From 21c3bec4d1a55c1f84dfefb346ac27020fead4e2 Mon Sep 17 00:00:00 2001
From: Enrique de la Hoz <enrique.delahoz@uah.es>
Date: Thu, 4 Dec 2008 13:29:10 +0000
Subject: [PATCH] Fixed STS validation on RP
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1051 44740490-163a-0410-bde0-09ae8108e29a
---
modules/InfoCard/lib/RP/InfoCard.php | 80 +++---
.../lib/RP/Zend_InfoCard_Xml_Security.php | 264 +++++++++---------
2 files changed, 176 insertions(+), 168 deletions(-)
diff --git a/modules/InfoCard/lib/RP/InfoCard.php b/modules/InfoCard/lib/RP/InfoCard.php
index 442629195..20d70bd25 100644
--- a/modules/InfoCard/lib/RP/InfoCard.php
+++ b/modules/InfoCard/lib/RP/InfoCard.php
@@ -32,35 +32,45 @@ class sspmod_InfoCard_RP_InfoCard
protected $_password;
protected $_sxml;
+ protected $_sts_crt;
+
public function __construct() {
if(!extension_loaded('mcrypt')) {
- SimpleSAML_Logger::debug("Use of the InfoCard component requires the mcrypt extension to be enabled in PHP");
+ throw new Exception("Use of the InfoCard component requires the mcrypt extension to be enabled in PHP");
}
if(!extension_loaded('openssl')) {
- SimpleSAML_Logger::debug("Use of the InfoCard component requires the openssl extension to be enabled in PHP");
+ throw new Exception("Use of the InfoCard component requires the openssl extension to be enabled in PHP");
}
}
+
+ public function addSTSCertificate($sts_crt){
+ $this->_sts_crt = $sts_crt;
+ if(!file_exists($this->_sts_crt)) {
+ throw new Exception("STS certificate does not exists");
+ }
+ }
+
public function addCertificatePair($private_key_file, $public_key_file, $password = null) {
$this->_private_key_file = $private_key_file;
$this->_public_key_file = $public_key_file;
$this->_password = $password;
if(!file_exists($this->_private_key_file)) {
- SimpleSAML_Logger::debug("Private key file does not exists");
+ throw new Exception("Private key file does not exists");
}
if(!file_exists($this->_public_key_file)) {
- SimpleSAML_Logger::debug("Public key file does not exists");
+ throw new Exception("Public key file does not exists");
}
if(!is_readable($this->_private_key_file)) {
- SimpleSAML_Logger::debug("Private key file is not readable");
+ throw new Exception("Private key file is not readable");
}
if(!is_readable($this->_public_key_file)) {
- SimpleSAML_Logger::debug("Public key file is not readable");
+ throw new Exception("Public key file is not readable");
}
}
@@ -82,7 +92,7 @@ class sspmod_InfoCard_RP_InfoCard
}
catch(Exception $e) {
$retval->setError('Failed to extract assertion document');
- SimpleSAML_Logger::debug('Failed to extract assertion document');
+ throw new Exception('Failed to extract assertion document');
$retval->setCode(Zend_InfoCard_Claims::RESULT_PROCESSING_FAILURE);
return $retval;
}
@@ -92,7 +102,7 @@ class sspmod_InfoCard_RP_InfoCard
}
catch(Exception $e) {
$retval->setError('Failure processing assertion document');
- SimpleSAML_Logger::debug('Failure processing assertion document');
+ throw new Exception('Failure processing assertion document');
$retval->setCode(Zend_InfoCard_Claims::RESULT_PROCESSING_FAILURE);
return $retval;
}
@@ -118,7 +128,7 @@ class sspmod_InfoCard_RP_InfoCard
}
catch(Exception $e) {
$retval->setError('Failure processing assertion document');
- SimpleSAML_Logger::debug('Failure processing assertion document');
+ throw new Exception('Failure processing assertion document');
$retval->setCode(Zend_InfoCard_Claims::RESULT_PROCESSING_FAILURE);
return $retval;
}
@@ -128,9 +138,9 @@ class sspmod_InfoCard_RP_InfoCard
private function ValidateSignature($assertions) {
include_once 'Zend_InfoCard_Xml_Security.php';
- $reference_id = Zend_InfoCard_Xml_Security::validateXMLSignature($assertions->asXML());
