Hello,

I'd like to sign the XML of the SAML response with pure PHP 5 (no
command-line calls to xmlsec1). I've seen that the simpleSAMLphp
project http://rnd.feide.no/simplesamlphp does exactly this with the
xmlseclibs.php library. I tried to port the XML signature part to my
app, but the signed response is not accepted as valid by Google. Here is
what I did:

    /* Assumes xmlseclibs.php (XMLSecurityKey, XMLSecurityDSig) has been
     * included before this class is loaded. $privKey and $pubKey are file
     * paths: the PEM private key and the PEM certificate respectively. */
    public static function signResponse($responseXmlString, $pubKey, $privKey) {
        $xml = new DOMDocument();
        if (!$xml->loadXML($responseXmlString)) {
            throw new Exception('Could not parse the SAML response XML');
        }
        /* Load the private key (second argument true = $privKey is a file path). */
        $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
        $objKey->loadKey($privKey, true);

        /* Get the root element (samlp:Response) we should sign. documentElement
         * is safer than firstChild, which may be a comment or processing
         * instruction that precedes the root element. */
        $rootNode = $xml->documentElement;

        /* Sign the response with our private key: exclusive C14N, SHA-1 digest
         * over the root element, with the enveloped-signature transform so the
         * Signature element itself is excluded from the digest. The Reference
         * URI is built from the root's ID attribute ('id_name' => 'ID'). */
        $objXMLSecDSig = new XMLSecurityDSig();
        $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);

        $objXMLSecDSig->addReferenceList(array($rootNode), XMLSecurityDSig::SHA1,
            array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N),
            array('id_name' => 'ID'));

        $objXMLSecDSig->sign($objKey);

        /* Add the certificate to the signature. The file holds PEM text, so the
         * second argument ($isPEMFormat) must be true: xmlseclibs then strips the
         * BEGIN/END lines and puts only the base64 body into X509Certificate. */
        $publicCert = file_get_contents($pubKey);
        if ($publicCert === false || $publicCert === '') {
            throw new Exception('Could not read the certificate file ' . $pubKey);
        }
        $objXMLSecDSig->add509Cert($publicCert, true, false);

        /* Insert the signature as the first child of the root element. */
        $objXMLSecDSig->insertSignature($rootNode, $rootNode->firstChild);

        /* Return the DOM tree as a string. */
        return $xml->saveXML();
    }

The signed XML looks like:

<samlp:Response xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="pfx091359c1-a7ef-e501-0455-1323df8d6502" IssueInstant="2009-01-30T17:34:01Z" Version="2.0" Destination="https://www.google.com/a/unbosque.edu.co/acs" InResponseTo="aalpmhflehehnnbngdfaddelckndjiihfflakfhc"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfx091359c1-a7ef-e501-0455-1323df8d6502"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>VVXUdt2Ob/kFv4mupa07P/ViEU4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>FBzpPMcX5yms0exp8e4uga7hrYOqr+UprkYhp0RbCePPWt/JUt2Nu5F5kkWK+Cj2QRsEUejsHO6s+zLMgb0MP7LrtJiEKRk59MY7xtQPrF1ieKEj7Zjvu2ap0juFLCkchJ9/xORUSsrEVTc6AhM2iZjr2YKqioY8fDhtXk7kQF0=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate></ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <Reference URI="">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue/>
            </Reference>
        </SignedInfo>
        <SignatureValue/>
        <KeyInfo>
            <KeyValue/>
        </KeyInfo>
    </Signature>
        <samlp:Status>
                <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        </samlp:Status>
        <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="jlmaghekccjbghadceopcgoefkepgphaleaclemn" IssueInstant="2009-01-30T17:34:01Z" Version="2.0">
                <Issuer>unbosque.edu.co</Issuer>
                <Subject>
                        <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">
                                cifuentesandres
                        </NameID>
                        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                                <SubjectConfirmationData Recipient="https://www.google.com/a/unbosque.edu.co/acs" NotOnOrAfter="2009-01-30T17:44:01Z" InResponseTo="aalpmhflehehnnbngdfaddelckndjiihfflakfhc"/>
                        </SubjectConfirmation>
                </Subject>
                <Conditions NotBefore="2009-01-30T17:29:01Z" NotOnOrAfter="2009-01-30T17:44:01Z">
                        <AudienceRestriction>
                                <Audience>https://www.google.com/a/unbosque.edu.co/acs</Audience>
                        </AudienceRestriction>
                </Conditions>
                <AuthnStatement AuthnInstant="2009-01-30T17:34:01Z">
                        <AuthnContext>
                                <AuthnContextClassRef>
                                        urn:oasis:names:tc:SAML:2.0:ac:classes:Password
                                </AuthnContextClassRef>
                        </AuthnContext>
                </AuthnStatement>
        </Assertion>
</samlp:Response>

If anyone has used this library or can tell me what's wrong, I would
appreciate it.

Thanks,

David Cifuentes
Eforcers.com
Bogotá, Colombia
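For the receiving side, the following is an added example (not from the original post, and not simpleSAMLphp's or xmlseclibs' own code) showing how a service provider would verify an enveloped signature on a response like the one above with the same xmlseclibs library, together with the structural checks a verifier applies before any cryptography: exactly one ds:Signature directly under the root (the output above carries two, one of them an unsigned template), and a Reference URI that points at the root Response's ID. It assumes the PHP 5 era global class names (XMLSecurityDSig, XMLSecurityKey); the function name verifySamlResponse, the constants DSIG_NS and SAMLP_NS, and the parameter $trustedCertPath (a PEM file holding the IdP certificate the SP already trusts) are names chosen for this example.

```php
<?php
// Added example (not from the original post): verify an enveloped XML
// signature on a SAML response with xmlseclibs, the way a service provider
// would before trusting any assertion inside it. Assumes the PHP 5 era
// global class names; newer releases put them under RobRichards\XMLSecLibs.
require_once 'xmlseclibs.php';

define('DSIG_NS', 'http://www.w3.org/2000/09/xmldsig#');
define('SAMLP_NS', 'urn:oasis:names:tc:SAML:2.0:protocol');

/**
 * Verify the signature on $responseXml against the IdP certificate in
 * $trustedCertPath (a PEM file the SP already trusts; assumed parameter
 * name). Returns true on success and throws an Exception otherwise.
 */
function verifySamlResponse($responseXml, $trustedCertPath) {
    $doc = new DOMDocument();
    if (!$doc->loadXML($responseXml)) {
        throw new Exception('Response is not well-formed XML');
    }
    $root = $doc->documentElement;
    if ($root->namespaceURI !== SAMLP_NS || $root->localName !== 'Response') {
        throw new Exception('Root element is not samlp:Response');
    }

    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('ds', DSIG_NS);

    // A signed response carries exactly one ds:Signature directly under the
    // root; a second one (even an empty template) is a structural error.
    $sigs = $xpath->query('/*/ds:Signature');
    if ($sigs->length !== 1) {
        throw new Exception('Expected exactly one ds:Signature under the root, found ' . $sigs->length);
    }

    $dsig = new XMLSecurityDSig();
    $sigNode = $dsig->locateSignature($doc);
    if (!$sigNode) {
        throw new Exception('Cannot locate the Signature node');
    }
    $dsig->canonicalizeSignedInfo();

    // Tell xmlseclibs which attribute carries element IDs so that URI="#..."
    // references resolve; SAML's ID attribute is not of type xml:id.
    $dsig->idKeys = array('ID');
    $dsig->idNS = array('samlp' => SAMLP_NS,
                        'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion');

    // The Reference must cover the root element; otherwise the signature
    // may be over some node the SP never looks at.
    $refUri = $xpath->evaluate('string(./ds:SignedInfo/ds:Reference/@URI)', $sigNode);
    if ($refUri !== '#' . $root->getAttribute('ID')) {
        throw new Exception('Reference URI does not point at the root Response ID');
    }

    // Digest check: applies the enveloped-signature and c14n transforms from
    // the Reference and compares against DigestValue.
    if (!$dsig->validateReference()) {
        throw new Exception('Reference digest validation failed');
    }

    // Signature check. The key is loaded from the trusted certificate on
    // disk, not from the KeyInfo embedded in the message: everything inside
    // the message is untrusted until this step succeeds.
    $key = $dsig->locateKey();
    if (!$key) {
        throw new Exception('Cannot determine the signature algorithm');
    }
    $key->loadKey($trustedCertPath, true, true);   // isFile = true, isCert = true
    if ($dsig->verify($key) !== 1) {
        throw new Exception('Signature verification failed');
    }
    return true;
}
```

Call it as verifySamlResponse($postedXml, '/path/to/idp-cert.pem') from the ACS handler before reading any attribute of the Assertion. The order matters: idKeys and idNS must be set before validateReference() so the URI="#..." reference resolves, and the Reference URI is compared against the root ID before the digest is computed so that a signature over some other element is rejected even if its digest and signature are internally consistent.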