Use a local copy of Message:addSign that uses the xmlsecurity-library for signing

tvdijen · tvdijen · commit 4124e4e23273 · 2025-09-09T22:44:32.000+02:00
diff --git a/src/Controller/AttributeServer.php b/src/Controller/AttributeServer.php
@@ -9,11 +9,10 @@
 use SimpleSAML\{Configuration, Error, Logger};
 use SimpleSAML\HTTP\RunnableResponse;
 use SimpleSAML\Metadata\MetaDataStorageHandler;
-use SimpleSAML\Module\saml\Message;;
 use SimpleSAML\SAML2\Binding;
 use SimpleSAML\SAML2\Binding\HTTPPost;
 use SimpleSAML\SAML2\Constants as C;
-use SimpleSAML\SAML2\Utils;
+use SimpleSAML\SAML2\Utils as SAML2_Utils;
 use SimpleSAML\SAML2\XML\saml\{
     Assertion,
     Attribute,
@@ -30,7 +29,13 @@
     SubjectConfirmationData,
 };
 use SimpleSAML\SAML2\XML\samlp\{AttributeQuery, Response};
+use SimpleSAML\Utils;
 use SimpleSAML\XML\Utils\Random;
+use SimpleSAML\XMLSecurity\Alg\Signature\SignatureAlgorithmFactory;
+use SimpleSAML\XMLSecurity\CryptoEncoding\PEM;
+use SimpleSAML\XMLSecurity\Key\PrivateKey;
+use SimpleSAML\XMLSecurity\XML\ds\{KeyInfo, X509Certificate, X509Data};
+use SimpleSAML\XMLSecurity\XML\SignableElementInterface;
 use Symfony\Bridge\PsrHttpMessage\Factory\{HttpFoundationFactory, PsrHttpFactory};
 use Symfony\Component\HttpFoundation\Request;
 
@@ -159,7 +164,7 @@ public function main(/** @scrutinizer ignore-unused */ Request $request): Runnab
         }
 
         // $returnAttributes contains the attributes we should return. Send them
-        $clock = Utils::getContainer()->getClock();
+        $clock = SAML2_Utils::getContainer()->getClock();
 
         $assertion = new Assertion(
             issuer: new Issuer($idpEntityId),
@@ -192,8 +197,7 @@ public function main(/** @scrutinizer ignore-unused */ Request $request): Runnab
             ],
         );
 
-        // TODO:  Fix signing; should use xml-security lib
-        Message::addSign($idpMetadata, $spMetadata, $assertion);
+        self::addSign($idpMetadata, $spMetadata, $assertion);
 
         $response = new Response(
             status: new Status(
@@ -208,8 +212,7 @@ public function main(/** @scrutinizer ignore-unused */ Request $request): Runnab
             assertions: [$assertion],
         );
 
-        // TODO:  Fix signing; should use xml-security lib
-        Message::addSign($idpMetadata, $spMetadata, $response);
+        self::addSign($idpMetadata, $spMetadata, $response);
 
         $httpPost = new HTTPPost();
         $httpPost->setRelayState($binding->getRelayState());
@@ -238,4 +241,57 @@ private function filterAttributeValues(array $reqValues, array $values): array
 
         return $result;
     }
+
+
+    /**
+     * Add signature key and sender certificate to an element (Message or Assertion).
+     *
+     * @param \SimpleSAML\Configuration $srcMetadata The metadata of the sender.
+     * @param \SimpleSAML\Configuration $dstMetadata The metadata of the recipient.
+     * @param \SimpleSAML\XMLSecurity\XML\SignableElementInterface $element The element we should add the data to.
+     */
+    private static function addSign(
+        Configuration $srcMetadata,
+        Configuration $dstMetadata,
+        SignableElementInterface &$element,
+    ): void {
+        $dstPrivateKey = $dstMetadata->getOptionalString('signature.privatekey', null);
+        $cryptoUtils = new Utils\Crypto();
+
+        if ($dstPrivateKey !== null) {
+            /** @var array $keyArray */
+            $keyArray = $cryptoUtils->loadPrivateKey($dstMetadata, true, 'signature.');
+            $certArray = $cryptoUtils->loadPublicKey($dstMetadata, false, 'signature.');
+        } else {
+            /** @var array $keyArray */
+            $keyArray = $cryptoUtils->loadPrivateKey($srcMetadata, true);
+            $certArray = $cryptoUtils->loadPublicKey($srcMetadata, false);
+        }
+
+        $algo = $dstMetadata->getOptionalString('signature.algorithm', null);
+        if ($algo === null) {
+            $algo = $srcMetadata->getOptionalString('signature.algorithm', C::SIG_RSA_SHA256);
+        }
+
+        $privateKey = new PrivateKey(PEM::fromString($keyArray['PEM']));
+
+        $keyInfo = null;
+        if ($certArray !== null) {
+            $certificate = new X509Certificate(PEM::fromString($keyArray['PEM']));
+            $keyInfo = new KeyInfo([
+                new X509Data(
+                    [
+                        new X509Certificate($certArray['PEM']),
+                    ],
+                ),
+            ]);
+        }
+
+        $signer = (new SignatureAlgorithmFactory())->getAlgorithm(
+            $algo,
+            $privateKey,
+        );
+
+        $element->sign($signer, C::C14N_EXCLUSIVE_WITHOUT_COMMENTS, $keyInfo);
+    }
 }