+ $reference_id = Zend_InfoCard_Xml_Security::validateXMLSignature($assertions->asXML(), $this->_sts_crt);
if(!$reference_id) {
- SimpleSAML_Logger::debug("Failure Validating the Signature of the assertion document");
+ throw new Exception("Failure Validating the Signature of the assertion document");
}
return $reference_id;
@@ -140,16 +150,16 @@ class sspmod_InfoCard_RP_InfoCard
if($reference_id[0] == '#') {
$reference_id = substr($reference_id, 1);
} else {
- SimpleSAML_Logger::debug("Reference of document signature does not reference the local document");
+ throw new Exception("Reference of document signature does not reference the local document");
}
if($reference_id != $assertions->getAssertionID()) {
- SimpleSAML_Logger::debug("Reference of document signature does not reference the local document");
+ throw new Exception("Reference of document signature does not reference the local document");
}
$conditions = $assertions->getConditions();
if(is_array($condition_error = $assertions->validateConditions($conditions))) {
- SimpleSAML_Logger::debug("Conditions of assertion document are not met: {$condition_error[1]} ({$condition_error[0]})");
+ throw new Exception("Conditions of assertion document are not met: {$condition_error[1]} ({$condition_error[0]})");
}
}
@@ -174,90 +184,90 @@ class sspmod_InfoCard_RP_InfoCard
}
}
- SimpleSAML_Logger::debug("Unable to determine Assertion type by Namespace");
+ throw new Exception("Unable to determine Assertion type by Namespace");
}
private function decryptToken($xmlToken) {
if($this->_sxml['Type'] != self::XENC_ELEMENT_TYPE) {
- SimpleSAML_Logger::debug("Unknown EncryptedData type found");
+ throw new Exception("Unknown EncryptedData type found");
}
$this->_sxml->registerXPathNamespace('enc', self::XENC_NS);
list($encryptionMethod) = $this->_sxml->xpath("//enc:EncryptionMethod");
if(!$encryptionMethod instanceof SimpleXMLElement) {
- SimpleSAML_Logger::debug("EncryptionMethod node not found");
+ throw new Exception("EncryptionMethod node not found");
}
$encMethodDom = dom_import_simplexml($encryptionMethod);
if(!$encMethodDom instanceof DOMElement) {
- SimpleSAML_Logger::debug("Failed to create DOM from EncryptionMethod node");
+ throw new Exception("Failed to create DOM from EncryptionMethod node");
}
if(!$encMethodDom->hasAttribute("Algorithm")) {
- SimpleSAML_Logger::debug("Unable to determine the encryption algorithm in the Symmetric enc:EncryptionMethod XML block");
+ throw new Exception("Unable to determine the encryption algorithm in the Symmetric enc:EncryptionMethod XML block");
}
$algo = $encMethodDom->getAttribute("Algorithm");
if($algo != self::XENC_ENC_ALGO) {
- SimpleSAML_Logger::debug("Unsupported encryption algorithm");
+ throw new Exception("Unsupported encryption algorithm");
}
$this->_sxml->registerXPathNamespace('ds', self::DSIG_NS);
list($keyInfo) = $this->_sxml->xpath("ds:KeyInfo");
if(!$keyInfo instanceof SimpleXMLElement) {
- SimpleSAML_Logger::debug("KeyInfo node not found");
+ throw new Exception("KeyInfo node not found");
}
$keyInfo->registerXPathNamespace('enc', self::XENC_NS);
list($encryptedKey) = $keyInfo->xpath("enc:EncryptedKey");
if(!$encryptedKey instanceof SimpleXMLElement) {
- SimpleSAML_Logger::debug("EncryptedKey element not found in KeyInfo");
+ throw new Exception("EncryptedKey element not found in KeyInfo");
}
$encryptedKey->registerXPathNamespace('enc', self::XENC_NS);
list($keyInfoEncryptionMethod) = $encryptedKey->xpath("enc:EncryptionMethod");
if(!$keyInfoEncryptionMethod instanceof SimpleXMLElement) {
- SimpleSAML_Logger::debug("EncryptionMethod element not found in EncryptedKey");
+ throw new Exception("EncryptionMethod element not found in EncryptedKey");
}
