/**
 * Test that getValidatingCertificates() reports only the certificate whose
 * key actually verifies the signature.
 *
 * First a signed element carrying the mock public key is checked; then an
 * element is signed with the mock private key but published with two
 * certificates (an unrelated one plus the matching one), and only the
 * matching certificate may come back. This is what prevents a relying party
 * from trusting an arbitrary certificate merely because it sits in KeyInfo.
 */
public function testGetValidatingCertificates()
{
    $expectedCerts = XMLSecurityDSig::staticGet509XCerts(SAML2_CertificatesMock::PUBLIC_KEY_PEM);
    $expectedCert = $expectedCerts[0];

    // Work on a copy so the original signed element is left untouched.
    $elementCopy = SAML2_Utils::copyElement($this->signedMockElement);
    $elementCopy->ownerDocument->appendChild($elementCopy);
    $helper = new SAML2_SignedElementHelperMock($elementCopy);
    $validating = $helper->getValidatingCertificates();
    $this->assertCount(1, $validating);
    $this->assertEquals($expectedCert, $validating[0]);

    // Test with two certificates: an unrelated self-signed one first, then the
    // one that matches the signing key.
    $unrelatedCert = '-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIJALU2mjA9ULI2MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTAwODAzMDYzNTQ4WhcNMjAwODAyMDYzNTQ4WjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDG6q53nl3Gn/9JE+ZiCgEB+EPcGbvzi0NrBDkKz9SKBNflxKQ+De/OAVQ9RQZO
tEm/j0hoSCGO7maemOm1PVNtDuMchSroPs0L4szLhh6m1uMhw9RXqq34C+Cr7Wee
ZNPQTFnQhBYqnYM03/e3SeUawiZ7rGeAMJ/8BSk0CB1GAQIDAQABo4GnMIGkMB0G
A1UdDgQWBBRnHHPiQ/pV/xDZg3EBmU3ik64ORDB1BgNVHSMEbjBsgBRnHHPiQ/pV
/xDZg3EBmU3ik64ORKFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUt
U3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJALU2mjA9
ULI2MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAScv7ee6QajoSM4c4
+fX+eYdjHFsvtqHD0ng987viS8eGjIrRfKAMHVzzs1jSU0TxMM7WUFDf6FpjW+Do
r+X+X2Al/n6aDn7qAxXbl0RZuB+saxn+yFR6HFKggwkR1L2pimCuD0gTr6LlrNgf
edF1YfJgq35hcMMLY9RE/0C0bCI=
-----END CERTIFICATE-----';

    $signer = new SAML2_SignedElementHelperMock();
    $signer->setSignatureKey(SAML2_CertificatesMock::getPrivateKey());
    $signer->setCertificates(array($unrelatedCert, SAML2_CertificatesMock::PUBLIC_KEY_PEM));
    // The freshly signed element replaces the fixture for the rest of this test.
    $this->signedMockElement = $signer->toSignedXML();

    $helper = new SAML2_SignedElementHelperMock($this->signedMockElement);
    $validating = $helper->getValidatingCertificates();
    // The unrelated certificate must not be reported as validating.
    $this->assertCount(1, $validating);
    $this->assertEquals($expectedCert, $validating[0]);
}
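/**
 * Append the certificate(s) in $cert to the ds:KeyInfo of $parentRef as a
 * ds:X509Data element holding one ds:X509Certificate per certificate found.
 * The ds:KeyInfo is located or created by self::auxKeyInfo().
 *
 * @param DOMElement $parentRef    Element (normally ds:Signature) whose ds:KeyInfo
 *                                 receives the X509Data.
 * @param string     $cert         PEM text, or bare base64 DER when $isPEMFormat is
 *                                 false; a path/URL to read when $isURL is true.
 * @param bool       $isPEMFormat  Whether $cert carries PEM BEGIN/END markers.
 * @param bool       $isURL        Read $cert with file_get_contents() first.
 * @param DOMXPath   $xpath        Optional XPath object handed to auxKeyInfo().
 * @param array      $options      Optional flags: 'issuerSerial' adds a
 *                                 ds:X509IssuerSerial and 'subjectName' a
 *                                 ds:X509SubjectName before each certificate.
 * @throws Exception If $parentRef is not a DOMElement or $cert cannot be read.
 */
static function staticAdd509Cert($parentRef, $cert, $isPEMFormat = TRUE, $isURL = False, $xpath = NULL, $options = NULL)
{
    if ($isURL) {
        // SECURITY: this reads whatever location the caller names (local files
        // and any stream wrapper PHP has enabled); never pass attacker-controlled
        // input here. A failed read must not silently produce a KeyInfo with
        // no certificate in it.
        $cert = file_get_contents($cert);
        if ($cert === FALSE) {
            throw new Exception('Unable to read certificate data');
        }
    }
    if (!$parentRef instanceof DOMElement) {
        throw new Exception('Invalid parent Node parameter');
    }
    list($parentRef, $keyInfo) = self::auxKeyInfo($parentRef, $xpath);

    // Add all certs if there are more than one
    $certs = XMLSecurityDSig::staticGet509XCerts($cert, $isPEMFormat);
    $baseDoc = $parentRef->ownerDocument;

    // Attach X509 data node
    $x509DataNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Data');
    $keyInfo->appendChild($x509DataNode);

    $issuerSerial = is_array($options) && !empty($options['issuerSerial']);
    $subjectName = is_array($options) && !empty($options['subjectName']);

    // Render a DN as returned by openssl_x509_parse() - either a ready string
    // or an attribute => value map in certificate order - as one string.
    // Components are emitted in reverse order (most specific first, as in the
    // RFC 4514 string form). A multi-valued RDN arrives as an array value and
    // is joined with '+' instead of collapsing to the literal "Array".
    $dnToString = function ($dn) {
        if (!is_array($dn)) {
            return $dn;
        }
        $parts = array();
        foreach ($dn as $key => $value) {
            if (is_array($value)) {
                $rdn = array();
                foreach ($value as $v) {
                    $rdn[] = "{$key}={$v}";
                }
                array_unshift($parts, implode('+', $rdn));
            } else {
                array_unshift($parts, "{$key}={$value}");
            }
        }
        return implode(',', $parts);
    };

    // Attach all certificate nodes and any additional data
    foreach ($certs as $X509Cert) {
        if ($issuerSerial || $subjectName) {
            $pem = "-----BEGIN CERTIFICATE-----\n" . chunk_split($X509Cert, 64, "\n") . "-----END CERTIFICATE-----\n";
            // A certificate openssl cannot parse still gets its ds:X509Certificate
            // below; only the optional metadata is skipped for it.
            if ($certData = openssl_x509_parse($pem)) {
                // DN strings come from the certificate and may contain '&' or
                // '<'; createElementNS() does not escape its value argument, so
                // the text is attached as a text node to keep the XML well-formed.
                if ($subjectName && !empty($certData['subject'])) {
                    // Fix: the non-array branch previously emitted the issuer here.
                    $x509SubjectNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509SubjectName');
                    $x509SubjectNode->appendChild($baseDoc->createTextNode($dnToString($certData['subject'])));
                    $x509DataNode->appendChild($x509SubjectNode);
                }
                if ($issuerSerial && !empty($certData['issuer']) && !empty($certData['serialNumber'])) {
                    $x509IssuerNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509IssuerSerial');
                    $x509DataNode->appendChild($x509IssuerNode);

                    $x509Node = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509IssuerName');
                    $x509Node->appendChild($baseDoc->createTextNode($dnToString($certData['issuer'])));
                    $x509IssuerNode->appendChild($x509Node);

                    $x509Node = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509SerialNumber');
                    $x509Node->appendChild($baseDoc->createTextNode((string) $certData['serialNumber']));
                    $x509IssuerNode->appendChild($x509Node);
                }
            }
        }
        // The base64 body itself cannot contain XML-significant characters.
        $x509CertNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Certificate', $X509Cert);
        $x509DataNode->appendChild($x509CertNode);
    }
}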
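/**
 * Append the certificate(s) in $cert to the ds:KeyInfo of $parentRef as a
 * ds:X509Data element with one ds:X509Certificate per certificate found.
 *
 * The ds:KeyInfo is looked up with XPath under $parentRef. When absent it is
 * created and inserted before the first ds:Object child (or appended when
 * there is none), which keeps the ds:Signature child order valid.
 *
 * @param DOMElement $parentRef    Element (normally ds:Signature) holding the ds:KeyInfo.
 * @param string     $cert         PEM text, or bare base64 DER when $isPEMFormat is
 *                                 false; a path/URL to read when $isURL is true.
 * @param bool       $isPEMFormat  Whether $cert carries PEM BEGIN/END markers.
 * @param bool       $isURL        Read $cert with file_get_contents() first.
 * @param DOMXPath   $xpath        Optional XPath object. It is assumed to have the
 *                                 prefix 'secdsig' bound to the XML-DSig namespace;
 *                                 one is created and registered when omitted.
 * @throws Exception If $parentRef is not a DOMElement or $cert cannot be read.
 */
static function staticAdd509Cert($parentRef, $cert, $isPEMFormat = TRUE, $isURL = False, $xpath = NULL)
{
    if ($isURL) {
        // SECURITY: this reads whatever location the caller names (local files
        // and any stream wrapper PHP has enabled); never pass attacker-controlled
        // input here. A failed read previously fell through and produced a
        // ds:X509Data with no certificate; fail loudly instead.
        $cert = file_get_contents($cert);
        if ($cert === FALSE) {
            throw new Exception('Unable to read certificate data');
        }
    }
    if (!$parentRef instanceof DOMElement) {
        throw new Exception('Invalid parent Node parameter');
    }
    $baseDoc = $parentRef->ownerDocument;

    if (empty($xpath)) {
        $xpath = new DOMXPath($parentRef->ownerDocument);
        $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS);
    }

    $query = "./secdsig:KeyInfo";
    $nodeset = $xpath->query($query, $parentRef);
    $keyInfo = $nodeset->item(0);
    if (!$keyInfo) {
        // No KeyInfo yet: create one and place it before any ds:Object so the
        // element order required by the XML-DSig schema is preserved.
        $inserted = FALSE;
        $keyInfo = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:KeyInfo');

        $query = "./secdsig:Object";
        $nodeset = $xpath->query($query, $parentRef);
        if ($sObject = $nodeset->item(0)) {
            $sObject->parentNode->insertBefore($keyInfo, $sObject);
            $inserted = TRUE;
        }

        if (!$inserted) {
            $parentRef->appendChild($keyInfo);
        }
    }

    // Add all certs if there are more than one
    $certs = XMLSecurityDSig::staticGet509XCerts($cert, $isPEMFormat);

    // Attach X509 data node
    $x509DataNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Data');
    $keyInfo->appendChild($x509DataNode);

    // Attach all certificate nodes (base64 bodies contain no XML-significant
    // characters, so passing them as the element value is safe).
    foreach ($certs as $X509Cert) {
        $x509CertNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Certificate', $X509Cert);
        $x509DataNode->appendChild($x509CertNode);
    }
}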
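/**
 * Append the certificate(s) in $cert to the ds:KeyInfo of $parentRef as a
 * ds:X509Data element with one ds:X509Certificate per certificate found.
 *
 * The ds:KeyInfo is looked up with XPath under $parentRef. When absent it is
 * created and inserted before the first ds:Object child (or appended when
 * there is none), which keeps the ds:Signature child order valid.
 *
 * Only the 'issuerSerial' option is honoured by this variant: when set, a
 * ds:X509IssuerSerial (issuer DN and serial number) precedes each certificate.
 *
 * @param DOMElement $parentRef    Element (normally ds:Signature) holding the ds:KeyInfo.
 * @param string     $cert         PEM text, or bare base64 DER when $isPEMFormat is
 *                                 false; a path/URL to read when $isURL is true.
 * @param bool       $isPEMFormat  Whether $cert carries PEM BEGIN/END markers.
 * @param bool       $isURL        Read $cert with file_get_contents() first.
 * @param DOMXPath   $xpath        Optional XPath object. It is assumed to have the
 *                                 prefix 'secdsig' bound to the XML-DSig namespace;
 *                                 one is created and registered when omitted.
 * @param array      $options      Optional flags; only 'issuerSerial' is used here.
 * @throws Exception If $parentRef is not a DOMElement or $cert cannot be read.
 */
static function staticAdd509Cert($parentRef, $cert, $isPEMFormat = TRUE, $isURL = False, $xpath = NULL, $options = NULL)
{
    if ($isURL) {
        // SECURITY: this reads whatever location the caller names (local files
        // and any stream wrapper PHP has enabled); never pass attacker-controlled
        // input here. A failed read must not silently produce a ds:X509Data
        // with no certificate.
        $cert = file_get_contents($cert);
        if ($cert === FALSE) {
            throw new Exception('Unable to read certificate data');
        }
    }
    if (!$parentRef instanceof DOMElement) {
        throw new Exception('Invalid parent Node parameter');
    }
    $baseDoc = $parentRef->ownerDocument;

    if (empty($xpath)) {
        $xpath = new DOMXPath($parentRef->ownerDocument);
        $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS);
    }

    $query = "./secdsig:KeyInfo";
    $nodeset = $xpath->query($query, $parentRef);
    $keyInfo = $nodeset->item(0);
    if (!$keyInfo) {
        // No KeyInfo yet: create one and place it before any ds:Object so the
        // element order required by the XML-DSig schema is preserved.
        $inserted = FALSE;
        $keyInfo = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:KeyInfo');

        $query = "./secdsig:Object";
        $nodeset = $xpath->query($query, $parentRef);
        if ($sObject = $nodeset->item(0)) {
            $sObject->parentNode->insertBefore($keyInfo, $sObject);
            $inserted = TRUE;
        }

        if (!$inserted) {
            $parentRef->appendChild($keyInfo);
        }
    }

    // Add all certs if there are more than one
    $certs = XMLSecurityDSig::staticGet509XCerts($cert, $isPEMFormat);

    // Attach X509 data node
    $x509DataNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Data');
    $keyInfo->appendChild($x509DataNode);

    $issuerSerial = is_array($options) && !empty($options['issuerSerial']);

    // Attach all certificate nodes and any additional data
    foreach ($certs as $X509Cert) {
        if ($issuerSerial) {
            $pem = "-----BEGIN CERTIFICATE-----\n" . chunk_split($X509Cert, 64, "\n") . "-----END CERTIFICATE-----\n";
            // A certificate openssl cannot parse still gets its ds:X509Certificate
            // below; only the issuer/serial metadata is skipped for it.
            if ($certData = openssl_x509_parse($pem)) {
                if (!empty($certData['issuer']) && !empty($certData['serialNumber'])) {
                    if (is_array($certData['issuer'])) {
                        // Emit the DN components most-specific first (reverse of
                        // the order openssl reports them in), RFC 4514 style.
                        // The previous code appended an undefined $issuer variable
                        // to every component, which raised a notice on each one.
                        $parts = array();
                        foreach ($certData['issuer'] as $key => $value) {
                            array_unshift($parts, "{$key}={$value}");
                        }
                        $issuerName = implode(',', $parts);
                    } else {
                        $issuerName = $certData['issuer'];
                    }

                    $x509IssuerNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509IssuerSerial');
                    $x509DataNode->appendChild($x509IssuerNode);

                    // The issuer DN comes from the certificate and may contain '&'
                    // or '<'; createElementNS() does not escape its value argument,
                    // so attach it as a text node to keep the XML well-formed.
                    $x509Node = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509IssuerName');
                    $x509Node->appendChild($baseDoc->createTextNode($issuerName));
                    $x509IssuerNode->appendChild($x509Node);

                    $x509Node = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509SerialNumber');
                    $x509Node->appendChild($baseDoc->createTextNode((string) $certData['serialNumber']));
                    $x509IssuerNode->appendChild($x509Node);
                }
            }
        }
        // The base64 body itself cannot contain XML-significant characters.
        $x509CertNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Certificate', $X509Cert);
        $x509DataNode->appendChild($x509CertNode);
    }
}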
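/**
 * Build a XAdES-BES SignedProperties block for $parentRef (a ds:Signature),
 * wrapped in ds:Object/QualifyingProperties, and return the SignedProperties
 * element so the caller can reference it from ds:SignedInfo (URI
 * "#SignedPropertiesId") and digest it.
 *
 * Emitted structure: SigningTime, SigningCertificate/Cert with a CertDigest and
 * one IssuerSerial per certificate found in $cert, and an implied
 * SignaturePolicyIdentifier. Identifiers are hard-coded: QualifyingProperties
 * Target is "#SignatureId", so the enclosing ds:Signature must carry
 * Id="SignatureId"; the SignedProperties Id is "SignedPropertiesId".
 *
 * @param DOMElement  $parentRef    The ds:Signature element the ds:Object is appended to.
 * @param string      $cert         PEM text of the signing certificate (or bare base64
 *                                  DER when $isPEMFormat is false); a path/URL to read
 *                                  when $isURL is true.
 * @param bool        $isPEMFormat  Whether $cert carries PEM BEGIN/END markers.
 * @param bool        $isURL        Read $cert with file_get_contents() first.
 * @param DOMXPath    $xpath        Unused; kept for signature compatibility.
 * @param string|null $digest       Base64 SHA-1 digest of the signing certificate's DER
 *                                  encoding. When null it is computed from the first
 *                                  certificate in $cert.
 * @return DOMElement The SignedProperties element.
 * @throws Exception If $parentRef is not a DOMElement or $cert cannot be read.
 */
static function staticAddBes($parentRef, $cert, $isPEMFormat = TRUE, $isURL = False, $xpath = NULL, $digest = NULL)
{
    if ($isURL) {
        // SECURITY: this reads whatever location the caller names (local files
        // and any stream wrapper PHP has enabled); never pass attacker-controlled
        // input here. Fail rather than emit SignedProperties naming no certificate.
        $cert = file_get_contents($cert);
        if ($cert === FALSE) {
            throw new Exception('Unable to read certificate data');
        }
    }
    if (!$parentRef instanceof DOMElement) {
        throw new Exception('Invalid parent Node parameter');
    }
    $baseDoc = $parentRef->ownerDocument;

    // Add all certs if there are more than one
    $certs = XMLSecurityDSig::staticGet509XCerts($cert, $isPEMFormat);

    $objectNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:Object');
    $parentRef->appendChild($objectNode);

    // NOTE: the XAdES namespace is declared with a plain xmlns attribute rather
    // than createElementNS(). This element is later canonicalised and digested
    // by the caller, so the in-memory representation is deliberately left as
    // existing signatures were produced with.
    $qProps = $baseDoc->createElement('QualifyingProperties');
    $qProps->setAttribute('xmlns:xsi', 'http://www.w3.org/2001/XMLSchema-instance');
    $qProps->setAttribute('xmlns:xsd', 'http://www.w3.org/2001/XMLSchema');
    $qProps->setAttribute('xmlns', 'http://uri.etsi.org/01903/v1.1.1#');
    $qProps->setAttribute('Target', '#SignatureId');
    $objectNode->appendChild($qProps);

    $SignedProps = $baseDoc->createElement('SignedProperties');
    $SignedProps->setAttribute('Id', 'SignedPropertiesId');
    $qProps->appendChild($SignedProps);

    $SignedSignatureProperties = $baseDoc->createElement('SignedSignatureProperties');
    $SignedProps->appendChild($SignedSignatureProperties);

    // SigningTime is the moment this signature is produced. It used to be a
    // fixed 2014-01-27, which misstated the signing time of every signature.
    $SigningTime = $baseDoc->createElement('SigningTime', date('c'));
    $SignedSignatureProperties->appendChild($SigningTime);

    $SigningCertificate = $baseDoc->createElement('SigningCertificate');
    $SignedSignatureProperties->appendChild($SigningCertificate);

    // XAdES allows one CertDigest and one IssuerSerial per Cert; the loop below
    // adds an IssuerSerial for every certificate in $cert into this single
    // Cert, so callers are expected to pass only the signing certificate.
    $Cert = $baseDoc->createElement('Cert');
    $SigningCertificate->appendChild($Cert);

    $CertDigest = $baseDoc->createElement('CertDigest');
    $Cert->appendChild($CertDigest);

    // The digest algorithm is pinned to SHA-1 (self::SHA1), so a supplied
    // $digest must be SHA-1 too. SHA-1 is deprecated for new signatures, but
    // changing it here would break callers that compute their own digest.
    $DigestMethod = $baseDoc->createElement('DigestMethod');
    $DigestMethodAttrAlgorithm = $baseDoc->createAttribute('Algorithm');
    $DigestMethodAttrAlgorithm->value = self::SHA1;
    $DigestMethod->appendChild($DigestMethodAttrAlgorithm);
    $CertDigest->appendChild($DigestMethod);

    if ($digest === NULL && !empty($certs)) {
        // XAdES CertDigest is the digest of the DER-encoded certificate;
        // staticGet509XCerts() yields its base64 body. Assumes the first
        // certificate in $cert is the signing certificate.
        $digest = base64_encode(sha1(base64_decode($certs[0]), TRUE));
    }
    $DigestValue = $baseDoc->createElement('DigestValue', (string) $digest);
    $CertDigest->appendChild($DigestValue);

    // ADD CERTS
    foreach ($certs as $X509Cert) {
        $pem = "-----BEGIN CERTIFICATE-----\n" . chunk_split($X509Cert, 64, "\n") . "-----END CERTIFICATE-----\n";
        // A certificate openssl cannot parse contributes no IssuerSerial.
        if ($certData = openssl_x509_parse($pem)) {
            if (!empty($certData['issuer']) && !empty($certData['serialNumber'])) {
                if (is_array($certData['issuer'])) {
                    // Most-specific component first (reverse of openssl's order).
                    $parts = array();
                    foreach ($certData['issuer'] as $key => $value) {
                        array_unshift($parts, "{$key}={$value}");
                    }
                    $issuerName = implode(', ', $parts);
                } else {
                    $issuerName = $certData['issuer'];
                }

                $IssuerSerial = $baseDoc->createElement('IssuerSerial');
                $Cert->appendChild($IssuerSerial);

                // The issuer DN comes from the certificate and may contain '&'
                // or '<'; createElement() does not escape its value argument, so
                // attach it as a text node to keep the XML well-formed.
                $x509Node = $baseDoc->createElement('X509IssuerName');
                $x509Node->appendChild($baseDoc->createTextNode($issuerName));
                $x509NodeAttr = $baseDoc->createAttribute('xmlns');
                $x509NodeAttr->value = 'http://www.w3.org/2000/09/xmldsig#';
                $x509Node->appendChild($x509NodeAttr);
                $IssuerSerial->appendChild($x509Node);

                $x509Node = $baseDoc->createElement('X509SerialNumber');
                $x509Node->appendChild($baseDoc->createTextNode((string) $certData['serialNumber']));
                $x509NodeAttr = $baseDoc->createAttribute('xmlns');
                $x509NodeAttr->value = 'http://www.w3.org/2000/09/xmldsig#';
                $x509Node->appendChild($x509NodeAttr);
                $IssuerSerial->appendChild($x509Node);
            }
        }
    }

    // No explicit policy: XAdES-BES with an implied signature policy.
    $SignaturePolicyIdentifier = $baseDoc->createElement('SignaturePolicyIdentifier');
    $SignedSignatureProperties->appendChild($SignaturePolicyIdentifier);
    $SignaturePolicyImplied = $baseDoc->createElement('SignaturePolicyImplied');
    $SignaturePolicyIdentifier->appendChild($SignaturePolicyImplied);

    return $SignedProps;
}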
/**
 * Return the first certificate found in $cert, as the bare base64 DER body
 * produced by staticGet509XCerts(), or an empty string when none is found.
 *
 * @param string $cert         PEM text, or bare base64 DER when $isPEMFormat is false.
 * @param bool   $isPEMFormat  Whether $cert carries PEM BEGIN/END markers.
 * @return string
 */
static function get509XCert($cert, $isPEMFormat = TRUE)
{
    $found = XMLSecurityDSig::staticGet509XCerts($cert, $isPEMFormat);
    return empty($found) ? '' : $found[0];
}