Merge pull request SAML-Toolkits#206 from onelogin/key_rollover_mngmt

Improve Key Rollover management

Author: pitbulk

.gitignore

@@ -6,6 +6,7 @@
 /demo-old/settings.php
 /certs/sp.key
 /certs/sp.crt
+/certs/sp_new.crt
 /certs/metadata.key
 /certs/metadata.crt
 /tests/build

README.md

@@ -86,6 +86,7 @@ Installation
  * `mcrypt`. Install that library and its php driver if you gonna handle
    encrypted data (`nameID`, `assertions`).
  * `gettext`. Install that library and its php driver. It handles translations.
+ * `curl`. Install that library and its php driver if you plan to use the IdP Metadata parser.
 
 Since [PHP 5.3 is officially unsupported](http://php.net/eol.php) we recommend you to use a newer PHP version.
 
@@ -183,6 +184,8 @@ Sometimes we could need a signature on the metadata published by the SP, in
 this case we could use the x.509 cert previously mentioned or use a new x.509
 cert: `metadata.crt` and `metadata.key`.
 
+Use `sp_new.crt` if you are in a key rollover process and you want to
+publish that x509certificate on Service Provider metadata.
 
 #### `extlib/` ####
 
@@ -337,6 +340,14 @@ $settings = array (
         'x509cert' => '',
         'privateKey' => '',
 
+        /*
+         * Key rollover
+         * If you plan to update the SP x509cert and privateKey
+         * you can define here the new x509cert and it will be 
+         * published on the SP metadata so Identity Providers can
+         * read them and get ready for rollover.
+         */
+        // 'x509certNew' => '',
     ),
 
