Fix #356. Support 'x509cert' and 'privateKey' on signMetadata security setting

Author: pitbulk

README.md

@@ -420,10 +420,14 @@ $advancedSettings = array(
         'logoutResponseSigned' => false,
 
         /* Sign the Metadata
-         False || True (use sp certs) || array(
-                                                    keyFileName => 'metadata.key',
-                                                    certFileName => 'metadata.crt'
-                                                )
+         False || True (use sp certs) || array (
+                                                    'keyFileName' => 'metadata.key',
+                                                    'certFileName' => 'metadata.crt'
+                                               )
+                                      || array (
+                                                    'x509cert' => '',
+                                                    'privateKey' => ''
+                                               )
         */
         'signMetadata' => false,
 

advanced_settings_example.php

@@ -33,10 +33,14 @@
         'logoutResponseSigned' => false,
 
         /* Sign the Metadata
-         False || True (use sp certs) || array(
-                                                    keyFileName => 'metadata.key',
-                                                    certFileName => 'metadata.crt'
-                                                )
+         False || True (use sp certs) || array (
+                                                    'keyFileName' => 'metadata.key',
+                                                    'certFileName' => 'metadata.crt'
+                                               )
+                                      || array (
+                                                    'x509cert' => '',
+                                                    'privateKey' => ''
+                                               )
         */
         'signMetadata' => false,
 

src/Saml2/Metadata.php

@@ -200,7 +200,7 @@ public static function builder($sp, $authnsign = false, $wsign = false, $validUn
      * @param string $digestAlgorithm Digest algorithm method
      *
      * @return string Signed Metadata
-     * 
+     *
      * @throws Exception
      */
     public static function signMetadata($metadata, $key, $cert, $signAlgorithm = XMLSecurityKey::RSA_SHA256, $digestAlgorithm = XMLSecurityDSig::SHA256)
@@ -217,7 +217,7 @@ public static function signMetadata($metadata, $key, $cert, $signAlgorithm = XML
      * @param bool   $wantsEncrypted Whether to include the KeyDescriptor for encryption
      *
      * @return string Metadata with KeyDescriptors
-     * 
+     *
      * @throws Exception
      */
     public static function addX509KeyDescriptors($metadata, $cert, $wantsEncrypted = true)

src/Saml2/Settings.php

@@ -596,8 +596,10 @@ public function checkSPSettings(array $settings)
             }
 
             if (isset($security['signMetadata']) && is_array($security['signMetadata'])) {
-                if (!isset($security['signMetadata']['keyFileName'])
-                    || !isset($security['signMetadata']['certFileName'])
+                if ((!isset($security['signMetadata']['keyFileName'])
+                    || !isset($security['signMetadata']['certFileName'])) &&
+                    (!isset($security['signMetadata']['privateKey'])
+                    || !isset($security['signMetadata']['x509cert']))
                 ) {
                     $errors[] = 'sp_signMetadata_invalid';
                 }
@@ -800,7 +802,7 @@ public function shouldCompressResponses()
      *
      * @param bool $alwaysPublishEncryptionCert When 'true', the returned
      * metadata will always include an 'encryption' KeyDescriptor. Otherwise,
-     * the 'encryption' KeyDescriptor will only be included if 
+     * the 'encryption' KeyDescriptor will only be included if
      * $advancedSettings['security']['wantNameIdEncrypted'] or
      * $advancedSettings['security']['wantAssertionsEncrypted'] are enabled.
      * @param int|null      $validUntil    Metadata's valid time
@@ -851,15 +853,8 @@ public function getSPMetadata($alwaysPublishEncryptionCert = false, $validUntil
                         Error::PUBLIC_CERT_FILE_NOT_FOUND
                     );
                 }
-            } else {
-                if (!isset($this->_security['signMetadata']['keyFileName'])
-                    || !isset($this->_security['signMetadata']['certFileName'])
-                ) {
-                    throw new Error(
-                        'Invalid Setting: signMetadata value of the sp is not valid',
-                        Error::SETTINGS_INVALID_SYNTAX
-                    );
-                }
+            } else if (isset($this->_security['signMetadata']['keyFileName']) &&
+                isset($this->_security['signMetadata']['certFileName'])) {
                 $keyFileName = $this->_security['signMetadata']['keyFileName'];
                 $certFileName = $this->_security['signMetadata']['certFileName'];
 
