Add AES-GCM support.

Prep for 3.1.0 release

Author: robrichards

CHANGELOG.txt

@@ -1,6 +1,15 @@
 xmlseclibs.php
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-??, ??? 2018, 3.0.5-dev
+22, Apr 2020, 3.1.0
+Features:
+- Support AES-GCM. Requires PHP 7.1. (François Kooman)
+
+Improvements:
+- Fix Travis tests for older PHP versions.
+- Use DOMElement interface to fix some IDEs reporting documentation errors
+
+Bug Fixes:
+- FIX missing InclusiveNamespaces PrefixList from Java + Apache WSS4J. (njake)
 
 06, Nov 2019, 3.0.4
 Security Improvements:

src/XMLSecurityKey.php

@@ -50,6 +50,9 @@ class XMLSecurityKey
     const AES128_CBC = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc';
     const AES192_CBC = 'http://www.w3.org/2001/04/xmlenc#aes192-cbc';
     const AES256_CBC = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc';
+    const AES128_GCM = 'http://www.w3.org/2009/xmlenc11#aes128-gcm';
+    const AES192_GCM = 'http://www.w3.org/2009/xmlenc11#aes192-gcm';
+    const AES256_GCM = 'http://www.w3.org/2009/xmlenc11#aes256-gcm';
     const RSA_1_5 = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5';
     const RSA_OAEP_MGF1P = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p';
     const DSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1';
@@ -58,6 +61,7 @@ class XMLSecurityKey
     const RSA_SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384';
     const RSA_SHA512 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512';
     const HMAC_SHA1 = 'http://www.w3.org/2000/09/xmldsig#hmac-sha1';
+    const AUTHTAG_LENGTH = 16;
 
     /** @var array */
     private $cryptParams = array();
@@ -142,6 +146,30 @@ public function __construct($type, $params=null)
                 $this->cryptParams['keysize'] = 32;
                 $this->cryptParams['blocksize'] = 16;
                 break;
+            case (self::AES128_GCM):
+                $this->cryptParams['library'] = 'openssl';
+                $this->cryptParams['cipher'] = 'aes-128-gcm';
+                $this->cryptParams['type'] = 'symmetric';
+                $this->cryptParams['method'] = 'http://www.w3.org/2009/xmlenc11#aes128-gcm';
+                $this->cryptParams['keysize'] = 32;
+                $this->cryptParams['blocksize'] = 16;
+                break;
+            case (self::AES192_GCM):
+                $this->cryptParams['library'] = 'openssl';
+                $this->cryptParams['cipher'] = 'aes-192-gcm';
+                $this->cryptParams['type'] = 'symmetric';
+                $this->cryptParams['method'] = 'http://www.w3.org/2009/xmlenc11#aes192-gcm';
+                $this->cryptParams['keysize'] = 32;
+                $this->cryptParams['blocksize'] = 16;
+                break;
+            case (self::AES256_GCM):
+                $this->cryptParams['library'] = 'openssl';
+                $this->cryptParams['cipher'] = 'aes-256-gcm';
+                $this->cryptParams['type'] = 'symmetric';
+                $this->cryptParams['method'] = 'http://www.w3.org/2009/xmlenc11#aes256-gcm';
+                $this->cryptParams['keysize'] = 32;
+                $this->cryptParams['blocksize'] = 16;
+                break;
             case (self::RSA_1_5):
                 $this->cryptParams['library'] = 'openssl';
                 $this->cryptParams['padding'] = OPENSSL_PKCS1_PADDING;
@@ -397,12 +425,22 @@ private function unpadISO10126($data)
     private function encryptSymmetric($data)
     {
         $this->iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($this->cryptParams['cipher']));
-        $data = $this->padISO10126($data, $this->cryptParams['blocksize']);
-        $encrypted = openssl_encrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->iv);
+        $authTag = null;
+        if(in_array($this->cryptParams['cipher'], ['aes-128-gcm', 'aes-192-gcm', 'aes-256-gcm'])) {
+            if (version_compare(PHP_VERSION, '7.1.0') < 0) {
+                throw new Exception('PHP 7.1.0 is required to use AES GCM algorithms');
+            }
+            $authTag = openssl_random_pseudo_bytes(self::AUTHTAG_LENGTH);
+            $encrypted = openssl_encrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA, $this->iv, $authTag);
+        } else {
+            $data = $this->padISO10126($data, $this->cryptParams['blocksize']);
+            $encrypted = openssl_encrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->iv);
+        }
+        
         if (false === $encrypted) {
             throw new Exception('Failure encrypting Data (openssl symmetric) - ' . openssl_error_string());
         }
-        return $this->iv . $encrypted;
+        return $this->iv . $encrypted . $authTag;
     }
 
