/** * Test that signatures no longer validate if the value has been tampered with. */ public function testValidateWithValueTampering() { // Test modification of SignatureValue. $signedMockElementCopy = Utils::copyElement($this->signedMockElement); $signedMockElementCopy->ownerDocument->appendChild($signedMockElementCopy); $digestValueElements = Utils::xpQuery($signedMockElementCopy, '/root/ds:Signature/ds:SignatureValue'); $this->assertCount(1, $digestValueElements); $digestValueElements[0]->firstChild->data = 'invalid'; $tmp = new SignedElementHelperMock($signedMockElementCopy); $this->setExpectedException('Exception', 'Unable to validate Signature'); $tmp->validate(CertificatesMock::getPublicKey()); }
/** * Due to the fact that the symmetric key is generated each time, we cannot test whether or not the resulting XML * matches a specific XML, but we can test whether or not the resulting structure is actually correct, conveying * all information required to decrypt the NameId. */ public function testThatAnEncryptedNameIdResultsInTheCorrectXmlStructure() { // the NameID we're going to encrypt $nameId = array('Value' => md5('Arthur Dent'), 'Format' => Constants::NAMEID_ENCRYPTED); // basic AuthnRequest $request = new AuthnRequest(); $request->setIssuer('https://gateway.stepup.org/saml20/sp/metadata'); $request->setDestination('https://tiqr.stepup.org/idp/profile/saml2/Redirect/SSO'); $request->setNameId($nameId); // encrypt the NameID $key = CertificatesMock::getPublicKey(); $request->encryptNameId($key); $expectedXml = <<<AUTHNREQUEST <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="" Version="" IssueInstant="" Destination=""> <saml:Issuer></saml:Issuer> <saml:Subject> <saml:EncryptedID xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> </dsig:KeyInfo> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </saml:EncryptedID> </saml:Subject> </samlp:AuthnRequest> AUTHNREQUEST; $expectedStructure = DOMDocumentFactory::fromString($expectedXml)->documentElement; $requestStructure = $request->toUnsignedXML(); $this->assertEqualXMLStructure($expectedStructure, $requestStructure); }
/** * Test validating a signed authentication request. */ public function testSignedRequestValidationWrongKeytype() { $qs = 'SAMLRequest=nVLBauMwEP0Vo7sjW7FpKpJA2rBsoNuGOruHXhZFHm8EsuRqxtv27yvbWWgvYelFgjfvzbx5zBJVazu56enkHuG5B6TktbUO5VhYsT446RUalE61gJK0rDY%2F7qSYZbILnrz2ln2QXFYoRAhkvGPJbrtiv7VoygJEoTJ9LOusXDSFuJ4vdH6cxwoIEGUjsrqoFUt%2BQcCoXLHYKMoRe9g5JOUoQlleprlI8%2FyQz6W4ksXiiSXbuI1xikbViahDyfkRSM2wD40DmjnL0bSdhcE6Hx7BTd3xqnqoIPw1GmbdqWPJNx80jCGtGIUeWLL5t8mtd9i3EM78n493%2FzWr9XVvx%2B58mj39IlUaR%2FQmKOPq4Dtkyf4c9E1EjPtzOePjREL5%2FXDYp%2FuH6sDWy6G3HDML66%2B5ayO7VlHx2dySf2y9nM7pPprabffeGv02ZNcquux5QEydNiNVUlAODTiKMVvrX24DKIJz8nw9jfx8tOt3&RelayState=https%3A%2F%2Fbeta.surfnet.nl%2Fsimplesaml%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3DBraindrops&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=b%2Bqe%2FXGgICOrEL1v9dwuoy0RJtJ%2FGNAr7gJGYSJzLG0riPKwo7v5CH8GPC2P9IRikaeaNeQrnhBAaf8FCWrO0cLFw4qR6msK9bxRBGk%2BhIaTUYCh54ETrVCyGlmBneMgC5%2FiCRvtEW3ESPXCCqt8Ncu98yZmv9LIVyHSl67Se%2BfbB9sDw3%2FfzwYIHRMqK2aS8jnsnqlgnBGGOXqIqN3%2Bd%2F2dwtCfz14s%2F9odoYzSUv32qfNPiPez6PSNqwhwH7dWE3TlO%2FjZmz0DnOeQ2ft6qdZEi5ZN5KCV6VmNKpkrLMq6DDPnuwPm%2F8oCAoT88R2jG7uf9QZB%2BArWJKMEhDLsCA%3D%3D'; $_SERVER['QUERY_STRING'] = $qs; $hr = new HTTPRedirect(); $request = $hr->receive(); // validate with wrong type of cert $this->setExpectedException('Exception', 'Invalid key type for validating signature'); $result = $request->validate(CertificatesMock::getPublicKey()); }
public function testTypedEncryptedAttributeValuesAreParsedCorrectly() { $xml = <<<XML <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="_93af655219464fb403b34436cfb0c5cb1d9a5502" IssueInstant="1970-01-01T01:33:31Z"> <saml:Issuer>Provider</saml:Issuer> <saml:Conditions/> <saml:AttributeStatement> <saml:Attribute Name="urn:some:string"> <saml:AttributeValue xsi:type="xs:string">string</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="urn:some:integer"> <saml:AttributeValue xsi:type="xs:integer">42</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> XML; $privateKey = CertificatesMock::getPublicKey(); $assertion = new Assertion(DOMDocumentFactory::fromString($xml)->firstChild); $assertion->setEncryptionKey($privateKey); $assertion->setEncryptedAttributes(true); $encryptedAssertion = $assertion->toXML()->ownerDocument->saveXML(); $assertionToVerify = new Assertion(DOMDocumentFactory::fromString($encryptedAssertion)->firstChild); $this->assertTrue($assertionToVerify->hasEncryptedAttributes()); $assertionToVerify->decryptAttributes(CertificatesMock::getPrivateKey()); $attributes = $assertionToVerify->getAttributes(); $this->assertInternalType('int', $attributes['urn:some:integer'][0]); $this->assertInternalType('string', $attributes['urn:some:string'][0]); $this->assertXmlStringEqualsXmlString($xml, $assertionToVerify->toXML()->ownerDocument->saveXML()); }
/** * Test NameID Encryption and Decryption. */ public function testNameIdEncryption() { // Create an assertion $assertion = new Assertion(); $assertion->setIssuer('testIssuer'); $assertion->setValidAudiences(array('audience1', 'audience2')); $assertion->setAuthnContext('someAuthnContext'); $assertion->setNameId(array("Value" => "just_a_basic_identifier", "Format" => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient")); $this->assertFalse($assertion->isNameIdEncrypted()); $publicKey = CertificatesMock::getPublicKey(); $assertion->encryptNameId($publicKey); $this->assertTrue($assertion->isNameIdEncrypted()); // Marshall it to a \DOMElement $assertionElement = $assertion->toXML()->ownerDocument->saveXML(); $assertionToVerify = new Assertion(DOMDocumentFactory::fromString($assertionElement)->firstChild); $this->assertTrue($assertionToVerify->isNameIdEncrypted()); $privateKey = CertificatesMock::getPrivateKey(); $assertionToVerify->decryptNameId($privateKey); $this->assertFalse($assertionToVerify->isNameIdEncrypted()); $nameID = $assertionToVerify->getNameID(); $this->assertEquals('just_a_basic_identifier', $nameID['Value']); $this->assertEquals('urn:oasis:names:tc:SAML:2.0:nameid-format:transient', $nameID['Format']); }