Add support to Key Rollover. Be able to register future SP x509cert on the settings and publish it on SP metadata

Author: pitbulk

.gitignore

@@ -6,6 +6,7 @@
 /demo-old/settings.php
 /certs/sp.key
 /certs/sp.crt
+/certs/sp_new.crt
 /certs/metadata.key
 /certs/metadata.crt
 /tests/build

README.md

@@ -183,6 +183,8 @@ Sometimes we could need a signature on the metadata published by the SP, in
 this case we could use the x.509 cert previously mentioned or use a new x.509
 cert: `metadata.crt` and `metadata.key`.
 
+Use `sp_new.crt` if you are in a key rollover process and you want to
+publish that x509certificate on Service Provider metadata.
 
 #### `extlib/` ####
 
@@ -337,6 +339,14 @@ $settings = array (
         'x509cert' => '',
         'privateKey' => '',
 
+        /*
+         * Key rollover
+         * If you plan to update the SP x509cert and privateKey
+         * you can define here the new x509cert and it will be 
+         * published on the SP metadata so Identity Providers can
+         * read them and get ready for rollover.
+         */
+        // 'x509certNew' => '',
     ),
 
     // Identity Provider Data that we want connected with our SP.
@@ -1250,6 +1260,7 @@ Configuration of the OneLogin PHP Toolkit
  * `checkSPCerts` - Checks if the x509 certs of the SP exists and are valid.
  * `getSPkey` - Returns the x509 private key of the SP.
  * `getSPcert` - Returns the x509 public cert of the SP.
+ * `getSPcertNew` - Returns the future x509 public cert of the SP.
  * `getIdPData` - Gets the IdP data.
  * `getSPData`Gets the SP data.
  * `getSecurityData` - Gets security data.

certs/README

@@ -4,6 +4,7 @@ Onelogin PHP Toolkit expects certs for the SP stored at:
 
  * sp.key   Private Key
  * sp.crt  Public cert
+ * sp_new.crt Future Public cert
 
 Also you can use other cert to sign the metadata of the SP using the:
 

lib/Saml2/Settings.php

@@ -699,6 +699,28 @@ public function getSPcert()
         return $cert;
     }
 
+    /**
+     * Returns the x509 public of the SP that is
+     * planed to be used soon instead the other
+     * public cert
+     * @return string SP public cert New
+     */
+    public function getSPcertNew()
+    {
+        $cert = null;
+
+        if (isset($this->_sp['x509certNew']) && !empty($this->_sp['x509certNew'])) {
+            $cert = $this->_sp['x509certNew'];
+        } else {
+            $certFile = $this->_paths['cert'].'sp_new.crt';
+
+            if (file_exists($certFile)) {
+                $cert = file_get_contents($certFile);
+            }
+        }
+        return $cert;
+    }
+
     /**
      * Gets the IdP data.
      *
@@ -780,8 +802,16 @@ public function getSPMetadata()
     {
         $metadata = OneLogin_Saml2_Metadata::builder($this->_sp, $this->_security['authnRequestsSigned'], $this->_security['wantAssertionsSigned'], null, null, $this->getContacts(), $this->getOrganization());
 
-        $cert = $this->getSPcert();
+        $certNew = $this->getSPcertNew();
+        if (!empty($certNew)) {
+            $metadata = OneLogin_Saml2_Metadata::addX509KeyDescriptors(
+                $metadata,
+                $certNew,
+                $this->_security['wantNameIdEncrypted'] || $this->_security['wantAssertionsEncrypted']
+            );
+        }
 
+        $cert = $this->getSPcert();
         if (!empty($cert)) {
             $metadata = OneLogin_Saml2_Metadata::addX509KeyDescriptors(
                 $metadata,
@@ -848,6 +878,7 @@ public function getSPMetadata()
             $digestAlgorithm = $this->_security['digestAlgorithm'];
             $metadata = OneLogin_Saml2_Metadata::signMetadata($metadata, $keyMetadata, $certMetadata, $signatureAlgorithm, $digestAlgorithm);
         }
+//        print_r($metadata);
         return $metadata;
     }
 

settings_example.php

@@ -10,10 +10,10 @@
     // Enable debug mode (to print errors)
     'debug' => false,
 
