8398c9048d
code was modified slightly, so the code differs from the original downloadable 1.9.5 version
305 lines
No EOL
12 KiB
PHP
305 lines
No EOL
12 KiB
PHP
<?php
|
|
/**
|
|
* Zend Framework
|
|
*
|
|
* LICENSE
|
|
*
|
|
* This source file is subject to the new BSD license that is bundled
|
|
* with this package in the file LICENSE.txt.
|
|
* It is also available through the world-wide-web at this URL:
|
|
* http://framework.zend.com/license/new-bsd
|
|
* If you did not receive a copy of the license and are unable to
|
|
* obtain it through the world-wide-web, please send an email
|
|
* to license@zend.com so we can send you a copy immediately.
|
|
*
|
|
* @category Zend
|
|
* @package Zend_InfoCard
|
|
* @subpackage Zend_InfoCard_Xml_Security
|
|
* @copyright Copyright (c) 2005-2009 Zend Technologies USA Inc. (http://www.zend.com)
|
|
* @license http://framework.zend.com/license/new-bsd New BSD License
|
|
* @version $Id: Security.php 16214 2009-06-21 19:34:03Z thomas $
|
|
*/
|
|
|
|
/**
|
|
* Zend_InfoCard_Xml_Security_Transform
|
|
*/
|
|
require_once 'Zend/InfoCard/Xml/Security/Transform.php';
|
|
|
|
/**
|
|
*
|
|
* @category Zend
|
|
* @package Zend_InfoCard
|
|
* @subpackage Zend_InfoCard_Xml_Security
|
|
* @copyright Copyright (c) 2005-2009 Zend Technologies USA Inc. (http://www.zend.com)
|
|
* @license http://framework.zend.com/license/new-bsd New BSD License
|
|
*/
|
|
class Zend_InfoCard_Xml_Security
|
|
{
|
|
/**
|
|
* ASN.1 type INTEGER class
|
|
*/
|
|
const ASN_TYPE_INTEGER = 0x02;
|
|
|
|
/**
|
|
* ASN.1 type BIT STRING class
|
|
*/
|
|
const ASN_TYPE_BITSTRING = 0x03;
|
|
|
|
/**
|
|
* ASN.1 type SEQUENCE class
|
|
*/
|
|
const ASN_TYPE_SEQUENCE = 0x30;
|
|
|
|
/**
|
|
* The URI for Canonical Method C14N Exclusive
|
|
*/
|
|
const CANONICAL_METHOD_C14N_EXC = 'http://www.w3.org/2001/10/xml-exc-c14n#';
|
|
|
|
/**
|
|
* The URI for Signature Method SHA1
|
|
*/
|
|
const SIGNATURE_METHOD_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1';
|
|
|
|
/**
|
|
* The URI for Digest Method SHA1
|
|
*/
|
|
const DIGEST_METHOD_SHA1 = 'http://www.w3.org/2000/09/xmldsig#sha1';
|
|
|
|
/**
|
|
* The Identifier for RSA Keys
|
|
*/
|
|
const RSA_KEY_IDENTIFIER = '300D06092A864886F70D0101010500';
|
|
|
|
/**
|
|
* Constructor (disabled)
|
|
*
|
|
* @return void
|
|
*/
|
|
private function __construct()
|
|
{
|
|
}
|
|
|
|
/**
|
|
* Validates the signature of a provided XML block
|
|
*
|
|
* @param string $strXMLInput An XML block containing a Signature
|
|
* @return bool True if the signature validated, false otherwise
|
|
* @throws Zend_InfoCard_Xml_Security_Exception
|
|
*/
|
|
static public function validateXMLSignature($strXMLInput)
|
|
{
|
|
if(!extension_loaded('openssl')) {
|
|
require_once 'Zend/InfoCard/Xml/Security/Exception.php';
|
|
throw new Zend_InfoCard_Xml_Security_Exception("You must have the openssl extension installed to use this class");
|
|
}
|
|
|
|
$sxe = simplexml_load_string($strXMLInput);
|
|
|
|
if(!isset($sxe->Signature)) {
|
|
require_once 'Zend/InfoCard/Xml/Security/Exception.php';
|
|
throw new Zend_InfoCard_Xml_Security_Exception("Could not identify XML Signature element");
|
|
}
|
|
|
|
if(!isset($sxe->Signature->SignedInfo)) {
|
|
require_once 'Zend/InfoCard/Xml/Security/Exception.php';
|
|
throw new Zend_InfoCard_Xml_Security_Exception("Signature is missing a SignedInfo block");
|
|
}
|
|
|
|
