added encryption to WS Security

This commit is contained in:
Andreas Schamberger 2013-08-21 22:32:09 +02:00
parent 5229091033
commit 96f8415b92
1 changed files with 38 additions and 257 deletions

View File

@ -24,6 +24,7 @@ use BeSimple\SoapCommon\SoapRequestFilter;
use BeSimple\SoapCommon\SoapResponse as CommonSoapResponse; use BeSimple\SoapCommon\SoapResponse as CommonSoapResponse;
use BeSimple\SoapCommon\SoapResponseFilter; use BeSimple\SoapCommon\SoapResponseFilter;
use BeSimple\SoapCommon\WsSecurityKey; use BeSimple\SoapCommon\WsSecurityKey;
use BeSimple\SoapCommon\WsSecurityFilterClientServer;
/** /**
* This plugin implements a subset of the following standards: * This plugin implements a subset of the following standards:
@ -36,77 +37,8 @@ use BeSimple\SoapCommon\WsSecurityKey;
* *
* @author Andreas Schamberger <mail@andreass.net> * @author Andreas Schamberger <mail@andreass.net>
*/ */
class WsSecurityFilter implements SoapRequestFilter, SoapResponseFilter class WsSecurityFilter extends WsSecurityFilterClientServer implements SoapRequestFilter, SoapResponseFilter
{ {
/*
* The date format to be used with {@link \DateTime}
*/
const DATETIME_FORMAT = 'Y-m-d\TH:i:s.000\Z';
/**
* (X509 3.2.1) Reference to a Subject Key Identifier
*/
const TOKEN_REFERENCE_SUBJECT_KEY_IDENTIFIER = 0;
/**
* (X509 3.2.1) Reference to a Security Token
*/
const TOKEN_REFERENCE_SECURITY_TOKEN = 1;
/**
* (SMS_1.1 7.3) Key Identifiers
*/
const TOKEN_REFERENCE_THUMBPRINT_SHA1 = 2;
/**
* Actor.
*
* @var string
*/
protected $actor;
/**
* (SMS 10) Add security timestamp.
*
* @var boolean
*/
protected $addTimestamp;
/**
* (SMS 10) Security timestamp expires time in seconds.
*
* @var int
*/
protected $expires;
/**
* Sign all headers.
*
* @var boolean
*/
protected $signAllHeaders;
/**
* (X509 3.2) Token reference type for encryption.
*
* @var int
*/
protected $tokenReferenceEncryption = null;
/**
* (X509 3.2) Token reference type for signature.
*
* @var int
*/
protected $tokenReferenceSignature = null;
/**
* Service WsSecurityKey.
*
* @var \BeSimple\SoapCommon\WsSecurityKey
*/
protected $serviceSecurityKey;
/** /**
* Username/password callback that returns password or null. * Username/password callback that returns password or null.
* *
@ -114,20 +46,6 @@ class WsSecurityFilter implements SoapRequestFilter, SoapResponseFilter
*/ */
protected $usernamePasswordCallback; protected $usernamePasswordCallback;
/**
* Constructor.
*
* @param boolean $addTimestamp (SMS 10) Add security timestamp.
* @param int $expires (SMS 10) Security timestamp expires time in seconds.
* @param string $actor SOAP actor
*/
public function __construct($addTimestamp = true, $expires = 300, $actor = null)
{
$this->addTimestamp = $addTimestamp;
$this->expires = $expires;
$this->actor = $actor;
}
/** /**
* Set username/password callback that returns password or null. * Set username/password callback that returns password or null.
* *
@ -145,43 +63,10 @@ class WsSecurityFilter implements SoapRequestFilter, SoapResponseFilter
*/ */
public function resetFilter() public function resetFilter()
{ {
$this->actor = null; parent::resetFilter();
$this->addTimestamp = null;
$this->expires = null;
$this->serviceSecurityKey = null;
$this->signAllHeaders = null;
$this->tokenReferenceEncryption = null;
$this->tokenReferenceSignature = null;
$this->usernamePasswordCallback = null; $this->usernamePasswordCallback = null;
} }
/**
* Get service security key.
*
* @param \BeSimple\SoapCommon\WsSecurityKey $serviceSecurityKey Service security key
*
* @return void
*/
public function setServiceSecurityKeyObject(WsSecurityKey $serviceSecurityKey)
{
$this->serviceSecurityKey = $serviceSecurityKey;
}
/**
* Set security options.
*
* @param int $tokenReference self::TOKEN_REFERENCE_SUBJECT_KEY_IDENTIFIER | self::TOKEN_REFERENCE_SECURITY_TOKEN | self::TOKEN_REFERENCE_THUMBPRINT_SHA1
* @param boolean $signAllHeaders Sign all headers?
*
* @return void
*/
public function setSecurityOptionsSignature($tokenReference, $signAllHeaders = false)
{
$this->tokenReferenceSignature = $tokenReference;
$this->signAllHeaders = $signAllHeaders;
}
/** /**
* Modify the given request XML. * Modify the given request XML.
* *
@ -235,6 +120,17 @@ class WsSecurityFilter implements SoapRequestFilter, SoapResponseFilter
$keyResolver = array($this, 'keyInfoSecurityTokenReferenceResolver'); $keyResolver = array($this, 'keyInfoSecurityTokenReferenceResolver');
XmlSecurityDSig::addKeyInfoResolver(Helper::NS_WSS, 'SecurityTokenReference', $keyResolver); XmlSecurityDSig::addKeyInfoResolver(Helper::NS_WSS, 'SecurityTokenReference', $keyResolver);
// do we have a reference list in header
$referenceList = XmlSecurityEnc::locateReferenceList($security);
// get a list of encrypted nodes
$encryptedNodes = XmlSecurityEnc::locateEncryptedData($dom, $referenceList);
// decrypt them
if (null !== $encryptedNodes) {
foreach ($encryptedNodes as $encryptedNode) {
XmlSecurityEnc::decryptNode($encryptedNode);
}
}
// locate signature node // locate signature node
$signature = XmlSecurityDSig::locateSignature($security); $signature = XmlSecurityDSig::locateSignature($security);
if (null !== $signature) { if (null !== $signature) {
@ -297,15 +193,15 @@ class WsSecurityFilter implements SoapRequestFilter, SoapResponseFilter
$security->appendChild($timestamp); $security->appendChild($timestamp);
} }
if (null !== $this->serviceSecurityKey && $this->serviceSecurityKey->hasKeys()) { if (null !== $this->userSecurityKey && $this->userSecurityKey->hasKeys()) {
$guid = 'CertId-' . Helper::generateUUID(); $guid = 'CertId-' . Helper::generateUUID();
// add token references // add token references
$keyInfo = null; $keyInfo = null;
if (null !== $this->tokenReferenceSignature) { if (null !== $this->tokenReferenceSignature) {
$keyInfo = $this->createKeyInfo($filterHelper, $this->tokenReferenceSignature, $guid, $this->serviceSecurityKey->getPublicKey()); $keyInfo = $this->createKeyInfo($filterHelper, $this->tokenReferenceSignature, $guid, $this->userSecurityKey->getPublicKey());
} }
$nodes = $this->createNodeListForSigning($dom, $security); $nodes = $this->createNodeListForSigning($dom, $security);
$signature = XmlSecurityDSig::createSignature($this->serviceSecurityKey->getPrivateKey(), XmlSecurityDSig::EXC_C14N, $security, null, $keyInfo); $signature = XmlSecurityDSig::createSignature($this->userSecurityKey->getPrivateKey(), XmlSecurityDSig::EXC_C14N, $security, null, $keyInfo);
$options = array( $options = array(
'id_ns_prefix' => Helper::PFX_WSU, 'id_ns_prefix' => Helper::PFX_WSU,
'id_prefix_ns' => Helper::NS_WSU, 'id_prefix_ns' => Helper::NS_WSU,
@ -313,151 +209,36 @@ class WsSecurityFilter implements SoapRequestFilter, SoapResponseFilter
foreach ($nodes as $node) { foreach ($nodes as $node) {
XmlSecurityDSig::addNodeToSignature($signature, $node, XmlSecurityDSig::SHA1, XmlSecurityDSig::EXC_C14N, $options); XmlSecurityDSig::addNodeToSignature($signature, $node, XmlSecurityDSig::SHA1, XmlSecurityDSig::EXC_C14N, $options);
} }
XmlSecurityDSig::signDocument($signature, $this->serviceSecurityKey->getPrivateKey(), XmlSecurityDSig::EXC_C14N); XmlSecurityDSig::signDocument($signature, $this->userSecurityKey->getPrivateKey(), XmlSecurityDSig::EXC_C14N);
$publicCertificate = $this->serviceSecurityKey->getPublicKey()->getX509Certificate(true); $publicCertificate = $this->userSecurityKey->getPublicKey()->getX509Certificate(true);
$binarySecurityToken = $filterHelper->createElement(Helper::NS_WSS, 'BinarySecurityToken', $publicCertificate); $binarySecurityToken = $filterHelper->createElement(Helper::NS_WSS, 'BinarySecurityToken', $publicCertificate);
$filterHelper->setAttribute($binarySecurityToken, null, 'EncodingType', Helper::NAME_WSS_SMS . '#Base64Binary'); $filterHelper->setAttribute($binarySecurityToken, null, 'EncodingType', Helper::NAME_WSS_SMS . '#Base64Binary');
$filterHelper->setAttribute($binarySecurityToken, null, 'ValueType', Helper::NAME_WSS_X509 . '#X509v3'); $filterHelper->setAttribute($binarySecurityToken, null, 'ValueType', Helper::NAME_WSS_X509 . '#X509v3');
$filterHelper->setAttribute($binarySecurityToken, Helper::NS_WSU, 'Id', $guid); $filterHelper->setAttribute($binarySecurityToken, Helper::NS_WSU, 'Id', $guid);
$security->insertBefore($binarySecurityToken, $signature); $security->insertBefore($binarySecurityToken, $signature);
}
// encrypt soap document
if (null !== $this->serviceSecurityKey && $this->serviceSecurityKey->hasKeys()) {
$guid = 'EncKey-' . Helper::generateUUID();
// add token references
$keyInfo = null;
if (null !== $this->tokenReferenceEncryption) {
$keyInfo = $this->createKeyInfo($filterHelper, $this->tokenReferenceEncryption, $guid, $this->serviceSecurityKey->getPublicKey());
} }
$encryptedKey = XmlSecurityEnc::createEncryptedKey($guid, $this->serviceSecurityKey->getPrivateKey(), $this->serviceSecurityKey->getPublicKey(), $security, $signature, $keyInfo);
/** $referenceList = XmlSecurityEnc::createReferenceList($encryptedKey);
* Adds the configured KeyInfo to the parentNode. // token reference to encrypted key
* $keyInfo = $this->createKeyInfo($filterHelper, self::TOKEN_REFERENCE_SECURITY_TOKEN, $guid);
* @param FilterHelper $filterHelper Filter helper object $nodes = $this->createNodeListForEncryption($dom, $security);
* @param int $tokenReference Token reference type foreach ($nodes as $node) {
* @param string $guid Unique ID $type = XmlSecurityEnc::ELEMENT;
* @param \ass\XmlSecurity\Key $xmlSecurityKey XML security key if ($node->localName == 'Body') {
* $type = XmlSecurityEnc::CONTENT;
* @return \DOMElement
*/
protected function createKeyInfo(FilterHelper $filterHelper, $tokenReference, $guid, XmlSecurityKey $xmlSecurityKey = null)
{
$keyInfo = $filterHelper->createElement(XmlSecurityDSig::NS_XMLDSIG, 'KeyInfo');
$securityTokenReference = $filterHelper->createElement(Helper::NS_WSS, 'SecurityTokenReference');
$keyInfo->appendChild($securityTokenReference);
// security token
if (self::TOKEN_REFERENCE_SECURITY_TOKEN === $tokenReference) {
$reference = $filterHelper->createElement(Helper::NS_WSS, 'Reference');
$filterHelper->setAttribute($reference, null, 'URI', '#' . $guid);
if (null !== $xmlSecurityKey) {
$filterHelper->setAttribute($reference, null, 'ValueType', Helper::NAME_WSS_X509 . '#X509v3');
} }
$securityTokenReference->appendChild($reference); XmlSecurityEnc::encryptNode($node, $type, $this->serviceSecurityKey->getPrivateKey(), $referenceList, $keyInfo);
// subject key identifier
} elseif (self::TOKEN_REFERENCE_SUBJECT_KEY_IDENTIFIER === $tokenReference && null !== $xmlSecurityKey) {
$keyIdentifier = $filterHelper->createElement(Helper::NS_WSS, 'KeyIdentifier');
$filterHelper->setAttribute($keyIdentifier, null, 'EncodingType', Helper::NAME_WSS_SMS . '#Base64Binary');
