SimpleSAML_Metadata_Signer Class Reference

Collaboration diagram for SimpleSAML_Metadata_Signer:

Static Public Member Functions
static	sign ($metadataString, $entityMetadata, $type)
	Signs the given metadata if metadata signing is enabled. More...

Static Private Member Functions
static	findKeyCert ($config, $entityMetadata, $type)
	This functions finds what key & certificate files should be used to sign the metadata for the given entity. More...
static	isMetadataSigningEnabled ($config, $entityMetadata, $type)
	Determine whether metadata signing is enabled for the given metadata. More...
static	getMetadataSigningAlgorithm ($config, $entityMetadata, $type)
	Determine the signature and digest algorithms to use when signing metadata. More...

Detailed Description

Definition at line 10 of file Signer.php.

Member Function Documentation

findKeyCert()

static SimpleSAML_Metadata_Signer::findKeyCert (   $config,   $entityMetadata,   $type  )

staticprivate

This functions finds what key & certificate files should be used to sign the metadata for the given entity.

Parameters

SimpleSAML_Configuration	$config	Our SimpleSAML_Configuration instance.
array	$entityMetadata	The metadata of the entity.
string	$type	A string which describes the type entity this is, e.g. 'SAML 2 IdP' or 'Shib 1.3 SP'.

Returns

array An associative array with the keys 'privatekey', 'certificate', and optionally 'privatekey_pass'.

Exceptions

Exception

If the key and certificate used to sign is unknown.

Definition at line 25 of file Signer.php.

    {
        // first we look for metadata.privatekey and metadata.certificate in the metadata
        if (array_key_exists('metadata.sign.privatekey', $entityMetadata)
            || array_key_exists('metadata.sign.certificate', $entityMetadata)
        ) {
 
            if (!array_key_exists('metadata.sign.privatekey', $entityMetadata)
                || !array_key_exists('metadata.sign.certificate', $entityMetadata)
            ) {
 
                throw new Exception(
                    'Missing either the "metadata.sign.privatekey" or the'.
                    ' "metadata.sign.certificate" configuration option in the metadata for'.
                    ' the '.$type.' "'.$entityMetadata['entityid'].'". If one of'.
                    ' these options is specified, then the other must also be specified.'
                );
            }
 
            $ret = array(
                'privatekey'  => $entityMetadata['metadata.sign.privatekey'],
                'certificate' => $entityMetadata['metadata.sign.certificate']
            );
 
            if (array_key_exists('metadata.sign.privatekey_pass', $entityMetadata)) {
                $ret['privatekey_pass'] = $entityMetadata['metadata.sign.privatekey_pass'];
            }
 
            return $ret;
        }
 
        // then we look for default values in the global configuration
        $privatekey = $config->getString('metadata.sign.privatekey', null);
        $certificate = $config->getString('metadata.sign.certificate', null);
        if ($privatekey !== null || $certificate !== null) {
            if ($privatekey === null || $certificate === null) {
                throw new Exception(
                    'Missing either the "metadata.sign.privatekey" or the'.
                    ' "metadata.sign.certificate" configuration option in the global'.
                    ' configuration. If one of these options is specified, then the other'.
                    ' must also be specified.'
                );
            }
            $ret = array('privatekey' => $privatekey, 'certificate' => $certificate);
 
            $privatekey_pass = $config->getString('metadata.sign.privatekey_pass', null);
            if ($privatekey_pass !== null) {
                $ret['privatekey_pass'] = $privatekey_pass;
            }
 
            return $ret;
        }
 
        // as a last resort we attempt to use the privatekey and certificate option from the metadata
        if (array_key_exists('privatekey', $entityMetadata)
            || array_key_exists('certificate', $entityMetadata)
        ) {
 
            if (!array_key_exists('privatekey', $entityMetadata)
                || !array_key_exists('certificate', $entityMetadata)
            ) {
                throw new Exception(
                    'Both the "privatekey" and the "certificate" option must'.
                    ' be set in the metadata for the '.$type.' "'.
                    $entityMetadata['entityid'].'" before it is possible to sign metadata'.
                    ' from this entity.'
                );
            }
 
