PageRenderTime 54ms CodeModel.GetById 27ms RepoModel.GetById 1ms app.codeStats 0ms

/contrib/signed_assertions/SAML.php

https://github.com/timdream/php-openid
PHP | 220 lines | 137 code | 17 blank | 66 comment | 29 complexity | 5717e81243fddc83ae71034595fd0ecb MD5 | raw file
    

  1. <?php
    2. 

  2. /**
    3. 

  3.  ** PHP versions 4 and 5
    4. 

  4.  **
    5. 

  5.  ** LICENSE: See the COPYING file included in this distribution.
    6. 

  6.  **
    7. 

  7.  ** @package OpenID
    8. 

  8.  ** @author Santosh Subramanian <subrasan@cs.sunysb.edu>
    9. 

  9.  ** @author Shishir Randive <srandive@cs.sunysb.edu>
    10. 

  10.  ** Stony Brook University.
    11. 

  11.  ** largely derived from 
    12. 

  12.  **
    13. 

  13.  * Copyright (C) 2007 Google Inc.
    14. 

  14.  *
    15. 

  15.  * Licensed under the Apache License, Version 2.0 (the "License");
    16. 

  16.  * you may not use this file except in compliance with the License.
    17. 

  17.  * You may obtain a copy of the License at
    18. 

  18.  *
    19. 

  19.  * http://www.apache.org/licenses/LICENSE-2.0
    20. 

  20.  *
    21. 

  21.  * Unless required by applicable law or agreed to in writing, software
    22. 

  22.  * distributed under the License is distributed on an "AS IS" BASIS,
    23. 

  23.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    24. 

  24.  * See the License for the specific language governing permissions and
    25. 

  25.  * limitations under the License.
    26. 

  26.  **/
    27. 

  27. 

  28. class SAML{
    29. 

  29.    private $assertionTemplate=null;
    30. 

  30.    /**
    31. 

  31.     * Returns a SAML response with various elements filled in.
    32. 

  32.     * @param string $authenticatedUser The OpenId of the user 
    33. 

  33.     * @param string $notBefore The ISO 8601 formatted date before which the 
    34. 

  34.     response is invalid
    35. 

  35.     * @param string $notOnOrAfter The ISO 8601 formatted data after which the 
    36. 

  36.     response is invalid
    37. 

  37.     * @param string $rsadsa 'rsa' if the response will be signed with RSA keys, 
    38. 

  38.     'dsa' for DSA keys
    39. 

  39.     * @param string $requestID The ID of the request we're responding to
    40. 

  40.     * @param string $destination The ACS URL that the response is submitted to
    41. 

  41.     * @return string XML SAML response.
    42. 

  42.     */
    43. 

  43.    function createSamlAssertion($authenticatedUser, $notBefore, $notOnOrAfter, $rsadsa, $acsURI,$attribute,$value,$assertionTemplate)
    44. 

  44.    {
    45. 

  45.       $samlResponse = $assertionTemplate;
    46. 

  46.       $samlResponse = str_replace('USERNAME_STRING', $authenticatedUser, $samlResponse); 
    47. 

  47.       $samlResponse = str_replace('RESPONSE_ID', $this->samlCreateId(), $samlResponse);
    48. 

  48.       $samlResponse = str_replace('ISSUE_INSTANT', $this->samlGetDateTime(time()), $samlResponse);
    49. 

  49.       $samlResponse = str_replace('NOT_BEFORE', $this->samlGetDateTime(strtotime($notBefore)), $samlResponse);
    50. 

  50.       $samlResponse = str_replace('NOT_ON_OR_AFTER', $this->samlGetDateTime(strtotime($notOnOrAfter)),$samlResponse);
    51. 

  51.       $samlResponse = str_replace('ASSERTION_ID',$this->samlCreateId(), $samlResponse);
    52. 

  52.       $samlResponse = str_replace('RSADSA', strtolower($rsadsa), $samlResponse);
    53. 

  53.       $samlResponse = str_replace('ISSUER_DOMAIN', $acsURI, $samlResponse);
    54. 

  54.       $samlResponse = str_replace('ATTRIBUTE_NAME', $attribute, $samlResponse);
    55. 

  55.       $samlResponse = str_replace('ATTRIBUTE_VALUE', $value, $samlResponse);
    56. 

  56.       return $samlResponse;
    57. 

  57.    }
    58. 

  58. 

