Collaboration diagram for sspmod_saml_Message:

Static Public Member Functions
static	addSign (SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, \SAML2\SignedElement $element)
	Add signature key and sender certificate to an element (Message or Assertion). More...

static	checkSign (SimpleSAML_Configuration $srcMetadata, \SAML2\SignedElement $element)
	Check the signature on a SAML2 message or assertion. More...

static	validateMessage (SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, \SAML2\Message $message)
	Check signature on a SAML2 message if enabled. More...

static	getDecryptionKeys (SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata)
	Retrieve the decryption keys from metadata. More...

static	getBlacklistedAlgorithms (SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata)
	Retrieve blacklisted algorithms. More...

static	getResponseError (\SAML2\StatusResponse $response)
	Retrieve the status code of a response as a sspmod_saml_Error. More...

static	buildAuthnRequest (SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata)
	Build an authentication request based on information in the metadata. More...

static	buildLogoutRequest (SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata)
	Build a logout request based on information in the metadata. More...

static	buildLogoutResponse (SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata)
	Build a logout response based on information in the metadata. More...

static	processResponse (SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata, \SAML2\Response $response)
	Process a response message. More...

static	getEncryptionKey (SimpleSAML_Configuration $metadata)
	Retrieve the encryption key for the given entity. More...

Static Private Member Functions
static	addRedirectSign (SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, \SAML2\Message $message)
	Add signature key and and senders certificate to message. More...

static	findCertificate (array $certFingerprints, array $certificates)
	Find the certificate used to sign a message or assertion. More...

static	decryptAssertion (SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, $assertion)
	Decrypt an assertion. More...

static	processAssertion (SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata, \SAML2\Response $response, $assertion, $responseSigned)
	Process an assertion in a response. More...

Detailed Description

Definition at line 10 of file Message.php.

Member Function Documentation

◆ addRedirectSign()

static sspmod_saml_Message::addRedirectSign	(	SimpleSAML_Configuration	$srcMetadata,
		SimpleSAML_Configuration	$dstMetadata,
		\SAML2\Message	$message
	)

staticprivate

Add signature key and and senders certificate to message.

Parameters

SimpleSAML_Configuration	$srcMetadata	The metadata of the sender.
SimpleSAML_Configuration	$dstMetadata	The metadata of the recipient.
\SAML2\Message	$message	The message we should add the data to.

Definition at line 79 of file Message.php.

      {
 
        $signingEnabled = null;
        if ($message instanceof \SAML2\LogoutRequest || $message instanceof \SAML2\LogoutResponse) {
            $signingEnabled = $srcMetadata->getBoolean('sign.logout', null);
            if ($signingEnabled === null) {
                $signingEnabled = $dstMetadata->getBoolean('sign.logout', null);
            }
        } elseif ($message instanceof \SAML2\AuthnRequest) {
            $signingEnabled = $srcMetadata->getBoolean('sign.authnrequest', null);
            if ($signingEnabled === null) {
                $signingEnabled = $dstMetadata->getBoolean('sign.authnrequest', null);
            }
        }
 
        if ($signingEnabled === null) {
            $signingEnabled = $dstMetadata->getBoolean('redirect.sign', null);
            if ($signingEnabled === null) {
                $signingEnabled = $srcMetadata->getBoolean('redirect.sign', false);
            }
        }
        if (!$signingEnabled) {
            return;
        }
 
        self::addSign($srcMetadata, $dstMetadata, $message);
    }

References $message, addSign(), and SimpleSAML_Configuration\getBoolean().

Referenced by buildAuthnRequest(), buildLogoutRequest(), and buildLogoutResponse().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ addSign()

static sspmod_saml_Message::addSign	(	SimpleSAML_Configuration	$srcMetadata,
		SimpleSAML_Configuration	$dstMetadata,
		\SAML2\SignedElement	$element
	)

static

Add signature key and sender certificate to an element (Message or Assertion).

Parameters

SimpleSAML_Configuration	$srcMetadata	The metadata of the sender.
SimpleSAML_Configuration	$dstMetadata	The metadata of the recipient.
\SAML2\SignedElement	$element	The element we should add the data to.

Definition at line 20 of file Message.php.

      {
        $dstPrivateKey = $dstMetadata->getString('signature.privatekey', null);
 
        if ($dstPrivateKey !== null) {
            $keyArray = SimpleSAML\Utils\Crypto::loadPrivateKey($dstMetadata, true, 'signature.');
            $certArray = SimpleSAML\Utils\Crypto::loadPublicKey($dstMetadata, false, 'signature.');
        } else {
            $keyArray = SimpleSAML\Utils\Crypto::loadPrivateKey($srcMetadata, true);
            $certArray = SimpleSAML\Utils\Crypto::loadPublicKey($srcMetadata, false);
        }
 
