Class XMLDSigToken

Build or analyze an XML token.

An XML token is an enveloping XML Digital Signature (cf. RFC 3275) that contains signed and timestamped user data. The data may also be encrypted; such a token is called a secure XML token.

This class uses the following default algorithms:

  • Algorithm used to canonicalize data before signing: http://www.w3.org/TR/2001/REC-xml-c14n-20010315.

  • Algorithm used to generate the signature: http://www.w3.org/2000/09/xmldsig#rsa-sha1.

  • Algorithm used to compute the hash of token data: http://www.w3.org/2000/09/xmldsig#sha1.

  • Encoding applied to data values: Base64.

Note that the default signature and digest algorithms are both SHA-1 based, which is no longer acceptable for new deployments. Use the signatureAlgorithm and digestAlgorithm options (see __construct()) to select the SHA-256 variants, on the producer and on the consumer side alike.

An XML token looks like this:

<?xml version="1.0"?>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#Token">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>---- TOKEN HASH ----</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>---- SIGNATURE VALUE ----</ds:SignatureValue>
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate>---- X.509 CERTIFICATE ----</ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
  <ds:Object Id="Token">
    <Token>
      <TokenTimestamp>2016-10-24T08:33:14Z</TokenTimestamp>
      <TokenData>
        <data1 Algorithm="base64">---- BASE64 ENCODED DATA ----</data1>
        <data2 Algorithm="base64">---- BASE64 ENCODED DATA ----</data2>
        <data3>
          <data31 Algorithm="base64">---- BASE64 ENCODED DATA ----</data31>
          <data32 Algorithm="base64">---- BASE64 ENCODED DATA ----</data32>
        </data3>
        <data4 Algorithm="base64">---- BASE64 ENCODED DATA ----</data4>
      </TokenData>
    </Token>
  </ds:Object>
</ds:Signature>

The signing process consists of the following actions:

  • Load data from an associative array.

  • Encode data values using Base64.

  • Build a node from the encoded array of data (cf. node <TokenData />).

  • Compute a UTC timestamp and store it in a node <TokenTimestamp />.

  • Aggregate the nodes <TokenTimestamp /> and <TokenData /> inside a node <Token />.

  • Load the base DOM document representing an XML digital signature:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:SignatureMethod />
  </ds:SignedInfo>
</ds:Signature>

  • Create a node <ds:Object Id="Token" /> and append it to the node <ds:Signature />.

  • Add the node <Token /> to the node <ds:Object Id="Token" />.

  • NOTE: If data encryption is requested, it takes place here (see "Token data encryption / decryption" below). Because it happens before the digest is computed, the signature covers the ciphertext, so a receiver can check integrity before decrypting.

  • Build a node <ds:Reference URI="#Token" /> and append it to the node <ds:SignedInfo />. This consists of:

    • Canonicalizing the content of the node <ds:Object Id="Token" />.
    • Computing the SHA1 hash (by default) of the canonicalized node and storing it in the node <ds:DigestValue />.

  • Include in the XML token the X.509 certificate associated with the private key that will be used to sign (see the next steps). This certificate is used during signature validation, so the receiver of the XML Digital Signature does not need to hold it beforehand. For the same reason, the receiver must check that this embedded certificate is one it trusts (cf. isValidCertCA()); the signature alone says nothing about who signed.

  • Canonicalize the content of the node <ds:SignedInfo />.

  • Compute the signature of the canonicalized node using the private key dedicated to signing.

  • Store the result in the node <ds:SignatureValue />.

  • Save the DOM document in XML format.

The signature validation process consists of the following actions:

  • Load the XML Digital Signature in a DOM document.

  • Canonicalize the content of the node <ds:Object Id="Token" /> and compute its SHA1 hash (by default).

  • Compare the computed hash with the one stored in the node <ds:DigestValue />. If the hashes differ, the content of the node <ds:Object Id="Token" /> has been altered.

  • Canonicalize the content of the node <ds:SignedInfo />.

  • Verify the signature of the canonicalized node <ds:SignedInfo /> against the value stored in the node <ds:SignatureValue />, using the public key of the X.509 certificate included in the XML token.

  • If the verification fails, the content of the node <ds:SignedInfo /> has not been signed with the private key associated with the X.509 certificate included in the XML Digital Signature. If it succeeds, this only proves that the token was signed by whoever holds that private key: since the certificate travels inside the token, the receiver must still check it against a trusted CA (cf. isValidCertCA()) and check its validity period (cf. isCertOutOfDate()) before trusting the data.

  • NOTE: If data decryption is required, it takes place here (see "Token data encryption / decryption" below).

  • Extract the timestamp stored in the content of the node <ds:Object Id="Token" /> and keep it (cf. isOutOfDate()).

  • Extract the data stored in the content of the node <ds:Object Id="Token" />.

  • Decode data values using Base64.

  • Build an associative array containing the decoded data.
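A complete round trip through the signing and validation processes described above, as an added example that is not part of the ezxmldsig documentation or code base: it generates a throwaway self-signed key pair with PHP's openssl extension, issues a token with SHA-256 algorithms, verifies it the way a consumer should (signature, embedded certificate, certificate validity period, token age), then tampers with the signed data via alterXML() and re-analyzes the result. Assumptions: the library is installed with Composer at vendor/autoload.php, the option values are the class constants listed under __construct(), and alterXML() accepts the namespace-agnostic XPath used here.

```php
<?php
// Added example; not part of the ezxmldsig documentation or code base.
// Assumes the library is installed with Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use webcoder31\ezxmldsig\XMLDSigToken;

// Throwaway self-signed RSA key pair for the demo, written to temp files.
// In production the signing key lives in an HSM/KMS or a locked-down file and the
// verifier obtains the CA (or pinned self-signed) certificate out of band.
function makeSelfSignedPair(string $dir): array
{
    $key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $dn  = ['countryName' => 'DK', 'organizationName' => 'Lothbrok Ltd', 'commonName' => 'www.Lothbrok.dk'];
    $csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
    $crt = openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => 'sha256']); // valid for one day
    $keyPath = $dir . '/sign.key';
    $crtPath = $dir . '/sign.crt';
    openssl_pkey_export_to_file($key, $keyPath);
    openssl_x509_export_to_file($crt, $crtPath);
    return [$keyPath, $crtPath];
}

// Options shared by producer and consumer: replace the SHA-1 defaults with SHA-256.
// Assumption: option values are the class constants (algorithm URIs) listed in the docs.
function tokenOptions(): array
{
    return [
        'signatureAlgorithm'     => XMLDSigToken::RSA_SHA256,
        'digestAlgorithm'        => XMLDSigToken::SHA256,
        'checkSigningAlgorithms' => true, // refuse tokens signed with anything else
    ];
}

// Consumer side. isSignatureValid() only proves "signed by the key of the embedded
// certificate", and that certificate is supplied by the sender, so the certificate
// must be pinned to a trusted CA and the token age bounded before the data is used.
function verifyToken(string $xml, string $trustedCaPath, int $ttl = 60): array
{
    $t = XMLDSigToken::analyzeXMLToken($xml, tokenOptions());
    if ($t === null) {
        throw new RuntimeException('token analysis failed');
    }
    if (!$t->isSignatureValid()) {
        throw new RuntimeException('bad signature: ' . ($t->getError() ?? json_encode($t->getAnomalies())));
    }
    if (!$t->isValidCertCA($trustedCaPath)) {
        throw new RuntimeException('embedded certificate was not issued by the trusted CA');
    }
    if ($t->isCertOutOfDate()) {
        throw new RuntimeException('embedded certificate is expired or not yet valid');
    }
    if ($t->isOutOfDate($ttl)) {
        throw new RuntimeException('token is older than ' . $ttl . 's or dated in the future: ' . $t->getTimestamp());
    }
    return $t->getData();
}

// Producer side.
$dir = sys_get_temp_dir() . '/ezxmldsig-demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
[$signKey, $signCert] = makeSelfSignedPair($dir);

$data  = ['user' => 'ragnar', 'role' => 'viewer', 'session' => ['ip' => '192.0.2.10']]; // constructed sample
$token = XMLDSigToken::createXMLToken($data, $signKey, $signCert, null, tokenOptions());
if ($token === null) {
    throw new RuntimeException('token creation failed');
}
$xml = $token->getXML();

// Self-signed, so the "CA" the consumer pins is the signing certificate itself.
print_r(verifyToken($xml, $signCert));

// Tamper test: rewrite the Base64-encoded <role> inside <ds:Object>, then re-analyze.
// Assumption: alterXML() accepts this XPath; local-name() keeps it independent of
// whatever prefix the library's DOMXPath has registered for the dsig namespace.
$tampered = $xml;
XMLDSigToken::alterXML(
    $tampered,
    '/*[local-name()="Signature"]/*[local-name()="Object"]/Token/TokenData/role',
    null,
    base64_encode('admin')
);
$forged = XMLDSigToken::analyzeXMLToken($tampered, tokenOptions());
// The recomputed digest of <ds:Object> is compared with <ds:DigestValue>.
var_dump($forged !== null ? $forged->isDigestValueOk() : null);
try {
    verifyToken($tampered, $signCert);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Per the validation process above, the altered <ds:Object> no longer matches the signed digest, so the consumer must refuse the second token; the first one passes every check only because the pinned certificate is the one that signed it. For a CA-issued signing certificate, pass the CA certificate to verifyToken() instead.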

Token data encryption / decryption:

The token data may also be encrypted before signing. In this case the class uses the following default algorithms to encrypt and decrypt data:

  • Algorithm used to encrypt / decrypt data: http://www.w3.org/2001/04/xmlenc#aes128-cbc (symmetric cipher).

  • Algorithm used to encrypt / decrypt the session key: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p (asymmetric cipher, RSA-OAEP key transport).

A secure (encrypted) XML token looks like this:

<?xml version="1.0"?>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#Token">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>---- TOKEN HASH ----</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>---- SIGNATURE VALUE ----</ds:SignatureValue>
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate>---- X.509 CERTIFICATE ----</ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
  <ds:Object Id="Token">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <xenc:CipherData>
            <xenc:CipherValue>---- CIPHERED SESSION KEY ----</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>---- ENCRYPTED DATA ----</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </ds:Object>
</ds:Signature>

The encryption process is the following:

  • Randomly generate a session key.

  • Encrypt the session key with the public key of the X.509 certificate dedicated to encryption, so that it can be transmitted safely inside the XML Digital Signature.

  • Store the encrypted session key in the node <xenc:CipherValue /> located inside the node <xenc:EncryptedKey />.

  • Encrypt the content of the node <ds:Object Id="Token" /> using the plaintext session key and store the result in the last node <xenc:CipherValue />.

The decryption process is the following:

  • Retrieve the node <xenc:EncryptedData />.

  • Decrypt the encrypted session key stored in the node <xenc:CipherValue /> located inside the node <xenc:EncryptedKey />, using the private key associated with the X.509 certificate that was used for encryption. Only the holder of that private key can recover the session key.

  • Decrypt the content of the last node <xenc:CipherValue /> using the recovered session key.

Note that AES-CBC provides no integrity protection of its own. Here the ciphertext is covered by the XML signature, which is why the signature is verified (and the embedded certificate checked) before the decrypted data is used.

Namespace: webcoder31\ezxmldsig
Copyright: 2017 - Thierry Thiers webcoder31@gmail.com
License: CeCILL-C License
Author: Thierry Thiers webcoder31@gmail.com
Located at XMLDSigToken.php
Methods summary
public
# __debugInfo( )

Defines a custom output for print_r() and var_dump() functions, in order to hide cryptographic material used by the object for security reasons.

protected
# __construct( mixed $xmlOrData, string $signKeyPath = null, string $signKeyPassword = null, string $signCertPath = null, string $cryptKeyPath = null, string $cryptKeyPassword = null, string $cryptCertPath = null, array $options = [] )

Instantiate an XMLDSigToken object.

This constructor is protected. To get an instance of an XMLDSigToken object use one of the following static functions according to what the object is intended for:

  • createXMLToken()

  • createSecureXMLToken()

  • analyzeXMLToken()

  • analyzeSecureXMLToken()

An XMLDSigToken object allows creating an XML token and also analyzing an existing XML token. The type of the $xmlOrData parameter determines how the object behaves.

XML token creation:

If $xmlOrData is an array (a flat or multidimensional associative array), the object creates an enveloping XML digital signature containing an XML token that holds the provided data and an automatically generated timestamp. In this case the $signKeyPath and $signCertPath parameters are required. If the $cryptCertPath parameter is also provided, the XML token is encrypted; the $cryptKeyPath parameter must then be provided too, because it is used to verify that the created XML Digital Signature is well formed (so the producer must hold the private key matching the encryption certificate). If that private key (cf. $cryptKeyPath parameter) is protected by a password, the password may be passed using the $cryptKeyPassword parameter.

XML token analysis:

If $xmlOrData is a string, the object will treat it as an enveloping XML digital signature containing a token:

  • It will check that the signature is valid.

  • It will decrypt the token if this one is encrypted.

  • It will extract timestamp and data from the token.

In this case, only the $xmlOrData parameter is required. If the XML token is encrypted, the $cryptKeyPath parameter must also be provided. If that private key (the one matching the X.509 certificate used for encryption, cf. $cryptKeyPath parameter) is protected by a password, the password may be passed using the $cryptKeyPassword parameter.

Configuring the object:

The $options parameter allows overriding the default configuration of the object by passing the desired options in an associative array.

Example:

$options = [
  'base64Encode' => false,
  'xmldsigNsPrefix' => '',
  'checkSigningAlgorithms' => false
];

Available options are the following:

  • base64Encode [boolean] Whether to Base64-encode token data or not.
    Default value: TRUE.

  • xmldsigNsPrefix [string] The XML namespace (xmlns) prefix to use in the XML digital signature tags. Set it to an empty string to avoid prefix usage.
    Default value: 'ds'.

  • checkSigningAlgorithms [boolean] Whether to check that the algorithms used to sign the token are the expected ones (those configured below) or not. Keep it enabled on the consumer side; otherwise a token signed with a weaker algorithm than the configured one is accepted.
    Default value: TRUE.

  • checkCryptingAlgorithms [boolean] Whether to check that the algorithms used to encrypt the token are the expected ones or not. Same remark as above.
    Default value: TRUE.

  • canonicalizationAlgorithm [string] The algorithm used to canonicalize the XML digital signature and to canonicalize token data before computing its hash.
    Possible values:

    • C14N (Default value)
      cf. http://www.w3.org/TR/2001/REC-xml-c14n-20010315
    • C14N_COMMENTS
      cf. http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
    • EXC_C14N
      cf. http://www.w3.org/2001/10/xml-exc-c14n#
    • EXC_C14N_COMMENTS
      cf. http://www.w3.org/2001/10/xml-exc-c14n#WithComments
  • signatureAlgorithm [string] The asymmetric algorithm used to sign the hash of token data. Prefer RSA_SHA256 or stronger; RSA_SHA1 remains the default for compatibility only.
    Possible values:

    • RSA_1_5 (XML Encryption key-transport URI, not a signature method)
      cf. http://www.w3.org/2001/04/xmlenc#rsa-1_5
    • RSA_OAEP_MGF1P (XML Encryption key-transport URI, not a signature method)
      cf. http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
    • DSA_SHA1 (Does not work)
      cf. http://www.w3.org/2000/09/xmldsig#dsa-sha1
    • RSA_SHA1 (Default value)
      cf. http://www.w3.org/2000/09/xmldsig#rsa-sha1
    • RSA_SHA256
      cf. http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    • RSA_SHA384
      cf. http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
    • RSA_SHA512
      cf. http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
    • HMAC_SHA1 (Does not work)
      cf. http://www.w3.org/2000/09/xmldsig#hmac-sha1
  • digestAlgorithm [string] The algorithm used to compute the hash of token data. Prefer SHA256 or stronger.
    Possible values:

    • SHA1 (Default value)
      cf. http://www.w3.org/2000/09/xmldsig#sha1
    • SHA256
      cf. http://www.w3.org/2001/04/xmlenc#sha256
    • SHA384
      cf. http://www.w3.org/2001/04/xmldsig-more#sha384
    • SHA512
      cf. http://www.w3.org/2001/04/xmlenc#sha512
    • RIPEMD160
      cf. http://www.w3.org/2001/04/xmlenc#ripemd160
  • sessionKeyCipheringAlgorithm [string] The symmetric algorithm of the session key, i.e. the algorithm used to encrypt the token data with the session key.
    Possible values:

    • TRIPLEDES_CBC
      cf. http://www.w3.org/2001/04/xmlenc#tripledes-cbc
    • AES128_CBC (Default value)
      cf. http://www.w3.org/2001/04/xmlenc#aes128-cbc
    • AES192_CBC
      cf. http://www.w3.org/2001/04/xmlenc#aes192-cbc
    • AES256_CBC
      cf. http://www.w3.org/2001/04/xmlenc#aes256-cbc
  • cryptAlgorithm [string] The asymmetric algorithm used to encrypt (wrap) the session key with the public key of the encryption certificate. Keep RSA_OAEP_MGF1P: RSA_1_5 (PKCS#1 v1.5 padding) is exposed to padding-oracle attacks, and the RSA_SHA* identifiers are signature algorithm URIs, not key-transport algorithms.
    Possible values:

    • RSA_1_5
      cf. http://www.w3.org/2001/04/xmlenc#rsa-1_5
    • RSA_OAEP_MGF1P (Default value)
      cf. http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
    • DSA_SHA1 (Does not work)
      cf. http://www.w3.org/2000/09/xmldsig#dsa-sha1
    • RSA_SHA1 (Does not work)
      cf. http://www.w3.org/2000/09/xmldsig#rsa-sha1
    • RSA_SHA256
      cf. http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    • RSA_SHA384
      cf. http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
    • RSA_SHA512
      cf. http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
    • HMAC_SHA1 (Does not work)
      cf. http://www.w3.org/2000/09/xmldsig#hmac-sha1
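An added example (not the library's own code) tying together the encryption process described earlier and the options just listed: a producer issues a secure token with a hardened algorithm profile, and a consumer that pins the same profile accepts it but rejects a token built with the SHA-1 / AES-128 defaults. Assumed: Composer autoload; PEM files at the hypothetical paths in the constants; option values given as the class constants; a self-signed producer certificate (so the pinned "CA" is that certificate itself); and that a failed algorithm check is surfaced through getError()/getAnomalies(), which makes isSignatureValid() return FALSE.

```php
<?php
// Added example; not part of the ezxmldsig documentation or code base.
// Assumes Composer autoload and PEM files at the hypothetical paths below.
require __DIR__ . '/vendor/autoload.php';

use webcoder31\ezxmldsig\XMLDSigToken;

const SIGN_KEY   = 'keys/producer-sign.key';   // producer's signing key pair (hypothetical paths)
const SIGN_CERT  = 'keys/producer-sign.crt';   // self-signed here, so it is also the pinned "CA"
const CRYPT_KEY  = 'keys/consumer-crypt.key';  // consumer's decryption key
const CRYPT_CERT = 'keys/consumer-crypt.crt';  // consumer's encryption certificate

// Hardened profile versus the defaults (rsa-sha1 / sha1 / aes128-cbc): SHA-256 for
// signature and digest, AES-256-CBC for the data, RSA-OAEP for the session key. Never
// select RSA_1_5 for cryptAlgorithm: PKCS#1 v1.5 key transport is a padding-oracle target.
// Assumption: option values are the class constants (algorithm URIs).
function hardenedOptions(): array
{
    return [
        'signatureAlgorithm'           => XMLDSigToken::RSA_SHA256,
        'digestAlgorithm'              => XMLDSigToken::SHA256,
        'sessionKeyCipheringAlgorithm' => XMLDSigToken::AES256_CBC,
        'cryptAlgorithm'               => XMLDSigToken::RSA_OAEP_MGF1P,
        // Consumer-side enforcement: tokens using other algorithms are not accepted.
        'checkSigningAlgorithms'       => true,
        'checkCryptingAlgorithms'      => true,
    ];
}

// Producer. createSecureXMLToken() also requires the decryption key ($cryptKeyPath)
// because the class checks the token it has just built; this only fits deployments
// where the producer legitimately holds the consumer's private key.
function issueSecureToken(array $data, array $options): string
{
    $token = XMLDSigToken::createSecureXMLToken(
        $data, SIGN_KEY, SIGN_CERT, CRYPT_KEY, CRYPT_CERT, null, null, $options
    );
    if ($token === null) {
        throw new RuntimeException('token creation failed');
    }
    return $token->getXML();
}

// Consumer: decrypt with our private key, then apply the trust checks. Returns the
// token data, or NULL with the reason written to stderr.
function consumeSecureToken(string $xml, string $trustedCaPath, int $ttl = 60): ?array
{
    $t = XMLDSigToken::analyzeSecureXMLToken($xml, CRYPT_KEY, null, hardenedOptions());
    if ($t === null) {
        fwrite(STDERR, "rejected: analysis failed\n");
        return null;
    }
    if (!$t->isSignatureValid()) {
        // Assumption: a failed algorithm check surfaces here via getError()/getAnomalies().
        fwrite(STDERR, 'rejected: ' . ($t->getError() ?? json_encode($t->getAnomalies())) . "\n");
        return null;
    }
    if ($t->isDataEncrypted() !== true) {  // this channel requires confidentiality
        fwrite(STDERR, "rejected: token data is not encrypted\n");
        return null;
    }
    if (!$t->isValidCertCA($trustedCaPath) || $t->isCertOutOfDate() || $t->isOutOfDate($ttl)) {
        fwrite(STDERR, "rejected: untrusted or expired certificate, or stale token\n");
        return null;
    }
    return $t->getData();
}

$data = ['subject' => 'ragnar', 'scope' => 'orders:read']; // constructed sample data

// 1. Hardened token: the pinned consumer decrypts it and returns the data.
$good = issueSecureToken($data, hardenedOptions());
var_dump(consumeSecureToken($good, SIGN_CERT));

// 2. Token built with the library defaults: the pinned consumer refuses it rather than
//    silently accepting the SHA-1 / AES-128 downgrade.
$legacy = issueSecureToken($data, []);
var_dump(consumeSecureToken($legacy, SIGN_CERT));
```

The producer and consumer must agree on the profile: with checkSigningAlgorithms and checkCryptingAlgorithms enabled, the consumer treats any deviation from its configured algorithms as a failure, so roll out a new profile on consumers first, then on producers.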

Parameters

$xmlOrData

An XML token (string) or token data (associative array).

$signKeyPath

The path to the PEM private key file that will be used to sign the token.

$signKeyPassword

The password, if needed, to access the private key that will be used to sign the token. Use NULL if no password needed.

$signCertPath

The path to the PEM X.509 certificate file that will be included in the XML digital signature, in order to verify the signature.

$cryptKeyPath

The path to the PEM private key file that will be used to decrypt the session key which was used to encrypt the token.

$cryptKeyPassword

The password to access the private key that will be used to decrypt the session key which was used to encrypt the token. Use NULL if no password needed.

$cryptCertPath

The path to the PEM X.509 certificate file that will be used to encrypt the session key which will be used to encrypt the token.

$options
Configuration options.

Throws

Exception

See

webcoder31\ezxmldsig\XMLDSigToken::createXMLToken(), webcoder31\ezxmldsig\XMLDSigToken::createSecureXMLToken(), webcoder31\ezxmldsig\XMLDSigToken::analyzeXMLToken(), webcoder31\ezxmldsig\XMLDSigToken::analyzeSecureXMLToken()
public static webcoder31\ezxmldsig\XMLDSigToken
# createXMLToken( array $data, string $signKeyPath, string $signCertPath, string $signKeyPassword = null, array $options = [] )

Creates an XML token for the given user data.

The created XML token can be retrieved using the function getXML().

Parameters

$data

Token data (an associative array that may be multi-dimensional).

$signKeyPath

The path to the PEM private key file that will be used to sign the token.

$signCertPath

The path to the PEM X.509 certificate file that will be included in the XML digital signature, in order to verify the signature.

$signKeyPassword

The password to access the private key that will be used to sign the token. Use NULL if no password needed.

$options

Configuration options (see __construct() for details).

Returns

webcoder31\ezxmldsig\XMLDSigToken

An XMLDSigToken object or NULL if the object creation failed.

Throws

Exception

See

webcoder31\ezxmldsig\XMLDSigToken::__construct()
public static webcoder31\ezxmldsig\XMLDSigToken
# createSecureXMLToken( array $data, string $signKeyPath, string $signCertPath, string $cryptKeyPath, string $cryptCertPath, string $signKeyPassword = null, string $cryptKeyPassword = null, array $options = [] )

Creates a secure (encrypted) XML token for the given user data.

The created XML token can be retrieved using the function getXML().

Parameters

$data

Token data (an associative array that may be multi-dimensional).

$signKeyPath

The path to the PEM private key file that will be used to sign the token.

$signCertPath

The path to the PEM X.509 certificate file that will be included in the XML digital signature, in order to verify the signature.

$cryptKeyPath

The path to the PEM private key file that will be used to decrypt the session key which was used to encrypt the token.

$cryptCertPath

The path to the PEM X.509 certificate file that will be used to encrypt the session key which will be used to encrypt the token.

$signKeyPassword

The password to access the private key that will be used to sign the token. Use NULL if no password needed.

$cryptKeyPassword

The password to access the private key that will be used to decrypt the session key which was used to encrypt the token. Use NULL if no password needed.

$options

Configuration options (see __construct() for details).

Returns

webcoder31\ezxmldsig\XMLDSigToken

An XMLDSigToken object or NULL if the object creation failed.

Throws

Exception

See

webcoder31\ezxmldsig\XMLDSigToken::__construct()
public static webcoder31\ezxmldsig\XMLDSigToken
# analyzeXMLToken( string $xml, array $options = [] )

Parse an XML token.

Parameters

$xml
An XML token.
$options

Configuration options (see __construct() for details).

Returns

webcoder31\ezxmldsig\XMLDSigToken

An XMLDSigToken object or NULL if the object creation failed.

Throws

Exception

See

webcoder31\ezxmldsig\XMLDSigToken::__construct()
public static webcoder31\ezxmldsig\XMLDSigToken
# analyzeSecureXMLToken( string $xml, string $cryptKeyPath, string $cryptKeyPassword = null, array $options = [] )

Parse an XML token whose data are encrypted.

NOTE: Unencrypted tokens can also be parsed using this function.

Parameters

$xml
An XML token.
$cryptKeyPath

The path to the PEM private key file that will be used to decrypt the session key which was used to encrypt token data.

$cryptKeyPassword

The password to access the private key that will be used to decrypt the session key which was used to encrypt the token. Use NULL if no password needed.

$options

Configuration options (see __construct() for details).

Returns

webcoder31\ezxmldsig\XMLDSigToken

An XMLDSigToken object or NULL if the object creation failed.

Throws

Exception

See

webcoder31\ezxmldsig\XMLDSigToken::__construct()
public boolean
# isSignatureValid( )

Indicates whether the XML token signature is valid or not.

This means that:

  • No error occurred during the analysis of the XML digital signature.

  • No anomaly was detected during the analysis of the XML digital signature.

  • The token hash has been verified and is valid.

  • The token hash signature has been verified and is valid.

NOTE: This function only guarantees the integrity of the token with respect to the X.509 certificate embedded in the XML token. It does not verify that this certificate is trusted or still valid. Since the certificate travels with the token, anyone can sign a forged token with a key of their own and embed the matching certificate, so the caller must also check the certificate (cf. isValidCertCA(), isCertOutOfDate() and, if needed, isValidCertIssuer()) and the token age (cf. isOutOfDate()) before using the data.

Returns

boolean
TRUE if the XML token signature is valid, FALSE otherwise.
public boolean
# isOutOfDate( integer $ttl = self::TOKEN_DEFAULT_TTL )

Indicates whether the XML token is out of date or not, i.e. whether its timestamp is older than $ttl seconds (allowing for DESYNC_TOLERANCE).

NOTE: If the token timestamp is later than the current date/time, the token is considered out of date as well.

Parameters

$ttl
The time to live (in seconds) allowed for the token.

Returns

boolean
TRUE if token is out of date, FALSE otherwise.
public boolean
# isDataEncrypted( )

Indicates whether token data is encrypted or not.

NOTE: If this could not be evaluated (because an error occurred earlier), this function returns NULL.

Returns

boolean
TRUE if token data is encrypted, FALSE otherwise, NULL if it could not be evaluated.
public boolean|null
# isDigestValueOk( )

Indicates whether the digest of token data (a hash) has been verified and is valid or not.

NOTE: If this could not be evaluated (because an error occurred earlier), this function returns NULL.

Returns

boolean|null

TRUE if token hash has been verified and is valid, FALSE otherwise, NULL if cannot be evaluated.

public boolean|null
# isSignatureValueOk( )

Indicates whether the signature of the digest of the token data has been verified and is valid or not.

NOTE: If this could not be evaluated (because an error occurred earlier), this function returns NULL.

Returns

boolean|null

TRUE if token hash signature has been verified and is valid, FALSE otherwise, NULL if cannot be evaluated.

public string|null
# getXML( )

Get the XML token.

Returns

string|null
The XML token, NULL if not available.
public array|null
# getData( )

Get the user data contained in the XML token.

Returns

array|null

The associative array containing token data, NULL if not available.

public string|null
# getTimestamp( )

Get the timestamp of the XML token.

Returns

string|null
The token timestamp, NULL if not available.
public string|null
# getError( )

Get the message of the error that occurred while parsing the XML token.

Returns

string|null
The error message. If no error, NULL is returned.
public array|null
# getAnomalies( )

Get the list of anomalies detected while parsing the XML token.

Returns

array|null
The list of anomalies if any, NULL otherwise.
public string|null
# getCertificate( )

Get the X.509 certificate that is included in the XML token (PEM format).

Returns

string|null

The content of the X.509 certificate, NULL if not available.

public array|null
# getCertIssuer( )

Get the issuer information of the X.509 certificate that is included in the XML token.

Returns

array|null

The issuer information of the X.509 certificate, NULL if not available.

public array|null
# getCertSubject( )

Get the subject information of the X.509 certificate that is included in the XML token.

Returns

array|null

The subject information of the X.509 certificate, NULL if not available.

public string|null
# getCertDN( )

Get the Distinguished Name of the X.509 certificate that is included in the XML token.

Returns

string|null

The Distinguished Name of the X.509 certificate, NULL if not available.

public string|null|false
# getCertValidFrom( string $dateFormat = self::TOKEN_TIMESTAMP_FORMAT )

Get the UTC date from which the X.509 certificate that is included in the XML token is valid.

Parameters

$dateFormat

Format of the returned date (Default: XMLDSigToken::TOKEN_TIMESTAMP_FORMAT).

Returns

string|null|false

The date from which the X.509 certificate is valid, NULL if not available, FALSE if $dateFormat is invalid.

public string|null|false
# getCertValidTo( string $dateFormat = self::TOKEN_TIMESTAMP_FORMAT )

Get the UTC date until which the X.509 certificate that is included in the XML token is valid.

Parameters

$dateFormat

Format of the returned date (Default: XMLDSigToken::TOKEN_TIMESTAMP_FORMAT).

Returns

string|null|false

The date until which the X.509 certificate is valid, NULL if not available, FALSE if $dateFormat is invalid.

public boolean
# isCertOutOfDate( )

Indicates whether the X.509 certificate included in the XML token is out of date or not.

Returns

boolean

TRUE if X.509 certificate is out of date, FALSE otherwise.

public boolean
# isValidCertIssuer( array $expectedIssuerInfo )

Check that the issuer information of the X.509 certificate included in the XML token matches the expected one.

The expected issuer information must be passed to the function as an array:

$expectedIssuerInfo = [
    'C' => 'DK',
    'ST' => 'Jylland',
    'O' => 'Lothbrok Ltd',
    'OU' => 'Jarl Dept',
    'CN' => 'www.Lothbrok.dk',
    'emailAddress' => 'ragnar@Lothbrok.dk'
];

NOTE: The comparison is case-sensitive.

Parameters

$expectedIssuerInfo

The issuer information that the X.509 certificate should match.

Returns

boolean

TRUE if the issuer information of the X.509 certificate matches the expected one, FALSE otherwise.

Throws

Exception
public boolean
# isValidCertCA( string $caCertPath )

Check that the X.509 certificate included in the XML token was issued by the expected CA.

Note that more than one CA certificate can give a positive result, since some CAs re-issue a signing certificate after changing only its validity dates.

Note that this also works with self-signed certificates. In this case, pass to the function the X.509 certificate that is expected to be included in the XML token.

Parameters

$caCertPath

The PEM certificate (public key) that the CA is expected to have used to sign the X.509 certificate included in the XML token.

Returns

boolean

TRUE if the X.509 certificate has been signed by the expected CA, FALSE otherwise.

Throws

Exception
public static string|false
# alterXML( string & $xml, string $nodePath, string $nodeAttribute, string $newValue, boolean $delete = false )

Utility function for modifying a node of an XML content.

Parameters

$xml
XML content, passed by reference.
$nodePath

The xpath query to select the node to modify. This should be a full path that identifies a single node.

$nodeAttribute

In case you want to modify an attribute of the specified node, provide its name here, otherwise set this parameter to NULL.

$newValue

The value that will replace the original value of the node, or of the node attribute if the $nodeAttribute parameter is provided.

$delete
If TRUE delete the specified node or attribute.

Returns

string|false

The value of the node or attribute before modification or deletion, FALSE otherwise.

public string
# getPrettyXML( )

Return the XML token in a pretty, readable format.

This function is intended for display purposes only. Use the getXML() function to obtain the raw XML token you want to work with.

Returns

string
The pretty-printed XML token.
public
# getHTMLDump( )

Utility function that returns information on the XML token in HTML format.

Constants summary
string XMLDSIG_NS_PREFIX

Const

string The default XMLDSIG namespace prefix used in the XML digital signature.


# 'ds'
string TOKEN_NAME

Const

string The name of the token node.
# 'Token'
string TOKEN_DATA_NAME

Const

string The name of the token data node.
# 'TokenData'
string TOKEN_TIMESTAMP_NAME

Const

string The name of the token timestamp node.
# 'TokenTimestamp'
string TOKEN_TIMESTAMP_FORMAT

Const

string The format of the token timestamp (YYYY-MM-DDThh:mm:ssZ). NOTE: The timestamp should always be expressed in UTC.


# 'Y-m-d\TH:i:s\Z'
integer TOKEN_DEFAULT_TTL

Const

int The default time to live (in seconds) used to check token expiry.


# 60
integer DESYNC_TOLERANCE

Const

int The synchronization offset (in seconds) allowed for verifying if token is out of date.


# 30
string C14N
# webcoder31\ezxmldsig\XMLSecurityDSig::C14N
string C14N_COMMENTS
# webcoder31\ezxmldsig\XMLSecurityDSig::C14N_COMMENTS
string EXC_C14N
# webcoder31\ezxmldsig\XMLSecurityDSig::EXC_C14N
string EXC_C14N_COMMENTS
# webcoder31\ezxmldsig\XMLSecurityDSig::EXC_C14N_COMMENTS
string SHA1
# webcoder31\ezxmldsig\XMLSecurityDSig::SHA1
string SHA256
# webcoder31\ezxmldsig\XMLSecurityDSig::SHA256
string SHA384
# webcoder31\ezxmldsig\XMLSecurityDSig::SHA384
string SHA512
# webcoder31\ezxmldsig\XMLSecurityDSig::SHA512
string RIPEMD160
# webcoder31\ezxmldsig\XMLSecurityDSig::RIPEMD160
string TRIPLEDES_CBC
# webcoder31\ezxmldsig\XMLSecurityKey::TRIPLEDES_CBC
string AES128_CBC
# webcoder31\ezxmldsig\XMLSecurityKey::AES128_CBC
string AES192_CBC
# webcoder31\ezxmldsig\XMLSecurityKey::AES192_CBC
string AES256_CBC
# webcoder31\ezxmldsig\XMLSecurityKey::AES256_CBC
string RSA_1_5
# webcoder31\ezxmldsig\XMLSecurityKey::RSA_1_5
string RSA_OAEP_MGF1P
# webcoder31\ezxmldsig\XMLSecurityKey::RSA_OAEP_MGF1P
string DSA_SHA1
# webcoder31\ezxmldsig\XMLSecurityKey::DSA_SHA1
string RSA_SHA1
# webcoder31\ezxmldsig\XMLSecurityKey::RSA_SHA1
string RSA_SHA256
# webcoder31\ezxmldsig\XMLSecurityKey::RSA_SHA256
string RSA_SHA384
# webcoder31\ezxmldsig\XMLSecurityKey::RSA_SHA384
string RSA_SHA512
# webcoder31\ezxmldsig\XMLSecurityKey::RSA_SHA512
string HMAC_SHA1
# webcoder31\ezxmldsig\XMLSecurityKey::HMAC_SHA1
API documentation generated by ApiGen