     /**
@@ -416,11 +454,24 @@ private function decryptSymmetric($data)
         $iv_length = openssl_cipher_iv_length($this->cryptParams['cipher']);
         $this->iv = substr($data, 0, $iv_length);
         $data = substr($data, $iv_length);
-        $decrypted = openssl_decrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->iv);
+        $authTag = null;
+        if(in_array($this->cryptParams['cipher'], ['aes-128-gcm', 'aes-192-gcm', 'aes-256-gcm'])) {
+            if (version_compare(PHP_VERSION, '7.1.0') < 0) {
+                throw new Exception('PHP 7.1.0 is required to use AES GCM algorithms');
+            }
+            // obtain and remove the authentication tag
+            $offset = 0 - self::AUTHTAG_LENGTH;
+            $authTag = substr($data, $offset);
+            $data = substr($data, 0, $offset);
+            $decrypted = openssl_decrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA, $this->iv, $authTag);
+        } else {
+            $decrypted = openssl_decrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->iv);
+        }
+        
         if (false === $decrypted) {
             throw new Exception('Failure decrypting Data (openssl symmetric) - ' . openssl_error_string());
         }
-        return $this->unpadISO10126($decrypted);
+        return null !== $authTag ? $decrypted : $this->unpadISO10126($decrypted);
     }
 
     /**

tests/aes128-gcm-res.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Basic XML example -->
+<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><xenc:CipherData><xenc:CipherValue>rrX5MGztfar3yQz1IAyH4g2rC2g/YoSfS+AU0VnYh3F1bAlqiZADO//zVgntSG+YmzOZf3AxnZkbQgeU0SqqhHQANaWXk9cQcam6YvmP7m+Mz61i3zx3NUnf+5VE//JPIDB/nAoEv1lS/fjHdwUlRhksM8eiI8QZQRnwR46xlK5ixCdnjS1TZWB+lMqnKGsYGCCy8uY0FhhQuC/EHsved66b4fkgOZV2RUng8kSFB14Sbl7+BGgTBK0wEf3jxUHOLKyaJ7pR9iuDuB6iwJ6iAR+hxIPvImX8swSSA6XRmFjO2eQJ0sJrZDKj5If4cgy5PGSr+Dn5XhawY0SnuAz9Wg==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></dsig:KeyInfo>
+   <xenc:CipherData>
+      <xenc:CipherValue>NOP0SiaC1UmFtGOa+42ucZxEDMVzxVYCdY0qcIauDmbg4cac0SEMBdzB0H9UJVm8JQ0w/G83ItWaD94ruPI9TFaA6Xlzz0rWyB58xzeTgQj8tjsRewZ+P1IbfZQ5lYMfXcUW</xenc:CipherValue>
+   </xenc:CipherData>
+</xenc:EncryptedData>

tests/aes192-gcm-res.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Basic XML example -->
+<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><xenc:CipherData><xenc:CipherValue>wUHsk5XjaGLrW0BFPd5PqeZfbrGvtEblHVSx97yt20I4QGxrA86fqUg7IL/W1qEpolYiuTFHjOjdZtZVjdbk5K6qbU7v/CgCOq7A9BUGsIodQoNWMP4g8JlHzz+QC+A6MPdpE5FWY5nqlvp9uEc/AEj6sgwer0m4+yTckPyS3q43Lq8f7UpKtUf7KtdtpxO8z3JRFxIrel9WCG7SHgKwqQGK1tBdpqOrAFx/zJ8NyPB0Q4OiArRTW/2bL3ilo2cmaSdqn5NNafKxYnRihMZbSxEaELjVsUKOAGTtUX1BK3FVeRE4hppi1Tt8Q014c21nVK5IU8efMlHm4Gy93o21nw==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></dsig:KeyInfo>
+   <xenc:CipherData>
+      <xenc:CipherValue>ECGYFdVmVq4bzwcRmfF7N8R8ZtP04wNFb6kmMOvjKUUhXOAfMVuCFr5vK80Ehkc4J6xOVvz0yPAXeY9N7piEN0A0JjJ9lNgyBSi0a0ssDBqZgg+cSF0/xzJ1ucem68FByQcu</xenc:CipherValue>
+   </xenc:CipherData>
+</xenc:EncryptedData>

tests/aes256-gcm-res.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Basic XML example -->
+<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><xenc:CipherData><xenc:CipherValue>iiuhKthdJ7GKUL51Zr4XlbB9+BuhHUObOq3k6AHiNemgktyJom8BXMVI4lVcMScs8IYqF12fn/0xvCmhBJa2l/Hv0SxJOSpCDF6gdXc8d5H5knrQjJuYfy6XqBS2XidGN1vt/oMkbV7D+K+IHzXsHlrhpJTtqy9XJzZ+rAn3C5HfiFgkPwSrPzNYEc6BTFTJc8LIo+CFrEbDzPg5e4infwFs1w4VNTHJ+1AF3JqMxY+tj1o+uVGIAgktkY32yJMlk+PefYcyqh2UWXHVGHCMmxZqDUghhKjy11qi/arXmHBAHGhI4ZFGX2apjpvuxUDy5xcMlc0M2kUq3l7Aypmrbg==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></dsig:KeyInfo>
+   <xenc:CipherData>
+      <xenc:CipherValue>ZUssRnr2VTgYBN4nIxa3bsRpcwuRHT/Cw8tBryriqCgI8HfaNg+Qgpnhs24pCepUQ8GoAz7//XWvJxJjAcNUNbhfepSn6yHpVjGEp/LscqAvjSNfsGSXBK+17PVgWE4A7+OT</xenc:CipherValue>
+   </xenc:CipherData>
+</xenc:EncryptedData>

tests/saml/encryption.key

@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQC29B4AeU9blbZr
+QXmHO4JlzqR2sSEgHozA0xXpd88pW1mh7tM/pNumo+KQpzlUuLSnxmhJpAsjPspZ
+HQzFZwp+OqacRYXpXJh9w8X8NHsNrwkhk8KDkhDHcelMPgXi+J5Jh6+4klsMweMj
+Z6jlEo2NYbeBtK3nndh9gcrjFvPnZf0uI3NwyM0T9VRfjaATYl0VPP1qKo2bPUqr
+KoGEoys9+E3DUVlflTLkfNOQeb8zMc1cbgCsiGVv/PXk6oPF+nerG/CbswQpH36y
+24Y/ApF7HodBZdj49bZdqaTRGFrw0BePyw7DUBivf5wrONI+cA/592f3dyScASRG
+g1RufaE4j+SC+5cBlRnqAXrk7Z482AndwIRPJshy8W3BpjKK85sDr8JYt6oObmIv
+zO15mv6f3p4agFxxkbmlEQEveuICasQCH1hnNiyqfAI5Ur5ncWPJrsDB+wsTqcxw
+nlPkpe7n9DOIcFfSOYG2aYZhbwsx3/UmoF0XntqBRBG8pxAFUE0CAwEAAQKCAYEA
+lClqSpPzcoXx7zZdBulolq4cfoq/+tUCw/2uVx5RxHpYQk25AmeuAmviRadHRJc4
+pk6Fkm2pH2fwUu61sv/ZfZRd7VxYMD5uuBrdsXuG0/QWfvy8n/SgZgSYHMh11/Pj
+rESYR+8ukUxLeBawrqKxw/eItx/tXg90jV+ZQQMLjzAHM2A+Uu4rNqiNJbz6D/iu
+zU5RI7NGbpvaZnfL3/CMSmlWAIFW0ZNwXZ3Bb9VIxFrmpp3nKdJj46eGM1bAVIqb
+Eh3lVdAIPLxhsImQNwfiZElul7+jtYD+1mqVfGLzIJLzJjifQlcxWiXFPy8XKoh1
+Fg1SjGNnfb6Z/4lTV8oyLsC+Wq7uzxYxCVrNuOF43TBr/N1U7r8+GPYT19aFxzMY
+n70JQYlwjikOWReZ/TGdPFLQhgYZIchU6oyB/gaa2JbKhjBJMIGAuekGvusJEUua
+ea71dlYut3tAIYmHjJ/nDnSe1TNfRLZHDAZU1nI5QwPecPZhARmUcOithdFsg+i5
+AoHBAPN+71Ogn/hrOZ6QnVd/mcc85dtIfL35tLDsHpXGRXNTBMRoZ3TbBtw5FoXu
+e+6BBxq5GdDP8NKaXehbZmPN1Wga4/wbzpT2xn+R2Dl4HFf7+UbW1qt+r1TmQ/0t
+P81yZ/lEX6XedyJSfUCdM6lABcoNrvFGcpPNcm+8+kY1OSAwotODim8y0iOoLpRh
+o/p+NMrlYlfwL+NukdfJjyXUQZ0FWq4QpI2BY8cEh04GpPqVZYpNd8QMAQH4sddM
+vz2CFwKBwQDAWUbWTxRvgKgmCXE2WHxCj1t937gaH6Z02VPDmbR2wTEKobBes1UO
+yp6+CHdkr6CbFgRTGL86LGIlOSK8x860KvdiZJqe5LCWeZhyEFT0m1kArNYRsDxs
+jxcjw0oEZUW99bA/UsdItiVYlEK8/vUt6VY5fOfetH4Q538l0C9igPYkebcj8RiB
+jUGl9K6rA9DiKr06OXIYu02Y/LOVMf5B6imAhYON7olLS0EYcrGmGY6rvsl3/OZ4
+UHdQ8yjYczsCgcEA1vU4Upt6ndQLCfCg9p2vJDSetvdHKG9JFOdeGNrwdN7VVo7U
+xlSVudSsDZB72BIQM4c1QyJPd5zPSlFmErWjsEQNAIOL2/X/Rp96Q0HFw+auKdt/
+p+Yu4sRlQRyxNq3JHEVAKy45/hLUgDZHZSMf+UAbMOUAQXsdi4dJarGRvNky5Yc6
+rvAuk0vl0xhfqsO/116pcviXTjBOkDFgLgUz52rSotgObN3NN+THjhpPiuhYu7+n
++2qdeSAT3/3g1mwBAoHAPmZ4GZxsB8RYSIa1qKjKHxm817gVVLxB1xSOHR2nMwN3
+snhD7GUHShYnq4S5nvtvAgEBhCe6Gdg+Os8vWskDYOWzfcMfej68nwRxlUeBGB2x
+oQtxIynmYF2HZz26rHRiTL8A33ouVoNo2DS49fFMfwl8xIel/VTWtQs074J7bNxj
+fe/SnyFfDuBRlNItPCOvxz+QRexO/ID/KouIgvVGBAJAVoZ56DijZ77RLmo/AaC2
+7Tamy3tLFWsdWjCYZqfzAoHAN54VE6Yn1OLb6q1WAskrS+OxigDRyT5DUKqPrdjf
+nfuibfm/BiSEofqV0KP7l2pGuLqPkVSXnWbbp1gNhKi3Rmr0sMTJhkYT3jyHk51k
+qRoJPBtIa6I62cAA6BNDLPiLYawF62fS5E+0jEDaCh1CpRKg0sBd+f9lJq88updg
+LakoPQfgYpX/B4NdZnuLb7eSlj4k3fxfMh7eb5U/TGASUVskFJ23CMBk0Z7IKJcm
+hd3JVswLnFqpRTh+ZTDZRU8F
+-----END PRIVATE KEY-----