        $algo = $dstMetadata->getString('signature.algorithm', null);
        if ($algo === null) {
            /*
             * In the NIST Special Publication 800-131A, SHA-1 became deprecated for generating
             * new digital signatures in 2011, and will be explicitly disallowed starting the 1st
             * of January, 2014. We'll keep this as a default for the next release and mark it
             * as deprecated, as part of the transition to SHA-256.
             *
             * See http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf for more info.
             *
             * TODO: change default to XMLSecurityKey::RSA_SHA256.
             */
            $algo = $srcMetadata->getString('signature.algorithm', XMLSecurityKey::RSA_SHA1);
        }
 
        $privateKey = new XMLSecurityKey($algo, array('type' => 'private'));
        if (array_key_exists('password', $keyArray)) {
            $privateKey->passphrase = $keyArray['password'];
        }
        $privateKey->loadKey($keyArray['PEM'], false);
 
        $element->setSignatureKey($privateKey);
 
        if ($certArray === null) {
            // we don't have a certificate to add
            return;
        }
 
        if (!array_key_exists('PEM', $certArray)) {
            // we have a public key with only a fingerprint
            return;
        }
 
        $element->setCertificates(array($certArray['PEM']));
    }

References $algo, SimpleSAML_Configuration\getString(), SimpleSAML\Utils\Crypto\loadPrivateKey(), and SimpleSAML\Utils\Crypto\loadPublicKey().

Referenced by addRedirectSign(), sspmod_saml_IdP_SAML2\buildAssertion(), and sspmod_saml_IdP_SAML2\buildResponse().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ buildAuthnRequest()

static sspmod_saml_Message::buildAuthnRequest	(	SimpleSAML_Configuration	$spMetadata,
		SimpleSAML_Configuration	$idpMetadata
	)

static

Build an authentication request based on information in the metadata.

Parameters

SimpleSAML_Configuration	$spMetadata	The metadata of the service provider.
SimpleSAML_Configuration	$idpMetadata	The metadata of the identity provider.

Returns: \SAML2\AuthnRequest An authentication request object.

Definition at line 431 of file Message.php.

      {
        $ar = new \SAML2\AuthnRequest();
 
        // get the NameIDPolicy to apply. IdP metadata has precedence.
        $nameIdPolicy = array();
        if ($idpMetadata->hasValue('NameIDPolicy')) {
            $nameIdPolicy = $idpMetadata->getValue('NameIDPolicy');
        } elseif ($spMetadata->hasValue('NameIDPolicy')) {
            $nameIdPolicy = $spMetadata->getValue('NameIDPolicy');
        }
 
        if (!is_array($nameIdPolicy)) {
            // handle old configurations where 'NameIDPolicy' was used to specify just the format
            $nameIdPolicy = array('Format' => $nameIdPolicy);
        }
 
        $nameIdPolicy_cf = SimpleSAML_Configuration::loadFromArray($nameIdPolicy);
        $policy = array(
            'Format'      => $nameIdPolicy_cf->getString('Format', \SAML2\Constants::NAMEID_TRANSIENT),
            'AllowCreate' => $nameIdPolicy_cf->getBoolean('AllowCreate', true),
        );
        $spNameQualifier = $nameIdPolicy_cf->getString('SPNameQualifier', false);
        if ($spNameQualifier !== false) {
            $policy['SPNameQualifier'] = $spNameQualifier;
        }
        $ar->setNameIdPolicy($policy);
 
        $ar->setForceAuthn($spMetadata->getBoolean('ForceAuthn', false));
        $ar->setIsPassive($spMetadata->getBoolean('IsPassive', false));
 
        $protbind = $spMetadata->getValueValidate('ProtocolBinding', array(
            \SAML2\Constants::BINDING_HTTP_POST,
            \SAML2\Constants::BINDING_HOK_SSO,
            \SAML2\Constants::BINDING_HTTP_ARTIFACT,
            \SAML2\Constants::BINDING_HTTP_REDIRECT,
        ), \SAML2\Constants::BINDING_HTTP_POST);
 
        // Shoaib: setting the appropriate binding based on parameter in sp-metadata defaults to HTTP_POST
        $ar->setProtocolBinding($protbind);
        $ar->setIssuer($spMetadata->getString('entityid'));
        $ar->setAssertionConsumerServiceIndex($spMetadata->getInteger('AssertionConsumerServiceIndex', null));
        $ar->setAttributeConsumingServiceIndex($spMetadata->getInteger('AttributeConsumingServiceIndex', null));
 
        if ($spMetadata->hasValue('AuthnContextClassRef')) {
            $accr = $spMetadata->getArrayizeString('AuthnContextClassRef');
            $comp = $spMetadata->getValueValidate('AuthnContextComparison', array(
                \SAML2\Constants::COMPARISON_EXACT,
                \SAML2\Constants::COMPARISON_MINIMUM,
                \SAML2\Constants::COMPARISON_MAXIMUM,
                \SAML2\Constants::COMPARISON_BETTER,
            ), \SAML2\Constants::COMPARISON_EXACT);
            $ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr, 'Comparison' => $comp));
        }
 
        self::addRedirectSign($spMetadata, $idpMetadata, $ar);
 
        return $ar;
    }

References $idpMetadata, $spMetadata, addRedirectSign(), and SimpleSAML_Configuration\loadFromArray().