if(!isset($sxe->Signature->SignatureValue)) {
|
|
require_once 'Zend/InfoCard/Xml/Security/Exception.php';
|
|
throw new Zend_InfoCard_Xml_Security_Exception("Signature is missing a SignatureValue block");
|
|
}
|
|
|
|
if(!isset($sxe->Signature->KeyInfo)) {
|
|
require_once 'Zend/InfoCard/Xml/Security/Exception.php';
|
|
throw new Zend_InfoCard_Xml_Security_Exception("Signature is missing a KeyInfo block");
|
|
}
|
|
|
|
if(!isset($sxe->Signature->KeyInfo->KeyValue)) {
|
|
require_once 'Zend/InfoCard/Xml/Security/Exception.php';
|
|
throw new Zend_InfoCard_Xml_Security_Exception("Signature is missing a KeyValue block");
|
|
}
|
|
|
|
switch((string)$sxe->Signature->SignedInfo->CanonicalizationMethod['Algorithm']) {
|
|
case self::CANONICAL_METHOD_C14N_EXC:
|
|
$cMethod = (string)$sxe->Signature->SignedInfo->CanonicalizationMethod['Algorithm'];
|
|
break;
|
|
default:
|
|
require_once 'Zend/InfoCard/Xml/Security/Exception.php';
|
|
throw new Zend_InfoCard_Xml_Security_Exception("Unknown or unsupported CanonicalizationMethod Requested");
|
|
break;
|
|
}
|
|
|
|
switch((string)$sxe->Signature->SignedInfo->SignatureMethod['Algorithm']) {
|
|
case self::SIGNATURE_METHOD_SHA1:
|
|
$sMethod = (string)$sxe->Signature->SignedInfo->SignatureMethod['Algorithm'];
|
|
break;
|
|
default:
|
|
require_once 'Zend/InfoCard/Xml/Security/Exception.php';
|
|
throw new Zend_InfoCard_Xml_Security_Exception("Unknown or unsupported SignatureMethod Requested");
|
|
break;
|
|
}
|
|
|
|
switch((string)$sxe->Signature->SignedInfo->Reference->DigestMethod['Algorithm']) {
|
|
case self::DIGEST_METHOD_SHA1:
|
|
$dMethod = (string)$sxe->Signature->SignedInfo->Reference->DigestMethod['Algorithm'];
|
|
break;
|
|
default:
|
|
require_once 'Zend/InfoCard/Xml/Security/Exception.php';
|
|
throw new Zend_InfoCard_Xml_Security_Exception("Unknown or unsupported DigestMethod Requested");
|
|
break;
|
|
}
|
|
|
|
$base64DecodeSupportsStrictParam = version_compare(PHP_VERSION, '5.2.0', '>=');
|
|
|
|
if ($base64DecodeSupportsStrictParam) {
|
|
$dValue = base64_decode((string)$sxe->Signature->SignedInfo->Reference->DigestValue, true);
|
|
} else {
|
|
$dValue = base64_decode((string)$sxe->Signature->SignedInfo->Reference->DigestValue);
|
|
}
|
|
|
|
if ($base64DecodeSupportsStrictParam) {
|
|
$signatureValue = base64_decode((string)$sxe->Signature->SignatureValue, true);
|
|
} else {
|
|
$signatureValue = base64_decode((string)$sxe->Signature->SignatureValue);
|
|
}
|
|
|
|
$transformer = new Zend_InfoCard_Xml_Security_Transform();
|
|
|
|
foreach($sxe->Signature->SignedInfo->Reference->Transforms->children() as $transform) {
|
|
$transformer->addTransform((string)$transform['Algorithm']);
|
|
}
|
|
|
|
$transformed_xml = $transformer->applyTransforms($strXMLInput);
|
|
|
|
$transformed_xml_binhash = pack("H*", sha1($transformed_xml));
|
|
|
|
if($transformed_xml_binhash != $dValue) {
|
|
require_once 'Zend/InfoCard/Xml/Security/Exception.php';
|
|
throw new Zend_InfoCard_Xml_Security_Exception("Locally Transformed XML does not match XML Document. Cannot Verify Signature");
|
|
}
|
|
|
|
$public_key = null;
|
|
|
|
switch(true) {
|
|
case isset($sxe->Signature->KeyInfo->KeyValue->X509Certificate):
|
|
|
|
$certificate = (string)$sxe->Signature->KeyInfo->KeyValue->X509Certificate;
|
|
|
|
|
|
$pem = "-----BEGIN CERTIFICATE-----\n" .
|
|
wordwrap($certificate, 64, "\n", true) .