tests/saml/encryption_rsa.key

@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG5AIBAAKCAYEAtvQeAHlPW5W2a0F5hzuCZc6kdrEhIB6MwNMV6XfPKVtZoe7T
+P6TbpqPikKc5VLi0p8ZoSaQLIz7KWR0MxWcKfjqmnEWF6VyYfcPF/DR7Da8JIZPC
+g5IQx3HpTD4F4vieSYevuJJbDMHjI2eo5RKNjWG3gbSt553YfYHK4xbz52X9LiNz
+cMjNE/VUX42gE2JdFTz9aiqNmz1KqyqBhKMrPfhNw1FZX5Uy5HzTkHm/MzHNXG4A
+rIhlb/z15OqDxfp3qxvwm7MEKR9+stuGPwKRex6HQWXY+PW2Xamk0Rha8NAXj8sO
+w1AYr3+cKzjSPnAP+fdn93cknAEkRoNUbn2hOI/kgvuXAZUZ6gF65O2ePNgJ3cCE
+TybIcvFtwaYyivObA6/CWLeqDm5iL8zteZr+n96eGoBccZG5pREBL3riAmrEAh9Y
+ZzYsqnwCOVK+Z3Fjya7AwfsLE6nMcJ5T5KXu5/QziHBX0jmBtmmGYW8LMd/1JqBd
+F57agUQRvKcQBVBNAgMBAAECggGBAJQpakqT83KF8e82XQbpaJauHH6Kv/rVAsP9
+rlceUcR6WEJNuQJnrgJr4kWnR0SXOKZOhZJtqR9n8FLutbL/2X2UXe1cWDA+brga
+3bF7htP0Fn78vJ/0oGYEmBzIddfz46xEmEfvLpFMS3gWsK6iscP3iLcf7V4PdI1f
+mUEDC48wBzNgPlLuKzaojSW8+g/4rs1OUSOzRm6b2mZ3y9/wjEppVgCBVtGTcF2d
+wW/VSMRa5qad5ynSY+OnhjNWwFSKmxId5VXQCDy8YbCJkDcH4mRJbpe/o7WA/tZq
+lXxi8yCS8yY4n0JXMVolxT8vFyqIdRYNUoxjZ32+mf+JU1fKMi7Avlqu7s8WMQla
+zbjheN0wa/zdVO6/Phj2E9fWhcczGJ+9CUGJcI4pDlkXmf0xnTxS0IYGGSHIVOqM
+gf4GmtiWyoYwSTCBgLnpBr7rCRFLmnmu9XZWLrd7QCGJh4yf5w50ntUzX0S2RwwG
+VNZyOUMD3nD2YQEZlHDorYXRbIPouQKBwQDzfu9ToJ/4azmekJ1Xf5nHPOXbSHy9
++bSw7B6VxkVzUwTEaGd02wbcORaF7nvugQcauRnQz/DSml3oW2ZjzdVoGuP8G86U
+9sZ/kdg5eBxX+/lG1tarfq9U5kP9LT/Ncmf5RF+l3nciUn1AnTOpQAXKDa7xRnKT
+zXJvvPpGNTkgMKLTg4pvMtIjqC6UYaP6fjTK5WJX8C/jbpHXyY8l1EGdBVquEKSN
+gWPHBIdOBqT6lWWKTXfEDAEB+LHXTL89ghcCgcEAwFlG1k8Ub4CoJglxNlh8Qo9b
+fd+4Gh+mdNlTw5m0dsExCqGwXrNVDsqevgh3ZK+gmxYEUxi/OixiJTkivMfOtCr3
+YmSanuSwlnmYchBU9JtZAKzWEbA8bI8XI8NKBGVFvfWwP1LHSLYlWJRCvP71LelW
+OXzn3rR+EOd/JdAvYoD2JHm3I/EYgY1BpfSuqwPQ4iq9OjlyGLtNmPyzlTH+Qeop
+gIWDje6JS0tBGHKxphmOq77Jd/zmeFB3UPMo2HM7AoHBANb1OFKbep3UCwnwoPad
+ryQ0nrb3RyhvSRTnXhja8HTe1VaO1MZUlbnUrA2Qe9gSEDOHNUMiT3ecz0pRZhK1
+o7BEDQCDi9v1/0afekNBxcPmrinbf6fmLuLEZUEcsTatyRxFQCsuOf4S1IA2R2Uj
+H/lAGzDlAEF7HYuHSWqxkbzZMuWHOq7wLpNL5dMYX6rDv9deqXL4l04wTpAxYC4F
+M+dq0qLYDmzdzTfkx44aT4roWLu/p/tqnXkgE9/94NZsAQKBwD5meBmcbAfEWEiG
+taioyh8ZvNe4FVS8QdcUjh0dpzMDd7J4Q+xlB0oWJ6uEuZ77bwIBAYQnuhnYPjrP
+L1rJA2Dls33DH3o+vJ8EcZVHgRgdsaELcSMp5mBdh2c9uqx0Yky/AN96LlaDaNg0
+uPXxTH8JfMSHpf1U1rULNO+Ce2zcY33v0p8hXw7gUZTSLTwjr8c/kEXsTvyA/yqL
+iIL1RgQCQFaGeeg4o2e+0S5qPwGgtu02pst7SxVrHVowmGan8wKBwDeeFROmJ9Ti
+2+qtVgLJK0vjsYoA0ck+Q1Cqj63Y3537om35vwYkhKH6ldCj+5dqRri6j5FUl51m
+26dYDYSot0Zq9LDEyYZGE948h5OdZKkaCTwbSGuiOtnAAOgTQyz4i2GsBetn0uRP
+tIxA2godQqUSoNLAXfn/ZSavPLqXYC2pKD0H4GKV/weDXWZ7i2+3kpY+JN38XzIe
+3m+VP0xgElFbJBSdtwjAZNGeyCiXJoXdyVbMC5xaqUU4fmUw2UVPBQ==
+-----END RSA PRIVATE KEY-----

