From ca5877545dd7601ef3230693998a7e66b3d59a70 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Mon, 22 Sep 2008 07:09:18 +0000
Subject: [PATCH] Aggregator: Add support for signing metadata.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@885 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/aggregator/config-template/aggregator.php | 13 +++++++++++++
 modules/aggregator/www/index.php                  | 15 +++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/modules/aggregator/config-template/aggregator.php b/modules/aggregator/config-template/aggregator.php
index ff5e4bf5e..772f59a2f 100644
--- a/modules/aggregator/config-template/aggregator.php
+++ b/modules/aggregator/config-template/aggregator.php
@@ -12,6 +12,19 @@ $config = array(
 		),
 	),
 
+
+	/* Whether metadata should be signed. */
+	'sign.enable' => FALSE,
+
+	/* Private key which should be used when signing the metadata. */
+	'sign.privatekey' => 'server.key',
+
+	/* Password to decrypt private key, or NULL if the private key is unencrypted. */
+	'sign.privatekey_pass' => NULL,
+
+	/* Certificate which should be included in the signature. Should correspond to the private key. */
+	'sign.certificate' => 'server.crt',
+
 );
 
 ?>
\ No newline at end of file
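Review bot: The comments on `sign.privatekey` and `sign.certificate` give bare filenames but do not say where a relative path is resolved from, so an operator cannot tell whether `server.key` is looked up in the certificate directory or relative to the web root; presumably SimpleSAML_XML_Signer resolves it against the configured cert directory — confirm and state it, e.g. `/* Private key used to sign the metadata. A relative path is resolved against the certificate directory; an absolute path is used as-is. */`. The `sign.privatekey_pass` comment could also note that the passphrase is stored in clear in this file, so the config file should be readable only by the web server user. The enclosing `$config` array starts outside the hunk.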
diff --git a/modules/aggregator/www/index.php b/modules/aggregator/www/index.php
index 92434d3e4..af4fee7d8 100644
--- a/modules/aggregator/www/index.php
+++ b/modules/aggregator/www/index.php
@@ -103,6 +103,21 @@ foreach ($entities as $entity => $sets) {
 	$entitiesDescriptor->appendChild($xml->importNode($entityDescriptor, TRUE));
 }
 
+/* Sign the metadata if enabled. */
+if ($aggregatorConfig->getBoolean('sign.enable', FALSE)) {
+	$privateKey = $aggregatorConfig->getString('sign.privatekey');
+	$privateKeyPass = $aggregatorConfig->getString('sign.privatekey_pass', NULL);
+	$certificate = $aggregatorConfig->getString('sign.certificate');
+
+	$signer = new SimpleSAML_XML_Signer(array(
+		'privatekey' => $privateKey,
+		'privatekey_pass' => $privateKeyPass,
+		'certificate' => $certificate,
+		'id' => 'ID',
+		));
+	$signer->sign($entitiesDescriptor, $entitiesDescriptor, $entitiesDescriptor->firstChild);
+}
+
 /* Show the metadata. */
 if(array_key_exists('mimetype', $_GET)) {
 	$mimeType = $_GET['mimetype'];
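Review bot: The signature is computed over `$entitiesDescriptor` at the `sign()` call, while serialization happens later, outside the hunk; any change to the document after this point (including setting `formatOutput` before `saveXML`) would invalidate the signature, so this block must stay the last modification before output, and a comment stating that, `/* Must be the last change to the document: any later modification invalidates the signature. */`, would protect the invariant. The `'id' => 'ID'` option names the attribute the signature reference binds to, but nothing in the hunk sets an `ID` attribute on `$entitiesDescriptor`; presumably the signer generates one when absent — confirm, otherwise the reference has nothing to point at. Passing `$entitiesDescriptor->firstChild` as the insertion point places ds:Signature as the first child, which is what the metadata schema requires, assuming the third argument of `sign()` is the insert-before node.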
-- 
GitLab