Referenced by sspmod_saml_Auth_Source_SP\startSSO2().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ buildLogoutRequest()

static sspmod_saml_Message::buildLogoutRequest	(	SimpleSAML_Configuration	$srcMetadata,
		SimpleSAML_Configuration	$dstMetadata
	)

static

Build a logout request based on information in the metadata.

Parameters

SimpleSAML_Configuration	$srcMetadata	The metadata of the sender.
SimpleSAML_Configuration	$dstMetadata	The metadata of the recipient.

Returns: \SAML2\LogoutRequest A logout request object.

Definition at line 501 of file Message.php.

      {
        $lr = new \SAML2\LogoutRequest();
        $lr->setIssuer($srcMetadata->getString('entityid'));
 
        self::addRedirectSign($srcMetadata, $dstMetadata, $lr);
 
        return $lr;
    }

References $lr, addRedirectSign(), and SimpleSAML_Configuration\getString().

Referenced by sspmod_saml_IdP_SAML2\buildLogoutRequest(), and sspmod_saml_Auth_Source_SP\startSLO2().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ buildLogoutResponse()

static sspmod_saml_Message::buildLogoutResponse	(	SimpleSAML_Configuration	$srcMetadata,
		SimpleSAML_Configuration	$dstMetadata
	)

static

Build a logout response based on information in the metadata.

Parameters

SimpleSAML_Configuration	$srcMetadata	The metadata of the sender.
SimpleSAML_Configuration	$dstMetadata	The metadata of the recipient.

Returns: \SAML2\LogoutResponse A logout response object.

Definition at line 521 of file Message.php.

      {
        $lr = new \SAML2\LogoutResponse();
        $lr->setIssuer($srcMetadata->getString('entityid'));
 
        self::addRedirectSign($srcMetadata, $dstMetadata, $lr);
 
        return $lr;
    }

References $lr, addRedirectSign(), and SimpleSAML_Configuration\getString().

Referenced by sspmod_saml_IdP_SAML2\sendLogoutResponse().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ checkSign()

static sspmod_saml_Message::checkSign	(	SimpleSAML_Configuration	$srcMetadata,
		\SAML2\SignedElement	$element
	)

static

Check the signature on a SAML2 message or assertion.

Parameters

SimpleSAML_Configuration	$srcMetadata	The metadata of the sender.
\SAML2\SignedElement	$element	Either a \SAML2\Response or a \SAML2\Assertion.

Returns: boolean True if the signature is correct, false otherwise.

Exceptions

SimpleSAML_Error_Exception if there is not certificate in the metadata for the entity.

Exceptions

Exception if the signature validation fails with an exception.

Definition at line 159 of file Message.php.

    {
        // find the public key that should verify signatures by this entity
        $keys = $srcMetadata->getPublicKeys('signing');
        if ($keys !== null) {
            $pemKeys = array();
            foreach ($keys as $key) {
                switch ($key['type']) {
                    case 'X509Certificate':
                        $pemKeys[] = "-----BEGIN CERTIFICATE-----\n".
                            chunk_split($key['X509Certificate'], 64).
                            "-----END CERTIFICATE-----\n";
                        break;
                    default:
                        SimpleSAML\Logger::debug('Skipping unknown key type: '.$key['type']);
                }
            }
        } elseif ($srcMetadata->hasValue('certFingerprint')) {
            SimpleSAML\Logger::notice(
                "Validating certificates by fingerprint is deprecated. Please use ".
                "certData or certificate options in your remote metadata configuration."
            );
 
            $certFingerprint = $srcMetadata->getArrayizeString('certFingerprint');
            foreach ($certFingerprint as &$fp) {
                $fp = strtolower(str_replace(':', '', $fp));
            }
 
            $certificates = $element->getCertificates();
 
            // we don't have the full certificate stored. Try to find it in the message or the assertion instead
            if (count($certificates) === 0) {
                /* We need the full certificate in order to match it against the fingerprint. */
                SimpleSAML\Logger::debug('No certificate in message when validating against fingerprint.');
                return false;
            } else {
                SimpleSAML\Logger::debug('Found '.count($certificates).' certificates in '.get_class($element));
            }
 
            $pemCert = self::findCertificate($certFingerprint, $certificates);
            $pemKeys = array($pemCert);
        } else {
            throw new SimpleSAML_Error_Exception(
                'Missing certificate in metadata for '.
                var_export($srcMetadata->getString('entityid'), true)
            );
        }
 
        SimpleSAML\Logger::debug('Has '.count($pemKeys).' candidate keys for validation.');
 
        $lastException = null;
        foreach ($pemKeys as $i => $pem) {
            $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'public'));
            $key->loadKey($pem);
 
            try {
                // make sure that we have a valid signature on either the response or the assertion
                $res = $element->validate($key);
                if ($res) {
                    SimpleSAML\Logger::debug('Validation with key #'.$i.' succeeded.');
                    return true;
                }
                SimpleSAML\Logger::debug('Validation with key #'.$i.' failed without exception.');
            } catch (Exception $e) {
                SimpleSAML\Logger::debug('Validation with key #'.$i.' failed with exception: '.$e->getMessage());
                $lastException = $e;
            }
        }
 
