| Total Complexity | 94 | 
| Total Lines | 735 | 
| Duplicated Lines | 0 % | 
| Changes | 0 | ||
Complex classes like Utils often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes.
Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.
While breaking up the class, it is a good idea to analyze how other classes use Utils, and based on these observations, apply Extract Interface, too.
| 1 | <?php | ||
| 20 | class Utils | ||
| 21 | { | ||
| 22 | /** | ||
| 23 | * Check the Signature in a XML element. | ||
| 24 | * | ||
| 25 | * This function expects the XML element to contain a Signature-element | ||
| 26 | * which contains a reference to the XML-element. This is common for both | ||
| 27 | * messages and assertions. | ||
| 28 | * | ||
| 29 | * Note that this function only validates the element itself. It does not | ||
| 30 | * check this against any local keys. | ||
| 31 | * | ||
| 32 | * If no Signature-element is located, this function will return false. All | ||
| 33 | * other validation errors result in an exception. On successful validation | ||
| 34 | * an array will be returned. This array contains the information required to | ||
| 35 | * check the signature against a public key. | ||
| 36 | * | ||
| 37 | * @param \DOMElement $root The element which should be validated. | ||
| 38 | * @return array|bool An array with information about the Signature-element. | ||
| 39 | * @throws \Exception | ||
| 40 | */ | ||
| 41 | public static function validateElement(\DOMElement $root) | ||
| 42 |     { | ||
| 43 | /* Create an XML security object. */ | ||
| 44 | $objXMLSecDSig = new XMLSecurityDSig(); | ||
| 45 | |||
| 46 | /* Both SAML messages and SAML assertions use the 'ID' attribute. */ | ||
| 47 | $objXMLSecDSig->idKeys[] = 'ID'; | ||
| 48 | |||
| 49 | /* Locate the XMLDSig Signature element to be used. */ | ||
| 50 | $signatureElement = self::xpQuery($root, './ds:Signature'); | ||
| 51 |         if (count($signatureElement) === 0) { | ||
| 52 | /* We don't have a signature element ot validate. */ | ||
| 53 | |||
| 54 | return false; | ||
| 55 |         } elseif (count($signatureElement) > 1) { | ||
| 56 |             throw new \Exception('XMLSec: more than one signature element in root.'); | ||
| 57 | } | ||
| 58 | $signatureElement = $signatureElement[0]; | ||
| 59 | $objXMLSecDSig->sigNode = $signatureElement; | ||
| 60 | |||
| 61 | /* Canonicalize the XMLDSig SignedInfo element in the message. */ | ||
| 62 | $objXMLSecDSig->canonicalizeSignedInfo(); | ||
| 63 | |||
| 64 | /* Validate referenced xml nodes. */ | ||
| 65 |         if (!$objXMLSecDSig->validateReference()) { | ||
| 66 |             throw new \Exception('XMLsec: digest validation failed'); | ||
| 67 | } | ||
| 68 | |||
| 69 | /* Check that $root is one of the signed nodes. */ | ||
| 70 | $rootSigned = false; | ||
| 71 | /** @var \DOMNode $signedNode */ | ||
| 72 |         foreach ($objXMLSecDSig->getValidatedNodes() as $signedNode) { | ||
| 73 |             if ($signedNode->isSameNode($root)) { | ||
| 74 | $rootSigned = true; | ||
| 75 | break; | ||
| 76 |             } elseif ($root->parentNode instanceof \DOMDocument && $signedNode->isSameNode($root->ownerDocument)) { | ||
| 77 | /* $root is the root element of a signed document. */ | ||
| 78 | $rootSigned = true; | ||
| 79 | break; | ||
| 80 | } | ||
| 81 | } | ||
| 82 |         if (!$rootSigned) { | ||
| 83 |             throw new \Exception('XMLSec: The root element is not signed.'); | ||
| 84 | } | ||
| 85 | |||
| 86 | /* Now we extract all available X509 certificates in the signature element. */ | ||
| 87 | $certificates = []; | ||
| 88 |         foreach (self::xpQuery($signatureElement, './ds:KeyInfo/ds:X509Data/ds:X509Certificate') as $certNode) { | ||
| 89 | $certData = trim($certNode->textContent); | ||
| 90 | $certData = str_replace(["\r", "\n", "\t", ' '], '', $certData); | ||
| 91 | $certificates[] = $certData; | ||
| 92 | } | ||
| 93 | |||
| 94 | $ret = [ | ||
| 95 | 'Signature' => $objXMLSecDSig, | ||
| 96 | 'Certificates' => $certificates, | ||
