From 96f8415b9238497e35bf122927f77f4585a4c194 Mon Sep 17 00:00:00 2001 From: Andreas Schamberger Date: Wed, 21 Aug 2013 22:32:09 +0200 Subject: [PATCH] added encryption to WS Security --- src/BeSimple/SoapServer/WsSecurityFilter.php | 295 +++---------------- 1 file changed, 38 insertions(+), 257 deletions(-) diff --git a/src/BeSimple/SoapServer/WsSecurityFilter.php b/src/BeSimple/SoapServer/WsSecurityFilter.php index 81e5486..6e412b2 100644 --- a/src/BeSimple/SoapServer/WsSecurityFilter.php +++ b/src/BeSimple/SoapServer/WsSecurityFilter.php @@ -24,6 +24,7 @@ use BeSimple\SoapCommon\SoapRequestFilter; use BeSimple\SoapCommon\SoapResponse as CommonSoapResponse; use BeSimple\SoapCommon\SoapResponseFilter; use BeSimple\SoapCommon\WsSecurityKey; +use BeSimple\SoapCommon\WsSecurityFilterClientServer; /** * This plugin implements a subset of the following standards: @@ -36,77 +37,8 @@ use BeSimple\SoapCommon\WsSecurityKey; * * @author Andreas Schamberger */ -class WsSecurityFilter implements SoapRequestFilter, SoapResponseFilter +class WsSecurityFilter extends WsSecurityFilterClientServer implements SoapRequestFilter, SoapResponseFilter { - /* - * The date format to be used with {@link \DateTime} - */ - const DATETIME_FORMAT = 'Y-m-d\TH:i:s.000\Z'; - - /** - * (X509 3.2.1) Reference to a Subject Key Identifier - */ - const TOKEN_REFERENCE_SUBJECT_KEY_IDENTIFIER = 0; - - /** - * (X509 3.2.1) Reference to a Security Token - */ - const TOKEN_REFERENCE_SECURITY_TOKEN = 1; - - /** - * (SMS_1.1 7.3) Key Identifiers - */ - const TOKEN_REFERENCE_THUMBPRINT_SHA1 = 2; - - /** - * Actor. - * - * @var string - */ - protected $actor; - - /** - * (SMS 10) Add security timestamp. - * - * @var boolean - */ - protected $addTimestamp; - - /** - * (SMS 10) Security timestamp expires time in seconds. - * - * @var int - */ - protected $expires; - - /** - * Sign all headers. - * - * @var boolean - */ - protected $signAllHeaders; - - /** - * (X509 3.2) Token reference type for encryption. - * - * @var int - */ - protected $tokenReferenceEncryption = null; - - /** - * (X509 3.2) Token reference type for signature. - * - * @var int - */ - protected $tokenReferenceSignature = null; - - /** - * Service WsSecurityKey. - * - * @var \BeSimple\SoapCommon\WsSecurityKey - */ - protected $serviceSecurityKey; - /** * Username/password callback that returns password or null. * @@ -114,20 +46,6 @@ class WsSecurityFilter implements SoapRequestFilter, SoapResponseFilter */ protected $usernamePasswordCallback; - /** - * Constructor. - * - * @param boolean $addTimestamp (SMS 10) Add security timestamp. - * @param int $expires (SMS 10) Security timestamp expires time in seconds. - * @param string $actor SOAP actor - */ - public function __construct($addTimestamp = true, $expires = 300, $actor = null) - { - $this->addTimestamp = $addTimestamp; - $this->expires = $expires; - $this->actor = $actor; - } - /** * Set username/password callback that returns password or null. * @@ -145,43 +63,10 @@ class WsSecurityFilter implements SoapRequestFilter, SoapResponseFilter */ public function resetFilter() { - $this->actor = null; - $this->addTimestamp = null; - $this->expires = null; - $this->serviceSecurityKey = null; - $this->signAllHeaders = null; - $this->tokenReferenceEncryption = null; - $this->tokenReferenceSignature = null; + parent::resetFilter(); $this->usernamePasswordCallback = null; } - /** - * Get service security key. - * - * @param \BeSimple\SoapCommon\WsSecurityKey $serviceSecurityKey Service security key - * - * @return void - */ - public function setServiceSecurityKeyObject(WsSecurityKey $serviceSecurityKey) - { - $this->serviceSecurityKey = $serviceSecurityKey; - } - - - /** - * Set security options. - * - * @param int $tokenReference self::TOKEN_REFERENCE_SUBJECT_KEY_IDENTIFIER | self::TOKEN_REFERENCE_SECURITY_TOKEN | self::TOKEN_REFERENCE_THUMBPRINT_SHA1 - * @param boolean $signAllHeaders Sign all headers? - * - * @return void - */ - public function setSecurityOptionsSignature($tokenReference, $signAllHeaders = false) - { - $this->tokenReferenceSignature = $tokenReference; - $this->signAllHeaders = $signAllHeaders; - } - /** * Modify the given request XML. * @@ -235,6 +120,17 @@ class WsSecurityFilter implements SoapRequestFilter, SoapResponseFilter $keyResolver = array($this, 'keyInfoSecurityTokenReferenceResolver'); XmlSecurityDSig::addKeyInfoResolver(Helper::NS_WSS, 'SecurityTokenReference', $keyResolver); + // do we have a reference list in header + $referenceList = XmlSecurityEnc::locateReferenceList($security); + // get a list of encrypted nodes + $encryptedNodes = XmlSecurityEnc::locateEncryptedData($dom, $referenceList); + // decrypt them + if (null !== $encryptedNodes) { + foreach ($encryptedNodes as $encryptedNode) { + XmlSecurityEnc::decryptNode($encryptedNode); + } + } + // locate signature node $signature = XmlSecurityDSig::locateSignature($security); if (null !== $signature) { @@ -297,15 +193,15 @@ class WsSecurityFilter implements SoapRequestFilter, SoapResponseFilter $security->appendChild($timestamp); } - if (null !== $this->serviceSecurityKey && $this->serviceSecurityKey->hasKeys()) { + if (null !== $this->userSecurityKey && $this->userSecurityKey->hasKeys()) { $guid = 'CertId-' . Helper::generateUUID(); // add token references $keyInfo = null; if (null !== $this->tokenReferenceSignature) { - $keyInfo = $this->createKeyInfo($filterHelper, $this->tokenReferenceSignature, $guid, $this->serviceSecurityKey->getPublicKey()); + $keyInfo = $this->createKeyInfo($filterHelper, $this->tokenReferenceSignature, $guid, $this->userSecurityKey->getPublicKey()); } $nodes = $this->createNodeListForSigning($dom, $security); - $signature = XmlSecurityDSig::createSignature($this->serviceSecurityKey->getPrivateKey(), XmlSecurityDSig::EXC_C14N, $security, null, $keyInfo); + $signature = XmlSecurityDSig::createSignature($this->userSecurityKey->getPrivateKey(), XmlSecurityDSig::EXC_C14N, $security, null, $keyInfo); $options = array( 'id_ns_prefix' => Helper::PFX_WSU, 'id_prefix_ns' => Helper::NS_WSU, @@ -313,151 +209,36 @@ class WsSecurityFilter implements SoapRequestFilter, SoapResponseFilter foreach ($nodes as $node) { XmlSecurityDSig::addNodeToSignature($signature, $node, XmlSecurityDSig::SHA1, XmlSecurityDSig::EXC_C14N, $options); } - XmlSecurityDSig::signDocument($signature, $this->serviceSecurityKey->getPrivateKey(), XmlSecurityDSig::EXC_C14N); + XmlSecurityDSig::signDocument($signature, $this->userSecurityKey->getPrivateKey(), XmlSecurityDSig::EXC_C14N); - $publicCertificate = $this->serviceSecurityKey->getPublicKey()->getX509Certificate(true); + $publicCertificate = $this->userSecurityKey->getPublicKey()->getX509Certificate(true); $binarySecurityToken = $filterHelper->createElement(Helper::NS_WSS, 'BinarySecurityToken', $publicCertificate); $filterHelper->setAttribute($binarySecurityToken, null, 'EncodingType', Helper::NAME_WSS_SMS . '#Base64Binary'); $filterHelper->setAttribute($binarySecurityToken, null, 'ValueType', Helper::NAME_WSS_X509 . '#X509v3'); $filterHelper->setAttribute($binarySecurityToken, Helper::NS_WSU, 'Id', $guid); $security->insertBefore($binarySecurityToken, $signature); - } - } - - /** - * Adds the configured KeyInfo to the parentNode. - * - * @param FilterHelper $filterHelper Filter helper object - * @param int $tokenReference Token reference type - * @param string $guid Unique ID - * @param \ass\XmlSecurity\Key $xmlSecurityKey XML security key - * - * @return \DOMElement - */ - protected function createKeyInfo(FilterHelper $filterHelper, $tokenReference, $guid, XmlSecurityKey $xmlSecurityKey = null) - { - $keyInfo = $filterHelper->createElement(XmlSecurityDSig::NS_XMLDSIG, 'KeyInfo'); - $securityTokenReference = $filterHelper->createElement(Helper::NS_WSS, 'SecurityTokenReference'); - $keyInfo->appendChild($securityTokenReference); - // security token - if (self::TOKEN_REFERENCE_SECURITY_TOKEN === $tokenReference) { - $reference = $filterHelper->createElement(Helper::NS_WSS, 'Reference'); - $filterHelper->setAttribute($reference, null, 'URI', '#' . $guid); - if (null !== $xmlSecurityKey) { - $filterHelper->setAttribute($reference, null, 'ValueType', Helper::NAME_WSS_X509 . '#X509v3'); - } - $securityTokenReference->appendChild($reference); - // subject key identifier - } elseif (self::TOKEN_REFERENCE_SUBJECT_KEY_IDENTIFIER === $tokenReference && null !== $xmlSecurityKey) { - $keyIdentifier = $filterHelper->createElement(Helper::NS_WSS, 'KeyIdentifier'); - $filterHelper->setAttribute($keyIdentifier, null, 'EncodingType', Helper::NAME_WSS_SMS . '#Base64Binary'); - $filterHelper->setAttribute($keyIdentifier, null, 'ValueType', Helper::NAME_WSS_X509 . '#509SubjectKeyIdentifier'); - $securityTokenReference->appendChild($keyIdentifier); - $certificate = $xmlSecurityKey->getX509SubjectKeyIdentifier(); - $dataNode = new \DOMText($certificate); - $keyIdentifier->appendChild($dataNode); - // thumbprint sha1 - } elseif (self::TOKEN_REFERENCE_THUMBPRINT_SHA1 === $tokenReference && null !== $xmlSecurityKey) { - $keyIdentifier = $filterHelper->createElement(Helper::NS_WSS, 'KeyIdentifier'); - $filterHelper->setAttribute($keyIdentifier, null, 'EncodingType', Helper::NAME_WSS_SMS . '#Base64Binary'); - $filterHelper->setAttribute($keyIdentifier, null, 'ValueType', Helper::NAME_WSS_SMS_1_1 . '#ThumbprintSHA1'); - $securityTokenReference->appendChild($keyIdentifier); - $thumbprintSha1 = base64_encode(sha1(base64_decode($xmlSecurityKey->getX509Certificate(true)), true)); - $dataNode = new \DOMText($thumbprintSha1); - $keyIdentifier->appendChild($dataNode); - } - - return $keyInfo; - } - - /** - * Create a list of \DOMNodes that should be signed. - * - * @param \DOMDocument $dom DOMDocument to query - * @param \DOMElement $security Security element - * - * @return array(\DOMNode) - */ - protected function createNodeListForSigning(\DOMDocument $dom, \DOMElement $security) - { - $nodes = array(); - $body = $dom->getElementsByTagNameNS($dom->documentElement->namespaceURI, 'Body')->item(0); - if (null !