robrichards / xmlseclibs
A PHP library for XML Security
License: BSD 3-Clause "New" or "Revised" License
Travis-CI is a continuous integration environment with powerful features for OSS (and private) projects.
It would be nice if you could enable the integration.
Later I'll propose a PR with the required files for configuration and execution.
By the way, sign up at https://travis-ci.org/ and enable the repo.
What steps will reproduce the problem?
1. Edit php.ini, find mbstring.func_overload, and change the value to 7.
Save & quit.
2. Run tests
What is the expected output?
> php ./xml-sign.phpt
--TEST--
Basic Signature
--FILE--
DONE
--EXPECTF--
DONE
> php ./xmlsec-decrypt.phpt
--TEST--
Basic Decryption
--FILE--
AOESP_SHA1: Passed
--EXPECTF--
AOESP_SHA1: Passed
> php ./xmlsec-encrypt.phpt
--TEST--
Basic Encryption
--FILE--
EncryptedData
--EXPECTF--
EncryptedData
> php ./xmlsec-verify.phpt
--TEST--
Basic Verify
--FILE--
SIGN_TEST: Signature validated!
--EXPECTF--
SIGN_TEST: Signature validated!
What do you see instead?
> php ./xml-sign.phpt
--TEST--
Basic Signature
--FILE--
DONE
--EXPECTF--
DONE
> php ./xmlsec-decrypt.phpt
--TEST--
Basic Decryption
--FILE--
AOESP_SHA1: PHP Warning: mcrypt_generic_init(): Iv size incorrect;
supplied length: 22, needed: 16 in
/usr/home/craig/xmlseclibs/xmlseclibs.php on line 356
Warning: mcrypt_generic_init(): Iv size incorrect; supplied length: 22,
needed: 16 in /usr/home/craig/xmlseclibs/xmlseclibs.php on line 356
PHP Warning: DOMDocument::loadXML(): Empty string supplied as input in
/usr/home/craig/xmlseclibs/xmlseclibs.php on line 1288
Warning: DOMDocument::loadXML(): Empty string supplied as input in
/usr/home/craig/xmlseclibs/xmlseclibs.php on line 1288
PHP Catchable fatal error: Argument 1 passed to DOMDocument::importNode()
must be an instance of DOMNode, null given, called in
/usr/home/craig/xmlseclibs/tests/xmlsec-decrypt.phpt on line 58 and defined
in /usr/home/craig/xmlseclibs/xmlseclibs.php on line 1292
Catchable fatal error: Argument 1 passed to DOMDocument::importNode() must
be an instance of DOMNode, null given, called in
/usr/home/craig/xmlseclibs/tests/xmlsec-decrypt.phpt on line 58 and defined
in /usr/home/craig/xmlseclibs/xmlseclibs.php on line 1292
> php ./xmlsec-encrypt.phpt
--TEST--
Basic Encryption
--FILE--
PHP Warning: mcrypt_generic_init(): Key size too large; supplied length:
46, max: 32 in /usr/home/craig/xmlseclibs/xmlseclibs.php on line 336
Warning: mcrypt_generic_init(): Key size too large; supplied length: 46,
max: 32 in /usr/home/craig/xmlseclibs/xmlseclibs.php on line 336
EncryptedData
--EXPECTF--
EncryptedData
> php ./xmlsec-verify.phpt
--TEST--
Basic Verify
--FILE--
SIGN_TEST: Signature validated!
--EXPECTF--
SIGN_TEST: Signature validated!
What version of the product are you using? On what operating system?
xmlseclibs-1.2.1.tar.gz on FreeBSD, running PHP 5.2.9
Please provide any additional information below.
The problem is that the mb_strlen() and mb_substr() functions interpret the
random binary characters as multibyte characters. This causes mb_strlen()
to return a number that is not the same as the number of bytes. This
causes all sorts of problems with mb_substr() as well.
I have a patch, but only for decryptMcrypt(). This is the only function
that I had to fix to get my SimpleSAML message to work.
Original issue reported on code.google.com by [email protected]
on 20 Aug 2009 at 12:21
Attachments:
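The failure above comes from splitting a key or IV out of binary data with length functions that have silently become character counters. The following is an added example, not xmlseclibs code and not the reporter's patch: it splits a prepended CBC IV from ciphertext with byte-exact functions, passing '8bit' as the encoding so that mb_strlen()/mb_substr() count bytes even when mbstring.func_overload=7 has replaced strlen()/substr() with them. It assumes the openssl extension (PHP 5.3 or later, matching the migration suggested later on this page), AES-128-CBC with a 16-byte IV prepended as the XML Encryption CBC algorithms lay it out, and a constructed key and plaintext. It is raw, unauthenticated CBC and only demonstrates the length problem.

```php
<?php
// Added example, not xmlseclibs code: byte-exact IV/ciphertext split that survives
// mbstring.func_overload=7. Assumes ext/openssl; key and plaintext are constructed.

function byteLength($s) {
    // '8bit' makes mb_strlen() count bytes, not code points; plain strlen() is the
    // fallback when mbstring is absent (and therefore cannot be overloading anything).
    return function_exists('mb_strlen') ? mb_strlen($s, '8bit') : strlen($s);
}

function byteSubstr($s, $start, $length) {
    return function_exists('mb_substr') ? mb_substr($s, $start, $length, '8bit')
                                        : substr($s, $start, $length);
}

function encryptIvPrefixed($plain, $key, $cipher = 'aes-128-cbc') {
    $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($cipher));
    $ct = openssl_encrypt($plain, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return $iv . $ct;   // IV first, as in XML Encryption CBC
}

function decryptIvPrefixed($blob, $key, $cipher = 'aes-128-cbc') {
    $ivLen = openssl_cipher_iv_length($cipher);   // 16 for AES-CBC
    $total = byteLength($blob);
    // Need the IV plus at least one whole block; reject anything else up front
    // instead of letting mcrypt/openssl complain about an "Iv size incorrect".
    if ($total < $ivLen + 16 || ($total - $ivLen) % 16 !== 0) {
        throw new RuntimeException('ciphertext length is not IV + whole blocks');
    }
    $iv   = byteSubstr($blob, 0, $ivLen);
    $data = byteSubstr($blob, $ivLen, $total - $ivLen);
    $plain = openssl_decrypt($data, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: ' . openssl_error_string());
    }
    return $plain;
}

// Constructed sample: a 16-byte AES-128 key and a small XML fragment.
$key  = str_repeat("\xA5", 16);
$blob = encryptIvPrefixed('<Secret>42</Secret>', $key);

// The miscount itself: 8 UTF-8 characters occupy 16 bytes. Random IV/key bytes >= 0x80
// are interpreted the same way by the mb_* functions unless '8bit' is given.
if (function_exists('mb_strlen')) {
    $demo = str_repeat("\xC3\xA9", 8);
    printf("mb_strlen(UTF-8)=%d mb_strlen(8bit)=%d\n",
        mb_strlen($demo, 'UTF-8'), mb_strlen($demo, '8bit'));
}

echo decryptIvPrefixed($blob, $key), "\n";
```

The same '8bit' trick applies to the key-size warning in the encrypt test: a key that is 32 bytes long but contains bytes above 0x7F is counted as fewer than 32 characters by mb_strlen() without an explicit encoding, and as more than 32 bytes once the buffer is padded by a length-confused mb_substr().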
PSR-0 is the new way of structuring classes into include files. See
https://gist.github.com/1234504. Using PSR-0 will make xmlseclibs easily
embeddable in any system that uses a PSR-0-compatible class loader. Using
namespaces prevents collisions with other projects.
Original issue reported on code.google.com by [email protected]
on 28 Oct 2012 at 4:52
See http://thefsb.tumblr.com/post/110639027905/custodians-of-php-vote-to-keep-a-crypto-lib for some details.
The openssl extension supports everything mcrypt supports and more. Would migrating to openssl be an option?
I have the following XML (prettyprinted):
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7b8df9609dfcb6b735ce90ea50a975b1979f5f14cd" Version="2.0" IssueInstant="2014-12-01T23:05:49Z" Destination="https://pitbulk.no-ip.org/newonelogin/demo1/index.php?acs" InResponseTo="ONELOGIN_cca5c4b75c18612ca8cd5fbbcde3d32f9d092370">
<saml:Issuer>https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_2ff35216bf2e1021778885fadd78ac5d6f82f83f16" Version="2.0" IssueInstant="2014-12-01T23:05:49Z">
<saml:Issuer>https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
<Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_2ff35216bf2e1021778885fadd78ac5d6f82f83f16">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>KRTtSoaoB8ypMqC2yZlb2AzRGRo=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>0nG/mSAzS01TfID3oE/v+uyLDloI6p8invoWJO/X2aotI8qNGFK2wvtsEhXZt7WHf2On5D/Ui/KDnBsL+iwSytajZ/M/3equVCG8LpHo4Zd1dAQJqnhIrB3oT4NEdwN3ePR1wBNX+EmdbQ/CBgG1T0jzLocdPtIP1LollBuDSaA=</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>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</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID SPNameQualifier="https://pitbulk.no-ip.org/newonelogin/demo1/metadata.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_486af16ab7b1bb20c888be338e5dd19abed682d471</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2024-06-04T04:25:49Z" Recipient="https://pitbulk.no-ip.org/newonelogin/demo1/index.php?acs" InResponseTo="ONELOGIN_cca5c4b75c18612ca8cd5fbbcde3d32f9d092370"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2014-12-01T23:05:19Z" NotOnOrAfter="2024-06-04T04:25:49Z">
<saml:AudienceRestriction>
<saml:Audience>https://pitbulk.no-ip.org/newonelogin/demo1/metadata.php</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-12-01T23:05:49Z" SessionNotOnOrAfter="2014-12-02T07:05:49Z" SessionIndex="_1f1f4501c8077985135667801b97bd210dc4ca867e">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">test_cn</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">waa2</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">user</saml:AttributeValue>
<saml:AttributeValue xsi:type="xs:string">manager</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="company" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">onelogin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="street" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">street example</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="city" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">city example</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="country" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">country example</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="state" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">state example</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="zip" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">32323</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="telephone" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">878732323</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="fax" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">828732323</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
If I try to validate the Signature of the XML it will fail ("Cannot locate Signature Node") because the Signature does not contain the ds:Signature expected in that library. Do you know the best approach to solve that issue? May I transform the XML before trying to validate it, or should that library accept XPath queries without a namespace?
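The prefix itself is cosmetic; what the library matches on is the namespace. In the Response pasted above, the Signature element declares xmlns:ds but is itself unprefixed and has no default xmlns, so it is in no namespace at all, and the namespace-aware lookup xmlseclibs uses (the ".//secdsig:Signature" query visible in the patch further down this page) correctly does not find it. Re-namespacing the element on the verifier side is not a fix either: the canonical form of SignedInfo includes the element names and namespace, so the SignatureValue would not verify unless the bytes were signed that way to begin with. The following added example, which is not xmlseclibs code, locates an enveloped Signature by namespace and reports this situation instead of falling back to a namespace-blind match. Both sample documents are constructed.

```php
<?php
// Added example, not xmlseclibs code: namespace-aware Signature lookup with a diagnostic
// for <Signature> elements that sit in the wrong (or no) namespace. Samples are constructed.

define('XMLDSIG_NS', 'http://www.w3.org/2000/09/xmldsig#');

function findEnvelopedSignature(DOMElement $signedElement) {
    $xp = new DOMXPath($signedElement->ownerDocument);
    $xp->registerNamespace('secdsig', XMLDSIG_NS);

    // Direct child only: a SAML Assertion's Signature is its own child, and descending
    // with ".//" could pick up a Signature nested inside attacker-chosen content.
    $nodes = $xp->query('./secdsig:Signature', $signedElement);
    if ($nodes->length === 1) {
        return $nodes->item(0);
    }
    if ($nodes->length > 1) {
        throw new RuntimeException('more than one Signature child; refusing to guess which to verify');
    }

    // Diagnose, but do not fall back to *[local-name()='Signature']: a verifier that accepts
    // <Signature> in any namespace accepts elements the signer never produced.
    $stray = $xp->query("./*[local-name()='Signature']", $signedElement);
    if ($stray->length > 0) {
        $el = $stray->item(0);
        throw new RuntimeException(sprintf(
            'Found <%s> in namespace "%s", expected %s; this is not an XML-DSig Signature',
            $el->nodeName, (string) $el->namespaceURI, XMLDSIG_NS));
    }
    throw new RuntimeException('Cannot locate Signature Node');
}

function loadSafely($xml) {
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external DTDs or entities while parsing untrusted XML.
    $doc->loadXML($xml, LIBXML_NONET);
    return $doc;
}

// Constructed samples. 'no-ns' mirrors the Response above: xmlns:ds is declared on the
// element, but the element is unprefixed and there is no default namespace.
$samples = array(
    'prefixed'   => '<a><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature></a>',
    'default-ns' => '<a><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo/></Signature></a>',
    'no-ns'      => '<a><Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><SignedInfo/></Signature></a>',
);
foreach ($samples as $label => $xml) {
    try {
        $sig = findEnvelopedSignature(loadSafely($xml)->documentElement);
        printf("%s: found <%s> in %s\n", $label, $sig->nodeName, $sig->namespaceURI);
    } catch (RuntimeException $e) {
        printf("%s: %s\n", $label, $e->getMessage());
    }
}
```

The first two samples are found (prefix or default namespace, both in the xmldsig namespace); the third is rejected with the namespace diagnostic. The correct place to fix a document like the one above is the IdP that produced it.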
Could support for
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" type
signatures be added? Much appreciated!
Original issue reported on code.google.com by [email protected]
on 25 Aug 2009 at 7:44
Rob Richards is currently working on this.
Original issue reported on code.google.com by [email protected]
on 22 Jan 2008 at 3:58
What steps will reproduce the problem?
1. use composer to include your library e.g. with a TYPO3.FLOW project
2. get Exception about missing package
3. add composer.json
4. it runs
I used the tar version you provide as download
example composer.json
{
"name": "robrichards/xmlseclibs",
"description": "RobRichards XMLSecLibs",
"license": "Custom",
"authors": [
{
"name": "Rob Richards",
"email": "your mailadress"
}
]
}
This way I can include your library using these lines in my composer.json:
{
...
"repositories": [
{
"type": "composer",
"url": "https://raw.github.com/kaystrobach/simplesamlphp-composer/master/"
}, {
"type": "package",
"package": {
"name": "robrichards/xmlseclibs",
"version": "1.3.1",
"dist": {
"url": "https://xmlseclibs.googlecode.com/files/xmlseclibs-1.3.1.tar.gz",
"type": "tar"
},
"autoload": {
"files": ["xmlseclibs.php"]
}
}
}
],
...
}
If you would also register on packagist.org and use tags in your svn, we could
use the short form instead ;)
Thank you so much.
Kay
Original issue reported on code.google.com by [email protected]
on 19 Mar 2014 at 12:16
I had problems with http://www.aleksey.com/cgi-bin/xmldsigverify verifying a
signed XML using the library. The message returned is as follows:
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=US/ST=Maine/L=Limington/O=xmlseclibs.php Library/CN=xmlseclibs/www.cdatazone.org;err=18;msg=self signed certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate
func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=rsa-sha1:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
RESULT: Signature is INVALID
As I have used your php example almost exactly, I wanted to see if your signed
XML would get a Valid message, so I tried sign-basic-test.res and the same
error message is returned.
What steps will reproduce the problem?
1. Open sign-basic-test.res in notepad
2. Copy all content
3. Paste in http://www.aleksey.com/cgi-bin/xmldsigverify text box
What is the expected output? What do you see instead?
What version of the product are you using? On what operating system?
1.2.2 on Windows 7
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 30 Aug 2011 at 9:39
I fixed some typos in XMLSecurityKey.
For backwards compatibility I marked the method getAlgorith() as deprecated and added the new method getAlgorithm(). To avoid duplicate code I moved the implementation from getAlgorith() to getAlgorithm() and replaced the implementation of getAlgorith() with a call to getAlgorithm().
Fix validate references for documents like
<signature><object>data</object></signature>
Original issue reported on code.google.com by [email protected]
on 13 Apr 2013 at 7:51
Attachments:
What steps will reproduce the problem?
1. encrypt content ($enc->type = XMLSecEnc::Content;)
2. $dom->saveXML()
3. later during decryption, $objenc->decryptNode($objKey, TRUE)
What is the expected output? What do you see instead?
Fatal error: Call to undefined method
DOMDocument::createDOMDocumentFragment() in
/var/www/test/xml/xmlseclibs.php on line 1339
----------
Hello,
I got this error when I tried to decrypt a document which was encrypted
with type XMLSecEnc::Content instead of XMLSecEnc::Element.
I changed the method name on line 1339:
$newFrag = $doc->createDocumentFragment();
//$newFrag = $doc->createDOMDocumentFragment();
Then no error, but no parent node was returned.
So I changed the following lines:
$this->rawNode->parentNode->replaceChild($newFrag, $this->rawNode);
return $this->rawNode->parentNode;
to:
$parentNode = $this->rawNode->parentNode;
$this->rawNode->parentNode->replaceChild($newFrag, $this->rawNode);
return $parentNode;
And it worked.
François
Original issue reported on code.google.com by [email protected]
on 19 Nov 2009 at 8:57
In staticAdd509Cert(), in the node KeyInfo/X509Data, the child X509Certificate is always created, and optionally X509IssuerSerial if $options['issuerSerial'] is supplied.
Implement optional creation of an X509SubjectName child node if $options['subjectName'] is supplied.
For better debugging and Identifikation of Errors add specified Exception e.g. XMLSecLibsException (extends \Exception)
According to XMLDSIG, the DigestValue element is of type base64Binary, which is allowed to contain embedded whitespace.
Your function calculateDigest() uses base64_encode(), which produces a whitespace-free base64 representation of the selected digest's value.
The document itself may contain a base64 representation of the same value which has whitespace for its own reasons (e.g. if the base64 representation of the digest is longer than 76 characters, as is the case with SHA-512, a line break may have been added, which the XML parser converted to a single inline whitespace character before passing it on for validation).
The comparison in function validateDigest(), around line 298:
return ($digValue == $digestValue);
will fail if the base64-encoded representations of the same actual digest value differ in whitespace only, while it should not fail.
The obvious one-line fix for this is
return (base64_decode($digValue) == base64_decode($digestValue));
but a more thorough way of fixing it might be to let calculateDigest() return the raw binary value, and only let the calling functions encode this with base64_encode() if they need to.
NB: your code is already doing this correctly/consistently in other places, such as when comparing the SignatureValue element in function verify(), around line 662:
return $objKey->verifySignature($this->signedInfo, base64_decode($sigValue));
Here you are correctly getting rid of whitespace, if any, by comparing the binary representations rather than the base64-encoded versions.
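Two more things a verifier wants here beyond decoding before comparing: PHP's loose == on two strings compares them numerically when both look numeric, so === or a constant-time byte comparison is the right operator for digests, and the decoded length should be checked against the digest algorithm so that a truncated DigestValue cannot match. The following added example, which is not xmlseclibs code, does both. It uses hash_equals() where available (PHP 5.6 and later) with a constant-time fallback; the canonical data and the wrapped DigestValue are constructed.

```php
<?php
// Added example, not xmlseclibs code: compare a document's DigestValue with a freshly
// computed digest by decoded bytes, in constant time, with the length pinned to the
// algorithm. Inputs are constructed.

function decodeBase64Strict($b64) {
    // Drop whitespace the XML parser may have left in the text node, then decode strictly
    // so that characters outside the base64 alphabet are rejected, not silently skipped.
    $raw = base64_decode(preg_replace('/\s+/', '', $b64), true);
    if ($raw === false) {
        throw new InvalidArgumentException('DigestValue is not valid base64');
    }
    return $raw;
}

function constantTimeEquals($a, $b) {
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

function digestMatches($algo, $canonicalData, $digestValueText) {
    // $algo is a hash() algorithm name ('sha1', 'sha256', 'sha512'); the caller maps it
    // from the DigestMethod URI and must reject URIs it does not expect.
    $computed = hash($algo, $canonicalData, true);          // raw bytes, not base64
    $expected = decodeBase64Strict($digestValueText);
    if (strlen($expected) !== strlen($computed)) {
        return false;   // wrong length for this algorithm, e.g. a truncated digest
    }
    return constantTimeEquals($computed, $expected);
}

// Constructed sample: a SHA-512 digest is 88 base64 characters, so a serializer that
// wraps at 76 columns inserts a line break plus indentation into the text node.
$data    = '<Foo xmlns="urn:example">bar</Foo>';
$b64     = base64_encode(hash('sha512', $data, true));
$wrapped = substr($b64, 0, 76) . "\n        " . substr($b64, 76);

var_dump($b64 === $wrapped);                                  // plain string comparison
var_dump(digestMatches('sha512', $data, $wrapped));           // byte comparison
var_dump(digestMatches('sha512', $data . ' ', $wrapped));     // tampered data
var_dump(digestMatches('sha512', $data, substr($b64, 0, 44))); // truncated digest
```

Only the second call reports a match: the wrapped text decodes to the same 64 bytes, the tampered data does not, and the truncated value is rejected by the length check before any bytes are compared.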
What steps will reproduce the problem?
1. Using PHP 5.2.17
What is the expected output? What do you see instead?
The expected output is that the script works, now I get an error:
Warning: openssl_sign() expects parameter 4 to be long, string given in
*/xmlseclibs.php on line 479
What version of the product are you using? On what operating system?
Using xmlseclibs 1.3.0 on PHP 5.2.17.
Please provide any additional information below.
The script I use works on PHP 5.3.x but not on my other server with PHP 5.2.17.
Is there something I can do to get it working?
Original issue reported on code.google.com by [email protected]
on 15 Feb 2013 at 8:14
Hi,
processRefNode() contains this code:
if ($uri = $refNode->getAttribute("URI")) {
$arUrl = parse_url($uri);
if (empty($arUrl['path'])) {
...
} else {
$dataObject = file_get_contents($arUrl);
I think this cannot work. parse_url will either return an array or false.
If it returns false or an array without path, the (omitted) code block after the if is triggered. This can only happen when the URL is very invalid, or scheme://host
without a path. I'm not sure why those two cases should be united.
In all other cases, the else block will be triggered. However, by then we're sure that $arUrl
will contain an array with a 'path' element, which when cast to string to be fed to file_get_contents will always be "Array".
So either I'm completely misunderstanding this code, or it cannot work in this form.
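Whatever parse_url() returns here, the branch that ends in file_get_contents() is the one a verifier should not have: a Reference URI is chosen by whoever wrote the document, so fetching it from inside the verifier turns signature validation into a server-side request forgery primitive (file://, http:// to internal hosts, and so on). The following added example, which is not xmlseclibs code, resolves a Reference URI the restrictive way: only "" (whole document, for enveloped signatures) and "#id" are accepted, the id must match exactly one element, and everything else is refused. The ID attribute names are configurable because SAML uses "ID" while plain XML-DSig uses "Id". The documents are constructed.

```php
<?php
// Added example, not xmlseclibs code: same-document-only Reference URI resolution.
// Sample XML is constructed.

function xpathLiteral($s) {
    // Build a safe XPath string literal for values that may contain quotes.
    if (strpos($s, "'") === false) { return "'$s'"; }
    if (strpos($s, '"') === false) { return "\"$s\""; }
    return "concat('" . str_replace("'", "',\"'\",'", $s) . "')";
}

function resolveReference(DOMDocument $doc, $uri, array $idAttrs = array('Id', 'ID', 'id')) {
    if ($uri === null || $uri === '') {
        return $doc->documentElement;                 // whole document (enveloped signature)
    }
    if ($uri[0] !== '#') {
        // Anything with a scheme or a path (http://, file://, relative paths) is external.
        throw new RuntimeException("External reference refused: $uri");
    }
    $id = substr($uri, 1);
    if ($id === '' || strpos($id, '(') !== false) {
        throw new RuntimeException("Unsupported reference (xpointer or empty id): $uri");
    }
    $xp = new DOMXPath($doc);
    $matches = array();
    foreach ($idAttrs as $attr) {
        // Exact attribute match; never contains()/starts-with().
        foreach ($xp->query(sprintf('//*[@%s=%s]', $attr, xpathLiteral($id))) as $n) {
            $matches[] = $n;
        }
    }
    if (count($matches) !== 1) {
        // Zero: dangling reference. Several: two elements claim the same id, which is the
        // classic signature-wrapping setup; refuse rather than silently take the first.
        throw new RuntimeException(sprintf('Reference %s matched %d elements', $uri, count($matches)));
    }
    return $matches[0];
}

$doc = new DOMDocument();
$doc->loadXML('<Root><Assertion ID="a1">ok</Assertion><Other Id="a2"/></Root>', LIBXML_NONET);

$uris = array('', '#a1', '#a2', 'http://example.invalid/x', 'file:///etc/passwd', 'x.xml', '#nope');
foreach ($uris as $u) {
    try {
        printf("%-28s -> <%s>\n", var_export($u, true), resolveReference($doc, $u)->nodeName);
    } catch (RuntimeException $e) {
        printf("%-28s -> %s\n", var_export($u, true), $e->getMessage());
    }
}

$dup = new DOMDocument();
$dup->loadXML('<R><A ID="x"/><B ID="x"/></R>', LIBXML_NONET);
try {
    resolveReference($dup, '#x');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Only the first three URIs resolve; the external and unknown ones, and the duplicated id in the second document, are refused with a message saying why.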
If needed the branch can be recreated starting from the last 1.2 version
I had problems with my signature validations because of the prefix "ds", so I made
changes to indicate whether the signature requires the prefix or not.
The changes made are attached.
require(dirname(__FILE__) . '/../xmlseclibs.php');
if (file_exists(dirname(__FILE__) . '/sign-basic-test.xml')) {
unlink(dirname(__FILE__) . '/sign-basic-test.xml');
}
$doc = new DOMDocument();
$doc->formatOutput = FALSE;
$doc->preserveWhiteSpace = TRUE;
$semilla = getSeed();
$xml =
"<getToken>\n\t<item>\n\t\t<Semilla>$semilla</Semilla>\n\t</item>\n</getToken>";
$doc->loadXML($xml);
$objDSig = new XMLSecurityDSig(FALSE);
//die;
$objDSig->setCanonicalMethod(XMLSecurityDSig::C14N);
$options['prefix'] = '';
$options['prefix_ns'] = '';
$options['force_uri'] = TRUE;
$options['id_name'] = 'ID';
$objDSig->addReference($doc, XMLSecurityDSig::SHA1,
array(XMLSecurityDSig::TR_ENV_SIG), $options);
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1,
array('type'=>'private'));
$pfx = file_get_contents(dirname(__FILE__) . "/file.pfx");
openssl_pkcs12_read($pfx, $key, "pass");
$objKey->loadKey($key["pkey"]);
$objDSig->add509Cert($key["cert"]);
$objDSig->sign($objKey, $doc->documentElement);
$doc->save(dirname(__FILE__) . '/sign-basic-test.xml');
Original issue reported on code.google.com by atiruz
on 20 Sep 2012 at 9:35
Attachments:
Hi, sorry about my English. I need to append the modulus and exponent to the signature and I don't know how; is there any way to do this in this branch?
this is the format i need
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>
</Modulus>
<Exponent>
</Exponent>
</RSAKeyValue>
</KeyValue>
<X509Data>
<X509Certificate>
</X509Certificate>
</X509Data>
</KeyInfo>
Would it be possible to convert the CHANGELOG.txt file to UTF-8?
iconv --from=ISO-8859-1 --to=UTF-8 CHANGELOG.txt > CHANGELOG.txt.new
touch -r CHANGELOG.txt CHANGELOG.txt.new
mv CHANGELOG.txt.new CHANGELOG.txt
Original issue reported on code.google.com by [email protected]
on 18 Jun 2013 at 8:04
Hello all, I am new to PHP.
How do I add KeyInfo like
<ds:KeyInfo>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>?
with encrypted XML data?
There is no addX509Cert(..) implementation in class XMLSecurityKey.
I am using XMLSecLibs @version 1.3.1-dev on Windows.
With an XML signature I am getting the above KeyInfo, but I am not sure how to
exclude the <ds:X509Certificate> value.
Kindly provide sample code for the right way to call these 2 classes for adding the
KeyInfo.
How do I provide the input for $options?
add509Cert($cert, $isPEMFormat=TRUE, $isURL=False, $options=NULL)
I am just learning PHP, sorry for my very basic question.
Thanks in advance
Bosco
Original issue reported on code.google.com by [email protected]
on 14 Jan 2013 at 2:18
Hi,
I know it is a BC-breaking change, but the public member variables should be replaced by (at least) protected ones with public access via getters and setters.
I do not want to repeat the same arguments again and again; e.g. it is answered here: http://programmers.stackexchange.com/questions/143736/why-do-we-need-private-variables
Filename: soap-wsse.php
function attachTokentoSig
Set attribute of token reference:
$reference->setAttribute('ValueType',
'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3');
Original issue reported on code.google.com by [email protected]
on 19 May 2013 at 9:32
a (naive?) proposal to add support for locating signatures created with
different algorithms (e.g. the SHA256 algorithm used by default in ADFS 2.0), in
the same way as locateKey does; notice that this specific patch does strictly
break the existing API, which would return a signature XML node instead of a
public key object; don't know if it hurts though
--- xmlseclibs.php (revision xxxx)
+++ xmlseclibs.php (working copy)
@@ -672,7 +672,16 @@
$query = ".//secdsig:Signature";
$nodeset = $xpath->query($query, $objDoc);
$this->sigNode = $nodeset->item(0);
- return $this->sigNode;
+ $query =
"string(./secdsig:SignedInfo/secdsig:SignatureMethod/@Algorithm)";
+ $algorithm = $xpath->evaluate($query, $this->sigNode);
+ if ($algorithm) {
+ try {
+ $objKey = new XMLSecurityKey($algorithm,
array('type'=>'public'));
+ } catch (Exception $e) {
+ return NULL;
+ }
+ return $objKey;
+ }
}
return NULL;
}
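Review bot: building the XMLSecurityKey from the document's own SignatureMethod/@Algorithm (the `string(./secdsig:SignedInfo/secdsig:SignatureMethod/@Algorithm)` evaluation) lets the sender of the document choose which algorithm it is verified with; the caller should compare $algorithm against the algorithm(s) it expects and refuse anything else before the key object is constructed, or the method should take an allowed list. Two smaller points in the same hunk: `$this->sigNode = $nodeset->item(0)` is NULL when no Signature element matched, and the next line then runs `$xpath->evaluate($query, $this->sigNode)` with a NULL context node, so test for NULL before evaluating; and since the method now returns a key object where callers expected the Signature node, giving the new behaviour its own method name (for instance alongside locateKey) would avoid the API break the submitter mentions.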
Original issue reported on code.google.com by [email protected]
on 30 Aug 2010 at 7:06
I'm working on a C#-App that should verify the signature of an XML-file that
has been signed by my server before.
The problem is that XML-files signed by Microsoft's algorithm slightly differ
from the ones produced by xmlseclibs:
like in the example given by the W3C
(http://www.w3.org/TR/xmldsig-core/#sec-o-Simple), they don't include an
additional "ds:"-namespace tag in front of the signature's tags, as
xmlseclibs does.
This difference then caused the signature check to fail.
Therefore, my question is whether there is a way to make the XML produced by
xmlseclibs look like the one in the example from the W3C.
Any help would be appreciated!
---------
Here is an example of a file signed by xmlseclibs:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference>
...
Original issue reported on code.google.com by [email protected]
on 1 Dec 2011 at 1:47
See http://stackoverflow.com/questions/2200988/ for more detail. Basically
the exclusive canonicalization being used is incorrect.
Original issue reported on code.google.com by [email protected]
on 4 Feb 2010 at 5:02
Hi, first of all, I appreciate your effort in developing this useful library.
I'm trying to use it for signing XML responses in the Google Apps Single Sign On
process.
However I realized that there are some differences between the xmlsec1 command and
your library.
I've followed the test examples, but the result of the signing process isn't the
same in both executions.
In the xmlsec1 command, the RSA key is appended to the signed response; however
in the library test no key is added.
I've inspected the source code, and I've found an XMLSecurityDSig class method
called appendKey which calls an XMLSecurityKey class method called serializeKey,
but neither one is implemented.
I attach the original response, the xmlsec1 command signed response, and the
library signed response for comparison.
I write here, the test code:
$doc = new DOMDocument();
$doc->loadXML($responseXmlString);
I have to delete the Signature node, because the library doesn't notice its
presence (the xmlsec1 command detects the node and appends the values in it)
$nodelist=$doc->getElementsByTagName("Signature");
$parentnode=$doc->getElementsByTagName("Response");
$parentnode=$parentnode->item(0);
$domElement=$nodelist->item(0);
$parentnode->removeChild($domElement);
///////////////////////////////////////////
$objDSig = new XMLSecurityDSig();
$objDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
$objDSig->addReference($doc, XMLSecurityDSig::SHA1,
array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'));
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1,
array('type'=>'private'));
$objKey->loadKey($privKey,true);
$objDSig->appendKey($objKey); // DO NOTHING
$objDSig->sign($objKey);
$objDSig->appendSignature($doc->documentElement);
Sorry, but my skills in PHP DOM-XML and XML standards are poor.
I would like a response from you about the difficulty of completing the library,
which methods would be affected and in which way I could help.
Thanks so much.
Original issue reported on code.google.com by [email protected]
on 9 Aug 2011 at 9:36
Attachments:
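Both this report and the Modulus/Exponent request earlier on the page want a KeyInfo that the library version in question does not emit: a KeyValue/RSAKeyValue with the public key's Modulus and Exponent, optionally next to X509Data/X509Certificate. The following added example is not xmlseclibs code. It takes the modulus and exponent from openssl_pkey_get_details(), which returns them as big-endian binary strings under ['rsa']['n'] and ['rsa']['e'], base64-encodes them as ds:CryptoBinary requires, and appends the KeyInfo after SignatureValue (and before any Object element, as the schema orders them). The Signature skeleton, the freshly generated key and the absence of a certificate are all demo setup; a real certificate would be passed as PEM in $certPem.

```php
<?php
// Added example, not xmlseclibs code: build <KeyInfo> with RSAKeyValue (Modulus, Exponent)
// and optional X509Data/X509Certificate and append it to a <Signature>. Requires ext/openssl
// and PHP 5.3+ (closure). Key and Signature skeleton below are constructed for the demo.

define('DSIG_NS', 'http://www.w3.org/2000/09/xmldsig#');

function pemBodyOnly($pem) {
    // X509Certificate carries the DER certificate in base64: the PEM body without the
    // BEGIN/END lines and without line breaks.
    $body = '';
    foreach (preg_split('/\R/', trim($pem)) as $line) {
        if (strpos($line, '-----') === 0) { continue; }
        $body .= trim($line);
    }
    return $body;
}

function appendKeyInfo(DOMElement $signature, $publicKeyPem, $certPem = null, $prefix = 'ds') {
    $doc = $signature->ownerDocument;
    $q = function ($name) use ($prefix) { return $prefix === '' ? $name : "$prefix:$name"; };

    $details = openssl_pkey_get_details(openssl_pkey_get_public($publicKeyPem));
    if ($details === false || !isset($details['rsa'])) {
        throw new RuntimeException('not an RSA public key');
    }

    $keyInfo  = $doc->createElementNS(DSIG_NS, $q('KeyInfo'));
    $keyValue = $doc->createElementNS(DSIG_NS, $q('KeyValue'));
    $rsa      = $doc->createElementNS(DSIG_NS, $q('RSAKeyValue'));
    $rsa->appendChild($doc->createElementNS(DSIG_NS, $q('Modulus'),  base64_encode($details['rsa']['n'])));
    $rsa->appendChild($doc->createElementNS(DSIG_NS, $q('Exponent'), base64_encode($details['rsa']['e'])));
    $keyValue->appendChild($rsa);
    $keyInfo->appendChild($keyValue);

    if ($certPem !== null) {
        $x509Data = $doc->createElementNS(DSIG_NS, $q('X509Data'));
        $x509Data->appendChild($doc->createElementNS(DSIG_NS, $q('X509Certificate'), pemBodyOnly($certPem)));
        $keyInfo->appendChild($x509Data);
    }

    // Schema order: SignedInfo, SignatureValue, KeyInfo?, Object*.
    $objects = $signature->getElementsByTagNameNS(DSIG_NS, 'Object');
    if ($objects->length > 0) {
        $signature->insertBefore($keyInfo, $objects->item(0));
    } else {
        $signature->appendChild($keyInfo);
    }
    return $keyInfo;
}

// Demo only: a throwaway 2048-bit key and a Signature skeleton with a placeholder value.
$res    = openssl_pkey_new(array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA));
$pubPem = openssl_pkey_get_details($res);
$pubPem = $pubPem['key'];

$doc = new DOMDocument();
$doc->loadXML('<Root><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            . '<ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature></Root>');
$sig = $doc->getElementsByTagNameNS(DSIG_NS, 'Signature')->item(0);
appendKeyInfo($sig, $pubPem);
echo $doc->saveXML();
```

A verifier that receives such a KeyInfo must still decide for itself whether to trust the embedded key; the modulus and exponent in the document are a hint about which key was used, not evidence that it is the right one.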
getXPathObj to use let me know.
With all respect, I do not know.
I am not used to set xPath. Please.
- [email protected]
Original issue reported on code.google.com by [email protected]
on 18 Nov 2009 at 10:26
Support XAdES format.
http://en.wikipedia.org/wiki/XAdES
Original issue reported on code.google.com by [email protected]
on 1 Oct 2011 at 6:12
The patch in attachment adds HMAC-SHA1 support to the xmlseclibs library.
Interop with Java has been tested.
Original issue reported on code.google.com by [email protected]
on 14 Apr 2014 at 3:27
Attachments:
A similar CR to #71 but without changing members visibility (only marking them as deprecated) - the change to - at least - protected should be done in a later Version.
I'm not sure whether this is the right place, but I'd like to say thanks for such a great lib for PHP!
Like many other users, I also had a 'chance' to work with gov (i.e. Oracle's) services. This lib helped me a lot to understand the inner workings of xml-dsig, canonicalization etc.
So, if someone out there will ever have a chance to work with the Oracle OSB interface, I'd like to point out some steps in order to avoid pitfalls.
First, do not try to sign the entire message (SOAP envelope); you just need to sign the 'business part' of the message, i.e. the
<Transaction>..........</Transaction>
element, without the <soap-env ....> </soap-env> elements.
The hardest part was to find out how the damn thing (OSB) works with SOAP messages and what happens before it validates the signature.
So, you sign your message without any SOAP tags, and then, just before sending the HTTP POST request with the XML-SOAP as body, you put back the entire SOAP header, SOAP body etc. elements. OSB will wipe them out anyway and send only the business message for validation, but you're required to send the entire SOAP elements in order to pass OSB's parser; ugly, I know.
And the most interesting part: you just cannot have an XML declaration at all! If you leave the XML declaration on top of the SOAP-enveloped message, OSB will not be able to parse the message. So just remove the XML declaration.
Full example:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope"><soapenv:Header/><soapenv:Body>
<ExampleTransaction>
.... business data ..............
</ExampleTransaction>
</soapenv:Body></soapenv:Envelope>
Where only this part:
<ExampleTransaction>
.... business data ..............
</ExampleTransaction>
is being signed!
Also, you can have any prefix for ds:Signature; it just doesn't care what you put there, so I prefer empty prefixes, and doing that with xmlseclibs is as easy as:
$objDSig = new XMLSecurityDSig(0); //empty string or 0 (which evaluates as an empty value)
If anybody has any issues with OSB's black boxes, feel free to post a comment, so we could try to find a workaround with joined forces!
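The procedure above, sign the business element only with an unprefixed Signature and then wrap it in an envelope serialized without an XML declaration, as an added example that is not the poster's code and not xmlseclibs' own tests. It uses the xmlseclibs calls that appear elsewhere on this page (setCanonicalMethod, addReference, loadKey, add509Cert, sign with an append node) and assumes a 1.3.x or later release that has the RSA_SHA256 and SHA256 constants, a PEM private key in key.pem and its certificate in cert.pem (both assumed), and the standard SOAP 1.1 envelope namespace. The reference is made by Id rather than URI="" on purpose: with an enveloped-signature reference to the whole document, adding the envelope afterwards would change the referenced data and break the digest, whereas an Id reference stays valid after the element is moved into the Body.

```php
<?php
// Added example, not xmlseclibs' own code: sign <ExampleTransaction> with an empty
// Signature prefix, then wrap it in a SOAP envelope without an XML declaration.
// Assumes xmlseclibs 1.3.x+, key.pem and cert.pem (paths are placeholders).
require_once 'xmlseclibs.php';

function signBusinessElement($xml, $keyFile, $certFile) {
    $doc = new DOMDocument();
    $doc->preserveWhiteSpace = TRUE;
    $doc->formatOutput = FALSE;      // re-indenting after signing would change the digest
    $doc->loadXML($xml, LIBXML_NONET);

    $dsig = new XMLSecurityDSig('');  // empty prefix: <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    $dsig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    // Passing the element (not the document) makes the library add an Id attribute and
    // emit URI="#<id>", which survives the element being moved into a SOAP Body later.
    $dsig->addReference($doc->documentElement, XMLSecurityDSig::SHA256,
        array(XMLSecurityDSig::TR_ENV_SIG, XMLSecurityDSig::EXC_C14N));

    $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, array('type' => 'private'));
    $key->loadKey($keyFile, TRUE);                 // TRUE: argument is a file name
    $dsig->add509Cert(file_get_contents($certFile));
    $dsig->sign($key, $doc->documentElement);      // appends the enveloped Signature, then signs
    return $doc;
}

function wrapInSoapEnvelope(DOMDocument $signed) {
    $soapNs = 'http://schemas.xmlsoap.org/soap/envelope/';
    $env = new DOMDocument();
    $env->loadXML('<soapenv:Envelope xmlns:soapenv="' . $soapNs . '">'
                . '<soapenv:Header/><soapenv:Body/></soapenv:Envelope>');
    $body = $env->getElementsByTagNameNS($soapNs, 'Body')->item(0);
    $body->appendChild($env->importNode($signed->documentElement, TRUE));
    // saveXML() on an element rather than the document omits the <?xml ...?> declaration,
    // which is the form OSB is described as requiring above.
    return $env->saveXML($env->documentElement);
}

$signed = signBusinessElement(
    '<ExampleTransaction><Amount>10</Amount></ExampleTransaction>', 'key.pem', 'cert.pem');
echo wrapInSoapEnvelope($signed), "\n";
```

Exclusive canonicalization is what makes the move into the envelope safe: the Signature's canonical form does not pick up the soapenv namespace declaration from its new ancestors, so the digest and SignatureValue computed before wrapping remain valid after it.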
Would it be possible to add a license file to the source code?
The license seems to be http://opensource.org/licenses/BSD-3-Clause.
Original issue reported on code.google.com by [email protected]
on 18 Jun 2013 at 8:00
Currently simpleSAMLphp depends on an svn checkout of the project due to the
need to have new signature methods. Would it be possible to create a new
release?
Original issue reported on code.google.com by [email protected]
on 7 Jun 2013 at 9:29
Wiki branch was automatically migrated from Google Code.
It actually has the same contents as README.md.
Hello!
I know that you maintain this wonderful xmlseclib library which I am currently using.
And I have a question about it; maybe you could help me with finding a proper solution.
Here is a problem:
This is the WS-POLICY for the service:
<wsp:Policy wsu:Id="CustomBinding_IServiceCustomer_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireDerivedKeys/>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:SymmetricBinding>
<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
<sp:RequireSignatureConfirmation/>
</wsp:Policy>
</sp:Wss11>
<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust10>
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<wsaw:UsingAddressing/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
The problem is following:
As a result, I receive the following response after I send the generated XML:
CryptographicException: Unable to resolve the '#...' URI in the signature to compute the digest.
Can you please help me with those tokens? Do you find it reasonable to add such support for DerivedKeyToken into your class?
Thank you!
What steps will reproduce the problem?
1. Tried to canonicalize an XML
What is the expected output? What do you see instead?
Expected output: canonicalized XML. Instead: Call to undefined method
SimpleXMLElement::importNode() in xmlseclibs.php on line 77
What version of the product are you using? On what operating system?
xmlseclibs 1.3.1, PHP 5.3.3
Please provide any additional information below.
Method appendChild was replaced by addChild
Original issue reported on code.google.com by [email protected]
on 14 Nov 2013 at 8:14
Hi,
I have the following PHP code to generate SOAP code using xmlseclibs, soap-wsa
and soap-wsse.
I am tasked to connect using SOAP to the staging server, which uses a self-signed
certificate.
My code below sends a request to the client's server, however it generates
"hash values do not match" on the server side.
<?php
ini_set('display_errors', 'On');
require('soap-wsa.php');
require('soap-wsse.php');
define('PRIVATE_KEY', 'privatekey-20150225.pem');
define('CERT_FILE', 'selfsignedcertificate-20150225.crt');

class mySoap extends SoapClient {
    function __doRequest($request, $location, $saction, $version) {
        $dom = new DOMDocument();
        $dom->loadXML($request);
        $objWSA = new WSASoap($dom);
        $objWSA->addAction($saction);
        $objWSA->addTo($location);
        $objWSA->addMessageID();
        $objWSA->addReplyTo();
        $dom = $objWSA->getDoc();
        $objWSSE = new WSSESoap($dom);
        /* Sign all headers to include signing the WS-Addressing headers */
        $objWSSE->signAllHeaders = TRUE;
        $objWSSE->addTimestamp();
        /* create new XMLSec Key using RSA SHA-1 and type is private key */
        $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));
        /* load the private key from file - last arg is bool if key in file (TRUE) or is string (FALSE) */
        $objKey->loadKey(PRIVATE_KEY, TRUE);
        /* Sign the message - also signs appropriate WS-Security items */
        $objWSSE->signSoapDoc($objKey);
        /* Add certificate (BinarySecurityToken) to the message and attach pointer to Signature */
        $token = $objWSSE->addBinaryToken(file_get_contents(CERT_FILE));
        $objWSSE->attachTokentoSig($token);
        $request = $objWSSE->saveXML();
        return parent::__doRequest($request, $location, $saction, $version);
    }
}

$url = "TheURL"; // censored
$wsdl = "TheWSDL"; // censored
$client = new mySoap($wsdl, array(
    'trace' => 1,
    'exceptions' => 0,
    'uri'=>$url,
    'location'=>$url,
));
$result = $client->ReturnWorkEntitlement(
    array(
        'Id'=>'1',
        "PersonIdentifier"=>array(
            "FamilyName"=>"Jane",
            "GivenNames"=>"Doe",
            "BirthDate"=>array(
                "BirthDay"=>"---01",
                "BirthMonth"=>"--03",
                "BirthYear"=>"1964"
            )
        )
    )
);
?>
What is the expected output? What do you see instead?
It should connect to the server and display the correct answer to your
question.
What version of the product are you using? On what operating system?
1.3.0-dev in Windows 7.
I have tried tweaking here and there for 2-3 days, but to no avail.
Please advise whether my code is correct or not, especially since this is
supposed to be a self-signed X509 certificate.
Original issue reported on code.google.com by [email protected]
on 4 Mar 2015 at 5:26
Any plans to support ECDSA in the near future?
I'm a newbie.
Any help with this?
Thanks in advance
@EvgenyNikolaev said:
I'm not sure, but I think this is a bug
first the key is set as a certificate string
openssl_x509_export($this->key, $str_cert);
...
$this->key = $str_cert;
and then it tries to get the private key from the cert string
$this->key = openssl_get_privatekey($this->key, $this->passphrase);
If I'm not right, then sorry for wasting your time.
Web: EvgenyNikolaev/xmlseclibs@403b12f
Patch:
https://github.com/EvgenyNikolaev/xmlseclibs/commit/403b12fc71bb3238046fa7869d07344b8861e357.patch
Undefined variable: issuer in xmlseclibs/xmlseclibs.php on line 1375
change
array_unshift($parts, "$key=$value" . $issuer);
to
array_unshift($parts, "$key=$value");
Original issue reported on code.google.com by [email protected]
on 14 Nov 2013 at 11:29
Hello.
Here is a fork with namespaces (and 2 bugs fixed):
https://github.com/jamm/XMLSecurity
If the owner of the original code requests that I delete this, I'll delete it.
Hope this code will be useful somehow for somebody.
Original issue reported on code.google.com by [email protected]
on 3 Sep 2013 at 12:48
I receive this
<DAERespuesta>
<Objeto>
<ErrorCodigo>1</ErrorCodigo>
<ErrorDescripcion>Sobre en archivo</ErrorDescripcion>
<FechaHoraArchivado>2012-02-23 19:32:02</FechaHoraArchivado>
</Objeto>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>EPotVVQvsv9YuFKiBqXPGQLlJZg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
JMIKvfJKbqbCusCHKh9BbHoSeMjGYpwXxJXCLROVGoWN+Q+PdGv3kNiwuHMxnK0j1BphdjKesee7T0g0
mFQpkJRrfwRKXqzwk/DEDoZ4sV56t6botF/Mk1XQ8FZbEBTByq+2sxHhIRxcMunxT+3/U0TkYFtOWLlS
5Izjs0IUVSw=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIFfjCCA2agAwIBAgIQXSJREhWadv9PUQE2Ra5EtzANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV
WTErMCkGA1UECgwiQURNSU5JU1RSQUNJT04gTkFDSU9OQUwgREUgQ09SUkVPUzEfMB0GA1UECwwWU0VS
VklD
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</DAERespuesta>
and C# doesn't validate because of the ds: prefix in the signature labels. Please let me know
if there is a way to safely remove this prefix. I removed it manually in
xmlseclibs.php line 655 (private $prefix = 'ds';) by changing it to private $prefix =
''; but this change throws exceptions. I realize the prefix is needed in other
ways, not only as the prefix of the signature tags... so I don't know how to remove
this ds: prefix only in the tags???
Original issue reported on code.google.com by [email protected]
on 13 Mar 2012 at 9:48
What steps will reproduce the problem?
1. Create a text node in XML with a line break, e.g. <address>large text {line break}
large text</address>
2. Sign xml
3. Try to verify signature in other software
I used a Java application to send/receive XML messages with signatures between
PHP and Java.
The problem is with line breaks in text elements and the C14N function. The C14N function
won't remove the line break while the other software did remove it when canonicalizing the XML. So
the hash of the XML was different.
That was my problem.
To fix it, replace the return in function canonicalizeData with:
return str_replace(array("\r\n", "\n\r", "\r", "\n"), '',
$node->C14N($exclusive, $withComments, $arXPath, $prefixList));
Original issue reported on code.google.com by [email protected]
on 7 May 2014 at 7:59
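For the digest mismatches reported above (the "hash values do not match" report and the line-break report), the fastest way to pin down the cause is to recompute exactly what a verifier digests. This is an added example, not xmlseclibs code; it assumes the enveloped-signature transform with inclusive C14N (REC-xml-c14n-20010315, no comments) and SHA-1, as in the DAERespuesta signature above, and the `<address>` sample is constructed.

```php
<?php
// Added example, not xmlseclibs code: recompute the digest a verifier forms
// for an enveloped ds:Reference URI="" so a mismatch can be traced to the
// exact canonical bytes. Assumes inclusive C14N without comments and SHA-1;
// other algorithms need the matching hash call.

const DS_NS = 'http://www.w3.org/2000/09/xmldsig#';

// Enveloped-signature transform: remove every ds:Signature from a copy of the
// document, then canonicalize what is left. Whitespace and line breaks inside
// text nodes are signed data and are deliberately left untouched.
function envelopedC14N(DOMDocument $doc): string
{
    $copy = new DOMDocument();
    $copy->preserveWhiteSpace = true;
    $copy->loadXML($doc->saveXML());
    $sigs = iterator_to_array($copy->getElementsByTagNameNS(DS_NS, 'Signature'));
    foreach ($sigs as $sig) {
        $sig->parentNode->removeChild($sig);
    }
    return $copy->C14N(false, false);          // inclusive C14N, no comments
}

// Base64(SHA-1(canonical bytes)) is the value ds:DigestValue must carry.
function expectedDigestValue(DOMDocument $doc): string
{
    return base64_encode(sha1(envelopedC14N($doc), true));
}

// Compare the recomputed digest with the DigestValue embedded in the document.
function digestMatches(DOMDocument $doc): bool
{
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('ds', DS_NS);
    $q = 'string(//ds:Signature/ds:SignedInfo/ds:Reference[@URI=""]/ds:DigestValue)';
    return hash_equals(trim($xp->evaluate($q)), expectedDigestValue($doc));
}

// Constructed sample: the only difference is a line break inside a text node.
// The canonical form keeps it, so the two digests differ.
foreach (["<address>large text\nlarge text</address>",
          "<address>large text large text</address>"] as $xml) {
    $d = new DOMDocument();
    $d->loadXML($xml);
    echo base64_encode(sha1($d->C14N(false, false), true)), "\n";
}
```

Run `digestMatches()` on the saved request or response on both sides; when it fails, diffing the bytes returned by `envelopedC14N()` from each implementation shows where the canonical forms diverge.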
Even if there is no need for doc-blocks while using IDEs, it is helpful if you are looking at the code e.g. via GitHub.
Can you tell me how to validate an XML document signed with your library in a C# program? I'm trying to do that but I can't. THK and sorry for my bad English lol
When decryptNode() replaces encrypted data with the unencrypted node it uses
DOMElement::replaceChild().
For some reason PHP thought it would be a fun idea to suddenly inject a new
namespace prefix into the document called "default".
This screws over signature validation of the data, because suddenly "Signature"
becomes "default:Signature" ("SignedInfo" becomes "default:SignedInfo" and so
on for all descendants).
Mind you, the default namespace of "SignedInfo" is actually set
("xmlns="http://www.w3.org/2000/09/xmldsig#"), so if the DOM lib just left the
element untouched everything would've been fine.
The problem occurs on line 1606:
https://code.google.com/p/xmlseclibs/source/browse/trunk/xmlseclibs.php?r=52#1606
The following added line fixed it for me:
$importEnc->removeAttributeNS('http://www.w3.org/2000/09/xmldsig#', 'default');
That is obviously not a very nice or general solution to the problem, but I
thought it'd be better to share than not :-)
Original issue reported on code.google.com by [email protected]
on 6 May 2014 at 4:52
I'm noticing that when I try validateReference on an incoming SAML 2.0 token from
a Thinktecture IdM, the validation fails because the data sent to validateDigest is
null, since it fails to populate the $dataObject in processRefNode(). I
realized it's null because the xpath query is looking for the "Id" attribute in
the Assertion element instead of an "ID" attribute. So far, from what I've
researched, the attribute should be caps, "ID". If there's a specific case
where "Id" is also appropriate, cool; perhaps adding a check for both would
be a solution?
Using xmlseclibs 1.3.1
Original issue reported on code.google.com by [email protected]
on 4 Feb 2015 at 8:00
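One way to implement the "check for both" suggested above, as an added example that is not xmlseclibs' own code: a reference resolver that tries the ID attribute spellings seen in practice (SAML 2.0 `ID`, `Id`, `id`, `xml:id`, WS-Security `wsu:Id`) and refuses ambiguous matches. The function name and the SAML assertion sample are constructed for this illustration.

```php
<?php
// Added example, not xmlseclibs code: resolve a ds:Reference URI="#..." to the
// element it points at, trying every ID-typed attribute name seen in practice.
// SAML 2.0 assertions carry "ID"; WS-Security uses wsu:Id; xml:id also occurs.

const SAML_NS = 'urn:oasis:names:tc:SAML:2.0:assertion';
const WSU_NS  = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd';

// Returns the single element whose id attribute equals the fragment, or null.
// Exactly one match is required: a signature over a reference that resolves
// to two different elements proves nothing about either of them.
function resolveReferenceId(DOMDocument $doc, string $uri): ?DOMElement
{
    if ($uri === '' || $uri[0] !== '#') {
        return null;                       // only same-document fragment refs here
    }
    $id = substr($uri, 1);
    // The id is checked against a conservative NCName subset before it is
    // interpolated, so a crafted URI cannot change the XPath expression.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9._-]*$/', $id)) {
        return null;
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('wsu', WSU_NS);   // the xml prefix is predefined
    $expr = "//*[@ID='$id' or @Id='$id' or @id='$id' or @xml:id='$id' or @wsu:Id='$id']";
    $nodes = $xp->query($expr);
    if ($nodes === false || $nodes->length !== 1) {
        return null;                       // missing or ambiguous: treat as failure
    }
    return $nodes->item(0);
}

// Constructed SAML-style assertion using the upper-case ID attribute.
$xml = '<saml:Assertion xmlns:saml="' . SAML_NS . '" ID="_abc123" Version="2.0">'
     . '<saml:Issuer>https://idp.example</saml:Issuer></saml:Assertion>';
$doc = new DOMDocument();
$doc->loadXML($xml);
$el = resolveReferenceId($doc, '#_abc123');
echo $el === null ? "unresolved\n" : $el->localName . "\n";   // Assertion
```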