| 97 | ]; | ||
| 98 | |||
| 99 | return $ret; | ||
| 100 | } | ||
| 101 | |||
| 102 | |||
| 103 | /** | ||
| 104 | * Helper function to convert a XMLSecurityKey to the correct algorithm. | ||
| 105 | * | ||
| 106 | * @param XMLSecurityKey $key The key. | ||
| 107 | * @param string $algorithm The desired algorithm. | ||
| 108 | * @param string $type Public or private key, defaults to public. | ||
| 109 | * @return XMLSecurityKey The new key. | ||
| 110 | * @throws \Exception | ||
| 111 | */ | ||
| 112 | public static function castKey(XMLSecurityKey $key, $algorithm, $type = 'public') | ||
| 113 |     { | ||
| 114 | assert(is_string($algorithm)); | ||
| 115 | assert($type === "public" || $type === "private"); | ||
| 116 | |||
| 117 | // do nothing if algorithm is already the type of the key | ||
| 118 |         if ($key->type === $algorithm) { | ||
| 119 | return $key; | ||
| 120 | } | ||
| 121 | |||
| 122 | if (!in_array($algorithm, [ | ||
| 123 | XMLSecurityKey::RSA_1_5, | ||
| 124 | XMLSecurityKey::RSA_SHA1, | ||
| 125 | XMLSecurityKey::RSA_SHA256, | ||
| 126 | XMLSecurityKey::RSA_SHA384, | ||
| 127 | XMLSecurityKey::RSA_SHA512 | ||
| 128 |         ], true)) { | ||
| 129 |             throw new \Exception('Unsupported signing algorithm.'); | ||
| 130 | } | ||
| 131 | |||
| 132 | $keyInfo = openssl_pkey_get_details($key->key); | ||
| 133 |         if ($keyInfo === false) { | ||
| 134 |             throw new \Exception('Unable to get key details from XMLSecurityKey.'); | ||
| 135 | } | ||
| 136 |         if (!isset($keyInfo['key'])) { | ||
| 137 |             throw new \Exception('Missing key in public key details.'); | ||
| 138 | } | ||
| 139 | |||
| 140 | $newKey = new XMLSecurityKey($algorithm, ['type' => $type]); | ||
| 141 | $newKey->loadKey($keyInfo['key']); | ||
| 142 | |||
| 143 | return $newKey; | ||
| 144 | } | ||
| 145 | |||
| 146 | |||
| 147 | /** | ||
| 148 | * Check a signature against a key. | ||
| 149 | * | ||
| 150 | * An exception is thrown if we are unable to validate the signature. | ||
| 151 | * | ||
| 152 | * @param array $info The information returned by the validateElement()-function. | ||
| 153 | * @param XMLSecurityKey $key The publickey that should validate the Signature object. | ||
| 154 | * @throws \Exception | ||
| 155 | */ | ||
| 156 | public static function validateSignature(array $info, XMLSecurityKey $key) | ||
| 157 |     { | ||
| 158 |         assert(array_key_exists("Signature", $info)); | ||
| 159 | |||
| 160 | /** @var XMLSecurityDSig $objXMLSecDSig */ | ||
| 161 | $objXMLSecDSig = $info['Signature']; | ||
| 162 | |||
| 163 | $sigMethod = self::xpQuery($objXMLSecDSig->sigNode, './ds:SignedInfo/ds:SignatureMethod'); | ||
| 164 |         if (empty($sigMethod)) { | ||
| 165 |             throw new \Exception('Missing SignatureMethod element.'); | ||
| 166 | } | ||
| 167 | $sigMethod = $sigMethod[0]; | ||
| 168 |         if (!$sigMethod->hasAttribute('Algorithm')) { | ||
| 169 |             throw new \Exception('Missing Algorithm-attribute on SignatureMethod element.'); | ||
| 170 | } | ||
| 171 |         $algo = $sigMethod->getAttribute('Algorithm'); | ||
| 172 | |||
| 173 |         if ($key->type === XMLSecurityKey::RSA_SHA256 && $algo !== $key->type) { | ||
| 174 | $key = self::castKey($key, $algo); | ||
| 175 | } | ||
| 176 | |||
| 177 | /* Check the signature. */ | ||
| 178 |         if ($objXMLSecDSig->verify($key) !== 1) { | ||
| 179 |             throw new \Exception("Unable to validate Signature"); | ||
| 180 | } | ||
| 181 | } | ||
| 182 | |||
| 183 | |||
| 184 | /** | ||
| 185 | * Do an XPath query on an XML node. | ||
| 186 | * | ||
| 187 | * @param \DOMNode $node The XML node. | ||
| 188 | * @param string $query The query. | ||
| 189 | * @return \DOMElement[] Array with matching DOM nodes. | ||
| 190 | */ | ||
| 191 | public static function xpQuery(\DOMNode $node, $query) | ||
| 192 |     { | ||
| 193 | assert(is_string($query)); | ||
| 194 | static $xpCache = null; | ||
| 195 | |||
| 196 |         if ($node instanceof \DOMDocument) { | ||
| 197 | $doc = $node; | ||
| 198 |         } else { | ||
| 199 | $doc = $node->ownerDocument; | ||
| 200 | } | ||
| 201 | |||
| 202 |         if ($xpCache === null || !$xpCache->document->isSameNode($doc)) { | ||
| 203 | $xpCache = new \DOMXPath($doc); | ||
| 204 |             $xpCache->registerNamespace('soap-env', Constants::NS_SOAP); | ||
| 205 |             $xpCache->registerNamespace('saml_protocol', Constants::NS_SAMLP); | ||
| 206 |             $xpCache->registerNamespace('saml_assertion', Constants::NS_SAML); | ||
| 207 |             $xpCache->registerNamespace('saml_metadata', Constants::NS_MD); | ||
| 208 |             $xpCache->registerNamespace('ds', XMLSecurityDSig::XMLDSIGNS); | ||
| 209 |             $xpCache->registerNamespace('xenc', XMLSecEnc::XMLENCNS); | ||
| 210 | } | ||
| 211 | |||
| 212 | $results = $xpCache->query($query, $node); | ||
| 213 | $ret = []; | ||
| 214 |         for ($i = 0; $i < $results->length; $i++) { | ||
| 215 | $ret[$i] = $results->item($i); | ||
| 216 | } | ||
| 217 | |||
| 218 | return $ret; | ||
| 219 | } | ||
| 220 | |||
| 221 | |||
| 222 | /** | ||
| 223 | * Make an exact copy the specific \DOMElement. | ||
| 224 | * | ||
| 225 | * @param \DOMElement $element The element we should copy. | ||
| 226 | * @param \DOMElement|null $parent The target parent element. | ||
| 227 | * @return \DOMElement The copied element. | ||
| 228 | */ | ||
| 229 | public static function copyElement(\DOMElement $element, \DOMElement $parent = null) | ||
| 230 |     { | ||
| 231 |         if ($parent === null) { | ||
| 232 | $document = DOMDocumentFactory::create(); | ||
| 233 |         } else { | ||
| 234 | $document = $parent->ownerDocument; | ||
| 235 | } | ||
| 236 | |||
| 237 | $namespaces = []; | ||
| 238 |         for ($e = $element; $e !== null; $e = $e->parentNode) { | ||
| 239 |             foreach (Utils::xpQuery($e, './namespace::*') as $ns) { | ||
| 240 | $prefix = $ns->localName; | ||
| 241 |                 if ($prefix === 'xml' || $prefix === 'xmlns') { | ||
| 242 | continue; | ||
| 243 | } | ||
| 244 | $uri = $ns->nodeValue; | ||
| 245 |                 if (!isset($namespaces[$prefix])) { | ||
| 246 | $namespaces[$prefix] = $uri; | ||
| 247 | } | ||
| 248 | } | ||
| 249 | } | ||
| 250 | |||
| 251 | /** @var \DOMElement $newElement */ | ||
| 252 | $newElement = $document->importNode($element, true); | ||
| 253 |         if ($parent !== null) { | ||
| 254 | /* We need to append the child to the parent before we add the namespaces. */ | ||
| 255 | $parent->appendChild($newElement); | ||
| 256 | } | ||
| 257 | |||
| 258 |         foreach ($namespaces as $prefix => $uri) { | ||
| 259 | $newElement->setAttributeNS($uri, $prefix.':__ns_workaround__', 'tmp'); | ||
| 260 | $newElement->removeAttributeNS($uri, '__ns_workaround__'); | ||
| 261 | } | ||
| 262 | |||
| 263 | return $newElement; | ||
| 264 | } | ||
| 265 | |||
| 266 | |||
| 267 | /** | ||
| 268 | * Parse a boolean attribute. | ||
| 269 | * | ||
| 270 | * @param \DOMElement $node The element we should fetch the attribute from. | ||
| 271 | * @param string $attributeName The name of the attribute. | ||
| 272 | * @param mixed $default The value that should be returned if the attribute doesn't exist. | ||
| 273 | * @return bool|mixed The value of the attribute, or $default if the attribute doesn't exist. | ||
| 274 | * @throws \Exception | ||
| 275 | */ | ||
| 276 | public static function parseBoolean(\DOMElement $node, $attributeName, $default = null) | ||
| 277 |     { | ||
| 278 | assert(is_string($attributeName)); | ||
| 279 | |||
| 280 |         if (!$node->hasAttribute($attributeName)) { | ||
| 281 | return $default; | ||
| 282 | } | ||
| 283 | $value = $node->getAttribute($attributeName); | ||
| 284 |         switch (strtolower($value)) { | ||
| 285 | case '0': | ||
| 286 | case 'false': | ||
| 287 | return false; | ||
| 288 | case '1': | ||
| 289 | case 'true': | ||
| 290 | return true; | ||
| 291 | default: | ||
| 292 |                 throw new \Exception('Invalid value of boolean attribute '.var_export($attributeName, true).': '.var_export($value, true)); | ||
