/** * Check the Signature in a XML element. * * This function expects the XML element to contain a Signature-element * which contains a reference to the XML-element. This is common for both * messages and assertions. * * Note that this function only validates the element itself. It does not * check this against any local keys. * * If no Signature-element is located, this function will return false. All * other validation errors result in an exception. On successful validation * an array will be returned. This array contains the information required to * check the signature against a public key. * * @param \DOMElement $root The element which should be validated. * @return array|bool An array with information about the Signature-element. * @throws \Exception */ public static function validateElement(\DOMElement $root) { /* Create an XML security object. */ $objXMLSecDSig = new XMLSecurityDSig(); /* Both SAML messages and SAML assertions use the 'ID' attribute. */ $objXMLSecDSig->idKeys[] = 'ID'; /* Locate the XMLDSig Signature element to be used. */ $signatureElement = self::xpQuery($root, './ds:Signature'); if (count($signatureElement) === 0) { /* We don't have a signature element ot validate. */ return false; } elseif (count($signatureElement) > 1) { throw new \Exception('XMLSec: more than one signature element in root.'); } $signatureElement = $signatureElement[0]; $objXMLSecDSig->sigNode = $signatureElement; /* Canonicalize the XMLDSig SignedInfo element in the message. */ $objXMLSecDSig->canonicalizeSignedInfo(); /* Validate referenced xml nodes. */ if (!$objXMLSecDSig->validateReference()) { throw new \Exception('XMLsec: digest validation failed'); } /* Check that $root is one of the signed nodes. */ $rootSigned = false; /** @var \DOMNode $signedNode */ foreach ($objXMLSecDSig->getValidatedNodes() as $signedNode) { if ($signedNode->isSameNode($root)) { $rootSigned = true; break; } elseif ($root->parentNode instanceof \DOMDocument && $signedNode->isSameNode($root->ownerDocument)) { /* $root is the root element of a signed document. */ $rootSigned = true; break; } } if (!$rootSigned) { throw new \Exception('XMLSec: The root element is not signed.'); } /* Now we extract all available X509 certificates in the signature element. */ $certificates = array(); foreach (self::xpQuery($signatureElement, './ds:KeyInfo/ds:X509Data/ds:X509Certificate') as $certNode) { $certData = trim($certNode->textContent); $certData = str_replace(array("\r", "\n", "\t", ' '), '', $certData); $certificates[] = $certData; } $ret = array('Signature' => $objXMLSecDSig, 'Certificates' => $certificates); return $ret; }