ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
SimpleSAML_Metadata_Signer Class Reference
+ Collaboration diagram for SimpleSAML_Metadata_Signer:

Static Public Member Functions

static sign ($metadataString, $entityMetadata, $type)
 Signs the given metadata if metadata signing is enabled. More...
 

Static Private Member Functions

static findKeyCert ($config, $entityMetadata, $type)
 This functions finds what key & certificate files should be used to sign the metadata for the given entity. More...
 
static isMetadataSigningEnabled ($config, $entityMetadata, $type)
 Determine whether metadata signing is enabled for the given metadata. More...
 
static getMetadataSigningAlgorithm ($config, $entityMetadata, $type)
 Determine the signature and digest algorithms to use when signing metadata. More...
 

Detailed Description

Definition at line 10 of file Signer.php.

Member Function Documentation

◆ findKeyCert()

static SimpleSAML_Metadata_Signer::findKeyCert (   $config,
  $entityMetadata,
  $type 
)
staticprivate

This functions finds what key & certificate files should be used to sign the metadata for the given entity.

Parameters
SimpleSAML_Configuration$configOur SimpleSAML_Configuration instance.
array$entityMetadataThe metadata of the entity.
string$typeA string which describes the type entity this is, e.g. 'SAML 2 IdP' or 'Shib 1.3 SP'.
Returns
array An associative array with the keys 'privatekey', 'certificate', and optionally 'privatekey_pass'.
Exceptions
ExceptionIf the key and certificate used to sign is unknown.

Definition at line 25 of file Signer.php.

26 {
27 // first we look for metadata.privatekey and metadata.certificate in the metadata
28 if (array_key_exists('metadata.sign.privatekey', $entityMetadata)
29 || array_key_exists('metadata.sign.certificate', $entityMetadata)
30 ) {
31
32 if (!array_key_exists('metadata.sign.privatekey', $entityMetadata)
33 || !array_key_exists('metadata.sign.certificate', $entityMetadata)
34 ) {
35
36 throw new Exception(
37 'Missing either the "metadata.sign.privatekey" or the'.
38 ' "metadata.sign.certificate" configuration option in the metadata for'.
39 ' the '.$type.' "'.$entityMetadata['entityid'].'". If one of'.
40 ' these options is specified, then the other must also be specified.'
41 );
42 }
43
44 $ret = array(
45 'privatekey' => $entityMetadata['metadata.sign.privatekey'],
46 'certificate' => $entityMetadata['metadata.sign.certificate']
47 );
48
49 if (array_key_exists('metadata.sign.privatekey_pass', $entityMetadata)) {
50 $ret['privatekey_pass'] = $entityMetadata['metadata.sign.privatekey_pass'];
51 }
52
53 return $ret;
54 }
55
56 // then we look for default values in the global configuration
57 $privatekey = $config->getString('metadata.sign.privatekey', null);
58 $certificate = $config->getString('metadata.sign.certificate', null);
59 if ($privatekey !== null || $certificate !== null) {
60 if ($privatekey === null || $certificate === null) {
61 throw new Exception(
62 'Missing either the "metadata.sign.privatekey" or the'.
63 ' "metadata.sign.certificate" configuration option in the global'.
64 ' configuration. If one of these options is specified, then the other'.
65 ' must also be specified.'
66 );
67 }
68 $ret = array('privatekey' => $privatekey, 'certificate' => $certificate);
69
70 $privatekey_pass = $config->getString('metadata.sign.privatekey_pass', null);
71 if ($privatekey_pass !== null) {
72 $ret['privatekey_pass'] = $privatekey_pass;
73 }
74
75 return $ret;
76 }
77
78 // as a last resort we attempt to use the privatekey and certificate option from the metadata
79 if (array_key_exists('privatekey', $entityMetadata)
80 || array_key_exists('certificate', $entityMetadata)
81 ) {
82
83 if (!array_key_exists('privatekey', $entityMetadata)
84 || !array_key_exists('certificate', $entityMetadata)
85 ) {
86 throw new Exception(
87 'Both the "privatekey" and the "certificate" option must'.
88 ' be set in the metadata for the '.$type.' "'.
89 $entityMetadata['entityid'].'" before it is possible to sign metadata'.
90 ' from this entity.'
91 );
92 }
93
94 $ret = array(
95 'privatekey' => $entityMetadata['privatekey'],
96 'certificate' => $entityMetadata['certificate']
97 );
98
99 if (array_key_exists('privatekey_pass', $entityMetadata)) {
100 $ret['privatekey_pass'] = $entityMetadata['privatekey_pass'];
101 }
102
103 return $ret;
104 }
105
106 throw new Exception(
107 'Could not find what key & certificate should be used to sign the metadata'.
108 ' for the '.$type.' "'.$entityMetadata['entityid'].'".'
109 );
110 }
if(@file_exists(dirname(__FILE__).'/lang/eng.php')) $certificate
Definition: example_052.php:77
$ret
Definition: parser.php:6
$type

References $certificate, $config, $ret, and $type.