| 293 | } | ||
| 294 | } | ||
| 295 | |||
| 296 | |||
| 297 | /** | ||
| 298 | * Create a NameID element. | ||
| 299 | * | ||
| 300 | * The NameId array can have the following elements: 'Value', 'Format', | ||
| 301 | * 'NameQualifier, 'SPNameQualifier' and 'SPProviderID'. | ||
| 302 | * | ||
| 303 | * Only the 'Value'-element is required. | ||
| 304 | * | ||
| 305 | * @param \DOMElement $node The DOM node we should append the NameId to. | ||
| 306 | * @param array $nameId The name identifier. | ||
| 307 | * | ||
| 308 | * @deprecated Please use \SAML2\XML\saml\NameID objects instead: | ||
| 309 | * $nameId = new \SAML2\XML\saml\NameID(); | ||
| 310 | * $nameId->value = $value; | ||
| 311 | * ... | ||
| 312 | * $nameId->toXML($node); | ||
| 313 | */ | ||
| 314 | public static function addNameId(\DOMElement $node, array $nameId) | ||
| 315 |     { | ||
| 316 |         assert(array_key_exists("Value", $nameId)); | ||
| 317 | |||
| 318 | $nid = new XML\saml\NameID(); | ||
| 319 | |||
| 320 | $nid->value = $nameId['Value']; | ||
| 321 | |||
| 322 |         if (array_key_exists('NameQualifier', $nameId) && $nameId['NameQualifier'] !== null) { | ||
| 323 | $nid->setNameQualifier($nameId['NameQualifier']); | ||
| 324 | } | ||
| 325 |         if (array_key_exists('SPNameQualifier', $nameId) && $nameId['SPNameQualifier'] !== null) { | ||
| 326 | $nid->setSPNameQualifier($nameId['SPNameQualifier']); | ||
| 327 | } | ||
| 328 |         if (array_key_exists('Format', $nameId) && $nameId['Format'] !== null) { | ||
| 329 | $nid->setFormat($nameId['Format']); | ||
| 330 | } | ||
| 331 | |||
| 332 | $nid->toXML($node); | ||
| 333 | } | ||
| 334 | |||
| 335 | /** | ||
| 336 | * Parse a NameID element. | ||
| 337 | * | ||
| 338 | * @param \DOMElement $xml The DOM element we should parse. | ||
| 339 | * @return array The parsed name identifier. | ||
| 340 | * @deprecated Please use \SAML2\XML\saml\NameID objects instead: | ||
| 341 | * $nameId = new \SAML2\XML\saml\NameID($xml); | ||
| 342 | */ | ||
| 343 | public static function parseNameId(\DOMElement $xml) | ||
| 344 |     { | ||
| 345 | $ret = ['Value' => trim($xml->textContent)]; | ||
| 346 | |||
| 347 |         foreach (['NameQualifier', 'SPNameQualifier', 'SPProvidedID', 'Format'] as $attr) { | ||
| 348 |             if ($xml->hasAttribute($attr)) { | ||
| 349 | $ret[$attr] = $xml->getAttribute($attr); | ||
| 350 | } | ||
| 351 | } | ||
| 352 | |||
| 353 | return $ret; | ||
| 354 | } | ||
| 355 | |||
| 356 | /** | ||
| 357 | * Insert a Signature-node. | ||
| 358 | * | ||
| 359 | * @param XMLSecurityKey $key The key we should use to sign the message. | ||
| 360 | * @param array $certificates The certificates we should add to the signature node. | ||
| 361 | * @param \DOMElement $root The XML node we should sign. | ||
| 362 | * @param \DOMNode $insertBefore The XML element we should insert the signature element before. | ||
| 363 | */ | ||
| 364 | public static function insertSignature( | ||
| 365 | XMLSecurityKey $key, | ||
| 366 | array $certificates, | ||
| 367 | \DOMElement $root, | ||
| 368 | \DOMNode $insertBefore = null | ||
| 369 |     ) { | ||
| 370 | $objXMLSecDSig = new XMLSecurityDSig(); | ||
| 371 | $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N); | ||
| 372 | |||
| 373 |         switch ($key->type) { | ||
| 374 | case XMLSecurityKey::RSA_SHA256: | ||
| 375 | $type = XMLSecurityDSig::SHA256; | ||
| 376 | break; | ||
| 377 | case XMLSecurityKey::RSA_SHA384: | ||
| 378 | $type = XMLSecurityDSig::SHA384; | ||
| 379 | break; | ||
| 380 | case XMLSecurityKey::RSA_SHA512: | ||
| 381 | $type = XMLSecurityDSig::SHA512; | ||
| 382 | break; | ||
| 383 | default: | ||
| 384 | $type = XMLSecurityDSig::SHA1; | ||
| 385 | } | ||
| 386 | |||
| 387 | $objXMLSecDSig->addReferenceList( | ||
| 388 | [$root], | ||
| 389 | $type, | ||
| 390 | ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N], | ||
| 391 | ['id_name' => 'ID', 'overwrite' => false] | ||
| 392 | ); | ||
| 393 | |||