  59.    /**
    60. 

  60.     * Signs a SAML response with the given private key, and embeds the public key.
    61. 

  61.     * @param string $responseXmlString The unsigned Assertion which will be signed 
    62. 

  62.     * @param string $priKey Private key to sign the certificate 
    63. 

  63.     * @param string $cert Public key certificate of signee
    64. 

  64.     * @return string Signed Assertion 
    65. 

  65.     */
    66. 

  66.    function signAssertion($responseXmlString,$privKey,$cert) 
    67. 

  67.    {
    68. 

  68.       if (file_exists("/tmp/xml")) {
    69. 

  69.          $tempFileDir="/tmp/xml/";          
    70. 

  70.       
    71. 

  71.       } else {
    72. 

  72.              mkdir("/tmp/xml",0777);   
    73. 

  73.          $tempFileDir="/tmp/xml/";
    74. 

  74.       }
    75. 

  75.       $tempName = 'saml-response-' . $this->samlCreateId() . '.xml';
    76. 

  76.       $tempFileName=$tempFileDir.$tempName;
    77. 

  77.       while (file_exists($tempFileName)) 
    78. 

  78.          $tempFileName = 'saml-response-' . $this->samlCreateId() . '.xml';
    79. 

  79. 

  80.       if (!$handle = fopen($tempFileName, 'w')) {
    81. 

  81.          return null;
    82. 

  82.       }
    83. 

  83.       if (fwrite($handle, $responseXmlString) === false) {
    84. 

  84.          return null;
    85. 

  85.       }
    86. 

  86.       fclose($handle);
    87. 

  87.       $cmd = 'xmlsec1 --sign --privkey-pem ' . $privKey . 
    88. 

  88.          ',' . $cert . ' --output ' . $tempFileName . 
    89. 

  89.          '.out ' . $tempFileName;
    90. 

  90.       exec($cmd, $resp);
    91. 

  91.       unlink($tempFileName);
    92. 

  92. 

  93.       $xmlResult = @file_get_contents($tempFileName . '.out');
    94. 

  94.       if (!$xmlResult) { 
    95. 

  95.          return null;
    96. 

  96.       } else {
    97. 

  97.          unlink($tempFileName . '.out');
    98. 

  98.          return $xmlResult;
    99. 

  99.       }
    100. 

  100.    }
    101. 

  101. 

  102. 

  103.    /**
    104. 

  104.     * Verify a saml response with the given public key.
    105. 

  105.     * @param string $responseXmlString Response to sign
    106. 

  106.     * @param string $rootcert trusted public key certificate
    107. 

  107.     * @return string Signed SAML response
    108. 

  108.     */
    109. 

  109.    function verifyAssertion($responseXmlString,$rootcert) 
    110. 

  110.    {
    111. 

  111.       date_default_timezone_set("UTC");
    112. 

  112.       if (file_exists("/tmp/xml")) {
    113. 

  113.          $tempFileDir="/tmp/xml/";          
    114. 

  114.       
    115. 

  115.       } else {
    116. 

  116.              mkdir("/tmp/xml",0777);   
    117. 

  117.          $tempFileDir="/tmp/xml/";
    118. 

  118.       }
    119. 

  119.       
    120. 

  120.       $tempName = 'saml-response-' . $this->samlCreateId() . '.xml';
    121. 

  121.       $tempFileName=$tempFileDir.$tempName;
    122. 

  122.       while (file_exists($tempFileName)) 
    123. 

  123.          $tempFileName = 'saml-response-' . $this->samlCreateId() . '.xml';
    124. 

  124. 

  125.       if (!$handle = fopen($tempFileName, 'w')) {
    126. 

  126.          return false;
    127. 

  127.       }
    128. 

  128. 

  129.       if (fwrite($handle, $responseXmlString) === false) {
    130. 

  130.          return false;
    131. 

  131.       }
    132. 

  132. 

  133.       $p=xml_parser_create();
    134. 

  134.       $result=xml_parse_into_struct($p,$responseXmlString,$vals,$index);
    135. 

  135.       xml_parser_free($p);
    136. 

  136.       $cert_info=$index["X509CERTIFICATE"];
    137. 

  137.       $conditions=$index["CONDITIONS"];
    138. 

  138.       foreach($cert_info as $key=>$value){
    139. 

  139.          file_put_contents($tempFileName.'.cert',$vals[$value]['value']);
    140. 