$keyInfoEncMethodDom = dom_import_simplexml($keyInfoEncryptionMethod);
if(!$keyInfoEncMethodDom instanceof DOMElement) {
- SimpleSAML_Logger::debug("Failed to create DOM from EncryptionMethod node");
+ throw new Exception("Failed to create DOM from EncryptionMethod node");
}
if(!$keyInfoEncMethodDom->hasAttribute("Algorithm")) {
- SimpleSAML_Logger::debug("Unable to determine the encryption algorithm in the Symmetric enc:EncryptionMethod XML block");
+ throw new Exception("Unable to determine the encryption algorithm in the Symmetric enc:EncryptionMethod XML block");
}
$keyInfoEncMethodAlgo = $keyInfoEncMethodDom->getAttribute("Algorithm");
if($keyInfoEncMethodAlgo != self::XENC_KEYINFO_ENC_ALGO) {
- SimpleSAML_Logger::debug("Unsupported encryption algorithm");
+ throw new Exception("Unsupported encryption algorithm");
}
$encryptedKey->registerXPathNamespace('ds', self::DSIG_NS);
$encryptedKey->registerXPathNamespace('wsse', self::WSSE_NS);
list($keyIdentifier) = $encryptedKey->xpath("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier");
if(!$keyIdentifier instanceof SimpleXMLElement) {
- SimpleSAML_Logger::debug("KeyInfo/SecurityTokenReference/KeyIdentifier node not found in KeyInfo");
+ throw new Exception("KeyInfo/SecurityTokenReference/KeyIdentifier node not found in KeyInfo");
}
$keyIdDom = dom_import_simplexml($keyIdentifier);
if(!$keyIdDom instanceof DOMElement) {
- SimpleSAML_Logger::debug("Failed to create DOM from KeyIdentifier node");
+ throw new Exception("Failed to create DOM from KeyIdentifier node");
}
if(!$keyIdDom->hasAttribute("ValueType")) {
- SimpleSAML_Logger::debug("Unable to determine ValueType of KeyIdentifier");
+ throw new Exception("Unable to determine ValueType of KeyIdentifier");
}
$valueType = $keyIdDom->getAttribute("ValueType");
if($valueType != self::WSSE_KEYID_VALUE_TYPE) {
- SimpleSAML_Logger::debug("Unsupported KeyIdentifier ValueType");
+ throw new Exception("Unsupported KeyIdentifier ValueType");
}
list($cipherValue) = $encryptedKey->xpath("enc:CipherData/enc:CipherValue");
if(!$cipherValue instanceof SimpleXMLElement) {
- SimpleSAML_Logger::debug("CipherValue node found in EncryptedKey");
+ throw new Exception("CipherValue node found in EncryptedKey");
}
$base64DecodeSupportsStrictParam = version_compare(PHP_VERSION, '5.2.0', '>=');
@@ -270,19 +280,19 @@ class sspmod_InfoCard_RP_InfoCard
$private_key = openssl_pkey_get_private(array(file_get_contents($this->_private_key_file), $this->_password));
if(!$private_key) {
- SimpleSAML_Logger::debug("Unable to load private key");
+ throw new Exception("Unable to load private key");
}
$result = openssl_private_decrypt($keyCipherValueBase64Decoded, $symmetricKey, $private_key, OPENSSL_PKCS1_OAEP_PADDING);
openssl_free_key($private_key);
if(!$result) {
- SimpleSAML_Logger::debug("Unable to decrypt symmetric key");
+ throw new Exception("Unable to decrypt symmetric key");
}
list($cipherValue) = $this->_sxml->xpath("enc:CipherData/enc:CipherValue");
if(!$cipherValue instanceof SimpleXMLElement) {
- SimpleSAML_Logger::debug("CipherValue node found in EncryptedData");
+ throw new Exception("CipherValue node found in EncryptedData");
}
if ($base64DecodeSupportsStrictParam) {
@@ -296,7 +306,7 @@ class sspmod_InfoCard_RP_InfoCard
$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $symmetricKey, $keyCipherValueBase64Decoded, MCRYPT_MODE_CBC, $mcrypt_iv);
if(!$decrypted) {
- SimpleSAML_Logger::debug("Unable to decrypt token");
+ throw new Exception("Unable to decrypt token");
}
$decryptedLength = strlen($decrypted);
diff --git a/modules/InfoCard/lib/RP/Zend_InfoCard_Xml_Security.php b/modules/InfoCard/lib/RP/Zend_InfoCard_Xml_Security.php
index da4ef9f79..48ef389a6 100644