| 394 | $objXMLSecDSig->sign($key); | ||
| 395 | |||
| 396 |         foreach ($certificates as $certificate) { | ||
| 397 | $objXMLSecDSig->add509Cert($certificate, true); | ||
| 398 | } | ||
| 399 | |||
| 400 | $objXMLSecDSig->insertSignature($root, $insertBefore); | ||
| 401 | } | ||
| 402 | |||
| 403 | /** | ||
| 404 | * Decrypt an encrypted element. | ||
| 405 | * | ||
| 406 | * This is an internal helper function. | ||
| 407 | * | ||
| 408 | * @param \DOMElement $encryptedData The encrypted data. | ||
| 409 | * @param XMLSecurityKey $inputKey The decryption key. | ||
| 410 | * @param array &$blacklist Blacklisted decryption algorithms. | ||
| 411 | * @return \DOMElement The decrypted element. | ||
| 412 | * @throws \Exception | ||
| 413 | */ | ||
| 414 | private static function doDecryptElement(\DOMElement $encryptedData, XMLSecurityKey $inputKey, array &$blacklist) | ||
| 415 |     { | ||
| 416 | $enc = new XMLSecEnc(); | ||
| 417 | |||
| 418 | $enc->setNode($encryptedData); | ||
| 419 |         $enc->type = $encryptedData->getAttribute("Type"); | ||
| 420 | |||
| 421 | $symmetricKey = $enc->locateKey($encryptedData); | ||
| 422 |         if (!$symmetricKey) { | ||
| 423 |             throw new \Exception('Could not locate key algorithm in encrypted data.'); | ||
| 424 | } | ||
| 425 | |||
| 426 | $symmetricKeyInfo = $enc->locateKeyInfo($symmetricKey); | ||
| 427 |         if (!$symmetricKeyInfo) { | ||
| 428 |             throw new \Exception('Could not locate <dsig:KeyInfo> for the encrypted key.'); | ||
| 429 | } | ||
| 430 | |||
| 431 | $inputKeyAlgo = $inputKey->getAlgorithm(); | ||
| 432 |         if ($symmetricKeyInfo->isEncrypted) { | ||
| 433 | $symKeyInfoAlgo = $symmetricKeyInfo->getAlgorithm(); | ||
| 434 | |||
| 435 |             if (in_array($symKeyInfoAlgo, $blacklist, true)) { | ||
| 436 |                 throw new \Exception('Algorithm disabled: '.var_export($symKeyInfoAlgo, true)); | ||
| 437 | } | ||
| 438 | |||
| 439 |             if ($symKeyInfoAlgo === XMLSecurityKey::RSA_OAEP_MGF1P && $inputKeyAlgo === XMLSecurityKey::RSA_1_5) { | ||
| 440 | /* | ||
| 441 | * The RSA key formats are equal, so loading an RSA_1_5 key | ||
| 442 | * into an RSA_OAEP_MGF1P key can be done without problems. | ||
| 443 | * We therefore pretend that the input key is an | ||
| 444 | * RSA_OAEP_MGF1P key. | ||
| 445 | */ | ||
| 446 | $inputKeyAlgo = XMLSecurityKey::RSA_OAEP_MGF1P; | ||
| 447 | } | ||
| 448 | |||
| 449 | /* Make sure that the input key format is the same as the one used to encrypt the key. */ | ||
| 450 |             if ($inputKeyAlgo !== $symKeyInfoAlgo) { | ||
| 451 | throw new \Exception( | ||
| 452 | 'Algorithm mismatch between input key and key used to encrypt '. | ||
| 453 | ' the symmetric key for the message. Key was: '. | ||
| 454 | var_export($inputKeyAlgo, true).'; message was: '. | ||
| 455 | var_export($symKeyInfoAlgo, true) | ||
| 456 | ); | ||
| 457 | } | ||
| 458 | |||
| 459 | /** @var XMLSecEnc $encKey */ | ||
| 460 | $encKey = $symmetricKeyInfo->encryptedCtx; | ||
| 461 | $symmetricKeyInfo->key = $inputKey->key; | ||
| 462 | |||
| 463 | $keySize = $symmetricKey->getSymmetricKeySize(); | ||
| 464 |             if ($keySize === null) { | ||
| 465 | /* To protect against "key oracle" attacks, we need to be able to create a | ||
| 466 | * symmetric key, and for that we need to know the key size. | ||
| 467 | */ | ||
| 468 |                 throw new \Exception('Unknown key size for encryption algorithm: '.var_export($symmetricKey->type, true)); | ||
| 469 | } | ||
| 470 | |||
| 471 |             try { | ||
| 472 | $key = $encKey->decryptKey($symmetricKeyInfo); | ||
| 473 |                 if (strlen($key) != $keySize) { | ||
| 474 | throw new \Exception( | ||
| 475 |                         'Unexpected key size ('.strlen($key)*8.'bits) for encryption algorithm: '. | ||
|  | |||
| 476 | var_export($symmetricKey->type, true) | ||
| 477 | ); | ||
| 478 | } | ||
| 479 |             } catch (\Exception $e) { | ||