$filterHelper->setAttribute($keyIdentifier, null, 'ValueType', Helper::NAME_WSS_X509 . '#509SubjectKeyIdentifier');
$securityTokenReference->appendChild($keyIdentifier);
$certificate = $xmlSecurityKey->getX509SubjectKeyIdentifier();
$dataNode = new \DOMText($certificate);
$keyIdentifier->appendChild($dataNode);
// thumbprint sha1
} elseif (self::TOKEN_REFERENCE_THUMBPRINT_SHA1 === $tokenReference && null !== $xmlSecurityKey) {
$keyIdentifier = $filterHelper->createElement(Helper::NS_WSS, 'KeyIdentifier');
$filterHelper->setAttribute($keyIdentifier, null, 'EncodingType', Helper::NAME_WSS_SMS . '#Base64Binary');
$filterHelper->setAttribute($keyIdentifier, null, 'ValueType', Helper::NAME_WSS_SMS_1_1 . '#ThumbprintSHA1');
$securityTokenReference->appendChild($keyIdentifier);
$thumbprintSha1 = base64_encode(sha1(base64_decode($xmlSecurityKey->getX509Certificate(true)), true));
$dataNode = new \DOMText($thumbprintSha1);
$keyIdentifier->appendChild($dataNode);
}
return $keyInfo;
}
/**
* Create a list of \DOMNodes that should be signed.
*
* @param \DOMDocument $dom DOMDocument to query
* @param \DOMElement $security Security element
*
* @return array(\DOMNode)
*/
protected function createNodeListForSigning(\DOMDocument $dom, \DOMElement $security)
{
$nodes = array();
$body = $dom->getElementsByTagNameNS($dom->documentElement->namespaceURI, 'Body')->item(0);
if (null !== $body) {
$nodes[] = $body;
}
foreach ($security->childNodes as $node) {
if (XML_ELEMENT_NODE === $node->nodeType) {
$nodes[] = $node;
}
}
if ($this->signAllHeaders) {
foreach ($security->parentNode->childNodes as $node) {
if (XML_ELEMENT_NODE === $node->nodeType &&
Helper::NS_WSS !== $node->namespaceURI) {
$nodes[] = $node;
}
}
}
return $nodes;
}
/**
* Gets the referenced node for the given URI.
*
* @param \DOMElement $node Node
* @param string $uri URI
*
* @return \DOMElement
*/
protected function getReferenceNodeForUri(\DOMElement $node, $uri)
{
$url = parse_url($uri);
$referenceId = $url['fragment'];
$query = '//*[@'.Helper::PFX_WSU.':Id="'.$referenceId.'" or @Id="'.$referenceId.'"]';
$xpath = new \DOMXPath($node->ownerDocument);
$xpath->registerNamespace(Helper::PFX_WSU, Helper::NS_WSU);
return $xpath->query($query)->item(0);
}
/**
* Tries to resolve a key from the given \DOMElement.
*
* @param \DOMElement $node Node where to resolve the key
* @param string $algorithm XML security key algorithm
*
* @return \ass\XmlSecurity\Key|null
*/
public function keyInfoSecurityTokenReferenceResolver(\DOMElement $node, $algorithm)
{
foreach ($node->childNodes as $key) {
if (Helper::NS_WSS === $key->namespaceURI) {
switch ($key->localName) {
case 'KeyIdentifier':
return $this->serviceSecurityKey->getPublicKey();
case 'Reference':
$uri = $key->getAttribute('URI');
$referencedNode = $this->getReferenceNodeForUri($node, $uri);
if (XmlSecurityEnc::NS_XMLENC === $referencedNode->namespaceURI
&& 'EncryptedKey' == $referencedNode->localName) {
$key = XmlSecurityEnc::decryptEncryptedKey($referencedNode, $this->serviceSecurityKey->getPrivateKey());
return XmlSecurityKey::factory($algorithm, $key, false, XmlSecurityKey::TYPE_PRIVATE);
} elseif (Helper::NS_WSS === $referencedNode->namespaceURI
&& 'BinarySecurityToken' == $referencedNode->localName) {
$key = XmlSecurityPem::formatKeyInPemFormat($referencedNode->textContent);
return XmlSecurityKey::factory(XmlSecurityKey::RSA_SHA1, $key, false, XmlSecurityKey::TYPE_PUBLIC);
} }
} }
} }
} }
return null;
}
} }