     // Identity Provider Data that we want connected with our SP.
@@ -379,6 +390,22 @@ $settings = array (
          */
         // 'certFingerprint' => '',
         // 'certFingerprintAlgorithm' => 'sha1',
+
+        /* In some scenarios the IdP uses different certificates for
+         * signing/encryption, or is under key rollover phase and
+         * more than one certificate is published on IdP metadata.
+         * In order to handle that the toolkit offers that parameter.
+         * (when used, 'x509cert' and 'certFingerprint' values are
+         * ignored).
+         */
+        // 'x509certMulti' => array(
+        //      'signing' => array(
+        //          0 => '<cert1-string>',
+        //      ),
+        //      'encryption' => array(
+        //          0 => '<cert2-string>',
+        //      )
+        // ),
     ),
 );
 ```
@@ -1085,6 +1112,26 @@ You should be able to workaround this by configuring your server so that it is a
 Or by using the method described on the previous section.
 
 
+### SP Key rollover ###
+
+If you plan to update the SP x509cert and privateKey you can define the new x509cert as $settings['sp']['x509certNew'] and it will be 
+published on the SP metadata so Identity Providers can read them and get ready for rollover.
+
+
+### IdP with multiple certificates ###
+
+In some scenarios the IdP uses different certificates for
+signing/encryption, or is under key rollover phase and more than one certificate is published on IdP metadata.
+
+In order to handle that the toolkit offers the $settings['idp']['x509certMulti'] parameter.
+
+When that parameter is used, 'x509cert' and 'certFingerprint' values will be ignored by the toolkit.
+
+The 'x509certMulti' is an array with 2 keys:
+- 'signing'. An array of certs that will be used to validate IdP signature 
+- 'encryption' An array with one unique cert that will be used to encrypt data to be sent to the IdP
+
+
 ### Replay attacks ###
 
 In order to avoid replay attacks, you can store the ID of the SAML messages already processed, to avoid processing them twice. Since the Messages expires and will be invalidated due that fact, you don't need to store those IDs longer than the time frame that you currently accepting.
@@ -1250,6 +1297,7 @@ Configuration of the OneLogin PHP Toolkit
  * `checkSPCerts` - Checks if the x509 certs of the SP exists and are valid.
  * `getSPkey` - Returns the x509 private key of the SP.
  * `getSPcert` - Returns the x509 public cert of the SP.
+ * `getSPcertNew` - Returns the future x509 public cert of the SP.
  * `getIdPData` - Gets the IdP data.
  * `getSPData`Gets the SP data.
  * `getSecurityData` - Gets security data.
@@ -1259,6 +1307,7 @@ Configuration of the OneLogin PHP Toolkit
  * `validateMetadata` - Validates an XML SP Metadata.
  * `formatIdPCert` - Formats the IdP cert.
  * `formatSPCert` - Formats the SP cert.
+ * `formatSPCertNew` - Formats the SP cert new.
  * `formatSPKey` - Formats the SP private key.
  * `getErrors` - Returns an array with the errors, the array is empty when
    the settings is ok.
@@ -1317,6 +1366,16 @@ Auxiliary class that contains several methods
    (Message or Assertion).
  * `validateSign` - Validates a signature (Message or Assertion).
 
+##### OneLogin_Saml2_IdPMetadataParser - `IdPMetadataParser.php` #####
+
+Auxiliary class that contains several methods to retrieve and process IdP metadata
+
+ * `parseRemoteXML` - Get IdP Metadata Info from URL.
+ * `parseFileXML` - Get IdP Metadata Info from File.
+ * `parseXML` - Get IdP Metadata Info from XML.
+ * `injectIntoSettings` - Inject metadata info into php-saml settings array.
+
+
 For more info, look at the source code; each method is documented and details
 about what it does and how to use it are provided. Make sure to also check the doc folder where
 HTML documentation about the classes and methods is provided for SAML and

certs/README

@@ -4,6 +4,7 @@ Onelogin PHP Toolkit expects certs for the SP stored at:
 
  * sp.key   Private Key
  * sp.crt  Public cert
+ * sp_new.crt Future Public cert
 
 Also you can use other cert to sign the metadata of the SP using the:
 

lib/Saml2/IdPMetadataParser.php

@@ -0,0 +1,211 @@
+<?php
+
+/**
+ * IdP Metadata Parser of OneLogin PHP Toolkit
+ *
+ */
+
+class OneLogin_Saml2_IdPMetadataParser
+{
+    /**
+     * Get IdP Metadata Info from URL
+     *
+     * @param string $url                   URL where the IdP metadata is published
+     * @param string $entityId              Entity Id of the desired IdP, if no
+     *                                      entity Id is provided and the XML
+     *                                      metadata contains more than one
+     *                                      IDPSSODescriptor, the first is returned
