function testOne()
{
$doc = new \DOMDocument();
$doc->load(__DIR__ . '/../../../../../../../resources/sample/Response/response01.xml');
$xpath = new \DOMXPath($doc);
$xpath->registerNamespace('samlp', Protocol::SAML2);
$xpath->registerNamespace('ds', Protocol::NS_XMLDSIG);
$xpath->registerNamespace('a', Protocol::NS_ASSERTION);
$list = $xpath->query('/samlp:Response/a:Assertion/ds:Signature');
$this->assertEquals(1, $list->length);
/** @var $signatureNode \DOMElement */
$signatureNode = $list->item(0);
$signatureValidator = new SignatureXmlValidator();
$signatureValidator->loadFromXml($signatureNode);
$list = $xpath->query('./ds:KeyInfo/ds:X509Data/ds:X509Certificate', $signatureNode);
$this->assertEquals(1, $list->length);
/** @var $signatureNode \DOMElement */
$certificateDataNode = $list->item(0);
$certData = $certificateDataNode->textContent;
$certificate = new X509Certificate();
$certificate->setData($certData);
$key = KeyHelper::createPublicKey($certificate);
$ok = $signatureValidator->validate($key);
$this->assertTrue($ok);
}
/**
* @return \XMLSecurityKey
*/
public function getPrivateKey()
{
if (!$this->_key) {
$filename = $this->keyFile;
if ($filename[0] == '@') {
$filename = $this->kernel->locateResource($filename);
}
$this->_key = KeyHelper::createPrivateKey($filename, $this->keyPass, true, false);
}
return $this->_key;
}
/**
* @param \XMLSecurityKey $key
* @return bool True if validated, False if validation was not performed
* @throws \AerialShip\LightSaml\Error\SecurityException If validation fails
*/
public function validate(\XMLSecurityKey $key)
{
if ($this->getSignature() == null) {
return false;
}
if ($key->type !== \XMLSecurityKey::RSA_SHA1) {
throw new SecurityException('Invalid key type for validating signature on query string');
}
if ($key->type !== $this->getAlgorithm()) {
$key = KeyHelper::castKey($key, $this->getAlgorithm());
}
$signature = base64_decode($this->getSignature());
if (!$key->verifySignature($this->getData(), $signature)) {
throw new SecurityException('Unable to validate signature on query string');
}
return true;
}
private function verifySignature($xml)
{
$doc = new \DOMDocument();
$doc->loadXML($xml);
$xpath = new \DOMXPath($doc);
$xpath->registerNamespace('ds', Protocol::NS_XMLDSIG);
$list = $xpath->query('/root/ds:Signature');
$this->assertEquals(1, $list->length);
/** @var $signatureNode \DOMElement */
$signatureNode = $list->item(0);
$signatureValidator = new SignatureXmlValidator();
$signatureValidator->loadFromXml($signatureNode);
$certificate = new X509Certificate();
$certificate->loadFromFile(__DIR__ . '/../../../../../../../resources/sample/Certificate/saml.crt');
$key = KeyHelper::createPublicKey($certificate);
$ok = $signatureValidator->validate($key);
$this->assertTrue($ok);
}
protected function checkRequest(AuthnRequest $request, $id, $time)
{
$this->assertEquals($id, $request->getID());
$this->assertEquals('2.0', $request->getVersion());
$this->assertEquals($this->destination, $request->getDestination());
$this->assertEquals($this->ascURL, $request->getAssertionConsumerServiceURL());
$this->assertEquals($this->protocolBinding, $request->getProtocolBinding());
$this->assertEquals($time, $request->getIssueInstant());
$this->assertEquals($this->issuer, $request->getIssuer());
$this->assertEquals($this->nameIDPolicyFormat, $request->getNameIdPolicyFormat());
$this->assertTrue($request->getNameIdPolicyAllowCreate());
/** @var SignatureValidatorInterface $signature */
$signature = $request->getSignature();
$this->assertNotNull($signature);
$this->assertTrue($signature instanceof SignatureValidatorInterface);
$certificate = new X509Certificate();
$certificate->loadFromFile(__DIR__ . '/../../../../../resources/sample/Certificate/saml.crt');
$key = KeyHelper::createPublicKey($certificate);
$signature->validate($key);
}
/**
* @param \AerialShip\SamlSPBundle\Config\ServiceInfo $serviceInfo
* @param LogoutRequest $logoutRequest
* @throws \RuntimeException
*/
protected function validateLogoutRequest(ServiceInfo $serviceInfo, LogoutRequest $logoutRequest)
{
$idp = $serviceInfo->getIdpProvider()->getEntityDescriptor();
$keyDescriptors = $idp->getFirstIdpSsoDescriptor()->getKeyDescriptors();
if (empty($keyDescriptors)) {
throw new \RuntimeException('IDP must support signing for logout requests');
}
/** @var $signature SignatureValidatorInterface */
$signature = $logoutRequest->getSignature();
if (!$signature) {
throw new \RuntimeException('Logout request must be signed');
}
$keys = array();
foreach ($keyDescriptors as $keyDescriptor) {
$key = KeyHelper::createPublicKey($keyDescriptor->getCertificate());
$keys[] = $key;
}
$signature->validateMulti($keys);
}
/**
* @test
*/
public function shouldCreatePublicKeyWhenLoadedFromPem()
{
$cert = new X509Certificate();
$cert->loadPem($this->getPEM());
KeyHelper::createPublicKey($cert);
}
/**
* @param \AerialShip\SamlSPBundle\Config\ServiceInfo $metaProvider
* @return null|\XMLSecurityKey
*/
protected function getSigningKey(ServiceInfo $metaProvider)
{
$result = null;
$edIDP = $metaProvider->getIdpProvider()->getEntityDescriptor();
if ($edIDP) {
$arr = $edIDP->getAllIdpSsoDescriptors();
if ($arr) {
$idp = $arr[0];
$arr = $idp->findKeyDescriptors('signing');
if ($arr) {
$keyDescriptor = $arr[0];
$certificate = $keyDescriptor->getCertificate();
$result = KeyHelper::createPublicKey($certificate);
}
}
}
return $result;
}
/**
* @return \XMLSecurityKey
*/
private function getXmlKey()
{
$cert = $this->getCertificate();
return KeyHelper::createPublicKey($cert);
}
/**
* @param \XMLSecurityKey $key
* @return \XMLSecurityKey
*/
private function castKeyIfNecessary(\XMLSecurityKey $key)
{
$algorithm = $this->getAlgorithm();
if ($key->type === \XMLSecurityKey::RSA_SHA1 && $algorithm !== $key->type) {
$key = KeyHelper::castKey($key, $algorithm);
}
return $key;
}
