From 6e2a7d8225925fdf39face49bad34ef6d65563c9 Mon Sep 17 00:00:00 2001
From: Enrique de la Hoz <enrique.delahoz@uah.es>
Date: Fri, 13 Feb 2009 16:37:42 +0000
Subject: [PATCH] Infocard module major update

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1270 44740490-163a-0410-bde0-09ae8108e29a
---
 .../config-template/config-login-infocard.php | 232 ++++++---
 .../{logininfocard.php => dict-InfoCard.php} | 198 ++++++++
 modules/InfoCard/docs/usage.txt | 5 +-
 .../InfoCard/extra/config-login-infocard.php | 174 -------
 modules/InfoCard/extra/getinfocard.php | 198 --------
 modules/InfoCard/extra/mex.php | 441 ------------------
 modules/InfoCard/extra/tokenservice.php | 296 ------------
 modules/InfoCard/lib/STS.php | 384 +++++++++++++++
 .../templates/default/temp-getcardform.php | 70 +++
 .../temp-login.php} | 17 +-
 modules/InfoCard/www/getcardform.php | 155 ++++++
 modules/InfoCard/www/login-infocard.php | 4 +-
 modules/InfoCard/www/mex.php | 257 ++++++++++
 .../www/resources/infocard_self_114x80.png | Bin 0 -> 9302 bytes
 modules/InfoCard/www/tokenservice.php | 139 ++++++
 15 files changed, 1375 insertions(+), 1195 deletions(-)
 rename modules/InfoCard/dictionaries/{logininfocard.php => dict-InfoCard.php} (61%)
 delete mode 100644 modules/InfoCard/extra/config-login-infocard.php
 delete mode 100644 modules/InfoCard/extra/getinfocard.php
 delete mode 100644 modules/InfoCard/extra/mex.php
 delete mode 100644 modules/InfoCard/extra/tokenservice.php
 create mode 100644 modules/InfoCard/lib/STS.php
 create mode 100644 modules/InfoCard/templates/default/temp-getcardform.php
 rename modules/InfoCard/templates/{login-infocard.php => default/temp-login.php} (86%)
 create mode 100644 modules/InfoCard/www/getcardform.php
 create mode 100644 modules/InfoCard/www/mex.php
 create mode 100644 modules/InfoCard/www/resources/infocard_self_114x80.png
 create mode 100644 modules/InfoCard/www/tokenservice.php
diff --git a/modules/InfoCard/config-template/config-login-infocard.php b/modules/InfoCard/config-template/config-login-infocard.php
index 90ba0f612..3259851ef 100644
--- a/modules/InfoCard/config-template/config-login-infocard.php
+++ b/modules/InfoCard/config-template/config-login-infocard.php
@@ -3,92 +3,142 @@ /* * AUTHOR: Samuel Muñoz Hidalgo * EMAIL: samuel.mh@gmail.com -* LAST REVISION: 1-DEC-08 -* DESCRIPTION: 'login-infocard' module configuration. +* LAST REVISION: 13-FEB-09 +* DESCRIPTION: 'InfoCard' module configuration for simpleSAMLphp. --server_key: --server_crt: --IClogo: InfoCard logo (template's button) - - -Definitions taken from: +Some definitions were taken from: A Guide to Using the Identity Selector Interoperability Profile V1.5 within Web Applications and Browsers. Copyright Microsoft -" --issuer (optional) - This parameter specifies the URL of the STS from which to obtain a token. If omitted, no - specific STS is requested. The special value - “http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self” specifies that the - token should come from a Self-issued Identity Provider. - --issuerPolicy (optional) - This parameter specifies the URL of an endpoint from which the STS’s WS-SecurityPolicy - can be retrieved using WS-MetadataExchange. This endpoint must use HTTPS. - --tokenType (optional) - This parameter specifies the type of the token to be requested from the STS as a URI. Th - parameter can be omitted if the STS and the Web site front-end have a mutual - understanding about what token type will be provided or if the Web site is willing to accep - any token type. - --requiredClaims (optional) - This parameter specifies the types of claims that must be supplied by the identity. If - omitted, there are no required claims. The value of requiredClaims is a space-separate - list of URIs, each specifying a required claim type. - --optionalClaims (optional) - This parameter specifies the types of optional claims that may be supplied by the identity - If omitted, there are no optional claims. The value of optionalClaims is a space-separat - list of URIs, each specifying a claim type that can be optionally submitted. 
- --privacyUrl (optional) - This parameter specifies the URL of the human-readable Privacy Policy of the site, if - provided. -" - - --Claims supported by the current schema - givenname - surname - emailaddress - streetaddress - locality - stateorprovince - postalcode - country - primaryphone - dateofbirth - privatepersonalid - gender - webpage */ $config = array ( - 'server_key' => '/etc/apache2/ssl/idp.key', - 'server_crt' => '/etc/apache2/ssl/idp.crt', +//------------- TEMPLATE OPTIONS --------------- + 'IClogo' => 'resources/infocard_114x80.png', //Infocard logo button + 'help_desk_email_URL' => 'mailto:asd@asd.com', //Help desk e-mail + 'contact_info_URL' => 'http://google.es', //Contact information + + + + +//------------- CERTIFICATE OPTIONS --------------- + + /* + * USED IN: Relying Party + * DESCRIPTION: Key of the certificate used in the https connection with the idp, it'll be used + * for decrypting the received XML token, + */ + 'idp_key' => '/etc/apache2/ssl/idp.key', + + + /* + * USED IN: Relying Party + * DESCRIPTION: Only accept tokens signed with this certificate, + * if no certificate is set, it'll be assumed to accept + * a self isued token and accept any token. + */ 'sts_crt' => '/etc/apache2/ssl/sts.crt', - 'IClogo' => 'resources/infocard_114x80.png', - + /* + * USED IN: Infocard Generator, STS + * DESCRIPTION: STS certificate for signing Infocards and tokens. + */ + 'sts_key' => '/etc/apache2/ssl/sts.key', + + + /* + * USED IN: + * DESCRIPTION: Array of certificates forming a trust chain. The local signing + * certificate is [0], the one that signed that is [1], etc, chaining to a + * trust anchor. + * HINT: The first one, [0], should be the same as the sts_crt. 
+ */ + 'certificates' => array( + 0 => '/etc/apache2/ssl/sts.crt', + 1 => '/etc/apache2/ssl/CA.crt' + ), + + + +//------------- DATA (InfoCard) OPTIONS --------------- + + /* + * USED IN: InfoCard Generator, Relying Party and STS + * DESCRIPTION: Infocard information + */ 'InfoCard' => array( + /* + * -issuer (optional, taken from the sts_crt common name value, if no set, self issuer is assumed ) + * This parameter specifies the URL of the STS from which to obtain a token. If omitted, no + * specific STS is requested. The special value + * “http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self” specifies that the + * token should come from a Self-issued Identity Provider + */ + /* + * Root of the current InfoCard schema + */ 'schema' => 'http://schemas.xmlsoap.org/ws/2005/05/identity', - 'issuer' => 'https://sts/tokenservice.php', + /* + * -issuerPolicy (optional) + * This parameter specifies the URL of an endpoint from which the STS’s WS-SecurityPolicy + * can be retrieved using WS-MetadataExchange. This endpoint must use HTTPS. + */ 'issuerPolicy' => '', + /* + * -privacyUrl (optional) + * This parameter specifies the URL of the human-readable Privacy Policy of the site, if + * provided. + */ 'privacyURL' => '', + /* + * -tokenType (optional) + * This parameter specifies the type of the token to be requested from the STS as a URI. Th + * parameter can be omitted if the STS and the Web site front-end have a mutual + * understanding about what token type will be provided or if the Web site is willing to accep + * any token type. + */ 'tokenType' => 'urn:oasis:names:tc:SAML:1.0:assertion', + + /*-Claims supported by the current schema + givenname + surname + emailaddress + streetaddress + locality + stateorprovince + postalcode + country + primaryphone + dateofbirth + privatepersonalid + gender + webpage + */ + + /* + * -requiredClaims (optional) + * This parameter specifies the types of claims that must be supplied by the identity. 
If + * omitted, there are no required claims. The value of requiredClaims is a space-separate + * list of URIs, each specifying a required claim type. + */ 'requiredClaims' => array( 'privatepersonalidentifier' => array('displayTag'=>"Id", 'description'=>"id"), 'givenname' => array('displayTag'=>"Given Name", 'description'=>"etc"), 'surname' => array('displayTag'=>"Surname", 'description'=>"apellidos"), 'emailaddress' => array('displayTag'=>"e-mail", 'description'=>"E-mail address") ), + /* + * -optionalClaims (optional) + * This parameter specifies the types of optional claims that may be supplied by the identity + * If omitted, there are no optional claims. The value of optionalClaims is a space-separat + * list of URIs, each specifying a claim type that can be optionally submitted + */ 'optionalClaims' => array( 'country' => array('displayTag'=>"country", 'description'=>"País"), 'webpage' => array('displayTag'=>"webpage", 'description'=>"Página web") 
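Review bot: The comment added above `'sts_crt'` documents that an unset value makes the relying party "accept any token", which switches off the only signer check on an incoming token by omission, yet the template states it as an aside. Suggest adding the line `* NOTE: leave unset ONLY for self-issued cards; with no sts_crt the RP does not verify who signed the token.` to that comment block so an operator copying the template cannot miss the consequence. The `'certificates'` block leaves its `USED IN:` field blank; the `extra/getinfocard.php` and `extra/mex.php` files deleted by this same patch read `$ICconfig['certificates']` for the card signature's KeyInfo and for metadata exchange, so presumably `USED IN: InfoCard Generator, STS (Metadata-Exchange)` is the intended value, to be confirmed against the new `lib/STS.php` and `www/mex.php`. The `$config` array opened in this hunk continues into the next one.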
@@ -96,20 +146,58 @@ $config = array ( ), -//STS only -// array of certificates forming a trust chain. The local signing -// certificate is [0], the one that signed that is [1], etc, chaining to a -// trust anchor. + + +//------------- WEB PAGES --------------- - 'CardGenerator' => 'https://idp.aut.uah.es/simplesaml/module.php/InfoCard/getinfocard.php', - 'certificates' => array( - 0 => '/etc/apache2/ssl/sts.crt', - 1 => '/etc/apache2/ssl/CA.crt' - ), + /* + * USED IN: InfoCard Generator, Relying Party (optional form) + * DESCRIPTION: Infocard generator URL, if set it'll appear a form with username-password authentication in the template + */ + 'CardGenerator' => 'https://sts.aut.uah.es/simplesaml/module.php/InfoCard/getcardform.php', + + + /* + * USED IN: InfoCard Generator, Relying Party (issuer), STS (Metadata-Exchange) + * DESCRIPTION: Token generator URL + */ + 'tokenserviceurl' => 'https://sts.aut.uah.es/simplesaml/module.php/InfoCard/tokenservice.php', - 'sts_key' => '/etc/apache2/ssl/sts.key', - 'tokenserviceurl' => 'https://sts/tokenservice.php', - 'mexurl' => 'https://sts/mex.php', + + /* + * USED IN: InfoCard Generator + * DESCRIPTION: Metadata Exchange URL + */ + 'mexurl' => 'https://sts.aut.uah.es/simplesaml/module.php/InfoCard/mex.php', + + + + +//------------- CREDENTIALS --------------- + + /* + * USED IN: InfoCard Generator, Relying Party (optional form) + * TYPES: UsernamePasswordCredential, KerberosV5Credential, X509V3Credential, SelfIssuedCredential + * DESCRIPTION: How the user will be authenticated + * IMPLEMENTED & TESTED: UsernamePasswordCredential, SelfIssuedCredential + */ + 'UserCredential' => 'SelfIssuedCredential', + + + + +//------------- DEBUG --------------- + + /* + * USED IN: tokenservice + * DESCRIPTION: directory where RSTs and RSTRs will be logged EJ: /tmp. + * If null, logging will be dissabled. 
+ * The directory MUST exists and be accessible to the program, otherwise NO log will be written + * Log files have the form urn:uuid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.log where X is an hexadecimal digit [0-9|a-f] + */ + 'debugDir' => '/tmp', + ); + ?> \ No newline at end of file diff --git a/modules/InfoCard/dictionaries/logininfocard.php b/modules/InfoCard/dictionaries/dict-InfoCard.php similarity index 61% rename from modules/InfoCard/dictionaries/logininfocard.php rename to modules/InfoCard/dictionaries/dict-InfoCard.php index a8525b813..0affd8164 100644 --- a/modules/InfoCard/dictionaries/logininfocard.php +++ b/modules/InfoCard/dictionaries/dict-InfoCard.php @@ -44,6 +44,24 @@ $lang = array( 'pt' => '', 'pt-BR' => '', ), + 'get_IC_link' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => 'Click here to get your InfoCard', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => 'Pinche aquí para conseguir su InfoCard', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), 'form_username' => array ( 'no' => '', 'nn' => '', 
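Review bot: `'debugDir' => '/tmp',` ships the template with RST/RSTR logging enabled into a world-writable shared directory, and the comment just above says these files hold the token requests and responses, i.e. the issued tokens themselves; the safe default is the documented off value, `'debugDir' => null,`, with operators pointing it at a directory readable only by the web server when they need the trace. The same comment says log names have the form `urn:uuid:XXXX...log` with hexadecimal digits; if that name is derived from the request's MessageID, `tokenservice.php` should check it against that pattern before opening the file, which cannot be confirmed from this hunk. Minor wording in the comment: `dissabled` should read `disabled` and `The directory MUST exists` should read `The directory MUST exist`. The `$config` array opened in the previous hunk closes here.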
@@ -250,6 +268,186 @@ $lang = array( 'hu' => 'Elérési információk', 'pt' => 'Contactos', 'pt-BR' => 'Informações de Contato', + ), + 'getcardform_title' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => 'Authentication form', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => 'Formulario de autenticación', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), + 'getcardform_self_title' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => 'Self-Issued Card form', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => 'Formulario de tarjeta autogestionada', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), + 'getcardform_self_text' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => 'Please, enter a self issued InfoCard in order to link it with the managed one we are generating.', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => 'Por favor, introduzca una InfoCard autogestionada para ligarla a la que vamos a generarle.', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), + 'getcardform_finished_title' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => 'Congratulations, your Infocard was succesfully generated', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => 'Enhorabuena, generó su Infocard con éxito', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), + 'getcardform_finished_text' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => 'Please follow the next link to get to the login page.', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => 'Siga el siguiente enlace para ir a la página de login', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), + 'NO_password' => array 
( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => 'Please fill in your password', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => 'Introduce una contraseña', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), + 'NO_user' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => 'Please fill in your username', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => 'Introduce tu nombre de usuario', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), + 'Wrong_user_pass' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => 'Wrong username or password', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => 'Usuario o contraseña inválidos ', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), + '' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => '', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => '', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', + ), + '' => array ( + 'no' => '', + 'nn' => '', + 'da' => '', + 'en' => '', + 'de' => '', + 'sv' => '', + 'fi' => '', + 'es' => '', + 'fr' => '', + 'nl' => '', + 'lb' => '', + 'sl' => '', + 'hr' => '', + 'hu' => '', + 'pt' => '', + 'pt-BR' => '', ), ); diff --git a/modules/InfoCard/docs/usage.txt b/modules/InfoCard/docs/usage.txt index c90dbe409..5495a9b94 100644 --- a/modules/InfoCard/docs/usage.txt +++ b/modules/InfoCard/docs/usage.txt @@ -9,9 +9,10 @@ Information cards module for simpleSAMLphp AUTHOR: Samuel Muñoz Hidalgo EMAIL: samuel.mh@gmail.com - LAST REVISION: 22-DEC-08 + LAST REVISION: 13-FEB-09 DESCRIPTION: What you should read before starting doing things. + Introduction ------------- 
@@ -25,7 +26,7 @@ RP : Acting as a Relying Party, you can accept user authentication through InfoCards comsumming tokens sent by aSTS. STS -: Acting as a Secure Token Service you can provide information to a RP generating tokens. Currently, only user-password authentication is supported. +: Acting as a Secure Token Service you can provide information to a RP generating tokens. Currently, only user password and self issued credentials are supported. InfoCard Generator : Your users could request their InfoCard filling a form with their username and password. diff --git a/modules/InfoCard/extra/config-login-infocard.php b/modules/InfoCard/extra/config-login-infocard.php deleted file mode 100644 index e94d75742..000000000 --- a/modules/InfoCard/extra/config-login-infocard.php +++ /dev/null 
@@ -1,174 +0,0 @@ -<?php - -/* -* AUTHOR: Samuel Muñoz Hidalgo -* EMAIL: samuel.mh@gmail.com -* LAST REVISION: 22-DEC-08 -* DESCRIPTION: 'InfoCard' module configuration for simpleSAMLphp. - - -Some definitions were taken from: -A Guide to Using the Identity Selector -Interoperability Profile V1.5 within Web -Applications and Browsers. -Copyright Microsoft - -*/ - - -$config = array ( - -//------------- TEMPLATE OPTIONS --------------- - 'IClogo' => 'resources/infocard_114x80.png', //Infocard logo button - 'help_desk_email_URL' => 'mailto:asd@asd.com', //Help desk e-mail - 'contact_info_URL' => 'http://google.es', //Contact information - - - - -//------------- CERTIFICATE OPTIONS --------------- - - /* - * USED IN: Relying Party - * DESCRIPTION: Key of the certificate used in the https connection with the idp, it'll be used - * for decrypting the received XML token, - */ - 'idp_key' => '/etc/apache2/ssl/idp.key', - - - /* - * USED IN: Relying Party - * DESCRIPTION: Only accept tokens signed with this certificate, - * if no certificate is set, it'll be assumed to accept - * a self isued token and accept any token. - */ - 'sts_crt' => '/etc/apache2/ssl/sts.crt', - - - /* - * USED IN: Infocard Generator, STS - * DESCRIPTION: STS certificate for signing Infocards and tokens. - */ - 'sts_key' => '/etc/apache2/ssl/sts.key', - - - /* - * USED IN: - * DESCRIPTION: Array of certificates forming a trust chain. The local signing - * certificate is [0], the one that signed that is [1], etc, chaining to a - * trust anchor. - * HINT: The first one, [0], should be the same as the sts_crt. 
- */ - 'certificates' => array( - 0 => '/etc/apache2/ssl/sts.crt', - 1 => '/etc/apache2/ssl/CA.crt' - ), - - - -//------------- DATA (InfoCard) OPTIONS --------------- - - /* - * USED IN: InfoCard Generator, Relying Party and STS - * DESCRIPTION: Infocard information - */ - 'InfoCard' => array( - /* - * -issuer (optional, taken from the sts_crt common name value, if no set, self issuer is assumed ) - * This parameter specifies the URL of the STS from which to obtain a token. If omitted, no - * specific STS is requested. The special value - * “http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self” specifies that the - * token should come from a Self-issued Identity Provider - */ - /* - * Root of the current InfoCard schema - */ - 'schema' => 'http://schemas.xmlsoap.org/ws/2005/05/identity', - /* - * -issuerPolicy (optional) - * This parameter specifies the URL of an endpoint from which the STS’s WS-SecurityPolicy - * can be retrieved using WS-MetadataExchange. This endpoint must use HTTPS. - */ - 'issuerPolicy' => '', - /* - * -privacyUrl (optional) - * This parameter specifies the URL of the human-readable Privacy Policy of the site, if - * provided. - */ - 'privacyURL' => '', - /* - * -tokenType (optional) - * This parameter specifies the type of the token to be requested from the STS as a URI. Th - * parameter can be omitted if the STS and the Web site front-end have a mutual - * understanding about what token type will be provided or if the Web site is willing to accep - * any token type. - */ - 'tokenType' => 'urn:oasis:names:tc:SAML:1.0:assertion', - - /*-Claims supported by the current schema - givenname - surname - emailaddress - streetaddress - locality - stateorprovince - postalcode - country - primaryphone - dateofbirth - privatepersonalid - gender - webpage - */ - - /* - * -requiredClaims (optional) - * This parameter specifies the types of claims that must be supplied by the identity. If - * omitted, there are no required claims. 
The value of requiredClaims is a space-separate - * list of URIs, each specifying a required claim type. - */ - 'requiredClaims' => array( - 'privatepersonalidentifier' => array('displayTag'=>"Id", 'description'=>"id"), - 'givenname' => array('displayTag'=>"Given Name", 'description'=>"etc"), - 'surname' => array('displayTag'=>"Surname", 'description'=>"apellidos"), - 'emailaddress' => array('displayTag'=>"e-mail", 'description'=>"E-mail address") - ), - /* - * -optionalClaims (optional) - * This parameter specifies the types of optional claims that may be supplied by the identity - * If omitted, there are no optional claims. The value of optionalClaims is a space-separat - * list of URIs, each specifying a claim type that can be optionally submitted - */ - 'optionalClaims' => array( - 'country' => array('displayTag'=>"country", 'description'=>"País"), - 'webpage' => array('displayTag'=>"webpage", 'description'=>"Página web") - ), - ), - - - - -//------------- WEB PAGES --------------- - - /* - * USED IN: InfoCard Generator, Relying Party (optional form) - * DESCRIPTION: Infocard generator URL, if set it'll appear a form with username-password authentication in the template - */ -// 'CardGenerator' => 'https://sts.aut.uah.es/simplesaml/module.php/InfoCard/getinfocard.php', - - - /* - * USED IN: InfoCard Generator, Relying Party (issuer), STS (Metadata-Exchange) - * DESCRIPTION: Token generator URL - */ - 'tokenserviceurl' => 'https://sts.aut.uah.es/simplesaml/module.php/InfoCard/tokenservice.php', - - - /* - * USED IN: InfoCard Generator - * DESCRIPTION: Metadata Exchange URL - */ - 'mexurl' => 'https://sts.aut.uah.es/simplesaml/module.php/InfoCard/mex.php', -); - -?> \ No newline at end of file diff --git a/modules/InfoCard/extra/getinfocard.php b/modules/InfoCard/extra/getinfocard.php deleted file mode 100644 index d1fac6a9a..000000000 --- a/modules/InfoCard/extra/getinfocard.php +++ /dev/null 
@@ -1,198 +0,0 @@ -<?php - - -/* -* COAUTHOR: Samuel Muñoz Hidalgo -* EMAIL: samuel.mh@gmail.com -* LAST REVISION: 22-DEC-08 -* DESCRIPTION: InfoCard module Infocard generator -*/ - -//Generate a raw InfoCard with the given data and the configuration -//NOTA: hay namespaces totalmente innecesarios desde un punto de vista práctico xml, están cubiertos por el nodo -// Signature, pero si no se ponen, la canonicalización de generación de firma la de comprobación son diferentes -// y no funciona. -//EJ: xmlns="http://www.w3.org/2000/09/xmldsig#" en los nodos Object y SignedInfo - -function create_card($ICdata,$ICconfig) { - - $infocardbuf = "<Object Id=\"IC01\" xmlns=\"http://www.w3.org/2000/09/xmldsig#\">"; - $infocardbuf .= "<InformationCard xml:lang=\"en-us\" xmlns=\"http://schemas.xmlsoap.org/ws/2005/05/identity\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:wst=\"http://schemas.xmlsoap.org/ws/2005/02/trust\" xmlns:wsx=\"http://schemas.xmlsoap.org/ws/2004/09/mex\">"; - - //cardId - $infocardbuf .= "<InformationCardReference>"; - $infocardbuf .= "<CardId>".$ICdata['CardId']."</CardId>"; //xs:anyURI cardId (="$cardurl/$ppid"; $ppid = "$uname-" . 
time();) - $infocardbuf .= "<CardVersion>1</CardVersion>"; //xs:unsignedInt - $infocardbuf .= "</InformationCardReference>"; - - //cardName - $infocardbuf .= "<CardName>".$ICdata['CardName']."</CardName>"; - - //image - $infocardbuf .= "<CardImage MimeType=\"".mime_content_type($ICdata['CardImage'])."\">"; - $infocardbuf .= base64_encode(file_get_contents($ICdata['CardImage'])); - $infocardbuf .= "</CardImage>"; - - //issuer - times - $infocardbuf .= "<Issuer>".$ICconfig['InfoCard']['issuer']."</Issuer>"; - $infocardbuf .= "<TimeIssued>".gmdate('Y-m-d').'T'.gmdate('H:i:s').'Z'."</TimeIssued>"; - $infocardbuf .= "<TimeExpires>".$ICdata['TimeExpires']."</TimeExpires>"; - - //Token Service List - $infocardbuf .= "<TokenServiceList>"; - $infocardbuf .= "<TokenService>"; - $infocardbuf .= "<wsa:EndpointReference>"; - $infocardbuf .= "<wsa:Address>".$ICconfig['tokenserviceurl']."</wsa:Address>"; - $infocardbuf .= "<wsa:Metadata>"; - $infocardbuf .= "<wsx:Metadata>"; - $infocardbuf .= "<wsx:MetadataSection>"; - $infocardbuf .= "<wsx:MetadataReference>"; - $infocardbuf .= "<wsa:Address>".$ICconfig['mexurl']."</wsa:Address>"; - $infocardbuf .= "</wsx:MetadataReference>"; - $infocardbuf .= "</wsx:MetadataSection>"; - $infocardbuf .= "</wsx:Metadata>"; - $infocardbuf .= "</wsa:Metadata>"; - $infocardbuf .= "</wsa:EndpointReference>"; - - - - /*Types of User Credentials - * UsernamePasswordCredential - * KerberosV5Credential - * X509V3Credential - * SelfIssuedCredential - */ - $infocardbuf .= "<UserCredential>"; - $infocardbuf .= "<DisplayCredentialHint>".$ICdata['DisplayCredentialHint']."</DisplayCredentialHint>"; - switch($ICdata['UserCredential']){ - case "UsernamePasswordCredential": - $infocardbuf .= "<UsernamePasswordCredential>"; - $infocardbuf .= "<Username>".$ICdata['UserName']."</Username>"; - $infocardbuf .= "</UsernamePasswordCredential>"; - break; - case "KerberosV5Credential": - $infocardbuf .= "<KerberosV5Credential/>"; - break; - case "X509V3Credential": - 
$infocardbuf .= "<X509V3Credential>"; - $infocardbuf .= "<ds:X509Data>"; - $infocardbuf .= "<wsse:KeyIdentifier ValueType=\"http://docs.oasis-open.org/wss/2004/xx/oasis-2004xx-wss-soap-message-security-1.1#ThumbprintSHA1\" EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis200401-wss-soap-message-security-1.0#Base64Binary"> - /*This element provides a key identifier for the X.509 certificate based on the SHA1 hash - of the entire certificate content expressed as a “thumbprint.” Note that the extensibility - point in the ds:X509Data element is used to add wsse:KeyIdentifier as a child - element.*/ - $infocardbuf .= $ICdata['KeyIdentifier']; //xs:base64binary; - $infocardbuf .= "</wsse:KeyIdentifier>"; - $infocardbuf .= "</ds:X509Data>"; - $infocardbuf .= "</X509V3Credential>"; - break; - default: //SelfIssuedCredential - $infocardbuf .= "<SelfIssuedCredential>"; - $infocardbuf .= "<PrivatePersonalIdentifier>"; - $infocardbuf .= $ICdata['PPID']; //xs:base64binary; - $infocardbuf .= "</PrivatePersonalIdentifier>"; - $infocardbuf .= "</SelfIssuedCredential> "; - break; - } - $infocardbuf .= "</UserCredential>"; - - $infocardbuf .= "</TokenService>"; - $infocardbuf .= "</TokenServiceList>"; - - - //Tokentype - $infocardbuf .= "<SupportedTokenTypeList>"; - $infocardbuf .= "<wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>"; - $infocardbuf .= "</SupportedTokenTypeList>"; - - //Claims - $infocardbuf .= "<SupportedClaimTypeList>"; - $url = $ICconfig['InfoCard']['schema']."/claims/"; - foreach ($ICconfig['InfoCard']['requiredClaims'] as $claim=>$data) { - $infocardbuf .= "<SupportedClaimType Uri=\"".$url.$claim."\">"; - $infocardbuf .= "<DisplayTag>".$data['displayTag']."</DisplayTag>"; - $infocardbuf .= "<Description>".$data['description']."</Description>"; - $infocardbuf .= "</SupportedClaimType>"; - } - foreach ($ICconfig['InfoCard']['optionalClaims'] as $claim=>$data) { - $infocardbuf .= "<SupportedClaimType Uri=\"".$url.$claim."\">"; - 
$infocardbuf .= "<DisplayTag>".$data['displayTag']."</DisplayTag>"; - $infocardbuf .= "<Description>".$data['description']."</Description>"; - $infocardbuf .= "</SupportedClaimType>"; - } - $infocardbuf .= "</SupportedClaimTypeList>"; - - //Privacy URL - $infocardbuf .= "<PrivacyNotice>".$ICconfig['InfoCard']['privacyURL']."</PrivacyNotice>"; - - $infocardbuf .= "</InformationCard>"; - $infocardbuf .= "</Object>"; - - $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($infocardbuf); - - //construct a SignedInfo block - $signedinfo = "<SignedInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">"; - $signedinfo .= "<CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>"; - $signedinfo .= "<SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>"; - $signedinfo .= "<Reference URI=\"#IC01\">"; - $signedinfo .= "<Transforms>"; - $signedinfo .= "<Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>"; - $signedinfo .= "</Transforms>"; - $signedinfo .= "<DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>"; - $signedinfo .= "<DigestValue>".base64_encode(sha1($canonicalbuf, TRUE))."</DigestValue>"; - $signedinfo .= "</Reference>"; - $signedinfo .= "</SignedInfo>"; - - $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($signedinfo); - - $signature = ''; - $privkey = openssl_pkey_get_private(file_get_contents($ICconfig['sts_key'])); - openssl_sign($canonicalbuf, &$signature, $privkey); - openssl_free_key($privkey); - $infocard_signature = base64_encode($signature); - - //Envelope - $buf = "<Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\">"; - $buf .= $signedinfo; - $buf .= "<SignatureValue>".$infocard_signature."</SignatureValue>"; - $buf .= "<KeyInfo>"; - $buf .= "<X509Data>"; - // signing certificate(s) - foreach ($ICconfig['certificates'] as $idx=>$cert) - $buf .= "<X509Certificate>".sspmod_InfoCard_Utils::takeCert($cert)."</X509Certificate>"; - $buf .= "</X509Data>"; - $buf .= "</KeyInfo>"; - 
$buf .= $infocardbuf; - $buf .= "</Signature>"; - - return $buf; -} - - - -$username = $_POST['username']; -$password = $_POST['password']; - -if (sspmod_InfoCard_UserFunctions::validateUser($username,$password)){ - - $config = SimpleSAML_Configuration::getInstance(); - $autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php'); - $ICconfig['InfoCard'] = $autoconfig->getValue('InfoCard'); - $ICconfig['InfoCard']['issuer'] = $autoconfig->getValue('tokenserviceurl');//sspmod_InfoCard_Utils::getIssuer($sts_crt); - $ICconfig['tokenserviceurl'] = $autoconfig->getValue('tokenserviceurl'); - $ICconfig['mexurl'] = $autoconfig->getValue('mexurl'); - $ICconfig['sts_key'] = $autoconfig->getValue('sts_key'); - $ICconfig['certificates'] = $autoconfig->getValue('certificates'); - - $ICdata = sspmod_InfoCard_UserFunctions::fillICdata($username); - - $IC = create_card($ICdata,$ICconfig); - header("Content-Disposition: attachment; filename=\"".$ICdata['CardName'].".crd\""); - header('Content-Type: application/x-informationcard'); - header('Content-Length:'.strlen($IC)); -}else{ - $IC = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\" lang=\"en\"><head><title>ERROR!</title></head><body><h1>Wrong credentials!</h1> Could not authenticate you</body></html>"; -} - -echo $IC; -?> diff --git a/modules/InfoCard/extra/mex.php b/modules/InfoCard/extra/mex.php deleted file mode 100644 index ba7f3908c..000000000 --- a/modules/InfoCard/extra/mex.php +++ /dev/null 
@@ -1,441 +0,0 @@
-<?php
-/*
- * Copyright (C) 2007 Carillon Information Security Inc.
- *
- * WS-MetadataExchange responder for the Carillon STS. Everything is
- * pretty much hard-coded -- the only things that get customized are the
- * tokenservice URL and the certificate.
- *
- */
-
-/*
-* COAUTHOR: Samuel Muñoz Hidalgo
-* EMAIL: samuel.mh@gmail.com
-* LAST REVISION: 22-DEC-08
-* DESCRIPTION: InfoCard module metadata exchange
-*/
-
-
-$method = $_SERVER["REQUEST_METHOD"];
-if ($method == "POST")
- $use_soap = true;
-else
- $use_soap = false;
-
-if ($use_soap)
- Header('Content-Type: application/soap+xml;charset=utf-8');
-else
- Header('Content-Type: application/xml;charset=utf-8');
-
-$config = SimpleSAML_Configuration::getInstance();
-$autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php');
-$ICconfig['tokenserviceurl'] = $autoconfig->getValue('tokenserviceurl');
-$ICconfig['certificates'] = $autoconfig->getValue('certificates');
-
-
-// Grab the important parts of the token request. That's pretty much just
-// the request ID.
-$request_id = '';
-if ($use_soap && strlen($HTTP_RAW_POST_DATA))
-{
- $token = new DOMDocument();
- $token->loadXML($HTTP_RAW_POST_DATA);
- $doc = $token->documentElement;
- $elements = $doc->getElementsByTagname('MessageID');
- $request_id = $elements->item(0)->nodeValue;
-}
-
-$buf = '<?xml version="1.0"?>';
-
-if ($use_soap)
-{
- $buf .= '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">';
- $buf .= '<s:Header>';
- $buf .= '<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2004/09/transfer/GetResponse</a:Action>';
- if ($request_id)
- $buf .= "<a:RelatesTo>$request_id</a:RelatesTo>";
- $buf .= '</s:Header>';
- $buf .= '<s:Body>';
-}
-$buf .= '<Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">';
-$buf .= '<wsx:MetadataSection xmlns="" Dialect="http://schemas.xmlsoap.org/wsdl/" Identifier="http://schemas.xmlsoap.org/ws/2005/02/trust">';
-$buf .= '<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:wsa10="http://www.w3.org/2005/08/addressing" targetNamespace="http://schemas.xmlsoap.org/ws/2005/02/trust">';
-$buf .= '<wsdl:types>';
-$buf .= '<xsd:schema targetNamespace="http://schemas.xmlsoap.org/ws/2005/02/trust/Imports">';
-$buf .= '<xsd:import 
namespace="http://schemas.microsoft.com/Message"/>'; -$buf .= '</xsd:schema>'; -$buf .= '</wsdl:types>'; -$buf .= '<wsdl:message name="IWSTrustContract_Cancel_InputMessage">'; -$buf .= '<wsdl:part xmlns:q1="http://schemas.microsoft.com/Message" name="request" type="q1:MessageBody"/>'; -$buf .= '</wsdl:message>'; -$buf .= '<wsdl:message name="IWSTrustContract_Cancel_OutputMessage">'; -$buf .= '<wsdl:part xmlns:q2="http://schemas.microsoft.com/Message" name="CancelResult" type="q2:MessageBody"/>'; -$buf .= '</wsdl:message>'; -$buf .= '<wsdl:message name="IWSTrustContract_Issue_InputMessage">'; -$buf .= '<wsdl:part xmlns:q3="http://schemas.microsoft.com/Message" name="request" type="q3:MessageBody"/>'; -$buf .= '</wsdl:message>'; -$buf .= '<wsdl:message name="IWSTrustContract_Issue_OutputMessage">'; -$buf .= '<wsdl:part xmlns:q4="http://schemas.microsoft.com/Message" name="IssueResult" type="q4:MessageBody"/>'; -$buf .= '</wsdl:message>'; -$buf .= '<wsdl:message name="IWSTrustContract_Renew_InputMessage">'; -$buf .= '<wsdl:part xmlns:q5="http://schemas.microsoft.com/Message" name="request" type="q5:MessageBody"/>'; -$buf .= '</wsdl:message>'; -$buf .= '<wsdl:message name="IWSTrustContract_Renew_OutputMessage">'; -$buf .= '<wsdl:part xmlns:q6="http://schemas.microsoft.com/Message" name="RenewResult" type="q6:MessageBody"/>'; -$buf .= '</wsdl:message>'; -$buf .= '<wsdl:message name="IWSTrustContract_Validate_InputMessage">'; -$buf .= '<wsdl:part xmlns:q7="http://schemas.microsoft.com/Message" name="request" type="q7:MessageBody"/>'; -$buf .= '</wsdl:message>'; -$buf .= '<wsdl:message name="IWSTrustContract_Validate_OutputMessage">'; -$buf .= '<wsdl:part xmlns:q8="http://schemas.microsoft.com/Message" name="ValidateResult" type="q8:MessageBody"/>'; -$buf .= '</wsdl:message>'; -$buf .= '<wsdl:portType name="IWSTrustContract">'; -$buf .= '<wsdl:operation name="Cancel">'; -$buf .= '<wsdl:input wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel" 
message="tns:IWSTrustContract_Cancel_InputMessage"/>'; -$buf .= '<wsdl:output wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Cancel" message="tns:IWSTrustContract_Cancel_OutputMessage"/>'; -$buf .= '</wsdl:operation>'; -$buf .= '<wsdl:operation name="Issue">'; -$buf .= '<wsdl:input wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" message="tns:IWSTrustContract_Issue_InputMessage"/>'; -$buf .= '<wsdl:output wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue" message="tns:IWSTrustContract_Issue_OutputMessage"/>'; -$buf .= '</wsdl:operation>'; -$buf .= '<wsdl:operation name="Renew">'; -$buf .= '<wsdl:input wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew" message="tns:IWSTrustContract_Renew_InputMessage"/>'; -$buf .= '<wsdl:output wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Renew" message="tns:IWSTrustContract_Renew_OutputMessage"/>'; -$buf .= '</wsdl:operation>'; -$buf .= '<wsdl:operation name="Validate">'; -$buf .= '<wsdl:input wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate" message="tns:IWSTrustContract_Validate_InputMessage"/>'; -$buf .= '<wsdl:output wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Validate" message="tns:IWSTrustContract_Validate_OutputMessage"/>'; -$buf .= '</wsdl:operation>'; -$buf .= '</wsdl:portType>'; -$buf .= '</wsdl:definitions>'; -$buf .= '</wsx:MetadataSection>'; -$buf .= '<wsx:MetadataSection xmlns="" Dialect="http://schemas.xmlsoap.org/wsdl/" Identifier="http://tempuri.org/">'; -$buf .= '<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://tempuri.org/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
xmlns:i0="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:wsa10="http://www.w3.org/2005/08/addressing" name="STS" targetNamespace="http://tempuri.org/">'; -$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<wsp:Policy>'; -$buf .= '<sp:TransportToken>'; -$buf .= '<wsp:Policy>'; -$buf .= '<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">'; -$buf .= '<wsp:Policy>'; -$buf .= '<sp:RequireThumbprintReference/>'; -$buf .= '<sp:WssX509V3Token10/>'; -$buf .= '</wsp:Policy>'; -$buf .= '</sp:X509Token>'; -$buf .= '</wsp:Policy>'; -$buf .= '</sp:TransportToken>'; -$buf .= '<sp:AlgorithmSuite>'; -$buf .= '<wsp:Policy>'; -$buf .= '<sp:Basic128/>'; -$buf .= '</wsp:Policy>'; -$buf .= '</sp:AlgorithmSuite>'; -$buf .= '<sp:Layout>'; -$buf .= '<wsp:Policy>'; -$buf .= '<sp:Strict/>'; -$buf .= '</wsp:Policy>'; -$buf .= '</sp:Layout>'; -if ($_GET['auth'] == 'x509') - $buf .= '<sp:IncludeTimestamp/>'; -$buf .= '</wsp:Policy>'; -$buf .= '</sp:TransportBinding>'; - -// is this metadata for an infocard that wants an x509-authenticated -// token, or a username/password token? 
-if ($_GET['auth'] == 'x509') -{ - $buf .= '<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; - $buf .= '<wsp:Policy>'; - $buf .= '<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">'; - $buf .= '<wsp:Policy>'; - $buf .= '<sp:RequireThumbprintReference/>'; - $buf .= '<sp:WssX509V3Token10/>'; - $buf .= '</wsp:Policy>'; - $buf .= '</sp:X509Token>'; - $buf .= '</wsp:Policy>'; - $buf .= '</sp:EndorsingSupportingTokens>'; -} -else -{ - $buf .= '<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; - $buf .= '<wsp:Policy>'; - $buf .= '<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">'; - $buf .= '<wsp:Policy>'; - $buf .= '<sp:WssUsernameToken10/>'; - $buf .= '</wsp:Policy>'; - $buf .= '</sp:UsernameToken>'; - $buf .= '</wsp:Policy>'; - $buf .= '</sp:SignedSupportingTokens>'; -} - -$buf .= '<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<wsp:Policy>'; -$buf .= '<sp:MustSupportRefKeyIdentifier/>'; -$buf .= '<sp:MustSupportRefIssuerSerial/>'; -$buf .= '<sp:MustSupportRefThumbprint/>'; -$buf .= '<sp:MustSupportRefEncryptedKey/>'; -$buf .= '</wsp:Policy>'; -$buf .= '</sp:Wss11>'; -$buf .= '<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<wsp:Policy>'; -$buf .= '<sp:MustSupportIssuedTokens/>'; -$buf .= '<sp:RequireServerEntropy/>'; -$buf .= '</wsp:Policy>'; -$buf .= '</sp:Trust10>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; -$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Cancel_Input_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '<sp:Header Name="To" 
Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '</sp:SignedParts>'; -$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '</sp:EncryptedParts>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; -$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Cancel_output_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '</sp:SignedParts>'; -$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '</sp:EncryptedParts>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; -$buf .= 
'<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Issue_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<wsp:Policy>'; -$buf .= '<mssp:RsaToken xmlns:mssp="http://schemas.microsoft.com/ws/2005/07/securitypolicy" sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never" wsp:Optional="true"/>'; -$buf .= '</wsp:Policy>'; -$buf .= '</sp:EndorsingSupportingTokens>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; -$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Issue_Input_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '</sp:SignedParts>'; -$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '</sp:EncryptedParts>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; -$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Issue_output_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= 
'<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '</sp:SignedParts>'; -$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '</sp:EncryptedParts>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; -$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Renew_Input_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '</sp:SignedParts>'; -$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '</sp:EncryptedParts>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; 
-$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Renew_output_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '</sp:SignedParts>'; -$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '</sp:EncryptedParts>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; -$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Validate_Input_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="Action" 
Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '</sp:SignedParts>'; -$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '</sp:EncryptedParts>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; -$buf .= '<wsp:Policy wsu:Id="CustomBinding_IWSTrustContract_Validate_output_policy">'; -$buf .= '<wsp:ExactlyOne>'; -$buf .= '<wsp:All>'; -$buf .= '<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>'; -$buf .= '</sp:SignedParts>'; -$buf .= '<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">'; -$buf .= '<sp:Body/>'; -$buf .= '</sp:EncryptedParts>'; -$buf .= '</wsp:All>'; -$buf .= '</wsp:ExactlyOne>'; -$buf .= '</wsp:Policy>'; -$buf .= '<wsdl:import namespace="http://schemas.xmlsoap.org/ws/2005/02/trust" location=""/>'; -$buf .= '<wsdl:types/>'; -$buf .= '<wsdl:binding name="CustomBinding_IWSTrustContract" type="i0:IWSTrustContract">'; -$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_policy"/>'; -$buf .= '<soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>'; -$buf .= '<wsdl:operation name="Cancel">'; -$buf .= '<soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel" style="document"/>'; -$buf .= 
'<wsdl:input>'; -$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Cancel_Input_policy"/>'; -$buf .= '<soap12:body use="literal"/>'; -$buf .= '</wsdl:input>'; -$buf .= '<wsdl:output>'; -$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Cancel_output_policy"/>'; -$buf .= '<soap12:body use="literal"/>'; -$buf .= '</wsdl:output>'; -$buf .= '</wsdl:operation>'; -$buf .= '<wsdl:operation name="Issue">'; -$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Issue_policy"/>'; -$buf .= '<soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" style="document"/>'; -$buf .= '<wsdl:input>'; -$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Issue_Input_policy"/>'; -$buf .= '<soap12:body use="literal"/>'; -$buf .= '</wsdl:input>'; -$buf .= '<wsdl:output>'; -$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Issue_output_policy"/>'; -$buf .= '<soap12:body use="literal"/>'; -$buf .= '</wsdl:output>'; -$buf .= '</wsdl:operation>'; -$buf .= '<wsdl:operation name="Renew">'; -$buf .= '<soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew" style="document"/>'; -$buf .= '<wsdl:input>'; -$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Renew_Input_policy"/>'; -$buf .= '<soap12:body use="literal"/>'; -$buf .= '</wsdl:input>'; -$buf .= '<wsdl:output>'; -$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Renew_output_policy"/>'; -$buf .= '<soap12:body use="literal"/>'; -$buf .= '</wsdl:output>'; -$buf .= '</wsdl:operation>'; -$buf .= '<wsdl:operation name="Validate">'; -$buf .= '<soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate" style="document"/>'; -$buf .= '<wsdl:input>'; -$buf .= '<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Validate_Input_policy"/>'; -$buf .= '<soap12:body use="literal"/>'; -$buf .= '</wsdl:input>'; -$buf .= '<wsdl:output>'; -$buf .= 
'<wsp:PolicyReference URI="#CustomBinding_IWSTrustContract_Validate_output_policy"/>'; -$buf .= '<soap12:body use="literal"/>'; -$buf .= '</wsdl:output>'; -$buf .= '</wsdl:operation>'; -$buf .= '</wsdl:binding>'; -$buf .= '<wsdl:service name="STS">'; -$buf .= '<wsdl:port name="CustomBinding_IWSTrustContract" binding="tns:CustomBinding_IWSTrustContract">'; -$buf .= "<soap12:address location=\"".$ICconfig['tokenserviceurl']."\"/>"; -$buf .= '<wsa10:EndpointReference>'; -$buf .= "<wsa10:Address>".$ICconfig['tokenserviceurl']."</wsa10:Address>"; -$buf .= '<Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">'; -$buf .= '<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'; -$buf .= '<X509Data>'; -$buf .= '<X509Certificate>'.sspmod_InfoCard_Utils::takeCert($ICconfig['certificates'][0]).'</X509Certificate>'; -$buf .= '</X509Data>'; -$buf .= '</KeyInfo>'; -$buf .= '</Identity>'; -$buf .= '</wsa10:EndpointReference>'; -$buf .= '</wsdl:port>'; -$buf .= '</wsdl:service>'; -$buf .= '</wsdl:definitions>'; -$buf .= '</wsx:MetadataSection>'; -$buf .= '<wsx:MetadataSection xmlns="" Dialect="http://www.w3.org/2001/XMLSchema" Identifier="http://schemas.microsoft.com/Message">'; -$buf .= '<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://schemas.microsoft.com/Message" elementFormDefault="qualified" targetNamespace="http://schemas.microsoft.com/Message">'; -$buf .= '<xs:complexType name="MessageBody">'; -$buf .= '<xs:sequence>'; -$buf .= '<xs:any minOccurs="0" maxOccurs="unbounded" namespace="##any"/>'; -$buf .= '</xs:sequence>'; -$buf .= '</xs:complexType>'; -$buf .= '</xs:schema>'; -$buf .= '</wsx:MetadataSection>'; -$buf .= '</Metadata>'; - -if ($use_soap) -{ - $buf .= '</s:Body>'; - $buf .= '</s:Envelope>'; -} - - - -print($buf); - -?> diff --git a/modules/InfoCard/extra/tokenservice.php b/modules/InfoCard/extra/tokenservice.php deleted file mode 100644 index 7b6267c97..000000000 
--- a/modules/InfoCard/extra/tokenservice.php
+++ /dev/null
@@ -1,296 +0,0 @@ -<?php -/* - * Copyright (C) 2007 Carillon Information Security Inc. - * - * Token responder for the Carillon STS. Accepts a SOAP token request from - * a relying party (or an infocard client, more likely) and produces a - * token with the proper attributes, as stored in the database of issued - * infocards. - * - */ - -/* -* COAUTHOR: Samuel Muñoz Hidalgo -* EMAIL: samuel.mh@gmail.com -* LAST REVISION: 22-DEC-08 -* DESCRIPTION: InfoCard module token generator -*/ - - - -// Windows CardSpace doesn't support using the infocard's certificate as -// the SSL cert for transport binding... so we make it sign a timestamp in -// the token request, and validate the signature on that. -function validate_embedded_cert() -{ - global $doc, $row; - global $db_usertable; - global $uidnum, $uname, $fullname; - global $HTTP_RAW_POST_DATA; - - // FIXME: Add error checking to this! - - // get the signed part (the timestamp) in a horribly cheating way for - // now - // first grab the namespace for u - $begin = 'xmlns:u="'; - $end = 'xsd"'; - $xmlnsu = $HTTP_RAW_POST_DATA; - $xmlnsu = substr($xmlnsu, strpos($xmlnsu, $begin)); - $xmlnsu = substr($xmlnsu, 0, strpos($xmlnsu, $end)+strlen($end)); - $begin = '<u:Timestamp '; - $end = '</u:Timestamp>'; - $tmp = $HTTP_RAW_POST_DATA; - $tmp = substr($tmp, strpos($tmp, $begin)); - $tmp = substr($tmp, 0, strpos($tmp, $end)+strlen($end)); - $tmp1 = substr($tmp, 0, strpos($tmp, ' ')); - $tmp2 = substr($tmp, strpos($tmp, ' ')+1); - $timestamp = $tmp1." 
$xmlnsu ".$tmp2; - - // canonicalize the timestamp and digest it - $canonical_timestamp = sspmod_InfoCard_Utils::canonicalize($timestamp); - $myhash = sha1($canonical_timestamp,TRUE); - $mydigest = base64_encode($myhash); - - // grab the digest from the request - $elements = $doc->getElementsByTagname('DigestValue'); - $request_digest = $elements->item(0)->nodeValue; - - // if the digests don't match, we fail - if ($mydigest != $request_digest) - return false; - - // get the SignedInfo in a horribly cheating way for now - $begin = '<SignedInfo'; - $end = '</SignedInfo>'; - $sinfo = $HTTP_RAW_POST_DATA; - $sinfo = substr($sinfo, strpos($sinfo, $begin)); - $sinfo = substr($sinfo, 0, strpos($sinfo, $end)+strlen($end)); - - // grab the signing certificate and PEM-encode it to satisfy openssl - $elements = $doc->getElementsByTagname('BinarySecurityToken'); - $cert = $elements->item(0)->nodeValue; - $certpem = "-----BEGIN CERTIFICATE-----\n"; - $offset = 0; - while ($segment=substr($cert, $offset, 64)) - { - $certpem .= $segment."\n"; - $offset += 64; - } - $certpem .= "-----END CERTIFICATE-----\n"; - - $pubkey = openssl_pkey_get_public($certpem); - - // canonicalize the signed info - $canonical_sinfo = sspmod_InfoCard_Utils::canonicalize($sinfo); - - // grab the signature from the request - $elements = $doc->getElementsByTagname('SignatureValue'); - $request_sig = $elements->item(0)->nodeValue; - - $request_sig = base64_decode($request_sig); - - // try to verify the signature... if we can't, we fail. - if (openssl_verify($canonical_sinfo, $request_sig, $pubkey) == false) - return false; - - // so, the signature is OK. Was it the right cert? Check its - // thumbprint against the cert we recorded in the infocard... - $thumb = sspmod_InfoCard_Utils::thumbcert($cert); - if ($row['x509thumb'] != $thumb) - return false; - - // at this point we've succeeded, but we need to populate some fields - // based on the usertable to create a card... 
- $arr = openssl_x509_parse($certpem); - $who = $arr['subject']['CN']; - $query = "SELECT * FROM $db_usertable WHERE full_name='$who'"; - $userrow = pg_fetch_assoc(do_query($query)); - if ($userrow['status'] == "1") - { - $uidnum = $userrow['id']; - $uname = $userrow['userid']; - $fullname = $userrow['full_name']; - return true; - } - return false; -} - - - -/* -* claimValues ( 'claim'('value','displayTag'), 'claim'('value','displayTag'), ... ) -*/ -function create_token($claimValues,$config){ - // build a SAML assertion - $now = gmdate('Y-m-d').'T'.gmdate('H:i:s').'Z'; - $later = gmdate('Y-m-d', time()+3600).'T'.gmdate('H:i:s', time()+3600).'Z'; - $assertionid = uniqid('uuid-'); - - $saml = "<saml:Assertion MajorVersion=\"1\" MinorVersion=\"0\" AssertionID=\"$assertionid\" Issuer=\"".$config['issuer']."\" IssueInstant=\"$now\" xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\">"; - $saml .= "<saml:Conditions NotBefore=\"$now\" NotOnOrAfter=\"$later\" />"; - - $saml .= "<saml:AttributeStatement>"; - $saml .= "<saml:Subject>"; - $saml .= "<saml:SubjectConfirmation>"; - $saml .= "<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>"; - - // proof key - $saml .= "<dsig:KeyInfo xmlns:dsig=\"http://www.w3.org/2000/09/xmldsig#\">"; - $saml .= "<dsig:X509Data>"; - $saml .= "<dsig:X509Certificate>".sspmod_InfoCard_Utils::takeCert($config['sts_crt'])."</dsig:X509Certificate>"; - $saml .= "</dsig:X509Data>"; - $saml .= "</dsig:KeyInfo>"; - - $saml .= "</saml:SubjectConfirmation>"; - $saml .= "</saml:Subject>"; - - - foreach ($claimValues as $claim=>$data) { - $saml .= "<saml:Attribute AttributeName=\"$claim\" AttributeNamespace=\"".$config['InfoCard']['schema']."/claims\">"; - $saml .= "<saml:AttributeValue>".$data['value']."</saml:AttributeValue>"; - $saml .= "</saml:Attribute>"; - } - - $saml .= "</saml:AttributeStatement>"; - - - // calculate the digest for the signature... 
- $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($saml."</saml:Assertion>"); - $myhash = sha1($canonicalbuf,TRUE); - $samldigest = base64_encode($myhash); - - - // construct a SignedInfo block - $signedinfo = "<dsig:SignedInfo xmlns:dsig=\"http://www.w3.org/2000/09/xmldsig#\">"; - $signedinfo .= "<dsig:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\" />"; - $signedinfo .= "<dsig:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\" />"; - $signedinfo .= "<dsig:Reference URI=\"#$assertionid\">"; - $signedinfo .= "<dsig:Transforms>"; - $signedinfo .= "<dsig:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\" />"; - $signedinfo .= "<dsig:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\" />"; - $signedinfo .= "</dsig:Transforms>"; - $signedinfo .= "<dsig:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\" />"; - $signedinfo .= "<dsig:DigestValue>$samldigest</dsig:DigestValue>"; - $signedinfo .= "</dsig:Reference>"; - $signedinfo .= "</dsig:SignedInfo>"; - - // compute the signature of hte canonicalized digest - $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($signedinfo); - $privkey = openssl_pkey_get_private(file_get_contents($config['sts_key'])); - $signature = ''; - openssl_sign($canonicalbuf, &$signature, $privkey); - openssl_free_key($privkey); - $samlsignature = base64_encode($signature); - - - // now put it all together - $saml .= "<dsig:Signature xmlns:dsig=\"http://www.w3.org/2000/09/xmldsig#\">"; - $saml .= $signedinfo; - $saml .= "<dsig:SignatureValue>$samlsignature</dsig:SignatureValue>"; - - $saml .= "<dsig:KeyInfo>"; - $saml .= "<dsig:X509Data>"; - $saml .= "<dsig:X509Certificate>".sspmod_InfoCard_Utils::takeCert($config['sts_crt'])."</dsig:X509Certificate>"; - $saml .= "</dsig:X509Data>"; - $saml .= "</dsig:KeyInfo>"; - $saml .= "</dsig:Signature>"; - - $saml .= "</saml:Assertion>"; - - - // cram the SAML assertion in a SOAP envelope - $buf = 
'<?xml version="1.0"?>'; - $buf .= "<soap:Envelope xmlns:ic=\"http://schemas.xmlsoap.org/ws/2005/05/identity\" xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wst=\"http://schemas.xmlsoap.org/ws/2005/02/trust\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">"; - if ($include_timestamp) { - $buf .= "<soap:Header>"; - $buf .= "<wsse:Security>"; - $buf .= "<wsu:Timestamp>"; - $buf .= "<wsu:Created>$now</wsu:Created>"; - $buf .= "<wsu:Expires>$later</wsu:Expires>"; - $buf .= "</wsu:Timestamp>"; - $buf .= "</wsse:Security>"; - $buf .= "</soap:Header>"; - } else - $buf .= "<soap:Header />"; - - $buf .= "<soap:Body>"; - $buf .= "<wst:RequestSecurityTokenResponse Context=\"ProcessRequestSecurityToken\">"; - $buf .= "<wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>"; - $buf .= "<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>"; - $buf .= "<wst:RequestedSecurityToken>"; - - $buf .= $saml; - - $buf .= "</wst:RequestedSecurityToken>"; - - // references - $buf .= "<wst:RequestedAttachedReference>"; - $buf .= "<wsse:SecurityTokenReference>"; - $buf .= "<wsse:KeyIdentifier ValueType=\"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID\">$assertionid</wsse:KeyIdentifier>"; - $buf .= "</wsse:SecurityTokenReference>"; - $buf .= "</wst:RequestedAttachedReference>"; - $buf .= "<wst:RequestedUnattachedReference>"; - $buf .= "<wsse:SecurityTokenReference>"; - $buf .= "<wsse:KeyIdentifier ValueType=\"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID\">$assertionid</wsse:KeyIdentifier>"; - $buf .= "</wsse:SecurityTokenReference>"; - $buf .= "</wst:RequestedUnattachedReference>"; - - // display token - $buf .= "<ic:RequestedDisplayToken>"; - $buf .= "<ic:DisplayToken 
xml:lang=\"en\">"; - - foreach ($claimValues as $claim=>$data) { - $buf .= "<ic:DisplayClaim Uri=\"".$config['InfoCard']['schema']."/claims/".$claim."\">"; - $buf .= "<ic:DisplayTag>".$data['displayTag']."</ic:DisplayTag>"; - $buf .= "<ic:DisplayValue>".$data['value']."</ic:DisplayValue>"; - $buf .= "</ic:DisplayClaim>"; - } - - $buf .= "</ic:DisplayToken>"; - $buf .= "</ic:RequestedDisplayToken>"; - - // the end - $buf .= "</wst:RequestSecurityTokenResponse>"; - $buf .= "</soap:Body>"; - $buf .= "</soap:Envelope>"; - - return $buf; -} - - - - -// grab the important parts of the token request. these are the username, -// password, and cardid. - -Header('Content-Type: application/soap+xml;charset=utf-8'); - - -$token = new DOMDocument(); -$token->loadXML($HTTP_RAW_POST_DATA); -$doc = $token->documentElement; -$username = $doc->getElementsByTagname('Username')->item(0)->nodeValue; -$password = $doc->getElementsByTagname('Password')->item(0)->nodeValue; -$cardId = $doc->getElementsByTagname('CardId')->item(0)->nodeValue; - - -if (sspmod_InfoCard_UserFunctions::validateUser($username,$password)){ - $config = SimpleSAML_Configuration::getInstance(); - $autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php'); - $ICconfig['InfoCard'] = $autoconfig->getValue('InfoCard'); - $ICconfig['issuer'] = $autoconfig->getValue('issuer'); - $ICconfig['sts_crt'] = $autoconfig->getValue('sts_crt'); - $ICconfig['sts_key'] = $autoconfig->getValue('sts_key'); - - $requiredClaims = sspmod_InfoCard_Utils::extractClaims($ICconfig['InfoCard']['schema'], $doc->getElementsByTagname('ClaimType')); - $claimValues = sspmod_InfoCard_UserFunctions::fillClaims($username, $ICconfig['InfoCard']['requiredClaims'], $ICconfig['InfoCard']['optionalClaims'],$requiredClaims); - $buf = create_token($claimValues,$ICconfig); - Header('Content-length: '.strlen($buf)+1); - print($buf); -}else{ - $bad = true; - print(""); -} - -?> \ No newline at end of file 
diff --git a/modules/InfoCard/lib/STS.php b/modules/InfoCard/lib/STS.php new file mode 100644 index 000000000..9d8d137a7 --- /dev/null +++ b/modules/InfoCard/lib/STS.php 
@@ -0,0 +1,384 @@ +<?php +/* +* COAUTHOR: Samuel Muñoz Hidalgo +* EMAIL: samuel.mh@gmail.com +* LAST REVISION: 13-FEB-09 +* DESCRIPTION: Things the STS can do +* - InfoCard issue +* - Error response (if the user send us wrong credentials) +* - Request Security Token Response +*/ + +class sspmod_InfoCard_STS { + + +/* +* USED IN: www/getcardform.php +* INPUT: data and configuration +* OUTPUT; a custom error message for the identity selector +*/ + static public function createCard($ICdata,$ICconfig) { + + $infocardbuf = '<Object Id="IC01" xmlns="http://www.w3.org/2000/09/xmldsig#">'; + $infocardbuf .= '<InformationCard xml:lang="en-us" xmlns="http://schemas.xmlsoap.org/ws/2005/05/identity" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">'; + + //cardId + $infocardbuf .= '<InformationCardReference>'; + $infocardbuf .= '<CardId>'.$ICdata['CardId'].'</CardId>'; //xs:anyURI cardId (="$cardurl/$ppid"; $ppid = "$uname-" . 
time();) + $infocardbuf .= '<CardVersion>1</CardVersion>'; //xs:unsignedInt + $infocardbuf .= '</InformationCardReference>'; + + //cardName + $infocardbuf .= '<CardName>'.$ICdata['CardName'].'</CardName>'; + + //image + $infocardbuf .= '<CardImage MimeType="'.mime_content_type($ICdata['CardImage']).'">'; + $infocardbuf .= base64_encode(file_get_contents($ICdata['CardImage'])); + $infocardbuf .= '</CardImage>'; + + //issuer - times + $infocardbuf .= '<Issuer>'.$ICconfig['InfoCard']['issuer'].'</Issuer>'; + $infocardbuf .= '<TimeIssued>'.gmdate('Y-m-d').'T'.gmdate('H:i:s').'Z'.'</TimeIssued>'; + $infocardbuf .= '<TimeExpires>'.$ICdata['TimeExpires'].'</TimeExpires>'; + + //Token Service List + $infocardbuf .= '<TokenServiceList>'; + $infocardbuf .= '<TokenService>'; + $infocardbuf .= '<wsa:EndpointReference>'; + $infocardbuf .= '<wsa:Address>'.$ICconfig['tokenserviceurl'].'</wsa:Address>'; + $infocardbuf .= '<wsa:Metadata>'; + $infocardbuf .= '<wsx:Metadata>'; + $infocardbuf .= '<wsx:MetadataSection>'; + $infocardbuf .= '<wsx:MetadataReference>'; + $infocardbuf .= '<wsa:Address>'.$ICconfig['mexurl'].'</wsa:Address>'; + $infocardbuf .= '</wsx:MetadataReference>'; + $infocardbuf .= '</wsx:MetadataSection>'; + $infocardbuf .= '</wsx:Metadata>'; + $infocardbuf .= '</wsa:Metadata>'; + $infocardbuf .= '</wsa:EndpointReference>'; + + + + /*Types of User Credentials + * Supported: UsernamePasswordCredential, SelfIssuedCredential + * Unsupported: KerberosV5Credential, X509V3Credential + */ + $infocardbuf .= '<UserCredential>'; + $infocardbuf .= '<DisplayCredentialHint>'.$ICdata['DisplayCredentialHint'].'</DisplayCredentialHint>'; + switch($ICconfig['UserCredential']){ + case 'UsernamePasswordCredential': + $infocardbuf .= '<UsernamePasswordCredential>'; + $infocardbuf .= '<Username>'.$ICdata['UserName'].'</Username>'; + $infocardbuf .= '</UsernamePasswordCredential>'; + break; + case 'KerberosV5Credential': + $infocardbuf .= '<KerberosV5Credential/>'; + break; + case 
'X509V3Credential': + $infocardbuf .= '<X509V3Credential>'; + $infocardbuf .= '<ds:X509Data>'; + $infocardbuf .= '<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/xx/oasis-2004xx-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis200401-wss-soap-message-security-1.0#Base64Binary">'; + /*This element provides a key identifier for the X.509 certificate based on the SHA1 hash + of the entire certificate content expressed as a “thumbprint.” Note that the extensibility + point in the ds:X509Data element is used to add wsse:KeyIdentifier as a child + element.*/ + $infocardbuf .= $ICdata['KeyIdentifier']; //xs:base64binary; + $infocardbuf .= '</wsse:KeyIdentifier>'; + $infocardbuf .= '</ds:X509Data>'; + $infocardbuf .= '</X509V3Credential>'; + break; + case 'SelfIssuedCredential': + $infocardbuf .= '<SelfIssuedCredential>'; + $infocardbuf .= '<PrivatePersonalIdentifier>'; + $infocardbuf .= $ICdata['PPID']; //xs:base64binary; + $infocardbuf .= '</PrivatePersonalIdentifier>'; + $infocardbuf .= '</SelfIssuedCredential> '; + break; + default: + break; + } + $infocardbuf .= '</UserCredential>'; + + $infocardbuf .= '</TokenService>'; + $infocardbuf .= '</TokenServiceList>'; + + + //Tokentype + $infocardbuf .= '<SupportedTokenTypeList>'; + $infocardbuf .= '<wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>'; + $infocardbuf .= '</SupportedTokenTypeList>'; + + //Claims + $infocardbuf .= '<SupportedClaimTypeList>'; + $url = $ICconfig['InfoCard']['schema'].'/claims/'; + foreach ($ICconfig['InfoCard']['requiredClaims'] as $claim=>$data) { + $infocardbuf .= '<SupportedClaimType Uri="'.$url.$claim.'">'; + $infocardbuf .= '<DisplayTag>'.$data['displayTag'].'</DisplayTag>'; + $infocardbuf .= '<Description>'.$data['description'].'</Description>'; + $infocardbuf .= '</SupportedClaimType>'; + } + foreach ($ICconfig['InfoCard']['optionalClaims'] as $claim=>$data) { + $infocardbuf .= '<SupportedClaimType 
Uri="'.$url.$claim.'">'; + $infocardbuf .= '<DisplayTag>'.$data['displayTag'].'</DisplayTag>'; + $infocardbuf .= '<Description>'.$data['description'].'</Description>'; + $infocardbuf .= '</SupportedClaimType>'; + } + $infocardbuf .= '</SupportedClaimTypeList>'; + + //Privacy URL + $infocardbuf .= '<PrivacyNotice>'.$ICconfig['InfoCard']['privacyURL'].'</PrivacyNotice>'; + + $infocardbuf .= '</InformationCard>'; + $infocardbuf .= '</Object>'; + + + $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($infocardbuf); + + //construct a SignedInfo block + $signedinfo = '<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'; + $signedinfo .= '<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'; + $signedinfo .= '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'; + $signedinfo .= '<Reference URI="#IC01">'; + $signedinfo .= '<Transforms>'; + $signedinfo .= '<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'; + $signedinfo .= '</Transforms>'; + $signedinfo .= '<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'; + $signedinfo .= '<DigestValue>'.base64_encode(sha1($canonicalbuf, TRUE)).'</DigestValue>'; + $signedinfo .= '</Reference>'; + $signedinfo .= '</SignedInfo>'; + + $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($signedinfo); + + $signature = ''; + $privkey = openssl_pkey_get_private(file_get_contents($ICconfig['sts_key'])); + openssl_sign($canonicalbuf, &$signature, $privkey); + openssl_free_key($privkey); + $infocard_signature = base64_encode($signature); + + //Envelope + $buf = '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'; + $buf .= $signedinfo; + $buf .= '<SignatureValue>'.$infocard_signature.'</SignatureValue>'; + $buf .= '<KeyInfo>'; + $buf .= '<X509Data>'; + // signing certificate(s) + foreach ($ICconfig['certificates'] as $idx=>$cert) + $buf .= '<X509Certificate>'.sspmod_InfoCard_Utils::takeCert($cert).'</X509Certificate>'; + $buf .= '</X509Data>'; + $buf .= 
'</KeyInfo>'; + $buf .= $infocardbuf; + $buf .= '</Signature>'; + + return $buf; + } + + + + +/* +* USED IN: www/tokenservice.php +* INPUT: error message, uuid of the RST +* OUTPUT; a custom error message for the identity selector +*/ + static public function errorMessage($msg,$relatesto){ + $buf = '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">'; + $buf .= '<s:Header>'; + $buf .= '<a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>'; + $buf .= '<a:RelatesTo>'.$relatesto.'</a:RelatesTo>'; + $buf .= '</s:Header>'; + $buf .= '<s:Body>'; + $buf .= '<s:Fault>'; + $buf .= '<s:Code>'; + $buf .= '<s:Value xmlns:a="http://www.w3.org/2003/05/soap-envelope">'; + $buf .= 'a:Sender'; + $buf .= '</s:Value>'; + $buf .= '<s:Subcode>'; + $buf .= '<s:Value xmlns:a="http://schemas.xmlsoap.org/ws/2005/05/identity">'; + $buf .= 'a:MissingAppliesTo'; + $buf .= '</s:Value>'; + $buf .= '</s:Subcode>'; + $buf .= '</s:Code>'; + $buf .= '<s:Reason>'; + $buf .= '<s:Text xml:lang="en">'; + $buf .= $msg; + $buf .= '</s:Text>'; + $buf .= '</s:Reason>'; + $buf .= '</s:Fault>'; + $buf .= '</s:Body>'; + $buf .= '</s:Envelope>'; + return $buf; + } + + + +/* +* USED IN: www/tokenservice.php +* INPUT: claims value, configuration, uuid of the RST +* OUTPUT; a security token for the identity selector +*/ + static public function createToken($claimValues,$config,$relatesto){ + $assertionid = uniqid('uuid-'); + $created = gmdate('Y-m-d').'T'.gmdate('H:i:s').'Z'; + $expires = gmdate('Y-m-d', time()+3600).'T'.gmdate('H:i:s', time()+3600).'Z'; + + + //SOAP ENVELOPE + $env = '<?xml version="1.0"?>'; + $env .= '<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:xenc="http://www.w3.org/2001/04/xmlenc" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'; + + $env .= '<S:Header>'; + $env .= '<wsa:Action wsu:Id="_1">'; + $env .= 'http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue'; + $env .= '</wsa:Action>'; + $env .= '<wsa:RelatesTo wsu:Id="_2">'; + $env .= $relatesto; + $env .= '</wsa:RelatesTo>'; + $env .= '<wsa:To wsu:id="_3">'; + $env .= 'http://www.w3.org/2005/08/addressing/anonymous'; + $env .= '</wsa:To>'; + $env .= '<wsse:Security S:mustUnderstand="1">'; + $env .= '<wsu:Timestamp wsu:Id="_6">'; + $env .= '<wsu:Created>'.$created.'</wsu:Created>'; + $env .= '<wsu:Expires>'.$expires.'</wsu:Expires>'; + $env .= '</wsu:Timestamp>'; + $env .= '</wsse:Security>'; + $env .= '</S:Header>'; + + + $env .= '<S:Body wsu:Id="_10">'; + //RequestSecurityTokenResponse + $env .= sspmod_InfoCard_STS::RequestSecurityTokenResponse($claimValues,$config,$assertionid,$created,$expires); + $env .= '</S:Body>'; + $env .= '</S:Envelope>'; + + return $env; + } + + + +/* +* USED IN: createToken +* INPUT: claims value, configuration, uuid, times +* OUTPUT; returns the <wst:RequestSecurityTokenResponse>' of the RSTR +*/ + static private function RequestSecurityTokenResponse ($claimValues,$config,$assertionid,$created,$expires){ + $tr = '<wst:RequestSecurityTokenResponse>'; + $tr .= '<wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>'; + $tr .= '<wst:LifeTime>'; + $tr .= '<wsu:Created>'.$created.'</wsu:Created>'; + $tr .= '<wsu:Expires>'.$expires.'</wsu:Expires>'; + $tr .= '</wst:LifeTime>'; + + //Encrypted token: SAML assertion + $tr .= '<wst:RequestedSecurityToken>'; + $tr .= sspmod_InfoCard_STS::saml_assertion($claimValues,$config,$assertionid,$created,$expires); + $tr .= '</wst:RequestedSecurityToken>'; + + //RequestedAattachedReference + $tr .= '<wst:RequestedAttachedReference>'; + $tr .= 
'<wsse:SecurityTokenReference>'; + $tr .= '<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">'; + $tr .= $assertionid; + $tr .= '</wsse:KeyIdentifier>'; + $tr .= '</wsse:SecurityTokenReference>'; + $tr .= '</wst:RequestedAttachedReference>'; + + //RequestedUnattachedReference + $tr .= '<wst:RequestedUnattachedReference>'; + $tr .= '<wsse:SecurityTokenReference>'; + $tr .= '<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">'; + $tr .= $assertionid; + $tr .= '</wsse:KeyIdentifier>'; + $tr .= '</wsse:SecurityTokenReference>'; + $tr .= '</wst:RequestedUnattachedReference>'; + + //RequestedDisplayToken + $tr .= '<ic:RequestedDisplayToken>'; + $tr .= '<ic:DisplayToken xml:lang="en-us">'; + foreach ($claimValues as $claim=>$data) { + $tr .= '<ic:DisplayClaim Uri="'.$config['InfoCard']['schema'].'/claims/'.$claim.'">'; + $tr .= '<ic:DisplayTag>'.$data['displayTag'].'</ic:DisplayTag>'; + $tr .= '<ic:DisplayValue>'.$data['value'].'</ic:DisplayValue>'; + $tr .= "</ic:DisplayClaim>"; + } + $tr .= '</ic:DisplayToken>'; + $tr .= '</ic:RequestedDisplayToken>'; + $tr .= '</wst:RequestSecurityTokenResponse>'; + return $tr; + } + + + + +/* +* USED IN: RequestSecurityTokenResponse +* INPUT: claims value, configuration, uuid, times +* OUTPUT; STS Signed SAML assertion +*/ + static private function saml_assertion($claimValues,$config,$assertionid,$created,$expires){ + $saml = '<saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="'.$assertionid.'" Issuer="'.$config['issuer'].'" IssueInstant="'.$created.'" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">'; + $saml .= '<saml:Conditions NotBefore="'.$created.'" NotOnOrAfter="'.$expires.'" />'; + $saml .= '<saml:AttributeStatement>'; + $saml .= '<saml:Subject>'; + $saml .= '<saml:SubjectConfirmation>'; + $saml .= 
'<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>'; + // proof key + $saml .= '<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">'; + $saml .= '<dsig:X509Data>'; + $saml .= '<dsig:X509Certificate>'.sspmod_InfoCard_Utils::takeCert($config['sts_crt']).'</dsig:X509Certificate>'; + $saml .= '</dsig:X509Data>'; + $saml .= '</dsig:KeyInfo>'; + $saml .= '</saml:SubjectConfirmation>'; + $saml .= '</saml:Subject>'; + foreach ($claimValues as $claim=>$data) { + $saml .= '<saml:Attribute AttributeName="'.$claim.'" AttributeNamespace="'.$config['InfoCard']['schema'].'/claims">'; + $saml .= '<saml:AttributeValue>'.$data['value'].'</saml:AttributeValue>'; + $saml .= '</saml:Attribute>'; + } + $saml .= '</saml:AttributeStatement>'; + + //Pure SAML Assertion digest + $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($saml.'</saml:Assertion>'); + $myhash = sha1($canonicalbuf,TRUE); + $samldigest = base64_encode($myhash); + + //Digest block + $signedinfo = '<dsig:SignedInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" >'; + $signedinfo .= '<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />'; + $signedinfo .= '<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />'; + $signedinfo .= '<dsig:Reference URI="#'.$assertionid.'">'; + $signedinfo .= '<dsig:Transforms>'; + $signedinfo .= '<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />'; + $signedinfo .= '<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />'; + $signedinfo .= '</dsig:Transforms>'; + $signedinfo .= '<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />'; + $signedinfo .= '<dsig:DigestValue>'.$samldigest.'</dsig:DigestValue>'; + $signedinfo .= '</dsig:Reference>'; + $signedinfo .= '</dsig:SignedInfo>'; + + //Signature of the digest + $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($signedinfo); + $privkey = 
openssl_pkey_get_private(file_get_contents($config['sts_key'])); + $signature = ''; + openssl_sign($canonicalbuf, &$signature, $privkey); + openssl_free_key($privkey); + $samlsignature = base64_encode($signature); + + //Signature block + $saml .= '<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">'; + $saml .= $signedinfo; + $saml .= '<dsig:SignatureValue>'.$samlsignature.'</dsig:SignatureValue>'; + $saml .= '<dsig:KeyInfo>'; + $saml .= '<dsig:X509Data>'; + $saml .= '<dsig:X509Certificate>'.sspmod_InfoCard_Utils::takeCert($config['sts_crt']).'</dsig:X509Certificate>'; + $saml .= '</dsig:X509Data>'; + $saml .= '</dsig:KeyInfo>'; + $saml .= '</dsig:Signature>'; + $saml .= '</saml:Assertion>'; + return $saml; + } + + +} + +?> \ No newline at end of file diff --git a/modules/InfoCard/templates/default/temp-getcardform.php b/modules/InfoCard/templates/default/temp-getcardform.php new file mode 100644 index 000000000..bf8f728ec --- /dev/null +++ b/modules/InfoCard/templates/default/temp-getcardform.php 
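Review bot: Caller-supplied values are concatenated straight into XML that is then signed — `$ICdata['CardName']`, `$ICdata['UserName']` and `$ICdata['DisplayCredentialHint']` in createCard, `$data['value']` in the display token and in each `<saml:AttributeValue>` of saml_assertion, and `$relatesto` in errorMessage/createToken — so a value containing `<`, `&` or `"` either breaks the document or injects markup into the issued card or assertion. Escape at every interpolation, e.g. `htmlspecialchars($data['value'], ENT_QUOTES, 'UTF-8')`, and do the same for attribute values such as `AttributeName="'.$claim.'"`. The signing path never checks its results: `file_get_contents($ICconfig['sts_key'])` and `openssl_pkey_get_private()` can return false and the return value of `openssl_sign()` is ignored, so a misconfigured key produces a response with an empty `<SignatureValue>` instead of an error — test each return and throw (and pass `$signature` without the call-time `&`, which later PHP versions reject). The holder-of-key SubjectConfirmation carries the STS's own certificate (`sts_crt`) as the proof key; if that is deliberate, a comment saying why the requester's key is not used would help, since a relying party cannot verify possession by the presenter from it.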
@@ -0,0 +1,70 @@ +<?php +/* +* AUTHOR: Samuel Muñoz Hidalgo +* EMAIL: samuel.mh@gmail.com +* LAST REVISION: 22-DEC-08 +* DESCRIPTION: InfoCard module template. +*/ + $this->includeAtTemplateBase('includes/header.php'); + if (!array_key_exists('icon', $this->data)) $this->data['icon'] = 'lock.png'; + if (isset($this->data['error'])) { ?> + <div style="border-left: 1px solid #e8e8e8; border-bottom: 1px solid #e8e8e8; background: #f5f5f5"> + <img src="/<?php echo $this->data['baseurlpath']; ?>resources/icons/bomb.png" style="float: left; margin: 15px " /> + <h2><?php echo $this->t('error_header'); ?></h2> + + <p><?php echo $this->t($this->data['error']); ?> </p> + </div> + <?php } ?> + + +<!-- GET INFOCARD SECTION --> + <?php + if (strcmp($this->data['CardGenerator'],'')>0) { + + if(strcmp($this->data['form'],"validate")==0){ + echo '<h2>'.$this->t('getcardform_title').'</h2>'; + echo '<form action = ?AuthState='.$this->data['stateparams']['AuthState']." method='post'>"; + echo '<table border="0">'; + echo "<tr><td>".$this->t('form_username').": </td><td><input type='text' name='username' value='usuario' /></td></tr>"; + echo "<tr><td>".$this->t('form_password').": </td><td><input type='password' name='password' value='clave' /></td></tr>"; + echo "<tr><td></td><td><input type='submit' name='get_button' value='".$this->t('get_button')."' /></td></tr>"; + echo "<input type='hidden' name='form' value='".$this->data['form']."'/>"; + echo '</table>'; + echo '</form>'; + + } else if(strcmp($this->data['form'],"selfIssued")==0){ //ASK FOR A SELF-ISSUED CARD + echo '<h2>'.$this->t('getcardform_self_title').'</h2>'; + echo '<p>'.$this->t('getcardform_self_text').'</p>'; + echo '<form name="ctl00" id="ctl00" method="post" action="?AuthState='.$this->data['stateparams']['AuthState'].'">'; + echo '<OBJECT type="application/x-informationCard" name="xmlToken">'; + echo '<PARAM Name="issuer" Value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />'; + if 
($this->data['InfoCard']['issuerPolicy']!='') echo '<PARAM Name="issuerPolicy" Value="'.$this->data['InfoCard']['issuerPolicy']."\">\n"; + if ($this->data['InfoCard']['tokenType']!='') echo '<PARAM Name="tokenType" Value="'.$this->data['InfoCard']['tokenType']."\">\n"; + if ($this->data['InfoCard']['privacyURL']!='') echo '<PARAM Name="privacyUrl" Value="'.$this->data['InfoCard']['privacyURL']."\">\n"; + if ($this->data['InfoCard']['privacyVersion']!='')echo '<PARAM Name="privacyVersion" Value="'.$this->data['InfoCard']['privacyVersion']."\">\n"; + echo '<PARAM Name="requiredClaims" Value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier">'; + echo '</OBJECT>'; + echo "<input type='hidden' name='username' value='".$this->data['username']."'/>"; + echo "<input type='hidden' name='password' value='".$this->data['password']."'/>"; + echo "<input type='hidden' name='form' value='".$this->data['form']."'/>"; + echo "<input type='image' src='resources/infocard_self_114x80.png' style='cursor:pointer' />"; + echo '</form>'; + } else { + echo '<h2>'.$this->t('getcardform_finished_title').'</h2>'; + echo '<p>'.$this->t('getcardform_finished_text').'</p>'; + echo '<p> <a href="login-infocard.php?AuthState='.$this->data['stateparams']['AuthState'].'">LOGIN</a></p>'; + } + } + ?> + +<!-- HELP SECTION --> + <h2><?php echo $this->t('help_header'); ?></h2> + <p><?php echo $this->t('help_text'); ?></p> + <?php + if ((array_key_exists('contact_info_URL',$this->data)) && ($this->data['contact_info_URL']!=null)) + echo "<p><a href='".$this->data['contact_info_URL']."'>".$this->t('contact_info')."</a><p/>"; + if ((array_key_exists('help_desk_email_URL',$this->data)) && ($this->data['help_desk_email_URL']!=null)) + echo "<p><a href='".$this->data['help_desk_email_URL']."'>".$this->t('help_desk_email')."</a></p>"; + ?> + +<?php $this->includeAtTemplateBase('includes/footer.php'); ?> 
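Review bot: The self-issued branch writes the user's plaintext password back into the page as a hidden field (`<input type='hidden' name='password' value='...'>`), and neither it nor `username`, the `AuthState` in each form `action`, the `issuerPolicy`/`tokenType`/`privacyUrl` PARAM values or the contact/help-desk URLs are HTML-escaped, so any of them can break out of its attribute and inject markup. Keep the credential server-side between the two steps and escape everything else with `htmlspecialchars($v, ENT_QUOTES, 'UTF-8')`, e.g. `action="?AuthState='.htmlspecialchars($this->data['stateparams']['AuthState'], ENT_QUOTES, 'UTF-8').'"`. The username and password inputs are also pre-filled with `value='usuario'` / `value='clave'`, which look like test defaults and should be dropped before this ships.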
diff --git a/modules/InfoCard/templates/login-infocard.php b/modules/InfoCard/templates/default/temp-login.php similarity index 86% rename from modules/InfoCard/templates/login-infocard.php rename to modules/InfoCard/templates/default/temp-login.php index 48821e7e8..70cd74f74 100644 --- a/modules/InfoCard/templates/login-infocard.php +++ b/modules/InfoCard/templates/default/temp-login.php @@ -21,6 +21,7 @@ <p><?php echo $this->t('user_IC_text'); ?></p> <form name="ctl00" id="ctl00" method="post" action="?AuthState=<?php echo $this->data['stateparams']['AuthState']?>"> + <!-- <ic:informationCard xmlns:ic="<?php echo $this->data['InfoCard']['schema'] ?>" name="xmlToken" issuer="<?php echo $this->data['InfoCard']['issuer']; ?>" <?php @@ -62,16 +63,12 @@ </form> <!-- GET INFOCARD SECTION --> - <?php if (strcmp($this->data['CardGenerator'],'')>0) { - echo '<h2>'.$this->t('get_IC').'</h2>'; - echo "<form action=\"". $this->data['CardGenerator'] ."\" method='post'>"; - echo '<table border="0">'; - echo "<tr><td>".$this->t('form_username').": </td><td><input type='text' name='username' value='usuario' /></td></tr>"; - echo "<tr><td>".$this->t('form_password').": </td><td><input type='password' name='password' value='clave' /></td></tr>"; - echo "<tr><td></td><td><input type='submit' name='get_button' value='".$this->t('get_button')."' /></td></tr>"; - echo '</table>'; - echo '</form>'; - } ?> + <?php + if (strcmp($this->data['CardGenerator'],'')>0) { + echo '<h2>'.$this->t('get_IC').'</h2>'; + echo '<a href="'.$this->data['CardGenerator'].'?AuthState='.$this->data['stateparams']['AuthState'].'">'.$this->t('get_IC_link').'</a>'; + } + ?> <!-- HELP SECTION --> <h2><?php echo $this->t('help_header'); ?></h2> diff --git a/modules/InfoCard/www/getcardform.php b/modules/InfoCard/www/getcardform.php new file mode 100644 index 000000000..992af0f57 --- /dev/null +++ b/modules/InfoCard/www/getcardform.php 
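Review bot: The new link in the GET INFOCARD section concatenates `$this->data['CardGenerator']` and the `AuthState` into an `href` without escaping, so a crafted AuthState value can break out of the attribute; use `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` on the attribute and `urlencode()` on the query value, e.g. `'?AuthState='.urlencode($this->data['stateparams']['AuthState'])`. The first hunk opens an HTML comment (`<!--`) directly in front of the `<ic:informationCard` element and no matching `-->` is within the hunk; if the intent is to disable that element, removing it or guarding it with a PHP `if` would be clearer, since an HTML comment still ships the issuer and schema values to the client. Both hunks sit inside the template body, which starts and ends outside this view.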
@@ -0,0 +1,155 @@ +<?php + +/* +* AUTHOR: Samuel Muñoz Hidalgo +* EMAIL: samuel.mh@gmail.com +* LAST REVISION: 13-FEB-09 +* DESCRIPTION: +* Pretty form to get a managed InfoCard +* User flow controller. +* Displays the template and request a non null xmlToken +*/ + + +/* Load the configuration. */ +$config = SimpleSAML_Configuration::getInstance(); +$autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php'); + +$Infocard = $autoconfig->getValue('InfoCard'); + + +/* Load the session of the current user. */ +$session = SimpleSAML_Session::getInstance(); +if($session == NULL) { + SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOSESSION'); +} + +if (!array_key_exists('AuthState', $_REQUEST)) { +SimpleSAML_Logger::debug('NO AUTH STATE'); +SimpleSAML_Logger::debug('ERROR: NO AUTH STATE'); + throw new SimpleSAML_Error_BadRequest('Missing AuthState parameter.'); +} else { + $authStateId = $_REQUEST['AuthState']; +SimpleSAML_Logger::debug('AUTH STATE: '.$authStateId); +} + +$username = null; +$password = null; + +$state = "validate"; +if(array_key_exists('form', $_POST) && ($_POST['form']!=NULL) ) { + if(array_key_exists('username', $_POST) && ($_POST['username']!=NULL) ) { + if(array_key_exists('password', $_POST) && ($_POST['password']!=NULL) ) { + //Validation: Username/Password + $username = $_POST['username']; + $password = $_POST['password']; + if (sspmod_InfoCard_UserFunctions::validateUser(array('username'=>$username,'password'=>$password),'UsernamePasswordCredential')){ + $userCredential = $autoconfig->getValue('UserCredential'); + if (strcmp($userCredential,'UsernamePasswordCredential')==0){ + + $ICconfig['InfoCard'] = $Infocard; + $ICconfig['InfoCard']['issuer'] = $autoconfig->getValue('tokenserviceurl');//sspmod_InfoCard_Utils::getIssuer($sts_crt); + $ICconfig['tokenserviceurl'] = $autoconfig->getValue('tokenserviceurl'); + $ICconfig['mexurl'] = $autoconfig->getValue('mexurl'); + $ICconfig['sts_key'] = 
$autoconfig->getValue('sts_key'); + $ICconfig['certificates'] = $autoconfig->getValue('certificates'); + $ICconfig['UserCredential'] = $autoconfig->getValue('UserCredential'); + + $ICdata = sspmod_InfoCard_UserFunctions::fillICdata($username,$userCredential); + $IC = sspmod_InfoCard_STS::createCard($ICdata,$ICconfig); + header("Content-Disposition: attachment; filename=\"".$ICdata['CardName'].".crd\""); + header('Content-Type: application/x-informationcard'); + header('Content-Length:'.strlen($IC)); + echo $IC; + $state = 'end'; + }else if (strcmp($userCredential,'SelfIssuedCredential')==0){ + /* + * VERY IMPORTANT: + * The STS is acting as a Relying Party to get the PPID in order to generate a + * managed card with a self issued credential, that's why we use the STS + * certificate private key to decrypt the token. + */ + if(array_key_exists('xmlToken', $_POST) && ($_POST['xmlToken']!=NULL) ) { + SimpleSAML_Logger::debug('HAY XML TOKEN'); + $token = new sspmod_InfoCard_RP_InfoCard(); + $idp_key = $autoconfig->getValue('sts_key'); + $token->addIDPKey($idp_key); + $token->addSTSCertificate(''); + $claims = $token->process($_POST['xmlToken']); + if(($claims->isValid()) && ($claims->privatepersonalidentifier!=NULL)) { + $ppid = $claims->privatepersonalidentifier; + $ICconfig['InfoCard'] = $Infocard; + $ICconfig['InfoCard']['issuer'] = $autoconfig->getValue('tokenserviceurl');//sspmod_InfoCard_Utils::getIssuer($sts_crt); + $ICconfig['tokenserviceurl'] = $autoconfig->getValue('tokenserviceurl'); + $ICconfig['mexurl'] = $autoconfig->getValue('mexurl'); + $ICconfig['sts_key'] = $autoconfig->getValue('sts_key'); + $ICconfig['certificates'] = $autoconfig->getValue('certificates'); + $ICconfig['UserCredential'] = $autoconfig->getValue('UserCredential'); + + $ICdata = sspmod_InfoCard_UserFunctions::fillICdata($username,$userCredential,$ppid); + $IC = sspmod_InfoCard_STS::createCard($ICdata,$ICconfig); + header('Content-Disposition: attachment; 
filename="'.$ICdata['CardName'].'.crd"'); + header('Content-Type: application/x-informationcard'); + header('Content-Length:'.strlen($IC)); + echo $IC; + $state = 'end'; + }else { + SimpleSAML_Logger::debug('Wrong Self-Issued card'); + $error = 'wrong_IC'; + $state = "selfIssued"; + } + }else{ + SimpleSAML_Logger::debug('NO HAY XML TOKEN'); + $error = NULL; + $state = "selfIssued"; + } + }else{ + SimpleSAML_Logger::debug('CONFIGURATION ERROR: UserCredential '.$userCredential.' NOT SUPPORTED'); + } + }else{ + $error = 'Wrong_user_pass'; + SimpleSAML_Logger::debug('WRONG username or password'); + } + }else{ + $error = 'NO_password'; + SimpleSAML_Logger::debug('NO PASSWORD'); + } + }else { + $error = 'NO_user'; + SimpleSAML_Logger::debug('NO USERNAME'); + } +}else{ + $error = NULL; +} + + +unset($_POST); //Show the languages bar if reloaded + +$t = new SimpleSAML_XHTML_Template($config, 'InfoCard:temp-getcardform.php', 'InfoCard:dict-InfoCard'); //(configuracion, template, diccionario) +$t->data['header'] = 'simpleSAMLphp: Get your Infocard'; +$t->data['stateparams'] = array('AuthState' => $authStateId); + + +$t->data['InfoCard'] = $Infocard; + +$cardGenerator = $autoconfig->getValue('CardGenerator'); +$t->data['CardGenerator'] = $cardGenerator; + +$help_desk_email_URL = $autoconfig->getValue('help_desk_email_URL'); +$t->data['help_desk_email_URL'] = $help_desk_email_URL; + +$contact_info_URL = $autoconfig->getValue('contact_info_URL'); +$t->data['contact_info_URL'] = $contact_info_URL; + +$t->data['error'] = $error; +$t->data['form'] = $state; + +//For testing purposes +$t->data['username']=$username; +$t->data['password']=$password; + + + +$t->show(); +exit(); +?> \ No newline at end of file diff --git a/modules/InfoCard/www/login-infocard.php b/modules/InfoCard/www/login-infocard.php index d33c7dbb7..af12e8f85 100644 --- a/modules/InfoCard/www/login-infocard.php +++ b/modules/InfoCard/www/login-infocard.php 
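Review bot: The plaintext password is copied into the template data (`$t->data['password']=$password;`, flagged `//For testing purposes`) so it can be rendered into the next form; that round-trips the credential through the browser on every step of the self-issued flow — store what the second step needs server-side (e.g. in the state referenced by `$authStateId`) and delete those two lines. After `echo $IC;` in both card branches execution falls through to `$t->show()`, so the HTML page is appended to the `.crd` download beyond the declared `Content-Length`; add `exit();` after each `echo $IC;`. The session guard defeats itself: when `$session == NULL` it calls `$session->getTrackID()`, which fatals on the null — pass `NULL` as the track id instead. `$authStateId` is read from `$_REQUEST` but, as far as this file shows, never loaded or validated through the auth-state API, so consider whether the card generator should be reachable without an active login attempt.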
@@ -3,7 +3,7 @@ /* * AUTHOR: Samuel Muñoz Hidalgo * EMAIL: samuel.mh@gmail.com -* LAST REVISION: 22-DEC-08 +* LAST REVISION: 13-FEB-09 * DESCRIPTION: * User flow controller. * Displays the template and request a non null xmlToken @@ -52,7 +52,7 @@ SimpleSAML_Logger::debug('NO HAY XML TOKEN'); unset($_POST); //Show the languages bar if reloaded //Login Page -$t = new SimpleSAML_XHTML_Template($config, 'InfoCard:login-infocard.php', 'InfoCard:logininfocard'); //(configuracion, template, diccionario) +$t = new SimpleSAML_XHTML_Template($config, 'InfoCard:temp-login.php', 'InfoCard:dict-InfoCard'); //(configuracion, template, diccionario) $t->data['header'] = 'simpleSAMLphp: Infocard login'; $t->data['stateparams'] = array('AuthState' => $authStateId); $t->data['IClogo'] = $IClogo; diff --git a/modules/InfoCard/www/mex.php b/modules/InfoCard/www/mex.php new file mode 100644 index 000000000..43c6554c6 --- /dev/null +++ b/modules/InfoCard/www/mex.php 
@@ -0,0 +1,257 @@
+<?php
+
+/*
+* AUTHOR: Samuel Muñoz Hidalgo
+* EMAIL: samuel.mh@gmail.com
+* LAST REVISION: 13-FEB-09
+* DESCRIPTION: InfoCard module metadata exchange (POLICY)
+*/
+
+
+$method = $_SERVER["REQUEST_METHOD"];
+
+if ($method == "POST"){
+ $use_soap = true;
+ Header('Content-Type: application/soap+xml;charset=utf-8');
+}else{
+ $use_soap = false;
+ Header('Content-Type: application/xml;charset=utf-8');
+}
+
+
+$config = SimpleSAML_Configuration::getInstance();
+$autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php');
+$ICconfig['tokenserviceurl'] = $autoconfig->getValue('tokenserviceurl');
+$ICconfig['certificates'] = $autoconfig->getValue('certificates');
+$ICconfig['UserCredential'] = $autoconfig->getValue('UserCredential');
+
+
+// Grab the important parts of the token request. That's pretty much just
+// the request ID.
+$request_id = '';
+if ($use_soap && strlen($HTTP_RAW_POST_DATA))
+{
+ $token = new DOMDocument();
+ $token->loadXML($HTTP_RAW_POST_DATA);
+ $doc = $token->documentElement;
+ $elements = $doc->getElementsByTagname('MessageID');
+ $request_id = $elements->item(0)->nodeValue;
+}
+
+$buf = '<?xml version="1.0"?>';
+
+$buf .= '<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing">';
+
+ $buf .= '<S:Header>';
+ $buf .= '<wsa:Action S:mustUnderstand="1">';
+ $buf .= 'http://schemas.xmlsoap.org/ws/2004/09/transfer/GetResponse';
+ $buf .= '</wsa:Action>';
+ $buf .= '<wsa:RelatesTo>';
+ $buf .= $request_id;
+ $buf .= '</wsa:RelatesTo>';
+ $buf .= '</S:Header>';
+
+ $buf .= '<S:Body>';
+ $buf .= '<Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex">';
+
+ $buf .= '<MetadataSection Dialect="http://schemas.xmlsoap.org/wsdl/" Identifier="http://schemas.xmlsoap.org/ws/2005/02/trust">';
+ $buf .= '<wsdl:definitions name="STS_wsdl" targetNamespace="'.$ICconfig['tokenserviceurl'].'" xmlns:tns="'.$ICconfig['tokenserviceurl'].'" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsid="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" xmlns:q1="'.$ICconfig['tokenserviceurl'].'">';
+
+ $buf .= '<wsdl:types>';
+ $buf .= '<xs:schema targetNamespace="http://schemas.xmlsoap.org/ws/2005/02/trust/Imports">';
+ $buf .= '<xs:import schemaLocation="" namespace="'.$ICconfig['tokenserviceurl'].'"/>';
+ $buf .= '</xs:schema>';
+ $buf .= '</wsdl:types>';
+
+ $buf .= '<wsdl:message name="RequestSecurityTokenMsg">';
+ $buf .= '<wsdl:part name="request" type="q1:MessageBody" />';
+ $buf .= '</wsdl:message>';
+ $buf .= '<wsdl:message name="RequestSecurityTokenResponseMsg">';
+ $buf .= '<wsdl:part name="response" type="q1:MessageBody" />';
+ $buf .= '</wsdl:message>';
+
+ $buf .= '<wsdl:portType name="SecurityTokenService">';
+ $buf .= '<wsdl:operation name="Issue">';
+ $buf .= '<wsdl:input wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" message="tns:RequestSecurityTokenMsg">';
+ $buf .= '</wsdl:input>';
+ $buf .= '<wsdl:output wsaw:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue" message="tns:RequestSecurityTokenResponseMsg">';
+ $buf .= '</wsdl:output>';
+ $buf .= '</wsdl:operation>';
+ $buf .= '</wsdl:portType>';
+
+ $buf .= '<wsp:Policy wsu:Id="STS_endpoint_policy">';
+ $buf .= '<wsp:ExactlyOne>';
+ $buf .= '<wsp:All>';
+ $buf .= '<ic:RequireFederatedIdentityProvisioning />';
+ $buf .= '<sp:TransportBinding>';
+ $buf .= '<wsp:Policy>';
+ $buf .= '<sp:TransportToken>';
+ $buf .= '<wsp:Policy>';
+ $buf .= '<sp:HttpsToken RequireClientCertificate="false" />';
+ $buf .= '</wsp:Policy>';
+ $buf .= '</sp:TransportToken>';
+ $buf .= '<sp:AlgorithmSuite>';
+ $buf .= '<wsp:Policy>';
+ $buf .= '<sp:Basic256/>';
+ $buf .= '</wsp:Policy>';
+ $buf .= '</sp:AlgorithmSuite>';
+ $buf .= '<sp:Layout>';
+ $buf .= '<wsp:Policy>';
+ $buf .= '<sp:Strict/>';
+ $buf .= '</wsp:Policy>';
+ $buf .= '</sp:Layout>';
+ $buf .= '<sp:IncludeTimestamp/>';
+ $buf .= '</wsp:Policy>';
+ $buf .= '</sp:TransportBinding>';
+
+ // Authentication token assertion
+ switch($ICconfig['UserCredential']){
+ case "UsernamePasswordCredential":
+ $buf .= '<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
+ $buf .= '<wsp:Policy>';
+ $buf .= '<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">';
+ $buf .= '<wsp:Policy>';
+ $buf .= '<sp:WssUsernameToken10/>';
+ $buf .= '</wsp:Policy>';
+ $buf .= '</sp:UsernameToken>';
+ $buf .= '</wsp:Policy>';
+ $buf .= '</sp:SignedSupportingTokens>';
+ break;
+ case "KerberosV5Credential":
+ $buf .= '<sp:ProtectionToken>';
+ $buf .= '<wsp:Policy>';
+ $buf .= '<sp:KerberosToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Once">';
+ $buf .= '<wsp:Policy>';
+ $buf .= '<sp: WssGssKerberosV5ApReqToken11/>';
+ $buf .= '</wsp:Policy>';
+ $buf .= '</sp:KerberosToken>';
+ $buf .= '<wsp:Policy>';
+ $buf .= '</sp:ProtectionToken>';
+ break;
+ case "X509V3Credential":
+ $buf .= '<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">';
+ $buf .= '<wsp:Policy>';
+ $buf .= '<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">';
+ $buf .= '<wsp:Policy>';
+ $buf .= '<sp:WssX509V3Token10/>';
+ $buf .= '</wsp:Policy>';
+ $buf .= '</sp:X509Token>';
+ $buf .= '</wsp:Policy>';
+ $buf .= '</sp:EndorsingSupportingTokens>';
+ break;
+ case "SelfIssuedCredential":
+ $buf .= '<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">';
+ $buf .= '<wsp:Policy>';
+ $buf .= '<sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">';
+ $buf .= '<sp:Issuer>';
+ $buf .= '<wsa:Address>';
+ $buf .= 'http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self';
+ $buf .= '</wsa:Address>';
+ $buf .= '</sp:Issuer>';
+ $buf .= '<sp:RequestSecurityTokenTemplate>';
+ $buf .= '<wst:TokenType>';
+ $buf .= 'urn:oasis:names:tc:SAML:1.0:assertion';
+ $buf .= '</wst:TokenType>';
+ $buf .= '<wst:KeyType>';
+ $buf .= 'http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey';
+ $buf .= '</wst:KeyType>';
+ $buf .= '<wst:Claims xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">';
+ $buf .= '<ic:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"/>';
+ $buf .= '</wst:Claims>';
+ $buf .= '</sp:RequestSecurityTokenTemplate>';
+ $buf .= '<wsp:Policy>';
+ $buf .= '<sp:RequireInternalReference/>';
+ $buf .= '</wsp:Policy>';
+ $buf .= '</sp:IssuedToken>';
+ $buf .= '</wsp:Policy>';
+ $buf .= '</sp:EndorsingSupportingTokens>';
+ break;
+ default:
+ break;
+ }
+
+ $buf .= '<sp:Wss11>';
+ $buf .= '<wsp:Policy>';
+ $buf .= '<sp:MustSupportRefThumbprint/>';
+ $buf .= '<sp:MustSupportRefEncryptedKey/>';
+ $buf .= '</wsp:Policy>';
+ $buf .= '</sp:Wss11>';
+ $buf .= '<sp:Trust10>';
+ $buf .= '<wsp:Policy>';
+ $buf .= '<sp:RequireClientEntropy/>';
+ $buf .= '<sp:RequireServerEntropy/>';
+ $buf .= '</wsp:Policy>';
+ $buf .= '</sp:Trust10>';
+ $buf .= '<wsaw:UsingAddressing wsdl:required="true" />';
+ $buf .= '</wsp:All>';
+ $buf .= '</wsp:ExactlyOne>';
+ $buf .= '</wsp:Policy>';
+
+ $buf .= '<wsdl:binding name="Transport_binding" type="tns:SecurityTokenService">';
+ $buf .= '<wsp:PolicyReference URI="#STS_endpoint_policy"/>';
+ $buf .= '<soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>';
+ $buf .= '<wsdl:operation name="Issue">';
+ $buf .= '<soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" style="document"/>';
+ $buf .= '<wsdl:input>';
+ $buf .= '<soap12:body use="literal"/>';
+ $buf .= '</wsdl:input>';
+ $buf .= '<wsdl:output>';
+ $buf .= '<soap12:body use="literal"/>';
+ $buf .= '</wsdl:output>';
+ $buf .= '</wsdl:operation>';
+ $buf .= '</wsdl:binding>';
+
+ $buf .= '<wsdl:service name="STS_0">';
+ $buf .= '<wsdl:port name="STS_0_port" binding="tns:Transport_binding">';
+ $buf .= '<soap12:address location="'.$ICconfig['tokenserviceurl'].'" />';
+ $buf .= '<wsa:EndpointReference>';
+ $buf .= '<wsa:Address>'.$ICconfig['tokenserviceurl'].'</wsa:Address>';
+ $buf .= '<wsid:Identity>';
+ $buf .= '<ds:KeyInfo>';
+ $buf .= '<ds:X509Data>';
+ $buf .= '<ds:X509Certificate>';
+ $buf .= sspmod_InfoCard_Utils::takeCert($ICconfig['certificates'][0]);
+ $buf .='</ds:X509Certificate>';
+ $buf .= '</ds:X509Data>';
+ $buf .= '</ds:KeyInfo>';
+ $buf .= '</wsid:Identity>';
+ $buf .= '</wsa:EndpointReference>';
+ $buf .= '</wsdl:port>';
+ $buf .= '</wsdl:service>';
+
+ $buf .= '</wsdl:definitions>';
+ $buf .= '</MetadataSection>';
+
+
+ $buf .= '<MetadataSection Dialect="http://www.w3.org/2001/XMLSchema" Identifier="'.$ICconfig['tokenserviceurl'].'">';
+ $buf .= '<xs:schema xmlns:tns="'.$ICconfig['tokenserviceurl'].'" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="'.$ICconfig['tokenserviceurl'].'">';
+ $buf .= '<xs:complexType name="MessageBody">';
+ $buf .= '<xs:sequence>';
+ $buf .= '<xs:any maxOccurs="unbounded" minOccurs="0" namespace="##any"/>';
+ $buf .= '</xs:sequence>';
+ $buf .= '</xs:complexType>';
+ $buf .= '</xs:schema>';
+ $buf .= '</MetadataSection>';
+
+ $buf .= '</Metadata>';
+ $buf .= '</S:Body>';
+
+$buf .= '</S:Envelope>';
+
+
+print($buf);
+
+?>
+
+
+
+
+
+
+
+
+
+
+
+
+
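Review bot: The request's MessageID is copied into the response unescaped at `$buf .= $request_id;` after being read with `$request_id = $elements->item(0)->nodeValue;`, so a MessageID containing markup changes the structure of the returned envelope, and a request with no MessageID element makes `item(0)` null and the `->nodeValue` access a fatal error. A guarded, escaped read covers both: `$node = $elements->item(0);` followed by `$request_id = ($node !== null) ? htmlspecialchars($node->nodeValue, ENT_QUOTES) : '';`. `$token->loadXML($HTTP_RAW_POST_DATA)` parses untrusted POST data with libxml's external entity loader left at its default, so `libxml_disable_entity_loader(true);` should precede it; the same applies to both `loadXML` calls in the tokenservice.php hunk. In the `KerberosV5Credential` branch, `'<sp: WssGssKerberosV5ApReqToken11/>'` has a stray space inside the element name and the `'<wsp:Policy>'` appended just before `'</sp:ProtectionToken>'` should be `'</wsp:Policy>'`, so that branch currently emits non-well-formed XML.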
diff --git a/modules/InfoCard/www/resources/infocard_self_114x80.png b/modules/InfoCard/www/resources/infocard_self_114x80.png new file mode 100644 index 0000000000000000000000000000000000000000..9351cbcebdace06d93a7a5d00287732823bc676f GIT binary patch literal 9302 zcmeAS@N?(olHy`uVBq!ia0y~yU?^f>U<lw~V_;x7x>M1Cfq{XsILO_JVcj{ImkbOH zY)RhkE(~Ds(|LD20|NtRfk$L90|U1(2s1Lwnj^u$z`$PO>FdgVlaY_xg!k=~oB0e3 z3Jjhujv*Dd-qu!62|2p+{rar$JfG*y6O@n$U}LG&?648-lyEUr2|skP_{?FCbA~57 z6^|9?zw>(JIpqjTzR>kuJ5)~EUKgJu@%4y!7DM1f!KvF9G<=#T`NWdvbIQECdsn}c zufBdS{_48Bws*F^`}_LM)~eF-x9;!P-TxQ2|NUyMHksSZ#o>JgT^lq4yIlP^*FED@ z`8faf|IfZD7pA>*SbMuQYP<C6Y1j2~&zISpW=n`uoyIHCqI%e!$NlL7uMoaHEUv1q z2|N=n?Qf`O)fC)v`R^Br+lAZ8Zdcwae06T=)A=WK{s&3@k2v<Fsa|HU`{#dWs<;02 zzg@p!Zu0Bh@6P3InUn8!`lr~O9E;9<YHPf<C*Azy>)rod`ow(wh{|$D)36??_{n>c z9*KH9dD>{GFx6|}+NGvdteght7z_%|ZF$eI$E<$-l!xWV7>-Fu7~h`xUwvk|?Ek7B zLxcabdVbIUn;p@(>5lr}b4wZ-F0Vg$BK>xATHN$Phc2D{`V0jQyZ&+BDVoz`r}HvI z%H7VoXIC?C?q2o6|Le_lV&@8<Xy3Q%)66F)4yj&0Gpj2l)iP+MNS};dOIvd3i+8WO z>@M;==wm)-DRaE>u&f0qd*9=RVs^gg5B`;Jov$uq(bK$oTg&}(mUCK|&&j9={rj0U z|8R5min4Q-7SH7-@Gx%p(r>uT{KET#hW`#HS*ux0v(tGc;Z}X0-GM2{>wOWAfKyci z$JO{tzh!I`?v)>7c=+r1A?rA=m6<Jl+sbOTJXPKz`#$pP>F{ZFvmZUnP|%C}d1irO zs`t9xg=Sse-331`IM)35mu520vbjV{wsjt3PvQRJN)Dy)x$l_|a89rjU^KYHaR1}M zCu~1NJieaWq5soP!c0Jtu|rtkZ`rLhIp!C+XQo>%GhyPMIF-YZ<@?qtOpOf^4*G}K z6$ElTRi=CH_jTIAB;??jsMyvo(Rc0KvenCDjr4!sTUaWs<nZs$w5jFceVQ?5)%S9q zJbj+{{M%ZKk_QYe+G`lJN{@?5glKuDv;XE;a3|wA%MXE^b&c!KEq)uK#WXeBOJJ&2 zDUWeqqwA*^hCMe@xy)EQ8$48f7`3LRuual7wbpFmSsHTUL9EC7r)fq4K??N_c5Qs? 
z-GYC=jJ$k0FYiW8&RzA!X>|$jP6@Ie-k9{NG<f2P(}&OHMi=f`7x&wF*58Q?7R>2) zsx4#KCsy7+TRW%NAYS&;^v4x%`>s99IBwu}F3~1rvCfoZ935&7XBOF+KJQu)k+yv& zj}FT@c6Oc#I#XPh8s+vyeOSyD65Og~y((mj$OI<`j>ZzL-h21rp75VIY`S^bq6CRB zn}WxuJ~5ow!=)o_x=$@KF0fCzo&QlqZS5ZR7x^M8zh-{SkpAA-CG*~U<#IP&hT`M5 zmaPt4Rz3gBj~s^6IdZF4Ch=~NELr)zF6dRPij#ZmEn9!C)C{jyCjU$}Pt%+PXItyn zD?=4qzDII=`T9-q>U5_~n`EZ<O3pjuoy5wpf&JM!9ev5}ZL{-tO9pwZseNpkGR1bw z&aXUm%iH?6(#57`1utKA%g5qaUEaptI%`Yw<;BSx^LG_zt?)l`!&P!s;(O!EOMGvd zth};_qcMcfk6}?!MMTG}f~D8azheAwkG18CLy5885|M&faVHKA#lU$!i`H)!pM5RY z>A9lH&fpH!(5s;*PM>#nuAR%SbXuswXqor)PbR(F0&ekm7FT?^@gUW5-Zo>uB`P7k zKDQjNG<1GU%Dp7hX5V&8^|_}&wVSiF*exdm&SRaYR1~rjyS_LHoxkUG{-EHY$!_sV ztpXE*4wc$E{QgxH7!lI4>Xp_9#)u<xlg`N6Y~c!G;w>%RmDTkpQ0$idDyN<5hG&@6 z_+_N-{$o|J-gWoNf%1~l94jTk<E=+6^wcD7_B}k4C!To2?&a$6Gz)8?BL@}dX{0dB zQ(O7UCZ3l&Ra|t&lc&4p?VS>|VE1b79>(VOFvY+w*G?D7XVb!`D9-g;xOeSYIUDwm zi`G3#QoZo7O*v)y7K_f%w>?{2Z9+VM-7fK)aqs7uAMzVkMjS3Ps*)A@e6hjSBJR}z z4bzqHJe^)WUva_dhy8Kqf~D*IT1D&@%==h6HRabs54FjS0!&XuQwzEZOPii6Mo!al z4^B=#61zM>Yo$b0r0BYM3)!WjstdU$37z3*pD`uQ`uW8&Q6mq|XSc2N)gFH<i|@^T z`|9a;v&|pV%+~4jeK)prl#WmPRC4p&_Ky<|EvUBOzy0TY+>1jOug`Tmyl-=c^>t1~ zr<GHlsMf6XSsJ9_J?*fj18@J+$_}s8BkRt_S;#JZ>Uyx(;FwJVM}t(ys=0qMx!Rbx zxGpGscy`b-YPWCbt7AHHF2W5v{x+7Jd{KJlyjj9o_Ji+*d0ozxCe(JG*Dfe{*>Z4} z6|c(04O4GzcD(Ar;u8P2V7}kuIg3pqWttu~AGtDL*eO4}KB%LEC5V%wAxKE#hIXvg zRm(GJ?~59Rk1^d;4UtVx-sZc~_-5hc2}}2<Hn}goSX#UFm8|`O2KEI9`K_0TOb}>$ z#rybtOYhg~|C$$DYp&Wn^+@JDotyFuE0#=J;m>Pxt~9`hGel@L1J9n|X|a1}D$H<* zko+*?N~`YE#Oet-FQvcUUgH14nl)f$#K{PTdCxxV*thnJ<C5*uIvPCg?M$}NKjN2} z6|_}2RM=w@Q%qx`ml|v5zTgX;xjk=PqTO%jEb~>J6_j#%{Y|^?$Ja&O6iE{Q`~Fg? 
zqU7fq^?0XNCf^eW%vRmFw0ZhN=gAvp3BB}Q<b0U>eQfZ;EzPYAQ@&_=c5kj<mh$Vm z#fH6%ujk)v{2TrHV%0mQODlOku|HY3W)VlIvX<eqR}W|WX}vh3`1X>F_FFQ2ISZt3 z?^*PF>wD?l;V-hny!L!Qb-dzlCx2nid(Dz<Uo%YZ9GiE1leIgG$=cPD+)D!LuQ^>{ z`N?yCb15&oR^sW|hQ}UR`e*&G`CudZ#wAyob;87k16#To=G7JG#?{pnKPmfF6_oMH zbK%Pp>2LXK53jDj^`<mxj<K_~esudShyH2>iNmk`>pG6VtKL}u@^4+r*{NPrkCb_7 zGN1f1N5*qcC?}_CZ=LndxGOgm6|xe36)G0bdC+dU(!@%6f{#|?s|aV;{Hnr!(IY$F z{^{(i5O^H2?(EEyYFpc0)f66GcIScSfk!#23xBA5Ok)n{+#Axk|M-&%p%rfyZ<_gK z{fkwhPUlSw7DfG?vp~%J(uJlQo=<;V@VoTLLAfR3_Z73X{%YqWTJ`mJ$~CXjez1#a z`Rj8J7vE~W@$Fh&$|b#7ecKl&d2r6Lk&`!1>t@|txpCXMbe?qSSzGU(m#YwPb`MEg z|9eB41JBBkZ4<Zso|ARpgTPiVXMx09Cmd{Ko1Kbzr24F9xiktfxxCGqw}x}xf0dy2 z<^L`l-<tpTSN&erqp7V8ET2Bf_RO;2nI3N`v%RKPEbh-^H;(W}PR0C_LR|$5?CSn& z-23&JuV&X?#<S_SCVHk$kcsKiPVYT(s5&kA6mRk`@$_HUXNUh#e!VWg?|<l(dCw{& z4#_OzxUxz`aaM{>Nrk}D7fUYe3}1a+YQn=Q&sAQkeeJ4PW-@Jw4$s!^W$9jTS4=6m zye?0C_hk(|?Vc2qQ`+7I=k@cLB__N(oiX?F-HXll>%Lpoe7JSbquy+8&f#U#za?Du zt}b|ecXPr2$MyX#^CsVxJjGhF?Um8#(h$y$FLPx)B->;r-LO69+%LMYS$RdvuPd<& z1XeE3YFcs1NP_$78ny+#OtqhEgci+UnADzr<cH#||8<`pUjJ~Cz5U|do7uW+E)`8+ zXnFl;q4oT2O&NKw!}AZH`v0xSCVDdOgnt&6hWD4M-jwlB*gDf?E0<u=nxK}49jCf3 ze6VnwujM;;(i`Tpzt|o3&%CA7Siit7bB<@7`{EZ2I=jmG<o@2{KKRw|y7|MIPwSZ( zro;y|on9x=v@uxku&H^^*BPqI%CGINzuSCwHedGKlJDomADsSv#?7-*v20%{Lx0`> z%91T5%nbJ`9y#m$xaQL{+e}G4LAqLwc}Y*3y4iWl*|8ygeFBUtO!`_jP45y=_?YB! 
zR4f0w+eO19<+U%Dy1aP9a<2Dri@x!b4J;oECt3b~eR<=L-^E{F|BkLMR{xf3+co{) z4?VeG*Mx8Uxa7y+aPq*R2fOnBrnZ-zll^}7=yth?hEoTZp3pyW_|5v5*56@w*2#W8 zCM+Lkb6EKKQZGqwey_`VQVIc8ep>5p^(!x3=%sq-{IV?H3pO(8Hf!pXUxn<IdG{i* zRjHvi`J9ZpR8hdOHm_xy*4EvQ<-gO^d0GGXHs0SKZl0@}lV`EsP`n{s{JPCYIj#07 zNr&cmH@}wu`D01ho$32(bC-Nhzh~t5dtbeG?0=_e|5n_{nR=5;W%lt^GBVe%-jH+c zYQHjPLyF_3fRZSs>6eQAG!}Zbu9ClI5%&0HukxwfkQmQY#&vu4u`#z#d93aIOyTPE zV=H&5$=tcy@csS|iMelW50;wm{Ux~X<L22-_h03_zWD3w?O?f+vfcCY&c8i#<HY+M zok^L@oE_WDJY^L{+cf;mJPck3Nv1e1xp0U-&r79OUN+A|?c`$CjZ2uWO+Vvtz<;w0 zTZci>1ZI8R!y5{xH(2xhWUZ92Tqw2uUa9Q6-+%2hWJ^AIOkQ@$Yf`JY?Y2eRt*_Si zo4(s&;nq>L;NNMnFYE_q@%4Y;V3^(P9RFn-hvESx(Y$4g7aM(TOkSKf<x=sosHJ}W zf^)Pz|6V`(U;6u>SK2#jE*XUI=sMm!pj2W~u6*}(tLjnFpHcBopIXn-lD5s9@$8Mw z*Ngsv#&sTL$JD0ZI^%Z#>4`?KNdeoKR;cuQ={#ppWH*^~M>H{0<zZ~5RQKiI4>*r2 zpVnOb__<POwL+ugtkV~-tUmTc<Kz<0B(1G=zx#OEKir+U|8Rf)U*>Cen?;wuKDW@q zl40uAqdP8K>{OSlihX@}R;TmUbF;s1&Ajz5{?130d-b{cR<o=XW5jJ^Yb^?&$lR-c zEBxoBdUnD0Cr@`CTy*Zt(IYe1c-48;Jf%LS6zpLNOtoX-v~J1MzxuDEcS_yL`9aH9 z9SK}*|MjL^_P>i_#!;JoinwsCx%KUe+_8DL4qIM*H2wcatF^|@>vN^9+3ppcpZEDy zq5t){$2YCFy=%|DbibdEeR2QBOYSz|!Bv_&yo^?sOKqIm_&Is=#4{yjQ?#zCPD!(1 zy6vIOpi!G{Wj4qCt?K7DiS^sp-}}va=TGm;TbJLf$o%>B^nJpwKZWAy8k?V*7c=H^ z{!6wEzLhuG%ZrUgkxR2vB<OQYsD{wSiC#%-wk{D&aGoT?642Y%z54V-q1xDW=JQ&3 zCRUgIZ~pOPukwxkYx$0Uo9p!Wx$cXMmu|cCo0}fhgv5q*avHlO9NeCk_-Kt(_VQ_= zA`d5;-aovqxBbJp&$~a|{KmFr&Rd67=DkgiYIvlk9qIV!Y*6^j<IJ8?r<yG7zMAun zr#&yN^OXFU(Of2fhojWJPu$62m(%v{b?+E1?w@dB=bMaUhZT<=oFf*d$<UjUDHB+? 
za4G-uzOBl0i`Gtk=-kG8Xu^K!mY>_J?|W-=2UdA1PIB&gYia9k$@W<0a=uji%g@J; zr`sguBpkSMgkkr_YFEGGp0|?Rgd=80ea%(rRXy9JJ=unTuIg-;O*66z78NP8hA;af zxOLUH(()yRpDw4>>bUv@Zqzb<ne);yJ)1x3d`Z%Y8C)V_&%f$F&i9T#%KE*~)Z)vJ z9R8N08!x`FIQ3%1<CEV{e4O%h;*zxETaQl??DET%<9+VJ_FzS$*&U53T^2TGyH7}* zlga934~){<<ylw|UoLgr-mZOH@!ee}$EIpMle#@m*Lh<1D&zjC7kz9!d?W(bo{9_l zH+4$Yg-QJrB&J6h&74*jvHHahC6<tx`&V%!tkRm(Z0tVWLA2|_jtM~}3{|_0JihO| z#qrQX(WK{~*{i~5iHC0{-<$CL$pfY8gCXl~1>Ksr)=F=7%dApUFRe2T_b&)s>QHCq zzb>{+<5u6Q&>&0kTfQsrnqB|5JM!McmSpjl2Kj554y@rZPx72N@uHCTu{V!}5+yx* z0<30B-MV;rX5X~j8*$>oNk^`3KIW;-=+d^Bt)zeIEyKr(7aYWursPe!Cgk=&-oWa@ zYL-Pe`H!thw%o$FjIaONrb{;_crD}7<r3b-P?V-A>24u&N5@X>RX9iIvh%keTi>cV zdefiVV4~0ji)qJ$s+G^~QD&Xc<o+$%GV*Zt)=5uOTEzZx$0)O`S={;6afRc>jgciw zHz}F;s;YkCmJv~Be=*5@>BOG%%aaARUh;V)@-@a|;cjJ7{*d}P3;!9IL<*e`32hSd zp6R&1H#u~Y%<`_#q?@L0DKo!X<;AozB*@DiwYk0G%`(r62NjrdOs$>W!>d|@u1tsu zS+mt-vU}rOi~G6yOE%qfls-`S>W13dwq1P|25!84k%9@ms+=#v4*d1{tk9{`yXv!o zeC7?0RZ(+iC>Hdj*`JBHRKTWjo{OP%>CY82V_KEsjm{eWo#?pYS@|;N+t=rwo9Wcm zYkT&*T1DiZ$X@BCtRZP9994a_^HmJhRGD?wOnA0(my*)LS2o#}DHduMxA&T`6ncop z)+c!e9p};vjF{9uaWZ@Q*&Xp2FOSYt)|G455R~j*lvNsZcjiCATQ`?2>XM!@IXNO$ zWrO*pFsZj`UTa>SR7%P`6fsFm-FvT*L!<ZctRmTtg0x<RvXq4`R($=_N+XWxTv}43 zGe0vhap`oCqz@-j_LLYco^i|U&)H-5Zd}P;7Zn~Ixbfx8Tepgz%KM&N!mx^`W7SQ= zgNttpXl`kbS)cv%n2BbO!1Fmhe-*xcxc2G)y3!xFWB(hQG^=$K3h$n1KgC{QVXshM z#rkI%uVRF*%4cr%T(|V|)*t7$6fgUpxxq(mLpjg?sb$gUumAV)cL~0raeS3UM4}?g zjQnb$x;H0GR-K#e*Yop9gPF(iOMyDk-xk<!<}>1sJn%)*Od{gjtD@O0&yuQ=RDxE` zQn_rrb>fq45tpXz+m!33IyX!*!N_{T#MiA4*&i%lBV*ASASCOobe3_A+4p&TVOxzf z&92+2eY>1?BjH3`{jBUcDR*{m`|QiryULkMr_xo!>T^Z6S8unfY2Q`e;P5Oa)ne~} zz=DufT&o-`=gjo-Wm>p&{To5&{ch$*+24o>bY}6YG4v=O{2k4i&K=Hkb<IuV=oJZ8 zT7^$`uAO!@?6;Sy@TDx}y&?%2OSZmo&p1@WAiU(zoc5Ec!CQ~1rS!hNaWA;y=f|iw zw}aY0FTXv}bGL?kM9-{`&IXm|GR{PrNSX?_xp91+?0!D+vA1<$&VA1<rlp5UW2a0J zU$`qxAx(EqgXMN#r?W?1aRfZ8;MH}V`c~pogC~Rh{&JT5zp3hWw=Xt4GnPHE#7ILv zq>0lwdqcuWAD?}7AsNQKIc~py>h0OGNX*(?#_97+K9Q+>2ShKoB_Evha!1y=6%hu^ 
zolAK5J|_4|i>=L86^V72Vx4x>a^Z_VK__B1-hSuX{&BPG|F#~(eT%n#WQvm3Pw;;$ zxTdONubqG!6MMON!c+hFmf07tdboRwTSe_EDER*I!=4x&-}-OD);F(SY`%ZAN7=G| zmF(>JpDZB!dA}v^ce`C2eogJ$LcD6~HVE?H-N?1}xz)+q^5pB$?HgaOJ^W+0{Mn7o zFRIrr;OV=<y}@MqOhr5SlNt>wwM)-hrAl6q3V;6TigSH;!;IC&lF1RDpFHE}_#b{X zPdxbB!}EuByg9dA*;ydx_U-fUoRrQV{9a!lEg=1^Z25;1lb)LhoPGQB_`Uw{wf~+g zgu2><Os-y5WvjyShqI(~cgC4F9@-CHu&_tY`;}bnpLxIj^QUry+<z4*L6UQ<%H*oE z_#e-GUM|UKRq*PD<=Z_=|35D4nIFb%u6&_llc?_V=#S^PcNa0eIQv59_wyeN72ntI zR#v$8^}yL3r6+wvrivz9w`Tu%gFpUQYgoTp%>OfGXMW!@m9X6@738(&^PjvqEAu(e z>1v!hY}>DMWXtUJ3`>smne#tfSs&ZKZ(hk4v5v(qwjsu8J!kxuO?NgjVw+U4a^EUm zCx+01))|^XJqdSo)>v(LT`Y66m}%yg?$heLhu_-I>Hfd<>2a&0>Wwb@?6mg%JCIpZ zw?lB|mhOj(*&l!Vz36$W?vhviP7EKu74P1%?Wp(uhV}nb>?SpPO_=`v!L8QtDj|<; zU(e_8+vQg#@89-*w*CBmeVu(=tw(=qXq-Df=V<t&bMw#i{@a#R5@WvR=Evk?6KW0O zHh8EoJ7ua|_Njiz-Z<AQZCl91{bzSn+L-O#qW<IG8)fMaZ<OyH+0WcQHTjkJ@uZLZ zc?VvcJiJx?-Km+2H@v>f?0EUs)#wdnU&Zuy+H7Dk&Y#<H^!qu^^RN9CL&c(3+5{KN zoNU^i{%YfrDKn}rNBn(wr_N@=lJop8W~Cf!Dimx>KQ{eX^4Cq<l`pN>6Q(tFlHbOh z-I);_j8;$P{QM%5+;Vf;F%PZTS*9uv?zxLE{^+7@cl%yKsf^j5O7?qodE(Rd|BCh5 zuc?#%r~P-HlXo)vD?3|J%k^(-)Xn}>THmY7Q=hi~ldRAFN~iyCRgw!X&%9Cl%wp1e zzyG!8yv^pn<=AuW9e3@meV4kJdY?`VTC`=6!M$u=mCNt$M1+SmSauwrarMUHCm}Nz z|6g~k!lG}kfWf0}rw%Ty*z+yEAfei}EZ3&xm;d<(M;;buSQMDeNQ>UVw7P!pz14M} z=g;2MmGtL{fBC|^|C%-1Hp?x4HS0pfBGz=NbL_1<4~a(noo)X2^P6HO4#kIDob5a} zv#qX*?M=16rmd;ZaV+p#`Rmty?E9lbX7!)j7I!vUS3Y9R$4zg~#%^3?x+j0))tx6F zy=iH2kZ3c=)ns81ykwKEI{QEK<Mb;De|lyuczfibn@-@;-wb_kZDp(0rUYG?D7-4r zc%jvd#*H6cjO!}D2mh*U>($XX^_}hIkLbrA(?a@XB&ON@JD#_D+9aXr{!(qWTiu(! z+1LHhmoQB1u(P?d!guMD1F4T!eYm-;AhS<4U+#$S{T*(`*}KhT`j)<Qns-gFa#o4Z z)8j8U+5{|*vA#V!n0?`9=bw(npS903Up0CCz2e`+@((Y!Rc)F7zU4L7my&M}FR%R? 
znCtVYpa1{m%Mt&lueI3rU&ZS7u7_zcU%o9V$oZeSTTH#>^M#4iGmihc&Afi`(>ttR zVqP5G6&n5V`P2NUtsPT@%>VrrS^M*0{y%HGnp%0Qs9g`zj9$F-dU)lcT26F1!+Dz> za`rR+&X_iR&d!28W&eu%_jL1Ld*hy;E?;H+`@_N2zds(zH$OU=ab5OQi?a_MO^z<V z>0x@T`DgcPmOC>x{&DpCH2ucv<Z6FcCxP2$b#A;5V;d*CpMUt|VzGGny!D)E|EGK2 z@==uEv(5bZAEs6P`zoG??Acl6o^bj674zhuch7(GXJ-8IXm0R^cPHOw*t`q<`?X}* zhxXs`=ieHx){I)CD7$90&5>(cR~abJ*gD_Pf9b54?USr#_o_T8tlz%rl+vBwyVtYD ztZv!!<Fm)|dmk4|8@~C}xbgYl$D3Niq&Z*Sywn~S(X{gOx)<O72HTnKS7?;CuVg>P zE_PgQ{|ol(x5_WrP2Cw(Zuqd>eb((@o@=kRSzPsct}M#r|Nfumwl#PAYvr#ke7JdY zM&_G_*=2zdQ4J3lvnRdUQ~2YR{dvcy7mD6;))aiTPkhhrURZLUbIv;Z_bbi97c4N4 zZ*B{J@ay)vu6fV%RiCz2)Lj1i<NH(T4XJPIOy+00du|e#yiUINc6|l2TAVePzkakd zw}<B@fz$tzIm_~`x_s;J_B!vjbN7DCx}@4zB4A3t_o~wcFGZUT%5E*4@#&~x)xIE( zn5v@+f65M*e|Ys+KH<By`-MvtjIFB725DZV&+ePD3a^*%G_AiOm0EU2QYHCHhRa!| zgwy-C2i3j&);b}G?R8Wmvyai;lOM0I-}R~O;Wf#I&8u$Y7;8x#FWLV6;gy4F=kHuB z6?sw4*|WQ@V#@8a+h)xQR8H2GS*EGB`CG^=&LriHYj~Lj4%NvTeUC{I;&3*a|LZJw z;7j8rpV}%v8)OuSUfa86TAF=^dPUjAImR|WY;RvVw`#7JX6WXdYAdc@@=S3m=UOzS zY-`f)zPIHy50uWes@h9<a$MfnzvNn5T=?gdvtC6hGxZPDFtnbC3SF@>Dzj60W$|I2 zvbl{<w?&mWMV>Y}Z^?d%<)=f-<lV>DWGTB&TeW>gyW6qQwJV<#PMedMViB|L5?}We z_p}|84C5L&lkNz08gVNss2-5yzAG;&rpJE$X=KRCOy%FslaEfR$+)~p!au>F`oC*R zaL&?pDT%_+ylE;M%lc+Um}x)uN%*VC#<-#DNQZH7;WojWk36`W7wBGmzTRZ=tFteJ z*9J43l{WOYOA3*@d#Scc##J?VWrb#A$oko_YcH`M4y(@!Zok>E^@jJXmcF$r0s9>p zHs5l+v|Rkw@AEpDPbWOH66?{)In>c&)c)|zMYEJ3rLw+v94AWZ`3!<>CAZ9dyXCfP zd{Aic<&R}MG6n6|O)N<}@-OhXa`eH%n8?MPLX7%lM>eTe%DgnL5a!LVOOAeLacRv> zLCGy!w{KHFt$k|mR>9t*0ZoT=+F6+c`17rw9-m&dcIBs>W_E{`=b75iE|@OO*e|?3 zB>E|v%hF%n8QV<D7Ovf>eMi05RHpVpt3W}kcUIh;1>cU|(mQ0j;zix`IqEIaA}%}s zS@4GYK1jIjU+4epsdQMh_;w}T&DJ(2ySTP&-*)(|BlGz!i?=Oa>-=8lBvXLo_k#<n zX1+dtVO4c$ALpX9bteub94ya0X%>6bT}*WG>U$o0IW!|&`*;L+ReGo0J+2eI#CJ!+ zYVE1VCKN<HTy{*4EBPC*`I&Frnwy%%4EK~xjhg49WN$Aon=4ze`=ep`?tt63?g-s- z+7K}J*q?@^nk`Ow^RG>w)S&UA!u|h>gsW!ED`r##PLBE-`|7#ZW2?lIwvunNrGIAk z9KU`{S<2y}%lZ=6Eio5u?wLLdFWp;hFunAW6KC4_f48S?UnTicv|z6FWsdFKTkpI* 
zI%_ho`b5v=TT7=G_ysdCFrNag1(=g!;k@SS%Ztw&(q~C6V_6XOMre}Y%1H;A5~Mmd zcrV-1s%YYpc#&N>PjeARz_O52FQ&{obhc>CEav09*DFL`ZT5br7-4dWuSax?gz0RL zCkxY_Xq1$fF8)}ed`E80qtoWPw)e{UR=?uE&R(V}q4Ct<?#+h`<xbWsbYs2ULoF}1 zE_K%A56@j3mmwkVw0W{n2j7c@WfLUthnB@2>(Ravvi!oe%q5StR+wb-H*0QPr}*~L z3W4w6XLm1%JZQ4i=$M_~o>y8=_)ob1omln7H1X=ETT9={FkD(2QI_$3;<j(s%FfR$ zN?j5$<5I~LKelsyi@u#XxMp9})JY91tnN=;D6IWx^(i0EsS^TsYb^BafBsO&R3dPt z5tl;j=83l~J||8%Cc(2R>!k#5((JVx7n}*&Cz!15-Xqm%n0$QU-mS8w>{7Qbt&L#& z(Ve>g{)TmbcO8tkx~+OkEHpmqt+;&krR91DWS8mgUiYcpk>y~oV6Z~28l&<Fq4yWA z2dC(KiBP_$vtrAuSEe&`PZ=?{ZSh!o=IH~Ey#^LRAK&_K&a5@y5zU#pO~PM<P1mbm z*04w=Ev8!6=%vZFz1w-k`%?e?G=HyCtIr_BU?v~^{p6Qbm8NTDeZ%?pZn>rXd4gQS zor}}AFOAF25SNUM47FE_h?up?H90X;_lO9aY`es{&{sYEYOLEhf411|EpeF|m7_A3 z%e6Qm$Ly-=@zp<!qPb3)Jvy^VAX~|vKiqep)Z}G8j;r*0-_G8?aOt}2tB32Oe|eX# za$f)WUSsKcUwNDL%eHQQ`6?w<h?$G6<u!x%dbg0m^|z#E#l&-7Wr>>Y<r2O5#%_by z6_fQ!vo93}c{%@<D4XcFAfY&_<!E!Sj*8l%W}jSR$;p{PTiP3aeu!rX&7R&Rli;;r z#S)3+V||C$+}v!qV-?riwQq0ieX49C`!)i+6hYeZkJ6t<*QVM_1@xvStM_{L$ruZD z?%8vIuj*>q$C*mGzKJjH>wdO*v8|!K%=p3FKTq!@bN6qV5t22Z*^DD-a^B0`Pa5y? z-CHWS-RsfG(+g&F+u6u@I?L&b^4+w#vO}k>RYXHi&n>W!Q-V3DHq%6A?eT?s-EUR- zKl&G+AF)g7=I1jHza8k+c7GC@5LsB7baKKg#T8Ovt(#ILySlnJEn_S$Z2CJhMEP}s zuBTi2(W^NIDeChk?sW^XHa#7cRrs0jmQiWp>5`*MgLYf*E?l^nxp%o#;kPT1C38=% z@!Fnn^V6-R$0s)b>14g4d1R4`rr1+eL-GGR|JL8W^mfJBl7!ydy{3f>tKR-+Xtp(+ Uyhp8IHE2nYr>mdKI;Vst0QzL@jsO4v literal 0 HcmV?d00001 diff --git a/modules/InfoCard/www/tokenservice.php b/modules/InfoCard/www/tokenservice.php new file mode 100644 index 000000000..3c076dfaf --- /dev/null +++ b/modules/InfoCard/www/tokenservice.php 
@@ -0,0 +1,139 @@
+<?php
+
+/*
+* AUTHOR: Samuel Muñoz Hidalgo
+* EMAIL: samuel.mh@gmail.com
+* LAST REVISION: 13-FEB-09
+* DESCRIPTION: Web interface for the token generator
+*/
+
+
+//Borrowed from xlmseclibs, TEMPORAL
+function decryptMcrypt($data,$key) {
+ $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
+ $iv_length = mcrypt_enc_get_iv_size($td);
+
+ $iv = substr($data, 0, $iv_length);
+ $data = substr($data, $iv_length);
+
+ mcrypt_generic_init($td, $key, $iv);
+ $decrypted_data = mdecrypt_generic($td, $data);
+ mcrypt_generic_deinit($td);
+ mcrypt_module_close($td);
+
+ $dataLen = strlen($decrypted_data);
+ $paddingLength = substr($decrypted_data, $dataLen - 1, 1);
+ $decrypted_data = substr($decrypted_data, 0, $dataLen - ord($paddingLength));
+
+ return $decrypted_data;
+}
+
+
+
+//Input: self issued saml token
+//Returns ppid coded in base 64
+ function getppid($samlToken){
+ $token = new DOMDocument();
+ $token->loadXML($samlToken);
+ $doc = $token->documentElement;
+ return($doc->getElementsByTagname('AttributeValue')->item(0)->nodeValue);
+}
+
+
+// grab the important parts of the token request. these are the username,
+// password, and cardid.
+
+Header('Content-Type: application/soap+xml;charset=utf-8');
+
+$config = SimpleSAML_Configuration::getInstance();
+SimpleSAML_Logger::debug('Tokenservice');
+
+$token = new DOMDocument();
+$token->loadXML($HTTP_RAW_POST_DATA);
+$doc = $token->documentElement;
+
+$cardId = $doc->getElementsByTagname('CardId')->item(0)->nodeValue;
+
+$authenticated = false;
+
+
+$autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php');
+$ICconfig['UserCredential'] = $autoconfig->getValue('UserCredential');
+$debugDir = $autoconfig->getValue('debugDir');
+
+
+SimpleSAML_Logger::debug('USERCREDENTIAL: '.$ICconfig['UserCredential']);
+switch($ICconfig['UserCredential']){
+ case "UsernamePasswordCredential":
+ $username = $doc->getElementsByTagname('Username')->item(0)->nodeValue;
+ $password = $doc->getElementsByTagname('Password')->item(0)->nodeValue;
+ if (sspmod_InfoCard_UserFunctions::validateUser(array('username'=>$username,'password'=>$password),$ICconfig['UserCredential'])){
+ $authenticated = true;
+ }
+ break;
+ case "KerberosV5Credential":
+ break;
+ case "X509V3Credential":
+ break;
+ case "SelfIssuedCredential":
+ //Obtener clave simétrica
+ $encKey = base64_decode($doc->getElementsByTagname('CipherValue')->item(0)->nodeValue);
+ $sts_key = $autoconfig->getValue('sts_key');
+ $privkey = openssl_pkey_get_private(file_get_contents($sts_key));
+ $key=NULL;
+ openssl_private_decrypt($encKey,$key,$privkey,OPENSSL_PKCS1_OAEP_PADDING);
+ openssl_free_key($privkey);
+
+ //Recuperar información
+ $encSamlToken = base64_decode($doc->getElementsByTagname('CipherValue')->item(1)->nodeValue);
+ $samlToken=decryptMcrypt($encSamlToken,$key);
+ SimpleSAML_Logger::debug('$samlToken'.$samlToken);
+ $ppid=getppid($samlToken);
+ SimpleSAML_Logger::debug('PPID: '.$ppid);
+
+ if (sspmod_InfoCard_UserFunctions::validateUser(array('PPID'=>$ppid),$ICconfig['UserCredential'])){
+ $authenticated = true;
+ }
+ break;
+ default:
+ break;
+}
+
+
+$messageid = $doc->getElementsByTagname('MessageID')->item(0)->nodeValue;
+
+if ($authenticated){
+ $ICconfig['InfoCard'] = $autoconfig->getValue('InfoCard');
+ $ICconfig['issuer'] = $autoconfig->getValue('issuer');
+ $ICconfig['sts_crt'] = $autoconfig->getValue('sts_crt');
+ $ICconfig['sts_key'] = $autoconfig->getValue('sts_key');
+
+ $requiredClaims = sspmod_InfoCard_Utils::extractClaims($ICconfig['InfoCard']['schema'], $doc->getElementsByTagname('ClaimType'));
+ $claimValues = sspmod_InfoCard_UserFunctions::fillClaims($username, $ICconfig['InfoCard']['requiredClaims'], $ICconfig['InfoCard']['optionalClaims'],$requiredClaims);
+
+ $response = sspmod_InfoCard_STS::createToken($claimValues,$ICconfig,$messageid);
+
+
+}else{
+ $response = sspmod_InfoCard_STS::errorMessage('Wrong Credentials',$messageid);
+}
+
+
+Header('Content-length: '.strlen($buf)+1);
+print($response);
+
+//LOG
+if ($debugDir!=null){
+ $handle=fopen($debugDir.'/'.$messageid.".log","w");
+ fwrite($handle," ------ InfoCard simpleSAMLphp Module LOG ------\n\n");
+ fwrite($handle,"-- TIME: ".gmdate('Y-m-d').' '.gmdate('H:i:s')."\n");
+ fwrite($handle,"-- MESSAGE ID: ".$messageid."\n\n\n");
+ fwrite($handle,"-- RST\n");
+ fwrite($handle,$HTTP_RAW_POST_DATA);
+ fwrite($handle,"\n\n\n-- RSTR\n");
+ fwrite($handle,$response);
+ fclose($handle);
+}
+
+
+?>
\ No newline at end of file
--
GitLab
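Review bot: The debug log path `$debugDir.'/'.$messageid.".log"` uses `$messageid` exactly as it arrived in the request's MessageID, so a value containing path separators is not confined to `$debugDir`, and the file written there contains the raw RST, which in the `UsernamePasswordCredential` case carries the cleartext password. Derive the file name from a sanitized value, e.g. `$logName = preg_replace('/[^A-Za-z0-9:._-]/', '_', $messageid);` and use `$logName` in the `fopen` call; writing the raw request to disk at all should stay an explicit opt-in given what it contains. `Header('Content-length: '.strlen($buf)+1);` references `$buf`, which is never assigned in this file (the body is in `$response`), and the `+1` matches nothing that is printed; `Header('Content-length: '.strlen($response));` is what the `print($response)` below sends. In the `SelfIssuedCredential` path `$username` is never assigned, so `fillClaims($username, ...)` receives an undefined variable, and every `getElementsByTagname(...)->item(0)->nodeValue` here dereferences without a null check, so a request missing one of those elements ends in a fatal error instead of the `errorMessage` response.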