'; $infocardbuf .= ''; //cardId $infocardbuf .= ''; $infocardbuf .= ''.$ICdata['CardId'].''; //xs:anyURI cardId (="$cardurl/$ppid"; $ppid = "$uname-" . time();) $infocardbuf .= '1'; //xs:unsignedInt $infocardbuf .= ''; //cardName $infocardbuf .= ''.$ICdata['CardName'].''; //image $infocardbuf .= ''; $infocardbuf .= base64_encode(file_get_contents($ICdata['CardImage'])); $infocardbuf .= ''; //issuer - times $infocardbuf .= ''.$ICconfig['InfoCard']['issuer'].''; $infocardbuf .= ''.gmdate('Y-m-d').'T'.gmdate('H:i:s').'Z'.''; $infocardbuf .= ''.$ICdata['TimeExpires'].''; //Token Service List $infocardbuf .= ''; $infocardbuf .= ''; $infocardbuf .= ''; $infocardbuf .= ''.$ICconfig['tokenserviceurl'].''; $infocardbuf .= ''; $infocardbuf .= ''; $infocardbuf .= ''; $infocardbuf .= ''; $infocardbuf .= ''.$ICconfig['mexurl'].''; $infocardbuf .= ''; $infocardbuf .= ''; $infocardbuf .= ''; $infocardbuf .= ''; $infocardbuf .= ''; /*Types of User Credentials * Supported: UsernamePasswordCredential, SelfIssuedCredential * Unsupported: KerberosV5Credential, X509V3Credential */ $infocardbuf .= ''; $infocardbuf .= ''.$ICdata['DisplayCredentialHint'].''; switch($ICconfig['UserCredential']){ case 'UsernamePasswordCredential': $infocardbuf .= ''; $infocardbuf .= ''.$ICdata['UserName'].''; $infocardbuf .= ''; break; case 'KerberosV5Credential': $infocardbuf .= ''; break; case 'X509V3Credential': $infocardbuf .= ''; $infocardbuf .= ''; $infocardbuf .= ''; /*This element provides a key identifier for the X.509 certificate based on the SHA1 hash of the entire certificate content expressed as a “thumbprint.” Note that the extensibility point in the ds:X509Data element is used to add wsse:KeyIdentifier as a child element.*/ $infocardbuf .= $ICdata['KeyIdentifier']; //xs:base64binary; $infocardbuf .= ''; $infocardbuf .= ''; $infocardbuf .= ''; break; case 'SelfIssuedCredential': $infocardbuf .= ''; $infocardbuf .= ''; $infocardbuf .= $ICdata['PPID']; //xs:base64binary; $infocardbuf .= ''; 
$infocardbuf .= ' ';
            break;
        default:
            break;
    }
    // NOTE(review): every '' literal in this listing is an XML element/attribute
    // string whose markup appears to have been stripped; the structure below is
    // the original statement sequence, reformatted, with no tokens changed.
    $infocardbuf .= '';
    $infocardbuf .= '';
    $infocardbuf .= '';
    // Tokentype: the only token type this STS advertises is a SAML 1.0 assertion.
    $infocardbuf .= '';
    $infocardbuf .= 'urn:oasis:names:tc:SAML:1.0:assertion';
    $infocardbuf .= '';
    // Claims: required then optional claim types from the module configuration.
    // NOTE(review): $url is built but never referenced in the code visible here;
    // presumably it prefixed $claim in the stripped markup — verify against the
    // repository copy. displayTag/description are concatenated unescaped.
    $infocardbuf .= '';
    $url = $ICconfig['InfoCard']['schema'].'/claims/';
    foreach ($ICconfig['InfoCard']['requiredClaims'] as $claim=>$data) {
        $infocardbuf .= '';
        $infocardbuf .= ''.$data['displayTag'].'';
        $infocardbuf .= ''.$data['description'].'';
        $infocardbuf .= '';
    }
    foreach ($ICconfig['InfoCard']['optionalClaims'] as $claim=>$data) {
        $infocardbuf .= '';
        $infocardbuf .= ''.$data['displayTag'].'';
        $infocardbuf .= ''.$data['description'].'';
        $infocardbuf .= '';
    }
    $infocardbuf .= '';
    // Privacy URL
    $infocardbuf .= ''.$ICconfig['InfoCard']['privacyURL'].'';
    $infocardbuf .= '';
    $infocardbuf .= '';
    $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($infocardbuf);
    // construct a SignedInfo block
    // The reference digest is raw SHA-1 (sha1(..., TRUE)) over the canonicalized
    // card, base64-encoded. SHA-1 is what the card format used historically;
    // nothing here makes the digest algorithm configurable.
