authorJaime Pérez Crespo <jaime.perez@uninett.no>2012-09-20 09:12:13 +0000
committerJaime Pérez Crespo <jaime.perez@uninett.no>2012-09-20 09:12:13 +0000
commiteb2f40649d8d1eda26e03716487b5f62a370620f (patch)
tree24f6bb76f54c9d836126f048e68504ca026f6241 /lib/SAML2
parent509d45ba750cd2f344aef9a47c9aba03370c8aa6 (diff)
Added support for RSA-SHA256, RSA-SHA384 and RSA-SHA512 signature algorithms. New hosted IdP metadata option 'signature.algorithm' to configure this, defaults to SHA1 for backwards compatibility.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3164 44740490-163a-0410-bde0-09ae8108e29a
Diffstat (limited to 'lib/SAML2')
-rw-r--r--lib/SAML2/Utils.php30
1 files changed, 27 insertions, 3 deletions
diff --git a/lib/SAML2/Utils.php b/lib/SAML2/Utils.php
index 00e5a33..79576a2 100644
--- a/lib/SAML2/Utils.php
+++ b/lib/SAML2/Utils.php
@@ -133,8 +133,18 @@ class SAML2_Utils {
}
$algo = $sigMethod->getAttribute('Algorithm');
- if ($key->type === XMLSecurityKey::RSA_SHA1 && $algo === XMLSecurityKey::RSA_SHA256) {
- $key = self::castKey($key, XMLSecurityKey::RSA_SHA256);
+ if ($key->type === XMLSecurityKey::RSA_SHA1) {
+ switch ($algo) {
+ case XMLSecurityKey::RSA_SHA256:
+ $key = self::castKey($key, XMLSecurityKey::RSA_SHA256);
+ break;
+ case XMLSecurityKey::RSA_SHA384:
+ $key = self::castKey($key, XMLSecurityKey::RSA_SHA384);
+ break;
+ case XMLSecurityKey::RSA_SHA512:
+ $key = self::castKey($key, XMLSecurityKey::RSA_SHA512);
+ break;
+ }
}
/* Check the signature. */
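Review bot: The switch added at L30–40 has no `default`, so a SignatureMethod Algorithm that is none of the three listed URIs leaves the configured RSA-SHA1 key untouched and verification goes ahead as if the document were SHA1-signed; the `$algo` string comes from the not-yet-verified document, so the accept/reject policy should be explicit rather than left to the later verify call failing on the mismatch. Add `case XMLSecurityKey::RSA_SHA1: break;` and `default: throw new Exception('Unsupported signature algorithm: ' . var_export($algo, TRUE));` to the switch, unless a check outside this hunk already rejects unknown algorithms. Note also that the cast is one-directional — a key already typed as something other than RSA_SHA1 skips the whole `if`, so it is never compared against the declared algorithm at all; a comment stating that metadata keys are always loaded as RSA_SHA1 (if that is the assumption) would make this safe to rely on. The enclosing function starts before this hunk.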
@@ -314,9 +324,23 @@ class SAML2_Utils {
$objXMLSecDSig = new XMLSecurityDSig();
$objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
+ switch ($key->type) {
+ case XMLSecurityKey::RSA_SHA256:
+ $type = XMLSecurityDSig::SHA256;
+ break;
+ case XMLSecurityKey::RSA_SHA384:
+ $type = XMLSecurityDSig::SHA384;
+ break;
+ case XMLSecurityKey::RSA_SHA512:
+ $type = XMLSecurityDSig::SHA512;
+ break;
+ default:
+ $type = XMLSecurityDSig::SHA1;
+ }
+
$objXMLSecDSig->addReferenceList(
array($root),
- XMLSecurityDSig::SHA1,
+ $type,
array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N),
array('id_name' => 'ID', 'overwrite' => FALSE)
);
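Review bot: The `default:` arm at L56–57 silently maps any key type other than the three listed to a SHA1 DigestMethod, so a mistyped or unsupported 'signature.algorithm' value (the new metadata option named in the commit message) would still produce a signature at sign time instead of failing, presumably defeating the operator's intent of moving off SHA1. Make RSA-SHA1 explicit and fail closed on anything else: `case XMLSecurityKey::RSA_SHA1: $type = XMLSecurityDSig::SHA1; break;` followed by `default: throw new Exception('Unsupported signature algorithm: ' . var_export($key->type, TRUE));`. The same list of three algorithm URIs now appears here and in the verification change above; a small private static helper mapping algorithm to digest would keep the two from drifting when another algorithm is added. The enclosing function starts before this hunk and continues after it.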