            $ret = array(
                'privatekey'  => $entityMetadata['privatekey'],
                'certificate' => $entityMetadata['certificate']
            );
 
            if (array_key_exists('privatekey_pass', $entityMetadata)) {
                $ret['privatekey_pass'] = $entityMetadata['privatekey_pass'];
            }
 
            return $ret;
        }
 
        throw new Exception(
            'Could not find what key & certificate should be used to sign the metadata'.
            ' for the '.$type.' "'.$entityMetadata['entityid'].'".'
        );
    }

References $certificate, $config, $ret, and $type.

Referenced by sign().

Here is the caller graph for this function:

getMetadataSigningAlgorithm()

static SimpleSAML_Metadata_Signer::getMetadataSigningAlgorithm (   $config,   $entityMetadata,   $type  )

staticprivate

Determine the signature and digest algorithms to use when signing metadata.

This method will look for the 'metadata.sign.algorithm' key in the $entityMetadata array, or look for such a configuration option in the $config object.

Parameters

SimpleSAML_Configuration	$config	The global configuration.
array	$entityMetadata	An array containing the metadata related to this entity.
string	$type	A string describing the type of entity. E.g. 'SAML 2 IdP' or 'Shib 1.3 SP'.

Returns

array An array with two keys, 'algorithm' and 'digest', corresponding to the signature and digest algorithms to use, respectively.

Exceptions

SimpleSAML\Error\CriticalConfigurationError

Todo:

change to SHA256 by default.

Definition at line 162 of file Signer.php.

    {
        // configure the algorithm to use
        if (array_key_exists('metadata.sign.algorithm', $entityMetadata)) {
            if (!is_string($entityMetadata['metadata.sign.algorithm'])) {
                throw new \SimpleSAML\Error\CriticalConfigurationError(
                    "Invalid value for the 'metadata.sign.algorithm' configuration option for the ".$type.
                    "'".$entityMetadata['entityid']."'. This option has restricted values"
                );
            }
            $alg = $entityMetadata['metadata.sign.algorithm'];
        } else {
            $alg = $config->getString('metadata.sign.algorithm', XMLSecurityKey::RSA_SHA1);
        }
 
        $supported_algs = array(
            XMLSecurityKey::RSA_SHA1,
            XMLSecurityKey::RSA_SHA256,
            XMLSecurityKey::RSA_SHA384,
            XMLSecurityKey::RSA_SHA512,
        );
 
        if (!in_array($alg, $supported_algs, true)) {
            throw new \SimpleSAML\Error\CriticalConfigurationError("Unknown signature algorithm '$alg'");
        }
 
        switch ($alg) {
            case XMLSecurityKey::RSA_SHA256:
                $digest = XMLSecurityDSig::SHA256;
                break;
            case XMLSecurityKey::RSA_SHA384:
                $digest = XMLSecurityDSig::SHA384;
                break;
            case XMLSecurityKey::RSA_SHA512:
                $digest = XMLSecurityDSig::SHA512;
                break;
            default:
                $digest = XMLSecurityDSig::SHA1;
        }
 
        return array(
            'algorithm' => $alg,
            'digest' => $digest,
        );
    }

References $config, and $type.

Referenced by sign().

Here is the caller graph for this function:

isMetadataSigningEnabled()

static SimpleSAML_Metadata_Signer::isMetadataSigningEnabled (   $config,   $entityMetadata,   $type  )

staticprivate

Determine whether metadata signing is enabled for the given metadata.

Parameters

SimpleSAML_Configuration	$config	Our SimpleSAML_Configuration instance.
array	$entityMetadata	The metadata of the entity.
string	$type	A string which describes the type entity this is, e.g. 'SAML 2 IdP' or 'Shib 1.3 SP'.

Returns

boolean True if metadata signing is enabled, false otherwise.

Exceptions

Exception

If the value of the 'metadata.sign.enable' option is not a boolean.

Definition at line 124 of file Signer.php.

