Signer.php

Go to the documentation of this file.

<?php

namespace SimpleSAML\XML;

use DOMComment;
use DOMElement;
use DOMText;
use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;
use SimpleSAML\Utils\Config;

class Signer
{
    private $idAttrName = '';

    private $privateKey = false;

    private $certificate = '';


    private $extraCertificates = array();


    public function __construct($options = array())
    {
        assert(is_array($options));

        if (array_key_exists('privatekey', $options)) {
            $pass = null;
            if (array_key_exists('privatekey_pass', $options)) {
                $pass = $options['privatekey_pass'];
            }

            $this->loadPrivateKey($options['privatekey'], $pass);
        }

        if (array_key_exists('certificate', $options)) {
            $this->loadCertificate($options['certificate']);
        }

        if (array_key_exists('privatekey_array', $options)) {
            $this->loadPrivateKeyArray($options['privatekey_array']);
        }

        if (array_key_exists('publickey_array', $options)) {
            $this->loadPublicKeyArray($options['publickey_array']);
        }

        if (array_key_exists('id', $options)) {
            $this->setIdAttribute($options['id']);
        }
    }


    public function loadPrivateKeyArray($privatekey)
    {
        assert(is_array($privatekey));
        assert(array_key_exists('PEM', $privatekey));

        $this->privateKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, array('type' => 'private'));
        if (array_key_exists('password', $privatekey)) {
            $this->privateKey->passphrase = $privatekey['password'];
        }
        $this->privateKey->loadKey($privatekey['PEM'], false);
    }


    public function loadPrivateKey($file, $pass = null, $full_path = false)
    {
        assert(is_string($file));
        assert(is_string($pass) || $pass === null);
        assert(is_bool($full_path));

        if (!$full_path) {
            $keyFile = Config::getCertPath($file);
        } else {
            $keyFile = $file;
        }

        if (!file_exists($keyFile)) {
            throw new \Exception('Could not find private key file "' . $keyFile . '".');
        }
        $keyData = file_get_contents($keyFile);
        if ($keyData === false) {
            throw new \Exception('Unable to read private key file "' . $keyFile . '".');
        }

        $privatekey = array('PEM' => $keyData);
        if ($pass !== null) {
            $privatekey['password'] = $pass;
        }
        $this->loadPrivateKeyArray($privatekey);
    }


    public function loadPublicKeyArray($publickey)
    {
        assert(is_array($publickey));

        if (!array_key_exists('PEM', $publickey)) {
            // We have a public key with only a fingerprint
            throw new \Exception('Tried to add a certificate fingerprint in a signature.');
        }

        // For now, we only assume that the public key is an X509 certificate
        $this->certificate = $publickey['PEM'];
    }


    public function loadCertificate($file, $full_path = false)
    {
        assert(is_string($file));
        assert(is_bool($full_path));

        if (!$full_path) {
            $certFile = Config::getCertPath($file);
        } else {
            $certFile = $file;
        }

        if (!file_exists($certFile)) {
            throw new \Exception('Could not find certificate file "' . $certFile . '".');
        }

        $cert = file_get_contents($certFile);
        if ($cert === false) {
            throw new \Exception('Unable to read certificate file "' . $certFile . '".');
        }
        $this->certificate = $cert;
    }


    public function setIDAttribute($idAttrName)
    {
        assert(is_string($idAttrName));

        $this->idAttrName = $idAttrName;
    }


    public function addCertificate($file, $full_path = false)
    {
        assert(is_string($file));
        assert(is_bool($full_path));

        if (!$full_path) {
            $certFile = Config::getCertPath($file);
        } else {
            $certFile = $file;
        }

        if (!file_exists($certFile)) {
            throw new \Exception('Could not find extra certificate file "' . $certFile . '".');
        }

        $certificate = file_get_contents($certFile);
        if ($certificate === false) {
            throw new \Exception('Unable to read extra certificate file "' . $certFile . '".');
        }

        $this->extraCertificates[] = $certificate;
    }


    public function sign($node, $insertInto, $insertBefore = null)
    {
        assert($node instanceof DOMElement);
        assert($insertInto instanceof DOMElement);
        assert($insertBefore === null || $insertBefore instanceof DOMElement ||
            $insertBefore instanceof DOMComment || $insertBefore instanceof DOMText);

        if ($this->privateKey === false) {
            throw new \Exception('Private key not set.');
        }


        $objXMLSecDSig = new XMLSecurityDSig();
        $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);

        $options = array();
        if (!empty($this->idAttrName)) {
            $options['id_name'] = $this->idAttrName;
        }

        $objXMLSecDSig->addReferenceList(
            array($node),
            XMLSecurityDSig::SHA256,
            array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N),
            $options
        );

        $objXMLSecDSig->sign($this->privateKey);


        // Add the certificate to the signature
        $objXMLSecDSig->add509Cert($this->certificate, true);

        // Add extra certificates
        foreach ($this->extraCertificates as $certificate) {
            $objXMLSecDSig->add509Cert($certificate, true);
        }

        $objXMLSecDSig->insertSignature($insertInto, $insertBefore);
    }
}