From a9fbc8703e723b325493040ecf4711a6084edf39 Mon Sep 17 00:00:00 2001
From: Bjoern Schiessle
Date: Thu, 4 Oct 2018 15:36:44 +0200
Subject: [PATCH] update to php-saml 3.0.0 without mcrypt dependecy
Signed-off-by: Bjoern Schiessle --- 3rdparty/composer.json | 2 +- 3rdparty/composer.lock | 82 +- .../vendor/composer/autoload_classmap.php | 35 +- 3rdparty/vendor/composer/autoload_psr4.php | 2 + 3rdparty/vendor/composer/autoload_static.php | 51 +- 3rdparty/vendor/composer/installed.json | 84 +- .../vendor/onelogin/php-saml/.coveralls.yml | 7 - 3rdparty/vendor/onelogin/php-saml/.gitignore | 14 - 3rdparty/vendor/onelogin/php-saml/.travis.yml | 36 - 3rdparty/vendor/onelogin/php-saml/CHANGELOG | 30 + 3rdparty/vendor/onelogin/php-saml/README.md | 476 +++-- .../onelogin/php-saml/_toolkit_loader.php | 29 +- .../php-saml/advanced_settings_example.php | 26 +- .../onelogin/php-saml/compatibility.php | 12 - .../vendor/onelogin/php-saml/composer.json | 33 +- .../php-saml/extlib/xmlseclibs/xmlseclibs.php | 1721 ----------------- .../php-saml/lib/Saml/AuthRequest.php | 65 - .../onelogin/php-saml/lib/Saml/Metadata.php | 39 - .../onelogin/php-saml/lib/Saml/Response.php | 39 - .../onelogin/php-saml/lib/Saml/Settings.php | 80 - .../onelogin/php-saml/lib/Saml/XmlSec.php | 110 -- .../onelogin/php-saml/lib/Saml2/version.json | 6 - .../locale/en_US/LC_MESSAGES/phptoolkit.mo | Bin 200 -> 0 bytes .../locale/en_US/LC_MESSAGES/phptoolkit.po | 26 - .../locale/es_ES/LC_MESSAGES/phptoolkit.mo | Bin 405 -> 0 bytes .../locale/es_ES/LC_MESSAGES/phptoolkit.po | 27 - 3rdparty/vendor/onelogin/php-saml/phpdoc.xml | 37 - .../onelogin/php-saml/settings_example.php | 50 +- .../php-saml/{lib => src}/Saml2/Auth.php | 353 ++-- .../{lib => src}/Saml2/AuthnRequest.php | 49 +- .../php-saml/{lib => src}/Saml2/Constants.php | 19 +- .../onelogin/php-saml/src/Saml2/Error.php | 66 + .../php-saml/src/Saml2/IdPMetadataParser.php | 237 +++ .../{lib => src}/Saml2/LogoutRequest.php | 276 +-- .../{lib => src}/Saml2/LogoutResponse.php | 213 +- .../php-saml/{lib => src}/Saml2/Metadata.php | 73 +- .../php-saml/{lib => src}/Saml2/Response.php | 585 +++--- .../php-saml/{lib => src}/Saml2/Settings.php | 292 +-- 
.../php-saml/{lib => src}/Saml2/Utils.php | 611 ++++-- .../Saml2/ValidationError.php} | 69 +- .../schemas/saml-schema-assertion-2.0.xsd | 0 .../schemas/saml-schema-authn-context-2.0.xsd | 0 .../saml-schema-authn-context-types-2.0.xsd | 0 .../schemas/saml-schema-metadata-2.0.xsd | 0 .../schemas/saml-schema-protocol-2.0.xsd | 0 .../Saml2/schemas/sstc-metadata-attr.xsd | 0 .../Saml2/schemas/sstc-saml-attribute-ext.xsd | 0 .../sstc-saml-metadata-algsupport-v1.0.xsd | 0 .../schemas/sstc-saml-metadata-ui-v1.0.xsd | 0 .../Saml2/schemas/xenc-schema.xsd | 0 .../{lib => src}/Saml2/schemas/xml.xsd | 0 .../Saml2/schemas/xmldsig-core-schema.xsd | 0 .../onelogin/php-saml/src/Saml2/version.json | 6 + .../xmlseclibs/CHANGELOG.txt | 63 +- .../extlib => robrichards}/xmlseclibs/LICENSE | 4 +- .../vendor/robrichards/xmlseclibs/README.md | 84 + .../robrichards/xmlseclibs/composer.json | 21 + .../xmlseclibs/src/Utils/XPath.php | 44 + .../robrichards/xmlseclibs/src/XMLSecEnc.php | 510 +++++ .../xmlseclibs/src/XMLSecurityDSig.php | 1142 +++++++++++ .../xmlseclibs/src/XMLSecurityKey.php | 749 +++++++ .../robrichards/xmlseclibs/xmlseclibs.php | 47 + 62 files changed, 5050 insertions(+), 3582 deletions(-) delete mode 100644 3rdparty/vendor/onelogin/php-saml/.coveralls.yml delete mode 100644 3rdparty/vendor/onelogin/php-saml/.gitignore delete mode 100644 3rdparty/vendor/onelogin/php-saml/.travis.yml delete mode 100644 3rdparty/vendor/onelogin/php-saml/compatibility.php delete mode 100644 3rdparty/vendor/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php delete mode 100644 3rdparty/vendor/onelogin/php-saml/lib/Saml/AuthRequest.php delete mode 100644 3rdparty/vendor/onelogin/php-saml/lib/Saml/Metadata.php delete mode 100644 3rdparty/vendor/onelogin/php-saml/lib/Saml/Response.php delete mode 100644 3rdparty/vendor/onelogin/php-saml/lib/Saml/Settings.php delete mode 100644 3rdparty/vendor/onelogin/php-saml/lib/Saml/XmlSec.php delete mode 100644 
3rdparty/vendor/onelogin/php-saml/lib/Saml2/version.json delete mode 100644 3rdparty/vendor/onelogin/php-saml/locale/en_US/LC_MESSAGES/phptoolkit.mo delete mode 100644 3rdparty/vendor/onelogin/php-saml/locale/en_US/LC_MESSAGES/phptoolkit.po delete mode 100644 3rdparty/vendor/onelogin/php-saml/locale/es_ES/LC_MESSAGES/phptoolkit.mo delete mode 100644 3rdparty/vendor/onelogin/php-saml/locale/es_ES/LC_MESSAGES/phptoolkit.po delete mode 100644 3rdparty/vendor/onelogin/php-saml/phpdoc.xml rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/Auth.php (62%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/AuthnRequest.php (75%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/Constants.php (89%) create mode 100644 3rdparty/vendor/onelogin/php-saml/src/Saml2/Error.php create mode 100644 3rdparty/vendor/onelogin/php-saml/src/Saml2/IdPMetadataParser.php rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/LogoutRequest.php (56%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/LogoutResponse.php (55%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/Metadata.php (79%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/Response.php (64%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/Settings.php (77%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/Utils.php (66%) rename 3rdparty/vendor/onelogin/php-saml/{lib/Saml2/Error.php => src/Saml2/ValidationError.php} (59%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/schemas/saml-schema-assertion-2.0.xsd (100%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/schemas/saml-schema-authn-context-2.0.xsd (100%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/schemas/saml-schema-authn-context-types-2.0.xsd (100%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/schemas/saml-schema-metadata-2.0.xsd (100%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/schemas/saml-schema-protocol-2.0.xsd 
(100%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/schemas/sstc-metadata-attr.xsd (100%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/schemas/sstc-saml-attribute-ext.xsd (100%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/schemas/sstc-saml-metadata-algsupport-v1.0.xsd (100%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/schemas/sstc-saml-metadata-ui-v1.0.xsd (100%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/schemas/xenc-schema.xsd (100%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/schemas/xml.xsd (100%) rename 3rdparty/vendor/onelogin/php-saml/{lib => src}/Saml2/schemas/xmldsig-core-schema.xsd (100%) create mode 100644 3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json rename 3rdparty/vendor/{onelogin/php-saml/extlib => robrichards}/xmlseclibs/CHANGELOG.txt (68%) rename 3rdparty/vendor/{onelogin/php-saml/extlib => robrichards}/xmlseclibs/LICENSE (94%) create mode 100644 3rdparty/vendor/robrichards/xmlseclibs/README.md create mode 100644 3rdparty/vendor/robrichards/xmlseclibs/composer.json create mode 100644 3rdparty/vendor/robrichards/xmlseclibs/src/Utils/XPath.php create mode 100644 3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecEnc.php create mode 100644 3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php create mode 100644 3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php create mode 100644 3rdparty/vendor/robrichards/xmlseclibs/xmlseclibs.php diff --git a/3rdparty/composer.json b/3rdparty/composer.json index 228781b..8735f1f 100644 --- a/3rdparty/composer.json +++ b/3rdparty/composer.json @@ -4,7 +4,7 @@ "classmap-authoritative": true }, "require": { - "onelogin/php-saml": "2.10.5", + "onelogin/php-saml": "^3.0", "firebase/php-jwt": "^4.0" } } diff --git a/3rdparty/composer.lock b/3rdparty/composer.lock index 17b7cc4..916107f 100644 --- a/3rdparty/composer.lock +++ b/3rdparty/composer.lock 
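Review bot: The composer.json hunk replaces the exact pin `"onelogin/php-saml": "2.10.5"` with the range `"^3.0"`, so the committed lock file (v3.0.0 here, with robrichards/xmlseclibs 3.0.2 pulled in below) becomes the only thing holding the vendored SAML code at a known revision, and any later `composer update` run in 3rdparty/ will silently float to a newer 3.x. Because this tree is vendored into the application with `"classmap-authoritative": true`, an exact pin such as `"onelogin/php-saml": "3.0.0"` keeps the manifest and the checked-in vendor directory in agreement and makes an unintended upgrade of signature-validation code visible in review. Separately, the regenerated autoload maps drop every `OneLogin_Saml2_*` classmap entry and the diffstat lists no file outside 3rdparty/, so callers that still reference the underscore class names will fail to autoload until they are migrated to `OneLogin\Saml2\*` — presumably in a follow-up change, but worth confirming before merge.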
@@ -4,7 +4,7 @@
 "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
 "This file is @generated automatically"
 ],
- "content-hash": "c0b54acdb5e61d572c6c95652de525ed",
+ "content-hash": "f3e661f8388070704bd9b01b48752bf0",
 "packages": [
 {
 "name": "firebase/php-jwt",
@@ -51,57 +51,91 @@ }, { "name": "onelogin/php-saml", - "version": "2.10.5", + "version": "v3.0.0", "source": { "type": "git", "url": "https://github.com/onelogin/php-saml.git", - "reference": "3319d7707f342e38291eee6b01a4a5f8df1b333b" + "reference": "920c2240e48c9a74aad4129720f48fbf3d5fee47" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/onelogin/php-saml/zipball/3319d7707f342e38291eee6b01a4a5f8df1b333b", - "reference": "3319d7707f342e38291eee6b01a4a5f8df1b333b", + "url": "https://api.github.com/repos/onelogin/php-saml/zipball/920c2240e48c9a74aad4129720f48fbf3d5fee47", + "reference": "920c2240e48c9a74aad4129720f48fbf3d5fee47", "shasum": "" }, "require": { - "ext-dom": "*", - "ext-mcrypt": "*", - "ext-openssl": "*", - "php": ">=5.3.2" + "php": ">=5.4", + "robrichards/xmlseclibs": "^3.0" }, "require-dev": { - "pdepend/pdepend": "1.1.0", - "phploc/phploc": "*", - "phpunit/phpunit": "4.8", - "satooshi/php-coveralls": "1.0.1", - "sebastian/phpcpd": "*", - "squizlabs/php_codesniffer": "*" + "pdepend/pdepend": "^2.5.0", + "php-coveralls/php-coveralls": "^1.0.2 || ^2.0", + "phploc/phploc": "^2.1 || ^3.0 || ^4.0", + "phpunit/phpunit": "^4.8.35 || ^5.7 || ^6.5 || ^7.1", + "sebastian/phpcpd": "^2.0 || ^3.0 || ^4.0", + "squizlabs/php_codesniffer": "^3.1.1" }, "suggest": { + "ext-curl": "Install curl lib to be able to use the IdPMetadataParser for parsing remote XMLs", "ext-gettext": "Install gettext and php5-gettext libs to handle translations", - "ext-mcrypt": "Install mcrypt and php5-mcrypt libs in order to support encryption", - "lib-openssl": "Install openssl lib in order to handle with x509 certs (require to support sign and encryption)" + "ext-openssl": "Install openssl lib in order to handle with x509 certs (require to support sign and encryption)" }, "type": "library", "autoload": { - "classmap": [ - "extlib/xmlseclibs", - "lib/Saml", - "lib/Saml2" - ] + "psr-4": { + "OneLogin\\": "src/" + } }, "notification-url": 
"https://packagist.org/downloads/", "license": [ "MIT" ], "description": "OneLogin PHP SAML Toolkit", - "homepage": "https://onelogin.zendesk.com/hc/en-us/sections/200245634-SAML-Toolkits", + "homepage": "https://developers.onelogin.com/saml/php", "keywords": [ "SAML2", "onelogin", "saml" ], - "time": "2017-03-13T09:56:49+00:00" + "time": "2018-10-02T16:02:37+00:00" + }, + { + "name": "robrichards/xmlseclibs", + "version": "3.0.2", + "source": { + "type": "git", + "url": "https://github.com/robrichards/xmlseclibs.git", + "reference": "1f4de0c0d121922aafd8c62c2a9f5e528830cf38" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/1f4de0c0d121922aafd8c62c2a9f5e528830cf38", + "reference": "1f4de0c0d121922aafd8c62c2a9f5e528830cf38", + "shasum": "" + }, + "require": { + "ext-openssl": "*", + "php": ">= 5.4" + }, + "type": "library", + "autoload": { + "psr-4": { + "RobRichards\\XMLSecLibs\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "BSD-3-Clause" + ], + "description": "A PHP library for XML Security", + "homepage": "https://github.com/robrichards/xmlseclibs", + "keywords": [ + "security", + "signature", + "xml", + "xmldsig" + ], + "time": "2018-09-27T13:24:13+00:00" } ], "packages-dev": [], diff --git a/3rdparty/vendor/composer/autoload_classmap.php b/3rdparty/vendor/composer/autoload_classmap.php index 12172bf..b8d5737 100644 --- a/3rdparty/vendor/composer/autoload_classmap.php +++ b/3rdparty/vendor/composer/autoload_classmap.php 
@@ -10,23 +10,20 @@ return array( 'Firebase\\JWT\\ExpiredException' => $vendorDir . '/firebase/php-jwt/src/ExpiredException.php', 'Firebase\\JWT\\JWT' => $vendorDir . '/firebase/php-jwt/src/JWT.php', 'Firebase\\JWT\\SignatureInvalidException' => $vendorDir . '/firebase/php-jwt/src/SignatureInvalidException.php', - 'OneLogin_Saml2_Auth' => $vendorDir . '/onelogin/php-saml/lib/Saml2/Auth.php', - 'OneLogin_Saml2_AuthnRequest' => $vendorDir . '/onelogin/php-saml/lib/Saml2/AuthnRequest.php', - 'OneLogin_Saml2_Constants' => $vendorDir . '/onelogin/php-saml/lib/Saml2/Constants.php', - 'OneLogin_Saml2_Error' => $vendorDir . '/onelogin/php-saml/lib/Saml2/Error.php', - 'OneLogin_Saml2_LogoutRequest' => $vendorDir . '/onelogin/php-saml/lib/Saml2/LogoutRequest.php', - 'OneLogin_Saml2_LogoutResponse' => $vendorDir . '/onelogin/php-saml/lib/Saml2/LogoutResponse.php', - 'OneLogin_Saml2_Metadata' => $vendorDir . '/onelogin/php-saml/lib/Saml2/Metadata.php', - 'OneLogin_Saml2_Response' => $vendorDir . '/onelogin/php-saml/lib/Saml2/Response.php', - 'OneLogin_Saml2_Settings' => $vendorDir . '/onelogin/php-saml/lib/Saml2/Settings.php', - 'OneLogin_Saml2_Utils' => $vendorDir . '/onelogin/php-saml/lib/Saml2/Utils.php', - 'OneLogin_Saml2_ValidationError' => $vendorDir . '/onelogin/php-saml/lib/Saml2/Error.php', - 'OneLogin_Saml_AuthRequest' => $vendorDir . '/onelogin/php-saml/lib/Saml/AuthRequest.php', - 'OneLogin_Saml_Metadata' => $vendorDir . '/onelogin/php-saml/lib/Saml/Metadata.php', - 'OneLogin_Saml_Response' => $vendorDir . '/onelogin/php-saml/lib/Saml/Response.php', - 'OneLogin_Saml_Settings' => $vendorDir . '/onelogin/php-saml/lib/Saml/Settings.php', - 'OneLogin_Saml_XmlSec' => $vendorDir . '/onelogin/php-saml/lib/Saml/XmlSec.php', - 'XMLSecEnc' => $vendorDir . '/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php', - 'XMLSecurityDSig' => $vendorDir . '/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php', - 'XMLSecurityKey' => $vendorDir . 
'/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php', + 'OneLogin\\Saml2\\Auth' => $vendorDir . '/onelogin/php-saml/src/Saml2/Auth.php', + 'OneLogin\\Saml2\\AuthnRequest' => $vendorDir . '/onelogin/php-saml/src/Saml2/AuthnRequest.php', + 'OneLogin\\Saml2\\Constants' => $vendorDir . '/onelogin/php-saml/src/Saml2/Constants.php', + 'OneLogin\\Saml2\\Error' => $vendorDir . '/onelogin/php-saml/src/Saml2/Error.php', + 'OneLogin\\Saml2\\IdPMetadataParser' => $vendorDir . '/onelogin/php-saml/src/Saml2/IdPMetadataParser.php', + 'OneLogin\\Saml2\\LogoutRequest' => $vendorDir . '/onelogin/php-saml/src/Saml2/LogoutRequest.php', + 'OneLogin\\Saml2\\LogoutResponse' => $vendorDir . '/onelogin/php-saml/src/Saml2/LogoutResponse.php', + 'OneLogin\\Saml2\\Metadata' => $vendorDir . '/onelogin/php-saml/src/Saml2/Metadata.php', + 'OneLogin\\Saml2\\Response' => $vendorDir . '/onelogin/php-saml/src/Saml2/Response.php', + 'OneLogin\\Saml2\\Settings' => $vendorDir . '/onelogin/php-saml/src/Saml2/Settings.php', + 'OneLogin\\Saml2\\Utils' => $vendorDir . '/onelogin/php-saml/src/Saml2/Utils.php', + 'OneLogin\\Saml2\\ValidationError' => $vendorDir . '/onelogin/php-saml/src/Saml2/ValidationError.php', + 'RobRichards\\XMLSecLibs\\Utils\\XPath' => $vendorDir . '/robrichards/xmlseclibs/src/Utils/XPath.php', + 'RobRichards\\XMLSecLibs\\XMLSecEnc' => $vendorDir . '/robrichards/xmlseclibs/src/XMLSecEnc.php', + 'RobRichards\\XMLSecLibs\\XMLSecurityDSig' => $vendorDir . '/robrichards/xmlseclibs/src/XMLSecurityDSig.php', + 'RobRichards\\XMLSecLibs\\XMLSecurityKey' => $vendorDir . '/robrichards/xmlseclibs/src/XMLSecurityKey.php', ); diff --git a/3rdparty/vendor/composer/autoload_psr4.php b/3rdparty/vendor/composer/autoload_psr4.php index 00bfd9c..5cd4e92 100644 --- a/3rdparty/vendor/composer/autoload_psr4.php +++ b/3rdparty/vendor/composer/autoload_psr4.php 
@@ -6,5 +6,7 @@ $vendorDir = dirname(dirname(__FILE__)); $baseDir = dirname($vendorDir); return array( + 'RobRichards\\XMLSecLibs\\' => array($vendorDir . '/robrichards/xmlseclibs/src'), + 'OneLogin\\' => array($vendorDir . '/onelogin/php-saml/src'), 'Firebase\\JWT\\' => array($vendorDir . '/firebase/php-jwt/src'), ); diff --git a/3rdparty/vendor/composer/autoload_static.php b/3rdparty/vendor/composer/autoload_static.php index 2280298..012668c 100644 --- a/3rdparty/vendor/composer/autoload_static.php +++ b/3rdparty/vendor/composer/autoload_static.php @@ -7,6 +7,14 @@ namespace Composer\Autoload; class ComposerStaticInitcc75f134f7630c1ee3a8e4d7c86f3bcc { public static $prefixLengthsPsr4 = array ( + 'R' => + array ( + 'RobRichards\\XMLSecLibs\\' => 23, + ), + 'O' => + array ( + 'OneLogin\\' => 9, + ), 'F' => array ( 'Firebase\\JWT\\' => 13, @@ -14,6 +22,14 @@ class ComposerStaticInitcc75f134f7630c1ee3a8e4d7c86f3bcc ); public static $prefixDirsPsr4 = array ( + 'RobRichards\\XMLSecLibs\\' => + array ( + 0 => __DIR__ . '/..' . '/robrichards/xmlseclibs/src', + ), + 'OneLogin\\' => + array ( + 0 => __DIR__ . '/..' . '/onelogin/php-saml/src', + ), 'Firebase\\JWT\\' => array ( 0 => __DIR__ . '/..' . '/firebase/php-jwt/src', 
@@ -25,25 +41,22 @@ class ComposerStaticInitcc75f134f7630c1ee3a8e4d7c86f3bcc 'Firebase\\JWT\\ExpiredException' => __DIR__ . '/..' . '/firebase/php-jwt/src/ExpiredException.php', 'Firebase\\JWT\\JWT' => __DIR__ . '/..' . '/firebase/php-jwt/src/JWT.php', 'Firebase\\JWT\\SignatureInvalidException' => __DIR__ . '/..' . '/firebase/php-jwt/src/SignatureInvalidException.php', - 'OneLogin_Saml2_Auth' => __DIR__ . '/..' . '/onelogin/php-saml/lib/Saml2/Auth.php', - 'OneLogin_Saml2_AuthnRequest' => __DIR__ . '/..' . '/onelogin/php-saml/lib/Saml2/AuthnRequest.php', - 'OneLogin_Saml2_Constants' => __DIR__ . '/..' . '/onelogin/php-saml/lib/Saml2/Constants.php', - 'OneLogin_Saml2_Error' => __DIR__ . '/..' . '/onelogin/php-saml/lib/Saml2/Error.php', - 'OneLogin_Saml2_LogoutRequest' => __DIR__ . '/..' . '/onelogin/php-saml/lib/Saml2/LogoutRequest.php', - 'OneLogin_Saml2_LogoutResponse' => __DIR__ . '/..' . '/onelogin/php-saml/lib/Saml2/LogoutResponse.php', - 'OneLogin_Saml2_Metadata' => __DIR__ . '/..' . '/onelogin/php-saml/lib/Saml2/Metadata.php', - 'OneLogin_Saml2_Response' => __DIR__ . '/..' . '/onelogin/php-saml/lib/Saml2/Response.php', - 'OneLogin_Saml2_Settings' => __DIR__ . '/..' . '/onelogin/php-saml/lib/Saml2/Settings.php', - 'OneLogin_Saml2_Utils' => __DIR__ . '/..' . '/onelogin/php-saml/lib/Saml2/Utils.php', - 'OneLogin_Saml2_ValidationError' => __DIR__ . '/..' . '/onelogin/php-saml/lib/Saml2/Error.php', - 'OneLogin_Saml_AuthRequest' => __DIR__ . '/..' . '/onelogin/php-saml/lib/Saml/AuthRequest.php', - 'OneLogin_Saml_Metadata' => __DIR__ . '/..' . '/onelogin/php-saml/lib/Saml/Metadata.php', - 'OneLogin_Saml_Response' => __DIR__ . '/..' . '/onelogin/php-saml/lib/Saml/Response.php', - 'OneLogin_Saml_Settings' => __DIR__ . '/..' . '/onelogin/php-saml/lib/Saml/Settings.php', - 'OneLogin_Saml_XmlSec' => __DIR__ . '/..' . '/onelogin/php-saml/lib/Saml/XmlSec.php', - 'XMLSecEnc' => __DIR__ . '/..' . 
'/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php', - 'XMLSecurityDSig' => __DIR__ . '/..' . '/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php', - 'XMLSecurityKey' => __DIR__ . '/..' . '/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php', + 'OneLogin\\Saml2\\Auth' => __DIR__ . '/..' . '/onelogin/php-saml/src/Saml2/Auth.php', + 'OneLogin\\Saml2\\AuthnRequest' => __DIR__ . '/..' . '/onelogin/php-saml/src/Saml2/AuthnRequest.php', + 'OneLogin\\Saml2\\Constants' => __DIR__ . '/..' . '/onelogin/php-saml/src/Saml2/Constants.php', + 'OneLogin\\Saml2\\Error' => __DIR__ . '/..' . '/onelogin/php-saml/src/Saml2/Error.php', + 'OneLogin\\Saml2\\IdPMetadataParser' => __DIR__ . '/..' . '/onelogin/php-saml/src/Saml2/IdPMetadataParser.php', + 'OneLogin\\Saml2\\LogoutRequest' => __DIR__ . '/..' . '/onelogin/php-saml/src/Saml2/LogoutRequest.php', + 'OneLogin\\Saml2\\LogoutResponse' => __DIR__ . '/..' . '/onelogin/php-saml/src/Saml2/LogoutResponse.php', + 'OneLogin\\Saml2\\Metadata' => __DIR__ . '/..' . '/onelogin/php-saml/src/Saml2/Metadata.php', + 'OneLogin\\Saml2\\Response' => __DIR__ . '/..' . '/onelogin/php-saml/src/Saml2/Response.php', + 'OneLogin\\Saml2\\Settings' => __DIR__ . '/..' . '/onelogin/php-saml/src/Saml2/Settings.php', + 'OneLogin\\Saml2\\Utils' => __DIR__ . '/..' . '/onelogin/php-saml/src/Saml2/Utils.php', + 'OneLogin\\Saml2\\ValidationError' => __DIR__ . '/..' . '/onelogin/php-saml/src/Saml2/ValidationError.php', + 'RobRichards\\XMLSecLibs\\Utils\\XPath' => __DIR__ . '/..' . '/robrichards/xmlseclibs/src/Utils/XPath.php', + 'RobRichards\\XMLSecLibs\\XMLSecEnc' => __DIR__ . '/..' . '/robrichards/xmlseclibs/src/XMLSecEnc.php', + 'RobRichards\\XMLSecLibs\\XMLSecurityDSig' => __DIR__ . '/..' . '/robrichards/xmlseclibs/src/XMLSecurityDSig.php', + 'RobRichards\\XMLSecLibs\\XMLSecurityKey' => __DIR__ . '/..' . '/robrichards/xmlseclibs/src/XMLSecurityKey.php', ); public static function getInitializer(ClassLoader $loader) 
diff --git a/3rdparty/vendor/composer/installed.json b/3rdparty/vendor/composer/installed.json
index 77fcbf5..5e69b07 100644
--- a/3rdparty/vendor/composer/installed.json
+++ b/3rdparty/vendor/composer/installed.json
@@ -46,58 +46,94 @@ }, { "name": "onelogin/php-saml", - "version": "2.10.5", - "version_normalized": "2.10.5.0", + "version": "v3.0.0", + "version_normalized": "3.0.0.0", "source": { "type": "git", "url": "https://github.com/onelogin/php-saml.git", - "reference": "3319d7707f342e38291eee6b01a4a5f8df1b333b" + "reference": "920c2240e48c9a74aad4129720f48fbf3d5fee47" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/onelogin/php-saml/zipball/3319d7707f342e38291eee6b01a4a5f8df1b333b", - "reference": "3319d7707f342e38291eee6b01a4a5f8df1b333b", + "url": "https://api.github.com/repos/onelogin/php-saml/zipball/920c2240e48c9a74aad4129720f48fbf3d5fee47", + "reference": "920c2240e48c9a74aad4129720f48fbf3d5fee47", "shasum": "" }, "require": { - "ext-dom": "*", - "ext-mcrypt": "*", - "ext-openssl": "*", - "php": ">=5.3.2" + "php": ">=5.4", + "robrichards/xmlseclibs": "^3.0" }, "require-dev": { - "pdepend/pdepend": "1.1.0", - "phploc/phploc": "*", - "phpunit/phpunit": "4.8", - "satooshi/php-coveralls": "1.0.1", - "sebastian/phpcpd": "*", - "squizlabs/php_codesniffer": "*" + "pdepend/pdepend": "^2.5.0", + "php-coveralls/php-coveralls": "^1.0.2 || ^2.0", + "phploc/phploc": "^2.1 || ^3.0 || ^4.0", + "phpunit/phpunit": "^4.8.35 || ^5.7 || ^6.5 || ^7.1", + "sebastian/phpcpd": "^2.0 || ^3.0 || ^4.0", + "squizlabs/php_codesniffer": "^3.1.1" }, "suggest": { + "ext-curl": "Install curl lib to be able to use the IdPMetadataParser for parsing remote XMLs", "ext-gettext": "Install gettext and php5-gettext libs to handle translations", - "ext-mcrypt": "Install mcrypt and php5-mcrypt libs in order to support encryption", - "lib-openssl": "Install openssl lib in order to handle with x509 certs (require to support sign and encryption)" + "ext-openssl": "Install openssl lib in order to handle with x509 certs (require to support sign and encryption)" }, - "time": "2017-03-13T09:56:49+00:00", + "time": "2018-10-02T16:02:37+00:00", "type": "library", "installation-source": "dist", 
"autoload": { - "classmap": [ - "extlib/xmlseclibs", - "lib/Saml", - "lib/Saml2" - ] + "psr-4": { + "OneLogin\\": "src/" + } }, "notification-url": "https://packagist.org/downloads/", "license": [ "MIT" ], "description": "OneLogin PHP SAML Toolkit", - "homepage": "https://onelogin.zendesk.com/hc/en-us/sections/200245634-SAML-Toolkits", + "homepage": "https://developers.onelogin.com/saml/php", "keywords": [ "SAML2", "onelogin", "saml" ] + }, + { + "name": "robrichards/xmlseclibs", + "version": "3.0.2", + "version_normalized": "3.0.2.0", + "source": { + "type": "git", + "url": "https://github.com/robrichards/xmlseclibs.git", + "reference": "1f4de0c0d121922aafd8c62c2a9f5e528830cf38" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/1f4de0c0d121922aafd8c62c2a9f5e528830cf38", + "reference": "1f4de0c0d121922aafd8c62c2a9f5e528830cf38", + "shasum": "" + }, + "require": { + "ext-openssl": "*", + "php": ">= 5.4" + }, + "time": "2018-09-27T13:24:13+00:00", + "type": "library", + "installation-source": "dist", + "autoload": { + "psr-4": { + "RobRichards\\XMLSecLibs\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "BSD-3-Clause" + ], + "description": "A PHP library for XML Security", + "homepage": "https://github.com/robrichards/xmlseclibs", + "keywords": [ + "security", + "signature", + "xml", + "xmldsig" + ] } ] diff --git a/3rdparty/vendor/onelogin/php-saml/.coveralls.yml b/3rdparty/vendor/onelogin/php-saml/.coveralls.yml deleted file mode 100644 index 173ff35..0000000 --- a/3rdparty/vendor/onelogin/php-saml/.coveralls.yml +++ /dev/null @@ -1,7 +0,0 @@ -service_name: travis-ci - -src_dir: lib - -coverage_clover: tests/build/logs/clover.xml - -json_path: tests/build/logs/coveralls-upload.json diff --git a/3rdparty/vendor/onelogin/php-saml/.gitignore b/3rdparty/vendor/onelogin/php-saml/.gitignore deleted file mode 100644 index 239418a..0000000 
--- a/3rdparty/vendor/onelogin/php-saml/.gitignore +++ /dev/null @@ -1,14 +0,0 @@ -*.swp -*~ -.DS_Store -/settings.php -/demo1/settings.php -/demo-old/settings.php -/certs/sp.key -/certs/sp.crt -/certs/metadata.key -/certs/metadata.crt -/tests/build -/vendor -/composer.lock -/.idea diff --git a/3rdparty/vendor/onelogin/php-saml/.travis.yml b/3rdparty/vendor/onelogin/php-saml/.travis.yml deleted file mode 100644 index 648e8cc..0000000 --- a/3rdparty/vendor/onelogin/php-saml/.travis.yml +++ /dev/null @@ -1,36 +0,0 @@ -language: php - -php: - - 5.6 - - 5.5 - - 5.4 -# - 5.3 - - 7.0 - -env: - - TRAVIS=true - -matrix: - fast_finish: true - -before_install: - - composer self-update || true - - composer install --prefer-source --no-interaction - -before_script: - - phpenv config-rm xdebug.ini - -script: - - vendor/bin/phpunit --bootstrap tests/bootstrap.php --configuration tests/phpunit.xml - - php vendor/bin/phpcpd --exclude tests --exclude vendor . - - php vendor/bin/phploc . --exclude vendor - - php vendor/bin/phploc lib/. - - mkdir -p tests/build/dependences - - php vendor/bin/pdepend --summary-xml=tests/build/logs/dependence-summary.xml --jdepend-chart=tests/build/dependences/jdepend.svg --overview-pyramid=tests/build/dependences/pyramid.svg lib/. - - php vendor/bin/phpcs --standard=tests/ZendModStandard lib/Saml2 demo1 demo2 demo-old endpoints tests/src - -after_script: - - export TRAVIS=https://travis-ci.org/onelogin/php-saml - - echo $TRAVIS - - echo $TRAVIS_JOB_ID - - php vendor/bin/coveralls --config .coveralls.yml -v diff --git a/3rdparty/vendor/onelogin/php-saml/CHANGELOG b/3rdparty/vendor/onelogin/php-saml/CHANGELOG index bdb23be..31fe880 100644 --- a/3rdparty/vendor/onelogin/php-saml/CHANGELOG +++ b/3rdparty/vendor/onelogin/php-saml/CHANGELOG 
@@ -1,5 +1,35 @@ CHANGELOG ========= + +v.3.0.0 (pending) +* Remove mcrypt dependency. Compatible with PHP 7.2 +* xmlseclibs now is not part of the toolkit and need to be installed from original source + +v.2.12.0 +* Improve Time management. Use DateTime/DateTimeZone classes. +* Escape error messages in debug mode +* Improve phpdoc +* Add an extra filter to the url to be used on redirection + +* [#242](https://github.com/onelogin/php-saml/pull/242) Document that SHA-1 must not be used +* [#250](https://github.com/onelogin/php-saml/pull/250) Fixed issue with IdPMetadataParser only keeping 1 certificate when multiple certificates of a single type were provided. +* [#263](https://github.com/onelogin/php-saml/issues/263) Fix incompatibility with ADFS on SLO. When on php saml settings NameID Format is set as unspecified but the SAMLResponse has no NameID Format, no NameID Format should be specified on LogoutRequest. + +v.2.11.0 +* [#236](https://github.com/onelogin/php-saml/pull/236) Exclude unnecesary files from Composer production downloads +* [#226](https://github.com/onelogin/php-saml/pull/226) Add possibility to handle nameId NameQualifier attribute in SLO Request +* Improve logout documentation on Readme. +* Improve multi-certificate support + +v.2.10.7 +* Fix IdPMetadataParser. The SingleLogoutService retrieved method was wrong +* [#201](https://github.com/onelogin/php-saml/issues/201) Fix issues with SP entity_id, acs url and sls url that contains & + +v.2.10.6 +* [#206](https://github.com/onelogin/php-saml/pull/206)Be able to register future SP x509cert on the settings and publish it on SP metadata +* [#206](https://github.com/onelogin/php-saml/pull/206) Be able to register more than 1 Identity Provider x509cert, linked with an specific use (signing or encryption) +* [#206](https://github.com/onelogin/php-saml/pull/206) Support the ability to parse IdP XML metadata (remote url or file) and be able to inject the data obtained on the settings. 
+ v.2.10.5 * Be able to get at the auth object the last processed ID * Improve NameID Format support diff --git a/3rdparty/vendor/onelogin/php-saml/README.md b/3rdparty/vendor/onelogin/php-saml/README.md index 1e43b95..15402b6 100644 --- a/3rdparty/vendor/onelogin/php-saml/README.md +++ b/3rdparty/vendor/onelogin/php-saml/README.md @@ -1,22 +1,16 @@ -# OneLogin's SAML PHP Toolkit +# OneLogin's SAML PHP Toolkit Compatible with PHP 5.X & 7.X [![Build Status](https://api.travis-ci.org/onelogin/php-saml.png?branch=master)](http://travis-ci.org/onelogin/php-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/php-saml/badge.png)](https://coveralls.io/r/onelogin/php-saml) [![License](https://poser.pugx.org/onelogin/php-saml/license.png)](https://packagist.org/packages/onelogin/php-saml) -Add SAML support to your PHP softwares using this library. -Forget those complicated libraries and use that open source library provided +Add SAML support to your PHP software using this library. +Forget those complicated libraries and use this open source library provided and supported by OneLogin Inc. Warning ------- -Update php-saml to 2.10.4, this version includes a security patch related to -[signature validations on LogoutRequests/LogoutResponses](https://github.com/onelogin/php-saml/commit/949359f5cad5e1d085c4e5447d9aa8f49a6e82a1) - -Update php-saml to 2.10.0, this version includes a security patch that contains extra validations that will prevent signature wrapping attacks. [CVE-2016-1000253](https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/ab8ae6e845eb506fbeb10a7e4ccb379f0b4222ca/DWF/2016/1000253/CVE-2016-1000253.json) - -php-saml < v2.10.0 is vulnerable and allows signature wrapping! - +This version is compatible with PHP 7.X and does not include xmlseclibs (you will need to install it via composer, dependency described in composer.json) Security Guidelines ------------------- 
@@ -81,13 +75,10 @@ Installation ### Dependencies ### - * `php >= 5.3.3` and some core extensions like `php-xml`, `php-date`, `php-zlib`. + * `php >= 5.4` and some core extensions like `php-xml`, `php-date`, `php-zlib`. * `openssl`. Install the openssl library. It handles x509 certificates. - * `mcrypt`. Install that library and its php driver if you gonna handle - encrypted data (`nameID`, `assertions`). * `gettext`. Install that library and its php driver. It handles translations. - -Since [PHP 5.3 is officially unsupported](http://php.net/eol.php) we recommend you to use a newer PHP version. + * `curl`. Install that library and its php driver if you plan to use the IdP Metadata parser. ### Code ### @@ -95,8 +86,9 @@ Since [PHP 5.3 is officially unsupported](http://php.net/eol.php) we recommend y The toolkit is hosted on github. You can download it from: - * Lastest release: https://github.com/onelogin/php-saml/releases/latest - * Master repo: https://github.com/onelogin/php-saml/tree/master + * https://github.com/onelogin/php-saml/releases + +Search for 3.X.X releases Copy the core of the library inside the php application. (each application has its structure so take your time to locate the PHP SAML toolkit in the best place). 
@@ -111,49 +103,39 @@ In order to import the saml toolkit to your current php project, execute composer require onelogin/php-saml ``` +Remember to select the 3.X.X branch + After installation has completed you will find at the `vendor/` folder a new folder named `onelogin` and inside the `php-saml`. Make sure you are including the autoloader provided by composer. It can be found at `vendor/autoload.php`. **Important** In this option, the x509 certs must be stored at `vendor/onelogin/php-saml/certs` and settings file stored at `vendor/onelogin/php-saml`. -Your settings are at risk of being deleted when updating packages using `composer update` or similiar commands. So it is **highly** recommended that instead of using settings files, you pass the settings as an array directly to the constructor (explained later in this document). If you do not use this approach your settings are at risk of being deleted when updating packages using `composer update` or similiar commands. +Your settings are at risk of being deleted when updating packages using `composer update` or similar commands. So it is **highly** recommended that instead of using settings files, you pass the settings as an array directly to the constructor (explained later in this document). If you do not use this approach your settings are at risk of being deleted when updating packages using `composer update` or similar commands. Compatibility ------------- -This 2.0 version has a new library. The toolkit is still compatible. - -The old code that you used in order to add SAML support gonna continue working -with minor changes. You only need to load the files of the `lib/Saml` folder. -(notice that the `compatibility.php` file do that). - -The old-demo folder contains code from an old app that uses the old version of -the toolkit (v.1). Take a look. 
- -Sometimes the names of the classes of the old code could be a bit different -and if that is your case you must change them for `OneLogin_Saml_Settings`, -`OneLogin_Saml_Response`, `OneLogin_Saml_AuthRequest` or `OneLogin_Saml_Metadata`. - -We recommend that you migrate the old code to the new one to be able to use -the new features that the new library Saml2 carries. - +This 3.X.X supports PHP 7.X. but can be used with PHP >=5.4 as well (5.6.24+ recommended for security reasons). Namespaces ---------- -If you are using the library with a framework like Symfony2 that contains +If you are using the library with a framework like Symfony that contains namespaces, remember that calls to the class must be done by adding a backslash (`\`) to the start, for example to use the static method getSelfURLNoQuery use: - \OneLogin_Saml2_Utils::getSelfURLNoQuery() + \OneLogin\Saml2\Utils::getSelfURLNoQuery() Security warning ---------------- -In production, the `strict` parameter **MUST** be set as `"true"`. Otherwise -your environment is not secure and will be exposed to attacks. +In production, the `strict` parameter **MUST** be set as `"true"` and the +`signatureAlgorithm` and `digestAlgorithm` under `security` must be set to +something other than SHA1 (see https://shattered.io/ ). Otherwise your +environment is not secure and will be exposed to attacks. +In production also we highly recommended to register on the settings the IdP certificate instead of using the fingerprint method. The fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass. Other SAML toolkits deprecated that mechanism, we maintain it for compatibility and also to be used on test environment. Getting started --------------- 
@@ -161,43 +143,35 @@ Getting started ### Knowing the toolkit ### The new OneLogin SAML Toolkit contains different folders (`certs`, `endpoints`, -`extlib`, `lib`, `demo`, etc.) and some files. +`lib`, `demo`, etc.) and some files. Let's start describing the folders: #### `certs/` #### -SAML requires a x.509 cert to sign and encrypt elements like `NameID`, `Message`, +SAML requires a x509 cert to sign and encrypt elements like `NameID`, `Message`, `Assertion`, `Metadata`. If our environment requires sign or encrypt support, this folder may contain the x509 cert and the private key that the SP will use: * `sp.crt` - The public cert of the SP - * `sp.key` - The privake key of the SP + * `sp.key` - The private key of the SP Or also we can provide those data in the setting file at the `$settings['sp']['x509cert']` and the `$settings['sp']['privateKey']`. Sometimes we could need a signature on the metadata published by the SP, in -this case we could use the x.509 cert previously mentioned or use a new x.509 +this case we could use the x509 cert previously mentioned or use a new x.509 cert: `metadata.crt` and `metadata.key`. +Use `sp_new.crt` if you are in a key rollover process and you want to +publish that x509 certificate on Service Provider metadata. -#### `extlib/` #### - -This folder contains the 3rd party libraries that the toolkit uses. At the -moment only uses the `xmlseclibs` (autor Robert Richards, BSD Licensed) which -handle the sign and the encryption of xml elements. - - -#### `lib/` #### +#### `src/` #### This folder contains the heart of the toolkit, the libraries: - * `Saml` folder contains a modified version of the toolkit v.1 and allows the - old code to keep working. (This library is provided to maintain - backward compatibility). * `Saml2` folder contains the new version of the classes and methods that are described in a later section. 
@@ -236,8 +210,6 @@ and support multiple languages. advanced_settings.php file which contains extra configuration info related to the security, the contact person, and the organization associated to the SP. * `_toolkit_loader.php` - This file load the toolkit libraries (The SAML2 lib). -* `compatibility` - Import that file to make compatible your old code with the - new toolkit (loads the SAML library). #### Miscellaneous #### @@ -246,8 +218,6 @@ and support multiple languages. * `demo1/` - Contains an example of a simple PHP app with SAML support. Read the `Readme.txt` inside for more info. * `demo2/` - Contains another example. -* `demo-old/` - Contains an example that uses the code of the older version of the - the toolkit to demonstrate the backwards compatibility. ### How it works ### @@ -272,7 +242,7 @@ file, rename and edit it. ```php null, // Service Provider Data that we are deploying. - 'sp' => array ( + 'sp' => array( // Identifier of the SP entity (must be a URI) 'entityId' => '', // Specifies info about where and how the message MUST be // returned to the requester, in this case our SP. - 'assertionConsumerService' => array ( + 'assertionConsumerService' => array( // URL Location where the from the IdP will be returned 'url' => '', // SAML protocol binding to be used when returning the @@ -319,8 +289,8 @@ $settings = array ( ) ), // Specifies info about where and how the message MUST be - // returned to the requester, in this case our SP. - 'singleLogoutService' => array ( + // returned to the requester, in this case our SP. + 'singleLogoutService' => array( // URL Location where the from the IdP will be returned 'url' => '', // SAML protocol binding to be used when returning the 
@@ -337,14 +307,22 @@ $settings = array ( 'x509cert' => '', 'privateKey' => '', + /* + * Key rollover + * If you plan to update the SP x509cert and privateKey + * you can define here the new x509cert and it will be + * published on the SP metadata so Identity Providers can + * read them and get ready for rollover. + */ + // 'x509certNew' => '', ), // Identity Provider Data that we want connected with our SP. - 'idp' => array ( + 'idp' => array( // Identifier of the IdP entity (must be a URI) 'entityId' => '', // SSO endpoint info of the IdP. (Authentication Request protocol) - 'singleSignOnService' => array ( + 'singleSignOnService' => array( // URL Target of the IdP where the Authentication Request Message // will be sent. 'url' => '', @@ -354,7 +332,7 @@ $settings = array ( 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', ), // SLO endpoint info of the IdP. - 'singleLogoutService' => array ( + 'singleLogoutService' => array( // URL Location of the IdP where SLO Request will be sent. 'url' => '', // SAML protocol binding to be used when returning the @@ -366,7 +344,8 @@ $settings = array ( 'x509cert' => '', /* * Instead of use the whole x509cert you can use a fingerprint in order to - * validate a SAMLResponse. + * validate a SAMLResponse, but we don't recommend to use that + * method on production since is exploitable by a collision attack. * (openssl x509 -noout -fingerprint -in "idp.crt" to generate it, * or add for example the -sha256 , -sha384 or -sha512 parameter) * 
@@ -379,6 +358,22 @@ $settings = array ( */ // 'certFingerprint' => '', // 'certFingerprintAlgorithm' => 'sha1', + + /* In some scenarios the IdP uses different certificates for + * signing/encryption, or is under key rollover phase and + * more than one certificate is published on IdP metadata. + * In order to handle that the toolkit offers that parameter. + * (when used, 'x509cert' and 'certFingerprint' values are + * ignored). + */ + // 'x509certMulti' => array( + // 'signing' => array( + // 0 => '', + // ), + // 'encryption' => array( + // 0 => '', + // ) + // ), ), ); ``` @@ -391,15 +386,15 @@ that you can copy and rename it as `advanced_settings.php` ```php array ( + 'compress' => array( 'requests' => true, 'responses' => true ), // Security settings - 'security' => array ( + 'security' => array( /** signatures and encryptions offered */ @@ -420,14 +415,13 @@ $advancedSettings = array ( 'logoutResponseSigned' => false, /* Sign the Metadata - False || True (use sp certs) || array ( + False || True (use sp certs) || array( keyFileName => 'metadata.key', certFileName => 'metadata.crt' ) */ 'signMetadata' => false, - /** signatures and encryptions required **/ // Indicates a requirement for the , 
@@ -450,11 +444,10 @@ $advancedSettings = array ( // this SP to be encrypted. 'wantNameIdEncrypted' => false, - // Authentication context. - // Set to false or don't present this parameter and no AuthContext will be sent in the AuthNRequest, - // Set true and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' - // Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'), + // Set to false and no AuthContext will be sent in the AuthNRequest. + // Set true or don't present this parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'. + // Set an array with the possible auth context values: array('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'). 'requestedAuthnContext' => true, // Indicates if the SP will validate all received xmls. 
@@ -471,14 +464,16 @@ $advancedSettings = array ( // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384' // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512' - 'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + // Notice that rsa-sha1 is a deprecated algorithm and should not be used + 'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', // Algorithm that the toolkit will use on digest process. Options: // 'http://www.w3.org/2000/09/xmldsig#sha1' // 'http://www.w3.org/2001/04/xmlenc#sha256' // 'http://www.w3.org/2001/04/xmldsig-more#sha384' // 'http://www.w3.org/2001/04/xmlenc#sha512' - 'digestAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#sha1', + // Notice that sha1 is a deprecated algorithm and should not be used + 'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256', // ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses // uppercase. Turn it True for ADFS compatibility on signature verification @@ -487,12 +482,12 @@ $advancedSettings = array ( // Contact information template, it is recommended to supply a // technical and support contacts. - 'contactPerson' => array ( - 'technical' => array ( + 'contactPerson' => array( + 'technical' => array( 'givenName' => '', 'emailAddress' => '' ), - 'support' => array ( + 'support' => array( 'givenName' => '', 'emailAddress' => '' ), @@ -500,7 +495,7 @@ $advancedSettings = array ( // Organization information template, the info in en_US lang is // recomended, add more if required. - 'organization' => array ( + 'organization' => array( 'en-US' => array( 'name' => '', 'displayname' => '', 
@@ -512,7 +507,7 @@ $advancedSettings = array ( The compression settings allow you to instruct whether or not the IdP can accept data that has been compressed using [gzip](gzip) ('requests' and 'responses'). -But if we provide a $deflate boolean parameter to the getRequest or getResponse method it will have priority over the compression settings. +But if we provide a `$deflate` boolean parameter to the `getRequest` or `getResponse` method it will have priority over the compression settings. In the security section, you can set the way that the SP will handle the messages and assertions. Contact the admin of the IdP and ask him what the IdP expects, @@ -523,21 +518,21 @@ Once we know what kind of data could be configured, let's talk about the way settings are handled within the toolkit. The settings files described (`settings.php` and `advanced_settings.php`) are loaded -by the toolkit if not other array with settings info is provided in the constructors of the toolkit. Let's see some examples. +by the toolkit if no other array with settings info is provided in the constructor of the toolkit. Let's see some examples. ```php // Initializes toolkit with settings.php & advanced_settings files. -$auth = new OneLogin_Saml2_Auth(); +$auth = new OneLogin\Saml2\Auth(); //or -$settings = new OneLogin_Saml2_Settings(); +$settings = new OneLogin\Saml2\Settings(); // Initializes toolkit with the array provided. -$auth = new OneLogin_Saml2_Auth($settingsInfo); +$auth = new OneLogin\Saml2\Auth($settingsInfo); //or -$settings = new OneLogin_Saml2_Settings($settingsInfo); +$settings = new OneLogin\Saml2\Settings($settingsInfo); ``` -You can declare the `$settingsInfo` in the file that constains the constructor +You can declare the `$settingsInfo` in the file that contains the constructor execution or locate them in any file and load the file in order to get the array available as we see in the following example: 
@@ -547,15 +542,19 @@ array available as we see in the following example: require_once 'custom_settings.php'; // The custom_settings.php contains a // $settingsInfo array. -$auth = new OneLogin_Saml2_Auth($settingsInfo); +$auth = new OneLogin\Saml2\Auth($settingsInfo); ``` #### How load the library #### -In order to use the toolkit library you need to import the `_toolkit_loader.php` -file located on the base folder of the toolkit. You can load this file in this -way: + +In order to use the toolkit library, if your project support composer you only +need to install it with composer (See the installation section) and you are done. + + +If your project doesn't use composer you need to import the `_toolkit_loader.php` +file located on the base folder of the toolkit. You can load this file in this way: ```php login(); // Method that sent the AuthNRequest ``` 
@@ -599,13 +590,13 @@ The `AuthNRequest` will be sent signed or unsigned based on the security info of the `advanced_settings.php` (`'authnRequestsSigned'`). -The IdP will then return the SAML Response to the user's client. The client is then forwarded to the Attribute Consumer Service of the SP with this information. If we do not set a 'url' param in the login method and we are using the default ACS provided by the toolkit (`endpoints/acs.php`), then the ACS endpoint will redirect the user to the file that launched the SSO request. +The IdP will then return the SAML Response to the user's client. The client is then forwarded to the Attribute Consumer Service of the SP with this information. If we do not set a `'url'` param in the login method and we are using the default ACS provided by the toolkit (`endpoints/acs.php`), then the ACS endpoint will redirect the user to the file that launched the SSO request. -We can set an `'returnTo'` url to change the workflow and redirect the user to the other PHP file. +We can set a `'returnTo'` url to change the workflow and redirect the user to the other PHP file. ```php $newTargetUrl = 'http://example.com/consume2.php'; -$auth = new OneLogin_Saml2_Auth(); +$auth = new OneLogin\Saml2\Auth(); $auth->login($newTargetUrl); ``` @@ -644,7 +635,7 @@ define("TOOLKIT_PATH", '/var/www/php-saml/'); require_once dirname(TOOLKIT_PATH.'/_toolkit_loader.php'; try { - $auth = new OneLogin_Saml2_Auth(); + $auth = new OneLogin\Saml2\Auth(); $settings = $auth->getSettings(); $metadata = $settings->getSPMetadata(); $errors = $settings->validateMetadata($metadata); @@ -652,9 +643,9 @@ try { header('Content-Type: text/xml'); echo $metadata; } else { - throw new OneLogin_Saml2_Error( + throw new OneLogin\Saml2\Error( 'Invalid SP metadata: '.implode(', ', $errors), - OneLogin_Saml2_Error::METADATA_SP_INVALID + OneLogin\Saml2\Error::METADATA_SP_INVALID ); } } catch (Exception $e) { 
@@ -668,8 +659,9 @@ Before the XML metadata is exposed, a check takes place to ensure that the info to be provided is valid. Instead of use the Auth object, you can directly use -``` -$settings = new OneLogin_Saml2_Settings($settingsInfo, true); + +```php +$settings = new OneLogin\Saml2\Settings($settingsInfo, true); ``` to get the settings object and with the true parameter we will avoid the IdP Settings validation. @@ -687,7 +679,7 @@ session_start(); // IMPORTANT: This is required in order to be able define("TOOLKIT_PATH", '/var/www/php-saml/'); require_once dirname(TOOLKIT_PATH.'/_toolkit_loader.php'; -$auth = new OneLogin_Saml2_Auth(); +$auth = new OneLogin\Saml2\Auth(); if (isset($_SESSION) && isset($_SESSION['AuthNRequestID'])) { $requestID = $_SESSION['AuthNRequestID']; @@ -696,11 +688,12 @@ if (isset($_SESSION) && isset($_SESSION['AuthNRequestID'])) { } $auth->processResponse($requestID); +unset($_SESSION['AuthNRequestID']); $errors = $auth->getErrors(); if (!empty($errors)) { - print_r('

'.implode(', ', $errors).'

'); + echo '

' . implode(', ', $errors) . '

'; exit(); } @@ -711,7 +704,12 @@ if (!$auth->isAuthenticated()) { $_SESSION['samlUserdata'] = $auth->getAttributes(); $_SESSION['samlNameId'] = $auth->getNameId(); -if (isset($_POST['RelayState']) && OneLogin_Saml2_Utils::getSelfURL() != $_POST['RelayState']) { +$_SESSION['samlNameIdFormat'] = $auth->getNameIdFormat(); +$_SESSION['samlNameidNameQualifier' = $auth->getNameIdNameQualifier(); +$_SESSION['samlNameidSPNameQualifier' = $auth->getNameIdSPNameQualifier(); +$_SESSION['samlSessionIndex'] = $auth->getSessionIndex(); + +if (isset($_POST['RelayState']) && OneLogin\Saml2\Utils::getSelfURL() != $_POST['RelayState']) { $auth->redirectTo($_POST['RelayState']); } @@ -721,8 +719,8 @@ $nameId = $_SESSION['samlNameId']; echo '

Identified user: '. htmlentities($nameId) .'

'; if (!empty($attributes)) { - echo '

'._('User attributes:').'

'; - echo ''; + echo '

' . _('User attributes:') . '

'; + echo '
'._('Name').''._('Values').'
'; foreach ($attributes as $attributeName => $attributeValues) { echo '
' . _('Name') . '' . _('Values') . '
' . htmlentities($attributeName) . '
    '; foreach ($attributeValues as $attributeValue) { @@ -823,7 +821,7 @@ session_start(); // IMPORTANT: This is required in order to be able define("TOOLKIT_PATH", '/var/www/php-saml/'); require_once dirname(TOOLKIT_PATH.'/_toolkit_loader.php'; -$auth = new OneLogin_Saml2_Auth(); +$auth = new OneLogin\Saml2\Auth(); if (isset($_SESSION) && isset($_SESSION['LogoutRequestID'])) { $requestID = $_SESSION['LogoutRequestID']; @@ -836,9 +834,9 @@ $auth->processSLO(false, $requestID); $errors = $auth->getErrors(); if (empty($errors)) { - print_r('Sucessfully logged out'); + echo 'Sucessfully logged out'; } else { - print_r(implode(', ', $errors)); + echo implode(', ', $errors); } ``` @@ -850,14 +848,14 @@ validated and the session could be closed ```php // part of the processSLO method -$logoutResponse = new OneLogin_Saml2_LogoutResponse($this->_settings, $_GET['SAMLResponse']); +$logoutResponse = new OneLogin\Saml2\LogoutResponse($this->_settings, $_GET['SAMLResponse']); if (!$logoutResponse->isValid($requestId)) { $this->_errors[] = 'invalid_logout_response'; -} else if ($logoutResponse->getStatus() !== OneLogin_Saml2_Constants::STATUS_SUCCESS) { +} else if ($logoutResponse->getStatus() !== OneLogin\Saml2\Constants::STATUS_SUCCESS) { $this->_errors[] = 'logout_not_success'; } else { if (!$keepLocalSession) { - OneLogin_Saml2_Utils::deleteLocalSession(); + OneLogin\Saml2\Utils::deleteLocalSession(); } } ``` 
@@ -871,15 +869,15 @@ the IdP. $decoded = base64_decode($_GET['SAMLRequest']); $request = gzinflate($decoded); -if (!OneLogin_Saml2_LogoutRequest::isValid($this->_settings, $request)) { +if (!OneLogin\Saml2\LogoutRequest::isValid($this->_settings, $request)) { $this->_errors[] = 'invalid_logout_request'; } else { if (!$keepLocalSession) { - OneLogin_Saml2_Utils::deleteLocalSession(); + OneLogin\Saml2\Utils::deleteLocalSession(); } $inResponseTo = $request->id; - $responseBuilder = new OneLogin_Saml2_LogoutResponse($this->_settings); + $responseBuilder = new OneLogin\Saml2\LogoutResponse($this->_settings); $responseBuilder->build($inResponseTo); $logoutResponse = $responseBuilder->getResponse(); 
@@ -931,17 +929,21 @@ In order to send a Logout Request to the IdP: define("TOOLKIT_PATH", '/var/www/php-saml/'); require_once(TOOLKIT_PATH . '_toolkit_loader.php'); -$auth = new OneLogin_Saml2_Auth(); +$auth = new OneLogin\Saml2\Auth(); $auth->logout(); // Method that sent the Logout Request. ``` -Also there are three optional parameters that can be set: - +Also there are eight optional parameters that can be set: +* `$returnTo` - The target URL the user should be returned to after logout. +* `$parameters` - Extra parameters to be added to the GET. * `$name_id` - That will be used to build the LogoutRequest. If `name_id` parameter is not set and the auth object processed a SAML Response with a `NameId`, then this `NameId` will be used. * `$session_index` - SessionIndex that identifies the session of the user. -* `$strict` - True if we want to stay (returns the url string) False to redirect. +* `$stay` - True if we want to stay (returns the url string) False to redirect. +* `$nameIdFormat` - The NameID Format will be set in the LogoutRequest. +* `$nameIdNameQualifier` - The NameID NameQualifier will be set in the LogoutRequest. +* `$nameIdSPNameQualifier` - The NameID SP NameQualifier will be set in the LogoutRequest. The Logout Request will be sent signed or unsigned based on the security info of the `advanced_settings.php` (`'logoutRequestSigned'`). 
@@ -957,9 +959,37 @@ to other php file. ```php $newTargetUrl = 'http://example.com/loggedOut.php'; -$auth = new OneLogin_Saml2_Auth(); +$auth = new OneLogin\Saml2\Auth(); $auth->logout($newTargetUrl); ``` +A more complex logout with all the parameters: +``` +$auth = new OneLogin\Saml2\Auth(); +$returnTo = null; +$paramters = array(); +$nameId = null; +$sessionIndex = null; +$nameIdFormat = null; +$nameIdNameQualifier = null; +$nameIdSPNameQualifier = null; + +if (isset($_SESSION['samlNameId'])) { + $nameId = $_SESSION['samlNameId']; +} +if (isset($_SESSION['samlSessionIndex'])) { + $sessionIndex = $_SESSION['samlSessionIndex']; +} +if (isset($_SESSION['samlNameIdFormat'])) { + $nameIdFormat = $_SESSION['samlNameIdFormat']; +} +if (isset($_SESSION['samlNameIdNameQualifier'])) { + $nameIdNameQualifier = $_SESSION['samlNameIdNameQualifier']; +} +if (isset($_SESSION['samlNameIdSPNameQualifier'])) { + $nameIdSPNameQualifier = $_SESSION['samlNameIdSPNameQualifier']; +} +$auth->logout($returnTo, $paramters, $nameId, $sessionIndex, false, $nameIdFormat, $nameIdNameQualifier, $nameIdSPNameQualifier); +``` If a match on the future LogoutResponse ID and the LogoutRequest ID to be sent is required, that LogoutRequest ID must to be extracted and stored. @@ -987,11 +1017,10 @@ session_start(); // Initialize the session, we do that because // Note that processResponse and processSLO // methods could manipulate/close that session -require_once dirname(dirname(__FILE__)).'/_toolkit_loader.php'; // Load Saml2 and - // external libs +require_once dirname(__DIR__) . '/_toolkit_loader.php'; // Load Saml2 and xmlseclibs require_once 'settings.php'; // Load the setting info as an Array -$auth = new OneLogin_Saml2_Auth($settingsInfo); // Initialize the SP SAML instance +$auth = new OneLogin\Saml2\Auth($settingsInfo); // Initialize the SP SAML instance if (isset($_GET['sso'])) { // SSO action. Will send an AuthNRequest to the IdP $auth->login(); 
@@ -1009,25 +1038,25 @@ if (isset($_GET['sso'])) { // SSO action. Will send an AuthNRequest to the I // that could took place during the process if (!empty($errors)) { - print_r('

    '.implode(', ', $errors).'

    '); + echo '

    ' . implode(', ', $errors) . '

    '; } // This check if the response was if (!$auth->isAuthenticated()) { // sucessfully validated and the user - echo "

    Not authenticated

    "; // data retrieved or not + echo '

    Not authenticated

    '; // data retrieved or not exit(); } $_SESSION['samlUserdata'] = $auth->getAttributes(); // Retrieves user data - if (isset($_POST['RelayState']) && OneLogin_Saml2_Utils::getSelfURL() != $_POST['RelayState']) { + if (isset($_POST['RelayState']) && OneLogin\Saml2\Utils::getSelfURL() != $_POST['RelayState']) { $auth->redirectTo($_POST['RelayState']); // Redirect if there is a } // relayState set } else if (isset($_GET['sls'])) { // Single Logout Service $auth->processSLO(); // Process the Logout Request & Logout Response $errors = $auth->getErrors(); // Retrieves possible validation errors if (empty($errors)) { - print_r('

    Sucessfully logged out

    '); + echo '

    Sucessfully logged out

    '; } else { - print_r('

    '.implode(', ', $errors).'

    '); + echo '

    ' . implode(', ', $errors) . '

    '; } } @@ -1056,8 +1085,8 @@ if (isset($_SESSION['samlUserdata'])) { // If there is user data we print it. ``` #### URL-guessing methods #### - -php-saml toolkit uses a bunch of methods in OneLogin_Saml2_Utils that try to guess the URL where the SAML messages are processed. + +php-saml toolkit uses a bunch of methods in OneLogin\Saml2\Utils that try to guess the URL where the SAML messages are processed. * `getSelfHost` Returns the current host. * `getSelfPort` Return the port number used for the request 
@@ -1069,11 +1098,11 @@ php-saml toolkit uses a bunch of methods in OneLogin_Saml2_Utils that try to gue getSelfURLNoQuery and getSelfRoutedURLNoQuery are used to calculate the currentURL in order to valdate SAML elements like Destination or Recipient. -When the PHP application is behind a proxy or a load balancer we can execute setProxyVars(true) and getSelfPort and isHTTPS will take care of the $_SERVER["HTTP_X_FORWARDED_PORT"] and $_SERVER['HTTP_X_FORWARDED_PROTO'] vars (otherwise they are ignored). +When the PHP application is behind a proxy or a load balancer we can execute `setProxyVars(true)` and `setSelfPort` and `isHTTPS` will take care of the `$_SERVER["HTTP_X_FORWARDED_PORT"]` and `$_SERVER['HTTP_X_FORWARDED_PROTO']` vars (otherwise they are ignored). -Also a developer can use setSelfProtocol, setSelfHost, setSelfPort and getBaseURLPath to define a specific value to be returned by isHTTPS, getSelfHost, getSelfPort and getBaseURLPath. And define a setBasePath to be used on the getSelfURL and getSelfRoutedURLNoQuery to replace the data extracted from $_SERVER["REQUEST_URI"]. +Also a developer can use `setSelfProtocol`, `setSelfHost`, `setSelfPort` and `getBaseURLPath` to define a specific value to be returned by `isHTTPS`, `getSelfHost`, `getSelfPort` and `getBaseURLPath`. And define a `setBasePath` to be used on the `getSelfURL` and `getSelfRoutedURLNoQuery` to replace the data extracted from `$_SERVER["REQUEST_URI"]`. -At the settings the developer will be able to set a 'baseurl' parameter that automatically will use setBaseURL to set values for setSelfProtocol, setSelfHost, setSelfPort and setBaseURLPath. +At the settings the developer will be able to set a `'baseurl'` parameter that automatically will use `setBaseURL` to set values for `setSelfProtocol`, `setSelfHost`, `setSelfPort` and `setBaseURLPath`. ### Working behind load balancer ### 
@@ -1085,68 +1114,46 @@ You should be able to workaround this by configuring your server so that it is a Or by using the method described on the previous section. -### Reply attacks ### +### SP Key rollover ### -In order to avoid reply attacks, you can store the ID of the SAML messages already processed, to avoid processing them twice. Since the Messages expires and will be invalidated due that fact, you don't need to store those IDs longer than the time frame that you currently accepting. +If you plan to update the SP x509cert and privateKey you can define the new x509cert as `$settings['sp']['x509certNew']` and it will be +published on the SP metadata so Identity Providers can read them and get ready for rollover. -Get the ID of the last processed message/assertion with the getLastMessageId/getLastAssertionId method of the Auth object. + +### IdP with multiple certificates ### + +In some scenarios the IdP uses different certificates for +signing/encryption, or is under key rollover phase and more than one certificate is published on IdP metadata. + +In order to handle that the toolkit offers the `$settings['idp']['x509certMulti']` parameter. + +When that parameter is used, `'x509cert'` and `'certFingerprint'` values will be ignored by the toolkit. + +The `x509certMulti` is an array with 2 keys: +- `signing`. An array of certs that will be used to validate IdP signature +- `encryption` An array with one unique cert that will be used to encrypt data to be sent to the IdP + + +### Replay attacks ### + +In order to avoid replay attacks, you can store the ID of the SAML messages already processed, to avoid processing them twice. Since the Messages expires and will be invalidated due that fact, you don't need to store those IDs longer than the time frame that you currently accepting. + +Get the ID of the last processed message/assertion with the `getLastMessageId`/`getLastAssertionId` methods of the Auth object. 
### Main classes and methods ### Described below are the main classes and methods that can be invoked. -#### The Old Saml library #### - -Lets start describing the classes and methods of the SAML library, an evolution -of the old v.1 toolkit that is provided to keep the backward compability. -Most of them use classes and methods of the new SAML2 library. - -##### OneLogin_Saml_AuthRequest - `AuthRequest.php` ##### - -Has the protected attribute `$auth`, an `OneLogin_Saml2_Auth` object. - -* `OneLogin_Saml_AuthRequest` - Constructs `OneLogin_Saml2_Auth`, - initializing the SP SAML instance. -* `getRedirectUrl($returnTo)` - Obtains the SSO URL containing the AuthRequest - message deflated. - - -##### OneLogin_Saml_Response - `Response.php` ##### - -* `OneLogin_Saml_Response` - Constructor that process the SAML Response, - Internally initializes an SP SAML instance and an `OneLogin_Saml2_Response`. -* `get_saml_attributes` - Retrieves an Array with the logged user data. - - -##### OneLogin_Saml_Settings - `Settings.php` ##### - -A simple class used to build the Setting object used in the v1.0 of the toolkit. - -##### OneLogin_Saml_Metadata - `Metadata.php` ##### - -* `OneLogin_Saml_Metadata` - Constructor that build the Metadata XML info based - on the settings of the SP -* `getXml` - An XML with the metadata info of the SP - - -##### OneLogin_Saml_XmlSec - `XmlSec.php` ##### - -Auxiliary class that contains methods to validate the SAML Response: -`validateNumAssertions`, `validateTimestamps`, `isValid` (which -uses the other two previous methods and also validate the signature of -SAML Response). - - #### Saml2 library #### Lets describe now the classes and methods of the SAML2 library. -##### OneLogin_Saml2_Auth - Auth.php ##### +##### OneLogin\Saml2\Auth - Auth.php ##### Main class of OneLogin PHP Toolkit - * `OneLogin_Saml2_Auth` - Initializes the SP SAML instance + * `Auth` - Initializes the SP SAML instance * `login` - Initiates the SSO process. 
* `logout` - Initiates the SLO process. * `processResponse` - Process the SAML Response sent by the IdP. @@ -1158,6 +1165,9 @@ Main class of OneLogin PHP Toolkit * `getAttributes` - Returns the set of SAML attributes. * `getAttribute` - Returns the requested SAML attribute * `getNameId` - Returns the nameID + * `getNameIdFormat` - Gets the NameID Format provided by the SAML response from the IdP. + * `getNameIdNameQualifier` - Gets the NameID NameQualifier provided from the SAML Response String. + * `getNameIdNameSPQualifier` - Gets the NameID SP NameQualifier provided from the SAML Response String. * `getSessionIndex` - Gets the SessionIndex from the AuthnStatement. * `getErrors` - Returns if there were any error * `getSSOurl` - Gets the SSO url. @@ -1172,20 +1182,20 @@ Main class of OneLogin PHP Toolkit * `getLastResponseXML` - Returns the most recently-constructed/processed XML SAML response (SAMLResponse, LogoutResponse). If the SAMLResponse had an encrypted assertion, decrypts it. -##### OneLogin_Saml2_AuthnRequest - `AuthnRequest.php` ##### +##### OneLogin\Saml2\AuthnRequest - `AuthnRequest.php` ##### SAML 2 Authentication Request class - * `OneLogin_Saml2_AuthnRequest` - Constructs the `AuthnRequest` object. + * `AuthnRequest` - Constructs the `AuthnRequest` object. * `getRequest` - Returns deflated, base64 encoded, unsigned `AuthnRequest`. * `getId` - Returns the `AuthNRequest` ID. * `getXML` - Returns the XML that will be sent as part of the request. -##### OneLogin_Saml2_Response - `Response.php` ##### +##### OneLogin\Saml2\Response - `Response.php` ##### SAML 2 Authentication Response class - * `OneLogin_Saml2_Response` - Constructs the SAML Response object. + * `Response` - Constructs the SAML Response object. * `isValid` - Determines if the SAML Response is valid using the certificate. * `checkStatus` - Checks if the Status is success. * `getAudiences` - Gets the audiences. 
@@ -1194,6 +1204,8 @@ SAML 2 Authentication Response class IdP. * `getNameId` - Gets the NameID provided by the SAML response from the IdP. * `getNameIdFormat` - Gets the NameID Format provided by the SAML response from the IdP. + * `getNameIdNameQualifier` - Gets the NameID NameQualifier provided from the SAML Response String. + * `getNameIdNameSPQualifier` - Gets the NameID SP NameQualifier provided from the SAML Response String. * `getSessionNotOnOrAfter` - Gets the SessionNotOnOrAfter from the AuthnStatement * `getSessionIndex` - Gets the SessionIndex from the AuthnStatement. @@ -1205,11 +1217,11 @@ SAML 2 Authentication Response class * `getError` - After executing a validation process, if it fails, this method returns the cause * `getXMLDocument` - Returns the SAML Response document (If contains an encrypted assertion, decrypts it) -##### OneLogin_Saml2_LogoutRequest - `LogoutRequest.php` ##### +##### OneLogin\Saml2\LogoutRequest - `LogoutRequest.php` ##### SAML 2 Logout Request class - * `OneLogin_Saml2_LogoutRequest` - Constructs the Logout Request object. + * `LogoutRequest` - Constructs the Logout Request object. * `getRequest` - Returns the Logout Request defated, base64encoded, unsigned * `getID` - Returns the ID of the Logout Request. (If you have the object you can access to the id attribute) * `getNameIdData` - Gets the NameID Data of the the Logout Request. 
@@ -1220,11 +1232,11 @@ SAML 2 Logout Request class * `getError` - After executing a validation process, if it fails, this method returns the cause * `getXML` - Returns the XML that will be sent as part of the request or that was received at the SP. -##### OneLogin_Saml2_LogoutResponse - `LogoutResponse.php` ##### +##### OneLogin\Saml2\LogoutResponse - `LogoutResponse.php` ##### SAML 2 Logout Response class - * `OneLogin_Saml2_LogoutResponse` - Constructs a Logout Response object + * `LogoutResponse` - Constructs a Logout Response object (Initialize params from settings and if provided load the Logout Response) * `getIssuer` - Gets the Issuer of the Logout Response. * `getStatus` - Gets the Status of the Logout Response. @@ -1234,11 +1246,11 @@ SAML 2 Logout Response class * `getError` - After executing a validation process, if it fails, this method returns the cause. * `getXML` - Returns the XML that will be sent as part of the response or that was received at the SP. -##### OneLogin_Saml2_Settings - `Settings.php` ##### +##### OneLogin\Saml2\Settings - `Settings.php` ##### Configuration of the OneLogin PHP Toolkit - * `OneLogin_Saml2_Settings` - Initializes the settings: Sets the paths of + * `Settings` - Initializes the settings: Sets the paths of the different folders and Loads settings info from settings file or array/object provided * `checkSettings` - Checks the settings info. @@ -1250,6 +1262,7 @@ Configuration of the OneLogin PHP Toolkit * `checkSPCerts` - Checks if the x509 certs of the SP exists and are valid. * `getSPkey` - Returns the x509 private key of the SP. * `getSPcert` - Returns the x509 public cert of the SP. + * `getSPcertNew` - Returns the future x509 public cert of the SP. * `getIdPData` - Gets the IdP data. * `getSPData`Gets the SP data. * `getSecurityData` - Gets security data. 
@@ -1259,6 +1272,7 @@ Configuration of the OneLogin PHP Toolkit * `validateMetadata` - Validates an XML SP Metadata. * `formatIdPCert` - Formats the IdP cert. * `formatSPCert` - Formats the SP cert. + * `formatSPCertNew` - Formats the SP cert new. * `formatSPKey` - Formats the SP private key. * `getErrors` - Returns an array with the errors, the array is empty when the settings is ok. @@ -1269,7 +1283,7 @@ Configuration of the OneLogin PHP Toolkit * `isStrict` - Returns if the 'strict' mode is active. * `isDebugActive` - Returns if the debug is active. -##### OneLogin_Saml2_Metadata - `Metadata.php` ##### +##### OneLogin\Saml2\Metadata - `Metadata.php` ##### A class that contains functionality related to the metadata of the SP @@ -1278,7 +1292,7 @@ A class that contains functionality related to the metadata of the SP * `addX509KeyDescriptors` - Adds the x509 descriptors (sign/encriptation) to the metadata -##### OneLogin_Saml2_Utils - `Utils.php` ##### +##### OneLogin\Saml2\Utils - `Utils.php` ##### Auxiliary class that contains several methods @@ -1317,6 +1331,16 @@ Auxiliary class that contains several methods (Message or Assertion). * `validateSign` - Validates a signature (Message or Assertion). +##### OneLogin\Saml2\IdPMetadataParser - `IdPMetadataParser.php` ##### + +Auxiliary class that contains several methods to retrieve and process IdP metadata + + * `parseRemoteXML` - Get IdP Metadata Info from URL. + * `parseFileXML` - Get IdP Metadata Info from File. + * `parseXML` - Get IdP Metadata Info from XML. + * `injectIntoSettings` - Inject metadata info into php-saml settings array. + + For more info, look at the source code; each method is documented and details about what it does and how to use it are provided. Make sure to also check the doc folder where HTML documentation about the classes and methods is provided for SAML and 
@@ -1436,7 +1460,7 @@ At demo1, we saw how all the SAML Request and Responses were handler at an unique file, the `index.php` file. This demo1 uses high-level programming. At demo2, we have several views: `index.php`, `sso.php`, `slo.php`, `consume.php` -and `metadata.php`. As we said, we gonna use the endpoints that are defined +and `metadata.php`. As we said, we will use the endpoints that are defined in the toolkit (`acs.php`, `sls.php` of the endpoints folder). This demo2 uses low-level programming. @@ -1469,7 +1493,7 @@ demo1, only changes the targets. valid, close the user session of the local app. Notice that the SLO Workflow starts and ends at the SP. - 5.2 SLO Initiated by IdP. In this case, the action takes place on the IdP + 4.2 SLO Initiated by IdP. In this case, the action takes place on the IdP side, the logout process is initiated at the idP, sends a Logout Request to the SP (SLS endpoint `sls.php` of the endpoint folder). The SLS endpoint of the SP process the Logout Request and if is valid, 
@@ -1478,43 +1502,3 @@ demo1, only changes the targets. Response, process it and close the session at of the IdP. Notice that the SLO Workflow starts and ends at the IdP. - -## Demo Old ## - -### SP setup ### - -This demo uses the old style of the version 1 of the toolkit. -An object of the class `OneLogin_Saml_Settings` must be provided to the -constructor of the `AuthRequest`. - -You will find an `example_settings.php` file at the demo-old's folder that -could be used as a template for your `settings.php` file. - -In that template, SAML settings are divided into two parts, the application -specific (`const_assertion_consumer_service_url`, `const_issuer`, -`const_name_identifier_format`) and the user/account specific -`idp_sso_target_url`, `x509certificate`). You'll need to add your own code here -to identify the user or user origin (e.g. by `subdomain`, `ip_address` etc.). - - -### IdP setup ### - -Once the SP is configured, the metadata of the SP is published at the -`metadata.php` file. After that, configure the IdP based on that information. - - -### How it works ### - -At the `metadata.php` view is published the metadata of the SP. - -The `index.php` file acts as an initiater for the SAML conversation if it should -should be initiated by the application. This is called Service Provider -Initiated SAML. The service provider creates a SAML Authentication Request and -sends it to the identity provider (IdP). - -The `consume.php` is the ACS endpoint. Receives the SAML assertion. After Response -validation, the userdata and the nameID will be available, using `getNameId()` or -`getAttributes()` we obtain them. - -Since the version 1 of the php toolkit does not support SLO we don't show how -handle SLO in this demo-old. diff --git a/3rdparty/vendor/onelogin/php-saml/_toolkit_loader.php b/3rdparty/vendor/onelogin/php-saml/_toolkit_loader.php index 1af21e9..c4649d7 100644 --- a/3rdparty/vendor/onelogin/php-saml/_toolkit_loader.php 
+++ b/3rdparty/vendor/onelogin/php-saml/_toolkit_loader.php @@ -1,19 +1,28 @@ array ( + 'compress' => array( 'requests' => true, 'responses' => true ), // Security settings - 'security' => array ( + 'security' => array( /** signatures and encryptions offered */ @@ -33,7 +33,7 @@ $advancedSettings = array ( 'logoutResponseSigned' => false, /* Sign the Metadata - False || True (use sp certs) || array ( + False || True (use sp certs) || array( keyFileName => 'metadata.key', certFileName => 'metadata.crt' ) @@ -66,7 +66,7 @@ $advancedSettings = array ( // Authentication context. // Set to false and no AuthContext will be sent in the AuthNRequest, // Set true or don't present this parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' - // Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'), + // Set an array with the possible auth context values: array('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'), 'requestedAuthnContext' => false, // Allows the authn comparison parameter to be set, defaults to 'exact' if 
@@ -87,14 +87,16 @@ $advancedSettings = array ( // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384' // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512' - 'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + // Notice that rsa-sha1 is a deprecated algorithm and should not be used + 'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', // Algorithm that the toolkit will use on digest process. Options: // 'http://www.w3.org/2000/09/xmldsig#sha1' // 'http://www.w3.org/2001/04/xmlenc#sha256' // 'http://www.w3.org/2001/04/xmldsig-more#sha384' // 'http://www.w3.org/2001/04/xmlenc#sha512' - 'digestAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#sha1', + // Notice that sha1 is a deprecated algorithm and should not be used + 'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256', // ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses // uppercase. Turn it True for ADFS compatibility on signature verification @@ -102,19 +104,19 @@ $advancedSettings = array ( ), // Contact information template, it is recommended to suply a technical and support contacts - 'contactPerson' => array ( - 'technical' => array ( + 'contactPerson' => array( + 'technical' => array( 'givenName' => '', 'emailAddress' => '' ), - 'support' => array ( + 'support' => array( 'givenName' => '', 'emailAddress' => '' ), ), // Organization information template, the info in en_US lang is recomended, add more if required - 'organization' => array ( + 'organization' => array( 'en-US' => array( 'name' => '', 'displayname' => '', diff --git a/3rdparty/vendor/onelogin/php-saml/compatibility.php b/3rdparty/vendor/onelogin/php-saml/compatibility.php deleted file mode 100644 index 02a8108..0000000 --- a/3rdparty/vendor/onelogin/php-saml/compatibility.php +++ /dev/null 
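Review bot: The new comment lines above `'signatureAlgorithm'` and `'digestAlgorithm'` say the SHA-1 variants are deprecated but do not say that, as far as I can tell, these two keys only govern the signatures and digests the SP itself produces, so a reader may assume the change also makes the SP refuse SHA-1-signed messages from the IdP, which this hunk does not do. Changing the defaults also changes what the SP sends, so an IdP that is configured to verify RSA-SHA1 signatures from this SP will start rejecting its signed messages until the IdP side is updated; an example settings file should say so next to the new value. Suggested wording for the first added comment: `// rsa-sha1 is deprecated and should not be used; this setting only affects signatures the SP produces, and the IdP must accept the algorithm chosen here`, with the matching sentence for the digest comment. The digest option list in the context lines still prints `'http://www.w3.org/2000/09/xmldsig#sha1'` as a plain option; appending `(deprecated)` to that line would keep the list consistent with the new note below it.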
@@ -1,12 +0,0 @@ -=5.3.2", - "ext-openssl": "*", - "ext-dom": "*", - "ext-mcrypt": "*" + "php": ">=5.4", + "robrichards/xmlseclibs": "^3.0" }, "require-dev": { - "phpunit/phpunit": "4.8", - "satooshi/php-coveralls": "1.0.1", - "sebastian/phpcpd": "*", - "phploc/phploc": "*", - "pdepend/pdepend" : "1.1.0", - "squizlabs/php_codesniffer": "*" + "phpunit/phpunit": "^4.8.35 || ^5.7 || ^6.5 || ^7.1", + "php-coveralls/php-coveralls": "^1.0.2 || ^2.0", + "sebastian/phpcpd": "^2.0 || ^3.0 || ^4.0", + "phploc/phploc": "^2.1 || ^3.0 || ^4.0", + "pdepend/pdepend": "^2.5.0", + "squizlabs/php_codesniffer": "^3.1.1" }, "suggest": { - "lib-openssl": "Install openssl lib in order to handle with x509 certs (require to support sign and encryption)", - "ext-mcrypt": "Install mcrypt and php5-mcrypt libs in order to support encryption", + "ext-openssl": "Install openssl lib in order to handle with x509 certs (require to support sign and encryption)", + "ext-curl": "Install curl lib to be able to use the IdPMetadataParser for parsing remote XMLs", "ext-gettext": "Install gettext and php5-gettext libs to handle translations" } } diff --git a/3rdparty/vendor/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php b/3rdparty/vendor/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php deleted file mode 100644 index 05be864..0000000 --- a/3rdparty/vendor/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php +++ /dev/null 
@@ -1,1721 +0,0 @@ -. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * * Neither the name of Robert Richards nor the names of his - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER - * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN - * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- * - * @author Robert Richards - * @copyright 2007-2015 Robert Richards - * @license http://www.opensource.org/licenses/bsd-license.php BSD License - * @version 2.0.0 modified - */ - -class XMLSecurityKey { - const TRIPLEDES_CBC = 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc'; - const AES128_CBC = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc'; - const AES192_CBC = 'http://www.w3.org/2001/04/xmlenc#aes192-cbc'; - const AES256_CBC = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'; - const RSA_1_5 = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'; - const RSA_OAEP_MGF1P = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'; - const DSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'; - const RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'; - const RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'; - const RSA_SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'; - const RSA_SHA512 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'; - const HMAC_SHA1 = 'http://www.w3.org/2000/09/xmldsig#hmac-sha1'; - - private $cryptParams = array(); - public $type = 0; - public $key = null; - public $passphrase = ""; - public $iv = null; - public $name = null; - public $keyChain = null; - public $isEncrypted = false; - public $encryptedCtx = null; - public $guid = null; - - /** - * This variable contains the certificate as a string if this key represents an X509-certificate. - * If this key doesn't represent a certificate, this will be null. - */ - private $x509Certificate = null; - - /* This variable contains the certificate thunbprint if we have loaded an X509-certificate. 
*/ - private $X509Thumbprint = null; - - public function __construct($type, $params=null) { - switch ($type) { - case (XMLSecurityKey::TRIPLEDES_CBC): - $this->cryptParams['library'] = 'mcrypt'; - $this->cryptParams['cipher'] = MCRYPT_TRIPLEDES; - $this->cryptParams['mode'] = MCRYPT_MODE_CBC; - $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc'; - $this->cryptParams['keysize'] = 24; - break; - case (XMLSecurityKey::AES128_CBC): - $this->cryptParams['library'] = 'mcrypt'; - $this->cryptParams['cipher'] = MCRYPT_RIJNDAEL_128; - $this->cryptParams['mode'] = MCRYPT_MODE_CBC; - $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc'; - $this->cryptParams['keysize'] = 16; - break; - case (XMLSecurityKey::AES192_CBC): - $this->cryptParams['library'] = 'mcrypt'; - $this->cryptParams['cipher'] = MCRYPT_RIJNDAEL_128; - $this->cryptParams['mode'] = MCRYPT_MODE_CBC; - $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmlenc#aes192-cbc'; - $this->cryptParams['keysize'] = 24; - break; - case (XMLSecurityKey::AES256_CBC): - $this->cryptParams['library'] = 'mcrypt'; - $this->cryptParams['cipher'] = MCRYPT_RIJNDAEL_128; - $this->cryptParams['mode'] = MCRYPT_MODE_CBC; - $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'; - $this->cryptParams['keysize'] = 32; - break; - case (XMLSecurityKey::RSA_1_5): - $this->cryptParams['library'] = 'openssl'; - $this->cryptParams['padding'] = OPENSSL_PKCS1_PADDING; - $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'; - if (is_array($params) && ! 
empty($params['type'])) { - if ($params['type'] == 'public' || $params['type'] == 'private') { - $this->cryptParams['type'] = $params['type']; - break; - } - } - throw new Exception('Certificate "type" (private/public) must be passed via parameters'); - case (XMLSecurityKey::RSA_OAEP_MGF1P): - $this->cryptParams['library'] = 'openssl'; - $this->cryptParams['padding'] = OPENSSL_PKCS1_OAEP_PADDING; - $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'; - $this->cryptParams['hash'] = null; - if (is_array($params) && ! empty($params['type'])) { - if ($params['type'] == 'public' || $params['type'] == 'private') { - $this->cryptParams['type'] = $params['type']; - break; - } - } - throw new Exception('Certificate "type" (private/public) must be passed via parameters'); - case (XMLSecurityKey::RSA_SHA1): - $this->cryptParams['library'] = 'openssl'; - $this->cryptParams['method'] = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'; - $this->cryptParams['padding'] = OPENSSL_PKCS1_PADDING; - if (is_array($params) && ! empty($params['type'])) { - if ($params['type'] == 'public' || $params['type'] == 'private') { - $this->cryptParams['type'] = $params['type']; - break; - } - } - throw new Exception('Certificate "type" (private/public) must be passed via parameters'); - case (XMLSecurityKey::RSA_SHA256): - $this->cryptParams['library'] = 'openssl'; - $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'; - $this->cryptParams['padding'] = OPENSSL_PKCS1_PADDING; - $this->cryptParams['digest'] = 'SHA256'; - if (is_array($params) && ! 
empty($params['type'])) { - if ($params['type'] == 'public' || $params['type'] == 'private') { - $this->cryptParams['type'] = $params['type']; - break; - } - } - throw new Exception('Certificate "type" (private/public) must be passed via parameters'); - case (XMLSecurityKey::RSA_SHA384): - $this->cryptParams['library'] = 'openssl'; - $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'; - $this->cryptParams['padding'] = OPENSSL_PKCS1_PADDING; - $this->cryptParams['digest'] = 'SHA384'; - if (is_array($params) && ! empty($params['type'])) { - if ($params['type'] == 'public' || $params['type'] == 'private') { - $this->cryptParams['type'] = $params['type']; - break; - } - } - throw new Exception('Certificate "type" (private/public) must be passed via parameters'); - case (XMLSecurityKey::RSA_SHA512): - $this->cryptParams['library'] = 'openssl'; - $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'; - $this->cryptParams['padding'] = OPENSSL_PKCS1_PADDING; - $this->cryptParams['digest'] = 'SHA512'; - if (is_array($params) && ! empty($params['type'])) { - if ($params['type'] == 'public' || $params['type'] == 'private') { - $this->cryptParams['type'] = $params['type']; - break; - } - } - throw new Exception('Certificate "type" (private/public) must be passed via parameters'); - case (XMLSecurityKey::HMAC_SHA1): - $this->cryptParams['library'] = $type; - $this->cryptParams['method'] = 'http://www.w3.org/2000/09/xmldsig#hmac-sha1'; - break; - default: - throw new Exception('Invalid Key Type'); - } - $this->type = $type; - } - - /** - * Retrieve the key size for the symmetric encryption algorithm.. - * - * If the key size is unknown, or this isn't a symmetric encryption algorithm, - * null is returned. - * - * @return int|null The number of bytes in the key. - */ - public function getSymmetricKeySize() { - if (! 
isset($this->cryptParams['keysize'])) { - return null; - } - return $this->cryptParams['keysize']; - } - - public function generateSessionKey() { - if (!isset($this->cryptParams['keysize'])) { - throw new Exception('Unknown key size for type "' . $this->type . '".'); - } - $keysize = $this->cryptParams['keysize']; - - if (function_exists('openssl_random_pseudo_bytes')) { - /* We have PHP >= 5.3 - use openssl to generate session key. */ - $key = openssl_random_pseudo_bytes($keysize); - } else { - /* Generating random key using iv generation routines */ - $key = mcrypt_create_iv($keysize, MCRYPT_RAND); - } - - if ($this->type === XMLSecurityKey::TRIPLEDES_CBC) { - /* Make sure that the generated key has the proper parity bits set. - * Mcrypt doesn't care about the parity bits, but others may care. - */ - for ($i = 0; $i < strlen($key); $i++) { - $byte = ord($key[$i]) & 0xfe; - $parity = 1; - for ($j = 1; $j < 8; $j++) { - $parity ^= ($byte >> $j) & 1; - } - $byte |= $parity; - $key[$i] = chr($byte); - } - } - - $this->key = $key; - return $key; - } - - public static function getRawThumbprint($cert) { - - $arCert = explode("\n", $cert); - $data = ''; - $inData = false; - - foreach ($arCert AS $curData) { - if (! $inData) { - if (strncmp($curData, '-----BEGIN CERTIFICATE', 22) == 0) { - $inData = true; - } - } else { - if (strncmp($curData, '-----END CERTIFICATE', 20) == 0) { - break; - } - $data .= trim($curData); - } - } - - if (! 
empty($data)) { - return strtolower(sha1(base64_decode($data))); - } - - return null; - } - - public function loadKey($key, $isFile=false, $isCert = false) { - if ($isFile) { - $this->key = file_get_contents($key); - } else { - $this->key = $key; - } - if ($isCert) { - $this->key = openssl_x509_read($this->key); - openssl_x509_export($this->key, $str_cert); - $this->x509Certificate = $str_cert; - $this->key = $str_cert; - } else { - $this->x509Certificate = null; - } - if ($this->cryptParams['library'] == 'openssl') { - if ($this->cryptParams['type'] == 'public') { - if ($isCert) { - /* Load the thumbprint if this is an X509 certificate. */ - $this->X509Thumbprint = self::getRawThumbprint($this->key); - } - $this->key = openssl_get_publickey($this->key); - } else { - $this->key = openssl_get_privatekey($this->key, $this->passphrase); - } - } else if ($this->cryptParams['cipher'] == MCRYPT_RIJNDAEL_128) { - /* Check key length */ - switch ($this->type) { - case (XMLSecurityKey::AES256_CBC): - if (strlen($this->key) < 25) { - throw new Exception('Key must contain at least 25 characters for this cipher'); - } - break; - case (XMLSecurityKey::AES192_CBC): - if (strlen($this->key) < 17) { - throw new Exception('Key must contain at least 17 characters for this cipher'); - } - break; - } - } - } - - private function encryptMcrypt($data) { - $td = mcrypt_module_open($this->cryptParams['cipher'], '', $this->cryptParams['mode'], ''); - $this->iv = mcrypt_create_iv (mcrypt_enc_get_iv_size($td), MCRYPT_RAND); - mcrypt_generic_init($td, $this->key, $this->iv); - if ($this->cryptParams['mode'] == MCRYPT_MODE_CBC) { - $bs = mcrypt_enc_get_block_size($td); - for ($datalen0=$datalen=strlen($data); (($datalen%$bs)!=($bs-1)); $datalen++) - $data.=chr(mt_rand(1, 127)); - $data.=chr($datalen-$datalen0+1); - } - $encrypted_data = $this->iv.mcrypt_generic($td, $data); - mcrypt_generic_deinit($td); - mcrypt_module_close($td); - return $encrypted_data; - } - - private function 
decryptMcrypt($data) { - $td = mcrypt_module_open($this->cryptParams['cipher'], '', $this->cryptParams['mode'], ''); - $iv_length = mcrypt_enc_get_iv_size($td); - - $this->iv = substr($data, 0, $iv_length); - $data = substr($data, $iv_length); - - mcrypt_generic_init($td, $this->key, $this->iv); - $decrypted_data = mdecrypt_generic($td, $data); - mcrypt_generic_deinit($td); - mcrypt_module_close($td); - if ($this->cryptParams['mode'] == MCRYPT_MODE_CBC) { - $dataLen = strlen($decrypted_data); - $paddingLength = substr($decrypted_data, $dataLen - 1, 1); - $decrypted_data = substr($decrypted_data, 0, $dataLen - ord($paddingLength)); - } - return $decrypted_data; - } - - private function encryptOpenSSL($data) { - if ($this->cryptParams['type'] == 'public') { - if (! openssl_public_encrypt($data, $encrypted_data, $this->key, $this->cryptParams['padding'])) { - throw new Exception('Failure encrypting Data'); - } - } else { - if (! openssl_private_encrypt($data, $encrypted_data, $this->key, $this->cryptParams['padding'])) { - throw new Exception('Failure encrypting Data'); - } - } - return $encrypted_data; - } - - private function decryptOpenSSL($data) { - if ($this->cryptParams['type'] == 'public') { - if (! openssl_public_decrypt($data, $decrypted, $this->key, $this->cryptParams['padding'])) { - throw new Exception('Failure decrypting Data'); - } - } else { - if (! openssl_private_decrypt($data, $decrypted, $this->key, $this->cryptParams['padding'])) { - throw new Exception('Failure decrypting Data'); - } - } - return $decrypted; - } - - private function signOpenSSL($data) { - $algo = OPENSSL_ALGO_SHA1; - if (! empty($this->cryptParams['digest'])) { - $algo = $this->cryptParams['digest']; - } - if (! openssl_sign ($data, $signature, $this->key, $algo)) { - throw new Exception('Failure Signing Data: ' . openssl_error_string() . ' - ' . $algo); - } - return $signature; - } - - private function verifyOpenSSL($data, $signature) { - $algo = OPENSSL_ALGO_SHA1; - if (! 
empty($this->cryptParams['digest'])) { - $algo = $this->cryptParams['digest']; - } - return openssl_verify ($data, $signature, $this->key, $algo); - } - - public function encryptData($data) { - switch ($this->cryptParams['library']) { - case 'mcrypt': - return $this->encryptMcrypt($data); - case 'openssl': - return $this->encryptOpenSSL($data); - } - } - - public function decryptData($data) { - switch ($this->cryptParams['library']) { - case 'mcrypt': - return $this->decryptMcrypt($data); - case 'openssl': - return $this->decryptOpenSSL($data); - } - } - - public function signData($data) { - switch ($this->cryptParams['library']) { - case 'openssl': - return $this->signOpenSSL($data); - case (XMLSecurityKey::HMAC_SHA1): - return hash_hmac("sha1", $data, $this->key, true); - } - } - - public function verifySignature($data, $signature) { - switch ($this->cryptParams['library']) { - case 'openssl': - return $this->verifyOpenSSL($data, $signature); - case (XMLSecurityKey::HMAC_SHA1): - $expectedSignature = hash_hmac("sha1", $data, $this->key, true); - return strcmp($signature, $expectedSignature) == 0; - } - } - - public function getAlgorithm() { - return $this->cryptParams['method']; - } - - static function makeAsnSegment($type, $string) { - switch ($type){ - case 0x02: - if (ord($string) > 0x7f) - $string = chr(0).$string; - break; - case 0x03: - $string = chr(0).$string; - break; - } - - $length = strlen($string); - - if ($length < 128){ - $output = sprintf("%c%c%s", $type, $length, $string); - } else if ($length < 0x0100){ - $output = sprintf("%c%c%c%s", $type, 0x81, $length, $string); - } else if ($length < 0x010000) { - $output = sprintf("%c%c%c%c%s", $type, 0x82, $length/0x0100, $length%0x0100, $string); - } else { - $output = null; - } - return($output); - } - - /* Modulus and Exponent must already be base64 decoded */ - static function convertRSA($modulus, $exponent) { - /* make an ASN publicKeyInfo */ - $exponentEncoding = XMLSecurityKey::makeAsnSegment(0x02, 
$exponent); - $modulusEncoding = XMLSecurityKey::makeAsnSegment(0x02, $modulus); - $sequenceEncoding = XMLSecurityKey:: makeAsnSegment(0x30, $modulusEncoding.$exponentEncoding); - $bitstringEncoding = XMLSecurityKey::makeAsnSegment(0x03, $sequenceEncoding); - $rsaAlgorithmIdentifier = pack("H*", "300D06092A864886F70D0101010500"); - $publicKeyInfo = XMLSecurityKey::makeAsnSegment (0x30, $rsaAlgorithmIdentifier.$bitstringEncoding); - - /* encode the publicKeyInfo in base64 and add PEM brackets */ - $publicKeyInfoBase64 = base64_encode($publicKeyInfo); - $encoding = "-----BEGIN PUBLIC KEY-----\n"; - $offset = 0; - while ($segment=substr($publicKeyInfoBase64, $offset, 64)){ - $encoding = $encoding.$segment."\n"; - $offset += 64; - } - return $encoding."-----END PUBLIC KEY-----\n"; - } - - public function serializeKey($parent) { - - } - - - - /** - * Retrieve the X509 certificate this key represents. - * - * Will return the X509 certificate in PEM-format if this key represents - * an X509 certificate. - * - * @return The X509 certificate or null if this key doesn't represent an X509-certificate. - */ - public function getX509Certificate() { - return $this->x509Certificate; - } - - /* Get the thumbprint of this X509 certificate. - * - * Returns: - * The thumbprint as a lowercase 40-character hexadecimal number, or null - * if this isn't a X509 certificate. - */ - public function getX509Thumbprint() { - return $this->X509Thumbprint; - } - - - /** - * Create key from an EncryptedKey-element. - * - * @param DOMElement $element The EncryptedKey-element. - * @return XMLSecurityKey The new key. - */ - public static function fromEncryptedKeyElement(DOMElement $element) { - - $objenc = new XMLSecEnc(); - $objenc->setNode($element); - if (! 
$objKey = $objenc->locateKey()) { - throw new Exception("Unable to locate algorithm for this Encrypted Key"); - } - $objKey->isEncrypted = true; - $objKey->encryptedCtx = $objenc; - XMLSecEnc::staticLocateKeyInfo($objKey, $element); - return $objKey; - } - -} - - -class XMLSecurityDSig { - const XMLDSIGNS = 'http://www.w3.org/2000/09/xmldsig#'; - const SHA1 = 'http://www.w3.org/2000/09/xmldsig#sha1'; - const SHA256 = 'http://www.w3.org/2001/04/xmlenc#sha256'; - const SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#sha384'; - const SHA512 = 'http://www.w3.org/2001/04/xmlenc#sha512'; - const RIPEMD160 = 'http://www.w3.org/2001/04/xmlenc#ripemd160'; - - const C14N = 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315'; - const C14N_COMMENTS = 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments'; - const EXC_C14N = 'http://www.w3.org/2001/10/xml-exc-c14n#'; - const EXC_C14N_COMMENTS = 'http://www.w3.org/2001/10/xml-exc-c14n#WithComments'; - - const template = ' - - - -'; - - public $sigNode = null; - public $idKeys = array(); - public $idNS = array(); - private $signedInfo = null; - private $xPathCtx = null; - private $canonicalMethod = null; - private $prefix = 'ds'; - private $searchpfx = 'secdsig'; - - /* This variable contains an associative array of validated nodes. */ - private $validatedNodes = null; - - public function __construct() { - $sigdoc = new DOMDocument(); - $sigdoc->loadXML(XMLSecurityDSig::template); - $this->sigNode = $sigdoc->documentElement; - } - - private function resetXPathObj() { - $this->xPathCtx = null; - } - - private function getXPathObj() { - if (empty($this->xPathCtx) && ! empty($this->sigNode)) { - $xpath = new DOMXPath($this->sigNode->ownerDocument); - $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS); - $this->xPathCtx = $xpath; - } - return $this->xPathCtx; - } - - static function generateGUID($prefix='pfx') { - $uuid = md5(uniqid(mt_rand(), true)); - $guid = $prefix.substr($uuid,0,8)."-". 
- substr($uuid,8,4)."-". - substr($uuid,12,4)."-". - substr($uuid,16,4)."-". - substr($uuid,20,12); - return $guid; - } - - public function locateSignature($objDoc, $pos=0) { - if ($objDoc instanceof DOMDocument) { - $doc = $objDoc; - } else { - $doc = $objDoc->ownerDocument; - } - if ($doc) { - $xpath = new DOMXPath($doc); - $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS); - $query = ".//secdsig:Signature"; - $nodeset = $xpath->query($query, $objDoc); - $this->sigNode = $nodeset->item($pos); - return $this->sigNode; - } - return null; - } - - public function createNewSignNode($name, $value=null) { - $doc = $this->sigNode->ownerDocument; - if (! is_null($value)) { - $node = $doc->createElementNS(XMLSecurityDSig::XMLDSIGNS, $this->prefix.':'.$name, $value); - } else { - $node = $doc->createElementNS(XMLSecurityDSig::XMLDSIGNS, $this->prefix.':'.$name); - } - return $node; - } - - public function setCanonicalMethod($method) { - switch ($method) { - case 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315': - case 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments': - case 'http://www.w3.org/2001/10/xml-exc-c14n#': - case 'http://www.w3.org/2001/10/xml-exc-c14n#WithComments': - $this->canonicalMethod = $method; - break; - default: - throw new Exception('Invalid Canonical Method'); - } - if ($xpath = $this->getXPathObj()) { - $query = './'.$this->searchpfx.':SignedInfo'; - $nodeset = $xpath->query($query, $this->sigNode); - if ($sinfo = $nodeset->item(0)) { - $query = './'.$this->searchpfx.'CanonicalizationMethod'; - $nodeset = $xpath->query($query, $sinfo); - if (! 
($canonNode = $nodeset->item(0))) { - $canonNode = $this->createNewSignNode('CanonicalizationMethod'); - $sinfo->insertBefore($canonNode, $sinfo->firstChild); - } - $canonNode->setAttribute('Algorithm', $this->canonicalMethod); - } - } - } - - private function canonicalizeData($node, $canonicalmethod, $arXPath=null, $prefixList=null) { - $exclusive = false; - $withComments = false; - switch ($canonicalmethod) { - case 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315': - $exclusive = false; - $withComments = false; - break; - case 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments': - $withComments = true; - break; - case 'http://www.w3.org/2001/10/xml-exc-c14n#': - $exclusive = true; - break; - case 'http://www.w3.org/2001/10/xml-exc-c14n#WithComments': - $exclusive = true; - $withComments = true; - break; - } - - if (is_null($arXPath) && ($node instanceof DOMNode) && ($node->ownerDocument !== null) && $node->isSameNode($node->ownerDocument->documentElement)) { - /* Check for any PI or comments as they would have been excluded */ - $element = $node; - while ($refnode = $element->previousSibling) { - if ($refnode->nodeType == XML_PI_NODE || (($refnode->nodeType == XML_COMMENT_NODE) && $withComments)) { - break; - } - $element = $refnode; - } - if ($refnode == null) { - $node = $node->ownerDocument; - } - } - - return $node->C14N($exclusive, $withComments, $arXPath, $prefixList); - } - - public function canonicalizeSignedInfo() { - - $doc = $this->sigNode->ownerDocument; - $canonicalmethod = null; - if ($doc) { - $xpath = $this->getXPathObj(); - $query = "./secdsig:SignedInfo"; - $nodeset = $xpath->query($query, $this->sigNode); - if ($signInfoNode = $nodeset->item(0)) { - $query = "./secdsig:CanonicalizationMethod"; - $nodeset = $xpath->query($query, $signInfoNode); - if ($canonNode = $nodeset->item(0)) { - $canonicalmethod = $canonNode->getAttribute('Algorithm'); - } - $this->signedInfo = $this->canonicalizeData($signInfoNode, $canonicalmethod); - return 
$this->signedInfo; - } - } - return null; - } - - public function calculateDigest ($digestAlgorithm, $data, $encode = true) { - switch ($digestAlgorithm) { - case XMLSecurityDSig::SHA1: - $alg = 'sha1'; - break; - case XMLSecurityDSig::SHA256: - $alg = 'sha256'; - break; - case XMLSecurityDSig::SHA384: - $alg = 'sha384'; - break; - case XMLSecurityDSig::SHA512: - $alg = 'sha512'; - break; - case XMLSecurityDSig::RIPEMD160: - $alg = 'ripemd160'; - break; - default: - throw new Exception("Cannot validate digest: Unsupported Algorithm <$digestAlgorithm>"); - } - - $digest = hash($alg, $data, true); - if ($encode) { - $digest = base64_encode($digest); - } - return $digest; - } - - public function validateDigest($refNode, $data) { - $xpath = new DOMXPath($refNode->ownerDocument); - $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS); - $query = 'string(./secdsig:DigestMethod/@Algorithm)'; - $digestAlgorithm = $xpath->evaluate($query, $refNode); - $digValue = $this->calculateDigest($digestAlgorithm, $data, false); - $query = 'string(./secdsig:DigestValue)'; - $digestValue = $xpath->evaluate($query, $refNode); - return ($digValue == base64_decode($digestValue)); - } - - public function processTransforms($refNode, $objData, $includeCommentNodes = true) { - $data = $objData; - $xpath = new DOMXPath($refNode->ownerDocument); - $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS); - $query = './secdsig:Transforms/secdsig:Transform'; - $nodelist = $xpath->query($query, $refNode); - $canonicalMethod = 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315'; - $arXPath = null; - $prefixList = null; - foreach ($nodelist AS $transform) { - $algorithm = $transform->getAttribute("Algorithm"); - switch ($algorithm) { - case 'http://www.w3.org/2001/10/xml-exc-c14n#': - case 'http://www.w3.org/2001/10/xml-exc-c14n#WithComments': - - if(!$includeCommentNodes) { - /* We remove comment nodes by forcing it to use a canonicalization - * without comments. 
- */ - $canonicalMethod = 'http://www.w3.org/2001/10/xml-exc-c14n#'; - } else { - $canonicalMethod = $algorithm; - } - - $node = $transform->firstChild; - while ($node) { - if ($node->localName == 'InclusiveNamespaces') { - if ($pfx = $node->getAttribute('PrefixList')) { - $arpfx = array(); - $pfxlist = explode(" ", $pfx); - foreach ($pfxlist AS $pfx) { - $val = trim($pfx); - if (! empty($val)) { - $arpfx[] = $val; - } - } - if (count($arpfx) > 0) { - $prefixList = $arpfx; - } - } - break; - } - $node = $node->nextSibling; - } - break; - case 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315': - case 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments': - if(!$includeCommentNodes) { - /* We remove comment nodes by forcing it to use a canonicalization - * without comments. - */ - $canonicalMethod = 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315'; - } else { - $canonicalMethod = $algorithm; - } - - break; - case 'http://www.w3.org/TR/1999/REC-xpath-19991116': - $node = $transform->firstChild; - while ($node) { - if ($node->localName == 'XPath') { - $arXPath = array(); - $arXPath['query'] = '(.//. 
| .//@* | .//namespace::*)['.$node->nodeValue.']'; - $arXpath['namespaces'] = array(); - $nslist = $xpath->query('./namespace::*', $node); - foreach ($nslist AS $nsnode) { - if ($nsnode->localName != "xml") { - $arXPath['namespaces'][$nsnode->localName] = $nsnode->nodeValue; - } - } - break; - } - $node = $node->nextSibling; - } - break; - } - } - if ($data instanceof DOMNode) { - $data = $this->canonicalizeData($objData, $canonicalMethod, $arXPath, $prefixList); - } - return $data; - } - - public function processRefNode($refNode) { - $dataObject = null; - - /* - * Depending on the URI, we may not want to include comments in the result - * See: http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel - */ - $includeCommentNodes = true; - - if ($uri = $refNode->getAttribute("URI")) { - $arUrl = parse_url($uri); - if (empty($arUrl['path'])) { - if ($identifier = $arUrl['fragment']) { - - /* This reference identifies a node with the given id by using - * a URI on the form "#identifier". This should not include comments. - */ - $includeCommentNodes = false; - - $xPath = new DOMXPath($refNode->ownerDocument); - if ($this->idNS && is_array($this->idNS)) { - foreach ($this->idNS AS $nspf=>$ns) { - $xPath->registerNamespace($nspf, $ns); - } - } - $iDlist = '@Id="'.$identifier.'"'; - if (is_array($this->idKeys)) { - foreach ($this->idKeys AS $idKey) { - $iDlist .= " or @$idKey='$identifier'"; - } - } - $query = '//*['.$iDlist.']'; - $dataObject = $xPath->query($query)->item(0); - } else { - $dataObject = $refNode->ownerDocument; - } - } else { - $dataObject = file_get_contents($arUrl); - } - } else { - /* This reference identifies the root node with an empty URI. This should - * not include comments. 
- */ - $includeCommentNodes = false; - - $dataObject = $refNode->ownerDocument; - } - $data = $this->processTransforms($refNode, $dataObject, $includeCommentNodes); - if (!$this->validateDigest($refNode, $data)) { - return false; - } - - if ($dataObject instanceof DOMNode) { - /* Add this node to the list of validated nodes. */ - if(! empty($identifier)) { - $this->validatedNodes[$identifier] = $dataObject; - } else { - $this->validatedNodes[] = $dataObject; - } - } - - return true; - } - - public function getRefNodeID($refNode) { - if ($uri = $refNode->getAttribute("URI")) { - $arUrl = parse_url($uri); - if (empty($arUrl['path'])) { - if ($identifier = $arUrl['fragment']) { - return $identifier; - } - } - } - return null; - } - - public function getRefIDs() { - $refids = array(); - - $xpath = $this->getXPathObj(); - $query = "./secdsig:SignedInfo/secdsig:Reference"; - $nodeset = $xpath->query($query, $this->sigNode); - if ($nodeset->length == 0) { - throw new Exception("Reference nodes not found"); - } - foreach ($nodeset AS $refNode) { - $refids[] = $this->getRefNodeID($refNode); - } - return $refids; - } - - public function validateReference() { - $docElem = $this->sigNode->ownerDocument->documentElement; - if (! $docElem->isSameNode($this->sigNode)) { - $this->sigNode->parentNode->removeChild($this->sigNode); - } - $xpath = $this->getXPathObj(); - $query = "./secdsig:SignedInfo/secdsig:Reference"; - $nodeset = $xpath->query($query, $this->sigNode); - if ($nodeset->length == 0) { - throw new Exception("Reference nodes not found"); - } - - /* Initialize/reset the list of validated nodes. */ - $this->validatedNodes = array(); - - foreach ($nodeset AS $refNode) { - if (! $this->processRefNode($refNode)) { - /* Clear the list of validated nodes. 
*/ - $this->validatedNodes = null; - throw new Exception("Reference validation failed"); - } - } - return true; - } - - private function addRefInternal($sinfoNode, $node, $algorithm, $arTransforms=null, $options=null) { - $prefix = null; - $prefix_ns = null; - $id_name = 'Id'; - $overwrite_id = true; - $force_uri = false; - - if (is_array($options)) { - $prefix = empty($options['prefix'])?null:$options['prefix']; - $prefix_ns = empty($options['prefix_ns'])?null:$options['prefix_ns']; - $id_name = empty($options['id_name'])?'Id':$options['id_name']; - $overwrite_id = !isset($options['overwrite'])?true:(bool)$options['overwrite']; - $force_uri = !isset($options['force_uri'])?false:(bool)$options['force_uri']; - } - - $attname = $id_name; - if (! empty($prefix)) { - $attname = $prefix.':'.$attname; - } - - $refNode = $this->createNewSignNode('Reference'); - $sinfoNode->appendChild($refNode); - - if (! $node instanceof DOMDocument) { - $uri = null; - if (! $overwrite_id) { - $uri = $prefix_ns ? $node->getAttributeNS($prefix_ns, $id_name) : $node->getAttribute($id_name); - } - if (empty($uri)) { - $uri = XMLSecurityDSig::generateGUID(); - $node->setAttributeNS($prefix_ns, $attname, $uri); - } - $refNode->setAttribute("URI", '#'.$uri); - } elseif ($force_uri) { - $refNode->setAttribute("URI", ''); - } - - $transNodes = $this->createNewSignNode('Transforms'); - $refNode->appendChild($transNodes); - - if (is_array($arTransforms)) { - foreach ($arTransforms AS $transform) { - $transNode = $this->createNewSignNode('Transform'); - $transNodes->appendChild($transNode); - if (is_array($transform) && - (! empty($transform['http://www.w3.org/TR/1999/REC-xpath-19991116'])) && - (! 
empty($transform['http://www.w3.org/TR/1999/REC-xpath-19991116']['query']))) { - $transNode->setAttribute('Algorithm', 'http://www.w3.org/TR/1999/REC-xpath-19991116'); - $XPathNode = $this->createNewSignNode('XPath', $transform['http://www.w3.org/TR/1999/REC-xpath-19991116']['query']); - $transNode->appendChild($XPathNode); - if (! empty($transform['http://www.w3.org/TR/1999/REC-xpath-19991116']['namespaces'])) { - foreach ($transform['http://www.w3.org/TR/1999/REC-xpath-19991116']['namespaces'] AS $prefix => $namespace) { - $XPathNode->setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:$prefix", $namespace); - } - } - } else { - $transNode->setAttribute('Algorithm', $transform); - } - } - } elseif (! empty($this->canonicalMethod)) { - $transNode = $this->createNewSignNode('Transform'); - $transNodes->appendChild($transNode); - $transNode->setAttribute('Algorithm', $this->canonicalMethod); - } - - $canonicalData = $this->processTransforms($refNode, $node); - $digValue = $this->calculateDigest($algorithm, $canonicalData); - - $digestMethod = $this->createNewSignNode('DigestMethod'); - $refNode->appendChild($digestMethod); - $digestMethod->setAttribute('Algorithm', $algorithm); - - $digestValue = $this->createNewSignNode('DigestValue', $digValue); - $refNode->appendChild($digestValue); - } - - public function addReference($node, $algorithm, $arTransforms=null, $options=null) { - if ($xpath = $this->getXPathObj()) { - $query = "./secdsig:SignedInfo"; - $nodeset = $xpath->query($query, $this->sigNode); - if ($sInfo = $nodeset->item(0)) { - $this->addRefInternal($sInfo, $node, $algorithm, $arTransforms, $options); - } - } - } - - public function addReferenceList($arNodes, $algorithm, $arTransforms=null, $options=null) { - if ($xpath = $this->getXPathObj()) { - $query = "./secdsig:SignedInfo"; - $nodeset = $xpath->query($query, $this->sigNode); - if ($sInfo = $nodeset->item(0)) { - foreach ($arNodes AS $node) { - $this->addRefInternal($sInfo, $node, $algorithm, 
$arTransforms, $options); - } - } - } - } - - public function addObject($data, $mimetype=null, $encoding=null) { - $objNode = $this->createNewSignNode('Object'); - $this->sigNode->appendChild($objNode); - if (! empty($mimetype)) { - $objNode->setAttribute('MimeType', $mimetype); - } - if (! empty($encoding)) { - $objNode->setAttribute('Encoding', $encoding); - } - - if ($data instanceof DOMElement) { - $newData = $this->sigNode->ownerDocument->importNode($data, true); - } else { - $newData = $this->sigNode->ownerDocument->createTextNode($data); - } - $objNode->appendChild($newData); - - return $objNode; - } - - public function locateKey($node=null) { - if (empty($node)) { - $node = $this->sigNode; - } - if (! $node instanceof DOMNode) { - return null; - } - if ($doc = $node->ownerDocument) { - $xpath = new DOMXPath($doc); - $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS); - $query = "string(./secdsig:SignedInfo/secdsig:SignatureMethod/@Algorithm)"; - $algorithm = $xpath->evaluate($query, $node); - if ($algorithm) { - try { - $objKey = new XMLSecurityKey($algorithm, array('type'=>'public')); - } catch (Exception $e) { - return null; - } - return $objKey; - } - } - return null; - } - - public function verify($objKey) { - $doc = $this->sigNode->ownerDocument; - $xpath = new DOMXPath($doc); - $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS); - $query = "string(./secdsig:SignatureValue)"; - $sigValue = $xpath->evaluate($query, $this->sigNode); - if (empty($sigValue)) { - throw new Exception("Unable to locate SignatureValue"); - } - return $objKey->verifySignature($this->signedInfo, base64_decode($sigValue)); - } - - public function signData($objKey, $data) { - return $objKey->signData($data); - } - - public function sign($objKey, $appendToNode = null) { - // If we have a parent node append it now so C14N properly works - if ($appendToNode != null) { - $this->resetXPathObj(); - $this->appendSignature($appendToNode); - $this->sigNode = 
$appendToNode->lastChild; - } - if ($xpath = $this->getXPathObj()) { - $query = "./secdsig:SignedInfo"; - $nodeset = $xpath->query($query, $this->sigNode); - if ($sInfo = $nodeset->item(0)) { - $query = "./secdsig:SignatureMethod"; - $nodeset = $xpath->query($query, $sInfo); - $sMethod = $nodeset->item(0); - $sMethod->setAttribute('Algorithm', $objKey->type); - $data = $this->canonicalizeData($sInfo, $this->canonicalMethod); - $sigValue = base64_encode($this->signData($objKey, $data)); - $sigValueNode = $this->createNewSignNode('SignatureValue', $sigValue); - if ($infoSibling = $sInfo->nextSibling) { - $infoSibling->parentNode->insertBefore($sigValueNode, $infoSibling); - } else { - $this->sigNode->appendChild($sigValueNode); - } - } - } - } - - public function appendCert() { - - } - - public function appendKey($objKey, $parent=null) { - $objKey->serializeKey($parent); - } - - - /** - * This function inserts the signature element. - * - * The signature element will be appended to the element, unless $beforeNode is specified. If $beforeNode - * is specified, the signature element will be inserted as the last element before $beforeNode. - * - * @param $node The node the signature element should be inserted into. - * @param $beforeNode The node the signature element should be located before. - * - * @return DOMNode The signature element node - */ - public function insertSignature($node, $beforeNode = null) { - - $document = $node->ownerDocument; - $signatureElement = $document->importNode($this->sigNode, true); - - if($beforeNode == null) { - return $node->insertBefore($signatureElement); - } else { - return $node->insertBefore($signatureElement, $beforeNode); - } - } - - public function appendSignature($parentNode, $insertBefore = false) { - $beforeNode = $insertBefore ? 
$parentNode->firstChild : null; - return $this->insertSignature($parentNode, $beforeNode); - } - - static function get509XCert($cert, $isPEMFormat=true) { - $certs = XMLSecurityDSig::staticGet509XCerts($cert, $isPEMFormat); - if (! empty($certs)) { - return $certs[0]; - } - return ''; - } - - static function staticGet509XCerts($certs, $isPEMFormat=true) { - if ($isPEMFormat) { - $data = ''; - $certlist = array(); - $arCert = explode("\n", $certs); - $inData = false; - foreach ($arCert AS $curData) { - if (! $inData) { - if (strncmp($curData, '-----BEGIN CERTIFICATE', 22) == 0) { - $inData = true; - } - } else { - if (strncmp($curData, '-----END CERTIFICATE', 20) == 0) { - $inData = false; - $certlist[] = $data; - $data = ''; - continue; - } - $data .= trim($curData); - } - } - return $certlist; - } else { - return array($certs); - } - } - - static function staticAdd509Cert($parentRef, $cert, $isPEMFormat=true, $isURL=false, $xpath=null, $options=null) { - if ($isURL) { - $cert = file_get_contents($cert); - } - if (! $parentRef instanceof DOMElement) { - throw new Exception('Invalid parent Node parameter'); - } - - list($parentRef, $keyInfo) = self::auxKeyInfo($parentRef, $xpath); - - // Add all certs if there are more than one - $certs = XMLSecurityDSig::staticGet509XCerts($cert, $isPEMFormat); - - $baseDoc = $parentRef->ownerDocument; - // Attach X509 data node - $x509DataNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Data'); - $keyInfo->appendChild($x509DataNode); - - $issuerSerial = false; - $subjectName = false; - if (is_array($options)) { - if (! empty($options['issuerSerial'])) { - $issuerSerial = true; - } - if (! 
empty($options['subjectName'])) { - $subjectName = true; - } - } - - // Attach all certificate nodes and any additional data - foreach ($certs as $X509Cert){ - if ($issuerSerial || $subjectName) { - if ($certData = openssl_x509_parse("-----BEGIN CERTIFICATE-----\n".chunk_split($X509Cert, 64, "\n")."-----END CERTIFICATE-----\n")) { - if ($subjectName && ! empty($certData['subject'])) { - if (is_array($certData['subject'])) { - $parts = array(); - foreach ($certData['subject'] AS $key => $value) { - if (is_array($value)) { - foreach ($value as $valueElement) { - array_unshift($parts, "$key=$valueElement"); - } - } else { - array_unshift($parts, "$key=$value"); - } - } - $subjectNameValue = implode(',', $parts); - } else { - $subjectNameValue = $certData['issuer']; - } - $x509SubjectNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509SubjectName', $subjectNameValue); - $x509DataNode->appendChild($x509SubjectNode); - } - if ($issuerSerial && ! empty($certData['issuer']) && ! 
empty($certData['serialNumber'])) { - if (is_array($certData['issuer'])) { - $parts = array(); - foreach ($certData['issuer'] AS $key => $value) { - array_unshift($parts, "$key=$value"); - } - $issuerName = implode(',', $parts); - } else { - $issuerName = $certData['issuer']; - } - - $x509IssuerNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509IssuerSerial'); - $x509DataNode->appendChild($x509IssuerNode); - - $x509Node = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509IssuerName', $issuerName); - $x509IssuerNode->appendChild($x509Node); - $x509Node = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509SerialNumber', $certData['serialNumber']); - $x509IssuerNode->appendChild($x509Node); - } - } - - } - $x509CertNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Certificate', $X509Cert); - $x509DataNode->appendChild($x509CertNode); - } - } - - public function add509Cert($cert, $isPEMFormat=true, $isURL=false, $options=null) { - if ($xpath = $this->getXPathObj()) { - self::staticAdd509Cert($this->sigNode, $cert, $isPEMFormat, $isURL, $xpath, $options); - } - } - - /** - * This function appends a node to the KeyInfo. - * - * The KeyInfo element will be created if one does not exist in the document. - * - * @param DOMNode $node The node to append to the KeyInfo. 
- * - * @return DOMNode The KeyInfo element node - */ - public function appendToKeyInfo($node) { - $parentRef = $this->sigNode; - - $xpath = $this->getXPathObj(); - - list($parentRef, $keyInfo) = self::auxKeyInfo($parentRef, $xpath); - - $keyInfo->appendChild($node); - - return $keyInfo; - } - - static function auxKeyInfo($parentRef, $xpath=null) - { - $baseDoc = $parentRef->ownerDocument; - if (empty($xpath)) { - $xpath = new DOMXPath($parentRef->ownerDocument); - $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS); - } - - $query = "./secdsig:KeyInfo"; - $nodeset = $xpath->query($query, $parentRef); - $keyInfo = $nodeset->item(0); - if (! $keyInfo) { - $inserted = false; - $keyInfo = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:KeyInfo'); - - $query = "./secdsig:Object"; - $nodeset = $xpath->query($query, $parentRef); - if ($sObject = $nodeset->item(0)) { - $sObject->parentNode->insertBefore($keyInfo, $sObject); - $inserted = true; - } - - if (! $inserted) { - $parentRef->appendChild($keyInfo); - } - } - return array($parentRef, $keyInfo); - } - - /* This function retrieves an associative array of the validated nodes. - * - * The array will contain the id of the referenced node as the key and the node itself - * as the value. - * - * Returns: - * An associative array of validated nodes or null if no nodes have been validated. 
- */ - public function getValidatedNodes() { - return $this->validatedNodes; - } -} - - -class XMLSecEnc { - const template = " - - - -"; - - const Element = 'http://www.w3.org/2001/04/xmlenc#Element'; - const Content = 'http://www.w3.org/2001/04/xmlenc#Content'; - const URI = 3; - const XMLENCNS = 'http://www.w3.org/2001/04/xmlenc#'; - - private $encdoc = null; - private $rawNode = null; - public $type = null; - public $encKey = null; - private $references = array(); - - public function __construct() { - $this->_resetTemplate(); - } - - private function _resetTemplate(){ - $this->encdoc = new DOMDocument(); - $this->encdoc->loadXML(XMLSecEnc::template); - } - - public function addReference($name, $node, $type) { - if (! $node instanceOf DOMNode) { - throw new Exception('$node is not of type DOMNode'); - } - $curencdoc = $this->encdoc; - $this->_resetTemplate(); - $encdoc = $this->encdoc; - $this->encdoc = $curencdoc; - $refuri = XMLSecurityDSig::generateGUID(); - $element = $encdoc->documentElement; - $element->setAttribute("Id", $refuri); - $this->references[$name] = array("node" => $node, "type" => $type, "encnode" => $encdoc, "refuri" => $refuri); - } - - public function setNode($node) { - $this->rawNode = $node; - } - - /** - * Encrypt the selected node with the given key. - * - * @param XMLSecurityKey $objKey The encryption key and algorithm. - * @param bool $replace Whether the encrypted node should be replaced in the original tree. Default is true. - * @return DOMElement The -element. - */ - public function encryptNode($objKey, $replace=true) { - $data = ''; - if (empty($this->rawNode)) { - throw new Exception('Node to encrypt has not been set'); - } - if (! 
$objKey instanceof XMLSecurityKey) { - throw new Exception('Invalid Key'); - } - $doc = $this->rawNode->ownerDocument; - $xPath = new DOMXPath($this->encdoc); - $objList = $xPath->query('/xenc:EncryptedData/xenc:CipherData/xenc:CipherValue'); - $cipherValue = $objList->item(0); - if ($cipherValue == null) { - throw new Exception('Error locating CipherValue element within template'); - } - switch ($this->type) { - case (XMLSecEnc::Element): - $data = $doc->saveXML($this->rawNode); - $this->encdoc->documentElement->setAttribute('Type', XMLSecEnc::Element); - break; - case (XMLSecEnc::Content): - $children = $this->rawNode->childNodes; - foreach ($children AS $child) { - $data .= $doc->saveXML($child); - } - $this->encdoc->documentElement->setAttribute('Type', XMLSecEnc::Content); - break; - default: - throw new Exception('Type is currently not supported'); - } - - $encMethod = $this->encdoc->documentElement->appendChild($this->encdoc->createElementNS(XMLSecEnc::XMLENCNS, 'xenc:EncryptionMethod')); - $encMethod->setAttribute('Algorithm', $objKey->getAlgorithm()); - $cipherValue->parentNode->parentNode->insertBefore($encMethod, $cipherValue->parentNode->parentNode->firstChild); - - $strEncrypt = base64_encode($objKey->encryptData($data)); - $value = $this->encdoc->createTextNode($strEncrypt); - $cipherValue->appendChild($value); - - if ($replace) { - switch ($this->type) { - case (XMLSecEnc::Element): - if ($this->rawNode->nodeType == XML_DOCUMENT_NODE) { - return $this->encdoc; - } - $importEnc = $this->rawNode->ownerDocument->importNode($this->encdoc->documentElement, true); - $this->rawNode->parentNode->replaceChild($importEnc, $this->rawNode); - return $importEnc; - case (XMLSecEnc::Content): - $importEnc = $this->rawNode->ownerDocument->importNode($this->encdoc->documentElement, true); - while($this->rawNode->firstChild) { - $this->rawNode->removeChild($this->rawNode->firstChild); - } - $this->rawNode->appendChild($importEnc); - return $importEnc; - } - } else { - 
return $this->encdoc->documentElement; - } - } - - public function encryptReferences($objKey) { - $curRawNode = $this->rawNode; - $curType = $this->type; - foreach ($this->references AS $name=>$reference) { - $this->encdoc = $reference["encnode"]; - $this->rawNode = $reference["node"]; - $this->type = $reference["type"]; - try { - $encNode = $this->encryptNode($objKey); - $this->references[$name]["encnode"] = $encNode; - } catch (Exception $e) { - $this->rawNode = $curRawNode; - $this->type = $curType; - throw $e; - } - } - $this->rawNode = $curRawNode; - $this->type = $curType; - } - - /** - * Retrieve the CipherValue text from this encrypted node. - * - * @return string|null The Ciphervalue text, or null if no CipherValue is found. - */ - public function getCipherValue() { - if (empty($this->rawNode)) { - throw new Exception('Node to decrypt has not been set'); - } - - $doc = $this->rawNode->ownerDocument; - $xPath = new DOMXPath($doc); - $xPath->registerNamespace('xmlencr', XMLSecEnc::XMLENCNS); - /* Only handles embedded content right now and not a reference */ - $query = "./xmlencr:CipherData/xmlencr:CipherValue"; - $nodeset = $xPath->query($query, $this->rawNode); - $node = $nodeset->item(0); - - if (!$node) { - return null; - } - - return base64_decode($node->nodeValue); - } - - /** - * Decrypt this encrypted node. - * - * The behaviour of this function depends on the value of $replace. - * If $replace is false, we will return the decrypted data as a string. - * If $replace is true, we will insert the decrypted element(s) into the - * document, and return the decrypted element(s). - * - * @params XMLSecurityKey $objKey The decryption key that should be used when decrypting the node. - * @params boolean $replace Whether we should replace the encrypted node in the XML document with the decrypted data. The default is true. - * @return string|DOMElement The decrypted data. - */ - public function decryptNode($objKey, $replace=true) { - if (! 
$objKey instanceof XMLSecurityKey) { - throw new Exception('Invalid Key'); - } - - $encryptedData = $this->getCipherValue(); - if ($encryptedData) { - $decrypted = $objKey->decryptData($encryptedData); - if ($replace) { - switch ($this->type) { - case (XMLSecEnc::Element): - $newdoc = new DOMDocument(); - $newdoc->loadXML($decrypted); - if ($this->rawNode->nodeType == XML_DOCUMENT_NODE) { - return $newdoc; - } - $importEnc = $this->rawNode->ownerDocument->importNode($newdoc->documentElement, true); - $this->rawNode->parentNode->replaceChild($importEnc, $this->rawNode); - return $importEnc; - case (XMLSecEnc::Content): - if ($this->rawNode->nodeType == XML_DOCUMENT_NODE) { - $doc = $this->rawNode; - } else { - $doc = $this->rawNode->ownerDocument; - } - $newFrag = $doc->createDocumentFragment(); - $newFrag->appendXML($decrypted); - $parent = $this->rawNode->parentNode; - $parent->replaceChild($newFrag, $this->rawNode); - return $parent; - default: - return $decrypted; - } - } else { - return $decrypted; - } - } else { - throw new Exception("Cannot locate encrypted data"); - } - } - - public function encryptKey($srcKey, $rawKey, $append=true) { - if ((! $srcKey instanceof XMLSecurityKey) || (! $rawKey instanceof XMLSecurityKey)) { - throw new Exception('Invalid Key'); - } - $strEncKey = base64_encode($srcKey->encryptData($rawKey->key)); - $root = $this->encdoc->documentElement; - $encKey = $this->encdoc->createElementNS(XMLSecEnc::XMLENCNS, 'xenc:EncryptedKey'); - if ($append) { - $keyInfo = $root->insertBefore($this->encdoc->createElementNS('http://www.w3.org/2000/09/xmldsig#', 'dsig:KeyInfo'), $root->firstChild); - $keyInfo->appendChild($encKey); - } else { - $this->encKey = $encKey; - } - $encMethod = $encKey->appendChild($this->encdoc->createElementNS(XMLSecEnc::XMLENCNS, 'xenc:EncryptionMethod')); - $encMethod->setAttribute('Algorithm', $srcKey->getAlgorithm()); - if (! 
empty($srcKey->name)) { - $keyInfo = $encKey->appendChild($this->encdoc->createElementNS('http://www.w3.org/2000/09/xmldsig#', 'dsig:KeyInfo')); - $keyInfo->appendChild($this->encdoc->createElementNS('http://www.w3.org/2000/09/xmldsig#', 'dsig:KeyName', $srcKey->name)); - } - $cipherData = $encKey->appendChild($this->encdoc->createElementNS(XMLSecEnc::XMLENCNS, 'xenc:CipherData')); - $cipherData->appendChild($this->encdoc->createElementNS(XMLSecEnc::XMLENCNS, 'xenc:CipherValue', $strEncKey)); - if (is_array($this->references) && count($this->references) > 0) { - $refList = $encKey->appendChild($this->encdoc->createElementNS(XMLSecEnc::XMLENCNS, 'xenc:ReferenceList')); - foreach ($this->references AS $name=>$reference) { - $refuri = $reference["refuri"]; - $dataRef = $refList->appendChild($this->encdoc->createElementNS(XMLSecEnc::XMLENCNS, 'xenc:DataReference')); - $dataRef->setAttribute("URI", '#' . $refuri); - } - } - return; - } - - public function decryptKey($encKey) { - if (! $encKey->isEncrypted) { - throw new Exception("Key is not Encrypted"); - } - if (empty($encKey->key)) { - throw new Exception("Key is missing data to perform the decryption"); - } - return $this->decryptNode($encKey, false); - } - - public function locateEncryptedData($element) { - if ($element instanceof DOMDocument) { - $doc = $element; - } else { - $doc = $element->ownerDocument; - } - if ($doc) { - $xpath = new DOMXPath($doc); - $query = "//*[local-name()='EncryptedData' and namespace-uri()='".XMLSecEnc::XMLENCNS."']"; - $nodeset = $xpath->query($query); - return $nodeset->item(0); - } - return null; - } - - public function locateKey($node=null) { - if (empty($node)) { - $node = $this->rawNode; - } - if (! 
$node instanceof DOMNode) {
- return null;
- }
- if ($doc = $node->ownerDocument) {
- $xpath = new DOMXPath($doc);
- $xpath->registerNamespace('xmlsecenc', XMLSecEnc::XMLENCNS);
- $query = ".//xmlsecenc:EncryptionMethod";
- $nodeset = $xpath->query($query, $node);
- if ($encmeth = $nodeset->item(0)) {
- $attrAlgorithm = $encmeth->getAttribute("Algorithm");
- try {
- $objKey = new XMLSecurityKey($attrAlgorithm, array('type'=>'private'));
- } catch (Exception $e) {
- return null;
- }
- return $objKey;
- }
- }
- return null;
- }
-
- static function staticLocateKeyInfo($objBaseKey=null, $node=null) {
- if (empty($node) || (! $node instanceof DOMNode)) {
- return null;
- }
- $doc = $node->ownerDocument;
- if (!$doc) {
- return null;
- }
-
- $xpath = new DOMXPath($doc);
- $xpath->registerNamespace('xmlsecenc', XMLSecEnc::XMLENCNS);
- $xpath->registerNamespace('xmlsecdsig', XMLSecurityDSig::XMLDSIGNS);
- $query = "./xmlsecdsig:KeyInfo";
- $nodeset = $xpath->query($query, $node);
- $encmeth = $nodeset->item(0);
- if (!$encmeth) {
- /* No KeyInfo in EncryptedData / EncryptedKey. */
- return $objBaseKey;
- }
-
- foreach ($encmeth->childNodes AS $child) {
- switch ($child->localName) {
- case 'KeyName':
- if (! 
empty($objBaseKey)) { - $objBaseKey->name = $child->nodeValue; - } - break; - case 'KeyValue': - foreach ($child->childNodes AS $keyval) { - switch ($keyval->localName) { - case 'DSAKeyValue': - throw new Exception("DSAKeyValue currently not supported"); - case 'RSAKeyValue': - $modulus = null; - $exponent = null; - if ($modulusNode = $keyval->getElementsByTagName('Modulus')->item(0)) { - $modulus = base64_decode($modulusNode->nodeValue); - } - if ($exponentNode = $keyval->getElementsByTagName('Exponent')->item(0)) { - $exponent = base64_decode($exponentNode->nodeValue); - } - if (empty($modulus) || empty($exponent)) { - throw new Exception("Missing Modulus or Exponent"); - } - $publicKey = XMLSecurityKey::convertRSA($modulus, $exponent); - $objBaseKey->loadKey($publicKey); - break; - } - } - break; - case 'RetrievalMethod': - $type = $child->getAttribute('Type'); - if ($type !== 'http://www.w3.org/2001/04/xmlenc#EncryptedKey') { - /* Unsupported key type. */ - break; - } - $uri = $child->getAttribute('URI'); - if ($uri[0] !== '#') { - /* URI not a reference - unsupported. 
*/
- break;
- }
- $id = substr($uri, 1);
-
- $query = "//xmlsecenc:EncryptedKey[@Id='$id']";
- $keyElement = $xpath->query($query)->item(0);
- if (!$keyElement) {
- throw new Exception("Unable to locate EncryptedKey with @Id='$id'.");
- }
-
- return XMLSecurityKey::fromEncryptedKeyElement($keyElement);
- case 'EncryptedKey':
- return XMLSecurityKey::fromEncryptedKeyElement($child);
- case 'X509Data':
- if ($x509certNodes = $child->getElementsByTagName('X509Certificate')) {
- if ($x509certNodes->length > 0) {
- $x509cert = $x509certNodes->item(0)->textContent;
- $x509cert = str_replace(array("\r", "\n", " "), "", $x509cert);
- $x509cert = "-----BEGIN CERTIFICATE-----\n".chunk_split($x509cert, 64, "\n")."-----END CERTIFICATE-----\n";
- $objBaseKey->loadKey($x509cert, false, true);
- }
- }
- break;
- }
- }
- return $objBaseKey;
- }
-
- public function locateKeyInfo($objBaseKey=null, $node=null) {
- if (empty($node)) {
- $node = $this->rawNode;
- }
- return XMLSecEnc::staticLocateKeyInfo($objBaseKey, $node);
- }
-}
diff --git a/3rdparty/vendor/onelogin/php-saml/lib/Saml/AuthRequest.php b/3rdparty/vendor/onelogin/php-saml/lib/Saml/AuthRequest.php
deleted file mode 100644
index 4f08f5f..0000000
--- a/3rdparty/vendor/onelogin/php-saml/lib/Saml/AuthRequest.php
+++ /dev/null
@@ -1,65 +0,0 @@
-auth = new OneLogin_Saml2_Auth($settings);
- }
-
- /**
- * Obtains the SSO URL containing the AuthRequest
- * message deflated.
- *
- * @param string|null $returnTo
- *
- * @return string
- *
- * @throws OneLogin_Saml2_Error
- */
- public function getRedirectUrl($returnTo = null)
- {
- $settings = $this->auth->getSettings();
- $authnRequest = new OneLogin_Saml2_AuthnRequest($settings);
- $parameters = array('SAMLRequest' => $authnRequest->getRequest());
- if (!empty($returnTo)) {
- $parameters['RelayState'] = $returnTo;
- } else {
- $parameters['RelayState'] = OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery();
- }
- $url = OneLogin_Saml2_Utils::redirect($this->auth->getSSOurl(), $parameters, true);
- return $url;
- }
-
- /**
- * @return string
- */
- protected function _generateUniqueID()
- {
- return OneLogin_Saml2_Utils::generateUniqueID();
- }
-
- /**
- * @return string
- */
- protected function _getTimestamp()
- {
- $defaultTimezone = date_default_timezone_get();
- date_default_timezone_set('UTC');
- $timestamp = strftime("%Y-%m-%dT%H:%M:%SZ");
- date_default_timezone_set($defaultTimezone);
- return $timestamp;
- }
-}
diff --git a/3rdparty/vendor/onelogin/php-saml/lib/Saml/Metadata.php b/3rdparty/vendor/onelogin/php-saml/lib/Saml/Metadata.php
deleted file mode 100644
index 1073a90..0000000
--- a/3rdparty/vendor/onelogin/php-saml/lib/Saml/Metadata.php
+++ /dev/null
@@ -1,39 +0,0 @@
-_settings = $auth->getSettings();
- }
-
- /**
- * @return string
- *
- * @throws OneLogin_Saml2_Error
- */
- public function getXml()
- {
- return $this->_settings->getSPMetadata();
- }
-
- /**
- * @return string
- */
- protected function _getMetadataValidTimestamp()
- {
- $timeZone = date_default_timezone_get();
- date_default_timezone_set('UTC');
- $time = strftime("%Y-%m-%dT%H:%M:%SZ", time() + self::VALIDITY_SECONDS);
- date_default_timezone_set($timeZone);
- return $time;
- }
-}
diff --git a/3rdparty/vendor/onelogin/php-saml/lib/Saml/Response.php b/3rdparty/vendor/onelogin/php-saml/lib/Saml/Response.php
deleted file mode 100644
index d9332a7..0000000
--- a/3rdparty/vendor/onelogin/php-saml/lib/Saml/Response.php
+++ /dev/null
@@ -1,39 +0,0 @@
-getSettings();
- parent::__construct($settings, $assertion);
- }
-
- /**
- * Retrieves an Array with the logged user data.
- *
- * @return array
- */
- public function get_saml_attributes()
- {
- return $this->getAttributes();
- }
-
- /**
- * Retrieves the nameId
- *
- * @return string
- */
- public function get_nameid()
- {
- return $this->getNameId();
- }
-}
diff --git a/3rdparty/vendor/onelogin/php-saml/lib/Saml/Settings.php b/3rdparty/vendor/onelogin/php-saml/lib/Saml/Settings.php
deleted file mode 100644
index e9dbedc..0000000
--- a/3rdparty/vendor/onelogin/php-saml/lib/Saml/Settings.php
+++ /dev/null
@@ -1,80 +0,0 @@
- Values (compatibility with the new version)
- */
- public function getValues()
- {
- $values = array();
-
- $values['sp'] = array();
- $values['sp']['entityId'] = $this->spIssuer;
- $values['sp']['assertionConsumerService'] = array(
- 'url' => $this->spReturnUrl,
- );
- $values['sp']['NameIDFormat'] = $this->requestedNameIdFormat;
-
- $values['idp'] = array();
- $values['idp']['entityId'] = $this->idpSingleSignOnUrl;
- $values['idp']['singleSignOnService'] = array(
- 'url' => $this->idpSingleSignOnUrl,
- );
- $values['idp']['singleLogoutService'] = array(
- 'url' => $this->idpSingleLogOutUrl,
- );
- $values['idp']['x509cert'] = $this->idpPublicCertificate;
-
- return $values;
- }
-}
diff --git a/3rdparty/vendor/onelogin/php-saml/lib/Saml/XmlSec.php b/3rdparty/vendor/onelogin/php-saml/lib/Saml/XmlSec.php
deleted file mode 100644
index 919a62e..0000000
--- a/3rdparty/vendor/onelogin/php-saml/lib/Saml/XmlSec.php
+++ /dev/null
@@ -1,110 +0,0 @@
-_settings = $settings;
- $this->_document = clone $response->document;
- }
-
- /**
- * Verify that the document only contains a single Assertion
- *
- * @return bool TRUE if the document passes.
- */
- public function validateNumAssertions()
- {
- $rootNode = $this->_document;
- $assertionNodes = $rootNode->getElementsByTagName('Assertion');
- return ($assertionNodes->length == 1);
- }
-
- /**
- * Verify that the document is still valid according
- *
- * @return bool
- */
- public function validateTimestamps()
- {
- $rootNode = $this->_document;
- $timestampNodes = $rootNode->getElementsByTagName('Conditions');
- for ($i = 0; $i < $timestampNodes->length; $i++) {
- $nbAttribute = $timestampNodes->item($i)->attributes->getNamedItem("NotBefore");
- $naAttribute = $timestampNodes->item($i)->attributes->getNamedItem("NotOnOrAfter");
- if ($nbAttribute && strtotime($nbAttribute->textContent) > time()) {
- return false;
- }
- if ($naAttribute && strtotime($naAttribute->textContent) <= time()) {
- return false;
- }
- }
- return true;
- }
-
- /**
- * @return bool
- *
- * @throws Exception
- */
- public function isValid()
- {
- $singleAssertion = $this->validateNumAssertions();
- if (!$singleAssertion) {
- throw new Exception('Multiple assertions are not supported');
- }
-
- $validTimestamps = $this->validateTimestamps();
- if (!$validTimestamps) {
- throw new Exception('Timing issues (please check your clock settings)');
- }
-
- $objXMLSecDSig = new XMLSecurityDSig();
-
- $objDSig = $objXMLSecDSig->locateSignature($this->_document);
- if (!$objDSig) {
- throw new Exception('Cannot locate Signature Node');
- }
- $objXMLSecDSig->canonicalizeSignedInfo();
- $objXMLSecDSig->idKeys = array('ID');
-
- $objKey = $objXMLSecDSig->locateKey();
- if (!$objKey) {
- throw new Exception('We have no idea about the key');
- }
-
- try {
- $objXMLSecDSig->validateReference();
- } catch (Exception $e) {
- throw new Exception('Reference Validation Failed');
- }
-
- 
XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig); - - $objKey->loadKey($this->_settings->idpPublicCertificate, false, true); - - return ($objXMLSecDSig->verify($objKey) === 1); - } -} diff --git a/3rdparty/vendor/onelogin/php-saml/lib/Saml2/version.json b/3rdparty/vendor/onelogin/php-saml/lib/Saml2/version.json deleted file mode 100644 index 5ca57d3..0000000 --- a/3rdparty/vendor/onelogin/php-saml/lib/Saml2/version.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "php-saml": { - "version": "2.10.5", - "released": "13/03/2017" - } -} diff --git a/3rdparty/vendor/onelogin/php-saml/locale/en_US/LC_MESSAGES/phptoolkit.mo b/3rdparty/vendor/onelogin/php-saml/locale/en_US/LC_MESSAGES/phptoolkit.mo deleted file mode 100644 index 4898ddb5c7895d82c678c934ce0e74521361f589..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 200 zcmca7#4?ou2$+Fb28d07m=%b9fEWZ4fS3h{6M>i$h|_@B1BeTN7$m+Eh(Y4}fS3`8 zVSow90GY{9l3H8>CXB2URErs$^Ycnl^Gb9>DhpDr6iQMnO7shI5;OCx6_PU&i;7cA nY)ebhbS=2x>WUKciqleybY1h3^HVbO(ybIMk}^xU(9Hz^xL~aXbX4a^fIGaOzZ@Tyl5sG;mFhmlse+H^J5KqF=(r zy_1`Zvy=Z^OYw2P{7Le-y!l@5RiXMYgemO63#593eRzi+e84Vz!WMi%I{$`k_<>9K zg+myxE&6Vd2iTX$^w#6@{0W)fdq(2x{)y;%Ql{E~^u}h|pw`oJF2c5mLP0w(y7tjk zYGP)jt^%<(tLt1{nHrJ!V$^esegZMOvCR{pUQ~97KepWF3yRWFxF+{`GcT;)BSS?2? J%rX|E{Q>j5TAKg> diff --git a/3rdparty/vendor/onelogin/php-saml/locale/es_ES/LC_MESSAGES/phptoolkit.po b/3rdparty/vendor/onelogin/php-saml/locale/es_ES/LC_MESSAGES/phptoolkit.po deleted file mode 100644 index a989377..0000000 --- a/3rdparty/vendor/onelogin/php-saml/locale/es_ES/LC_MESSAGES/phptoolkit.po +++ /dev/null 
@@ -1,27 +0,0 @@
-msgid ""
-msgstr ""
-"Content-Type: text/plain; charset=utf-8\n"
-"Content-Transfer-Encoding: 8bit\n"
-
-msgid "test"
-msgstr "prueba"
-
-msgid "test2: %s"
-msgstr "prueba2: %s"
-
-#: index.php:15 endpoints/acs.php:35
-msgid "User attributes:"
-msgstr "Atributos del usuario:"
-
-#: index.php:16 endpoints/acs.php:36
-msgid "Name"
-msgstr "Nombre"
-
-#: index.php:16 endpoints/acs.php:36
-msgid "Values"
-msgstr "Valores"
-
-#: index.php:26 endpoints/acs.php:46
-msgid "Attributes not found"
-msgstr "Atributos no encontrados"
-
diff --git a/3rdparty/vendor/onelogin/php-saml/phpdoc.xml b/3rdparty/vendor/onelogin/php-saml/phpdoc.xml
deleted file mode 100644
index e9f38d8..0000000
--- a/3rdparty/vendor/onelogin/php-saml/phpdoc.xml
+++ /dev/null
@@ -1,37 +0,0 @@
-
- OneLogin's SAML PHP Toolkit
-
- OneLogin_SAML_Toolkit
- docs/Saml3
-
-
- php
-
-
- docs/Saml3
-
-