@@ -883,6 +878,29 @@ public function getSPMetadata($alwaysPublishEncryptionCert = false, $validUntil
                 }
                 $keyMetadata = file_get_contents($keyMetadataFile);
                 $certMetadata = file_get_contents($certMetadataFile);
+            } else if (isset($this->_security['signMetadata']['privateKey']) &&
+                isset($this->_security['signMetadata']['x509cert'])) {
+                $keyMetadata = Utils::formatPrivateKey($this->_security['signMetadata']['privateKey']);
+                $certMetadata = Utils::formatCert($this->_security['signMetadata']['x509cert']);
+                if (!$keyMetadata) {
+                    throw new Error(
+                        'Private key not found.',
+                        Error::PRIVATE_KEY_FILE_NOT_FOUND
+                    );
+                }
+
+                if (!$certMetadata) {
+                    throw new Error(
+                        'Public cert not found.',
+                        Error::PUBLIC_CERT_FILE_NOT_FOUND
+                    );
+                }
+            } else {
+                throw new Error(
+                    'Invalid Setting: signMetadata value of the sp is not valid',
+                    Error::SETTINGS_INVALID_SYNTAX
+                );
+
             }
 
             $signatureAlgorithm = $this->_security['signatureAlgorithm'];

tests/src/OneLogin/Saml2/SettingsTest.php

@@ -374,6 +374,17 @@ public function testCheckSettings()
             $this->assertContains('organization_not_enought_data', $e->getMessage());
             $this->assertContains('contact_type_invalid', $e->getMessage());
         }
+
+        $settingsInfo['security']['signMetadata'] = ['privateKey' => file_get_contents(TEST_ROOT . '/data/customPath/certs/metadata.key')];
+
+        try {
+            $settings = new Settings($settingsInfo);
+            $this->fail('Error was not raised');
+        } catch (Error $e) {
+            $this->assertContains('sp_signMetadata_invalid', $e->getMessage());
+            $this->assertContains('organization_not_enought_data', $e->getMessage());
+            $this->assertContains('contact_type_invalid', $e->getMessage());
+        }
     }
 
     /**
@@ -567,6 +578,28 @@ public function testGetSPMetadataSigned()
         $this->assertContains('<ds:Reference', $metadata2);
         $this->assertContains('<ds:KeyInfo><ds:X509Data><ds:X509Certificate>', $metadata2);
 
+        $cert = file_get_contents(TEST_ROOT . '/data/customPath/certs/metadata.crt');
+        $settingsInfo['security']['signMetadata'] = [
+            'privateKey' => file_get_contents(TEST_ROOT . '/data/customPath/certs/metadata.key'),
+            'x509cert' => $cert,
+        ];
+        $settings3 = new Settings($settingsInfo);
+        $metadata3 = $settings3->getSPMetadata();
+
+        $this->assertNotEmpty($metadata3);
+        $this->assertContains('<md:SPSSODescriptor', $metadata3);
+        $this->assertContains('entityID="http://stuff.com/endpoints/metadata.php"', $metadata3);
+        $this->assertContains('AuthnRequestsSigned="false"', $metadata3);
+        $this->assertContains('WantAssertionsSigned="false"', $metadata3);
+        $this->assertContains('<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://stuff.com/endpoints/endpoints/acs.php" index="1"/>', $metadata3);
+        $this->assertContains('<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://stuff.com/endpoints/endpoints/sls.php"/>', $metadata3);
+        $this->assertContains('<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>', $metadata3);
+
+        $this->assertContains('<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>', $metadata3);
+        $this->assertContains('<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>', $metadata3);
+        $this->assertContains('<ds:Reference', $metadata3);
+        $this->assertContains('<ds:KeyInfo><ds:X509Data><ds:X509Certificate>', $metadata3);
+        $this->assertContains(Utils::formatCert($cert, false), $metadata3);
     }
 
     /**