--- a/modules/InfoCard/lib/RP/Zend_InfoCard_Xml_Security.php
+++ b/modules/InfoCard/lib/RP/Zend_InfoCard_Xml_Security.php
@@ -33,6 +33,11 @@ require_once 'Zend_InfoCard_Xml_Security_Transform.php';
* @copyright Copyright (c) 2005-2008 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
*/
+
+/*
+* ĂšLTIMA REVISIĂ“N: 4-DEC-2008
+*/
+
class Zend_InfoCard_Xml_Security
{
/**
@@ -79,6 +84,7 @@ class Zend_InfoCard_Xml_Security
{
}
+
/**
* Validates the signature of a provided XML block
*
@@ -86,142 +92,134 @@ class Zend_InfoCard_Xml_Security
* @return bool True if the signature validated, false otherwise
* @throws Exception
*/
- static public function validateXMLSignature($strXMLInput)
- {
- if(!extension_loaded('openssl')) {
- SimpleSAML_Logger::debug("You must have the openssl extension installed to use this class");
- }
-
- $sxe = simplexml_load_string($strXMLInput);
-
- $sxe->registerXPathNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');
-
- list($canonMethod) = $sxe->xpath("//ds:Signature/ds:SignedInfo/ds:CanonicalizationMethod");
- switch((string)$canonMethod['Algorithm']) {
- case self::CANONICAL_METHOD_C14N_EXC:
- $cMethod = (string)$canonMethod['Algorithm'];
- break;
- default:
- SimpleSAML_Logger::debug("Unknown or unsupported CanonicalizationMethod Requested");
- }
-
- list($signatureMethod) = $sxe->xpath("//ds:Signature/ds:SignedInfo/ds:SignatureMethod");
- switch((string)$signatureMethod['Algorithm']) {
- case self::SIGNATURE_METHOD_SHA1:
- $sMethod = (string)$signatureMethod['Algorithm'];
- break;
- default:
- SimpleSAML_Logger::debug("Unknown or unsupported SignatureMethod Requested");
- }
-
- list($digestMethod) = $sxe->xpath("//ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod");
- switch((string)$digestMethod['Algorithm']) {
- case self::DIGEST_METHOD_SHA1:
- $dMethod = (string)$digestMethod['Algorithm'];
- break;
- default:
- SimpleSAML_Logger::debug("Unknown or unsupported DigestMethod Requested");
- }
-
- $base64DecodeSupportsStrictParam = version_compare(PHP_VERSION, '5.2.0', '>=');
-
- list($digestValue) = $sxe->xpath("//ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestValue");
- if ($base64DecodeSupportsStrictParam) {
- $dValue = base64_decode((string)$digestValue, true);
- } else {
- $dValue = base64_decode((string)$digestValue);
- }
-
- list($signatureValueElem) = $sxe->xpath("//ds:Signature/ds:SignatureValue");
- if ($base64DecodeSupportsStrictParam) {
- $signatureValue = base64_decode((string)$signatureValueElem, true);
- } else {
- $signatureValue = base64_decode((string)$signatureValueElem);
- }
-
- $transformer = new Zend_InfoCard_Xml_Security_Transform();
+ static public function validateXMLSignature($strXMLInput, $sts_crt=NULL){
+ if(!extension_loaded('openssl')) {
+ throw new SimpleSAML_Error_Error("You must have the openssl extension installed to use this class");
+ }
+
+ $sxe = simplexml_load_string($strXMLInput);
+ $sxe->registerXPathNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');
+
+ list($canonMethod) = $sxe->xpath("//ds:Signature/ds:SignedInfo/ds:CanonicalizationMethod");
+ switch((string)$canonMethod['Algorithm']) {
+ case self::CANONICAL_METHOD_C14N_EXC:
+ $cMethod = (string)$canonMethod['Algorithm'];
+ break;
+ default:
+ throw new SimpleSAML_Error_Error("Unknown or unsupported CanonicalizationMethod Requested");
+ }
+
+ list($signatureMethod) = $sxe->xpath("//ds:Signature/ds:SignedInfo/ds:SignatureMethod");
+ switch((string)$signatureMethod['Algorithm']) {
+ case self::SIGNATURE_METHOD_SHA1:
+ $sMethod = (string)$signatureMethod['Algorithm'];
+ break;
+ default:
+ throw new SimpleSAML_Error_Error("Unknown or unsupported SignatureMethod Requested");
+ }
+
+ list($digestMethod) = $sxe->xpath("//ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod");