        // we were unable to validate the signature with any of our keys
        if ($lastException !== null) {
            throw $lastException;
        } else {
            return false;
        }
    }

References $certificates, $i, $key, $keys, $res, SimpleSAML\Logger\debug(), findCertificate(), SimpleSAML_Configuration\getArrayizeString(), SimpleSAML_Configuration\getPublicKeys(), SimpleSAML_Configuration\getString(), SimpleSAML_Configuration\hasValue(), and SimpleSAML\Logger\notice().

Referenced by processResponse().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ decryptAssertion()

static sspmod_saml_Message::decryptAssertion	(	SimpleSAML_Configuration	$srcMetadata,
		SimpleSAML_Configuration	$dstMetadata,
			$assertion
	)

staticprivate

Decrypt an assertion.

Parameters

SimpleSAML_Configuration	$srcMetadata	The metadata of the sender (IdP).
SimpleSAML_Configuration	$dstMetadata	The metadata of the recipient (SP).
\SAML2\Assertion \| \SAML2\EncryptedAssertion	$assertion	The assertion we are decrypting.

Returns: \SAML2\Assertion The assertion.

Exceptions

SimpleSAML_Error_Exception if encryption is enabled but the assertion is not encrypted, or if we cannot get the decryption keys.

Exceptions

Exception if decryption fails for whatever reason.

Definition at line 367 of file Message.php.

      {
        assert('$assertion instanceof \SAML2\Assertion || $assertion instanceof \SAML2\EncryptedAssertion');
 
        if ($assertion instanceof \SAML2\Assertion) {
            $encryptAssertion = $srcMetadata->getBoolean('assertion.encryption', null);
            if ($encryptAssertion === null) {
                $encryptAssertion = $dstMetadata->getBoolean('assertion.encryption', false);
            }
            if ($encryptAssertion) {
                /* The assertion was unencrypted, but we have encryption enabled. */
                throw new Exception('Received unencrypted assertion, but encryption was enabled.');
            }
 
            return $assertion;
        }
 
        try {
            $keys = self::getDecryptionKeys($srcMetadata, $dstMetadata);
        } catch (Exception $e) {
            throw new SimpleSAML_Error_Exception('Error decrypting assertion: '.$e->getMessage());
        }
 
        $blacklist = self::getBlacklistedAlgorithms($srcMetadata, $dstMetadata);
 
        $lastException = null;
        foreach ($keys as $i => $key) {
            try {
                $ret = $assertion->getAssertion($key, $blacklist);
                SimpleSAML\Logger::debug('Decryption with key #'.$i.' succeeded.');
                return $ret;
            } catch (Exception $e) {
                SimpleSAML\Logger::debug('Decryption with key #'.$i.' failed with exception: '.$e->getMessage());
                $lastException = $e;
            }
        }
        throw $lastException;
    }

References $i, $key, $keys, $ret, SimpleSAML\Logger\debug(), getBlacklistedAlgorithms(), SimpleSAML_Configuration\getBoolean(), and getDecryptionKeys().

Referenced by processAssertion().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ findCertificate()

static sspmod_saml_Message::findCertificate	(	array	$certFingerprints,
		array	$certificates
	)

staticprivate

Find the certificate used to sign a message or assertion.

An exception is thrown if we are unable to locate the certificate.

Parameters

array	$certFingerprints	The fingerprints we are looking for.
array	$certificates	Array of certificates.

Returns: string Certificate, in PEM-format.

Exceptions

SimpleSAML_Error_Exception if we cannot find the certificate matching the fingerprint.

Definition at line 124 of file Message.php.

    {
        $candidates = array();
 
        foreach ($certificates as $cert) {
            $fp = strtolower(sha1(base64_decode($cert)));
            if (!in_array($fp, $certFingerprints, true)) {
                $candidates[] = $fp;
                continue;
            }
 
            /* We have found a matching fingerprint. */
            $pem = "-----BEGIN CERTIFICATE-----\n".
                chunk_split($cert, 64).
                "-----END CERTIFICATE-----\n";
            return $pem;
        }
 
        $candidates = "'".implode("', '", $candidates)."'";
        $fps = "'".implode("', '", $certFingerprints)."'";
        throw new SimpleSAML_Error_Exception('Unable to find a certificate matching the configured '.
            'fingerprint. Candidates: '.$candidates.'; certFingerprint: '.$fps.'.');
    }

References $certificates.

Referenced by checkSign().

Here is the caller graph for this function:

◆ getBlacklistedAlgorithms()

static sspmod_saml_Message::getBlacklistedAlgorithms	(	SimpleSAML_Configuration	$srcMetadata,
		SimpleSAML_Configuration	$dstMetadata
	)

static

Retrieve blacklisted algorithms.