Referenced by sign().

+ Here is the caller graph for this function:

◆ getMetadataSigningAlgorithm()

static SimpleSAML_Metadata_Signer::getMetadataSigningAlgorithm (   $config,
  $entityMetadata,
  $type 
)
staticprivate

Determine the signature and digest algorithms to use when signing metadata.

This method will look for the 'metadata.sign.algorithm' key in the $entityMetadata array, or look for such a configuration option in the $config object.

Parameters
SimpleSAML_Configuration$configThe global configuration.
array$entityMetadataAn array containing the metadata related to this entity.
string$typeA string describing the type of entity. E.g. 'SAML 2 IdP' or 'Shib 1.3 SP'.
Returns
array An array with two keys, 'algorithm' and 'digest', corresponding to the signature and digest algorithms to use, respectively.
Exceptions

SimpleSAML\Error\CriticalConfigurationError

Todo:
change to SHA256 by default.

Definition at line 162 of file Signer.php.

163 {
164 // configure the algorithm to use
165 if (array_key_exists('metadata.sign.algorithm', $entityMetadata)) {
166 if (!is_string($entityMetadata['metadata.sign.algorithm'])) {
167 throw new \SimpleSAML\Error\CriticalConfigurationError(
168 "Invalid value for the 'metadata.sign.algorithm' configuration option for the ".$type.
169 "'".$entityMetadata['entityid']."'. This option has restricted values"
170 );
171 }
172 $alg = $entityMetadata['metadata.sign.algorithm'];
173 } else {
174 $alg = $config->getString('metadata.sign.algorithm', XMLSecurityKey::RSA_SHA1);
175 }
176
177 $supported_algs = array(
178 XMLSecurityKey::RSA_SHA1,
179 XMLSecurityKey::RSA_SHA256,
180 XMLSecurityKey::RSA_SHA384,
181 XMLSecurityKey::RSA_SHA512,
182 );
183
184 if (!in_array($alg, $supported_algs, true)) {
185 throw new \SimpleSAML\Error\CriticalConfigurationError("Unknown signature algorithm '$alg'");
186 }
187
188 switch ($alg) {
189 case XMLSecurityKey::RSA_SHA256:
190 $digest = XMLSecurityDSig::SHA256;
191 break;
192 case XMLSecurityKey::RSA_SHA384:
193 $digest = XMLSecurityDSig::SHA384;
194 break;
195 case XMLSecurityKey::RSA_SHA512:
196 $digest = XMLSecurityDSig::SHA512;
197 break;
198 default:
199 $digest = XMLSecurityDSig::SHA1;
200 }
201
202 return array(
203 'algorithm' => $alg,
204 'digest' => $digest,
205 );
206 }

References $config, and $type.

Referenced by sign().

+ Here is the caller graph for this function:

◆ isMetadataSigningEnabled()

static SimpleSAML_Metadata_Signer::isMetadataSigningEnabled (   $config,
  $entityMetadata,
  $type 
)
staticprivate

Determine whether metadata signing is enabled for the given metadata.

Parameters
SimpleSAML_Configuration$configOur SimpleSAML_Configuration instance.
array$entityMetadataThe metadata of the entity.
string$typeA string which describes the type entity this is, e.g. 'SAML 2 IdP' or 'Shib 1.3 SP'.
Returns
boolean True if metadata signing is enabled, false otherwise.
Exceptions
ExceptionIf the value of the 'metadata.sign.enable' option is not a boolean.

Definition at line 124 of file Signer.php.