+ switch((string)$digestMethod['Algorithm']) {
+ case self::DIGEST_METHOD_SHA1:
+ $dMethod = (string)$digestMethod['Algorithm'];
+ break;
+ default:
+ throw new SimpleSAML_Error_Error("Unknown or unsupported DigestMethod Requested");
+ }
+
+ $base64DecodeSupportsStrictParam = version_compare(PHP_VERSION, '5.2.0', '>=');
+
+ list($digestValue) = $sxe->xpath("//ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestValue");
+ if ($base64DecodeSupportsStrictParam) {
+ $dValue = base64_decode((string)$digestValue, true);
+ } else {
+ $dValue = base64_decode((string)$digestValue);
+ }
+
+ list($signatureValueElem) = $sxe->xpath("//ds:Signature/ds:SignatureValue");
+ if ($base64DecodeSupportsStrictParam) {
+ $signatureValue = base64_decode((string)$signatureValueElem, true);
+ } else {
+ $signatureValue = base64_decode((string)$signatureValueElem);
+ }
+
+ $transformer = new Zend_InfoCard_Xml_Security_Transform();
//need to fix this later
- $transforms = $sxe->xpath("//ds:Signature/ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform");
- while(list( , $transform) = each($transforms)) {
- $transformer->addTransform((string)$transform['Algorithm']);
- }
-
- $transformed_xml = $transformer->applyTransforms($strXMLInput);
-
- //$transformed_xml_binhash = pack("H*", sha1($transformed_xml));
- $transformed_xml_binhash = pack("H*", sha1($transformed_xml));
-
- if($transformed_xml_binhash != $dValue) {
- SimpleSAML_Logger::debug("Locally Transformed XML (".$transformed_xml_binhash.") does not match XML Document (".$dValue."). Cannot Verify Signature");
- }
+ $transforms = $sxe->xpath("//ds:Signature/ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform");
+ while(list( , $transform) = each($transforms)) {
+ $transformer->addTransform((string)$transform['Algorithm']);
+ }
+ $transformed_xml = $transformer->applyTransforms($strXMLInput);
+ $transformed_xml_binhash = pack("H*", sha1($transformed_xml));
+ if($transformed_xml_binhash != $dValue) {
+ throw new SimpleSAML_Error_Error("Locally Transformed XML (".$transformed_xml_binhash.") does not match XML Document (".$dValue."). Cannot Verify Signature");
+ }
+
+ $public_key = null;
+
+ $sxe->registerXPathNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');
+ list($keyValue) = $sxe->xpath("//ds:Signature/ds:KeyInfo");
+ $keyValue->registerXPathNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');
+ list($x509cert) = $keyValue->xpath("ds:X509Data/ds:X509Certificate");
+ list($rsaKeyValue) = $keyValue->xpath("ds:KeyValue/ds:RSAKeyValue");
+
+ switch(true) {
+ case isset($x509cert):
+ $certificate = (string)$x509cert;
+
+ $pem = "-----BEGIN CERTIFICATE-----\n".wordwrap($certificate, 64, "\n", true)."\n-----END CERTIFICATE-----";
+ $public_key = openssl_pkey_get_public($pem);
+ if(!$public_key) {
+ throw new SimpleSAML_Error_Error("Unable to extract and prcoess X509 Certificate from KeyValue");
+ }
+ break;
+ case isset($rsaKeyValue):
+ $rsaKeyValue->registerXPathNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');
+ list($modulus) = $rsaKeyValue->xpath("ds:Modulus");
+ list($exponent) = $rsaKeyValue->xpath("ds:Exponent");
+ if(!isset($modulus) || !isset($exponent)) {
+ throw new SimpleSAML_Error_Error("RSA Key Value not in Modulus/Exponent form");
+ }
+ $modulus = base64_decode((string)$modulus);
+ $exponent = base64_decode((string)$exponent);
+ $pem_public_key = self::_getPublicKeyFromModExp($modulus, $exponent);
+ $public_key = openssl_pkey_get_public ($pem_public_key);
+ break;
+ default:
+ throw new SimpleSAML_Error_Error("Unable to determine or unsupported representation of the KeyValue block");
+ }
+
+ $transformer = new Zend_InfoCard_Xml_Security_Transform();