Remote configuration overrides local configuration.

Parameters

SimpleSAML_Configuration	$srcMetadata	The metadata of the sender.
SimpleSAML_Configuration	$dstMetadata	The metadata of the recipient.

Returns: array Array of blacklisted algorithms.

Definition at line 342 of file Message.php.

      {
        $blacklist = $srcMetadata->getArray('encryption.blacklisted-algorithms', null);
        if ($blacklist === null) {
            $blacklist = $dstMetadata->getArray('encryption.blacklisted-algorithms', array(XMLSecurityKey::RSA_1_5));
        }
        return $blacklist;
    }

References SimpleSAML_Configuration\getArray().

Referenced by decryptAssertion(), and processAssertion().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ getDecryptionKeys()

static sspmod_saml_Message::getDecryptionKeys	(	SimpleSAML_Configuration	$srcMetadata,
		SimpleSAML_Configuration	$dstMetadata
	)

static

Retrieve the decryption keys from metadata.

Parameters

SimpleSAML_Configuration	$srcMetadata	The metadata of the sender (IdP).
SimpleSAML_Configuration	$dstMetadata	The metadata of the recipient (SP).

Returns: array Array of decryption keys.

Definition at line 291 of file Message.php.

      {
        $sharedKey = $srcMetadata->getString('sharedkey', null);
        if ($sharedKey !== null) {
            $key = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
            $key->loadKey($sharedKey);
            return array($key);
        }
 
        $keys = array();
 
        // load the new private key if it exists
        $keyArray = SimpleSAML\Utils\Crypto::loadPrivateKey($dstMetadata, false, 'new_');
        if ($keyArray !== null) {
            assert('isset($keyArray["PEM"])');
 
            $key = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type' => 'private'));
            if (array_key_exists('password', $keyArray)) {
                $key->passphrase = $keyArray['password'];
            }
            $key->loadKey($keyArray['PEM']);
            $keys[] = $key;
        }
 
        // find the existing private key
        $keyArray = SimpleSAML\Utils\Crypto::loadPrivateKey($dstMetadata, true);
        assert('isset($keyArray["PEM"])');
 
        $key = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type' => 'private'));
        if (array_key_exists('password', $keyArray)) {
            $key->passphrase = $keyArray['password'];
        }
        $key->loadKey($keyArray['PEM']);
        $keys[] = $key;
 
        return $keys;
    }

References $key, $keys, SimpleSAML_Configuration\getString(), and SimpleSAML\Utils\Crypto\loadPrivateKey().

Referenced by decryptAssertion(), and processAssertion().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ getEncryptionKey()

static sspmod_saml_Message::getEncryptionKey ( SimpleSAML_Configuration $metadata )

static

Retrieve the encryption key for the given entity.

Parameters

SimpleSAML_Configuration $metadata The metadata of the entity.

Returns: \RobRichards\XMLSecLibs\XMLSecurityKey The encryption key.

Exceptions

SimpleSAML_Error_Exception if there is no supported encryption key in the metadata of this entity.

Definition at line 829 of file Message.php.

    {
 
        $sharedKey = $metadata->getString('sharedkey', null);
        if ($sharedKey !== null) {
            $key = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
            $key->loadKey($sharedKey);
            return $key;
        }
 
        $keys = $metadata->getPublicKeys('encryption', true);
        foreach ($keys as $key) {
            switch ($key['type']) {
                case 'X509Certificate':
                    $pemKey = "-----BEGIN CERTIFICATE-----\n".
                        chunk_split($key['X509Certificate'], 64).
                        "-----END CERTIFICATE-----\n";
                    $key = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, array('type' => 'public'));
                    $key->loadKey($pemKey);
                    return $key;
            }
        }
 
        throw new SimpleSAML_Error_Exception('No supported encryption key in '.
            var_export($metadata->getString('entityid'), true));
    }

References $key, $keys, and $metadata.

Referenced by sspmod_saml_IdP_SAML2\buildAssertion(), sspmod_saml_IdP_SAML2\buildLogoutRequest(), and sspmod_saml_Auth_Source_SP\startSLO2().

Here is the caller graph for this function:

◆ getResponseError()

static sspmod_saml_Message::getResponseError ( \SAML2\StatusResponse $response )

static

Retrieve the status code of a response as a sspmod_saml_Error.

Parameters

\SAML2\StatusResponse $response The response.

Returns: sspmod_saml_Error The error.

Definition at line 417 of file Message.php.

    {
        $status = $response->getStatus();
        return new sspmod_saml_Error($status['Code'], $status['SubCode'], $status['Message']);
    }

References $response.

Referenced by processResponse(), and sspmod_saml_IdP_SAML2\receiveLogoutMessage().

Here is the caller graph for this function:

◆ processAssertion()

static sspmod_saml_Message::processAssertion	(	SimpleSAML_Configuration	$spMetadata,
		SimpleSAML_Configuration	$idpMetadata,
		\SAML2\Response	$response,
			$assertion,
			$responseSigned
	)

staticprivate

Process an assertion in a response.

Parameters

SimpleSAML_Configuration	$spMetadata	The metadata of the service provider.
SimpleSAML_Configuration	$idpMetadata	The metadata of the identity provider.
\SAML2\Response	$response	The response containing the assertion.
\SAML2\Assertion \| \SAML2\EncryptedAssertion	$assertion	The assertion.
bool	$responseSigned	Whether the response is signed.

Returns: \SAML2\Assertion The assertion, if it is valid.

Exceptions

SimpleSAML_Error_Exception if an error occurs while trying to validate the assertion, or if a assertion is not signed and it should be, or if we are unable to decrypt the NameID due to a local failure (missing or invalid decryption key).

Exceptions

Exception if we couldn't decrypt the NameID for unexpected reasons.

Definition at line 601 of file Message.php.

      {
        assert('$assertion instanceof \SAML2\Assertion || $assertion instanceof \SAML2\EncryptedAssertion');
        assert('is_bool($responseSigned)');
 
        $assertion = self::decryptAssertion($idpMetadata, $spMetadata, $assertion);
 
        if (!self::checkSign($idpMetadata, $assertion)) {
            if (!$responseSigned) {
                throw new SimpleSAML_Error_Exception('Neither the assertion nor the response was signed.');
            }
        } // at least one valid signature found
 
        $currentURL = \SimpleSAML\Utils\HTTP::getSelfURLNoQuery();
 
        // check various properties of the assertion
        $notBefore = $assertion->getNotBefore();
        if ($notBefore !== null && $notBefore > time() + 60) {
            throw new SimpleSAML_Error_Exception(
                'Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.'
            );
        }
        $notOnOrAfter = $assertion->getNotOnOrAfter();
        if ($notOnOrAfter !== null && $notOnOrAfter <= time() - 60) {
            throw new SimpleSAML_Error_Exception(
                'Received an assertion that has expired. Check clock synchronization on IdP and SP.'
            );
        }
        $sessionNotOnOrAfter = $assertion->getSessionNotOnOrAfter();
        if ($sessionNotOnOrAfter !== null && $sessionNotOnOrAfter <= time() - 60) {
            throw new SimpleSAML_Error_Exception(
                'Received an assertion with a session that has expired. Check clock synchronization on IdP and SP.'
            );
        }
        $validAudiences = $assertion->getValidAudiences();
        if ($validAudiences !== null) {
            $spEntityId = $spMetadata->getString('entityid');
            if (!in_array($spEntityId, $validAudiences, true)) {
                $candidates = '['.implode('], [', $validAudiences).']';
                throw new SimpleSAML_Error_Exception('This SP ['.$spEntityId.
                    ']  is not a valid audience for the assertion. Candidates were: '.$candidates);
            }
        }
 
        $found = false;
        $lastError = 'No SubjectConfirmation element in Subject.';
        $validSCMethods = array(\SAML2\Constants::CM_BEARER, \SAML2\Constants::CM_HOK, \SAML2\Constants::CM_VOUCHES);
        foreach ($assertion->getSubjectConfirmation() as $sc) {
            if (!in_array($sc->Method, $validSCMethods, true)) {
                $lastError = 'Invalid Method on SubjectConfirmation: '.var_export($sc->Method, true);
                continue;
            }
 
            // is SSO with HoK enabled? IdP remote metadata overwrites SP metadata configuration
            $hok = $idpMetadata->getBoolean('saml20.hok.assertion', null);
            if ($hok === null) {
                $hok = $spMetadata->getBoolean('saml20.hok.assertion', false);
            }
            if ($sc->Method === \SAML2\Constants::CM_BEARER && $hok) {
                $lastError = 'Bearer SubjectConfirmation received, but Holder-of-Key SubjectConfirmation needed';
                continue;
            }
            if ($sc->Method === \SAML2\Constants::CM_HOK && !$hok) {
                $lastError = 'Holder-of-Key SubjectConfirmation received, '.
                    'but the Holder-of-Key profile is not enabled.';
                continue;
            }
 
            $scd = $sc->SubjectConfirmationData;
            if ($sc->Method === \SAML2\Constants::CM_HOK) {
                // check HoK Assertion
                if (\SimpleSAML\Utils\HTTP::isHTTPS() === false) {
                    $lastError = 'No HTTPS connection, but required for Holder-of-Key SSO';
                    continue;
                }
                if (isset($_SERVER['SSL_CLIENT_CERT']) && empty($_SERVER['SSL_CLIENT_CERT'])) {
                    $lastError = 'No client certificate provided during TLS Handshake with SP';
                    continue;
                }
                // extract certificate data (if this is a certificate)
                $clientCert = $_SERVER['SSL_CLIENT_CERT'];
                $pattern = '/^-----BEGIN CERTIFICATE-----([^-]*)^-----END CERTIFICATE-----/m';
                if (!preg_match($pattern, $clientCert, $matches)) {
                    $lastError = 'Error while looking for client certificate during TLS handshake with SP, the client '.
                        'certificate does not have the expected structure';
                    continue;
                }
                // we have a valid client certificate from the browser
                $clientCert = str_replace(array("\r", "\n", " "), '', $matches[1]);
 
