/** * Insert a Signature-node. * * @param XMLSecurityKey $key The key we should use to sign the message. * @param array $certificates The certificates we should add to the signature node. * @param \DOMElement $root The XML node we should sign. * @param \DOMNode $insertBefore The XML element we should insert the signature element before. */ public static function insertSignature(XMLSecurityKey $key, array $certificates, \DOMElement $root, \DOMNode $insertBefore = null) { $objXMLSecDSig = new XMLSecurityDSig(); $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N); switch ($key->type) { case XMLSecurityKey::RSA_SHA256: $type = XMLSecurityDSig::SHA256; break; case XMLSecurityKey::RSA_SHA384: $type = XMLSecurityDSig::SHA384; break; case XMLSecurityKey::RSA_SHA512: $type = XMLSecurityDSig::SHA512; break; default: $type = XMLSecurityDSig::SHA1; } $objXMLSecDSig->addReferenceList(array($root), $type, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N), array('id_name' => 'ID', 'overwrite' => false)); $objXMLSecDSig->sign($key); foreach ($certificates as $certificate) { $objXMLSecDSig->add509Cert($certificate, true); } $objXMLSecDSig->insertSignature($root, $insertBefore); }
public function signSoapDoc($objKey, $options = null) { $objDSig = new XMLSecurityDSig(); $objDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N); $arNodes = array(); foreach ($this->secNode->childNodes as $node) { if ($node->nodeType == XML_ELEMENT_NODE) { $arNodes[] = $node; } } if ($this->signAllHeaders) { foreach ($this->secNode->parentNode->childNodes as $node) { if ($node->nodeType == XML_ELEMENT_NODE && $node->namespaceURI != self::WSSENS) { $arNodes[] = $node; } } } if ($this->signBody) { foreach ($this->envelope->childNodes as $node) { if ($node->namespaceURI == $this->soapNS && $node->localName == 'Body') { $arNodes[] = $node; break; } } } $algorithm = XMLSecurityDSig::SHA1; if (is_array($options) && isset($options['algorithm'])) { $algorithm = $options['algorithm']; } $arOptions = array('prefix' => self::WSUPFX, 'prefix_ns' => self::WSUNS); $objDSig->addReferenceList($arNodes, $algorithm, null, $arOptions); $objDSig->sign($objKey); $insertTop = true; if (is_array($options) && isset($options['insertBefore'])) { $insertTop = (bool) $options['insertBefore']; } $objDSig->appendSignature($this->secNode, $insertTop); /* New suff */ if (is_array($options)) { if (!empty($options['KeyInfo'])) { if (!empty($options['KeyInfo']['X509SubjectKeyIdentifier'])) { $sigNode = $this->secNode->firstChild->nextSibling; $objDoc = $sigNode->ownerDocument; $keyInfo = $sigNode->ownerDocument->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:KeyInfo'); $sigNode->appendChild($keyInfo); $tokenRef = $objDoc->createElementNS(self::WSSENS, self::WSSEPFX . ':SecurityTokenReference'); $keyInfo->appendChild($tokenRef); $reference = $objDoc->createElementNS(self::WSSENS, self::WSSEPFX . ':KeyIdentifier'); $reference->setAttribute('ValueType', 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier'); $reference->setAttribute('EncodingType', 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'); $tokenRef->appendChild($reference); $x509 = openssl_x509_parse($objKey->getX509Certificate()); $keyid = $x509['extensions']['subjectKeyIdentifier']; $arkeyid = split(':', $keyid); $data = ''; foreach ($arkeyid as $hexchar) { $data .= chr(hexdec($hexchar)); } $dataNode = new DOMText(base64_encode($data)); $reference->appendChild($dataNode); } } } }
/** * @param \DOMNode $parent * @param SerializationContext $context */ public function serialize(\DOMNode $parent, SerializationContext $context) { if ($this->signingOptions && false === $this->signingOptions->isEnabled()) { return; } $objXMLSecDSig = new XMLSecurityDSig(); $objXMLSecDSig->setCanonicalMethod($this->getCanonicalMethod()); $key = $this->getXmlSecurityKey(); switch ($key->type) { case XMLSecurityKey::RSA_SHA256: $type = XMLSecurityDSig::SHA256; break; case XMLSecurityKey::RSA_SHA384: $type = XMLSecurityDSig::SHA384; break; case XMLSecurityKey::RSA_SHA512: $type = XMLSecurityDSig::SHA512; break; default: $type = XMLSecurityDSig::SHA1; } $objXMLSecDSig->addReferenceList(array($parent), $type, array(SamlConstants::XMLSEC_TRANSFORM_ALGORITHM_ENVELOPED_SIGNATURE, XMLSecurityDSig::EXC_C14N), array('id_name' => $this->getIDName(), 'overwrite' => false)); $objXMLSecDSig->sign($key); $objXMLSecDSig->add509Cert($this->getCertificate()->getData(), false, false, $this->signingOptions ? $this->signingOptions->getCertificateOptions()->all() : null); $firstChild = $parent->hasChildNodes() ? $parent->firstChild : null; if ($firstChild && $firstChild->localName == 'Issuer') { // The signature node should come after the issuer node $firstChild = $firstChild->nextSibling; } $objXMLSecDSig->insertSignature($parent, $firstChild); }