+     * @param string $desiredNameIdFormat   If available on IdP metadata, use that nameIdFormat
+     *
+     * @return array metadata info in php-saml settings format
+     */
+    public static function parseRemoteXML($url, $entityId = null, $desiredNameIdFormat = null)
+    {
+        $metadataInfo = array();
+
+        try {
+            $ch = curl_init($url);
+            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "GET");
+            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+            curl_setopt($ch, CURLOPT_FAILONERROR, 1);
+
+            $xml = curl_exec($ch);
+            if ($xml !== false) {
+                $metadataInfo = self::parseXML($xml, $entityId);
+            } else {
+                throw new Exception(curl_error($ch), curl_errno($ch));
+            }
+        } catch (Exception $e) {
+        }
+        return $metadataInfo;
+    }
+
+    /**
+     * Get IdP Metadata Info from File
+     *
+     * @param string $filepath              File path
+     * @param string $entityId              Entity Id of the desired IdP, if no
+     *                                      entity Id is provided and the XML
+     *                                      metadata contains more than one
+     *                                      IDPSSODescriptor, the first is returned
+     * @param string $desiredNameIdFormat   If available on IdP metadata, use that nameIdFormat
+     *
+     * @return array metadata info in php-saml settings format
+     */
+    public static function parseFileXML($filepath, $entityId = null, $desiredNameIdFormat = null)
+    {
+        $metadataInfo = array();
+
+        try {
+            if (file_exists($filepath)) {
+                $data = file_get_contents($filepath);
+                $metadataInfo = self::parseXML($data, $entityId);
+            }
+        } catch (Exception $e) {
+        }
+        return $metadataInfo;
+    }
+
+    /**
+     * Get IdP Metadata Info from URL
+     *
+     * @param string $xml                   XML that contains IdP metadata
+     * @param string $entityId              Entity Id of the desired IdP, if no
+     *                                      entity Id is provided and the XML
+     *                                      metadata contains more than one
+     *                                      IDPSSODescriptor, the first is returned
+     * @param string $desiredNameIdFormat   If available on IdP metadata, use that nameIdFormat
+     *
+     * @return array metadata info in php-saml settings format
+     */
+    public static function parseXML($xml, $entityId = null, $desiredNameIdFormat = null)
+    {
+        $metadataInfo = array();
+
+        $dom = new DOMDocument();
+        $dom->preserveWhiteSpace = false;
+        $dom->formatOutput = true;
+        try {
+            $dom = OneLogin_Saml2_Utils::loadXML($dom, $xml);
+            if (!$dom) {
+                throw new Exception('Error parsing metadata');
+            }
+
+            $customIdPStr = '';
+            if (!empty($entityId)) {
+                $customIdPStr = '[@entityID="' . $entityId . '"]';
+            }
+            $idpDescryptorXPath = '//md:EntityDescriptor' . $customIdPStr . '/md:IDPSSODescriptor';
+
+            $idpDescriptorNodes = OneLogin_Saml2_Utils::query($dom, $idpDescryptorXPath);
+
+            if (isset($idpDescriptorNodes) && $idpDescriptorNodes->length > 0) {
+                $metadataInfo['idp'] = array();
+
+                $idpDescriptor = $idpDescriptorNodes->item(0);
+
+                if (empty($entityId) && $idpDescriptor->parentNode->hasAttribute('entityID')) {
+                    $entityId = $idpDescriptor->parentNode->getAttribute('entityID');
+                }
+
+                if (!empty($entityId)) {
+                    $metadataInfo['idp']['entityId'] = $entityId;
+                }
+
+                $ssoNodes = OneLogin_Saml2_Utils::query($dom, './md:SingleSignOnService[@Binding="'.OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT.'"]', $idpDescriptor);
+                if ($ssoNodes->length < 1) {
+                    $ssoNodes = OneLogin_Saml2_Utils::query($dom, './md:SingleSignOnService', $idpDescriptor);
+                }
+                if ($ssoNodes->length > 0) {
+                    $metadataInfo['idp']['singleSignOnService'] = array(
+                        'url' => $ssoNodes->item(0)->getAttribute('Location'),
+                        'binding' => $ssoNodes->item(0)->getAttribute('Binding')
+                    );
+                }
+
+                $sloNodes = OneLogin_Saml2_Utils::query($dom, './md:SingleSignOnService[@Binding="'.OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT.'"]', $idpDescriptor);
+                if ($sloNodes->length < 1) {
+                    $sloNodes = OneLogin_Saml2_Utils::query($dom, './md:SingleSignOnService', $idpDescriptor);
+                }
+                if ($sloNodes->length > 0) {
+                    $metadataInfo['idp']['singleLogoutService'] = array(
+                        'url' => $sloNodes->item(0)->getAttribute('Location'),
+                        'binding' => $sloNodes->item(0)->getAttribute('Binding')
+                    );
+                }
+
+                $keyDescriptorCertSigningNodes = OneLogin_Saml2_Utils::query($dom, './md:KeyDescriptor[not(contains(@use, "encryption"))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $idpDescriptor);
+
+                $keyDescriptorCertEncryptionNodes = OneLogin_Saml2_Utils::query($dom, './md:KeyDescriptor[not(contains(@use, "signing"))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $idpDescriptor);
+
+                if (!empty($keyDescriptorCertSigningNodes) || !empty($keyDescriptorCertEncryptionNodes)) {
+                    $metadataInfo['idp']['x509certMulti'] = array();
+                    if (!empty($keyDescriptorCertSigningNodes)) {
+                        $idpInfo['x509certMulti']['signing'] = array();
+                        foreach ($keyDescriptorCertSigningNodes as $keyDescriptorCertSigningNode) {
+                            $metadataInfo['idp']['x509certMulti']['signing'][] = OneLogin_Saml2_Utils::formatCert($keyDescriptorCertSigningNode->nodeValue, false);
+                        }
+                    }
+                    if (!empty($keyDescriptorCertEncryptionNodes)) {
+                        $idpInfo['x509certMulti']['encryption'] = array();
+                        foreach ($keyDescriptorCertEncryptionNodes as $keyDescriptorCertEncryptionNode) {
+                            $metadataInfo['idp']['x509certMulti']['encryption'][] = OneLogin_Saml2_Utils::formatCert($keyDescriptorCertEncryptionNode->nodeValue, false);
+                        }
+                    }
+
+                    $idpCertdata = $metadataInfo['idp']['x509certMulti'];
+                    if (count($idpCertdata) == 1 || ((isset($idpCertdata['signing']) && count($idpCertdata['signing']) == 1) && isset($idpCertdata['encryption']) && count($idpCertdata['encryption']) == 1 && strcmp($idpCertdata['signing'][0], $idpCertdata['encryption'][0]) == 0)) {
+                        if (isset($metadataInfo['idp']['x509certMulti']['signing'][0])) {
+                            $metadataInfo['idp']['x509cert'] = $metadataInfo['idp']['x509certMulti']['signing'][0];
+                        } else {
+                            $metadataInfo['idp']['x509cert'] = $metadataInfo['idp']['x509certMulti']['encryption'][0];
+                        }
+                        unset($metadataInfo['idp']['x509certMulti']);
+                    }
+                }
+
+                $nameIdFormatNodes = OneLogin_Saml2_Utils::query($dom, './md:NameIDFormat', $idpDescriptor);
+                if ($nameIdFormatNodes->length > 0) {
+                    $metadataInfo['sp']['NameIDFormat'] = $nameIdFormatNodes->item(0)->nodeValue;
+                    if (!empty($desiredNameIdFormat)) {
+                        foreach ($nameIdFormatNodes as $nameIdFormatNode) {
+                            if (strcmp($nameIdFormatNode->nodeValue, $desiredNameIdFormat) == 0) {
+                                $metadataInfo['sp']['NameIDFormat'] = $nameIdFormatNode->nodeValue;
+                                break;
+                            }
+                        }
+                    }
+                }
+            }
+        } catch (Exception $e) {
+            throw new Exception('Error parsing metadata. '.$e->getMessage());
+        }
+
+        return $metadataInfo;
+    }
+
+    /**
+     * Inject metadata info into php-saml settings array
+     *
+     * @param string $settings      php-saml settings array
+     * @param string $metadataInfo  array metadata info
+     *
+     * @return array settings
+     */
+    public static function injectIntoSettings($settings, $metadataInfo)
+    {
+        if (isset($metadataInfo['idp']) && isset($settings['idp'])) {
+            if (isset($metadataInfo['idp']['x509certMulti']) && !empty($metadataInfo['idp']['x509certMulti']) && isset($settings['idp']['x509cert'])) {
+                unset($settings['idp']['x509cert']);
+            }
+
+            if (isset($metadataInfo['idp']['x509cert']) && !empty($metadataInfo['idp']['x509cert']) && isset($settings['idp']['x509certMulti'])) {
+                unset($settings['idp']['x509certMulti']);
+            }
+        }
+
+        return array_replace_recursive($settings, $metadataInfo);
+    }
+}