                $keyInfo = array();
                foreach ($scd->info as $thing) {
                    if ($thing instanceof \SAML2\XML\ds\KeyInfo) {
                        $keyInfo[] = $thing;
                    }
                }
                if (count($keyInfo) != 1) {
                    $lastError = 'Error validating Holder-of-Key assertion: Only one <ds:KeyInfo> element in '.
                        '<SubjectConfirmationData> allowed';
                    continue;
                }
 
                $x509data = array();
                foreach ($keyInfo[0]->info as $thing) {
                    if ($thing instanceof \SAML2\XML\ds\X509Data) {
                        $x509data[] = $thing;
                    }
                }
                if (count($x509data) != 1) {
                    $lastError = 'Error validating Holder-of-Key assertion: Only one <ds:X509Data> element in '.
                        '<ds:KeyInfo> within <SubjectConfirmationData> allowed';
                    continue;
                }
 
                $x509cert = array();
                foreach ($x509data[0]->data as $thing) {
                    if ($thing instanceof \SAML2\XML\ds\X509Certificate) {
                        $x509cert[] = $thing;
                    }
                }
                if (count($x509cert) != 1) {
                    $lastError = 'Error validating Holder-of-Key assertion: Only one <ds:X509Certificate> element in '.
                        '<ds:X509Data> within <SubjectConfirmationData> allowed';
                    continue;
                }
 
                $HoKCertificate = $x509cert[0]->certificate;
                if ($HoKCertificate !== $clientCert) {
                    $lastError = 'Provided client certificate does not match the certificate bound to the '.
                        'Holder-of-Key assertion';
                    continue;
                }
            }
 
            // if no SubjectConfirmationData then don't do anything.
            if ($scd === null) {
                $lastError = 'No SubjectConfirmationData provided';
                continue;
            }
 
            if ($scd->NotBefore && $scd->NotBefore > time() + 60) {
                $lastError = 'NotBefore in SubjectConfirmationData is in the future: '.$scd->NotBefore;
                continue;
            }
            if ($scd->NotOnOrAfter && $scd->NotOnOrAfter <= time() - 60) {
                $lastError = 'NotOnOrAfter in SubjectConfirmationData is in the past: '.$scd->NotOnOrAfter;
                continue;
            }
            if ($scd->Recipient !== null && $scd->Recipient !== $currentURL) {
                $lastError = 'Recipient in SubjectConfirmationData does not match the current URL. Recipient is '.
                    var_export($scd->Recipient, true).', current URL is '.var_export($currentURL, true).'.';
                continue;
            }
            if ($scd->InResponseTo !== null && $response->getInResponseTo() !== null &&
                $scd->InResponseTo !== $response->getInResponseTo()
            ) {
                $lastError = 'InResponseTo in SubjectConfirmationData does not match the Response. Response has '.
                    var_export($response->getInResponseTo(), true).
                    ', SubjectConfirmationData has '.var_export($scd->InResponseTo, true).'.';
                continue;
            }
            $found = true;
            break;
        }
        if (!$found) {
            throw new SimpleSAML_Error_Exception('Error validating SubjectConfirmation in Assertion: '.$lastError);
        } // as far as we can tell, the assertion is valid
 
        // maybe we need to base64 decode the attributes in the assertion?
        if ($idpMetadata->getBoolean('base64attributes', false)) {
            $attributes = $assertion->getAttributes();
            $newAttributes = array();
            foreach ($attributes as $name => $values) {
                $newAttributes[$name] = array();
                foreach ($values as $value) {
                    foreach (explode('_', $value) as $v) {
                        $newAttributes[$name][] = base64_decode($v);
                    }
                }
            }
            $assertion->setAttributes($newAttributes);
        }
 
        // decrypt the NameID element if it is encrypted
        if ($assertion->isNameIdEncrypted()) {
            try {
                $keys = self::getDecryptionKeys($idpMetadata, $spMetadata);
            } catch (Exception $e) {
                throw new SimpleSAML_Error_Exception('Error decrypting NameID: '.$e->getMessage());
            }
 
            $blacklist = self::getBlacklistedAlgorithms($idpMetadata, $spMetadata);
 
            $lastException = null;
            foreach ($keys as $i => $key) {
                try {
                    $assertion->decryptNameId($key, $blacklist);
                    SimpleSAML\Logger::debug('Decryption with key #'.$i.' succeeded.');
                    $lastException = null;
                    break;
                } catch (Exception $e) {
                    SimpleSAML\Logger::debug('Decryption with key #'.$i.' failed with exception: '.$e->getMessage());
                    $lastException = $e;
                }
            }
            if ($lastException !== null) {
                throw $lastException;
            }
        }
 
        return $assertion;
    }

References $_SERVER, $attributes, $i, $idpMetadata, $key, $keys, $name, $response, $sc, $spEntityId, $spMetadata, data, SimpleSAML\Logger\debug(), decryptAssertion(), getBlacklistedAlgorithms(), getDecryptionKeys(), and SimpleSAML\Utils\HTTP\getSelfURLNoQuery().

Referenced by processResponse().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ processResponse()

static sspmod_saml_Message::processResponse	(	SimpleSAML_Configuration	$spMetadata,
		SimpleSAML_Configuration	$idpMetadata,
		\SAML2\Response	$response
	)

static

Process a response message.

If the response is an error response, we will throw a sspmod_saml_Error exception with the error.

Parameters

SimpleSAML_Configuration	$spMetadata	The metadata of the service provider.
SimpleSAML_Configuration	$idpMetadata	The metadata of the identity provider.
\SAML2\Response	$response	The response.

Returns: array Array with \SAML2\Assertion objects, containing valid assertions from the response.

Exceptions

SimpleSAML_Error_Exception if there are no assertions in the response.

Exceptions

Exception if the destination of the response does not match the current URL.

Definition at line 548 of file Message.php.

      {
        if (!$response->isSuccess()) {
            throw self::getResponseError($response);
        }
 
        // validate Response-element destination
        $currentURL = \SimpleSAML\Utils\HTTP::getSelfURLNoQuery();
        $msgDestination = $response->getDestination();
        if ($msgDestination !== null && $msgDestination !== $currentURL) {
            throw new Exception('Destination in response doesn\'t match the current URL. Destination is "'.
                $msgDestination.'", current URL is "'.$currentURL.'".');
        }
 
        $responseSigned = self::checkSign($idpMetadata, $response);
 
        /*
         * When we get this far, the response itself is valid.
         * We only need to check signatures and conditions of the response.
         */
        $assertion = $response->getAssertions();
        if (empty($assertion)) {
            throw new SimpleSAML_Error_Exception('No assertions found in response from IdP.');
        }
 
        $ret = array();
        foreach ($assertion as $a) {
            $ret[] = self::processAssertion($spMetadata, $idpMetadata, $response, $a, $responseSigned);
        }
 
        return $ret;
    }

References $idpMetadata, $response, $ret, $spMetadata, checkSign(), getResponseError(), SimpleSAML\Utils\HTTP\getSelfURLNoQuery(), and processAssertion().

Here is the call graph for this function:

◆ validateMessage()

static sspmod_saml_Message::validateMessage	(	SimpleSAML_Configuration	$srcMetadata,
		SimpleSAML_Configuration	$dstMetadata,
		\SAML2\Message	$message
	)

static

Check signature on a SAML2 message if enabled.

Parameters

SimpleSAML_Configuration	$srcMetadata	The metadata of the sender.
SimpleSAML_Configuration	$dstMetadata	The metadata of the recipient.
\SAML2\Message	$message	The message we should check the signature on.

Exceptions

SimpleSAML_Error_Exception if message validation is enabled, but there is no signature in the message.

Definition at line 246 of file Message.php.

      {
        $enabled = null;
        if ($message instanceof \SAML2\LogoutRequest || $message instanceof \SAML2\LogoutResponse) {
            $enabled = $srcMetadata->getBoolean('validate.logout', null);
            if ($enabled === null) {
                $enabled = $dstMetadata->getBoolean('validate.logout', null);
            }
        } elseif ($message instanceof \SAML2\AuthnRequest) {
            $enabled = $srcMetadata->getBoolean('validate.authnrequest', null);
            if ($enabled === null) {
                $enabled = $dstMetadata->getBoolean('validate.authnrequest', null);
            }
        }
 
        if ($enabled === null) {
            $enabled = $srcMetadata->getBoolean('redirect.validate', null);
            if ($enabled === null) {
                $enabled = $dstMetadata->getBoolean('redirect.validate', false);
            }
        }
 
        if (!$enabled) {
            return;
        }
 
        if (!self::checkSign($srcMetadata, $message)) {
            throw new SimpleSAML_Error_Exception(
                'Validation of received messages enabled, but no signature found on message.'
            );
        }
    }

References $message, and SimpleSAML_Configuration\getBoolean().

Referenced by sspmod_saml_IdP_SAML2\receiveAuthnRequest(), and sspmod_saml_IdP_SAML2\receiveLogoutMessage().

Here is the call graph for this function:

Here is the caller graph for this function:

The documentation for this class was generated from the following file:

libs/composer/vendor/simplesamlphp/simplesamlphp/modules/saml/lib/Message.php

Static Public Member Functions

Static Private Member Functions

Detailed Description

Member Function Documentation

◆ addRedirectSign()

◆ addSign()

◆ buildAuthnRequest()

◆ buildLogoutRequest()

◆ buildLogoutResponse()

◆ checkSign()

◆ decryptAssertion()

◆ findCertificate()

◆ getBlacklistedAlgorithms()

◆ getDecryptionKeys()

◆ getEncryptionKey()

◆ getResponseError()

◆ processAssertion()

◆ processResponse()

◆ validateMessage()