-    // Set a BaseURL to be used instead of try to guess 
+    // Set a BaseURL to be used instead of try to guess
     // the BaseURL of the view that process the SAML Message.
     // Ex. http://sp.example.com/
-    //     http://example.com/sp/ 
+    //     http://example.com/sp/
     'baseurl' => null,
 
     // Service Provider Data that we are deploying
@@ -32,7 +32,7 @@
         ),
         // If you need to specify requested attributes, set a
         // attributeConsumingService. nameFormat, attributeValue and
-        // friendlyName can be omitted. Otherwise remove this section. 
+        // friendlyName can be omitted. Otherwise remove this section.
         "attributeConsumingService"=> array(
                 "ServiceName" => "SP test",
                 "serviceDescription" => "Test Service",
@@ -65,6 +65,15 @@
         // the certs folder. But we can also provide them with the following parameters
         'x509cert' => '',
         'privateKey' => '',
+
+        /*
+         * Key rollover
+         * If you plan to update the SP x509cert and privateKey
+         * you can define here the new x509cert and it will be 
+         * published on the SP metadata so Identity Providers can
+         * read them and get ready for rollover.
+         */
+        // 'x509certNew' => '',
     ),
 
     // Identity Provider Data that we want connect with our SP

tests/settings/settings5.php

@@ -0,0 +1,55 @@
+<?php
+    $settingsInfo = array (
+        'strict' => false,
+        'debug' => false,
+        'sp' => array (
+            'entityId' => 'http://stuff.com/endpoints/metadata.php',
+            'assertionConsumerService' => array (
+                'url' => 'http://stuff.com/endpoints/endpoints/acs.php',
+            ),
+            'singleLogoutService' => array (
+                'url' => 'http://stuff.com/endpoints/endpoints/sls.php',
+            ),
+            'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
+            'privateKey' => 'MIICXgIBAAKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABAoGAD4/Z4LWVWV6D1qMIp1Gzr0ZmdWTE1SPdZ7Ej8glGnCzPdguCPuzbhGXmIg0VJ5D+02wsqws1zd48JSMXXM8zkYZVwQYIPUsNn5FetQpwxDIMPmhHg+QNBgwOnk8JK2sIjjLPL7qY7Itv7LT7Gvm5qSOkZ33RCgXcgz+okEIQMYkCQQDzbTOyDL0c5WQV6A2k06T/azdhUdGXF9C0+WkWSfNaovmTgRXh1G+jMlr82Snz4p4/STt7P/XtyWzF3pkVgZr3AkEA7nPjXwHlttNEMo6AtxHd47nizK2NUN803ElIUT8P9KSCoERmSXq66PDekGNic4ldpsSvOeYCk8MAYoDBy9kvVwJBAMLgX4xg6lzhv7hR5+pWjTb1rIY6rCHbrPfU264+UZXz9v2BT/VUznLF81WMvStD9xAPHpFS6R0OLghSZhdzhI0CQQDL8Duvfxzrn4b9QlmduV8wLERoT6rEVxKLsPVz316TGrxJvBZLk/cV0SRZE1cZf4ukXSWMfEcJ/0Zt+LdG1CqjAkEAqwLSglJ9Dy3HpgMz4vAAyZWzAxvyA1zW0no9GOLcPQnYaNUN/Fy2SYtETXTb0CQ9X1rt8ffkFP7ya+5TC83aMg==',
+            'x509cert' => 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo',
+            'x509certNew' => 'MIICVDCCAb2gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBHMQswCQYDVQQGEwJ1czEQMA4GA1UECAwHZXhhbXBsZTEQMA4GA1UECgwHZXhhbXBsZTEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMTcwNDA3MDgzMDAzWhcNMjcwNDA1MDgzMDAzWjBHMQswCQYDVQQGEwJ1czEQMA4GA1UECAwHZXhhbXBsZTEQMA4GA1UECgwHZXhhbXBsZTEUMBIGA1UEAwwLZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKhPS4/0azxbQekHHewQGKD7Pivr3CDpsrKxY3xlVanxj427OwzOb5KUVzsDEazumt6sZFY8HfidsjXY4EYA4ZzyL7ciIAR5vlAsIYN9nJ4AwVDnN/RjVwj+TN6BqWPLpVIpHc6Dl005HyE0zJnk1DZDn2tQVrIzbD3FhCp7YeotAgMBAAGjUDBOMB0GA1UdDgQWBBRYZx4thASfNvR/E7NsCF2IaZ7wIDAfBgNVHSMEGDAWgBRYZx4thASfNvR/E7NsCF2IaZ7wIDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBACz4aobx9aG3kh+rNyrlgM3K6dYfnKG1/YH5sJCAOvg8kDr0fQAQifH8lFVWumKUMoAe0bFTfwWtp/VJ8MprrEJth6PFeZdczpuv+fpLcNj2VmNVJqvQYvS4m36OnBFh1QFZW8UrbFIfdtm2nuZ+twSKqfKwjLdqcoX0p39h7Uw/'
+        ),
+        'idp' => array (
+            'entityId' => 'http://idp.example.com/',
+            'singleSignOnService' => array (
+                'url' => 'http://idp.example.com/SSOService.php',
+            ),
+            'singleLogoutService' => array (
+                'url' => 'http://idp.example.com/SingleLogoutService.php',
+            ),
+            'x509cert' => 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo'
+        ),
+        'compress' => array(
+            'requests' => true,
+            'responses' => true
+        ),
+        'security' => array (
+            'authnRequestsSigned' => false,
+            'wantAssertionsSigned' => false,
+            'signMetadata' => false,
+        ),
+        'contactPerson' => array (
+            'technical' => array (
+                'givenName' => 'technical_name',
+                'emailAddress' => '[email protected]',
+            ),
+            'support' => array (
+                'givenName' => 'support_name',
+                'emailAddress' => '[email protected]',
+            ),
+        ),
+
+        'organization' => array (
+            'en-US' => array(
+                'name' => 'sp_test',
+                'displayname' => 'SP test',
+                'url' => 'http://sp.example.com',
+            ),
+        ),
+    );

tests/src/OneLogin/Saml2/MetadataTest.php

@@ -263,4 +263,54 @@ public function testAddX509KeyDescriptors()
             $this->assertContains('Error parsing metadata', $e->getMessage());
         }
     }
+
+    /**
+    * Tests the addX509KeyDescriptors method of the OneLogin_Saml2_Metadata
+    * Case: Execute 2 addX509KeyDescriptors calls
+    *
+    * @covers OneLogin_Saml2_Metadata::addX509KeyDescriptors
+    */
+    public function testAddX509KeyDescriptors2Times()
+    {
+        $settingsDir = TEST_ROOT .'/settings/';
+        include $settingsDir.'settings1.php';
+
+        $settings = new OneLogin_Saml2_Settings($settingsInfo);
+        $spData = $settings->getSPData();
+
+        $metadata = OneLogin_Saml2_Metadata::builder($spData);
+
+        $this->assertNotContains('<md:KeyDescriptor use="signing"', $metadata);
+        $this->assertNotContains('<md:KeyDescriptor use="encryption"', $metadata);
+
+        $certPath = $settings->getCertPath();
+        $cert = file_get_contents($certPath.'sp.crt');
+
+        $metadata = OneLogin_Saml2_Metadata::addX509KeyDescriptors($metadata, $cert, false);
+
+        $this->assertEquals(1, substr_count($metadata, "<md:KeyDescriptor"));
+
+        $metadata = OneLogin_Saml2_Metadata::addX509KeyDescriptors($metadata, $cert, false);
+
+        $this->assertEquals(2, substr_count($metadata, "<md:KeyDescriptor"));
+
+
+        $metadata2 = OneLogin_Saml2_Metadata::builder($spData);
+
+        $metadata2 = OneLogin_Saml2_Metadata::addX509KeyDescriptors($metadata2, $cert);
+
+        $this->assertEquals(2, substr_count($metadata2, "<md:KeyDescriptor"));
+
+        $this->assertEquals(1, substr_count($metadata2, '<md:KeyDescriptor use="signing"'));
+
+        $this->assertEquals(1, substr_count($metadata2, '<md:KeyDescriptor use="encryption"'));
+
+        $metadata2 = OneLogin_Saml2_Metadata::addX509KeyDescriptors($metadata2, $cert);
+
+        $this->assertEquals(4, substr_count($metadata2, "<md:KeyDescriptor"));
+
+        $this->assertEquals(2, substr_count($metadata2, '<md:KeyDescriptor use="signing"'));
+
+        $this->assertEquals(2, substr_count($metadata2, '<md:KeyDescriptor use="encryption"'));
+    }
 }