125 {
126 // first check the metadata for the entity
127 if (array_key_exists('metadata.sign.enable', $entityMetadata)) {
128 if (!is_bool($entityMetadata['metadata.sign.enable'])) {
129 throw new Exception(
130 'Invalid value for the "metadata.sign.enable" configuration option for'.
131 ' the '.$type.' "'.$entityMetadata['entityid'].'". This option'.
132 ' should be a boolean.'
133 );
134 }
135
136 return $entityMetadata['metadata.sign.enable'];
137 }
138
139 $enabled = $config->getBoolean('metadata.sign.enable', false);
140
141 return $enabled;
142 }

References $config, and $type.

◆ sign()

static SimpleSAML_Metadata_Signer::sign (   $metadataString,
  $entityMetadata,
  $type 
)
static

Signs the given metadata if metadata signing is enabled.

Parameters
string$metadataStringA string with the metadata.
array$entityMetadataThe metadata of the entity.
string$typeA string which describes the type entity this is, e.g. 'SAML 2 IdP' or 'Shib 1.3 SP'.
Returns
string The $metadataString with the signature embedded.
Exceptions
ExceptionIf the certificate or private key cannot be loaded, or the metadata doesn't parse properly.

Definition at line 219 of file Signer.php.

220 {
222
223 // check if metadata signing is enabled
224 if (!self::isMetadataSigningEnabled($config, $entityMetadata, $type)) {
225 return $metadataString;
226 }
227
228 // find the key & certificate which should be used to sign the metadata
229 $keyCertFiles = self::findKeyCert($config, $entityMetadata, $type);
230
231 $keyFile = \SimpleSAML\Utils\Config::getCertPath($keyCertFiles['privatekey']);
232 if (!file_exists($keyFile)) {
233 throw new Exception('Could not find private key file ['.$keyFile.'], which is needed to sign the metadata');
234 }
235 $keyData = file_get_contents($keyFile);
236
237 $certFile = \SimpleSAML\Utils\Config::getCertPath($keyCertFiles['certificate']);
238 if (!file_exists($certFile)) {
239 throw new Exception(
240 'Could not find certificate file ['.$certFile.'], which is needed to sign the metadata'
241 );
242 }
243 $certData = file_get_contents($certFile);
244
245
246 // convert the metadata to a DOM tree
247 try {
249 } catch(Exception $e) {
250 throw new Exception('Error parsing self-generated metadata.');
251 }
252
253 $signature_cf = self::getMetadataSigningAlgorithm($config, $entityMetadata, $type);
254
255 // load the private key
256 $objKey = new XMLSecurityKey($signature_cf['algorithm'], array('type' => 'private'));
257 if (array_key_exists('privatekey_pass', $keyCertFiles)) {
258 $objKey->passphrase = $keyCertFiles['privatekey_pass'];
259 }
260 $objKey->loadKey($keyData, false);
261
262 // get the EntityDescriptor node we should sign
263 $rootNode = $xml->firstChild;
264
265 // sign the metadata with our private key
266 if ($type == 'ADFS IdP') {
267 $objXMLSecDSig = new sspmod_adfs_XMLSecurityDSig($metadataString);
268 } else {
269 $objXMLSecDSig = new XMLSecurityDSig();
270 }
271
272 $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
273
274 $objXMLSecDSig->addReferenceList(
275 array($rootNode),
276 $signature_cf['digest'],
277 array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N),
278 array('id_name' => 'ID')
279 );
280
281 $objXMLSecDSig->sign($objKey);
282
283 // add the certificate to the signature
284 $objXMLSecDSig->add509Cert($certData, true);
285
286 // add the signature to the metadata
287 $objXMLSecDSig->insertSignature($rootNode, $rootNode->firstChild);
288
289 // return the DOM tree as a string
290 return $xml->saveXML();
291 }
static getCertPath($path)
Resolves a path that may be relative to the cert-directory.
Definition: Config.php:22
static getInstance($instancename='simplesaml')
Get a configuration file by its instance name.
static findKeyCert($config, $entityMetadata, $type)
This functions finds what key & certificate files should be used to sign the metadata for the given e...
Definition: Signer.php:25
static getMetadataSigningAlgorithm($config, $entityMetadata, $type)
Determine the signature and digest algorithms to use when signing metadata.
Definition: Signer.php:162
$xml
Definition: metadata.php:240

References $config, $type, $xml, findKeyCert(), SAML2\DOMDocumentFactory\fromString(), SimpleSAML\Utils\Config\getCertPath(), SimpleSAML_Configuration\getInstance(), and getMetadataSigningAlgorithm().

+ Here is the call graph for this function:

The documentation for this class was generated from the following file: