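/**
 * Sign a SAML element, embedding the signing certificate when one is available.
 *
 * The signing key is taken from the destination metadata when it configures its own
 * 'signature.privatekey'; otherwise this entity's own key (from $srcMetadata) is used.
 * The signature algorithm is resolved in the same order ('signature.algorithm' in the
 * destination metadata, then in the source metadata) and defaults to RSA-SHA256.
 *
 * @param SimpleSAML_Configuration $srcMetadata Metadata of the sending entity (us).
 * @param SimpleSAML_Configuration $dstMetadata Metadata of the receiving entity.
 * @param \SAML2\SignedElement     $element     The element to sign; it is modified in place.
 *
 * @return void
 *
 * The private key is loaded with required=true, so a missing key is expected to surface
 * as an exception from SimpleSAML\Utils\Crypto::loadPrivateKey rather than as a null
 * return — verify against that helper.
 */
public static function addSign(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, \SAML2\SignedElement $element)
{
    // A destination may dictate the key we sign with; otherwise sign with our own key.
    $dstPrivateKey = $dstMetadata->getString('signature.privatekey', null);
    if ($dstPrivateKey !== null) {
        $keyArray  = SimpleSAML\Utils\Crypto::loadPrivateKey($dstMetadata, true, 'signature.');
        $certArray = SimpleSAML\Utils\Crypto::loadPublicKey($dstMetadata, false, 'signature.');
    } else {
        $keyArray  = SimpleSAML\Utils\Crypto::loadPrivateKey($srcMetadata, true);
        $certArray = SimpleSAML\Utils\Crypto::loadPublicKey($srcMetadata, false);
    }

    $algo = $dstMetadata->getString('signature.algorithm', null);
    if ($algo === null) {
        /*
         * NIST Special Publication 800-131A deprecated SHA-1 for generating new digital
         * signatures in 2011 and disallowed it from the 1st of January, 2014, so the
         * default here is RSA-SHA256. Deployments that still need the previous default
         * must opt in explicitly by setting 'signature.algorithm' to
         * XMLSecurityKey::RSA_SHA1 in their metadata.
         *
         * See http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf for more info.
         */
        $algo = $srcMetadata->getString('signature.algorithm', XMLSecurityKey::RSA_SHA256);
    }

    $privateKey = new XMLSecurityKey($algo, array('type' => 'private'));
    if (array_key_exists('password', $keyArray)) {
        // Encrypted private key: the passphrase must be set before loadKey() parses the PEM.
        $privateKey->passphrase = $keyArray['password'];
    }
    // The PEM content is passed inline (second argument false = not a file path).
    $privateKey->loadKey($keyArray['PEM'], false);
    $element->setSignatureKey($privateKey);

    if ($certArray === null) {
        // No public key configured: sign without embedding a certificate.
        return;
    }
    if (!array_key_exists('PEM', $certArray)) {
        // The public key is only known by fingerprint; there is no certificate to embed.
        return;
    }
    $element->setCertificates(array($certArray['PEM']));
}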