    $signedinfo = '';
    $signedinfo .= '';
    $signedinfo .= '';
    $signedinfo .= '';
    $signedinfo .= '';
    $signedinfo .= '';
    $signedinfo .= '';
    $signedinfo .= '';
    $signedinfo .= ''.base64_encode(sha1($canonicalbuf, TRUE)).'';
    $signedinfo .= '';
    $signedinfo .= '';
    $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($signedinfo);
    // Sign the canonicalized SignedInfo with the STS private key read from
    // $ICconfig['sts_key'].
    // NOTE(review): neither file_get_contents(), openssl_pkey_get_private() nor
    // openssl_sign() has its return value checked. If the key cannot be loaded,
    // $signature stays '' and a card carrying an empty SignatureValue is still
    // returned to the caller; a failed signature should abort instead.
    // openssl_sign() is called without an explicit algorithm (SHA-1 by default).
    $signature = '';
    $privkey = openssl_pkey_get_private(file_get_contents($ICconfig['sts_key']));
    openssl_sign($canonicalbuf, $signature, $privkey);
    openssl_free_key($privkey); // no-op/deprecated on PHP 8, harmless on older PHP
    $infocard_signature = base64_encode($signature);
    // Envelope: SignedInfo, SignatureValue, then the signing certificate chain,
    // then the card body that was digested above.
    $buf = '';
    $buf .= $signedinfo;
    $buf .= ''.$infocard_signature.'';
    $buf .= '';
    $buf .= '';
    // signing certificate(s): every entry of $ICconfig['certificates'], in order
    foreach ($ICconfig['certificates'] as $idx=>$cert)
        $buf .= ''.sspmod_InfoCard_Utils::takeCert($cert).'';
    $buf .= '';
    $buf .= '';
    $buf .= $infocardbuf;
    $buf .= '';
    return $buf;
}

/*
 * Build a SOAP fault for the identity selector.
 *
 * USED IN: www/tokenservice.php
 * INPUT:  $msg       - human-readable error text placed in the fault body
 *         $relatesto - uuid of the RST this fault answers (echoed in the header)
 * OUTPUT: the fault document as a string; the fault code emitted is fixed to
 *         a:Sender / a:MissingAppliesTo regardless of $msg
 *
 * NOTE(review): $relatesto and $msg are concatenated into the document without
 * any XML escaping. If either originates from the incoming request (the RST's
 * MessageID is the usual source of $relatesto), a value containing '<' or '&'
 * yields malformed or attacker-shaped XML; escape with htmlspecialchars(...,
 * ENT_QUOTES | ENT_XML1) at this boundary — confirm where the caller gets them.
 */
static public function errorMessage($msg,$relatesto){
    $buf = '';
    $buf .= '';
    $buf .= 'http://www.w3.org/2005/08/addressing/soap/fault';
    $buf .= ''.$relatesto.'';
    $buf .= '';
    $buf .= '';
    $buf .= '';
    $buf .= '';
    $buf .= '';
    $buf .= 'a:Sender';
    $buf .= '';
    $buf .= '';
    $buf .= '';
    $buf .= 'a:MissingAppliesTo';
    $buf .= '';
    $buf .= '';
    $buf .= '';
    $buf .= '';
    $buf .= '';
    $buf .= $msg; // unescaped, see note above
    $buf .= '';
    $buf .= '';
    $buf .= '';
    $buf .= '';
    $buf .= '';
    return $buf;
}

/*
 * Build the complete RSTR SOAP envelope carrying a freshly issued token.
 *
 * USED IN: www/tokenservice.php
 * INPUT:  $claimValues - claims to assert (displayTag/value per claim)
 *         $config      - STS configuration (sts_key, sts_crt are read downstream)
 *         $relatesto   - uuid of the RST being answered (placed unescaped in the
 *                        addressing header; same caveat as errorMessage)
 * OUTPUT: a security token response for the identity selector, as a string
 *
 * Lifetime is hard-coded: the token is valid from "now" for 3600 seconds.
 *
 * NOTE(review): $created is assembled from two separate gmdate() calls and
 * $expires from two separate time() calls; each pair can straddle a second or
 * even a day boundary, producing a timestamp that never existed. Capturing
 * $now = time() once and passing it to both gmdate() calls avoids this.
 * uniqid() is clock-based, not random — fine for an element ID, but it must
 * not be relied on for anything that has to be unguessable.
 */
static public function createToken($claimValues,$config,$relatesto){
    $assertionid = uniqid('uuid-');
    $created = gmdate('Y-m-d').'T'.gmdate('H:i:s').'Z';
    $expires = gmdate('Y-m-d', time()+3600).'T'.gmdate('H:i:s', time()+3600).'Z';
    // SOAP ENVELOPE: WS-Addressing header (Action, RelatesTo, anonymous ReplyTo)
    // and a WS-Security Timestamp covering the same created/expires window.
    $env = '';
    $env .= '';
    $env .= '';
    $env .= '';
    $env .= 'http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue';
    $env .= '';
    $env .= '';
    $env .= $relatesto;
    $env .= '';
    $env .= '';
    $env .= 'http://www.w3.org/2005/08/addressing/anonymous';
    $env .= '';
    $env .= '';
    $env .= '';
    $env .= ''.$created.'';
    $env .= ''.$expires.'';
    $env .= '';
    $env .= '';
    $env .= '';
    $env .= '';
    // RequestSecurityTokenResponse: the body, including the signed assertion
    $env .= sspmod_InfoCard_STS::RequestSecurityTokenResponse($claimValues,$config,$assertionid,$created,$expires);
    $env .= '';
    $env .= '';
    return $env;
}

/*
 * Build the RequestSecurityTokenResponse element of the RSTR.
 *
 * USED IN: createToken
 * INPUT:  $claimValues - claims to assert; $config - STS configuration;
 *         $assertionid - id shared by the assertion and both references;
 *         $created/$expires - lifetime strings computed by createToken
 * OUTPUT: the RequestSecurityTokenResponse content as a string, containing
 *         the token type, lifetime, the signed SAML assertion, an attached and
 *         an unattached reference to it, and a display token
 */
static private function RequestSecurityTokenResponse ($claimValues,$config,$assertionid,$created,$expires){
    $tr = '';
    $tr .= 'urn:oasis:names:tc:SAML:1.0:assertion';
    $tr .= '';
    $tr .= ''.$created.'';
    $tr .= ''.$expires.'';
    $tr .= '';
    // Requested token: the signed SAML assertion. Nothing in this file encrypts
    // it — saml_assertion() only signs — so do not assume confidentiality here.
    $tr .= '';
    $tr .= sspmod_InfoCard_STS::saml_assertion($claimValues,$config,$assertionid,$created,$expires);
    $tr .= '';
    // RequestedAttachedReference: points at $assertionid
    $tr .= '';
    $tr .= '';
    $tr .= '';
    $tr .= $assertionid;
    $tr .= '';
    $tr .= '';
    $tr .= '';
    // RequestedUnattachedReference: same id
    $tr .= '';
    $tr .= '';
    $tr .= '';
    $tr .= $assertionid;
    $tr .= '';
    $tr .= '';
    $tr .= '';
    // RequestedDisplayToken: one entry per claim for the selector's UI.
    // NOTE(review): displayTag and value are inserted without XML escaping; a
    // claim value containing '<' or '&' (e.g. a free-text attribute from the
    // attribute store) breaks or injects into the response — escape here.