| 480 | /* We failed to decrypt this key. Log it, and substitute a "random" key. */ | ||
| 481 |                 Utils::getContainer()->getLogger()->error('Failed to decrypt symmetric key: '.$e->getMessage()); | ||
| 482 | /* Create a replacement key, so that it looks like we fail in the same way as if the key was correctly padded. */ | ||
| 483 | |||
| 484 | /* We base the symmetric key on the encrypted key and private key, so that we always behave the | ||
| 485 | * same way for a given input key. | ||
| 486 | */ | ||
| 487 | $encryptedKey = $encKey->getCipherValue(); | ||
| 488 | $pkey = openssl_pkey_get_details($symmetricKeyInfo->key); | ||
| 489 | $pkey = sha1(serialize($pkey), true); | ||
| 490 | $key = sha1($encryptedKey.$pkey, true); | ||
| 491 | |||
| 492 | /* Make sure that the key has the correct length. */ | ||
| 493 |                 if (strlen($key) > $keySize) { | ||
| 494 | $key = substr($key, 0, $keySize); | ||
| 495 |                 } elseif (strlen($key) < $keySize) { | ||
| 496 | $key = str_pad($key, $keySize); | ||
| 497 | } | ||
| 498 | } | ||
| 499 | $symmetricKey->loadkey($key); | ||
| 500 |         } else { | ||
| 501 | $symKeyAlgo = $symmetricKey->getAlgorithm(); | ||
| 502 | /* Make sure that the input key has the correct format. */ | ||
| 503 |             if ($inputKeyAlgo !== $symKeyAlgo) { | ||
| 504 | throw new \Exception( | ||
| 505 | 'Algorithm mismatch between input key and key in message. '. | ||
| 506 | 'Key was: '.var_export($inputKeyAlgo, true).'; message was: '. | ||
| 507 | var_export($symKeyAlgo, true) | ||
| 508 | ); | ||
| 509 | } | ||
| 510 | $symmetricKey = $inputKey; | ||
| 511 | } | ||
| 512 | |||
| 513 | $algorithm = $symmetricKey->getAlgorithm(); | ||
| 514 |         if (in_array($algorithm, $blacklist, true)) { | ||
| 515 |             throw new \Exception('Algorithm disabled: '.var_export($algorithm, true)); | ||
| 516 | } | ||
| 517 | |||
| 518 | /** @var string $decrypted */ | ||
| 519 | $decrypted = $enc->decryptNode($symmetricKey, false); | ||
| 520 | |||
| 521 | /* | ||
| 522 | * This is a workaround for the case where only a subset of the XML | ||
| 523 | * tree was serialized for encryption. In that case, we may miss the | ||
| 524 | * namespaces needed to parse the XML. | ||
| 525 | */ | ||
| 526 | $xml = '<root xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '. | ||
| 527 | 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' . | ||
| 528 | $decrypted . | ||
| 529 | '</root>'; | ||
| 530 | |||
| 531 |         try { | ||
| 532 | $newDoc = DOMDocumentFactory::fromString($xml); | ||
| 533 |         } catch (RuntimeException $e) { | ||
| 534 |             throw new \Exception('Failed to parse decrypted XML. Maybe the wrong sharedkey was used?', 0, $e); | ||
| 535 | } | ||
| 536 | |||
| 537 | $decryptedElement = $newDoc->firstChild->firstChild; | ||
| 538 |         if ($decryptedElement === null) { | ||
| 539 |             throw new \Exception('Missing encrypted element.'); | ||
| 540 | } | ||
| 541 | |||
| 542 |         if (!($decryptedElement instanceof \DOMElement)) { | ||
| 543 |             throw new \Exception('Decrypted element was not actually a \DOMElement.'); | ||
| 544 | } | ||
| 545 | |||
| 546 | return $decryptedElement; | ||
| 547 | } | ||
| 548 | |||
| 549 | /** | ||
| 550 | * Decrypt an encrypted element. | ||
| 551 | * | ||
| 552 | * @param \DOMElement $encryptedData The encrypted data. | ||
| 553 | * @param XMLSecurityKey $inputKey The decryption key. | ||
| 554 | * @param array $blacklist Blacklisted decryption algorithms. | ||
| 555 | * @return \DOMElement The decrypted element. | ||
| 556 | * @throws \Exception | ||
| 557 | */ | ||
| 558 | public static function decryptElement(\DOMElement $encryptedData, XMLSecurityKey $inputKey, array $blacklist = []) | ||
| 559 |     { | ||
| 560 |         try { | ||
| 561 | return self::doDecryptElement($encryptedData, $inputKey, $blacklist); | ||
| 562 |         } catch (\Exception $e) { | ||
| 563 | /* | ||
| 564 | * Something went wrong during decryption, but for security | ||