+ $transformer->addTransform((string)$canonMethod['Algorithm']);
+ list($signedInfo) = $sxe->xpath("//ds:Signature/ds:SignedInfo");
+ $signedInfoXML = self::addNamespace($signedInfo, "http://www.w3.org/2000/09/xmldsig#");
+ $canonical_signedinfo = $transformer->applyTransforms($signedInfoXML);
+
+
+ //Check received public_key against configured one
+ if ($sts_crt!=NULL){
+ $checkcert = file_get_contents($sts_crt);
+ $check_key = openssl_pkey_get_public($checkcert);
+ $checkData = openssl_pkey_get_details($check_key);
+ $checkData2= openssl_pkey_get_details($public_key);
+ }
+ if (($checkData2 == $checkData) || ($sts_crt==NULL)) {
+ if (openssl_verify($canonical_signedinfo,$signatureValue,$public_key)) {
+ list($reference) = $sxe->xpath("//ds:Signature/ds:SignedInfo/ds:Reference");
+ return (string)$reference['URI'];
+ } else {
+ throw new SimpleSAML_Error_Error("Could not validate the XML signature");
+ }
+ } else {
+ SimpleSAML_Logger::debug("Configured STS cert and received STS cert mismatch");
+ throw new SimpleSAML_Error_Error("Configured STS cert and received STS cert mismatch");
+ }
+ return false;
+ }
- $public_key = null;
- $sxe->registerXPathNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');
- list($keyValue) = $sxe->xpath("//ds:Signature/ds:KeyInfo");
-
- $keyValue->registerXPathNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');
-
- list($x509cert) = $keyValue->xpath("ds:X509Data/ds:X509Certificate");
- list($rsaKeyValue) = $keyValue->xpath("ds:KeyValue/ds:RSAKeyValue");
-
- switch(true) {
- case isset($x509cert):
-
- $certificate = (string)$x509cert;
-
-
- $pem = "-----BEGIN CERTIFICATE-----\n" .
- wordwrap($certificate, 64, "\n", true) .
- "\n-----END CERTIFICATE-----";
-
- $public_key = openssl_pkey_get_public($pem);
-
- if(!$public_key) {
- SimpleSAML_Logger::debug("Unable to extract and prcoess X509 Certificate from KeyValue");
- }
-
- break;
- case isset($rsaKeyValue):
-
- $rsaKeyValue->registerXPathNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');
- list($modulus) = $rsaKeyValue->xpath("ds:Modulus");
- list($exponent) = $rsaKeyValue->xpath("ds:Exponent");
- if(!isset($modulus) ||
- !isset($exponent)) {
- SimpleSAML_Logger::debug("RSA Key Value not in Modulus/Exponent form");
- }
-
- $modulus = base64_decode((string)$modulus);
- $exponent = base64_decode((string)$exponent);
-
- $pem_public_key = self::_getPublicKeyFromModExp($modulus, $exponent);
-
- $public_key = openssl_pkey_get_public ($pem_public_key);
-
- break;
- default:
- SimpleSAML_Logger::debug("Unable to determine or unsupported representation of the KeyValue block");
- }
-
- $transformer = new Zend_InfoCard_Xml_Security_Transform();
- $transformer->addTransform((string)$canonMethod['Algorithm']);
-
- list($signedInfo) = $sxe->xpath("//ds:Signature/ds:SignedInfo");
- $signedInfoXML = self::addNamespace($signedInfo, "http://www.w3.org/2000/09/xmldsig#");
-
- $canonical_signedinfo = $transformer->applyTransforms($signedInfoXML);
-
- if(openssl_verify($canonical_signedinfo, $signatureValue, $public_key)) {
- list($reference) = $sxe->xpath("//ds:Signature/ds:SignedInfo/ds:Reference");
- return (string)$reference['URI'];
- }
-
- return false;
- }
-
private function addNamespace($xmlElem, $ns) {
$xmlElem->addAttribute('DS_NS', $ns);
$xml = $xmlElem->asXML();
@@ -294,9 +292,9 @@ class Zend_InfoCard_Xml_Security
case ($len < 0x010000):
return sprintf("%c%c%c%c%s", $type, 0x82, $len / 0x0100, $len % 0x0100, $data);
default:
- SimpleSAML_Logger::debug("Could not encode value");
+ throw new SimpleSAML_Error_Error("Could not encode value");
}
- SimpleSAML_Logger::debug("Invalid code path");
+ throw new SimpleSAML_Error_Error("Invalid code path");
}
}
--
GitLab