From 7b558e9098e9f1c9c198a00f78888c4d88262a04 Mon Sep 17 00:00:00 2001
From: Dan Tsosie <dtsosie@godaddy.com>
Date: Fri, 5 Sep 2014 14:41:01 -0700
Subject: [PATCH] Add support for signature.privatekey for saml-sp-remote

---
 docs/simplesamlphp-reference-sp-remote.txt |  8 ++++++++
 modules/saml/lib/Message.php               | 12 ++++++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/docs/simplesamlphp-reference-sp-remote.txt b/docs/simplesamlphp-reference-sp-remote.txt
index bb012079d..6d9d82d0c 100644
--- a/docs/simplesamlphp-reference-sp-remote.txt
+++ b/docs/simplesamlphp-reference-sp-remote.txt
@@ -249,6 +249,14 @@ The following SAML 2.0 options are available:
     * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384`
     * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512`
 
+`signature.privatekey`
+:   Name of private key file for this IdP, in PEM format. The filename is relative to the cert/-directory.
+:   Note that this option also exists in the IdP-hosted metadata. This entry in the SP-remote metadata overrides the option `privatekey` in the IdP-hosted metadata.
+
+`signature.privatekey_pass`
+:   Passphrase for the private key. Leave this option out if the private key is unencrypted.
+:   Note that this option only is used if `signature.privatekey` is present.
+
 `simplesaml.nameidattribute`
 :   When the value of the `NameIDFormat`-option is set to either
     `email` or `persistent`, this is the name of the attribute which
diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index 62731a7b0..0a1a7eae2 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -18,8 +18,16 @@ class sspmod_saml_Message {
 	 */
 	public static function addSign(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, SAML2_SignedElement $element) {
 
-		$keyArray = SimpleSAML_Utilities::loadPrivateKey($srcMetadata, TRUE);
-		$certArray = SimpleSAML_Utilities::loadPublicKey($srcMetadata, FALSE);
+		$dstPrivateKey = $dstMetadata->getString('signature.privatekey', NULL);
+
+		if($dstPrivateKey !== NULL) {
+			$keyArray = SimpleSAML_Utilities::loadPrivateKey($dstMetadata, TRUE, 'signature.');
+			$certArray = SimpleSAML_Utilities::loadPublicKey($dstMetadata, FALSE, 'signature.');
+		}
+		else {
+			$keyArray = SimpleSAML_Utilities::loadPrivateKey($srcMetadata, TRUE);
+			$certArray = SimpleSAML_Utilities::loadPublicKey($srcMetadata, FALSE);
+		}
 
 		$algo = $dstMetadata->getString('signature.algorithm', NULL);
 		if ($algo === NULL) {
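Review bot: The override branch's `loadPublicKey($dstMetadata, FALSE, 'signature.')` reads a prefixed certificate option from the SP-remote entry, but the docs hunk documents only `signature.privatekey` and `signature.privatekey_pass`, so whichever certificate key that prefix resolves to (presumably `signature.certificate`/`signature.certData`; confirm in SimpleSAML_Utilities) is undocumented. An operator who sets just the private key will therefore get a NULL `$certArray` and, if the rest of addSign embeds it in KeyInfo as the original code path suggests, a signature carrying no certificate while the IdP's published metadata still advertises the default key; document the certificate option next to the key, and consider `loadPublicKey($dstMetadata, TRUE, 'signature.')` so a key override without its certificate fails loudly instead of producing signatures SPs cannot match. Since the signing key path is now taken from per-SP metadata, also confirm that no semi-trusted metadata source (e.g. automatically refreshed federation feeds) can populate `signature.privatekey`, as it selects which file under cert/ signs responses to that SP. Style: `if($dstPrivateKey !== NULL) {` and the detached `else` on its own line do not match the file's `if ($algo === NULL) {` form; write `if ($dstPrivateKey !== NULL) {` and `} else {`. addSign's body continues past the end of the hunk.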
-- 
GitLab