|
|
"\n-----END CERTIFICATE-----";
|
|
|
|
$public_key = openssl_pkey_get_public($pem);
|
|
|
|
if(!$public_key) {
|
|
require_once 'Zend/InfoCard/Xml/Security/Exception.php';
|
|
throw new Zend_InfoCard_Xml_Security_Exception("Unable to extract and prcoess X509 Certificate from KeyValue");
|
|
}
|
|
|
|
break;
|
|
case isset($sxe->Signature->KeyInfo->KeyValue->RSAKeyValue):
|
|
|
|
if(!isset($sxe->Signature->KeyInfo->KeyValue->RSAKeyValue->Modulus) ||
|
|
!isset($sxe->Signature->KeyInfo->KeyValue->RSAKeyValue->Exponent)) {
|
|
require_once 'Zend/InfoCard/Xml/Security/Exception.php';
|
|
throw new Zend_InfoCard_Xml_Security_Exception("RSA Key Value not in Modulus/Exponent form");
|
|
}
|
|
|
|
$modulus = base64_decode((string)$sxe->Signature->KeyInfo->KeyValue->RSAKeyValue->Modulus);
|
|
$exponent = base64_decode((string)$sxe->Signature->KeyInfo->KeyValue->RSAKeyValue->Exponent);
|
|
|
|
$pem_public_key = self::_getPublicKeyFromModExp($modulus, $exponent);
|
|
|
|
$public_key = openssl_pkey_get_public ($pem_public_key);
|
|
|
|
break;
|
|
default:
|
|
require_once 'Zend/InfoCard/Xml/Security/Exception.php';
|
|
throw new Zend_InfoCard_Xml_Security_Exception("Unable to determine or unsupported representation of the KeyValue block");
|
|
}
|
|
|
|
$transformer = new Zend_InfoCard_Xml_Security_Transform();
|
|
$transformer->addTransform((string)$sxe->Signature->SignedInfo->CanonicalizationMethod['Algorithm']);
|
|
|
|
// The way we are doing our XML processing requires that we specifically add this
|
|
// (even though it's in the <Signature> parent-block).. otherwise, our canonical form
|
|
// fails signature verification
|
|
$sxe->Signature->SignedInfo->addAttribute('xmlns', 'http://www.w3.org/2000/09/xmldsig#');
|
|
|
|
$canonical_signedinfo = $transformer->applyTransforms($sxe->Signature->SignedInfo->asXML());
|
|
|
|
if(@openssl_verify($canonical_signedinfo, $signatureValue, $public_key)) {
|
|
return (string)$sxe->Signature->SignedInfo->Reference['URI'];
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Transform an RSA Key in Modulus/Exponent format into a PEM encoding and
|
|
* return an openssl resource for it
|
|
*
|
|
* @param string $modulus The RSA Modulus in binary format
|
|
* @param string $exponent The RSA exponent in binary format
|
|
* @return string The PEM encoded version of the key
|
|
*/
|
|
static protected function _getPublicKeyFromModExp($modulus, $exponent)
|
|
{
|
|
$modulusInteger = self::_encodeValue($modulus, self::ASN_TYPE_INTEGER);
|
|
$exponentInteger = self::_encodeValue($exponent, self::ASN_TYPE_INTEGER);
|
|
$modExpSequence = self::_encodeValue($modulusInteger . $exponentInteger, self::ASN_TYPE_SEQUENCE);
|
|
$modExpBitString = self::_encodeValue($modExpSequence, self::ASN_TYPE_BITSTRING);
|
|
|
|
$binRsaKeyIdentifier = pack( "H*", self::RSA_KEY_IDENTIFIER );
|
|
|
|
$publicKeySequence = self::_encodeValue($binRsaKeyIdentifier . $modExpBitString, self::ASN_TYPE_SEQUENCE);
|
|
|
|
$publicKeyInfoBase64 = base64_encode( $publicKeySequence );
|
|
|
|
$publicKeyString = "-----BEGIN PUBLIC KEY-----\n";
|
|
$publicKeyString .= wordwrap($publicKeyInfoBase64, 64, "\n", true);
|
|
$publicKeyString .= "\n-----END PUBLIC KEY-----\n";
|
|
|
|
return $publicKeyString;
|
|
}
|
|
|
|
/**
|
|
* Encode a limited set of data types into ASN.1 encoding format
|
|
* which is used in X.509 certificates
|
|
*
|
|
* @param string $data The data to encode
|
|
* @param const $type The encoding format constant
|
|
* @return string The encoded value
|
|
* @throws Zend_InfoCard_Xml_Security_Exception
|
|
*/
|
|
static protected function _encodeValue($data, $type)
|
|
{
|
|
// Null pad some data when we get it (integer values > 128 and bitstrings)
|
|
if( (($type == self::ASN_TYPE_INTEGER) && (ord($data) > 0x7f)) ||
|
|
($type == self::ASN_TYPE_BITSTRING)) {
|
|
$data = "\0$data";
|
|
}
|
|
|
|
$len = strlen($data);
|
|
|
|
// encode the value based on length of the string
|
|
// I'm fairly confident that this is by no means a complete implementation
|
|
// but it is enough for our purposes
|
|
switch(true) {
|
|
case ($len < 128):
|
|
return sprintf("%c%c%s", $type, $len, $data);
|
|
case ($len < 0x0100):
|
|
return sprintf("%c%c%c%s", $type, 0x81, $len, $data);
|
|
case ($len < 0x010000):
|
|
return sprintf("%c%c%c%c%s", $type, 0x82, $len / 0x0100, $len % 0x0100, $data);
|
|
default:
|
|
require_once 'Zend/InfoCard/Xml/Security/Exception.php';
|
|
throw new Zend_InfoCard_Xml_Security_Exception("Could not encode value");
|
|
}
|
|
|
|
require_once 'Zend/InfoCard/Xml/Security/Exception.php';
|
|
throw new Zend_InfoCard_Xml_Security_Exception("Invalid code path");
|
|
}
|
|
} |