File: metarefresh.php

#!/usr/bin/env php
<?php

/*
 * This script can be used to generate metadata for SimpleSAMLphp
 * based on an XML metadata file.
 */
use RobRichards\XMLSecLibs\XMLSecurityDSig;


// Base directory of the SimpleSAMLphp installation: three directory levels
// above the directory this script lives in.
$baseDir = dirname(dirname(dirname(__DIR__)));

// Register the library autoloader before any SimpleSAML class is referenced.
require_once $baseDir.'/lib/_autoload.php';

// Refuse to run unless the metarefresh module is switched on; the hint shows
// the enable-file the module system looks for.
if (!\SimpleSAML\Module::isModuleEnabled('metarefresh')) {
    echo "You need to enable the metarefresh module before this script can be used.\n";
    echo "You can enable it by running the following command:\n";
    echo "  echo >\"{$baseDir}/modules/metarefresh/enable\"\n";
    exit(1);
}

// Point the configuration layer at the config directory.
$configdir = \SimpleSAML\Utils\Config::getConfigDir();
\SimpleSAML\Configuration::setConfigDir($configdir);

// Default location for generated metadata files; overridable with --out-dir.
// resolvePath() makes it relative to the SimpleSAMLphp base directory.
$outputDir = \SimpleSAML\Utils\System::resolvePath('metadata-generated');


// Output mode: true prints the generated metadata to stdout instead of
// writing files into $outputDir.
$toStdOut = false;

// Signature-verification inputs. Each stays null until the matching option
// is parsed, and null means "skip that check":
//
//   $certificates                 - certificate files used to verify the
//                                   signature on the signed EntityDescriptor
//   $validateFingerprint          - fingerprint the signing certificate is
//                                   required to have
//   $validateFingerprintAlgorithm - digest algorithm used to compute that
//                                   fingerprint
//
// With all three unset the metadata is loaded without signature verification.
$certificates = null;
$validateFingerprint = null;
$validateFingerprintAlgorithm = null;

// Metadata files to parse, collected from the non-option arguments.
$files = [];

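// Parse arguments

$progName = array_shift($argv);

// Short options are aliases for their long form. The map is loop-invariant,
// so it is built once instead of on every iteration.
$shortOptMap = [
    '-h' => '--help',
    '-o' => '--out-dir',
    '-s' => '--stdout',
];

/*
 * Abort with a usage hint when an option that needs a value got none.
 *
 * $option is the long option name exactly as the user must type it (the old
 * per-option messages were duplicated and one of them misspelled the option as
 * "--certficate"). $value is the text after '=' or null when no '=' was given;
 * an empty value ("--x=") is treated the same as a missing one.
 */
$requireValue = function ($option, $value) use ($progName) {
    if ($value === null || strlen($value) === 0) {
        echo 'The '.$option.' option requires a parameter.'."\n";
        echo 'Please run `'.$progName.' --help` for usage information.'."\n";
        exit(1);
    }
};

foreach ($argv as $a) {
    if (strlen($a) === 0) {
        continue;
    }

    if ($a[0] !== '-') {
        // Not an option. Assume that it is a file we should parse
        $files[] = $a;
        continue;
    }

    // Split "--name=value" at the first '='; options without '=' get a null value.
    $v = null;
    $eq = strpos($a, '=');
    if ($eq !== false) {
        $v = substr($a, $eq + 1);
        $a = substr($a, 0, $eq);
    }

    if (array_key_exists($a, $shortOptMap)) {
        $a = $shortOptMap[$a];
    }

    switch ($a) {
        case '--certificate':
            // May be repeated: every certificate given is accepted for
            // signature verification (key rollover).
            $requireValue('--certificate', $v);
            $certificates[] = $v;
            break;
        case '--validate-fingerprint':
            $requireValue('--validate-fingerprint', $v);
            $validateFingerprint = $v;
            break;
        case '--validate-fingerprint-algorithm':
            // Previously accepted without a value, which handed an empty
            // algorithm name to the loader; now checked like the other
            // value-taking options.
            $requireValue('--validate-fingerprint-algorithm', $v);
            $validateFingerprintAlgorithm = $v;
            break;
        case '--help':
            printHelp();
            exit(0);
        case '--out-dir':
            $requireValue('--out-dir', $v);
            // Resolved relative to the SimpleSAMLphp base directory, like the default.
            $outputDir = \SimpleSAML\Utils\System::resolvePath($v);
            break;
        case '--stdout':
            $toStdOut = true;
            break;
        default:
            echo 'Unknown option: '.$a."\n";
            echo 'Please run `'.$progName.' --help` for usage information.'."\n";
            exit(1);
    }
}

// At least one metadata file is required.
if (count($files) === 0) {
    echo $progName.': Missing input files. Please run `'.$progName.' --help` for usage information.'."\n";
    exit(1);
}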

// All extracted metadata is accumulated inside this loader instance.
$metaloader = new \SimpleSAML\Module\metarefresh\MetaLoader();

// Verification settings shared by every input file. A null entry is left out
// of the source definition; when all three are null no certificate or
// fingerprint is passed to the loader, i.e. the metadata is loaded without
// signature verification.
$verification = [
    'certificates' => $certificates,
    'validateFingerprint' => $validateFingerprint,
    'validateFingerprintAlgorithm' => $validateFingerprintAlgorithm,
];

foreach ($files as $f) {
    $source = ['src' => $f];
    foreach ($verification as $key => $value) {
        if ($value !== null) {
            $source[$key] = $value;
        }
    }
    $metaloader->loadSource($source);
}

// Emit the result either on stdout or as files under $outputDir.
if ($toStdOut) {
    $metaloader->dumpMetadataStdOut();
} else {
    $metaloader->writeMetadataFiles($outputDir);
}

/**
 * Print the usage text for this script to stdout.
 *
 * Reads the global $progName (set by the argument parser) for the usage line.
 * Every line is written exactly as listed, each terminated by a newline, and
 * the output ends with one blank line.
 *
 * @return void
 */
function printHelp()
{
    global $progName;

    // Advertised default for --validate-fingerprint-algorithm. Only the
    // constant's value is printed here; the default itself is applied by
    // MetaLoader. NOTE(review): this is the SHA-1 identifier, so a deployment
    // that wants a collision-resistant fingerprint check should pass a stronger
    // algorithm explicitly (which values MetaLoader accepts is not visible here).
    $defaultAlgorithm = XMLSecurityDSig::SHA1;

    /*   '======================================================================' */
    $lines = [
        'Usage: '.$progName.' [options] [files]',
        '',
        'This program parses a SAML metadata files and output pieces that can',
        'be added to the metadata files in metadata/.',
        '',
        'Options:',
        ' --certificate=<FILE>         The certificate which should be used',
        '                              to check the signature of the metadata.',
        '                              The file are stored in the cert dir.',
        '                              It is possibility to add multiple',
        '                              --certificate options to handle',
        '                              key rollover.',
        ' --validate-fingerprint=<FINGERPRINT>',
        '                              Check the signature of the metadata,',
        '                              and check the fingerprint of the',
        '                              certificate against <FINGERPRINT>.',
        ' --validate-fingerprint-algorithm=<ALGORITHM>',
        '                              Use <ALGORITHM> to validate fingerprint of',
        '                              the certificate that signed the metadata.',
        '                              Default: '.$defaultAlgorithm.'.',
        ' -h, --help                   Print this help.',
        ' -o=<DIR>, --out-dir=<DIR>    Write the output to this directory. The',
        '                              default directory is metadata-generated/.',
        '                              Path will be relative to the SimpleSAMLphp',
        '                              base directory.',
        ' -s, --stdout                 Write the output to stdout instead of',
        '                              seperate files in the output directory.',
        '',
    ];

    foreach ($lines as $line) {
        echo $line."\n";
    }
}