diff --git a/modules/InfoCard/config-template/config-login-infocard.php b/modules/InfoCard/config-template/config-login-infocard.php
index 90ba0f6123062068f0bbad2e3d535836ebb50e17..3259851ef15b0e6bb31d70f856e653b2eef8f9fc 100644
--- a/modules/InfoCard/config-template/config-login-infocard.php
+++ b/modules/InfoCard/config-template/config-login-infocard.php
@@ -3,92 +3,142 @@
 /*
 * AUTHOR: Samuel Muñoz Hidalgo
 * EMAIL: samuel.mh@gmail.com
-* LAST REVISION: 1-DEC-08
-* DESCRIPTION: 'login-infocard' module configuration.
+* LAST REVISION: 13-FEB-09
+* DESCRIPTION: 'InfoCard' module configuration for simpleSAMLphp.
 
 
--server_key:
--server_crt:
--IClogo: InfoCard logo (template's button)
-
-
-Definitions taken from:
+Some definitions were taken from:
 A Guide to Using the Identity Selector
 Interoperability Profile V1.5 within Web
 Applications and Browsers.
 Copyright Microsoft
-"
--issuer (optional)
-	This parameter specifies the URL of the STS from which to obtain a token. If omitted, no
-	specific STS is requested. The special value
-	“http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self” specifies that the
-	token should come from a Self-issued Identity Provider.
-
--issuerPolicy (optional)
-	This parameter specifies the URL of an endpoint from which the STS’s WS-SecurityPolicy
-	can be retrieved using WS-MetadataExchange. This endpoint must use HTTPS.
-
--tokenType (optional)
-	This parameter specifies the type of the token to be requested from the STS as a URI. Th
-	parameter can be omitted if the STS and the Web site front-end have a mutual
-	understanding about what token type will be provided or if the Web site is willing to accep
-	any token type.
-
--requiredClaims (optional)
-	This parameter specifies the types of claims that must be supplied by the identity. If
-	omitted, there are no required claims. The value of requiredClaims is a space-separate
-	list of URIs, each specifying a required claim type.
-
--optionalClaims (optional)
-	This parameter specifies the types of optional claims that may be supplied by the identity
-	If omitted, there are no optional claims. The value of optionalClaims is a space-separat
-	list of URIs, each specifying a claim type that can be optionally submitted.
-
--privacyUrl (optional)
-	This parameter specifies the URL of the human-readable Privacy Policy of the site, if
-	provided.
-"
-
-
--Claims supported by the current schema
-	givenname
-	surname
-	emailaddress
-	streetaddress
-	locality
-	stateorprovince
-	postalcode
-	country
-	primaryphone
-	dateofbirth
-	privatepersonalid
-	gender
-	webpage
 
 */
 
 
 $config = array (
 	
-	'server_key' => '/etc/apache2/ssl/idp.key',
-	'server_crt' => '/etc/apache2/ssl/idp.crt',
+//-------------  TEMPLATE OPTIONS ---------------
+	'IClogo' => 'resources/infocard_114x80.png',        //Infocard logo button
+	'help_desk_email_URL' => 'mailto:asd@asd.com',      //Help desk e-mail
+	'contact_info_URL' => 'http://google.es',           //Contact information
+	
+	
+	
+	
+//-------------  CERTIFICATE OPTIONS ---------------
+	
+	/*
+	* USED IN: Relying Party
+	* DESCRIPTION: Key of the certificate used in the https connection with the idp, it'll be used
+	*  for decrypting the received XML token,
+	*/
+	'idp_key' => '/etc/apache2/ssl/idp.key',
+	
+	
+	/*
+	* USED IN: Relying Party
+	* DESCRIPTION: Only accept tokens signed with this certificate,
+	*  if no certificate is set, it'll be assumed to accept
+	*  a self isued token and accept any token. 
+	*/
 	'sts_crt' => '/etc/apache2/ssl/sts.crt',
 	
-	'IClogo' => 'resources/infocard_114x80.png',
 	
-
+	/*
+	* USED IN: Infocard Generator, STS
+	*	DESCRIPTION: STS certificate for signing Infocards and tokens.
+	*/
+	'sts_key' => '/etc/apache2/ssl/sts.key',
+	
+	
+	/*
+	* USED IN:
+	*	DESCRIPTION: Array of certificates forming a trust chain.  The local signing
+	* certificate is [0], the one that signed that is [1], etc, chaining to a
+	* trust anchor.
+	* HINT: The first one, [0], should be the same as the sts_crt. 
+	*/	
+	'certificates' => array(
+		0 => '/etc/apache2/ssl/sts.crt',
+		1 => '/etc/apache2/ssl/CA.crt'
+	),
+	
+	
+	
+//-------------  DATA (InfoCard) OPTIONS ---------------
+	
+	/*
+	* USED IN: InfoCard Generator, Relying Party and STS
+	*	DESCRIPTION: Infocard information
+	*/
 	'InfoCard' => array(
+		/*
+		*   -issuer (optional, taken from the sts_crt common name value, if no set, self issuer is assumed )
+		* This parameter specifies the URL of the STS from which to obtain a token. If omitted, no
+		* specific STS is requested. The special value
+		* “http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self” specifies that the
+		* token should come from a Self-issued Identity Provider
+		*/
+		/*
+		* Root of the current InfoCard schema
+		*/
 		'schema' => 'http://schemas.xmlsoap.org/ws/2005/05/identity',
-		'issuer' => 'https://sts/tokenservice.php',
+		/*
+		*   -issuerPolicy (optional)
+		* This parameter specifies the URL of an endpoint from which the STS’s WS-SecurityPolicy
+		* can be retrieved using WS-MetadataExchange. This endpoint must use HTTPS.
+		*/
 		'issuerPolicy' => '',
+		/*
+		*   -privacyUrl (optional)
+		* This parameter specifies the URL of the human-readable Privacy Policy of the site, if
+		* provided.
+		*/
 		'privacyURL' => '',
+		/*
+		*   -tokenType (optional)
+		* This parameter specifies the type of the token to be requested from the STS as a URI. Th
+		* parameter can be omitted if the STS and the Web site front-end have a mutual
+		* understanding about what token type will be provided or if the Web site is willing to accep
+		* any token type.
+		*/
 		'tokenType' => 'urn:oasis:names:tc:SAML:1.0:assertion',
+		
+		/*-Claims supported by the current schema
+			givenname
+			surname
+			emailaddress
+			streetaddress
+			locality
+			stateorprovince
+			postalcode
+			country
+			primaryphone
+			dateofbirth
+			privatepersonalid
+			gender
+			webpage
+		*/
+		
+		/*
+		*   -requiredClaims (optional)
+		* This parameter specifies the types of claims that must be supplied by the identity. If
+		* omitted, there are no required claims. The value of requiredClaims is a space-separate
+		* list of URIs, each specifying a required claim type.
+		*/
 		'requiredClaims' => array(
 			'privatepersonalidentifier' => array('displayTag'=>"Id",         'description'=>"id"),
 			'givenname' =>                 array('displayTag'=>"Given Name", 'description'=>"etc"),
 			'surname' =>                   array('displayTag'=>"Surname",    'description'=>"apellidos"),
 			'emailaddress' =>              array('displayTag'=>"e-mail",     'description'=>"E-mail address")
 		),
+		/*
+		*   -optionalClaims (optional)
+		* This parameter specifies the types of optional claims that may be supplied by the identity
+		* If omitted, there are no optional claims. The value of optionalClaims is a space-separat
+		* list of URIs, each specifying a claim type that can be optionally submitted
+		*/
 		'optionalClaims' => array(
 			'country' => array('displayTag'=>"country", 'description'=>"PaĂ­s"),
 			'webpage' => array('displayTag'=>"webpage", 'description'=>"Página web")
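Review bot: The comment above `'sts_crt'` documents a fail-open fallback — with no certificate configured the relying party accepts any token — but a shipped template should state that the option is mandatory for a production relying party instead of presenting the fallback as a feature; I would reword it as `* DESCRIPTION: Only accept tokens signed with this certificate. If left unset the relying party accepts ANY token (including self-issued ones), so it must be set in production.` The `-issuer` comment block now sits above `'schema'` although the `issuer` key itself was removed from the array; a one-line note such as `* NOTE: issuer is no longer configured here; it is derived from sts_crt (self-issuer when unset)` would make that intentional. Typos `isued`, `no set` and the cut-off words `Th`, `accep`, `space-separate` in the copied guide text remain on the new side. The `$config` array this hunk documents continues past the hunk.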
@@ -96,20 +146,58 @@ $config = array (
 	),
 
 
-//STS only
-// array of certificates forming a trust chain.  The local signing
-// certificate is [0], the one that signed that is [1], etc, chaining to a
-// trust anchor.
+
+
+//-------------  WEB PAGES ---------------
 	
-	'CardGenerator' => 'https://idp.aut.uah.es/simplesaml/module.php/InfoCard/getinfocard.php',
-	'certificates' => array(
-		0 => '/etc/apache2/ssl/sts.crt',
-		1 => '/etc/apache2/ssl/CA.crt'
-	),
+	/*
+	* USED IN: InfoCard Generator, Relying Party (optional form)
+	*	DESCRIPTION: Infocard generator URL, if set it'll  appear a form with username-password authentication in the template
+	*/
+	'CardGenerator' => 'https://sts.aut.uah.es/simplesaml/module.php/InfoCard/getcardform.php',
+
+
+	/*
+	* USED IN: InfoCard Generator, Relying Party (issuer), STS (Metadata-Exchange)
+	*	DESCRIPTION: Token generator URL
+	*/
+	'tokenserviceurl' => 'https://sts.aut.uah.es/simplesaml/module.php/InfoCard/tokenservice.php',
 	
-	'sts_key' => '/etc/apache2/ssl/sts.key',
-	'tokenserviceurl' => 'https://sts/tokenservice.php',
-	'mexurl' => 'https://sts/mex.php',
+	
+	/*
+	* USED IN: InfoCard Generator
+	*	DESCRIPTION: Metadata Exchange URL
+	*/
+	'mexurl' => 'https://sts.aut.uah.es/simplesaml/module.php/InfoCard/mex.php',
+
+
+
+
+//-------------  CREDENTIALS ---------------
+
+	/*
+	* USED IN: InfoCard Generator, Relying Party (optional form)
+	* TYPES: UsernamePasswordCredential, KerberosV5Credential, X509V3Credential, SelfIssuedCredential
+	* DESCRIPTION: How the user will be authenticated
+	* IMPLEMENTED & TESTED: UsernamePasswordCredential, SelfIssuedCredential
+	*/
+	'UserCredential' => 'SelfIssuedCredential',
+
+
+
+
+//-------------  DEBUG ---------------
+
+	/*
+	* USED IN: tokenservice
+	* DESCRIPTION: directory where RSTs and RSTRs will be logged EJ: /tmp.
+	*  If null, logging will be dissabled.
+	*  The directory MUST exists and be accessible to the program, otherwise NO log will be written
+	*  Log files have the form urn:uuid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.log where X is an hexadecimal digit [0-9|a-f]
+	*/
+	'debugDir' => '/tmp',
+
 );
+ 
 
 ?>
\ No newline at end of file
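Review bot: `'debugDir' => '/tmp'` enables logging of full RSTs and RSTRs by default even though the comment says the option is off when null; a configuration template should ship with it disabled, `'debugDir' => null,`, because those exchanges are the token requests and responses and so contain the issued tokens (and presumably whatever credentials the request carried), while /tmp is a shared directory. The comment should also ask for a directory readable only by the web server account and mark the option as a debugging aid, e.g. `*  Debug aid only: use a directory readable only by the web server account and keep this null in production.` Spelling on the new side: `dissabled`, `MUST exists`, and `EJ:` (Spanish) should read `e.g.`. The trailing `?>` in a PHP-only file, together with the added whitespace-only line before it, is unnecessary and risks emitting stray output; dropping the closing tag is the safer convention.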
diff --git a/modules/InfoCard/dictionaries/logininfocard.php b/modules/InfoCard/dictionaries/dict-InfoCard.php
similarity index 61%
rename from modules/InfoCard/dictionaries/logininfocard.php
rename to modules/InfoCard/dictionaries/dict-InfoCard.php
index a8525b813cdc43acdb147a3138231541e6abfb64..0affd8164059fea67d31d36203ca830d23d9dc57 100644
--- a/modules/InfoCard/dictionaries/logininfocard.php
+++ b/modules/InfoCard/dictionaries/dict-InfoCard.php
@@ -44,6 +44,24 @@ $lang = array(
 		'pt' => '',
 		'pt-BR' => '',
 	),
+	'get_IC_link' => array (
+		'no' => '',
+		'nn' => '',
+		'da' => '',
+		'en' => 'Click here to get your InfoCard',
+		'de' => '',
+		'sv' => '',
+		'fi' => '',
+		'es' => 'Pinche aquĂ­ para conseguir su InfoCard',
+		'fr' => '',
+		'nl' => '',
+		'lb' => '',
+		'sl' => '',
+		'hr' => '',
+		'hu' => '',
+		'pt' => '',
+		'pt-BR' => '',
+	),
 	'form_username' => array (
 		'no' => '',
 		'nn' => '',
@@ -250,6 +268,186 @@ $lang = array(
 		'hu' => 'Elérési információk',
 		'pt' => 'Contactos',
 		'pt-BR' => 'Informações de Contato',
+	),	
+	'getcardform_title' => array (
+		'no' => '',
+		'nn' => '',
+		'da' => '',
+		'en' => 'Authentication form',
+		'de' => '',
+		'sv' => '',
+		'fi' => '',
+		'es' => 'Formulario de autenticaciĂłn',
+		'fr' => '',
+		'nl' => '',
+		'lb' => '',
+		'sl' => '',
+		'hr' => '',
+		'hu' => '',
+		'pt' => '',
+		'pt-BR' => '',
+	),
+	'getcardform_self_title' => array (
+		'no' => '',
+		'nn' => '',
+		'da' => '',
+		'en' => 'Self-Issued Card form',
+		'de' => '',
+		'sv' => '',
+		'fi' => '',
+		'es' => 'Formulario de tarjeta autogestionada',
+		'fr' => '',
+		'nl' => '',
+		'lb' => '',
+		'sl' => '',
+		'hr' => '',
+		'hu' => '',
+		'pt' => '',
+		'pt-BR' => '',
+	),
+	'getcardform_self_text' => array (
+		'no' => '',
+		'nn' => '',
+		'da' => '',
+		'en' => 'Please, enter a self issued InfoCard in order to link it with the managed one we are generating.',
+		'de' => '',
+		'sv' => '',
+		'fi' => '',
+		'es' => 'Por favor, introduzca una InfoCard autogestionada para ligarla a la que vamos a generarle.',
+		'fr' => '',
+		'nl' => '',
+		'lb' => '',
+		'sl' => '',
+		'hr' => '',
+		'hu' => '',
+		'pt' => '',
+		'pt-BR' => '',
+	),
+	'getcardform_finished_title' => array (
+		'no' => '',
+		'nn' => '',
+		'da' => '',
+		'en' => 'Congratulations, your Infocard was succesfully generated',
+		'de' => '',
+		'sv' => '',
+		'fi' => '',
+		'es' => 'Enhorabuena, generĂł su Infocard con Ă©xito',
+		'fr' => '',
+		'nl' => '',
+		'lb' => '',
+		'sl' => '',
+		'hr' => '',
+		'hu' => '',
+		'pt' => '',
+		'pt-BR' => '',
+	),
+	'getcardform_finished_text' => array (
+		'no' => '',
+		'nn' => '',
+		'da' => '',
+		'en' => 'Please follow the next link to get to the login page.',
+		'de' => '',
+		'sv' => '',
+		'fi' => '',
+		'es' => 'Siga el siguiente enlace para ir a la página de login',
+		'fr' => '',
+		'nl' => '',
+		'lb' => '',
+		'sl' => '',
+		'hr' => '',
+		'hu' => '',
+		'pt' => '',
+		'pt-BR' => '',
+	),
+	'NO_password' => array (
+		'no' => '',
+		'nn' => '',
+		'da' => '',
+		'en' => 'Please fill in your password',
+		'de' => '',
+		'sv' => '',
+		'fi' => '',
+		'es' => 'Introduce una contraseña',
+		'fr' => '',
+		'nl' => '',
+		'lb' => '',
+		'sl' => '',
+		'hr' => '',
+		'hu' => '',
+		'pt' => '',
+		'pt-BR' => '',
+	),
+	'NO_user' => array (
+		'no' => '',
+		'nn' => '',
+		'da' => '',
+		'en' => 'Please fill in your username',
+		'de' => '',
+		'sv' => '',
+		'fi' => '',
+		'es' => 'Introduce tu nombre de usuario',
+		'fr' => '',
+		'nl' => '',
+		'lb' => '',
+		'sl' => '',
+		'hr' => '',
+		'hu' => '',
+		'pt' => '',
+		'pt-BR' => '',
+	),
+	'Wrong_user_pass' => array (
+		'no' => '',
+		'nn' => '',
+		'da' => '',
+		'en' => 'Wrong username or password',
+		'de' => '',
+		'sv' => '',
+		'fi' => '',
+		'es' => 'Usuario o contraseña inválidos ',
+		'fr' => '',
+		'nl' => '',
+		'lb' => '',
+		'sl' => '',
+		'hr' => '',
+		'hu' => '',
+		'pt' => '',
+		'pt-BR' => '',
+	),
+	'' => array (
+		'no' => '',
+		'nn' => '',
+		'da' => '',
+		'en' => '',
+		'de' => '',
+		'sv' => '',
+		'fi' => '',
+		'es' => '',
+		'fr' => '',
+		'nl' => '',
+		'lb' => '',
+		'sl' => '',
+		'hr' => '',
+		'hu' => '',
+		'pt' => '',
+		'pt-BR' => '',
+	),
+	'' => array (
+		'no' => '',
+		'nn' => '',
+		'da' => '',
+		'en' => '',
+		'de' => '',
+		'sv' => '',
+		'fi' => '',
+		'es' => '',
+		'fr' => '',
+		'nl' => '',
+		'lb' => '',
+		'sl' => '',
+		'hr' => '',
+		'hu' => '',
+		'pt' => '',
+		'pt-BR' => '',
 	),
 
 );
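Review bot: The two placeholder entries keyed `''` near the end of this hunk are duplicate keys in the same `$lang` literal, so PHP keeps only the last one and silently discards the first; neither carries any string, so both should be removed or given their real tag names before merging. The user-visible English string for `getcardform_finished_title` misspells `succesfully`; `'en' => 'Congratulations, your Infocard was successfully generated',`. The `$lang` array starts before this hunk.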
diff --git a/modules/InfoCard/docs/usage.txt b/modules/InfoCard/docs/usage.txt
index c90dbe409bc8ac65ec54a17370126202496d0682..5495a9b94f519ac4898aaa16943241b7f8b112ea 100644
--- a/modules/InfoCard/docs/usage.txt
+++ b/modules/InfoCard/docs/usage.txt
@@ -9,9 +9,10 @@ Information cards module for simpleSAMLphp
 
 	AUTHOR: Samuel Muñoz Hidalgo
 	EMAIL: samuel.mh@gmail.com
-	LAST REVISION: 22-DEC-08
+	LAST REVISION: 13-FEB-09
 	DESCRIPTION: What you should read before starting doing things.
 
+
 	
 Introduction
 -------------
@@ -25,7 +26,7 @@ RP
 : Acting as a Relying Party, you can accept user authentication through InfoCards comsumming tokens sent by aSTS.
 
 STS
-: Acting as a Secure Token Service you can provide information to a RP generating tokens. Currently, only user-password authentication is supported.
+: Acting as a Secure Token Service you can provide information to a RP generating tokens. Currently, only user password and self issued credentials are supported.
 
 InfoCard Generator
 : Your users could request their InfoCard filling a form with their username and password.
diff --git a/modules/InfoCard/extra/config-login-infocard.php b/modules/InfoCard/extra/config-login-infocard.php
deleted file mode 100644
index e94d757429effe42f5b0b8d87b8245539bc277db..0000000000000000000000000000000000000000
--- a/modules/InfoCard/extra/config-login-infocard.php
+++ /dev/null
@@ -1,174 +0,0 @@
-<?php
-
-/*
-* AUTHOR: Samuel Muñoz Hidalgo
-* EMAIL: samuel.mh@gmail.com
-* LAST REVISION: 22-DEC-08
-* DESCRIPTION: 'InfoCard' module configuration for simpleSAMLphp.
-
-
-Some definitions were taken from:
-A Guide to Using the Identity Selector
-Interoperability Profile V1.5 within Web
-Applications and Browsers.
-Copyright Microsoft
-
-*/
-
-
-$config = array (
-	
-//-------------  TEMPLATE OPTIONS ---------------
-	'IClogo' => 'resources/infocard_114x80.png',        //Infocard logo button
-	'help_desk_email_URL' => 'mailto:asd@asd.com',      //Help desk e-mail
-	'contact_info_URL' => 'http://google.es',           //Contact information
-	
-	
-	
-	
-//-------------  CERTIFICATE OPTIONS ---------------
-	
-	/*
-	* USED IN: Relying Party
-	* DESCRIPTION: Key of the certificate used in the https connection with the idp, it'll be used
-	*  for decrypting the received XML token,
-	*/
-	'idp_key' => '/etc/apache2/ssl/idp.key',
-	
-	
-	/*
-	* USED IN: Relying Party
-	* DESCRIPTION: Only accept tokens signed with this certificate,
-	*  if no certificate is set, it'll be assumed to accept
-	*  a self isued token and accept any token. 
-	*/
-	'sts_crt' => '/etc/apache2/ssl/sts.crt',
-	
-	
-	/*
-	* USED IN: Infocard Generator, STS
-	*	DESCRIPTION: STS certificate for signing Infocards and tokens.
-	*/
-	'sts_key' => '/etc/apache2/ssl/sts.key',
-	
-	
-	/*
-	* USED IN:
-	*	DESCRIPTION: Array of certificates forming a trust chain.  The local signing
-	* certificate is [0], the one that signed that is [1], etc, chaining to a
-	* trust anchor.
-	* HINT: The first one, [0], should be the same as the sts_crt. 
-	*/	
-	'certificates' => array(
-		0 => '/etc/apache2/ssl/sts.crt',
-		1 => '/etc/apache2/ssl/CA.crt'
-	),
-	
-	
-	
-//-------------  DATA (InfoCard) OPTIONS ---------------
-	
-	/*
-	* USED IN: InfoCard Generator, Relying Party and STS
-	*	DESCRIPTION: Infocard information
-	*/
-	'InfoCard' => array(
-		/*
-		*   -issuer (optional, taken from the sts_crt common name value, if no set, self issuer is assumed )
-		* This parameter specifies the URL of the STS from which to obtain a token. If omitted, no
-		* specific STS is requested. The special value
-		* “http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self” specifies that the
-		* token should come from a Self-issued Identity Provider
-		*/
-		/*
-		* Root of the current InfoCard schema
-		*/
-		'schema' => 'http://schemas.xmlsoap.org/ws/2005/05/identity',
-		/*
-		*   -issuerPolicy (optional)
-		* This parameter specifies the URL of an endpoint from which the STS’s WS-SecurityPolicy
-		* can be retrieved using WS-MetadataExchange. This endpoint must use HTTPS.
-		*/
-		'issuerPolicy' => '',
-		/*
-		*   -privacyUrl (optional)
-		* This parameter specifies the URL of the human-readable Privacy Policy of the site, if
-		* provided.
-		*/
-		'privacyURL' => '',
-		/*
-		*   -tokenType (optional)
-		* This parameter specifies the type of the token to be requested from the STS as a URI. Th
-		* parameter can be omitted if the STS and the Web site front-end have a mutual
-		* understanding about what token type will be provided or if the Web site is willing to accep
-		* any token type.
-		*/
-		'tokenType' => 'urn:oasis:names:tc:SAML:1.0:assertion',
-		
-		/*-Claims supported by the current schema
-			givenname
-			surname
-			emailaddress
-			streetaddress
-			locality
-			stateorprovince
-			postalcode
-			country
-			primaryphone
-			dateofbirth
-			privatepersonalid
-			gender
-			webpage
-		*/
-		
-		/*
-		*   -requiredClaims (optional)
-		* This parameter specifies the types of claims that must be supplied by the identity. If
-		* omitted, there are no required claims. The value of requiredClaims is a space-separate
-		* list of URIs, each specifying a required claim type.
-		*/
-		'requiredClaims' => array(
-			'privatepersonalidentifier' => array('displayTag'=>"Id",         'description'=>"id"),
-			'givenname' =>                 array('displayTag'=>"Given Name", 'description'=>"etc"),
-			'surname' =>                   array('displayTag'=>"Surname",    'description'=>"apellidos"),
-			'emailaddress' =>              array('displayTag'=>"e-mail",     'description'=>"E-mail address")
-		),
-		/*
-		*   -optionalClaims (optional)
-		* This parameter specifies the types of optional claims that may be supplied by the identity
-		* If omitted, there are no optional claims. The value of optionalClaims is a space-separat
-		* list of URIs, each specifying a claim type that can be optionally submitted
-		*/
-		'optionalClaims' => array(
-			'country' => array('displayTag'=>"country", 'description'=>"PaĂ­s"),
-			'webpage' => array('displayTag'=>"webpage", 'description'=>"Página web")
-		),
-	),
-
-
-
-
-//-------------  WEB PAGES ---------------
-	
-	/*
-	* USED IN: InfoCard Generator, Relying Party (optional form)
-	*	DESCRIPTION: Infocard generator URL, if set it'll  appear a form with username-password authentication in the template
-	*/
-//	'CardGenerator' => 'https://sts.aut.uah.es/simplesaml/module.php/InfoCard/getinfocard.php',
-
-
-	/*
-	* USED IN: InfoCard Generator, Relying Party (issuer), STS (Metadata-Exchange)
-	*	DESCRIPTION: Token generator URL
-	*/
-	'tokenserviceurl' => 'https://sts.aut.uah.es/simplesaml/module.php/InfoCard/tokenservice.php',
-	
-	
-	/*
-	* USED IN: InfoCard Generator
-	*	DESCRIPTION: Metadata Exchange URL
-	*/
-	'mexurl' => 'https://sts.aut.uah.es/simplesaml/module.php/InfoCard/mex.php',
-);
-
-?>
\ No newline at end of file
diff --git a/modules/InfoCard/extra/getinfocard.php b/modules/InfoCard/extra/getinfocard.php
deleted file mode 100644
index d1fac6a9ab3094e57a64eb8dfc47c0b3d658c6ae..0000000000000000000000000000000000000000
--- a/modules/InfoCard/extra/getinfocard.php
+++ /dev/null
@@ -1,198 +0,0 @@
-<?php
-
-
-/*
-* COAUTHOR: Samuel Muñoz Hidalgo
-* EMAIL: samuel.mh@gmail.com
-* LAST REVISION: 22-DEC-08
-* DESCRIPTION: InfoCard module Infocard generator
-*/
-
-//Generate a raw InfoCard with the given data and the configuration
-//NOTA: hay namespaces totalmente innecesarios desde un punto de vista práctico xml, están cubiertos por el nodo
-//  Signature, pero si no se ponen, la canonicalizaciĂłn de generaciĂłn de firma la de comprobaciĂłn son diferentes
-//	y no funciona.
-//EJ: xmlns="http://www.w3.org/2000/09/xmldsig#" en los nodos Object y SignedInfo
-
-function create_card($ICdata,$ICconfig) {
-		
-	$infocardbuf  = "<Object Id=\"IC01\" xmlns=\"http://www.w3.org/2000/09/xmldsig#\">";
-	$infocardbuf .= "<InformationCard xml:lang=\"en-us\"  xmlns=\"http://schemas.xmlsoap.org/ws/2005/05/identity\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:wst=\"http://schemas.xmlsoap.org/ws/2005/02/trust\" xmlns:wsx=\"http://schemas.xmlsoap.org/ws/2004/09/mex\">";
-
-	//cardId
-	$infocardbuf .= "<InformationCardReference>";	
-	$infocardbuf .= "<CardId>".$ICdata['CardId']."</CardId>"; //xs:anyURI cardId (="$cardurl/$ppid";  $ppid = "$uname-" . time();)
-	$infocardbuf .= "<CardVersion>1</CardVersion>";  //xs:unsignedInt
-	$infocardbuf .= "</InformationCardReference>";
-
-	//cardName
-	$infocardbuf .= "<CardName>".$ICdata['CardName']."</CardName>";
-
-	//image
-	$infocardbuf .= "<CardImage MimeType=\"".mime_content_type($ICdata['CardImage'])."\">";
-	$infocardbuf .= base64_encode(file_get_contents($ICdata['CardImage']));
-	$infocardbuf .= "</CardImage>";
-
-	//issuer - times
-	$infocardbuf .= "<Issuer>".$ICconfig['InfoCard']['issuer']."</Issuer>";
-	$infocardbuf .= "<TimeIssued>".gmdate('Y-m-d').'T'.gmdate('H:i:s').'Z'."</TimeIssued>";
-	$infocardbuf .= "<TimeExpires>".$ICdata['TimeExpires']."</TimeExpires>";
-
-	//Token Service List
-	$infocardbuf .= "<TokenServiceList>";	
-		$infocardbuf .= "<TokenService>";
-			$infocardbuf .= "<wsa:EndpointReference>";
-				$infocardbuf .= "<wsa:Address>".$ICconfig['tokenserviceurl']."</wsa:Address>";	
-				$infocardbuf .= "<wsa:Metadata>";
-					$infocardbuf .= "<wsx:Metadata>";
-						$infocardbuf .= "<wsx:MetadataSection>";
-							$infocardbuf .= "<wsx:MetadataReference>";
-								$infocardbuf .= "<wsa:Address>".$ICconfig['mexurl']."</wsa:Address>";
-							$infocardbuf .= "</wsx:MetadataReference>";
-						$infocardbuf .= "</wsx:MetadataSection>";
-					$infocardbuf .= "</wsx:Metadata>";
-				$infocardbuf .= "</wsa:Metadata>";
-			$infocardbuf .= "</wsa:EndpointReference>";
-
-
-
-			/*Types of User Credentials 
-			* UsernamePasswordCredential
-			* KerberosV5Credential
-			* X509V3Credential
-			* SelfIssuedCredential
-			*/
-			$infocardbuf .= "<UserCredential>";
-					$infocardbuf .= "<DisplayCredentialHint>".$ICdata['DisplayCredentialHint']."</DisplayCredentialHint>";
-			switch($ICdata['UserCredential']){
-				case "UsernamePasswordCredential":
-					$infocardbuf .= "<UsernamePasswordCredential>";
-						$infocardbuf .= "<Username>".$ICdata['UserName']."</Username>";
-					$infocardbuf .= "</UsernamePasswordCredential>";
-					break;
-				case "KerberosV5Credential":
-					$infocardbuf .= "<KerberosV5Credential/>";
-					break;
-				case "X509V3Credential":
-					$infocardbuf .= "<X509V3Credential>";
-						$infocardbuf .= "<ds:X509Data>";
-							$infocardbuf .= "<wsse:KeyIdentifier ValueType=\"http://docs.oasis-open.org/wss/2004/xx/oasis-2004xx-wss-soap-message-security-1.1#ThumbprintSHA1\" EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis200401-wss-soap-message-security-1.0#Base64Binary">
-							/*This element provides a key identifier for the X.509 certificate based on the SHA1 hash
-							of the entire certificate content expressed as a “thumbprint.” Note that the extensibility
-							point in the ds:X509Data element is used to add wsse:KeyIdentifier as a child
-							element.*/ 
-							$infocardbuf .= $ICdata['KeyIdentifier']; //xs:base64binary;
-							$infocardbuf .= "</wsse:KeyIdentifier>";
-						$infocardbuf .= "</ds:X509Data>";
-					$infocardbuf .= "</X509V3Credential>"; 
-					break;
-				default: //SelfIssuedCredential
-					$infocardbuf .= "<SelfIssuedCredential>";
-						$infocardbuf .= "<PrivatePersonalIdentifier>";
-							$infocardbuf .= $ICdata['PPID']; //xs:base64binary;
-							$infocardbuf .= "</PrivatePersonalIdentifier>";
-					$infocardbuf .= "</SelfIssuedCredential> ";
-					break;
-			}
-			$infocardbuf .= "</UserCredential>";
-
-		$infocardbuf .= "</TokenService>";
-	$infocardbuf .= "</TokenServiceList>";
-
-
-	//Tokentype
-	$infocardbuf .= "<SupportedTokenTypeList>";
-		$infocardbuf .= "<wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>";
-	$infocardbuf .= "</SupportedTokenTypeList>";
-    
-	//Claims
-	$infocardbuf .= "<SupportedClaimTypeList>";
-	$url = $ICconfig['InfoCard']['schema']."/claims/";
-	foreach ($ICconfig['InfoCard']['requiredClaims'] as $claim=>$data) {  
-		$infocardbuf .= "<SupportedClaimType Uri=\"".$url.$claim."\">";
-			$infocardbuf .= "<DisplayTag>".$data['displayTag']."</DisplayTag>";
- 			$infocardbuf .= "<Description>".$data['description']."</Description>";
-		$infocardbuf .= "</SupportedClaimType>";
-	}
-	foreach ($ICconfig['InfoCard']['optionalClaims'] as $claim=>$data) {  
-		$infocardbuf .= "<SupportedClaimType Uri=\"".$url.$claim."\">";
-			$infocardbuf .= "<DisplayTag>".$data['displayTag']."</DisplayTag>";
- 			$infocardbuf .= "<Description>".$data['description']."</Description>";
-		$infocardbuf .= "</SupportedClaimType>";
-	}	
-	$infocardbuf .= "</SupportedClaimTypeList>";
-
-	//Privacy URL
- 	$infocardbuf .= "<PrivacyNotice>".$ICconfig['InfoCard']['privacyURL']."</PrivacyNotice>";
-
-	$infocardbuf .= "</InformationCard>";
-	$infocardbuf .= "</Object>";
-	
-  $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($infocardbuf);
-	
-	//construct a SignedInfo block
-	$signedinfo  = "<SignedInfo  xmlns=\"http://www.w3.org/2000/09/xmldsig#\">";
-		$signedinfo .= "<CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>";
-		$signedinfo .= "<SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>";
-		$signedinfo .= "<Reference URI=\"#IC01\">";
-			$signedinfo .= "<Transforms>";
-				$signedinfo .= "<Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>";
-			$signedinfo .= "</Transforms>";
-			$signedinfo .= "<DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>";
-			$signedinfo .= "<DigestValue>".base64_encode(sha1($canonicalbuf, TRUE))."</DigestValue>";
-		$signedinfo .= "</Reference>";
-	$signedinfo .= "</SignedInfo>";
-
-  $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($signedinfo);
-
-	$signature = '';
-	$privkey = openssl_pkey_get_private(file_get_contents($ICconfig['sts_key']));
-	openssl_sign($canonicalbuf, &$signature, $privkey);
-	openssl_free_key($privkey);
-	$infocard_signature = base64_encode($signature);
-	
-	//Envelope
-	$buf = "<Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\">";
-		$buf .= $signedinfo;
-		$buf .= "<SignatureValue>".$infocard_signature."</SignatureValue>";
-		$buf .= "<KeyInfo>";
-			$buf .= "<X509Data>";
-		// signing certificate(s)
-		foreach ($ICconfig['certificates'] as $idx=>$cert)
-				$buf .= "<X509Certificate>".sspmod_InfoCard_Utils::takeCert($cert)."</X509Certificate>";
-			$buf .= "</X509Data>";
-		$buf .= "</KeyInfo>";
-		$buf .= $infocardbuf;
-	$buf .= "</Signature>";
-
-	return $buf;
-}
-
-
-
-$username = $_POST['username'];
-$password = $_POST['password'];
-
-if (sspmod_InfoCard_UserFunctions::validateUser($username,$password)){
-	
-	$config = SimpleSAML_Configuration::getInstance();
-	$autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php');
-	$ICconfig['InfoCard'] = $autoconfig->getValue('InfoCard');
-	$ICconfig['InfoCard']['issuer'] = $autoconfig->getValue('tokenserviceurl');//sspmod_InfoCard_Utils::getIssuer($sts_crt);
-	$ICconfig['tokenserviceurl'] = $autoconfig->getValue('tokenserviceurl');
-	$ICconfig['mexurl'] = $autoconfig->getValue('mexurl');
-	$ICconfig['sts_key'] = $autoconfig->getValue('sts_key');
-	$ICconfig['certificates'] = $autoconfig->getValue('certificates');
-	
-	$ICdata = sspmod_InfoCard_UserFunctions::fillICdata($username);	
-	
-	$IC = create_card($ICdata,$ICconfig);
-	header("Content-Disposition: attachment; filename=\"".$ICdata['CardName'].".crd\"");
-	header('Content-Type: application/x-informationcard');
-	header('Content-Length:'.strlen($IC));
-}else{
-	$IC = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\" lang=\"en\"><head><title>ERROR!</title></head><body><h1>Wrong credentials!</h1> Could not authenticate you</body></html>";
-}
-
-echo $IC;
-?>
diff --git a/modules/InfoCard/extra/mex.php b/modules/InfoCard/extra/mex.php
deleted file mode 100644
index ba7f3908cf9d4172ecdec5d0ec58741b4adfd4ea..0000000000000000000000000000000000000000
--- a/modules/InfoCard/extra/mex.php
+++ /dev/null
@@ -1,441 +0,0 @@
-<?php
-/*
- *   Copyright (C) 2007 Carillon Information Security Inc.
- *
- * WS-MetadataExchange responder for the Carillon STS.  Everything is
- * pretty much hard-coded -- the only things that get customized are the
- * tokenservice URL and the certificate.
- *
- */
- 
-/*
-* COAUTHOR: Samuel Muñoz Hidalgo
-* EMAIL: samuel.mh@gmail.com
-* LAST REVISION: 22-DEC-08
-* DESCRIPTION: InfoCard module metadata exchange
-*/
-
-
-$method = $_SERVER["REQUEST_METHOD"];
-if ($method == "POST")
-    $use_soap = true;
-else
-    $use_soap = false;
-
-if ($use_soap)
-    Header('Content-Type: application/soap+xml;charset=utf-8');
-else
-    Header('Content-Type: application/xml;charset=utf-8');
-
-$config = SimpleSAML_Configuration::getInstance();
-$autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php');
-$ICconfig['tokenserviceurl'] = $autoconfig->getValue('tokenserviceurl');
-$ICconfig['certificates'] = $autoconfig->getValue('certificates');
-
-
-// Grab the important parts of the token request.  That's pretty much just
-// the request ID.
-$request_id = '';
-if ($use_soap && strlen($HTTP_RAW_POST_DATA))
-{
-    $token = new DOMDocument();
-    $token->loadXML($HTTP_RAW_POST_DATA);
-    $doc = $token->documentElement;
-    $elements = $doc->getElementsByTagname('MessageID');
-    $request_id = $elements->item(0)->nodeValue;
-}
-
-$buf = '<?xml version="1.0"?>';
-
-if ($use_soap)
-{
-    $buf .= '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">';
-    $buf .= '<s:Header>';
-    $buf .= '<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2004/09/transfer/GetResponse</a:Action>';
-    if ($request_id)
-        $buf .= "<a:RelatesTo>$request_id</a:RelatesTo>";
-    $buf .= '</s:Header>';
-    $buf .= '<s:Body>';
-}
-$buf .= '<Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">';
-$buf .= '<wsx:MetadataSection xmlns="" Dialect="http://schemas.xmlsoap.org/wsdl/" Identifier="http://schemas.xmlsoap.org/ws/2005/02/trust">';
-$buf .= '<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:wsa10="http://www.w3.org/2005/08/addressing" targetNamespace="http://schemas.xmlsoap.org/ws/2005/02/trust">';
-$buf .= '<wsdl:types>';
-$buf .= '<xsd:schema targetNamespace="http://schemas.xmlsoap.org/ws/2005/02/trust/Imports">';
-$buf .= '<xsd:import namespace="http://schemas.microsoft.com/Message"/>';
-$buf .= '</xsd:schema>';
-$buf .= '</wsdl:types>';
-$buf .= '<wsdl:message name="IWSTrustContract_Cancel_InputMessage">';
-$buf .= '<wsdl:part xmlns:q1="http://schemas.microsoft.com/Message" name="request" type="q1:MessageBody"/>';
-$buf .= '</wsdl:message>';
-$buf .= '<wsdl:message name="IWSTrustContract_Cancel_OutputMessage">';
-$buf .= '<wsdl:part xmlns:q2="http://schemas.microsoft.com/Message" name="CancelResult" type="q2:MessageBody"/>';
-$buf .= '</wsdl:message>';
-$buf .= '<wsdl:message name="IWSTrustContract_Issue_InputMessage">';
-$buf .= '<wsdl:part xmlns:q3="http://schemas.microsoft.com/Message" name="request" type="q3:MessageBody"/>';
-$buf .= '</wsdl:message>';
-$buf .= '<wsdl:message name="IWSTrustContract_Issue_OutputMessage">';
-$buf .= '<wsdl:part xmlns:q4="http://schemas.microsoft.com/Message" name="IssueResult" type="q4:MessageBody"/>';
-$buf .= '</wsdl:message>';
-$buf .= '<wsdl:message name="IWSTrustContract_Renew_InputMessage">';
-$buf .= '<wsdl:part xmlns:q5="http://schemas.microsoft.com/Message" name="request" type="q5:MessageBody"/>';
-$buf .= '</wsdl:message>';
-$buf .= '<wsdl:message name="IWSTrustContract_Renew_OutputMessage">';
-$buf .= '<wsdl:part xmlns:q6="http://schemas.microsoft.com/Message" name="RenewResult" type="q6:MessageBody"/>';
-$buf .= '</wsdl:message>';
-$buf .= '<wsdl:message name="IWSTrustContract_Validate_InputMessage">';
-$buf .= '<wsdl:part xmlns:q7="http://schemas.microsoft.com/Message" name="request" type="q7:MessageBody"/>';
-$buf .= '</wsdl:message>';
-$buf .= '<wsdl:message name="IWSTrustContract_Validate_OutputMessage">';
-$buf .= '<wsdl:part xmlns:q8="http://schemas.microsoft.com/Message" name="ValidateResult" type="q8:MessageBody"/>';
-$buf .= '</wsdl:message>';
-$buf .= '<wsdl:portType name="IWSTrustContract">';
-$buf .= '<wsdl:operation name="Cancel">';
-$buf .= '<wsdl:input wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel" message="tns:IWSTrustContract_Cancel_InputMessage"/>';
-$buf .= '<wsdl:output wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Cancel" message="tns:IWSTrustContract_Cancel_OutputMessage"/>';
-$buf .= '</wsdl:operation>';
-$buf .= '<wsdl:operation name="Issue">';
-$buf .= '<wsdl:input wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" message="tns:IWSTrustContract_Issue_InputMessage"/>';
-$buf .= '<wsdl:output wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue" message="tns:IWSTrustContract_Issue_OutputMessage"/>';
-$buf .= '</wsdl:operation>';
-$buf .= '<wsdl:operation name="Renew">';
-$buf .= '<wsdl:input wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew" message="tns:IWSTrustContract_Renew_InputMessage"/>';
-$buf .= '<wsdl:output wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Renew" message="tns:IWSTrustContract_Renew_OutputMessage"/>';
-$buf .= '</wsdl:operation>';
-$buf .= '<wsdl:operation name="Validate">';
-$buf .= '<wsdl:input wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate" message="tns:IWSTrustContract_Validate_InputMessage"/>';
-$buf .= '<wsdl:output wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Validate" message="tns:IWSTrustContract_Validate_OutputMessage"/>';
-$buf .= '</wsdl:operation>';
-$buf .= '</wsdl:portType>';
-$buf .= '</wsdl:definitions>';
-$buf .= '</wsx:MetadataSection>';
-$buf .= '<wsx:MetadataSection xmlns="" Dialect="http://schemas.xmlsoap.org/wsdl/" Identifier="http://tempuri.org/">';
-$buf .= '<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://tempuri.org/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:i0="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:wsa10="http://www.w3.org/2005/08/addressing" name="STS" targetNamespace="http://tempuri.org/">';
-$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_policy">';
-$buf .= '<wsp:ExactlyOne>';
-$buf .= '<wsp:All>';
-$buf .= '<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<wsp:Policy>';
-$buf .= '<sp:TransportToken>';
-$buf .= '<wsp:Policy>';
-$buf .= '<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">';
-$buf .= '<wsp:Policy>';
-$buf .= '<sp:RequireThumbprintReference/>';
-$buf .= '<sp:WssX509V3Token10/>';
-$buf .= '</wsp:Policy>';
-$buf .= '</sp:X509Token>';
-$buf .= '</wsp:Policy>';
-$buf .= '</sp:TransportToken>';
-$buf .= '<sp:AlgorithmSuite>';
-$buf .= '<wsp:Policy>';
-$buf .= '<sp:Basic128/>';
-$buf .= '</wsp:Policy>';
-$buf .= '</sp:AlgorithmSuite>';
-$buf .= '<sp:Layout>';
-$buf .= '<wsp:Policy>';
-$buf .= '<sp:Strict/>';
-$buf .= '</wsp:Policy>';
-$buf .= '</sp:Layout>';
-if ($_GET['auth'] == 'x509')
-    $buf .= '<sp:IncludeTimestamp/>';
-$buf .= '</wsp:Policy>';
-$buf .= '</sp:TransportBinding>';
-
-// is this metadata for an infocard that wants an x509-authenticated 
-// token, or a username/password token?
-if ($_GET['auth'] == 'x509')
-{
-    $buf .= '<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-    $buf .= '<wsp:Policy>';
-    $buf .= '<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">';
-    $buf .= '<wsp:Policy>';
-    $buf .= '<sp:RequireThumbprintReference/>';
-    $buf .= '<sp:WssX509V3Token10/>';
-    $buf .= '</wsp:Policy>';
-    $buf .= '</sp:X509Token>';
-    $buf .= '</wsp:Policy>';
-    $buf .= '</sp:EndorsingSupportingTokens>';
-}
-else
-{
-    $buf .= '<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-    $buf .= '<wsp:Policy>';
-    $buf .= '<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">';
-    $buf .= '<wsp:Policy>';
-    $buf .= '<sp:WssUsernameToken10/>';
-    $buf .= '</wsp:Policy>';
-    $buf .= '</sp:UsernameToken>';
-    $buf .= '</wsp:Policy>';
-    $buf .= '</sp:SignedSupportingTokens>';
-}
-
-$buf .= '<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<wsp:Policy>';
-$buf .= '<sp:MustSupportRefKeyIdentifier/>';
-$buf .= '<sp:MustSupportRefIssuerSerial/>';
-$buf .= '<sp:MustSupportRefThumbprint/>';
-$buf .= '<sp:MustSupportRefEncryptedKey/>';
-$buf .= '</wsp:Policy>';
-$buf .= '</sp:Wss11>';
-$buf .= '<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<wsp:Policy>';
-$buf .= '<sp:MustSupportIssuedTokens/>';
-$buf .= '<sp:RequireServerEntropy/>';
-$buf .= '</wsp:Policy>';
-$buf .= '</sp:Trust10>';
-$buf .= '</wsp:All>';
-$buf .= '</wsp:ExactlyOne>';
-$buf .= '</wsp:Policy>';
-$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Cancel_Input_policy">';
-$buf .= '<wsp:ExactlyOne>';
-$buf .= '<wsp:All>';
-$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<sp:Body/>';
-$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '</sp:SignedParts>';
-$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<sp:Body/>';
-$buf .= '</sp:EncryptedParts>';
-$buf .= '</wsp:All>';
-$buf .= '</wsp:ExactlyOne>';
-$buf .= '</wsp:Policy>';
-$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Cancel_output_policy">';
-$buf .= '<wsp:ExactlyOne>';
-$buf .= '<wsp:All>';
-$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<sp:Body/>';
-$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '</sp:SignedParts>';
-$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<sp:Body/>';
-$buf .= '</sp:EncryptedParts>';
-$buf .= '</wsp:All>';
-$buf .= '</wsp:ExactlyOne>';
-$buf .= '</wsp:Policy>';
-$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Issue_policy">';
-$buf .= '<wsp:ExactlyOne>';
-$buf .= '<wsp:All>';
-$buf .= '<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<wsp:Policy>';
-$buf .= '<mssp:RsaToken xmlns:mssp="http://schemas.microsoft.com/ws/2005/07/securitypolicy" sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never" wsp:Optional="true"/>';
-$buf .= '</wsp:Policy>';
-$buf .= '</sp:EndorsingSupportingTokens>';
-$buf .= '</wsp:All>';
-$buf .= '</wsp:ExactlyOne>';
-$buf .= '</wsp:Policy>';
-$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Issue_Input_policy">';
-$buf .= '<wsp:ExactlyOne>';
-$buf .= '<wsp:All>';
-$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<sp:Body/>';
-$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '</sp:SignedParts>';
-$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<sp:Body/>';
-$buf .= '</sp:EncryptedParts>';
-$buf .= '</wsp:All>';
-$buf .= '</wsp:ExactlyOne>';
-$buf .= '</wsp:Policy>';
-$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Issue_output_policy">';
-$buf .= '<wsp:ExactlyOne>';
-$buf .= '<wsp:All>';
-$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<sp:Body/>';
-$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '</sp:SignedParts>';
-$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<sp:Body/>';
-$buf .= '</sp:EncryptedParts>';
-$buf .= '</wsp:All>';
-$buf .= '</wsp:ExactlyOne>';
-$buf .= '</wsp:Policy>';
-$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Renew_Input_policy">';
-$buf .= '<wsp:ExactlyOne>';
-$buf .= '<wsp:All>';
-$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<sp:Body/>';
-$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '</sp:SignedParts>';
-$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<sp:Body/>';
-$buf .= '</sp:EncryptedParts>';
-$buf .= '</wsp:All>';
-$buf .= '</wsp:ExactlyOne>';
-$buf .= '</wsp:Policy>';
-$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Renew_output_policy">';
-$buf .= '<wsp:ExactlyOne>';
-$buf .= '<wsp:All>';
-$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<sp:Body/>';
-$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '</sp:SignedParts>';
-$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<sp:Body/>';
-$buf .= '</sp:EncryptedParts>';
-$buf .= '</wsp:All>';
-$buf .= '</wsp:ExactlyOne>';
-$buf .= '</wsp:Policy>';
-$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Validate_Input_policy">';
-$buf .= '<wsp:ExactlyOne>';
-$buf .= '<wsp:All>';
-$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<sp:Body/>';
-$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '</sp:SignedParts>';
-$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<sp:Body/>';
-$buf .= '</sp:EncryptedParts>';
-$buf .= '</wsp:All>';
-$buf .= '</wsp:ExactlyOne>';
-$buf .= '</wsp:Policy>';
-$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Validate_output_policy">';
-$buf .= '<wsp:ExactlyOne>';
-$buf .= '<wsp:All>';
-$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<sp:Body/>';
-$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>';
-$buf .= '</sp:SignedParts>';
-$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
-$buf .= '<sp:Body/>';
-$buf .= '</sp:EncryptedParts>';
-$buf .= '</wsp:All>';
-$buf .= '</wsp:ExactlyOne>';
-$buf .= '</wsp:Policy>';
-$buf .= '<wsdl:import namespace="http://schemas.xmlsoap.org/ws/2005/02/trust" location=""/>';
-$buf .= '<wsdl:types/>';
-$buf .= '<wsdl:binding name="CustomBinding_IWSTrustContract" type="i0:IWSTrustContract">';
-$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_policy"/>';
-$buf .= '<soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>';
-$buf .= '<wsdl:operation name="Cancel">';
-$buf .= '<soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel" style="document"/>';
-$buf .= '<wsdl:input>';
-$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Cancel_Input_policy"/>';
-$buf .= '<soap12:body use="literal"/>';
-$buf .= '</wsdl:input>';
-$buf .= '<wsdl:output>';
-$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Cancel_output_policy"/>';
-$buf .= '<soap12:body use="literal"/>';
-$buf .= '</wsdl:output>';
-$buf .= '</wsdl:operation>';
-$buf .= '<wsdl:operation name="Issue">';
-$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Issue_policy"/>';
-$buf .= '<soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" style="document"/>';
-$buf .= '<wsdl:input>';
-$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Issue_Input_policy"/>';
-$buf .= '<soap12:body use="literal"/>';
-$buf .= '</wsdl:input>';
-$buf .= '<wsdl:output>';
-$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Issue_output_policy"/>';
-$buf .= '<soap12:body use="literal"/>';
-$buf .= '</wsdl:output>';
-$buf .= '</wsdl:operation>';
-$buf .= '<wsdl:operation name="Renew">';
-$buf .= '<soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew" style="document"/>';
-$buf .= '<wsdl:input>';
-$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Renew_Input_policy"/>';
-$buf .= '<soap12:body use="literal"/>';
-$buf .= '</wsdl:input>';
-$buf .= '<wsdl:output>';
-$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Renew_output_policy"/>';
-$buf .= '<soap12:body use="literal"/>';
-$buf .= '</wsdl:output>';
-$buf .= '</wsdl:operation>';
-$buf .= '<wsdl:operation name="Validate">';
-$buf .= '<soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate" style="document"/>';
-$buf .= '<wsdl:input>';
-$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Validate_Input_policy"/>';
-$buf .= '<soap12:body use="literal"/>';
-$buf .= '</wsdl:input>';
-$buf .= '<wsdl:output>';
-$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Validate_output_policy"/>';
-$buf .= '<soap12:body use="literal"/>';
-$buf .= '</wsdl:output>';
-$buf .= '</wsdl:operation>';
-$buf .= '</wsdl:binding>';
-$buf .= '<wsdl:service name="STS">';
-$buf .= '<wsdl:port name="CustomBinding_IWSTrustContract" binding="tns:CustomBinding_IWSTrustContract">';
-$buf .= "<soap12:address location=\"".$ICconfig['tokenserviceurl']."\"/>";
-$buf .= '<wsa10:EndpointReference>';
-$buf .= "<wsa10:Address>".$ICconfig['tokenserviceurl']."</wsa10:Address>";
-$buf .= '<Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">';
-$buf .= '<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">';
-$buf .= '<X509Data>';
-$buf .= '<X509Certificate>'.sspmod_InfoCard_Utils::takeCert($ICconfig['certificates'][0]).'</X509Certificate>';
-$buf .= '</X509Data>';
-$buf .= '</KeyInfo>';
-$buf .= '</Identity>';
-$buf .= '</wsa10:EndpointReference>';
-$buf .= '</wsdl:port>';
-$buf .= '</wsdl:service>';
-$buf .= '</wsdl:definitions>';
-$buf .= '</wsx:MetadataSection>';
-$buf .= '<wsx:MetadataSection xmlns="" Dialect="http://www.w3.org/2001/XMLSchema" Identifier="http://schemas.microsoft.com/Message">';
-$buf .= '<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://schemas.microsoft.com/Message" elementFormDefault="qualified" targetNamespace="http://schemas.microsoft.com/Message">';
-$buf .= '<xs:complexType name="MessageBody">';
-$buf .= '<xs:sequence>';
-$buf .= '<xs:any minOccurs="0" maxOccurs="unbounded" namespace="##any"/>';
-$buf .= '</xs:sequence>';
-$buf .= '</xs:complexType>';
-$buf .= '</xs:schema>';
-$buf .= '</wsx:MetadataSection>';
-$buf .= '</Metadata>';
-
-if ($use_soap)
-{
-    $buf .= '</s:Body>';
-    $buf .= '</s:Envelope>';
-}
-
-
-
-print($buf);
-
-?>
diff --git a/modules/InfoCard/extra/tokenservice.php b/modules/InfoCard/extra/tokenservice.php
deleted file mode 100644
index 7b6267c974383730c1f7ae541948ccb9d2d9ab41..0000000000000000000000000000000000000000
--- a/modules/InfoCard/extra/tokenservice.php
+++ /dev/null
@@ -1,296 +0,0 @@
-<?php
-/*
- *   Copyright (C) 2007 Carillon Information Security Inc.
- *
- * Token responder for the Carillon STS.  Accepts a SOAP token request from
- * a relying party (or an infocard client, more likely) and produces a
- * token with the proper attributes, as stored in the database of issued
- * infocards.
- *
- */
-
-/*
-* COAUTHOR: Samuel Muñoz Hidalgo
-* EMAIL: samuel.mh@gmail.com
-* LAST REVISION: 22-DEC-08
-* DESCRIPTION: InfoCard module token generator
-*/
-
-
-
-// Windows CardSpace doesn't support using the infocard's certificate as
-// the SSL cert for transport binding... so we make it sign a timestamp in
-// the token request, and validate the signature on that.
-function validate_embedded_cert()
-{
-    global $doc, $row;
-    global $db_usertable;
-    global $uidnum, $uname, $fullname;
-    global $HTTP_RAW_POST_DATA;
-
-    // FIXME: Add error checking to this!
-
-    // get the signed part (the timestamp) in a horribly cheating way for
-    // now
-    // first grab the namespace for u
-    $begin = 'xmlns:u="';
-    $end = 'xsd"';
-    $xmlnsu = $HTTP_RAW_POST_DATA;
-    $xmlnsu = substr($xmlnsu, strpos($xmlnsu, $begin));
-    $xmlnsu = substr($xmlnsu, 0, strpos($xmlnsu, $end)+strlen($end));
-    $begin = '<u:Timestamp ';
-    $end = '</u:Timestamp>';
-    $tmp = $HTTP_RAW_POST_DATA;
-    $tmp = substr($tmp, strpos($tmp, $begin));
-    $tmp = substr($tmp, 0, strpos($tmp, $end)+strlen($end));
-    $tmp1 = substr($tmp, 0, strpos($tmp, ' '));
-    $tmp2 = substr($tmp, strpos($tmp, ' ')+1);
-    $timestamp = $tmp1." $xmlnsu ".$tmp2;
-
-    // canonicalize the timestamp and digest it
-    $canonical_timestamp = sspmod_InfoCard_Utils::canonicalize($timestamp);
-    $myhash = sha1($canonical_timestamp,TRUE);
-    $mydigest = base64_encode($myhash);
-
-    // grab the digest from the request
-    $elements = $doc->getElementsByTagname('DigestValue');
-    $request_digest = $elements->item(0)->nodeValue;
-
-    // if the digests don't match, we fail
-    if ($mydigest != $request_digest)
-        return false;
-
-    // get the SignedInfo in a horribly cheating way for now
-    $begin = '<SignedInfo';
-    $end = '</SignedInfo>';
-    $sinfo = $HTTP_RAW_POST_DATA;
-    $sinfo = substr($sinfo, strpos($sinfo, $begin));
-    $sinfo = substr($sinfo, 0, strpos($sinfo, $end)+strlen($end));
-
-    // grab the signing certificate and PEM-encode it to satisfy openssl
-    $elements = $doc->getElementsByTagname('BinarySecurityToken');
-    $cert = $elements->item(0)->nodeValue;
-    $certpem = "-----BEGIN CERTIFICATE-----\n";
-    $offset = 0;
-    while ($segment=substr($cert, $offset, 64))
-    {
-        $certpem .= $segment."\n";
-        $offset += 64;
-    }
-    $certpem .= "-----END CERTIFICATE-----\n";
-
-    $pubkey = openssl_pkey_get_public($certpem);
-
-    // canonicalize the signed info
-    $canonical_sinfo = sspmod_InfoCard_Utils::canonicalize($sinfo);
-
-    // grab the signature from the request
-    $elements = $doc->getElementsByTagname('SignatureValue');
-    $request_sig = $elements->item(0)->nodeValue;
-
-    $request_sig = base64_decode($request_sig);
-
-    // try to verify the signature... if we can't, we fail.
-    if (openssl_verify($canonical_sinfo, $request_sig, $pubkey) == false)
-        return false;
-
-    // so, the signature is OK.  Was it the right cert?  Check its
-    // thumbprint against the cert we recorded in the infocard...
-    $thumb = sspmod_InfoCard_Utils::thumbcert($cert);
-    if ($row['x509thumb'] != $thumb)
-        return false;
-
-    // at this point we've succeeded, but we need to populate some fields
-    // based on the usertable to create a card...
-    $arr = openssl_x509_parse($certpem);
-    $who = $arr['subject']['CN'];
-    $query = "SELECT * FROM $db_usertable WHERE full_name='$who'";
-    $userrow = pg_fetch_assoc(do_query($query));
-    if ($userrow['status'] == "1")
-    {
-        $uidnum = $userrow['id'];
-        $uname = $userrow['userid'];
-        $fullname = $userrow['full_name'];
-        return true;
-    }
-    return false;
-}
-
-
-
-/*
-* claimValues ( 'claim'('value','displayTag'), 'claim'('value','displayTag'), ... )
-*/
-function create_token($claimValues,$config){
-    // build a SAML assertion
-    $now = gmdate('Y-m-d').'T'.gmdate('H:i:s').'Z';
-    $later = gmdate('Y-m-d', time()+3600).'T'.gmdate('H:i:s', time()+3600).'Z';
-    $assertionid = uniqid('uuid-');
-
-    $saml = "<saml:Assertion MajorVersion=\"1\" MinorVersion=\"0\" AssertionID=\"$assertionid\" Issuer=\"".$config['issuer']."\" IssueInstant=\"$now\" xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\">";
-    $saml .= "<saml:Conditions NotBefore=\"$now\" NotOnOrAfter=\"$later\" />";
-
-    $saml .= "<saml:AttributeStatement>";
-    $saml .= "<saml:Subject>";
-    $saml .= "<saml:SubjectConfirmation>";
-    $saml .= "<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>";
-    
-    // proof key
-    $saml .= "<dsig:KeyInfo xmlns:dsig=\"http://www.w3.org/2000/09/xmldsig#\">";
-    $saml .= "<dsig:X509Data>";
-    $saml .= "<dsig:X509Certificate>".sspmod_InfoCard_Utils::takeCert($config['sts_crt'])."</dsig:X509Certificate>";
-    $saml .= "</dsig:X509Data>";
-    $saml .= "</dsig:KeyInfo>";
-
-    $saml .= "</saml:SubjectConfirmation>";
-    $saml .= "</saml:Subject>";
-
-		
-		foreach ($claimValues as $claim=>$data) {  
-        $saml .= "<saml:Attribute AttributeName=\"$claim\" AttributeNamespace=\"".$config['InfoCard']['schema']."/claims\">";
-        $saml .= "<saml:AttributeValue>".$data['value']."</saml:AttributeValue>";
-        $saml .= "</saml:Attribute>";
-    }
-
-    $saml .= "</saml:AttributeStatement>";
-
-
-    // calculate the digest for the signature...
-    $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($saml."</saml:Assertion>");
-    $myhash = sha1($canonicalbuf,TRUE);
-    $samldigest = base64_encode($myhash);
-
-
-    // construct a SignedInfo block
-    $signedinfo = "<dsig:SignedInfo xmlns:dsig=\"http://www.w3.org/2000/09/xmldsig#\">";
-    $signedinfo .= "<dsig:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\" />";
-    $signedinfo .= "<dsig:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\" />";
-    $signedinfo .= "<dsig:Reference URI=\"#$assertionid\">";
-    $signedinfo .= "<dsig:Transforms>";
-    $signedinfo .= "<dsig:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\" />";
-    $signedinfo .= "<dsig:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\" />";
-    $signedinfo .= "</dsig:Transforms>";
-    $signedinfo .= "<dsig:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\" />";
-    $signedinfo .= "<dsig:DigestValue>$samldigest</dsig:DigestValue>";
-    $signedinfo .= "</dsig:Reference>";
-    $signedinfo .= "</dsig:SignedInfo>";
-
-    // compute the signature of hte canonicalized digest
-    $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($signedinfo);
-		$privkey = openssl_pkey_get_private(file_get_contents($config['sts_key']));
-    $signature = '';
-    openssl_sign($canonicalbuf, &$signature, $privkey);
-    openssl_free_key($privkey);
-    $samlsignature = base64_encode($signature);
-
-	
-    // now put it all together
-    $saml .= "<dsig:Signature xmlns:dsig=\"http://www.w3.org/2000/09/xmldsig#\">";
-    $saml .= $signedinfo;
-    $saml .= "<dsig:SignatureValue>$samlsignature</dsig:SignatureValue>";
-
-    $saml .= "<dsig:KeyInfo>";
-   	$saml .= "<dsig:X509Data>";
-  	$saml .= "<dsig:X509Certificate>".sspmod_InfoCard_Utils::takeCert($config['sts_crt'])."</dsig:X509Certificate>";
-   	$saml .= "</dsig:X509Data>";
-    $saml .= "</dsig:KeyInfo>";
-    $saml .= "</dsig:Signature>";
-
-    $saml .= "</saml:Assertion>";
-
-
-    // cram the SAML assertion in a SOAP envelope
-    $buf = '<?xml version="1.0"?>';
-    $buf .= "<soap:Envelope xmlns:ic=\"http://schemas.xmlsoap.org/ws/2005/05/identity\" xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wst=\"http://schemas.xmlsoap.org/ws/2005/02/trust\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">";
-    if ($include_timestamp) {
-        $buf .= "<soap:Header>";
-        $buf .= "<wsse:Security>";
-        $buf .= "<wsu:Timestamp>";
-        $buf .= "<wsu:Created>$now</wsu:Created>";
-        $buf .= "<wsu:Expires>$later</wsu:Expires>";
-        $buf .= "</wsu:Timestamp>";
-        $buf .= "</wsse:Security>";
-        $buf .= "</soap:Header>";
-    } else
-        $buf .= "<soap:Header />";
-
-    $buf .= "<soap:Body>";
-    $buf .= "<wst:RequestSecurityTokenResponse Context=\"ProcessRequestSecurityToken\">";
-    $buf .= "<wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>";
-    $buf .= "<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>";
-    $buf .= "<wst:RequestedSecurityToken>";
-
-    $buf .= $saml;
-
-    $buf .= "</wst:RequestedSecurityToken>";
-
-    // references
-    $buf .= "<wst:RequestedAttachedReference>";
-    $buf .= "<wsse:SecurityTokenReference>";
-    $buf .= "<wsse:KeyIdentifier ValueType=\"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID\">$assertionid</wsse:KeyIdentifier>";
-    $buf .= "</wsse:SecurityTokenReference>";
-    $buf .= "</wst:RequestedAttachedReference>";
-    $buf .= "<wst:RequestedUnattachedReference>";
-    $buf .= "<wsse:SecurityTokenReference>";
-    $buf .= "<wsse:KeyIdentifier ValueType=\"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID\">$assertionid</wsse:KeyIdentifier>";
-    $buf .= "</wsse:SecurityTokenReference>";
-    $buf .= "</wst:RequestedUnattachedReference>";
-
-    // display token
-    $buf .= "<ic:RequestedDisplayToken>";
-    $buf .= "<ic:DisplayToken xml:lang=\"en\">";
-    
-    foreach ($claimValues as $claim=>$data) { 
-        $buf .= "<ic:DisplayClaim Uri=\"".$config['InfoCard']['schema']."/claims/".$claim."\">";
-        $buf .= "<ic:DisplayTag>".$data['displayTag']."</ic:DisplayTag>";
-        $buf .= "<ic:DisplayValue>".$data['value']."</ic:DisplayValue>";
-        $buf .= "</ic:DisplayClaim>";
-    }
-
-    $buf .= "</ic:DisplayToken>";
-    $buf .= "</ic:RequestedDisplayToken>";
-
-    // the end
-    $buf .= "</wst:RequestSecurityTokenResponse>";
-    $buf .= "</soap:Body>";
-    $buf .= "</soap:Envelope>";
-
-    return $buf;
-}
-
-
-
-
-// grab the important parts of the token request.  these are the username,
-// password, and cardid.
-
-Header('Content-Type: application/soap+xml;charset=utf-8');
-
-
-$token = new DOMDocument();
-$token->loadXML($HTTP_RAW_POST_DATA);
-$doc = $token->documentElement;
-$username = $doc->getElementsByTagname('Username')->item(0)->nodeValue;
-$password = $doc->getElementsByTagname('Password')->item(0)->nodeValue;
-$cardId  =  $doc->getElementsByTagname('CardId')->item(0)->nodeValue;
-
-
-if (sspmod_InfoCard_UserFunctions::validateUser($username,$password)){
-	$config = SimpleSAML_Configuration::getInstance();
-	$autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php');
-	$ICconfig['InfoCard'] = $autoconfig->getValue('InfoCard');
-	$ICconfig['issuer'] = $autoconfig->getValue('issuer');
-	$ICconfig['sts_crt'] = $autoconfig->getValue('sts_crt');
-	$ICconfig['sts_key'] = $autoconfig->getValue('sts_key');
-	
-	$requiredClaims = sspmod_InfoCard_Utils::extractClaims($ICconfig['InfoCard']['schema'], $doc->getElementsByTagname('ClaimType'));
-	$claimValues = sspmod_InfoCard_UserFunctions::fillClaims($username, $ICconfig['InfoCard']['requiredClaims'], $ICconfig['InfoCard']['optionalClaims'],$requiredClaims);
-	$buf = create_token($claimValues,$ICconfig);
-	Header('Content-length: '.strlen($buf)+1);
-	print($buf);
-}else{
-	$bad = true;
-	print("");
-}
-
-?>
\ No newline at end of file
diff --git a/modules/InfoCard/lib/STS.php b/modules/InfoCard/lib/STS.php
new file mode 100644
index 0000000000000000000000000000000000000000..9d8d137a7fd0c908e884ee93de82a0277817829f
--- /dev/null
+++ b/modules/InfoCard/lib/STS.php
@@ -0,0 +1,384 @@
+<?php
+/*
+* COAUTHOR: Samuel Muñoz Hidalgo
+* EMAIL: samuel.mh@gmail.com
+* LAST REVISION: 13-FEB-09
+* DESCRIPTION: Things the STS can do
+*		- InfoCard issue
+*		- Error response (if the user send us wrong credentials)
+*		- Request Security Token Response
+*/
+
+class sspmod_InfoCard_STS {
+
+
+/*
+* USED IN: www/getcardform.php
+* INPUT: data and configuration
+* OUTPUT; a custom error message for the identity selector
+*/
+	static public function createCard($ICdata,$ICconfig) {
+		
+		$infocardbuf  = '<Object Id="IC01" xmlns="http://www.w3.org/2000/09/xmldsig#">';
+		$infocardbuf .= '<InformationCard xml:lang="en-us"  xmlns="http://schemas.xmlsoap.org/ws/2005/05/identity" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">';
+	
+		//cardId
+		$infocardbuf .= '<InformationCardReference>';	
+			$infocardbuf .= '<CardId>'.$ICdata['CardId'].'</CardId>'; //xs:anyURI cardId (="$cardurl/$ppid";  $ppid = "$uname-" . time();)
+			$infocardbuf .= '<CardVersion>1</CardVersion>';  //xs:unsignedInt
+		$infocardbuf .= '</InformationCardReference>';
+	
+		//cardName
+		$infocardbuf .= '<CardName>'.$ICdata['CardName'].'</CardName>';
+	
+		//image
+		$infocardbuf .= '<CardImage MimeType="'.mime_content_type($ICdata['CardImage']).'">';
+			$infocardbuf .= base64_encode(file_get_contents($ICdata['CardImage']));
+		$infocardbuf .= '</CardImage>';
+	
+		//issuer - times
+		$infocardbuf .= '<Issuer>'.$ICconfig['InfoCard']['issuer'].'</Issuer>';
+		$infocardbuf .= '<TimeIssued>'.gmdate('Y-m-d').'T'.gmdate('H:i:s').'Z'.'</TimeIssued>';
+		$infocardbuf .= '<TimeExpires>'.$ICdata['TimeExpires'].'</TimeExpires>';
+	
+		//Token Service List
+		$infocardbuf .= '<TokenServiceList>';	
+			$infocardbuf .= '<TokenService>';
+				$infocardbuf .= '<wsa:EndpointReference>';
+					$infocardbuf .= '<wsa:Address>'.$ICconfig['tokenserviceurl'].'</wsa:Address>';	
+					$infocardbuf .= '<wsa:Metadata>';
+						$infocardbuf .= '<wsx:Metadata>';
+							$infocardbuf .= '<wsx:MetadataSection>';
+								$infocardbuf .= '<wsx:MetadataReference>';
+									$infocardbuf .= '<wsa:Address>'.$ICconfig['mexurl'].'</wsa:Address>';
+								$infocardbuf .= '</wsx:MetadataReference>';
+							$infocardbuf .= '</wsx:MetadataSection>';
+						$infocardbuf .= '</wsx:Metadata>';
+					$infocardbuf .= '</wsa:Metadata>';
+				$infocardbuf .= '</wsa:EndpointReference>';
+	
+	
+	
+				/*Types of User Credentials 
+				*  Supported: UsernamePasswordCredential, SelfIssuedCredential
+				*  Unsupported: KerberosV5Credential, X509V3Credential
+				*/
+				$infocardbuf .= '<UserCredential>';
+						$infocardbuf .= '<DisplayCredentialHint>'.$ICdata['DisplayCredentialHint'].'</DisplayCredentialHint>';
+				switch($ICconfig['UserCredential']){
+					case 'UsernamePasswordCredential':
+						$infocardbuf .= '<UsernamePasswordCredential>';
+							$infocardbuf .= '<Username>'.$ICdata['UserName'].'</Username>';
+						$infocardbuf .= '</UsernamePasswordCredential>';
+						break;
+					case 'KerberosV5Credential':
+						$infocardbuf .= '<KerberosV5Credential/>';
+						break;
+					case 'X509V3Credential':
+						$infocardbuf .= '<X509V3Credential>';
+							$infocardbuf .= '<ds:X509Data>';
+								$infocardbuf .= '<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/xx/oasis-2004xx-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis200401-wss-soap-message-security-1.0#Base64Binary">';
+								/*This element provides a key identifier for the X.509 certificate based on the SHA1 hash
+								of the entire certificate content expressed as a “thumbprint.” Note that the extensibility
+								point in the ds:X509Data element is used to add wsse:KeyIdentifier as a child
+								element.*/ 
+								$infocardbuf .= $ICdata['KeyIdentifier']; //xs:base64binary;
+								$infocardbuf .= '</wsse:KeyIdentifier>';
+							$infocardbuf .= '</ds:X509Data>';
+						$infocardbuf .= '</X509V3Credential>';
+						break;
+					case 'SelfIssuedCredential':
+						$infocardbuf .= '<SelfIssuedCredential>';
+							$infocardbuf .= '<PrivatePersonalIdentifier>';
+								$infocardbuf .= $ICdata['PPID']; //xs:base64binary;
+								$infocardbuf .= '</PrivatePersonalIdentifier>';
+						$infocardbuf .= '</SelfIssuedCredential> ';
+						break;
+					default:
+						break;
+				}
+				$infocardbuf .= '</UserCredential>';
+	
+			$infocardbuf .= '</TokenService>';
+		$infocardbuf .= '</TokenServiceList>';
+	
+	
+		//Tokentype
+		$infocardbuf .= '<SupportedTokenTypeList>';
+			$infocardbuf .= '<wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>';
+		$infocardbuf .= '</SupportedTokenTypeList>';
+			
+		//Claims
+		$infocardbuf .= '<SupportedClaimTypeList>';
+		$url = $ICconfig['InfoCard']['schema'].'/claims/';
+		foreach ($ICconfig['InfoCard']['requiredClaims'] as $claim=>$data) {  
+			$infocardbuf .= '<SupportedClaimType Uri="'.$url.$claim.'">';
+				$infocardbuf .= '<DisplayTag>'.$data['displayTag'].'</DisplayTag>';
+				$infocardbuf .= '<Description>'.$data['description'].'</Description>';
+			$infocardbuf .= '</SupportedClaimType>';
+		}
+		foreach ($ICconfig['InfoCard']['optionalClaims'] as $claim=>$data) {  
+			$infocardbuf .= '<SupportedClaimType Uri="'.$url.$claim.'">';
+				$infocardbuf .= '<DisplayTag>'.$data['displayTag'].'</DisplayTag>';
+				$infocardbuf .= '<Description>'.$data['description'].'</Description>';
+			$infocardbuf .= '</SupportedClaimType>';
+		}	
+		$infocardbuf .= '</SupportedClaimTypeList>';
+	
+		//Privacy URL
+		$infocardbuf .= '<PrivacyNotice>'.$ICconfig['InfoCard']['privacyURL'].'</PrivacyNotice>';
+	
+		$infocardbuf .= '</InformationCard>';
+		$infocardbuf .= '</Object>';
+				
+		
+		$canonicalbuf = sspmod_InfoCard_Utils::canonicalize($infocardbuf);
+		
+		//construct a SignedInfo block
+		$signedinfo  = '<SignedInfo  xmlns="http://www.w3.org/2000/09/xmldsig#">';
+			$signedinfo .= '<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>';
+			$signedinfo .= '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>';
+			$signedinfo .= '<Reference URI="#IC01">';
+				$signedinfo .= '<Transforms>';
+					$signedinfo .= '<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>';
+				$signedinfo .= '</Transforms>';
+				$signedinfo .= '<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>';
+				$signedinfo .= '<DigestValue>'.base64_encode(sha1($canonicalbuf, TRUE)).'</DigestValue>';
+			$signedinfo .= '</Reference>';
+		$signedinfo .= '</SignedInfo>';
+	
+		$canonicalbuf = sspmod_InfoCard_Utils::canonicalize($signedinfo);
+	
+		$signature = '';
+		$privkey = openssl_pkey_get_private(file_get_contents($ICconfig['sts_key']));
+		openssl_sign($canonicalbuf, &$signature, $privkey);
+		openssl_free_key($privkey);
+		$infocard_signature = base64_encode($signature);
+		
+		//Envelope
+		$buf = '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">';
+			$buf .= $signedinfo;
+			$buf .= '<SignatureValue>'.$infocard_signature.'</SignatureValue>';
+			$buf .= '<KeyInfo>';
+				$buf .= '<X509Data>';
+			// signing certificate(s)
+			foreach ($ICconfig['certificates'] as $idx=>$cert)
+					$buf .= '<X509Certificate>'.sspmod_InfoCard_Utils::takeCert($cert).'</X509Certificate>';
+				$buf .= '</X509Data>';
+			$buf .= '</KeyInfo>';
+			$buf .= $infocardbuf;
+		$buf .= '</Signature>';
+	
+		return $buf;
+	}
+
+
+
+
+/*
+* USED IN: www/tokenservice.php
+* INPUT: error message, uuid of the RST
+* OUTPUT; a custom error message for the identity selector
+*/
+	static public function errorMessage($msg,$relatesto){
+		$buf = '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">';
+			$buf .= '<s:Header>';
+				$buf .= '<a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>';
+				$buf .= '<a:RelatesTo>'.$relatesto.'</a:RelatesTo>';
+			$buf .= '</s:Header>';
+			$buf .= '<s:Body>';
+				$buf .= '<s:Fault>';
+					$buf .= '<s:Code>';
+						$buf .= '<s:Value xmlns:a="http://www.w3.org/2003/05/soap-envelope">';
+							$buf .= 'a:Sender';
+						$buf .= '</s:Value>';
+						$buf .= '<s:Subcode>';
+							$buf .= '<s:Value xmlns:a="http://schemas.xmlsoap.org/ws/2005/05/identity">';
+								$buf .= 'a:MissingAppliesTo';
+						$buf .= '</s:Value>';
+						$buf .= '</s:Subcode>';
+					$buf .= '</s:Code>';
+					$buf .= '<s:Reason>';
+						$buf .= '<s:Text xml:lang="en">';
+							$buf .= $msg;
+						$buf .= '</s:Text>';
+					$buf .= '</s:Reason>';
+				$buf .= '</s:Fault>';
+			$buf .= '</s:Body>';
+		$buf .= '</s:Envelope>';
+		return $buf;
+	}
+
+
+
+/*
+* USED IN: www/tokenservice.php
+* INPUT: claims value, configuration, uuid of the RST
+* OUTPUT; a security token for the identity selector
+*/
+	static public function createToken($claimValues,$config,$relatesto){
+		$assertionid = uniqid('uuid-');
+		$created = gmdate('Y-m-d').'T'.gmdate('H:i:s').'Z';
+		$expires = gmdate('Y-m-d', time()+3600).'T'.gmdate('H:i:s', time()+3600).'Z';
+		
+
+		//SOAP ENVELOPE
+		$env = '<?xml version="1.0"?>';
+		$env .= '<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing"  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:xenc="http://www.w3.org/2001/04/xmlenc" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">';
+	
+			$env .= '<S:Header>';
+				$env .= '<wsa:Action wsu:Id="_1">';
+					$env .= 'http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue';
+				$env .= '</wsa:Action>';
+				$env .= '<wsa:RelatesTo wsu:Id="_2">';
+					$env .= $relatesto;
+				$env .= '</wsa:RelatesTo>';
+				$env .= '<wsa:To wsu:id="_3">';
+					$env .= 'http://www.w3.org/2005/08/addressing/anonymous';
+				$env .= '</wsa:To>';
+				$env .= '<wsse:Security S:mustUnderstand="1">';
+					$env .= '<wsu:Timestamp wsu:Id="_6">';
+						$env .= '<wsu:Created>'.$created.'</wsu:Created>';
+						$env .= '<wsu:Expires>'.$expires.'</wsu:Expires>';
+					$env .= '</wsu:Timestamp>';
+				$env .= '</wsse:Security>';
+			$env .= '</S:Header>';
+			
+			
+			$env .= '<S:Body wsu:Id="_10">';
+				//RequestSecurityTokenResponse
+				$env .= sspmod_InfoCard_STS::RequestSecurityTokenResponse($claimValues,$config,$assertionid,$created,$expires);
+			$env .= '</S:Body>';
+		$env .= '</S:Envelope>';
+				
+		return $env;
+	}
+
+
+
+/*
+* USED IN: createToken
+* INPUT: claims value, configuration, uuid, times
+* OUTPUT; returns the <wst:RequestSecurityTokenResponse>' of the RSTR
+*/
+	static private function RequestSecurityTokenResponse ($claimValues,$config,$assertionid,$created,$expires){
+		$tr = '<wst:RequestSecurityTokenResponse>';
+			$tr .= '<wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>';
+			$tr .= '<wst:LifeTime>';
+				$tr .= '<wsu:Created>'.$created.'</wsu:Created>';
+				$tr .= '<wsu:Expires>'.$expires.'</wsu:Expires>';
+			$tr .= '</wst:LifeTime>';
+			
+			//Encrypted token: SAML assertion
+			$tr .= '<wst:RequestedSecurityToken>';
+				$tr .= sspmod_InfoCard_STS::saml_assertion($claimValues,$config,$assertionid,$created,$expires);
+			$tr .= '</wst:RequestedSecurityToken>';
+			
+			//RequestedAattachedReference
+			$tr .= '<wst:RequestedAttachedReference>';
+				$tr .= '<wsse:SecurityTokenReference>';
+					$tr .= '<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">';
+						$tr .= $assertionid;
+					$tr .= '</wsse:KeyIdentifier>';
+				$tr .= '</wsse:SecurityTokenReference>';
+			$tr .= '</wst:RequestedAttachedReference>';
+			
+			//RequestedUnattachedReference
+			$tr .= '<wst:RequestedUnattachedReference>';
+				$tr .= '<wsse:SecurityTokenReference>';
+					$tr .= '<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">';
+						$tr .= $assertionid;
+					$tr .= '</wsse:KeyIdentifier>';
+				$tr .= '</wsse:SecurityTokenReference>';
+			$tr .= '</wst:RequestedUnattachedReference>';
+	
+			//RequestedDisplayToken
+			$tr .= '<ic:RequestedDisplayToken>';
+				$tr .= '<ic:DisplayToken xml:lang="en-us">';
+				foreach ($claimValues as $claim=>$data) {
+					$tr .= '<ic:DisplayClaim Uri="'.$config['InfoCard']['schema'].'/claims/'.$claim.'">';
+						$tr .= '<ic:DisplayTag>'.$data['displayTag'].'</ic:DisplayTag>';
+						$tr .= '<ic:DisplayValue>'.$data['value'].'</ic:DisplayValue>';
+					$tr .= "</ic:DisplayClaim>";
+				}
+				$tr .= '</ic:DisplayToken>';
+			$tr .= '</ic:RequestedDisplayToken>';
+		$tr .= '</wst:RequestSecurityTokenResponse>';
+		return $tr;
+	}
+
+
+
+
+/*
+* USED IN: RequestSecurityTokenResponse
+* INPUT: claims value, configuration, uuid, times
+* OUTPUT; STS Signed SAML assertion
+*/
+	static private function saml_assertion($claimValues,$config,$assertionid,$created,$expires){
+		$saml = '<saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="'.$assertionid.'" Issuer="'.$config['issuer'].'" IssueInstant="'.$created.'" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">';
+			$saml .= '<saml:Conditions NotBefore="'.$created.'" NotOnOrAfter="'.$expires.'" />';
+			$saml .= '<saml:AttributeStatement>';
+				$saml .= '<saml:Subject>';
+					$saml .= '<saml:SubjectConfirmation>';
+						$saml .= '<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>';
+						// proof key
+						$saml .= '<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">';
+							$saml .= '<dsig:X509Data>';
+								$saml .= '<dsig:X509Certificate>'.sspmod_InfoCard_Utils::takeCert($config['sts_crt']).'</dsig:X509Certificate>';
+							$saml .= '</dsig:X509Data>';
+						$saml .= '</dsig:KeyInfo>';
+					$saml .= '</saml:SubjectConfirmation>';
+				$saml .= '</saml:Subject>';
+				foreach ($claimValues as $claim=>$data) {
+					$saml .= '<saml:Attribute AttributeName="'.$claim.'" AttributeNamespace="'.$config['InfoCard']['schema'].'/claims">';
+						$saml .= '<saml:AttributeValue>'.$data['value'].'</saml:AttributeValue>';
+					$saml .= '</saml:Attribute>';
+				}
+			$saml .= '</saml:AttributeStatement>';
+	
+			//Pure SAML Assertion digest
+			$canonicalbuf = sspmod_InfoCard_Utils::canonicalize($saml.'</saml:Assertion>');
+			$myhash = sha1($canonicalbuf,TRUE);
+			$samldigest = base64_encode($myhash);
+	
+			//Digest block
+			$signedinfo = '<dsig:SignedInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" >';
+				$signedinfo .= '<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />';
+				$signedinfo .= '<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />';
+				$signedinfo .= '<dsig:Reference URI="#'.$assertionid.'">';
+					$signedinfo .= '<dsig:Transforms>';
+						$signedinfo .= '<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />';
+						$signedinfo .= '<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />';
+					$signedinfo .= '</dsig:Transforms>';
+					$signedinfo .= '<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />';
+					$signedinfo .= '<dsig:DigestValue>'.$samldigest.'</dsig:DigestValue>';
+				$signedinfo .= '</dsig:Reference>';
+			$signedinfo .= '</dsig:SignedInfo>';
+			
+			//Signature of the digest
+			$canonicalbuf = sspmod_InfoCard_Utils::canonicalize($signedinfo);
+			$privkey = openssl_pkey_get_private(file_get_contents($config['sts_key']));
+			$signature = '';
+			openssl_sign($canonicalbuf, &$signature, $privkey);
+			openssl_free_key($privkey);
+			$samlsignature = base64_encode($signature);
+	
+			//Signature block
+			$saml .= '<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">';
+				$saml .= $signedinfo;
+				$saml .= '<dsig:SignatureValue>'.$samlsignature.'</dsig:SignatureValue>';
+				$saml .= '<dsig:KeyInfo>';
+					$saml .= '<dsig:X509Data>';
+						$saml .= '<dsig:X509Certificate>'.sspmod_InfoCard_Utils::takeCert($config['sts_crt']).'</dsig:X509Certificate>';
+					$saml .= '</dsig:X509Data>';
+				$saml .= '</dsig:KeyInfo>';
+			$saml .= '</dsig:Signature>';
+		$saml .= '</saml:Assertion>';
+		return $saml;
+	}
+	
+
+}
+
+?>
\ No newline at end of file
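Review bot: saml_assertion() and createCard() interpolate caller-supplied strings straight into XML that is then canonicalized and signed — `$claim` and `$data['value']` (L1963–L1965, L1998–L1999), `$ICdata['CardName']` and `$ICdata['UserName']` (L1696, L1735) — so a value containing `<`, `&` or `"` either breaks the document or adds elements to the signed assertion; wrap each with `htmlspecialchars($v, ENT_QUOTES, 'UTF-8')` before concatenation, or build the tree with DOMDocument. The signing steps ignore failures: `openssl_pkey_get_private(file_get_contents(...))` on L1817 and L2025 can return false, after which openssl_sign also returns false and the token is emitted with an empty SignatureValue; guard it with `if ($privkey === false || !openssl_sign($canonicalbuf, $signature, $privkey)) { throw new Exception('STS signing failed'); }`. The `&$signature` call-time pass-by-reference on L1818 and L2027 is a deprecated construct (removed in PHP 5.4) and is unnecessary because openssl_sign already takes that parameter by reference. `uniqid('uuid-')` on L1884 is time-derived and not a UUID, so AssertionID values are predictable; a random identifier (e.g. from openssl_random_pseudo_bytes) is preferable for an ID that is also used as the signature Reference.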
diff --git a/modules/InfoCard/templates/default/temp-getcardform.php b/modules/InfoCard/templates/default/temp-getcardform.php
new file mode 100644
index 0000000000000000000000000000000000000000..bf8f728ec95b2e049a1b5cbb6211aeae427987f6
--- /dev/null
+++ b/modules/InfoCard/templates/default/temp-getcardform.php
@@ -0,0 +1,70 @@
+<?php
+/*
+* AUTHOR: Samuel Muñoz Hidalgo
+* EMAIL: samuel.mh@gmail.com
+* LAST REVISION: 22-DEC-08
+* DESCRIPTION: InfoCard module template.
+*/
+	$this->includeAtTemplateBase('includes/header.php'); 
+	if (!array_key_exists('icon', $this->data)) $this->data['icon'] = 'lock.png';
+	if (isset($this->data['error'])) { ?>
+		<div style="border-left: 1px solid #e8e8e8; border-bottom: 1px solid #e8e8e8; background: #f5f5f5">
+		<img src="/<?php echo $this->data['baseurlpath']; ?>resources/icons/bomb.png" style="float: left; margin: 15px " />
+		<h2><?php echo $this->t('error_header'); ?></h2>
+		
+		<p><?php echo $this->t($this->data['error']); ?> </p>
+		</div>
+	<?php } ?>
+
+
+<!-- 	GET INFOCARD SECTION -->
+	<?php
+		if (strcmp($this->data['CardGenerator'],'')>0) {
+		
+			if(strcmp($this->data['form'],"validate")==0){
+				echo '<h2>'.$this->t('getcardform_title').'</h2>';
+				echo '<form action = ?AuthState='.$this->data['stateparams']['AuthState']." method='post'>";
+					echo '<table border="0">';
+					echo "<tr><td>".$this->t('form_username').": </td><td><input type='text' name='username' value='usuario' /></td></tr>";
+					echo "<tr><td>".$this->t('form_password').": </td><td><input type='password' name='password' value='clave' /></td></tr>";
+					echo "<tr><td></td><td><input type='submit' name='get_button' value='".$this->t('get_button')."' /></td></tr>";
+					echo "<input type='hidden' name='form' value='".$this->data['form']."'/>";
+				echo '</table>';
+				echo '</form>';
+				
+			} else if(strcmp($this->data['form'],"selfIssued")==0){ //ASK FOR A SELF-ISSUED CARD
+				echo '<h2>'.$this->t('getcardform_self_title').'</h2>';
+				echo '<p>'.$this->t('getcardform_self_text').'</p>';
+				echo	'<form name="ctl00" id="ctl00" method="post" action="?AuthState='.$this->data['stateparams']['AuthState'].'">';
+					echo	'<OBJECT type="application/x-informationCard" name="xmlToken">';
+						echo '<PARAM Name="issuer" Value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />';
+						if ($this->data['InfoCard']['issuerPolicy']!='') echo '<PARAM Name="issuerPolicy" Value="'.$this->data['InfoCard']['issuerPolicy']."\">\n";
+						if ($this->data['InfoCard']['tokenType']!='') echo '<PARAM Name="tokenType" Value="'.$this->data['InfoCard']['tokenType']."\">\n";
+						if ($this->data['InfoCard']['privacyURL']!='') echo '<PARAM Name="privacyUrl" Value="'.$this->data['InfoCard']['privacyURL']."\">\n";
+						if ($this->data['InfoCard']['privacyVersion']!='')echo '<PARAM Name="privacyVersion" Value="'.$this->data['InfoCard']['privacyVersion']."\">\n";
+						echo '<PARAM Name="requiredClaims" Value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier">';
+					echo '</OBJECT>';
+					echo "<input type='hidden' name='username' value='".$this->data['username']."'/>";
+					echo "<input type='hidden' name='password' value='".$this->data['password']."'/>";
+					echo "<input type='hidden' name='form' value='".$this->data['form']."'/>";
+					echo "<input type='image' src='resources/infocard_self_114x80.png' style='cursor:pointer' />";
+				echo '</form>';
+			} else {
+				echo '<h2>'.$this->t('getcardform_finished_title').'</h2>';
+				echo '<p>'.$this->t('getcardform_finished_text').'</p>';
+				echo '<p> <a href="login-infocard.php?AuthState='.$this->data['stateparams']['AuthState'].'">LOGIN</a></p>';
+			}
+		}
+  ?>
+	 
+<!-- 	 HELP SECTION -->
+	<h2><?php echo $this->t('help_header'); ?></h2>	
+	<p><?php echo $this->t('help_text'); ?></p>
+	<?php
+		if ((array_key_exists('contact_info_URL',$this->data)) && ($this->data['contact_info_URL']!=null)) 
+			echo "<p><a href='".$this->data['contact_info_URL']."'>".$this->t('contact_info')."</a><p/>";
+		if ((array_key_exists('help_desk_email_URL',$this->data)) && ($this->data['help_desk_email_URL']!=null)) 
+			echo "<p><a href='".$this->data['help_desk_email_URL']."'>".$this->t('help_desk_email')."</a></p>";
+	?>
+	
+<?php $this->includeAtTemplateBase('includes/footer.php'); ?> 
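Review bot: Every value echoed into markup here is unescaped, including `$this->data['stateparams']['AuthState']` in the form actions and the login link (L2081, L2093, L2110), `$this->data['form']` (L2086, L2104) and the InfoCard PARAM values (L2096–L2099); AuthState is read from `$_REQUEST` in www/getcardform.php, so it is reflected into an attribute without encoding. Wrap each with `htmlspecialchars($v, ENT_QUOTES, 'UTF-8')`, and quote the attribute on L2081, which currently reads `action = ?AuthState=...` with no quotes. L2102–L2103 also write the user's plaintext password into a hidden input, leaving the credential in page source and browser cache between the validate and selfIssued steps; keep it server-side (session/state) rather than round-tripping it through the browser. The same unescaped output of CardGenerator and AuthState appears in temp-login.php at L2158. The hard-coded `value='usuario'` / `value='clave'` defaults on L2083–L2084 look like leftover test data.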
diff --git a/modules/InfoCard/templates/login-infocard.php b/modules/InfoCard/templates/default/temp-login.php
similarity index 86%
rename from modules/InfoCard/templates/login-infocard.php
rename to modules/InfoCard/templates/default/temp-login.php
index 48821e7e841e0fba545db4efdbb034596f1448b0..70cd74f746a26091b52540342f8f4115c6c3c47e 100644
--- a/modules/InfoCard/templates/login-infocard.php
+++ b/modules/InfoCard/templates/default/temp-login.php
@@ -21,6 +21,7 @@
 	<p><?php echo $this->t('user_IC_text'); ?></p>
 	
 	<form name="ctl00" id="ctl00" method="post" action="?AuthState=<?php echo $this->data['stateparams']['AuthState']?>">
+
 <!--		<ic:informationCard xmlns:ic="<?php echo $this->data['InfoCard']['schema'] ?>" name="xmlToken" 
 			issuer="<?php echo $this->data['InfoCard']['issuer']; ?>"
 			<?php 
@@ -62,16 +63,12 @@
 	</form>
 	
 <!-- 	GET INFOCARD SECTION -->
-	<?php if (strcmp($this->data['CardGenerator'],'')>0) {
-	echo '<h2>'.$this->t('get_IC').'</h2>';
-	echo "<form action=\"". $this->data['CardGenerator'] ."\" method='post'>";
-		echo '<table border="0">';
-		echo "<tr><td>".$this->t('form_username').": </td><td><input type='text' name='username' value='usuario' /></td></tr>";
-		echo "<tr><td>".$this->t('form_password').": </td><td><input type='password' name='password' value='clave' /></td></tr>";
-		echo "<tr><td></td><td><input type='submit' name='get_button' value='".$this->t('get_button')."' /></td></tr>";
-	echo '</table>';
-	echo '</form>';
-	 } ?>
+	<?php
+		if (strcmp($this->data['CardGenerator'],'')>0) {
+			echo '<h2>'.$this->t('get_IC').'</h2>';
+			echo '<a href="'.$this->data['CardGenerator'].'?AuthState='.$this->data['stateparams']['AuthState'].'">'.$this->t('get_IC_link').'</a>';
+	 	}
+	?>
 	 
 <!-- 	 HELP SECTION -->
 	<h2><?php echo $this->t('help_header'); ?></h2>	
diff --git a/modules/InfoCard/www/getcardform.php b/modules/InfoCard/www/getcardform.php
new file mode 100644
index 0000000000000000000000000000000000000000..992af0f57f19ed558f4e3586729ad5b0acc70176
--- /dev/null
+++ b/modules/InfoCard/www/getcardform.php
@@ -0,0 +1,155 @@
+<?php
+
+/*
+* AUTHOR: Samuel Muñoz Hidalgo
+* EMAIL: samuel.mh@gmail.com
+* LAST REVISION: 13-FEB-09
+* DESCRIPTION:
+*		Pretty form to get a managed InfoCard
+*		User flow controller.
+*		Displays the template and request a non null xmlToken
+*/
+
+
+/* Load the configuration. */
+$config = SimpleSAML_Configuration::getInstance();
+$autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php');
+
+$Infocard =   $autoconfig->getValue('InfoCard');
+
+
+/* Load the session of the current user. */
+$session = SimpleSAML_Session::getInstance();
+if($session == NULL) {
+	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOSESSION');
+}
+
+if (!array_key_exists('AuthState', $_REQUEST)) {
+SimpleSAML_Logger::debug('NO AUTH STATE');
+SimpleSAML_Logger::debug('ERROR: NO AUTH STATE');
+	throw new SimpleSAML_Error_BadRequest('Missing AuthState parameter.');
+} else {
+	$authStateId = $_REQUEST['AuthState'];
+SimpleSAML_Logger::debug('AUTH STATE:  '.$authStateId);
+}
+
+$username = null;
+$password = null;
+
+$state = "validate";
+if(array_key_exists('form', $_POST) && ($_POST['form']!=NULL)  ) {
+	if(array_key_exists('username', $_POST) && ($_POST['username']!=NULL)  ) {
+		if(array_key_exists('password', $_POST) && ($_POST['password']!=NULL)  ) {
+			//Validation: Username/Password
+			$username = $_POST['username'];
+			$password = $_POST['password'];
+			if (sspmod_InfoCard_UserFunctions::validateUser(array('username'=>$username,'password'=>$password),'UsernamePasswordCredential')){
+				$userCredential =   $autoconfig->getValue('UserCredential');
+				if (strcmp($userCredential,'UsernamePasswordCredential')==0){
+					
+					$ICconfig['InfoCard'] = $Infocard;
+					$ICconfig['InfoCard']['issuer'] = $autoconfig->getValue('tokenserviceurl');//sspmod_InfoCard_Utils::getIssuer($sts_crt);
+					$ICconfig['tokenserviceurl'] = $autoconfig->getValue('tokenserviceurl');
+					$ICconfig['mexurl'] = $autoconfig->getValue('mexurl');
+					$ICconfig['sts_key'] = $autoconfig->getValue('sts_key');
+					$ICconfig['certificates'] = $autoconfig->getValue('certificates');
+					$ICconfig['UserCredential'] = $autoconfig->getValue('UserCredential');
+					
+					$ICdata = sspmod_InfoCard_UserFunctions::fillICdata($username,$userCredential);
+					$IC = sspmod_InfoCard_STS::createCard($ICdata,$ICconfig);
+					header("Content-Disposition: attachment; filename=\"".$ICdata['CardName'].".crd\"");
+					header('Content-Type: application/x-informationcard');
+					header('Content-Length:'.strlen($IC));
+					echo $IC;
+					$state = 'end';
+				}else if (strcmp($userCredential,'SelfIssuedCredential')==0){
+					/*
+					* VERY IMPORTANT:
+					* The STS is acting as a Relying Party to get the PPID in order to generate a
+					*  managed card with a self issued credential, that's why we use the STS
+					*  certificate private key to decrypt the token.
+					*/
+					if(array_key_exists('xmlToken', $_POST) && ($_POST['xmlToken']!=NULL)  ) {
+						SimpleSAML_Logger::debug('HAY XML TOKEN');
+						$token = new sspmod_InfoCard_RP_InfoCard();
+						$idp_key = $autoconfig->getValue('sts_key');
+						$token->addIDPKey($idp_key);
+						$token->addSTSCertificate('');	
+						$claims = $token->process($_POST['xmlToken']);
+						if(($claims->isValid()) && ($claims->privatepersonalidentifier!=NULL)) {
+							$ppid = $claims->privatepersonalidentifier;
+							$ICconfig['InfoCard'] = $Infocard;
+							$ICconfig['InfoCard']['issuer'] = $autoconfig->getValue('tokenserviceurl');//sspmod_InfoCard_Utils::getIssuer($sts_crt);
+							$ICconfig['tokenserviceurl'] = $autoconfig->getValue('tokenserviceurl');
+							$ICconfig['mexurl'] = $autoconfig->getValue('mexurl');
+							$ICconfig['sts_key'] = $autoconfig->getValue('sts_key');
+							$ICconfig['certificates'] = $autoconfig->getValue('certificates');
+							$ICconfig['UserCredential'] = $autoconfig->getValue('UserCredential');
+							
+							$ICdata = sspmod_InfoCard_UserFunctions::fillICdata($username,$userCredential,$ppid);	
+							$IC = sspmod_InfoCard_STS::createCard($ICdata,$ICconfig);
+							header('Content-Disposition: attachment; filename="'.$ICdata['CardName'].'.crd"');
+							header('Content-Type: application/x-informationcard');
+							header('Content-Length:'.strlen($IC));
+							echo $IC;
+							$state = 'end';
+						}else {
+							SimpleSAML_Logger::debug('Wrong Self-Issued card');
+							$error = 'wrong_IC';
+							$state = "selfIssued";
+						}
+					}else{
+						SimpleSAML_Logger::debug('NO HAY XML TOKEN');
+						$error = NULL;
+						$state = "selfIssued";
+					}
+				}else{
+					SimpleSAML_Logger::debug('CONFIGURATION ERROR: UserCredential '.$userCredential.' NOT SUPPORTED');
+				}
+			}else{
+				$error = 'Wrong_user_pass';
+				SimpleSAML_Logger::debug('WRONG username or password');
+			}
+		}else{
+			$error = 'NO_password';
+			SimpleSAML_Logger::debug('NO PASSWORD');
+		}
+	}else {
+		$error = 'NO_user';
+		SimpleSAML_Logger::debug('NO USERNAME');
+	}
+}else{
+	$error = NULL;
+}
+
+
+unset($_POST); //Show the languages bar if reloaded
+
+$t = new SimpleSAML_XHTML_Template($config, 'InfoCard:temp-getcardform.php', 'InfoCard:dict-InfoCard'); //(configuracion, template, diccionario)
+$t->data['header'] = 'simpleSAMLphp: Get your Infocard';
+$t->data['stateparams'] = array('AuthState' => $authStateId);
+
+
+$t->data['InfoCard'] = $Infocard;
+
+$cardGenerator =   $autoconfig->getValue('CardGenerator');
+$t->data['CardGenerator'] = $cardGenerator;
+
+$help_desk_email_URL = $autoconfig->getValue('help_desk_email_URL');
+$t->data['help_desk_email_URL'] = $help_desk_email_URL;
+
+$contact_info_URL = $autoconfig->getValue('contact_info_URL');
+$t->data['contact_info_URL'] = $contact_info_URL;
+
+$t->data['error'] = $error;
+$t->data['form'] = $state;
+
+//For testing purposes
+$t->data['username']=$username;
+$t->data['password']=$password;
+
+
+
+$t->show();
+exit();
+?>
\ No newline at end of file
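Review bot: After the card is written (`echo $IC` on L2232 and L2263) with a Content-Length of strlen($IC), execution falls through to L2295–L2322, so the XHTML template is rendered and appended to the .crd response; add `exit();` right after each `echo $IC;`, or return the card before the template block. L2192–L2193 calls `$session->getTrackID()` inside the branch that only runs when `$session` is null, so the error path itself fatals; pass a fixed track id or drop the argument. L2317–L2318 copy the plaintext `$password` into template data "for testing purposes", and temp-getcardform.php echoes it into the page; remove this before merge, or at minimum never hand the password to the view. `$error` is never initialised on the successful paths (L2217 onward, L2276), so `$t->data['error'] = $error` on L2313 reads an undefined variable; set `$error = NULL;` before the validation block.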
diff --git a/modules/InfoCard/www/login-infocard.php b/modules/InfoCard/www/login-infocard.php
index d33c7dbb73b0f9bab578f01f3e68c8964a650999..af12e8f85300d961c2a58c62401565e70408836d 100644
--- a/modules/InfoCard/www/login-infocard.php
+++ b/modules/InfoCard/www/login-infocard.php
@@ -3,7 +3,7 @@
 /*
 * AUTHOR: Samuel Muñoz Hidalgo
 * EMAIL: samuel.mh@gmail.com
-* LAST REVISION: 22-DEC-08
+* LAST REVISION: 13-FEB-09
 * DESCRIPTION:
 *		User flow controller.
 *		Displays the template and request a non null xmlToken
@@ -52,7 +52,7 @@ SimpleSAML_Logger::debug('NO HAY XML TOKEN');
 unset($_POST); //Show the languages bar if reloaded
  
 //Login Page
-$t = new SimpleSAML_XHTML_Template($config, 'InfoCard:login-infocard.php', 'InfoCard:logininfocard'); //(configuracion, template, diccionario)
+$t = new SimpleSAML_XHTML_Template($config, 'InfoCard:temp-login.php', 'InfoCard:dict-InfoCard'); //(configuracion, template, diccionario)
 $t->data['header'] = 'simpleSAMLphp: Infocard login';
 $t->data['stateparams'] = array('AuthState' => $authStateId);
 $t->data['IClogo'] = $IClogo;
diff --git a/modules/InfoCard/www/mex.php b/modules/InfoCard/www/mex.php
new file mode 100644
index 0000000000000000000000000000000000000000..43c6554c63899d587a37af19fde6b8c94bb2dc0c
--- /dev/null
+++ b/modules/InfoCard/www/mex.php
@@ -0,0 +1,257 @@
+<?php
+
+/*
+* AUTHOR: Samuel Muñoz Hidalgo
+* EMAIL: samuel.mh@gmail.com
+* LAST REVISION: 13-FEB-09
+* DESCRIPTION: InfoCard module metadata exchange (POLICY)
+*/
+
+
+$method = $_SERVER["REQUEST_METHOD"];
+
+if ($method == "POST"){
+	$use_soap = true;
+	Header('Content-Type: application/soap+xml;charset=utf-8');
+}else{
+	$use_soap = false;
+	Header('Content-Type: application/xml;charset=utf-8');
+}
+
+
+$config = SimpleSAML_Configuration::getInstance();
+$autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php');
+$ICconfig['tokenserviceurl'] = $autoconfig->getValue('tokenserviceurl');
+$ICconfig['certificates'] = $autoconfig->getValue('certificates');
+$ICconfig['UserCredential'] = $autoconfig->getValue('UserCredential');
+
+
+// Grab the important parts of the token request.  That's pretty much just
+// the request ID.
+$request_id = '';
+if ($use_soap && strlen($HTTP_RAW_POST_DATA))
+{
+    $token = new DOMDocument();
+    $token->loadXML($HTTP_RAW_POST_DATA);
+    $doc = $token->documentElement;
+    $elements = $doc->getElementsByTagname('MessageID');
+    $request_id = $elements->item(0)->nodeValue;
+}
+
+$buf = '<?xml version="1.0"?>';
+
+$buf .= '<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing">';
+
+	$buf .= '<S:Header>';
+		$buf .= '<wsa:Action S:mustUnderstand="1">';
+			$buf .= 'http://schemas.xmlsoap.org/ws/2004/09/transfer/GetResponse';
+		$buf .= '</wsa:Action>';
+		$buf .= '<wsa:RelatesTo>';
+			$buf .= $request_id;
+		$buf .= '</wsa:RelatesTo>';
+	$buf .= '</S:Header>';
+	
+	$buf .= '<S:Body>';	
+		$buf .= '<Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex">';
+		
+			$buf .= '<MetadataSection Dialect="http://schemas.xmlsoap.org/wsdl/" Identifier="http://schemas.xmlsoap.org/ws/2005/02/trust">';
+				$buf .= '<wsdl:definitions name="STS_wsdl" targetNamespace="'.$ICconfig['tokenserviceurl'].'" xmlns:tns="'.$ICconfig['tokenserviceurl'].'" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsid="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" xmlns:q1="'.$ICconfig['tokenserviceurl'].'">';
+				
+					$buf .= '<wsdl:types>';
+						$buf .= '<xs:schema targetNamespace="http://schemas.xmlsoap.org/ws/2005/02/trust/Imports">';
+							$buf .= '<xs:import schemaLocation="" namespace="'.$ICconfig['tokenserviceurl'].'"/>';
+						$buf .= '</xs:schema>';
+					$buf .= '</wsdl:types>';
+				
+					$buf .= '<wsdl:message name="RequestSecurityTokenMsg">';
+						$buf .= '<wsdl:part name="request" type="q1:MessageBody" />';
+					$buf .= '</wsdl:message>';
+					$buf .= '<wsdl:message name="RequestSecurityTokenResponseMsg">';
+						$buf .= '<wsdl:part name="response" type="q1:MessageBody" />';
+					$buf .= '</wsdl:message>';
+					
+					$buf .= '<wsdl:portType name="SecurityTokenService">';
+						$buf .= '<wsdl:operation name="Issue">';
+							$buf .= '<wsdl:input wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" message="tns:RequestSecurityTokenMsg">';
+							$buf .= '</wsdl:input>';
+							$buf .= '<wsdl:output wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue" message="tns:RequestSecurityTokenResponseMsg">';
+							$buf .= '</wsdl:output>';
+						$buf .= '</wsdl:operation>';
+					$buf .= '</wsdl:portType>';
+					
+					$buf .= '<wsp:Policy wsu:Id="STS_endpoint_policy">';
+						$buf .= '<wsp:ExactlyOne>';
+							$buf .= '<wsp:All>';
+								$buf .= '<ic:RequireFederatedIdentityProvisioning />';
+								$buf .= '<sp:TransportBinding>';
+									$buf .= '<wsp:Policy>';
+										$buf .= '<sp:TransportToken>';
+											$buf .= '<wsp:Policy>';
+												$buf .= '<sp:HttpsToken RequireClientCertificate="false" />';
+											$buf .= '</wsp:Policy>';
+										$buf .= '</sp:TransportToken>';
+										$buf .= '<sp:AlgorithmSuite>';
+											$buf .= '<wsp:Policy>';
+												$buf .= '<sp:Basic256/>';
+											$buf .= '</wsp:Policy>';
+										$buf .= '</sp:AlgorithmSuite>';
+										$buf .= '<sp:Layout>';
+											$buf .= '<wsp:Policy>';
+												$buf .= '<sp:Strict/>';
+											$buf .= '</wsp:Policy>';
+										$buf .= '</sp:Layout>';
+										$buf .= '<sp:IncludeTimestamp/>';
+									$buf .= '</wsp:Policy>';
+								$buf .= '</sp:TransportBinding>';
+								
+								// Authentication token assertion
+								switch($ICconfig['UserCredential']){
+									case "UsernamePasswordCredential":
+										$buf .= '<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
+											$buf .= '<wsp:Policy>';
+												$buf .= '<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">';
+													$buf .= '<wsp:Policy>';
+														$buf .= '<sp:WssUsernameToken10/>';
+													$buf .= '</wsp:Policy>';
+												$buf .= '</sp:UsernameToken>';
+											$buf .= '</wsp:Policy>';
+										$buf .= '</sp:SignedSupportingTokens>';
+										break;
+									case "KerberosV5Credential":
+										$buf .= '<sp:ProtectionToken>';
+											$buf .= '<wsp:Policy>';
+												$buf .= '<sp:KerberosToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Once">';
+													$buf .= '<wsp:Policy>';
+														$buf .= '<sp: WssGssKerberosV5ApReqToken11/>';
+													$buf .= '</wsp:Policy>';
+												$buf .= '</sp:KerberosToken>';
+											$buf .= '<wsp:Policy>';
+										$buf .= '</sp:ProtectionToken>';
+										break;
+									case "X509V3Credential":
+										$buf .= '<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
+											$buf .= '<wsp:Policy>';
+												$buf .= '<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">';
+													$buf .= '<wsp:Policy>';
+														$buf .= '<sp:WssX509V3Token10/>';
+													$buf .= '</wsp:Policy>';
+												$buf .= '</sp:X509Token>';
+											$buf .= '</wsp:Policy>';
+										$buf .= '</sp:EndorsingSupportingTokens>';
+										break;
+									case "SelfIssuedCredential":
+										$buf .= '<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">';
+											$buf .= '<wsp:Policy>';
+												$buf .= '<sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">';
+													$buf .= '<sp:Issuer>';
+														$buf .= '<wsa:Address>';
+															$buf .= 'http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self';
+														$buf .= '</wsa:Address>';
+													$buf .= '</sp:Issuer>';
+													$buf .= '<sp:RequestSecurityTokenTemplate>';
+														$buf .= '<wst:TokenType>';
+															$buf .= 'urn:oasis:names:tc:SAML:1.0:assertion';
+														$buf .= '</wst:TokenType>';
+														$buf .= '<wst:KeyType>';
+															$buf .= 'http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey';
+														$buf .= '</wst:KeyType>';
+														$buf .= '<wst:Claims xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">';
+															$buf .= '<ic:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"/>';
+														$buf .= '</wst:Claims>';
+													$buf .= '</sp:RequestSecurityTokenTemplate>';
+													$buf .= '<wsp:Policy>';
+														$buf .= '<sp:RequireInternalReference/>';
+													$buf .= '</wsp:Policy>';
+												$buf .= '</sp:IssuedToken>';
+											$buf .= '</wsp:Policy>';
+										$buf .= '</sp:EndorsingSupportingTokens>';
+										break;
+									default:
+										break;
+								}
+								
+								$buf .= '<sp:Wss11>';
+									$buf .= '<wsp:Policy>';
+										$buf .= '<sp:MustSupportRefThumbprint/>';
+										$buf .= '<sp:MustSupportRefEncryptedKey/>';
+									$buf .= '</wsp:Policy>';
+								$buf .= '</sp:Wss11>';
+								$buf .= '<sp:Trust10>';
+									$buf .= '<wsp:Policy>';
+										$buf .= '<sp:RequireClientEntropy/>';
+										$buf .= '<sp:RequireServerEntropy/>';
+									$buf .= '</wsp:Policy>';
+								$buf .= '</sp:Trust10>';
+								$buf .= '<wsaw:UsingAddressing wsdl:required="true" />';
+							$buf .= '</wsp:All>';
+						$buf .= '</wsp:ExactlyOne>';
+					$buf .= '</wsp:Policy>';
+					
+					$buf .= '<wsdl:binding name="Transport_binding" type="tns:SecurityTokenService">';
+						$buf .= '<wsp:PolicyReference URI="#STS_endpoint_policy"/>';
+							$buf .= '<soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>';
+							$buf .= '<wsdl:operation name="Issue">';
+								$buf .= '<soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" style="document"/>';
+								$buf .= '<wsdl:input>';
+									$buf .= '<soap12:body use="literal"/>';
+								$buf .= '</wsdl:input>';
+								$buf .= '<wsdl:output>';
+									$buf .= '<soap12:body use="literal"/>';
+								$buf .= '</wsdl:output>';
+							$buf .= '</wsdl:operation>';
+					$buf .= '</wsdl:binding>';
+				
+					$buf .= '<wsdl:service name="STS_0">';
+						$buf .= '<wsdl:port name="STS_0_port" binding="tns:Transport_binding">';
+							$buf .= '<soap12:address location="'.$ICconfig['tokenserviceurl'].'" />';
+							$buf .= '<wsa:EndpointReference>';
+								$buf .= '<wsa:Address>'.$ICconfig['tokenserviceurl'].'</wsa:Address>';
+								$buf .= '<wsid:Identity>';
+									$buf .= '<ds:KeyInfo>';
+										$buf .= '<ds:X509Data>';
+											$buf .= '<ds:X509Certificate>';
+												$buf .= sspmod_InfoCard_Utils::takeCert($ICconfig['certificates'][0]);
+											$buf .='</ds:X509Certificate>';
+										$buf .= '</ds:X509Data>';
+									$buf .= '</ds:KeyInfo>';
+								$buf .= '</wsid:Identity>';
+							$buf .= '</wsa:EndpointReference>';
+						$buf .= '</wsdl:port>';
+					$buf .= '</wsdl:service>';
+					
+				$buf .= '</wsdl:definitions>';
+			$buf .= '</MetadataSection>';
+		
+		
+			$buf .= '<MetadataSection Dialect="http://www.w3.org/2001/XMLSchema" Identifier="'.$ICconfig['tokenserviceurl'].'">';
+				$buf .= '<xs:schema xmlns:tns="'.$ICconfig['tokenserviceurl'].'" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="'.$ICconfig['tokenserviceurl'].'">';
+					$buf .= '<xs:complexType name="MessageBody">';
+						$buf .= '<xs:sequence>';
+							$buf .= '<xs:any maxOccurs="unbounded" minOccurs="0" namespace="##any"/>';
+						$buf .= '</xs:sequence>';
+					$buf .= '</xs:complexType>';
+				$buf .= '</xs:schema>';
+			$buf .= '</MetadataSection>';
+		
+		$buf .= '</Metadata>';	
+	$buf .= '</S:Body>';
+	
+$buf .= '</S:Envelope>';
+
+
+print($buf);
+
+?>
+
+
+
+
+
+
+
+
+
+
+
+
+
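Review bot: `$request_id` is taken from the client-supplied MessageID text (`$elements->item(0)->nodeValue`, which is entity-decoded) and concatenated unescaped into the `<wsa:RelatesTo>` element of the response, so a MessageID containing `<` or `&` is reflected into the SOAP envelope as raw markup and can break or alter the returned policy document; escape it on insertion, `$buf .= htmlspecialchars($request_id, ENT_QUOTES, 'UTF-8');`. The same block never checks the return value of `loadXML` nor that `item(0)` is non-null, so a malformed or unrelated POST body aborts with a fatal error instead of yielding an empty RelatesTo; a guard such as `$node = $elements->item(0); $request_id = $node !== null ? $node->nodeValue : '';` keeps the endpoint responding. Separately, the KerberosV5Credential branch of the switch emits `<sp: WssGssKerberosV5ApReqToken11/>` (stray space after the prefix) and then opens a second `<wsp:Policy>` where `</wsp:Policy>` is needed, so the policy produced for that credential type is not well-formed XML.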
diff --git a/modules/InfoCard/www/resources/infocard_self_114x80.png b/modules/InfoCard/www/resources/infocard_self_114x80.png
new file mode 100644
index 0000000000000000000000000000000000000000..9351cbcebdace06d93a7a5d00287732823bc676f
Binary files /dev/null and b/modules/InfoCard/www/resources/infocard_self_114x80.png differ
diff --git a/modules/InfoCard/www/tokenservice.php b/modules/InfoCard/www/tokenservice.php
new file mode 100644
index 0000000000000000000000000000000000000000..3c076dfafd4c81cfb8000045136335c6b13a17a5
--- /dev/null
+++ b/modules/InfoCard/www/tokenservice.php
@@ -0,0 +1,139 @@
+<?php
+
+/*
+* AUTHOR: Samuel Muñoz Hidalgo
+* EMAIL: samuel.mh@gmail.com
+* LAST REVISION: 13-FEB-09
+* DESCRIPTION: Web interface for the token generator
+*/
+
+
+//Borrowed from xlmseclibs, TEMPORAL
+function decryptMcrypt($data,$key) {
+	$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
+	$iv_length = mcrypt_enc_get_iv_size($td);
+
+	$iv = substr($data, 0, $iv_length);
+	$data = substr($data, $iv_length);
+
+	mcrypt_generic_init($td, $key, $iv);
+	$decrypted_data = mdecrypt_generic($td, $data);
+	mcrypt_generic_deinit($td);
+	mcrypt_module_close($td);
+	
+	$dataLen = strlen($decrypted_data);
+	$paddingLength = substr($decrypted_data, $dataLen - 1, 1);
+	$decrypted_data = substr($decrypted_data, 0, $dataLen - ord($paddingLength));
+	
+	return $decrypted_data;
+}
+
+
+
+//Input: self issued saml token
+//Returns ppid coded in base 64
+	function getppid($samlToken){
+	$token = new DOMDocument();
+	$token->loadXML($samlToken);
+	$doc = $token->documentElement;
+	return($doc->getElementsByTagname('AttributeValue')->item(0)->nodeValue);
+}
+
+
+// grab the important parts of the token request.  these are the username,
+// password, and cardid.
+
+Header('Content-Type: application/soap+xml;charset=utf-8');
+
+$config = SimpleSAML_Configuration::getInstance();
+SimpleSAML_Logger::debug('Tokenservice');
+
+$token = new DOMDocument();
+$token->loadXML($HTTP_RAW_POST_DATA);
+$doc = $token->documentElement;
+
+$cardId  =  $doc->getElementsByTagname('CardId')->item(0)->nodeValue;
+
+$authenticated = false;
+
+
+$autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php');
+$ICconfig['UserCredential'] = $autoconfig->getValue('UserCredential');
+$debugDir = $autoconfig->getValue('debugDir');
+
+
+SimpleSAML_Logger::debug('USERCREDENTIAL: '.$ICconfig['UserCredential']);
+switch($ICconfig['UserCredential']){
+	case "UsernamePasswordCredential":
+		$username = $doc->getElementsByTagname('Username')->item(0)->nodeValue;
+		$password = $doc->getElementsByTagname('Password')->item(0)->nodeValue;
+		if (sspmod_InfoCard_UserFunctions::validateUser(array('username'=>$username,'password'=>$password),$ICconfig['UserCredential'])){
+			$authenticated = true;
+		}
+		break;
+	case "KerberosV5Credential":
+		break;
+	case "X509V3Credential":
+		break;
+	case "SelfIssuedCredential":
+		//Obtener clave simétrica
+		$encKey = base64_decode($doc->getElementsByTagname('CipherValue')->item(0)->nodeValue);
+		$sts_key = $autoconfig->getValue('sts_key');
+		$privkey = openssl_pkey_get_private(file_get_contents($sts_key));
+		$key=NULL;
+		openssl_private_decrypt($encKey,$key,$privkey,OPENSSL_PKCS1_OAEP_PADDING);
+		openssl_free_key($privkey);
+		
+		//Recuperar informaciĂłn
+		$encSamlToken = base64_decode($doc->getElementsByTagname('CipherValue')->item(1)->nodeValue);
+		$samlToken=decryptMcrypt($encSamlToken,$key);
+		SimpleSAML_Logger::debug('$samlToken'.$samlToken);
+		$ppid=getppid($samlToken);
+		SimpleSAML_Logger::debug('PPID: '.$ppid);
+
+		if (sspmod_InfoCard_UserFunctions::validateUser(array('PPID'=>$ppid),$ICconfig['UserCredential'])){
+			$authenticated = true;
+		}
+		break;
+	default:
+		break;
+}
+
+
+$messageid = $doc->getElementsByTagname('MessageID')->item(0)->nodeValue;
+
+if ($authenticated){
+	$ICconfig['InfoCard'] = $autoconfig->getValue('InfoCard');
+	$ICconfig['issuer'] =  $autoconfig->getValue('issuer');
+	$ICconfig['sts_crt'] = $autoconfig->getValue('sts_crt');
+	$ICconfig['sts_key'] = $autoconfig->getValue('sts_key');
+	
+	$requiredClaims = sspmod_InfoCard_Utils::extractClaims($ICconfig['InfoCard']['schema'], $doc->getElementsByTagname('ClaimType'));
+	$claimValues = sspmod_InfoCard_UserFunctions::fillClaims($username, $ICconfig['InfoCard']['requiredClaims'], $ICconfig['InfoCard']['optionalClaims'],$requiredClaims);
+	
+	$response = sspmod_InfoCard_STS::createToken($claimValues,$ICconfig,$messageid);
+	
+
+}else{
+	$response = sspmod_InfoCard_STS::errorMessage('Wrong Credentials',$messageid);
+}
+
+
+Header('Content-length: '.strlen($buf)+1);
+print($response);
+
+//LOG
+if ($debugDir!=null){
+	$handle=fopen($debugDir.'/'.$messageid.".log","w");
+	fwrite($handle,"  ------ InfoCard simpleSAMLphp Module LOG ------\n\n");
+	fwrite($handle,"-- TIME: ".gmdate('Y-m-d').' '.gmdate('H:i:s')."\n");
+	fwrite($handle,"-- MESSAGE ID: ".$messageid."\n\n\n");
+	fwrite($handle,"-- RST\n");
+	fwrite($handle,$HTTP_RAW_POST_DATA);
+	fwrite($handle,"\n\n\n-- RSTR\n");
+	fwrite($handle,$response);
+	fclose($handle);
+}
+
+
+?>
\ No newline at end of file
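Review bot: The debug log path `$debugDir.'/'.$messageid.".log"` is built from the `MessageID` element of the client-supplied request body, so a MessageID containing `/` or `..` selects a `.log` path outside `$debugDir`, and that file then receives the raw RST, which contains the plaintext password when the UsernamePasswordCredential type is in use; derive the filename from a sanitised form, e.g. `$handle=fopen($debugDir.'/'.preg_replace('/[^A-Za-z0-9._-]/', '_', $messageid).".log","w");`, and check the `fopen` result before writing. The Content-Length header is computed from `$buf`, which this file never defines (the reply is `$response`), and the mixed `.`/`+` expression is precedence-sensitive, so the advertised length does not match the body; use `Header('Content-Length: '.strlen($response));`. In the SelfIssuedCredential path `$username` is never assigned before `fillClaims($username, ...)` in the authenticated branch, so that call receives an undefined variable; it presumably should pass the identifier that `validateUser` matched, to be confirmed against UserFunctions. The `openssl_private_decrypt` result and the `item(...)` lookups on CipherValue/CardId/MessageID are likewise unchecked, so a request lacking the expected elements fails with a fatal error rather than the `errorMessage` reply.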