  140.       }
    141. 

  141.       $cert=$tempFileName.'.cert';
    142. 

  142.       $before=0;
    143. 

  143.       $after=0;
    144. 

  144.       foreach($conditions as $key=>$value){
    145. 

  145.          $before=$vals[$value]['attributes']['NOTBEFORE'];
    146. 

  146.          $after=$vals[$value]['attributes']['NOTONORAFTER'];
    147. 

  147.       }
    148. 

  148.       $before=$this->validSamlDateFormat($before);
    149. 

  149.       $after=$this->validSamlDateFormat($after);
    150. 

  150.       if(strtotime("now") < $before || strtotime("now") >= $after){
    151. 

  151.          unlink($tempFileName);
    152. 

  152.          unlink($cert);
    153. 

  153.          return false;
    154. 

  154.       }
    155. 

  155.       fclose($handle);
    156. 

  156.       $cmd = 'xmlsec1 --verify --pubkey-cert ' . $cert .'--trusted '.$rootcert. ' '.$tempFileName.'* 2>&1 1>/dev/null';
    157. 

  157.       exec($cmd,$resp);
    158. 

  158.       if(strcmp($resp[0],"FAIL") == 0){
    159. 

  159.          $value = false;
    160. 

  160.       }elseif(strcmp($resp[0],"ERROR") == 0){
    161. 

  161.          $value = false;
    162. 

  162.       }elseif(strcmp($resp[0],"OK") == 0){
    163. 

  163.          $value = TRUE;
    164. 

  164.       }
    165. 

  165.       unlink($tempFileName);
    166. 

  166.       unlink($cert);
    167. 

  167.       return $value;
    168. 

  168.    }
    169. 

  169. 

  170.    /**
    171. 

  171.     * Creates a 40-character string containing 160-bits of pseudorandomness.
    172. 

  172.     * @return string Containing pseudorandomness of 160 bits
    173. 

  173.     */
    174. 

  174. 

  175.    function samlCreateId() 
    176. 

  176.    {
    177. 

  177.       $rndChars = 'abcdefghijklmnop';
    178. 

  178.       $rndId = '';
    179. 

  179.       for ($i = 0; $i < 40; $i++ ) {
    180. 

  180.          $rndId .= $rndChars[rand(0,strlen($rndChars)-1)];
    181. 

  181.       }
    182. 

  182.       return $rndId;
    183. 

  183.    }
    184. 

  184. 

  185.    /**
    186. 

  186.     * Returns a unix timestamp in xsd:dateTime format.
    187. 

  187.     * @param timestamp int UNIX Timestamp to convert to xsd:dateTime 
    188. 

  188.     * ISO 8601 format.
    189. 

  189.     * @return string
    190. 

  190.     */
    191. 

  191.    function samlGetDateTime($timestamp) 
    192. 

  192.    {
    193. 

  193.       return gmdate('Y-m-d\TH:i:s\Z', $timestamp);
    194. 

  194.    }
    195. 

  195.    /**
    196. 

  196.     * Attempts to check whether a SAML date is valid.  Returns true or false.
    197. 

  197.     * @param string $samlDate
    198. 

  198.     * @return bool
    199. 

  199.     */
    200. 

  200. 

  201.    function validSamlDateFormat($samlDate) 
    202. 

  202.    {
    203. 

  203.       if ($samlDate == "") return false;
    204. 

  204.       $indexT = strpos($samlDate, 'T');
    205. 

  205.       $indexZ = strpos($samlDate, 'Z');
    206. 

  206.       if (($indexT != 10) || ($indexZ != 19)) {
    207. 

  207.          return false;
    208. 

  208.       }
    209. 

  209.       $dateString = substr($samlDate, 0, 10);
    210. 

  210.       $timeString = substr($samlDate, $indexT + 1, 8);
    211. 

  211.       list($year, $month, $day) = explode('-', $dateString);
    212. 

  212.       list($hour, $minute, $second) = explode(':', $timeString);
    213. 

  213.       $parsedDate = gmmktime($hour, $minute, $second, $month, $day, $year);
    214. 

  214.       if (($parsedDate === false) || ($parsedDate == -1)) return false;
    215. 

  215.       if (!checkdate($month, $day, $year)) return false;
    216. 

  216.       return $parsedDate;
    217. 

  217.    }
    218. 

  218. 

  219. }
    220. 

  220. ?>
    221. 

  221.