== $body) { - $nodes[] = $body; - } - foreach ($security->childNodes as $node) { - if (XML_ELEMENT_NODE === $node->nodeType) { - $nodes[] = $node; - } - } - if ($this->signAllHeaders) { - foreach ($security->parentNode->childNodes as $node) { - if (XML_ELEMENT_NODE === $node->nodeType && - Helper::NS_WSS !== $node->namespaceURI) { - $nodes[] = $node; + // encrypt soap document + if (null !== $this->serviceSecurityKey && $this->serviceSecurityKey->hasKeys()) { + $guid = 'EncKey-' . Helper::generateUUID(); + // add token references + $keyInfo = null; + if (null !== $this->tokenReferenceEncryption) { + $keyInfo = $this->createKeyInfo($filterHelper, $this->tokenReferenceEncryption, $guid, $this->serviceSecurityKey->getPublicKey()); + } + $encryptedKey = XmlSecurityEnc::createEncryptedKey($guid, $this->serviceSecurityKey->getPrivateKey(), $this->serviceSecurityKey->getPublicKey(), $security, $signature, $keyInfo); + $referenceList = XmlSecurityEnc::createReferenceList($encryptedKey); + // token reference to encrypted key + $keyInfo = $this->createKeyInfo($filterHelper, self::TOKEN_REFERENCE_SECURITY_TOKEN, $guid); + $nodes = $this->createNodeListForEncryption($dom, $security); + foreach ($nodes as $node) { + $type = XmlSecurityEnc::ELEMENT; + if ($node->localName == 'Body') { + $type = XmlSecurityEnc::CONTENT; + } + XmlSecurityEnc::encryptNode($node, $type, $this->serviceSecurityKey->getPrivateKey(), $referenceList, $keyInfo); } } } - - return $nodes; - } - - /** - * Gets the referenced node for the given URI. - * - * @param \DOMElement $node Node - * @param string $uri URI - * - * @return \DOMElement - */ - protected function getReferenceNodeForUri(\DOMElement $node, $uri) - { - $url = parse_url($uri); - $referenceId = $url['fragment']; - $query = '//*[@'.Helper::PFX_WSU.':Id="'.$referenceId.'" or @Id="'.$referenceId.'"]'; - $xpath = new \DOMXPath($node->ownerDocument); - $xpath->registerNamespace(Helper::PFX_WSU, Helper::NS_WSU); - - return $xpath->query($query)->item(0); - } - - /** - * Tries to resolve a key from the given \DOMElement. - * - * @param \DOMElement $node Node where to resolve the key - * @param string $algorithm XML security key algorithm - * - * @return \ass\XmlSecurity\Key|null - */ - public function keyInfoSecurityTokenReferenceResolver(\DOMElement $node, $algorithm) - { - foreach ($node->childNodes as $key) { - if (Helper::NS_WSS === $key->namespaceURI) { - switch ($key->localName) { - case 'KeyIdentifier': - - return $this->serviceSecurityKey->getPublicKey(); - case 'Reference': - $uri = $key->getAttribute('URI'); - $referencedNode = $this->getReferenceNodeForUri($node, $uri); - - if (XmlSecurityEnc::NS_XMLENC === $referencedNode->namespaceURI - && 'EncryptedKey' == $referencedNode->localName) { - $key = XmlSecurityEnc::decryptEncryptedKey($referencedNode, $this->serviceSecurityKey->getPrivateKey()); - - return XmlSecurityKey::factory($algorithm, $key, false, XmlSecurityKey::TYPE_PRIVATE); - } elseif (Helper::NS_WSS === $referencedNode->namespaceURI - && 'BinarySecurityToken' == $referencedNode->localName) { - - $key = XmlSecurityPem::formatKeyInPemFormat($referencedNode->textContent); - - return XmlSecurityKey::factory(XmlSecurityKey::RSA_SHA1, $key, false, XmlSecurityKey::TYPE_PUBLIC); - } - } - } - } - - return null; } } \ No newline at end of file