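<?php
require __DIR__.'/vendor/autoload.php';
use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecEnc;

// Endpoint: expects a JSON body of the form {"token": "<base64 SAML XML>"}
// and answers with JSON, either {"results": "Success"} or {"error": "..."}.
header('Content-type: application/json');
$response = new stdClass();
try {
    // Let's get the request body.
    $requestBody = file_get_contents('php://input');
    if (!$requestBody) {
        http_response_code(400);
        throw new Exception('Invalid request body.');
    }
    // Decode as an associative array so a malformed body or a missing "token"
    // member is reported as a client error instead of dereferencing null.
    $decoded = json_decode($requestBody, true);
    if (!is_array($decoded) || !array_key_exists('token', $decoded)) {
        http_response_code(400);
        throw new Exception('Request body must be a JSON object with a "token" member.');
    }
    $response->results = verifySaml($decoded['token']);
    http_response_code(200);
    echo json_encode($response);
} catch (Exception $e) {
    // verifySaml() sets 400 before throwing; make sure no error path answers 200.
    if (http_response_code() === 200) {
        http_response_code(400);
    }
    $response->error = 'Error! '.$e->getMessage();
    echo json_encode($response);
}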
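/**
 * Validates a base64-encoded, XML-DSig signed SAML document.
 *
 * The checks run in the order xmlseclibs requires: locate the Signature
 * node, canonicalise SignedInfo, validate the References (digests), check
 * the document's validity window (VerifyDate), locate the signing key,
 * check the certificate (verifyCert), then verify the signature value.
 * VerifyDate, verifyCert, checkUserAgent and get_user_agent are defined
 * outside this file.
 *
 * @param string|null $token base64-encoded SAML XML
 * @return string 'Success' when every check passes
 * @throws Exception on any failed check; the HTTP status is set to 400
 *                   first so the caller's error response carries it
 */
function verifySaml($token)
{
    if (!is_string($token) || $token === '') {
        http_response_code(400);
        throw new Exception('Token missing.');
    }
    // Strict mode rejects input containing characters outside the base64 alphabet.
    $saml = base64_decode($token, true);
    if ($saml === false) {
        http_response_code(400);
        throw new Exception('Token is not valid base64.');
    }
    $xmlDoc = new DOMDocument();
    // Collect parser errors instead of emitting warnings, and keep libxml from
    // fetching anything over the network while parsing caller-supplied XML.
    $previousErrorMode = libxml_use_internal_errors(true);
    $loaded = $xmlDoc->loadXML($saml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrorMode);
    if ($loaded !== true) {
        http_response_code(400);
        throw new Exception('Token does not contain well-formed XML.');
    }
    // A SAML message has no reason to carry a DTD; refusing one blocks
    // entity-based attacks (XXE, entity expansion) before any processing.
    if ($xmlDoc->doctype !== null) {
        http_response_code(400);
        throw new Exception('DOCTYPE is not allowed.');
    }
    $objXMLSecDSig = new XMLSecurityDSig();
    $signature = $objXMLSecDSig->locateSignature($xmlDoc);
    if ($signature === null) {
        http_response_code(400);
        throw new Exception('Cannot locate Signature Node');
    }
    $objXMLSecDSig->canonicalizeSignedInfo();
    $objXMLSecDSig->idKeys = array('ID');
    $objXMLSecDSig->idNS = array('wsu' => 'http://docs.oasis-open.org/wss/2004/01/oasis/200401-wss-wssecurity-utility-1.0.xsd');
    // Reference validation compares each Reference digest with the referenced
    // content; xmlseclibs throws on failure, so the return check is a backstop.
    if (!$objXMLSecDSig->validateReference()) {
        http_response_code(400);
        throw new Exception('Reference validation failed');
    }
    // Verify the validity window (Conditions) of the xml document.
    if (!VerifyDate($xmlDoc)) {
        http_response_code(400);
        throw new Exception('Conditions not valid.');
    }
    $key = $objXMLSecDSig->locateKey();
    if (!$key) {
        http_response_code(400);
        throw new Exception('Key not found');
    }
    // NOTE(review): the key material comes from the document's own KeyInfo, so
    // verifyCert() is the only check binding the signature to a trusted issuer;
    // confirm it compares against the expected issuer certificate rather than
    // only inspecting fields of the embedded certificate.
    $keyInfo = XMLSecEnc::staticLocateKeyInfo($key, $signature);
    if (!verifyCert($keyInfo)) {
        http_response_code(400);
        throw new Exception('Certificate is not valid.');
    }
    // Verify the signature value itself. verify() passes through openssl_verify(),
    // which returns 1 for a valid signature, 0 for an invalid one and -1 (or
    // false) on error, so only an exact 1 counts as success.
    if ($objXMLSecDSig->verify($key) !== 1) {
        http_response_code(400);
        throw new Exception('Signature invalid!');
    }
    // Compare the user agent carried in the signed document
    // with the one that performed the request.
    checkUserAgent($xmlDoc, get_user_agent());
    return 'Success';
}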