📄 security.php
字号:
<?php/** * Zend Framework * * LICENSE * * This source file is subject to the new BSD license that is bundled * with this package in the file LICENSE.txt. * It is also available through the world-wide-web at this URL: * http://framework.zend.com/license/new-bsd * If you did not receive a copy of the license and are unable to * obtain it through the world-wide-web, please send an email * to license@zend.com so we can send you a copy immediately. * * @category Zend * @package Zend_InfoCard * @subpackage Zend_InfoCard_Xml_Security * @copyright Copyright (c) 2005-2008 Zend Technologies USA Inc. (http://www.zend.com) * @license http://framework.zend.com/license/new-bsd New BSD License * @version $Id: Security.php 8601 2008-03-06 20:50:55Z darby $ * @author John Coggeshall <john@zend.com> *//** * Zend_InfoCard_Xml_Security_Exception */require_once 'Zend/InfoCard/Xml/Security/Exception.php';/** * Zend_InfoCard_Xml_Security_Transform */require_once 'Zend/InfoCard/Xml/Security/Transform.php';/** * * @category Zend * @package Zend_InfoCard * @subpackage Zend_InfoCard_Xml_Security * @copyright Copyright (c) 2005-2008 Zend Technologies USA Inc. (http://www.zend.com) * @license http://framework.zend.com/license/new-bsd New BSD License * @author John Coggeshall <john@zend.com> */class Zend_InfoCard_Xml_Security{ /** * ASN.1 type INTEGER class */ const ASN_TYPE_INTEGER = 0x02; /** * ASN.1 type BIT STRING class */ const ASN_TYPE_BITSTRING = 0x03; /** * ASN.1 type SEQUENCE class */ const ASN_TYPE_SEQUENCE = 0x30; /** * The URI for Canonical Method C14N Exclusive */ const CANONICAL_METHOD_C14N_EXC = 'http://www.w3.org/2001/10/xml-exc-c14n#'; /** * The URI for Signature Method SHA1 */ const SIGNATURE_METHOD_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'; /** * The URI for Digest Method SHA1 */ const DIGEST_METHOD_SHA1 = 'http://www.w3.org/2000/09/xmldsig#sha1'; /** * The Identifier for RSA Keys */ const RSA_KEY_IDENTIFIER = '300D06092A864886F70D0101010500'; /** * Constructor (disabled) * * @return void */ private function __construct() { } /** * Validates the signature of a provided XML block * * @param string $strXMLInput An XML block containing a Signature * @return bool True if the signature validated, false otherwise * @throws Zend_InfoCard_Xml_Security_Exception */ static public function validateXMLSignature($strXMLInput) { if(!extension_loaded('openssl')) { throw new Zend_InfoCard_Xml_Security_Exception("You must have the openssl extension installed to use this class"); } $sxe = simplexml_load_string($strXMLInput); if(!isset($sxe->Signature)) { throw new Zend_InfoCard_Xml_Security_Exception("Could not identify XML Signature element"); } if(!isset($sxe->Signature->SignedInfo)) { throw new Zend_InfoCard_Xml_Security_Exception("Signature is missing a SignedInfo block"); } if(!isset($sxe->Signature->SignatureValue)) { throw new Zend_InfoCard_Xml_Security_Exception("Signature is missing a SignatureValue block"); } if(!isset($sxe->Signature->KeyInfo)) { throw new Zend_InfoCard_Xml_Security_Exception("Signature is missing a KeyInfo block"); } if(!isset($sxe->Signature->KeyInfo->KeyValue)) { throw new Zend_InfoCard_Xml_Security_Exception("Signature is missing a KeyValue block"); } switch((string)$sxe->Signature->SignedInfo->CanonicalizationMethod['Algorithm']) { case self::CANONICAL_METHOD_C14N_EXC: $cMethod = (string)$sxe->Signature->SignedInfo->CanonicalizationMethod['Algorithm']; break; default: throw new Zend_InfoCard_Xml_Security_Exception("Unknown or unsupported CanonicalizationMethod Requested"); } switch((string)$sxe->Signature->SignedInfo->SignatureMethod['Algorithm']) { case self::SIGNATURE_METHOD_SHA1: $sMethod = (string)$sxe->Signature->SignedInfo->SignatureMethod['Algorithm']; break; default: throw new Zend_InfoCard_Xml_Security_Exception("Unknown or unsupported SignatureMethod Requested"); } switch((string)$sxe->Signature->SignedInfo->Reference->DigestMethod['Algorithm']) { case self::DIGEST_METHOD_SHA1: $dMethod = (string)$sxe->Signature->SignedInfo->Reference->DigestMethod['Algorithm']; break; default: throw new Zend_InfoCard_Xml_Security_Exception("Unknown or unsupported DigestMethod Requested"); } $base64DecodeSupportsStrictParam = version_compare(PHP_VERSION, '5.2.0', '>='); if ($base64DecodeSupportsStrictParam) { $dValue = base64_decode((string)$sxe->Signature->SignedInfo->Reference->DigestValue, true); } else { $dValue = base64_decode((string)$sxe->Signature->SignedInfo->Reference->DigestValue); } if ($base64DecodeSupportsStrictParam) { $signatureValue = base64_decode((string)$sxe->Signature->SignatureValue, true); } else { $signatureValue = base64_decode((string)$sxe->Signature->SignatureValue); } $transformer = new Zend_InfoCard_Xml_Security_Transform(); foreach($sxe->Signature->SignedInfo->Reference->Transforms->children() as $transform) { $transformer->addTransform((string)$transform['Algorithm']); } $transformed_xml = $transformer->applyTransforms($strXMLInput); $transformed_xml_binhash = pack("H*", sha1($transformed_xml)); if($transformed_xml_binhash != $dValue) { throw new Zend_InfoCard_Xml_Security_Exception("Locally Transformed XML does not match XML Document. Cannot Verify Signature"); } $public_key = null; switch(true) { case isset($sxe->Signature->KeyInfo->KeyValue->X509Certificate): $certificate = (string)$sxe->Signature->KeyInfo->KeyValue->X509Certificate; $pem = "-----BEGIN CERTIFICATE-----\n" . wordwrap($certificate, 64, "\n", true) . "\n-----END CERTIFICATE-----"; $public_key = openssl_pkey_get_public($pem); if(!$public_key) { throw new Zend_InfoCard_Xml_Security_Exception("Unable to extract and prcoess X509 Certificate from KeyValue"); } break; case isset($sxe->Signature->KeyInfo->KeyValue->RSAKeyValue): if(!isset($sxe->Signature->KeyInfo->KeyValue->RSAKeyValue->Modulus) || !isset($sxe->Signature->KeyInfo->KeyValue->RSAKeyValue->Exponent)) { throw new Zend_InfoCard_Xml_Security_Exception("RSA Key Value not in Modulus/Exponent form"); } $modulus = base64_decode((string)$sxe->Signature->KeyInfo->KeyValue->RSAKeyValue->Modulus); $exponent = base64_decode((string)$sxe->Signature->KeyInfo->KeyValue->RSAKeyValue->Exponent); $pem_public_key = self::_getPublicKeyFromModExp($modulus, $exponent); $public_key = openssl_pkey_get_public ($pem_public_key); break; default: throw new Zend_InfoCard_Xml_Security_Exception("Unable to determine or unsupported representation of the KeyValue block"); } $transformer = new Zend_InfoCard_Xml_Security_Transform(); $transformer->addTransform((string)$sxe->Signature->SignedInfo->CanonicalizationMethod['Algorithm']); // The way we are doing our XML processing requires that we specifically add this // (even though it's in the <Signature> parent-block).. otherwise, our canonical form // fails signature verification $sxe->Signature->SignedInfo->addAttribute('xmlns', 'http://www.w3.org/2000/09/xmldsig#'); $canonical_signedinfo = $transformer->applyTransforms($sxe->Signature->SignedInfo->asXML()); if(@openssl_verify($canonical_signedinfo, $signatureValue, $public_key)) { return (string)$sxe->Signature->SignedInfo->Reference['URI']; } return false; } /** * Transform an RSA Key in Modulus/Exponent format into a PEM encoding and * return an openssl resource for it * * @param string $modulus The RSA Modulus in binary format * @param string $exponent The RSA exponent in binary format * @return string The PEM encoded version of the key */ static protected function _getPublicKeyFromModExp($modulus, $exponent) { $modulusInteger = self::_encodeValue($modulus, self::ASN_TYPE_INTEGER); $exponentInteger = self::_encodeValue($exponent, self::ASN_TYPE_INTEGER); $modExpSequence = self::_encodeValue($modulusInteger . $exponentInteger, self::ASN_TYPE_SEQUENCE); $modExpBitString = self::_encodeValue($modExpSequence, self::ASN_TYPE_BITSTRING); $binRsaKeyIdentifier = pack( "H*", self::RSA_KEY_IDENTIFIER ); $publicKeySequence = self::_encodeValue($binRsaKeyIdentifier . $modExpBitString, self::ASN_TYPE_SEQUENCE); $publicKeyInfoBase64 = base64_encode( $publicKeySequence ); $publicKeyString = "-----BEGIN PUBLIC KEY-----\n"; $publicKeyString .= wordwrap($publicKeyInfoBase64, 64, "\n", true); $publicKeyString .= "\n-----END PUBLIC KEY-----\n"; return $publicKeyString; } /** * Encode a limited set of data types into ASN.1 encoding format * which is used in X.509 certificates * * @param string $data The data to encode * @param const $type The encoding format constant * @return string The encoded value * @throws Zend_InfoCard_Xml_Security_Exception */ static protected function _encodeValue($data, $type) { // Null pad some data when we get it (integer values > 128 and bitstrings) if( (($type == self::ASN_TYPE_INTEGER) && (ord($data) > 0x7f)) || ($type == self::ASN_TYPE_BITSTRING)) { $data = "\0$data"; } $len = strlen($data); // encode the value based on length of the string // I'm fairly confident that this is by no means a complete implementation // but it is enough for our purposes switch(true) { case ($len < 128): return sprintf("%c%c%s", $type, $len, $data); case ($len < 0x0100): return sprintf("%c%c%c%s", $type, 0x81, $len, $data); case ($len < 0x010000): return sprintf("%c%c%c%c%s", $type, 0x82, $len / 0x0100, $len % 0x0100, $data); default: throw new Zend_InfoCard_Xml_Security_Exception("Could not encode value"); } throw new Zend_InfoCard_Xml_Security_Exception("Invalid code path"); }}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -