Fix SAML-Toolkits#76. Now the SP is able to add signatures using DSA_SHA1, RSA_SHA1,RSA_SHA256, RSA_SHA384 or RSA_SHA512

Author: pitbulk

README.md

@@ -411,6 +411,14 @@ $advancedSettings = array (
         // Indicates if the SP will validate all received xmls.
         // (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).
         'wantXMLValidation' => true,
+
+        // Algorithm that the toolkit will use on signing process. Options:
+        //    'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
+        //    'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
+        //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
+        //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
+        //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
+        'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
     ),
 
     // Contact information template, it is recommended to suply a
@@ -778,8 +786,8 @@ if (!OneLogin_Saml2_LogoutRequest::isValid($this->_settings, $request)) {
 
     $security = $this->_settings->getSecurityData();
     if (isset($security['logoutResponseSigned']) && $security['logoutResponseSigned']) {
-        $signature = $this->buildResponseSignature($logoutResponse, $parameters['RelayState']);
-        $parameters['SigAlg'] = XMLSecurityKey::RSA_SHA1;
+        $signature = $this->buildResponseSignature($logoutResponse, $parameters['RelayState'], $security['signatureAlgorithm']);
+        $parameters['SigAlg'] = $security['signatureAlgorithm'];
         $parameters['Signature'] = $signature;
     }
 

advanced_settings_example.php

@@ -55,6 +55,14 @@
         // Indicates if the SP will validate all received xmls.
         // (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).
         'wantXMLValidation' => true,
+
+        // Algorithm that the toolkit will use on signing process. Options:
+        //    'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
+        //    'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
+        //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
+        //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
+        //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
+        'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
     ),
 
     // Contact information template, it is recommended to suply a technical and support contacts

lib/Saml2/Auth.php

@@ -161,8 +161,8 @@ public function processSLO($keepLocalSession = false, $requestId = null, $retrie
 
                 $security = $this->_settings->getSecurityData();
                 if (isset($security['logoutResponseSigned']) && $security['logoutResponseSigned']) {
-                    $signature = $this->buildResponseSignature($logoutResponse, $parameters['RelayState']);
-                    $parameters['SigAlg'] = XMLSecurityKey::RSA_SHA1;
+                    $signature = $this->buildResponseSignature($logoutResponse, $parameters['RelayState'], $security['signatureAlgorithm']);
+                    $parameters['SigAlg'] = $security['signatureAlgorithm'];
                     $parameters['Signature'] = $signature;
                 }
 
@@ -300,8 +300,8 @@ public function login($returnTo = null, $parameters = array(), $forceAuthn = fal
 
         $security = $this->_settings->getSecurityData();
         if (isset($security['authnRequestsSigned']) && $security['authnRequestsSigned']) {
-            $signature = $this->buildRequestSignature($samlRequest, $parameters['RelayState']);
-            $parameters['SigAlg'] = XMLSecurityKey::RSA_SHA1;
+            $signature = $this->buildRequestSignature($samlRequest, $parameters['RelayState'], $security['signatureAlgorithm']);
+            $parameters['SigAlg'] = $security['signatureAlgorithm'];
             $parameters['Signature'] = $signature;
         }
         $this->redirectTo($this->getSSOurl(), $parameters);
@@ -344,8 +344,8 @@ public function logout($returnTo = null, $parameters = array(), $nameId = null,
 
         $security = $this->_settings->getSecurityData();
         if (isset($security['logoutRequestSigned']) && $security['logoutRequestSigned']) {
-            $signature = $this->buildRequestSignature($samlRequest, $parameters['RelayState']);
-            $parameters['SigAlg'] = XMLSecurityKey::RSA_SHA1;
+            $signature = $this->buildRequestSignature($samlRequest, $parameters['RelayState'], $security['signatureAlgorithm']);
+            $parameters['SigAlg'] = $security['signatureAlgorithm'];
             $parameters['Signature'] = $signature;
         }
 
@@ -381,12 +381,13 @@ public function getSLOurl()
     /**
      * Generates the Signature for a SAML Request
      *
-     * @param string $samlRequest The SAML Request
-     * @param string $relayState  The RelayState
+     * @param string $samlRequest    The SAML Request
+     * @param string $relayState     The RelayState
+     * @param string $sign_algorithm Signature algorithm method
      *
      * @return string A base64 encoded signature
      */
-    public function buildRequestSignature($samlRequest, $relayState)
+    public function buildRequestSignature($samlRequest, $relayState, $sign_algorithm = XMLSecurityKey::RSA_SHA1)
     {
         if (!$this->_settings->checkSPCerts()) {
             throw new OneLogin_Saml2_Error(
@@ -397,25 +398,26 @@ public function buildRequestSignature($samlRequest, $relayState)
 
         $key = $this->_settings->getSPkey();
 
-        $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
+        $objKey = new XMLSecurityKey($sign_algorithm, array('type' => 'private'));
         $objKey->loadKey($key, false);
 
         $msg = 'SAMLRequest='.urlencode($samlRequest);
         $msg .= '&RelayState='.urlencode($relayState);
-        $msg .= '&SigAlg=' . urlencode(XMLSecurityKey::RSA_SHA1);
+        $msg .= '&SigAlg=' . urlencode($sign_algorithm);
         $signature = $objKey->signData($msg);
         return base64_encode($signature);
     }
 
     /**
      * Generates the Signature for a SAML Response
      *
-     * @param string $samlResponse The SAML Response
-     * @param string $relayState   The RelayState     
+     * @param string $samlResponse   The SAML Response
+     * @param string $relayState     The RelayState
+     * @param string $sign_algorithm Signature algorithm method
      *
      * @return string A base64 encoded signature 
      */
-    public function buildResponseSignature($samlResponse, $relayState)
+    public function buildResponseSignature($samlResponse, $relayState, $sign_algorithm = XMLSecurityKey::RSA_SHA1)
     {
         if (!$this->_settings->checkSPCerts()) {
             throw new OneLogin_Saml2_Error(
@@ -426,12 +428,12 @@ public function buildResponseSignature($samlResponse, $relayState)
 
         $key = $this->_settings->getSPkey();
 
-        $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
+        $objKey = new XMLSecurityKey($sign_algorithm, array('type' => 'private'));
         $objKey->loadKey($key, false);
 
         $msg = 'SAMLResponse='.urlencode($samlResponse);
         $msg .= '&RelayState='.urlencode($relayState);
-        $msg .= '&SigAlg=' . urlencode(XMLSecurityKey::RSA_SHA1);
+        $msg .= '&SigAlg=' . urlencode($sign_algorithm);
         $signature = $objKey->signData($msg);
         return base64_encode($signature);
     }

lib/Saml2/LogoutRequest.php

@@ -23,7 +23,7 @@ class OneLogin_Saml2_LogoutRequest
      * SAML Logout Request
      * @var string
      */
-    private $_logoutRequest;
+    protected $_logoutRequest;
 
     /**
     * After execute a validation process, this var contains the cause

lib/Saml2/LogoutResponse.php

@@ -17,7 +17,7 @@ class OneLogin_Saml2_LogoutResponse
      * The decoded, unprocessed XML response provided to the constructor.
      * @var string
      */
-    private $_logoutResponse;
+    protected $_logoutResponse;
 
     /**
      * A DOMDocument class loaded from the SAML LogoutResponse.

lib/Saml2/Metadata.php

@@ -113,9 +113,9 @@ public static function builder($sp, $authnsign = false, $wsign = false, $validUn
      *
      * @return string Signed Metadata
      */
-    public static function signMetadata($metadata, $key, $cert)
+    public static function signMetadata($metadata, $key, $cert, $sign_algorithm = XMLSecurityKey::RSA_SHA1)
     {
-        return OneLogin_Saml2_Utils::addSign($metadata, $key, $cert);
+        return OneLogin_Saml2_Utils::addSign($metadata, $key, $cert, $sign_algorithm);
     }
 
     /**

lib/Saml2/Response.php

@@ -548,7 +548,7 @@ public function validateSignedElements($signedElements)
      * @throws Exception
      * @return DOMNodeList The queried node
      */
-    private function _queryAssertion($assertionXpath)
+    protected function _queryAssertion($assertionXpath)
     {
         if ($this->encrypted) {
             $xpath = new DOMXPath($this->decryptedDocument);

lib/Saml2/Settings.php

@@ -334,6 +334,11 @@ private function _addDefaultValues()
             $this->_security['wantXMLValidation'] = true;
         }
 
+        // Algorithm
+        if (!isset($this->_security['signatureAlgorithm'])) {
+            $this->_security['signatureAlgorithm'] = XMLSecurityKey::RSA_SHA1;
+        }
+
         // Certificates / Private key /Fingerprint
         if (!isset($this->_idp['x509cert'])) {
             $this->_idp['x509cert'] = '';

lib/Saml2/Utils.php

@@ -908,11 +908,12 @@ public static function castKey(XMLSecurityKey $key, $algorithm, $type = 'public'
     /**
      * Adds signature key and senders certificate to an element (Message or Assertion).
      *
-     * @param string|DomDocument $xml  The element we should sign
-     * @param string             $key  The private key
-     * @param string             $cert The public
+     * @param string|DomDocument $xml            The element we should sign
+     * @param string             $key            The private key
+     * @param string             $cert           The public
+     * @param string             $sign_algorithm Signature algorithm method
      */
-    public static function addSign($xml, $key, $cert)
+    public static function addSign($xml, $key, $cert, $sign_algorithm = XMLSecurityKey::RSA_SHA1)
     {
         if ($xml instanceof DOMDocument) {
             $dom = $xml;
@@ -925,7 +926,7 @@ public static function addSign($xml, $key, $cert)
         }
 
         /* Load the private key. */
-        $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
+        $objKey = new XMLSecurityKey($sign_algorithm, array('type' => 'private'));
         $objKey->loadKey($key, false);
 
         /* Get the EntityDescriptor node we should sign. */

settings_example.php

@@ -37,7 +37,7 @@
         // Specifies constraints on the name identifier to be used to
         // represent the requested subject.
         // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
-        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified',
 
         // Usually x509cert and privateKey of the SP are provided by files placed at
         // the certs folder. But we can also provide them with the following parameters