tests/saml/saml-decrypt.phpt

@@ -0,0 +1,78 @@
+--TEST--
+Basic Decryption
+--FILE--
+<?php
+require(dirname(__FILE__) . '/../../xmlseclibs.php');
+use RobRichards\XMLSecLibs\XMLSecEnc;
+
+/* When we need to locate our own key based on something like a key name */
+function locateLocalKey($objKey) {
+	/* In this example the key is identified by filename */
+	$filename = $objKey->name;
+	if (! empty($filename)) {
+		$objKey->loadKey(dirname(__FILE__) . "/$filename", TRUE);
+	} else {
+		$objKey->loadKey(dirname(__FILE__) . "/encryption_rsa.key", TRUE);
+	}
+}
+
+$testFile = "saml-encrypted.xml";
+
+$output = NULL;
+
+$doc = new DOMDocument();
+$doc->load(dirname(__FILE__) . "/$testFile");
+
+try {
+	$objenc = new XMLSecEnc();
+	$encData = $objenc->locateEncryptedData($doc);
+	if (! $encData) {
+		throw new Exception("Cannot locate Encrypted Data");
+	}
+	$objenc->setNode($encData);
+	$objenc->type = $encData->getAttribute("Type");
+	if (! $objKey = $objenc->locateKey()) {
+		throw new Exception("We know the secret key, but not the algorithm");
+	}
+	$key = NULL;
+	
+	if ($objKeyInfo = $objenc->locateKeyInfo($objKey)) {
+		if ($objKeyInfo->isEncrypted) {
+			$objencKey = $objKeyInfo->encryptedCtx;
+			locateLocalKey($objKeyInfo);
+			$key = $objencKey->decryptKey($objKeyInfo);
+		}
+	}
+	
+	if (! $objKey->key && empty($key)) {
+		locateLocalKey($objKey);
+	}
+	if (empty($objKey->key)) {
+		$objKey->loadKey($key);
+	}
+	
+	$token = NULL;
+
+	if ($decrypt = $objenc->decryptNode($objKey, TRUE)) {
+		$output = NULL;
+		
+		$xpath = new DOMXpath($decrypt->ownerDocument);
+		$xpath->registerNamespace('saml2p', 'urn:oasis:names:tc:SAML:2.0:protocol');
+		$xpath->registerNamespace('saml2', 'urn:oasis:names:tc:SAML:2.0:assertion');
+		
+		$xpathQuery = 'string(/saml2p:Response/saml2:EncryptedAssertion/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute/saml2:AttributeValue/saml2:NameID/text())';
+		
+		$nameID = $xpath->evaluate($xpathQuery);
+		
+		print "$nameID\n";
+		
+	} else {
+		throw new Exception("Unable to decrypt node");;
+	}
+} catch (Exception $e) {
+	var_dump($e);
+}
+	
+?>
+--EXPECTF--
+KYzsRqRzQY5qp+bv9T8bHA/AvsI=