

Merge pull request #192 from sproogen/master
Added ability to configure DigestAlgorithm in settings
pitbulk committed Feb 10, 2017
2 parents 5099e97 + c4dc1fb commit 4210bc8
Showing 4 changed files with 81 additions and 6 deletions.
7 changes: 7 additions & 0 deletions advanced_settings_example.php
Expand Up @@ -85,6 +85,13 @@
// 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',

// Algorithm that the toolkit will use on digest process. Options:
// 'http://www.w3.org/2000/09/xmldsig#sha1'
// 'http://www.w3.org/2001/04/xmlenc#sha256'
// 'http://www.w3.org/2001/04/xmldsig-more#sha384'
// 'http://www.w3.org/2001/04/xmlenc#sha512'
'digestAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#sha1',

// ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses
// uppercase. Turn it True for ADFS compatibility on signature verification
'lowercaseUrlencoding' => false,
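Review bot: The example default `'digestAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#sha1'` steers new deployments to a SHA-1 digest, the weakest of the four options listed just above it; since this file is copied as-is into real configurations, the example (and the matching default in Settings::_addDefaultValues) would better point at `'http://www.w3.org/2001/04/xmlenc#sha256'`, with the comment saying that sha1 is kept only for peers that cannot verify anything newer. The comment `// Algorithm that the toolkit will use on digest process. Options:` would read more naturally as `// Algorithm the toolkit will use for the DigestMethod of documents it signs. Options:`.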
10 changes: 8 additions & 2 deletions lib/Saml2/Settings.php
Expand Up @@ -384,11 +384,16 @@ private function _addDefaultValues()
$this->_security['wantXMLValidation'] = true;
}

// Algorithm
// SignatureAlgorithm
if (!isset($this->_security['signatureAlgorithm'])) {
$this->_security['signatureAlgorithm'] = XMLSecurityKey::RSA_SHA1;
}

// DigestAlgorithm
if (!isset($this->_security['digestAlgorithm'])) {
$this->_security['digestAlgorithm'] = XMLSecurityDSig::SHA1;
}

if (!isset($this->_security['lowercaseUrlencoding'])) {
$this->_security['lowercaseUrlencoding'] = false;
}
Expand Down Expand Up @@ -835,7 +840,8 @@ public function getSPMetadata()
}

$signatureAlgorithm = $this->_security['signatureAlgorithm'];
$metadata = OneLogin_Saml2_Metadata::signMetadata($metadata, $keyMetadata, $certMetadata, $signatureAlgorithm);
$digestAlgorithm = $this->_security['digestAlgorithm'];
$metadata = OneLogin_Saml2_Metadata::signMetadata($metadata, $keyMetadata, $certMetadata, $signatureAlgorithm, $digestAlgorithm);
}
return $metadata;
}
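Review bot: The new default `$this->_security['digestAlgorithm'] = XMLSecurityDSig::SHA1;` in _addDefaultValues makes SHA-1 the digest for every installation that does not override the setting; `XMLSecurityDSig::SHA256` would be the safer default, leaving SHA-1 as an explicit opt-in for legacy peers. In the getSPMetadata hunk the value is handed straight to `signMetadata` with no check that it is one of the URIs the example settings list, so unless a settings check validates it elsewhere (not visible here) a typo in the configuration would surface only as a failure inside xmlseclibs at signing time rather than as a validation error naming the setting. getSPMetadata begins before this hunk.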
52 changes: 52 additions & 0 deletions tests/src/OneLogin/Saml2/MetadataTest.php
Expand Up @@ -159,6 +159,58 @@ public function testSignMetadata()
}
}

/**
* Tests the signMetadata method of the OneLogin_Saml2_Metadata
*
* @covers OneLogin_Saml2_Metadata::signMetadata
*/
public function testSignMetadataDefaultAlgorithms()
{
$settingsDir = TEST_ROOT .'/settings/';
include $settingsDir.'settings1.php';

$settings = new OneLogin_Saml2_Settings($settingsInfo);
$spData = $settings->getSPData();
$security = $settings->getSecurityData();

$metadata = OneLogin_Saml2_Metadata::builder($spData, $security['authnRequestsSigned'], $security['wantAssertionsSigned']);

$certPath = $settings->getCertPath();
$key = file_get_contents($certPath.'sp.key');
$cert = file_get_contents($certPath.'sp.crt');

$signedMetadata = OneLogin_Saml2_Metadata::signMetadata($metadata, $key, $cert);

$this->assertContains('<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>', $signedMetadata);
$this->assertContains('<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>', $signedMetadata);
}

/**
* Tests the signMetadata method of the OneLogin_Saml2_Metadata
*
* @covers OneLogin_Saml2_Metadata::signMetadata
*/
public function testSignMetadataCustomAlgorithms()
{
$settingsDir = TEST_ROOT .'/settings/';
include $settingsDir.'settings1.php';

$settings = new OneLogin_Saml2_Settings($settingsInfo);
$spData = $settings->getSPData();
$security = $settings->getSecurityData();

$metadata = OneLogin_Saml2_Metadata::builder($spData, $security['authnRequestsSigned'], $security['wantAssertionsSigned']);

$certPath = $settings->getCertPath();
$key = file_get_contents($certPath.'sp.key');
$cert = file_get_contents($certPath.'sp.crt');

$signedMetadata = OneLogin_Saml2_Metadata::signMetadata($metadata, $key, $cert, XMLSecurityKey::RSA_SHA256, XMLSecurityDSig::SHA512);

$this->assertContains('<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>', $signedMetadata);
$this->assertContains('<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>', $signedMetadata);
}

/**
* Tests the addX509KeyDescriptors method of the OneLogin_Saml2_Metadata
*
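Review bot: Both new tests pass a fifth `$digestAlgorithm` argument to `OneLogin_Saml2_Metadata::signMetadata`, yet lib/Saml2/Metadata.php is not among the four files this merge changes, so the parameter either already exists on the first parent or arrives from the other one; worth confirming the merged tree actually accepts it before relying on these tests (the same applies to the five-argument `addSign` calls in UtilsTest.php). Apart from the `signMetadata` line and its two assertions, testSignMetadataDefaultAlgorithms and testSignMetadataCustomAlgorithms are identical, so the settings/key/cert setup could move to a private helper returning `[$metadata, $key, $cert]`. Both docblocks read `Tests the signMetadata method of the OneLogin_Saml2_Metadata`; they would be more useful as `Tests that signMetadata falls back to RSA-SHA1 / SHA1 when no algorithms are given` and `Tests that signMetadata honours explicit signature and digest algorithms`.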
18 changes: 14 additions & 4 deletions tests/src/OneLogin/Saml2/UtilsTest.php
Expand Up @@ -1056,39 +1056,49 @@ public function testAddSign()
$xmlAuthn = base64_decode(file_get_contents(TEST_ROOT . '/data/requests/authn_request.xml.base64'));
$xmlAuthnSigned = OneLogin_Saml2_Utils::addSign($xmlAuthn, $key, $cert);
$this->assertContains('<ds:SignatureValue>', $xmlAuthnSigned);
$this->assertContains('<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>', $xmlAuthnSigned);
$this->assertContains('<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>', $xmlAuthnSigned);
$res = new DOMDocument();
$res->loadXML($xmlAuthnSigned);
$dsSignature = $res->firstChild->firstChild->nextSibling->nextSibling;
$this->assertContains('ds:Signature', $dsSignature->tagName);

$dom = new DOMDocument();
$dom->loadXML($xmlAuthn);
$xmlAuthnSigned2 = OneLogin_Saml2_Utils::addSign($dom, $key, $cert);
$xmlAuthnSigned2 = OneLogin_Saml2_Utils::addSign($dom, $key, $cert, XMLSecurityKey::RSA_SHA256, XMLSecurityDSig::SHA512);
$this->assertContains('<ds:SignatureValue>', $xmlAuthnSigned2);
$this->assertContains('<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>', $xmlAuthnSigned2);
$this->assertContains('<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>', $xmlAuthnSigned2);
$res2 = new DOMDocument();
$res2->loadXML($xmlAuthnSigned2);
$dsSignature2 = $res2->firstChild->firstChild->nextSibling->nextSibling;
$this->assertContains('ds:Signature', $dsSignature2->tagName);

$xmlLogoutReq = base64_decode(file_get_contents(TEST_ROOT . '/data/logout_requests/logout_request.xml.base64'));
$xmlLogoutReqSigned = OneLogin_Saml2_Utils::addSign($xmlLogoutReq, $key, $cert);
$xmlLogoutReqSigned = OneLogin_Saml2_Utils::addSign($xmlLogoutReq, $key, $cert, XMLSecurityKey::RSA_SHA256, XMLSecurityDSig::SHA512);
$this->assertContains('<ds:SignatureValue>', $xmlLogoutReqSigned);
$this->assertContains('<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>', $xmlLogoutReqSigned);
$this->assertContains('<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>', $xmlLogoutReqSigned);
$res3 = new DOMDocument();
$res3->loadXML($xmlLogoutReqSigned);
$dsSignature3 = $res3->firstChild->firstChild->nextSibling->nextSibling;
$this->assertContains('ds:Signature', $dsSignature3->tagName);

$xmlLogoutRes = base64_decode(file_get_contents(TEST_ROOT . '/data/logout_responses/logout_response.xml.base64'));
$xmlLogoutResSigned = OneLogin_Saml2_Utils::addSign($xmlLogoutRes, $key, $cert);
$xmlLogoutResSigned = OneLogin_Saml2_Utils::addSign($xmlLogoutRes, $key, $cert, XMLSecurityKey::RSA_SHA256, XMLSecurityDSig::SHA512);
$this->assertContains('<ds:SignatureValue>', $xmlLogoutResSigned);
$this->assertContains('<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>', $xmlLogoutResSigned);
$this->assertContains('<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>', $xmlLogoutResSigned);
$res4 = new DOMDocument();
$res4->loadXML($xmlLogoutResSigned);
$dsSignature4 = $res4->firstChild->firstChild->nextSibling->nextSibling;
$this->assertContains('ds:Signature', $dsSignature4->tagName);

$xmlMetadata = file_get_contents(TEST_ROOT . '/data/metadata/metadata_settings1.xml');
$xmlMetadataSigned = OneLogin_Saml2_Utils::addSign($xmlMetadata, $key, $cert);
$xmlMetadataSigned = OneLogin_Saml2_Utils::addSign($xmlMetadata, $key, $cert, XMLSecurityKey::RSA_SHA256, XMLSecurityDSig::SHA512);
$this->assertContains('<ds:SignatureValue>', $xmlMetadataSigned);
$this->assertContains('<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>', $xmlMetadataSigned);
$this->assertContains('<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>', $xmlMetadataSigned);
$res5 = new DOMDocument();
$res5->loadXML($xmlMetadataSigned);
$dsSignature5 = $res5->firstChild->firstChild;
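Review bot: Every new call after the first uses `XMLSecurityKey::RSA_SHA256, XMLSecurityDSig::SHA512`, and the added assertions only check that the two method URIs appear in the output; nothing verifies that a document signed with a SHA-512 digest actually validates, so a digest computed with the wrong algorithm but labelled correctly would still pass. A round trip through the toolkit's signature validation on at least one of `$xmlAuthnSigned2`, `$xmlLogoutReqSigned`, `$xmlLogoutResSigned` or `$xmlMetadataSigned` would close that gap. The three `assertContains` lines repeated per document could also become one private helper such as `assertSignedWith($xml, $sigAlg, $digestAlg)`. testAddSign starts before and ends after this hunk.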
