig->verify($objKey) === 1;
}
}
}
/**
* Add an EncryptedAttribute Statement-node to the assertion.
*
* @param DOMElement $root The assertion element we should add the Encrypted Attribute Statement to.
*/
private function addEncryptedAttributeStatement(DOMElement $root)
{
if ($this->requiredEncAttributes == FALSE) {
return;
}
$document = $root->ownerDocument;
$attributeStatement = $document->createElementNS(SAML2_Const::NS_SAML, 'saml:AttributeStatement');
$root->appendChild($attributeStatement);
foreach ($this->attributes as $name => $values) {
$document2 = new DOMDocument();
$attribute = $document2->createElementNS(SAML2_Const::NS_SAML, 'saml:Attribute');
$attribute->setAttribute('Name', $name);
$document2->appendChild($attribute);
if ($this->nameFormat !== SAML2_Const::NAMEFORMAT_UNSPECIFIED) {
$attribute->setAttribute('NameFormat', $this->nameFormat);
}
foreach ($values as $value) {
if (is_string($value)) {
$type = 'xs:string';
} elseif (is_int($value)) {
$type = 'xs:integer';
} else {
$type = NULL;
}
$attributeValue = $document2->createElementNS(SAML2_Const::NS_SAML, 'saml:AttributeValue');
$attribute->appendChild($attributeValue);
if ($type !== NULL) {
$attributeValue->setAttributeNS(SAML2_Const::NS_XSI, 'xsi:type', $type);
}
if ($value instanceof DOMNodeList) {
for ($i = 0; $i < $value->length; $i++) {
$node = $document2->importNode($value->item($i), TRUE);
$attributeValue->appendChild($node);
}
} else {
$attributeValue->appendChild($document2->createTextNode($value));
}
}
/*Once the attribute nodes are built, the are encrypted*/
$EncAssert = new XMLSecEnc();
$EncAssert->setNode($document2->documentElement);
$EncAssert->type = 'http://www.w3.org/2001/04/xmlenc#Element';
/*
* Attributes are encrypted with a session key and this one with
* $EncryptionKey
*/
$symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES256_CBC);
$symmetricKey->generateSessionKey();
$EncAssert->encryptKey($this->encryptionKey, $symmetricKey);
$EncrNode = $EncAssert->encryptNode($symmetricKey);
$EncAttribute = $document->createElementNS(SAML2_Const::NS_SAML, 'saml:EncryptedAttribute');
$attributeStatement->appendChild($EncAttribute);
$n = $document->importNode($EncrNode, true);
$EncAttribute->appendChild($n);
}
}
/**
* Validate the SAML Response Signature
*/
private function _validateSignature()
{
$dom = $this->_responseXmlDom;
$xmlSec = new XMLSecurityDSig();
$signature = $xmlSec->locateSignature($dom);
if (!$signature) {
throw Sperantus_SAML2_SP_Response_Exception::signatureNotFound();
}
$xmlSec->canonicalizeSignedInfo();
$xmlSec->idKeys = array('ID');
if (!$xmlSec->validateReference()) {
throw Sperantus_SAML2_SP_Response_Exception::invalidReference();
}
$secKey = $xmlSec->locateKey();
if (!$secKey) {
throw Sperantus_SAML2_SP_Response_Exception::invalidAlgorithm();
}
$objKeyInfo = XMLSecEnc::staticLocateKeyInfo($secKey, $signature);
$secKey->loadKey($this->_publicKey);
if (!$xmlSec->verify($secKey)) {
throw Sperantus_SAML2_SP_Response_Exception::invalidSignature();
}
}