    {
        // first check the metadata for the entity
        if (array_key_exists('metadata.sign.enable', $entityMetadata)) {
            if (!is_bool($entityMetadata['metadata.sign.enable'])) {
                throw new Exception(
                    'Invalid value for the "metadata.sign.enable" configuration option for'.
                    ' the '.$type.' "'.$entityMetadata['entityid'].'". This option'.
                    ' should be a boolean.'
                );
            }
 
            return $entityMetadata['metadata.sign.enable'];
        }
 
        $enabled = $config->getBoolean('metadata.sign.enable', false);
 
        return $enabled;
    }

References $config, and $type.

sign()

static SimpleSAML_Metadata_Signer::sign (   $metadataString,   $entityMetadata,   $type  )

static

Signs the given metadata if metadata signing is enabled.

Parameters

string	$metadataString	A string with the metadata.
array	$entityMetadata	The metadata of the entity.
string	$type	A string which describes the type entity this is, e.g. 'SAML 2 IdP' or 'Shib 1.3 SP'.

Returns

string The $metadataString with the signature embedded.

Exceptions

Exception

If the certificate or private key cannot be loaded, or the metadata doesn't parse properly.

Definition at line 219 of file Signer.php.

    {
        $config = SimpleSAML_Configuration::getInstance();
 
        // check if metadata signing is enabled
        if (!self::isMetadataSigningEnabled($config, $entityMetadata, $type)) {
            return $metadataString;
        }
 
        // find the key & certificate which should be used to sign the metadata
        $keyCertFiles = self::findKeyCert($config, $entityMetadata, $type);
 
        $keyFile = \SimpleSAML\Utils\Config::getCertPath($keyCertFiles['privatekey']);
        if (!file_exists($keyFile)) {
            throw new Exception('Could not find private key file ['.$keyFile.'], which is needed to sign the metadata');
        }
        $keyData = file_get_contents($keyFile);
 
        $certFile = \SimpleSAML\Utils\Config::getCertPath($keyCertFiles['certificate']);
        if (!file_exists($certFile)) {
            throw new Exception(
                'Could not find certificate file ['.$certFile.'], which is needed to sign the metadata'
            );
        }
        $certData = file_get_contents($certFile);
 
 
        // convert the metadata to a DOM tree
        try {
            $xml = \SAML2\DOMDocumentFactory::fromString($metadataString);
        } catch(Exception $e) {
            throw new Exception('Error parsing self-generated metadata.');
        }
 
        $signature_cf = self::getMetadataSigningAlgorithm($config, $entityMetadata, $type);
 
        // load the private key
        $objKey = new XMLSecurityKey($signature_cf['algorithm'], array('type' => 'private'));
        if (array_key_exists('privatekey_pass', $keyCertFiles)) {
            $objKey->passphrase = $keyCertFiles['privatekey_pass'];
        }
        $objKey->loadKey($keyData, false);
 
        // get the EntityDescriptor node we should sign
        $rootNode = $xml->firstChild;
 
        // sign the metadata with our private key
        if ($type == 'ADFS IdP') {
            $objXMLSecDSig = new sspmod_adfs_XMLSecurityDSig($metadataString);
        } else {
            $objXMLSecDSig = new XMLSecurityDSig();
        }
 
        $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
 
        $objXMLSecDSig->addReferenceList(
            array($rootNode),
            $signature_cf['digest'],
            array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N),
            array('id_name' => 'ID')
        );
 
        $objXMLSecDSig->sign($objKey);
 
        // add the certificate to the signature
        $objXMLSecDSig->add509Cert($certData, true);
 
        // add the signature to the metadata
        $objXMLSecDSig->insertSignature($rootNode, $rootNode->firstChild);
 
        // return the DOM tree as a string
        return $xml->saveXML();
    }

References $config, $type, $xml, findKeyCert(), SAML2\DOMDocumentFactory\fromString(), SimpleSAML\Utils\Config\getCertPath(), SimpleSAML_Configuration\getInstance(), and getMetadataSigningAlgorithm().

Here is the call graph for this function:

---

The documentation for this class was generated from the following file:

• libs/composer/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/Metadata/Signer.php