authorJaime Pérez Crespo <jaime.perez@uninett.no>2012-09-20 09:12:13 +0000
committerJaime Pérez Crespo <jaime.perez@uninett.no>2012-09-20 09:12:13 +0000
commiteb2f40649d8d1eda26e03716487b5f62a370620f (patch)
tree24f6bb76f54c9d836126f048e68504ca026f6241 /lib
parent509d45ba750cd2f344aef9a47c9aba03370c8aa6 (diff)
Added support for RSA-SHA256, RSA-SHA384 and RSA-SHA512 signature algorithms. New hosted IdP metadata option 'signature.algorithm' to configure this, defaults to SHA1 for backwards compatibility.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3164 44740490-163a-0410-bde0-09ae8108e29a
Diffstat (limited to 'lib')
-rw-r--r--lib/SAML2/Utils.php30
-rw-r--r--lib/xmlseclibs.php28
2 files changed, 55 insertions, 3 deletions
diff --git a/lib/SAML2/Utils.php b/lib/SAML2/Utils.php
index 00e5a33..79576a2 100644
--- a/lib/SAML2/Utils.php
+++ b/lib/SAML2/Utils.php
@@ -133,8 +133,18 @@ class SAML2_Utils {
}
$algo = $sigMethod->getAttribute('Algorithm');
- if ($key->type === XMLSecurityKey::RSA_SHA1 && $algo === XMLSecurityKey::RSA_SHA256) {
- $key = self::castKey($key, XMLSecurityKey::RSA_SHA256);
+ if ($key->type === XMLSecurityKey::RSA_SHA1) {
+ switch ($algo) {
+ case XMLSecurityKey::RSA_SHA256:
+ $key = self::castKey($key, XMLSecurityKey::RSA_SHA256);
+ break;
+ case XMLSecurityKey::RSA_SHA384:
+ $key = self::castKey($key, XMLSecurityKey::RSA_SHA384);
+ break;
+ case XMLSecurityKey::RSA_SHA512:
+ $key = self::castKey($key, XMLSecurityKey::RSA_SHA512);
+ break;
+ }
}
/* Check the signature. */
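Review bot: The new `switch ($algo)` has no `default`, so a SignatureMethod naming anything other than the three new RSA variants — `rsa-sha1`, but equally an unknown or deliberately weak URI — leaves `$key` untouched and, as far as the hunk shows, verification then presumably runs with the key's own RSA-SHA1 parameters rather than with the algorithm the message declares; the declared algorithm and the algorithm actually checked can silently disagree. I would make the accepted set explicit: add `case XMLSecurityKey::RSA_SHA1: break;` and `default: throw new Exception('Unsupported signature algorithm: ' . var_export($algo, TRUE));`. Separately, nothing here enforces a minimum algorithm on the verifying side, so the new `signature.algorithm` option hardens signing only and a peer can still present a SHA1-signed message; if that is the intended compatibility trade-off a one-line comment saying so would save the next reader from assuming the option is a verification policy. The enclosing function starts before the hunk.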
@@ -314,9 +324,23 @@ class SAML2_Utils {
$objXMLSecDSig = new XMLSecurityDSig();
$objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
+ switch ($key->type) {
+ case XMLSecurityKey::RSA_SHA256:
+ $type = XMLSecurityDSig::SHA256;
+ break;
+ case XMLSecurityKey::RSA_SHA384:
+ $type = XMLSecurityDSig::SHA384;
+ break;
+ case XMLSecurityKey::RSA_SHA512:
+ $type = XMLSecurityDSig::SHA512;
+ break;
+ default:
+ $type = XMLSecurityDSig::SHA1;
+ }
+
$objXMLSecDSig->addReferenceList(
array($root),
- XMLSecurityDSig::SHA1,
+ $type,
array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N),
array('id_name' => 'ID', 'overwrite' => FALSE)
);
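Review bot: The `default` arm of the new `switch ($key->type)` silently selects SHA1 as the reference DigestMethod for every key type other than the three new ones, so a key type added later (or a mis-set `$key->type`) would produce a SHA1 digest underneath a stronger SignatureMethod without any error. I would list the two SHA1 key types that actually exist today (`RSA_SHA1`, `DSA_SHA1` from the xmlseclibs hunk below) explicitly and throw in `default`, as sketched below. As a style point, this list duplicates the algorithm list in the verification hunk above; a single shared table mapping key type to digest would keep the two from drifting apart. The enclosing function starts before the hunk and continues past it.
```php
switch ($key->type) {
    // … unchanged: RSA_SHA256 / RSA_SHA384 / RSA_SHA512 cases …
    case XMLSecurityKey::RSA_SHA1:
    case XMLSecurityKey::DSA_SHA1:
        $type = XMLSecurityDSig::SHA1;
        break;
    default:
        throw new Exception('Unsupported key type for signing: ' . var_export($key->type, TRUE));
}
```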
diff --git a/lib/xmlseclibs.php b/lib/xmlseclibs.php
index fc328d4..75de0b6 100644
--- a/lib/xmlseclibs.php
+++ b/lib/xmlseclibs.php
@@ -180,6 +180,8 @@ class XMLSecurityKey {
const DSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1';
const RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1';
const RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
+ const RSA_SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384';
+ const RSA_SHA512 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512';
private $cryptParams = array();
public $type = 0;
@@ -282,6 +284,28 @@ class XMLSecurityKey {
}
throw new Exception('Certificate "type" (private/public) must be passed via parameters');
break;
+ case (XMLSecurityKey::RSA_SHA384):
+ $this->cryptParams['library'] = 'openssl';
+ $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384';
+ $this->cryptParams['padding'] = OPENSSL_PKCS1_PADDING;
+ $this->cryptParams['digest'] = 'SHA384';
+ if (is_array($params) && ! empty($params['type'])) {
+ if ($params['type'] == 'public' || $params['type'] == 'private') {
+ $this->cryptParams['type'] = $params['type'];
+ break;
+ }
+ }
+ case (XMLSecurityKey::RSA_SHA512):
+ $this->cryptParams['library'] = 'openssl';
+ $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512';
+ $this->cryptParams['padding'] = OPENSSL_PKCS1_PADDING;
+ $this->cryptParams['digest'] = 'SHA512';
+ if (is_array($params) && ! empty($params['type'])) {
+ if ($params['type'] == 'public' || $params['type'] == 'private') {
+ $this->cryptParams['type'] = $params['type'];
+ break;
+ }
+ }
default:
throw new Exception('Invalid Key Type');
return;
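Review bot: Both new `case` arms are missing the trailing throw and `break;` that the existing RSA_SHA256 arm has (visible at the top of the hunk), so a key constructed as RSA_SHA384 without a `type` parameter falls through into the RSA_SHA512 arm, has its `cryptParams` overwritten with SHA512 settings, and then falls through again into `default` and fails with the misleading message `Invalid Key Type` instead of the intended one; RSA_SHA512 without a `type` hits the same wrong message. Close each new arm the same way as its neighbour: `throw new Exception('Certificate "type" (private/public) must be passed via parameters');` followed by `break;`, placed after the inner `if` block. The constructor this switch lives in starts before the hunk and continues past it.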
@@ -632,6 +656,7 @@ class XMLSecurityDSig {
const XMLDSIGNS = 'http://www.w3.org/2000/09/xmldsig#';
const SHA1 = 'http://www.w3.org/2000/09/xmldsig#sha1';
const SHA256 = 'http://www.w3.org/2001/04/xmlenc#sha256';
+ const SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#sha384';
const SHA512 = 'http://www.w3.org/2001/04/xmlenc#sha512';
const RIPEMD160 = 'http://www.w3.org/2001/04/xmlenc#ripemd160';
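Review bot: The new `SHA384` constant sits between `SHA256` and `SHA512`, which both use the `xmlenc` namespace, so its `xmldsig-more` namespace reads like a typo and invites a "fix" that would break interoperability. To my knowledge it is correct — XML Encryption defines only sha256 and sha512, and SHA-384 is assigned under xmldsig-more by RFC 4051 — so I would guard it with a comment: `// SHA-384 has no xmlenc identifier; RFC 4051 defines it under xmldsig-more.`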
@@ -799,6 +824,9 @@ class XMLSecurityDSig {
case XMLSecurityDSig::SHA256:
$alg = 'sha256';
break;
+ case XMLSecurityDSig::SHA384:
+ $alg = 'sha384';
+ break;
case XMLSecurityDSig::SHA512:
$alg = 'sha512';
break;