
Add support for key rollover. Be able to register a future SP x509cert in the settings and publish it on SP metadata
pitbulk committed Apr 7, 2017
1 parent 304a43d commit aee91b845047b48afb233b603d5587ca3f37d10c
@@ -6,6 +6,7 @@
/demo-old/settings.php
/certs/sp.key
/certs/sp.crt
/certs/sp_new.crt
/certs/metadata.key
/certs/metadata.crt
/tests/build
@@ -183,6 +183,8 @@ Sometimes we could need a signature on the metadata published by the SP, in
this case we could use the x.509 cert previously mentioned or use a new x.509
cert: `metadata.crt` and `metadata.key`.
Use `sp_new.crt` if you are in a key rollover process and you want to
publish that x509certificate on Service Provider metadata.
#### `extlib/` ####
@@ -337,6 +339,14 @@ $settings = array (
'x509cert' => '',
'privateKey' => '',
/*
* Key rollover
* If you plan to update the SP x509cert and privateKey
* you can define here the new x509cert and it will be
* published on the SP metadata so Identity Providers can
* read them and get ready for rollover.
*/
// 'x509certNew' => '',
),
// Identity Provider Data that we want connected with our SP.
@@ -1250,6 +1260,7 @@ Configuration of the OneLogin PHP Toolkit
* `checkSPCerts` - Checks if the x509 certs of the SP exists and are valid.
* `getSPkey` - Returns the x509 private key of the SP.
* `getSPcert` - Returns the x509 public cert of the SP.
* `getSPcertNew` - Returns the future x509 public cert of the SP.
* `getIdPData` - Gets the IdP data.
* `getSPData`Gets the SP data.
* `getSecurityData` - Gets security data.
@@ -4,6 +4,7 @@ Onelogin PHP Toolkit expects certs for the SP stored at:
* sp.key Private Key
* sp.crt Public cert
* sp_new.crt Future Public cert
Also you can use other cert to sign the metadata of the SP using the:
@@ -699,6 +699,28 @@ public function getSPcert()
return $cert;
}
/**
* Returns the x509 public of the SP that is
* planed to be used soon instead the other
* public cert
* @return string SP public cert New
*/
public function getSPcertNew()
{
$cert = null;
if (isset($this->_sp['x509certNew']) && !empty($this->_sp['x509certNew'])) {
$cert = $this->_sp['x509certNew'];
} else {
$certFile = $this->_paths['cert'].'sp_new.crt';
if (file_exists($certFile)) {
$cert = file_get_contents($certFile);
}
}
return $cert;
}
/**
* Gets the IdP data.
*
@@ -780,8 +802,16 @@ public function getSPMetadata()
{
$metadata = OneLogin_Saml2_Metadata::builder($this->_sp, $this->_security['authnRequestsSigned'], $this->_security['wantAssertionsSigned'], null, null, $this->getContacts(), $this->getOrganization());
$cert = $this->getSPcert();
$certNew = $this->getSPcertNew();
if (!empty($certNew)) {
$metadata = OneLogin_Saml2_Metadata::addX509KeyDescriptors(
$metadata,
$certNew,
$this->_security['wantNameIdEncrypted'] || $this->_security['wantAssertionsEncrypted']
);
}
$cert = $this->getSPcert();
if (!empty($cert)) {
$metadata = OneLogin_Saml2_Metadata::addX509KeyDescriptors(
$metadata,
@@ -848,6 +878,7 @@ public function getSPMetadata()
$digestAlgorithm = $this->_security['digestAlgorithm'];
$metadata = OneLogin_Saml2_Metadata::signMetadata($metadata, $keyMetadata, $certMetadata, $signatureAlgorithm, $digestAlgorithm);
}
// print_r($metadata);
return $metadata;
}
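Review bot: getSPMetadata advertises the future certificate with the same encryption flag as the current one (the `$this->_security['wantNameIdEncrypted'] || $this->_security['wantAssertionsEncrypted']` argument on the `$certNew` call), yet the settings shown in this commit carry a single `privateKey`, so an IdP that starts encrypting to the newly published key would, as far as these hunks show, produce assertions the SP cannot decrypt until the key is actually swapped — please verify against the decryption path. That constraint belongs where `x509certNew` is documented (the comment blocks added to README.md and settings_example.php), e.g. `* The new cert is also published for encryption; set it only when the matching private key is ready to be deployed.`, or the `$certNew` call should pass `false` as the third argument so the future key is announced for signing only. Separately, in getSPcertNew the `isset(...) && !empty(...)` pair is redundant and a failed read would hand `false` back as the cert; `if (($contents = file_get_contents($certFile)) !== false) { $cert = $contents; }` keeps the null-or-string contract the docblock promises. The first `$cert = $this->getSPcert();` just above `$certNew` appears next to a second one before `if (!empty($cert))`; if both are on the new side the first is a dead assignment — the markers are lost on this rendered page, so please confirm.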
@@ -10,10 +10,10 @@
// Enable debug mode (to print errors)
'debug' => false,
// Set a BaseURL to be used instead of try to guess
// Set a BaseURL to be used instead of try to guess
// the BaseURL of the view that process the SAML Message.
// Ex. http://sp.example.com/
// http://example.com/sp/
// http://example.com/sp/
'baseurl' => null,
// Service Provider Data that we are deploying
@@ -32,7 +32,7 @@
),
// If you need to specify requested attributes, set a
// attributeConsumingService. nameFormat, attributeValue and
// friendlyName can be omitted. Otherwise remove this section.
// friendlyName can be omitted. Otherwise remove this section.
"attributeConsumingService"=> array(
"ServiceName" => "SP test",
"serviceDescription" => "Test Service",
@@ -65,6 +65,15 @@
// the certs folder. But we can also provide them with the following parameters
'x509cert' => '',
'privateKey' => '',
/*
* Key rollover
* If you plan to update the SP x509cert and privateKey
* you can define here the new x509cert and it will be
* published on the SP metadata so Identity Providers can
* read them and get ready for rollover.
*/
// 'x509certNew' => '',
),
// Identity Provider Data that we want connect with our SP
@@ -0,0 +1,55 @@
<?php
$settingsInfo = array (
'strict' => false,
'debug' => false,
'sp' => array (
'entityId' => 'http://stuff.com/endpoints/metadata.php',
'assertionConsumerService' => array (
'url' => 'http://stuff.com/endpoints/endpoints/acs.php',
),
'singleLogoutService' => array (
'url' => 'http://stuff.com/endpoints/endpoints/sls.php',
),
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
'privateKey' => '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',
'x509cert' => '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',
'x509certNew' => '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'
),
'idp' => array (
'entityId' => 'http://idp.example.com/',
'singleSignOnService' => array (
'url' => 'http://idp.example.com/SSOService.php',
),
'singleLogoutService' => array (
'url' => 'http://idp.example.com/SingleLogoutService.php',
),
'x509cert' => 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo'
),
'compress' => array(
'requests' => true,
'responses' => true
),
'security' => array (
'authnRequestsSigned' => false,
'wantAssertionsSigned' => false,
'signMetadata' => false,
),
'contactPerson' => array (
'technical' => array (
'givenName' => 'technical_name',
'emailAddress' => 'technical@example.com',
),
'support' => array (
'givenName' => 'support_name',
'emailAddress' => 'support@example.com',
),
),
'organization' => array (
'en-US' => array(
'name' => 'sp_test',
'displayname' => 'SP test',
'url' => 'http://sp.example.com',
),
),
);
@@ -263,4 +263,54 @@ public function testAddX509KeyDescriptors()
$this->assertContains('Error parsing metadata', $e->getMessage());
}
}
/**
* Tests the addX509KeyDescriptors method of the OneLogin_Saml2_Metadata
* Case: Execute 2 addX509KeyDescriptors calls
*
* @covers OneLogin_Saml2_Metadata::addX509KeyDescriptors
*/
public function testAddX509KeyDescriptors2Times()
{
$settingsDir = TEST_ROOT .'/settings/';
include $settingsDir.'settings1.php';
$settings = new OneLogin_Saml2_Settings($settingsInfo);
$spData = $settings->getSPData();
$metadata = OneLogin_Saml2_Metadata::builder($spData);
$this->assertNotContains('<md:KeyDescriptor use="signing"', $metadata);
$this->assertNotContains('<md:KeyDescriptor use="encryption"', $metadata);
$certPath = $settings->getCertPath();
$cert = file_get_contents($certPath.'sp.crt');
$metadata = OneLogin_Saml2_Metadata::addX509KeyDescriptors($metadata, $cert, false);
$this->assertEquals(1, substr_count($metadata, "<md:KeyDescriptor"));
$metadata = OneLogin_Saml2_Metadata::addX509KeyDescriptors($metadata, $cert, false);
$this->assertEquals(2, substr_count($metadata, "<md:KeyDescriptor"));
$metadata2 = OneLogin_Saml2_Metadata::builder($spData);
$metadata2 = OneLogin_Saml2_Metadata::addX509KeyDescriptors($metadata2, $cert);
$this->assertEquals(2, substr_count($metadata2, "<md:KeyDescriptor"));
$this->assertEquals(1, substr_count($metadata2, '<md:KeyDescriptor use="signing"'));
$this->assertEquals(1, substr_count($metadata2, '<md:KeyDescriptor use="encryption"'));
$metadata2 = OneLogin_Saml2_Metadata::addX509KeyDescriptors($metadata2, $cert);
$this->assertEquals(4, substr_count($metadata2, "<md:KeyDescriptor"));
$this->assertEquals(2, substr_count($metadata2, '<md:KeyDescriptor use="signing"'));
$this->assertEquals(2, substr_count($metadata2, '<md:KeyDescriptor use="encryption"'));
}
}
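Review bot: testAddX509KeyDescriptors2Times only counts `<md:KeyDescriptor` occurrences after adding the same `$cert` twice, so it cannot tell the rollover output (two different certificates) apart from a plain duplication, and the per-use counts at the end pass in either case. Load `sp_new.crt` (or the `x509certNew` value from the new settings1.php fixture) for the second call and assert that each certificate's content appears exactly once in the result, so a regression that drops or repeats one of them is caught. The new getSPMetadata branch itself is not exercised in this section; unless a SettingsTest change is elsewhere in the commit, a test that builds metadata from settings1.php via `$settings->getSPMetadata()` and checks that both certificates are present would cover it.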