| 565 | * reasons we cannot tell the user what failed. | ||
| 566 | */ | ||
| 567 |             Utils::getContainer()->getLogger()->error('Decryption failed: '.$e->getMessage()); | ||
| 568 |             throw new \Exception('Failed to decrypt XML element.', 0, $e); | ||
| 569 | } | ||
| 570 | } | ||
| 571 | |||
| 572 | /** | ||
| 573 | * Extract localized strings from a set of nodes. | ||
| 574 | * | ||
| 575 | * @param \DOMElement $parent The element that contains the localized strings. | ||
| 576 | * @param string $namespaceURI The namespace URI the localized strings should have. | ||
| 577 | * @param string $localName The localName of the localized strings. | ||
| 578 | * @return array Localized strings. | ||
| 579 | */ | ||
| 580 | public static function extractLocalizedStrings(\DOMElement $parent, $namespaceURI, $localName) | ||
| 581 |     { | ||
| 582 | assert(is_string($namespaceURI)); | ||
| 583 | assert(is_string($localName)); | ||
| 584 | |||
| 585 | $ret = []; | ||
| 586 |         for ($node = $parent->firstChild; $node !== null; $node = $node->nextSibling) { | ||
| 587 |             if ($node->namespaceURI !== $namespaceURI || $node->localName !== $localName) { | ||
| 588 | continue; | ||
| 589 | } | ||
| 590 | |||
| 591 |             if ($node->hasAttribute('xml:lang')) { | ||
| 592 |                 $language = $node->getAttribute('xml:lang'); | ||
| 593 |             } else { | ||
| 594 | $language = 'en'; | ||
| 595 | } | ||
| 596 | $ret[$language] = trim($node->textContent); | ||
| 597 | } | ||
| 598 | |||
| 599 | return $ret; | ||
| 600 | } | ||
| 601 | |||
| 602 | /** | ||
| 603 | * Extract strings from a set of nodes. | ||
| 604 | * | ||
| 605 | * @param \DOMElement $parent The element that contains the localized strings. | ||
| 606 | * @param string $namespaceURI The namespace URI the string elements should have. | ||
| 607 | * @param string $localName The localName of the string elements. | ||
| 608 | * @return array The string values of the various nodes. | ||
| 609 | */ | ||
| 610 | public static function extractStrings(\DOMElement $parent, $namespaceURI, $localName) | ||
| 611 |     { | ||
| 612 | assert(is_string($namespaceURI)); | ||
| 613 | assert(is_string($localName)); | ||
| 614 | |||
| 615 | $ret = []; | ||
| 616 |         for ($node = $parent->firstChild; $node !== null; $node = $node->nextSibling) { | ||
| 617 |             if ($node->namespaceURI !== $namespaceURI || $node->localName !== $localName) { | ||
| 618 | continue; | ||
| 619 | } | ||
| 620 | $ret[] = trim($node->textContent); | ||
| 621 | } | ||
| 622 | |||
| 623 | return $ret; | ||
| 624 | } | ||
| 625 | |||
| 626 | /** | ||
| 627 | * Append string element. | ||
| 628 | * | ||
| 629 | * @param \DOMElement $parent The parent element we should append the new nodes to. | ||
| 630 | * @param string $namespace The namespace of the created element. | ||
| 631 | * @param string $name The name of the created element. | ||
| 632 | * @param string $value The value of the element. | ||
| 633 | * @return \DOMElement The generated element. | ||
| 634 | */ | ||
| 635 | public static function addString(\DOMElement $parent, $namespace, $name, $value) | ||
| 636 |     { | ||
| 637 | assert(is_string($namespace)); | ||
| 638 | assert(is_string($name)); | ||
| 639 | assert(is_string($value)); | ||
| 640 | |||
| 641 | $doc = $parent->ownerDocument; | ||
| 642 | |||
| 643 | $n = $doc->createElementNS($namespace, $name); | ||
| 644 | $n->appendChild($doc->createTextNode($value)); | ||
| 645 | $parent->appendChild($n); | ||
| 646 | |||
| 647 | return $n; | ||
| 648 | } | ||
| 649 | |||
| 650 | /** | ||
| 651 | * Append string elements. | ||
| 652 | * | ||
| 653 | * @param \DOMElement $parent The parent element we should append the new nodes to. | ||
| 654 | * @param string $namespace The namespace of the created elements | ||
| 655 | * @param string $name The name of the created elements | ||
| 656 | * @param bool $localized Whether the strings are localized, and should include the xml:lang attribute. | ||
