From 8a2890fad856dfc90a96222c51062a8144abf7f8 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Mon, 7 Mar 2011 13:24:27 +0000
Subject: [PATCH] SAML_Assertion: Support encryption of NameID.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2747 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SAML2/Assertion.php | 40 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/lib/SAML2/Assertion.php b/lib/SAML2/Assertion.php
index 11a5434d5..b35e5d6c2 100644
--- a/lib/SAML2/Assertion.php
+++ b/lib/SAML2/Assertion.php
@@ -611,6 +611,36 @@ class SAML2_Assertion implements SAML2_SignedElement {
 	}
 
 
+	/**
+	 * Encrypt the NameID in the Assertion.
+	 *
+	 * @param XMLSecurityKey $key  The encryption key.
+	 */
+	public function encryptNameId(XMLSecurityKey $key) {
+
+		/* First create a XML representation of the NameID. */
+		$doc = new DOMDocument();
+		$root = $doc->createElement('root');
+		$doc->appendChild($root);
+		SAML2_Utils::addNameId($root, $this->nameId);
+		$nameId = $root->firstChild;
+
+		SimpleSAML_Utilities::debugMessage($nameId, 'encrypt');
+
+		/* Encrypt the NameID. */
+		$enc = new XMLSecEnc();
+		$enc->setNode($nameId);
+		$enc->type = XMLSecEnc::Element;
+
+		$symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
+		$symmetricKey->generateSessionKey();
+		$enc->encryptKey($key, $symmetricKey);
+
+		$this->encryptedNameId = $enc->encryptNode($symmetricKey);
+		$this->nameId = NULL;
+	}
+
+
 	/**
 	 * Decrypt the NameId of the subject in the assertion.
 	 *
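Review bot: `encryptNameId()` passes `$this->nameId` to `SAML2_Utils::addNameId($root, $this->nameId)` without checking that a NameID is actually set, so calling it on an assertion with no subject, or calling it a second time (the method itself ends with `$this->nameId = NULL`), hands NULL to addNameId; a guard at the top of the method such as `if ($this->nameId === NULL) { throw new Exception('Cannot encrypt NameID: no NameID is set on the assertion.'); }` would make that failure explicit. The `SimpleSAML_Utilities::debugMessage($nameId, 'encrypt')` call writes the plaintext NameID to the debug output immediately before it is encrypted; presumably that is gated on a debug setting, but the docblock should say that the cleartext identifier is logged when debugging is enabled, since keeping it out of the clear is the point of this method. The session-key algorithm is hard-coded to `XMLSecurityKey::AES128_CBC` and nothing verifies that `$key` is a public key suitable for `encryptKey()`; document that `$key` must be the recipient's public encryption key and, if other algorithms are needed later, consider taking the algorithm as an optional parameter rather than changing the constant. The docblock should also record the side effects: on return `$this->encryptedNameId` holds the element returned by `encryptNode()` and `$this->nameId` is cleared.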
@@ -1082,7 +1112,7 @@ class SAML2_Assertion implements SAML2_SignedElement {
 	 */
 	private function addSubject(DOMElement $root) {
 
-		if ($this->nameId === NULL) {
+		if ($this->nameId === NULL && $this->encryptedNameId === NULL) {
 			/* We don't have anything to create a Subject node for. */
 			return;
 		}
@@ -1090,7 +1120,13 @@ class SAML2_Assertion implements SAML2_SignedElement {
 		$subject = $root->ownerDocument->createElementNS(SAML2_Const::NS_SAML, 'saml:Subject');
 		$root->appendChild($subject);
 
-		SAML2_Utils::addNameId($subject, $this->nameId);
+		if ($this->encryptedNameId === NULL) {
+			SAML2_Utils::addNameId($subject, $this->nameId);
+		} else {
+			$eid = $subject->ownerDocument->createElementNS(SAML2_Const::NS_SAML, 'saml:' . 'EncryptedID');
+			$subject->appendChild($eid);
+			$eid->appendChild($subject->ownerDocument->importNode($this->encryptedNameId, TRUE));
+		}
 
 		foreach ($this->SubjectConfirmation as $sc) {
 			$sc->toXML($subject);
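Review bot: `'saml:' . 'EncryptedID'` concatenates two string literals for no reason; write the element name as the single literal `'saml:EncryptedID'`, matching the `'saml:Subject'` line a few lines above. Note also that when both `$this->nameId` and `$this->encryptedNameId` are set, the new branch silently serialises only the encrypted one; `encryptNameId()` clears nameId so this cannot happen through that path, but if the two properties can be assigned independently a one-line comment such as `/* An encrypted NameID takes precedence over a plaintext one. */` would document the intended behaviour. `addSubject()` continues past the end of this hunk.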
-- 
GitLab