    $tr .= '';
    $tr .= '';
    foreach ($claimValues as $claim=>$data) {
        $tr .= '';
        $tr .= ''.$data['displayTag'].'';
        $tr .= ''.$data['value'].'';
        $tr .= "";
    }
    $tr .= '';
    $tr .= '';
    $tr .= '';
    return $tr;
}

/*
 * Build and sign the SAML 1.0 assertion issued by this STS.
 *
 * USED IN: RequestSecurityTokenResponse
 * INPUT:  $claimValues - claims (value per claim) to place in the attribute
 *         statement; $config - provides sts_crt (certificate) and sts_key
 *         (private key path); $assertionid, $created, $expires - as above
 * OUTPUT: STS-signed SAML assertion as a string (enveloped XML-DSig)
 *
 * Signing scheme as written: canonicalize the assertion, raw SHA-1 digest,
 * canonicalize SignedInfo, RSA sign with openssl_sign() at its default
 * (SHA-1) digest, embed SignatureValue and the STS certificate.
 *
 * NOTE(review):
 *  - Subject confirmation is holder-of-key, yet the "proof key" embedded is
 *    the STS's own certificate ($config['sts_crt']) rather than a key the
 *    requester demonstrated possession of — confirm this is the intended
 *    binding for this profile.
 *  - Claim values are concatenated unescaped (same XML-injection caveat as
 *    the display token).
 *  - Return values of file_get_contents()/openssl_pkey_get_private()/
 *    openssl_sign() are unchecked: on a key-load failure $signature stays ''
 *    and an assertion with an empty SignatureValue is emitted. Fail closed.
 *  - The digest is taken over $saml.'' — the appended literal is presumably
 *    the assertion's closing tag, stripped in this listing; verify that the
 *    digested bytes match what is finally emitted, or the signature will not
 *    validate.
 */
static private function saml_assertion($claimValues,$config,$assertionid,$created,$expires){
    $saml = '';
    $saml .= '';
    $saml .= '';
    $saml .= '';
    $saml .= '';
    $saml .= 'urn:oasis:names:tc:SAML:1.0:cm:holder-of-key';
    // proof key: the STS certificate (see note above)
    $saml .= '';
    $saml .= '';
    $saml .= ''.sspmod_InfoCard_Utils::takeCert($config['sts_crt']).'';
    $saml .= '';
    $saml .= '';
    $saml .= '';
    $saml .= '';
    // attribute statement: one attribute per claim, value unescaped
    foreach ($claimValues as $claim=>$data) {
        $saml .= '';
        $saml .= ''.$data['value'].'';
        $saml .= '';
    }
    $saml .= '';
    // Pure SAML Assertion digest (raw SHA-1 over the canonicalized assertion)
    $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($saml.'');
    $myhash = sha1($canonicalbuf,TRUE);
    $samldigest = base64_encode($myhash);
    // Digest block (SignedInfo referencing the assertion by digest)
    $signedinfo = '';
    $signedinfo .= '';
    $signedinfo .= '';
    $signedinfo .= '';
    $signedinfo .= '';
    $signedinfo .= '';
    $signedinfo .= '';
    $signedinfo .= '';
    $signedinfo .= '';
    $signedinfo .= ''.$samldigest.'';
    $signedinfo .= '';
    $signedinfo .= '';
    // Signature of the digest: sign canonicalized SignedInfo with sts_key
    $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($signedinfo);
    $privkey = openssl_pkey_get_private(file_get_contents($config['sts_key']));
    $signature = '';
    openssl_sign($canonicalbuf, $signature, $privkey); // default digest (SHA-1)
    openssl_free_key($privkey); // no-op/deprecated on PHP 8, harmless on older PHP
    $samlsignature = base64_encode($signature);
    // Signature block: SignedInfo, SignatureValue, KeyInfo with the STS cert
    $saml .= '';
    $saml .= $signedinfo;
    $saml .= ''.$samlsignature.'';
    $saml .= '';
    $saml .= '';
    $saml .= ''.sspmod_InfoCard_Utils::takeCert($config['sts_crt']).'';
    $saml .= '';
    $saml .= '';
    $saml .= '';
    $saml .= '';
    return $saml;
}
}
?>