| 657 | * @param array $values The values we should create the elements from. | ||
| 658 | */ | ||
| 659 | public static function addStrings(\DOMElement $parent, $namespace, $name, $localized, array $values) | ||
| 660 |     { | ||
| 661 | assert(is_string($namespace)); | ||
| 662 | assert(is_string($name)); | ||
| 663 | assert(is_bool($localized)); | ||
| 664 | |||
| 665 | $doc = $parent->ownerDocument; | ||
| 666 | |||
| 667 |         foreach ($values as $index => $value) { | ||
| 668 | $n = $doc->createElementNS($namespace, $name); | ||
| 669 | $n->appendChild($doc->createTextNode($value)); | ||
| 670 |             if ($localized) { | ||
| 671 |                 $n->setAttribute('xml:lang', $index); | ||
| 672 | } | ||
| 673 | $parent->appendChild($n); | ||
| 674 | } | ||
| 675 | } | ||
| 676 | |||
| 677 | /** | ||
| 678 | * Create a KeyDescriptor with the given certificate. | ||
| 679 | * | ||
| 680 | * @param string $x509Data The certificate, as a base64-encoded DER data. | ||
| 681 | * @return \SAML2\XML\md\KeyDescriptor The keydescriptor. | ||
| 682 | */ | ||
| 683 | public static function createKeyDescriptor($x509Data) | ||
| 684 |     { | ||
| 685 | assert(is_string($x509Data)); | ||
| 686 | |||
| 687 | $x509Certificate = new X509Certificate(); | ||
| 688 | $x509Certificate->setCertificate($x509Data); | ||
| 689 | |||
| 690 | $x509Data = new X509Data(); | ||
| 691 | $x509Data->addData($x509Certificate); | ||
| 692 | |||
| 693 | $keyInfo = new KeyInfo(); | ||
| 694 | $keyInfo->addInfo($x509Data); | ||
| 695 | |||
| 696 | $keyDescriptor = new KeyDescriptor(); | ||
| 697 | $keyDescriptor->KeyInfo = $keyInfo; | ||
| 698 | |||
| 699 | return $keyDescriptor; | ||
| 700 | } | ||
| 701 | |||
| 702 | /** | ||
| 703 | * This function converts a SAML2 timestamp on the form | ||
| 704 | * yyyy-mm-ddThh:mm:ss(\.s+)?Z to a UNIX timestamp. The sub-second | ||
| 705 | * part is ignored. | ||
| 706 | * | ||
| 707 | * Andreas comments: | ||
| 708 | * I got this timestamp from Shibboleth 1.3 IdP: 2008-01-17T11:28:03.577Z | ||
| 709 | * Therefore I added to possibility to have microseconds to the format. | ||
| 710 |      * Added: (\.\\d{1,3})? to the regex. | ||
| 711 | * | ||
| 712 | * Note that we always require a 'Z' timezone for the dateTime to be valid. | ||
| 713 | * This is not in the SAML spec but that's considered to be a bug in the | ||
| 714 | * spec. See https://github.com/simplesamlphp/saml2/pull/36 for some | ||
| 715 | * background. | ||
| 716 | * | ||
| 717 | * @param string $time The time we should convert. | ||
| 718 | * @return int Converted to a unix timestamp. | ||
| 719 | * @throws \Exception | ||
| 720 | */ | ||
| 721 | public static function xsDateTimeToTimestamp($time) | ||
| 722 |     { | ||
| 723 | $matches = []; | ||
| 724 | |||
| 725 | // We use a very strict regex to parse the timestamp. | ||
| 726 |         $regex = '/^(\\d\\d\\d\\d)-(\\d\\d)-(\\d\\d)T(\\d\\d):(\\d\\d):(\\d\\d)(?:\\.\\d{1,9})?Z$/D'; | ||
| 727 |         if (preg_match($regex, $time, $matches) == 0) { | ||
| 728 | throw new \Exception( | ||
| 729 | 'Invalid SAML2 timestamp passed to xsDateTimeToTimestamp: '.$time | ||
| 730 | ); | ||
| 731 | } | ||
| 732 | |||
| 733 | // Extract the different components of the time from the matches in the regex. | ||
| 734 | // intval will ignore leading zeroes in the string. | ||
| 735 | $year = intval($matches[1]); | ||
| 736 | $month = intval($matches[2]); | ||
| 737 | $day = intval($matches[3]); | ||
| 738 | $hour = intval($matches[4]); | ||
| 739 | $minute = intval($matches[5]); | ||
| 740 | $second = intval($matches[6]); | ||
| 741 | |||
| 742 | // We use gmmktime because the timestamp will always be given | ||
| 743 | //in UTC. | ||
| 744 | $ts = gmmktime($hour, $minute, $second, $month, $day, $year); | ||
| 745 | |||
| 746 | return $ts; | ||
| 747 | } | ||
| 748 | |||
| 749 | /** | ||
| 750 | * @return \SAML2\Compat\Ssp\Container | ||
| 751 | */ | ||
| 752 | public static function getContainer() | ||
| 753 |     { | ||
| 754 | return ContainerSingleton::getInstance(); | ||
| 755 | } | ||
| 757 |