根据 PHP 中的证书验证 SAML 响应中的数字签名

使用 xmldsig 语法签名的 XML 有 3 个重要部分：

1. Signature -> KeyInfo包含有关从用于对数据进行签名的私钥派生的公钥的信息
2. Signature -> SignedInfo包含将使用上述私钥签名的数据;数据包含有关如何计算验证的信息，例如：、 、CanonicalizationMethodSignatureMethodReference
3. Signature -> SignatureValue包含使用私钥签名时生成的签名的值Signature -> SignedInfo

从理论上讲，这就是代码应该如何查找 rsa-sha1 算法（由 指定），具有以下规范化方法：独占 XML 规范化 1.0（省略注释）和提供的 x509 证书：Signature -> SignedInfo -> SignatureMethod

$xmlDoc = new DOMDocument();
$xmlDoc->loadXML($xmlString);

$xpath = new DOMXPath($xmlDoc);
$xpath->registerNamespace('secdsig', 'http://www.w3.org/2000/09/xmldsig#');

// fetch Signature node from XML
$query = ".//secdsig:Signature";
$nodeset = $xpath->query($query, $xmlDoc);
$signatureNode = $nodeset->item(0);

// fetch SignedInfo node from XML
$query = "./secdsig:SignedInfo";
$nodeset = $xpath->query($query, $signatureNode);
$signedInfoNode = $nodeset->item(0);

// canonicalize SignedInfo using the method descried in
// ./secdsig:SignedInfo/secdsig:CanonicalizationMethod/@Algorithm
$signedInfoNodeCanonicalized = $signedInfoNode->C14N(true, false);

// fetch the x509 certificate from XML
$query = 'string(./secdsig:KeyInfo/secdsig:X509Data/secdsig:X509Certificate)';
$x509cert = $xpath->evaluate($query, $signatureNode);
// we have to re-wrap the certificate from XML to respect the PEM standard
$x509cert = "-----BEGIN CERTIFICATE-----\n"
    . $x509cert . "\n"
    . "-----END CERTIFICATE-----";
// fetch public key from x509 certificate
$publicKey = openssl_get_publickey($x509cert);

// fetch the signature from XML
$query = 'string(./secdsig:SignatureValue)';
$signature = base64_decode($xpath->evaluate($query, $signatureNode));

// verify the signature
$ok = openssl_verify($signedInfoNodeCanonicalized, $signature, $publicKey);    

这个库在php中实现xmldsig方面做得很好：xmlseclibs;如何验证 xmldsig 的示例可以在这里找到：https://github.com/robrichards/xmlseclibs/blob/master/tests/xmlsec-verify.phpt。这个库还验证了 的摘要值，我在上面省略了一个步骤。Signature -> SignedInfo -> Reference

我建议你使用 https://github.com/lightSAML/lightSAML。它使用 xmlseclibs 并实现了完整的 SAML SSO SP 配置文件。从 HTTP POST 轻松接收 SAML 响应并验证其签名示例是否在 LightSAML 说明书中给出 http://www.lightsaml.com/LightSAML-Core/Cookbook/How-to-receive-SAML-message/ 和 http://www.lightsaml.com/LightSAML-Core/Cookbook/How-to-verify-signature-of-SAML-message/，整个代码将如下所示

$request = \Symfony\Component\HttpFoundation\Request::createFromGlobals();

$bindingFactory = new \LightSaml\Binding\BindingFactory();
$binding = $bindingFactory->getBindingByRequest($request);

$messageContext = new \LightSaml\Context\Profile\MessageContext();
/** @var \LightSaml\Model\Protocol\Response $response */
$response = $binding->receive($request, $messageContext);

$key = \LightSaml\Credential\KeyHelper::createPublicKey(
    \LightSaml\Credential\X509Certificate::fromFile(__DIR__.'/../web/sp/saml.crt')
);

/** @var \LightSaml\Model\XmlDSig\SignatureXmlReader $signatureReader */
$signatureReader = $authnRequest->getSignature();

try {
    $ok = $signatureReader->validate($key);

    if ($ok) {
        print "Signaure OK\n";
    } else {
        print "Signature not validated";
    }
} catch (\Exception $ex) {
    print "Signature validation failed\n";
}

通过完整的 SAML SSO 配置文件特定操作处理响应的操作远不止于此，对于这些详细信息，您可以在 https://github.com/lightSAML/lightSAML/blob/master/web/sp/acs.php 中检查示例，或者如果您使用的是 Symfony https://github.com/lightSAML/SpBundle