Download the PHP package webcoder31/ezxmldsig without Composer
On this page you can find all versions of the php package webcoder31/ezxmldsig. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download webcoder31/ezxmldsig
More information about webcoder31/ezxmldsig
Files in webcoder31/ezxmldsig
Package ezxmldsig
Short Description An easy-to-use set of PHP classes for common use cases of XML Digital Signatures
License CeCILL-C
Homepage https://github.com/webcoder31/ezxmldsig
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Rated 5.00 based on 1 reviews
Informations about the package ezxmldsig
EZXMLDSIG: An easy-to-use set of PHP classes for common use cases of XML Digital Signatures
Built on the library xmlseclibs developed by Rob Richards (https://github.com/robrichards/xmlseclibs), the library ezxmldsig is designed to make it easy to use XML digital signatures for various purposes such as Single Sign On login, token based authentication, document electronic signature, data integrity guarantee, and so on.
The author of the ezxmldsig library is Thierry Thiers.
Requirements
The library ezxmldsig requires PHP version 5.6 or greater and the version 2.0.1 of the library xmlseclibs developed by Rob Richards.
How to Install?
The library ezxmldsig is available on www.pakagist.org and you can nstall it for your project with composer.phar.
NOTE: As long as the library ezxmldsig is still a BETA version you should indicate the desired version tag to avoid composer issues due to stability requirements on package installation:
You can also clone it (or download it as a ZIP archive) from its GitHub repositary and load it the way you want in your project. In this case, you will have to do the same from the xmlseclib GitHub repositary of Rob Richards.
What's in the box?
XMLDSigToken class
The XMLDSigToken class allows creating and analyzing enveloping XML Digital Signature containing timestamped user data that may also be encrypted, also called XML token. With such tokens, you may create your own Single Sign On solution. You can secure access to your Web Services, as with JSON Web Token. You can transmit data in a secure way without having SSL connection. Or anything you can think of that requires such kind of features.
The XMLDSigToken class offers the following features:
1) It build an XML token from a flat or multidimensional associative array representing the user data and retrieve it in the same way.
2) It allows chossing the various algorithms that should be used to build the XML Digital Signature. The ones used by default are the following:
- Algorithm used to canonalize data before signing is: http://www.w3.org/TR/2001/REC-xml-c14n-20010315.
- Algorithm used to generate the signature is: http://www.w3.org/2000/09/xmldsig#rsa-sha1.
- Algorithm used to compute the hash of contained data is: http://www.w3.org/2000/09/xmldsig#sha1.
- Algorithm used to encode user data values is: Base64.
3) It is also capable of encrypting / decrypting token data for safe use with an unsecured HTTP connection, providing the same level of security as an SSL connection. The class allows chosing the algorithms that should be used to perform data encryption. By default it uses the following ones:
- Algorithm used to encrypt data is: http://www.w3.org/2001/04/xmlenc#aes128-cbc (symmetric ciphering).
- Algorithm used to encrypt the session key that will be used to cypher data is: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p (asymmetric ciphering).
4) It guarantees the integrity of the user data stored in the XMLDSig token by verifying that:
- The XML digital signature meets the XMLDSIG specifications.
- The algorithms used to construct the XML digital signature are those expected.
- The token contained in the XML digital signature has not been altered.
5) It is also able to verify with confidence that the token is not out of date because the token timestamp is signed too.
6) It may perform variuous checkings on the X.509 certificate included the XML Digital Signature:
- Ensure that the certificate is not out of date.
- Check the issuer of the certificate.
- Verify the origin of the certificate.
X509Cert class
The X509Cert class provides a set of convenient methods for extracting essential information contained in an X.509 certificate and for performing some useful checkings. In particular, it can verify the origin of the X.509 certificate by using the intermediate certificate used by the CA to perform its signature (CSR). This class is used internaly by the XMLDSigToken class.
Other classes coming soon...
More classes will be provided soon, in order to support other useful usages of XML Digital Signatures, i.e. signing an internet resource or a mail attachment.
How to use?
NOTE: The library ezxmldsig is designed to work with cryptographic material in PEM format.
XMLDSigToken: Creating a signed XML token
The example below shows basic usage of the XMLDSigToken class for creating a signed token enveloped in an XML Digital Signature.
To do so, the XMLDSigToken class requires an assymmetric cryptographic key pair:
- A private key the class will use to sign the token.
- The password that allows reading the private key (Optional - Depends on how the private key was created).
- The X.509 certificate related to the private key that will be included within the XML Digital Signature in order to allow the recipient verifying the token integrity.
Source code
Result
XMLDSigToken: Creating a signed XML token with encrypted user data
The example below shows how to use the XMLDSigToken class for creating a signed token whose user data will be encrypted.
To do so, the XMLDSigToken class requires another assymmetric cryptographic key pair in order to perform user data encryption:
- An X.509 certificate whose public key will be used by the class to encrypt a session key that will be used to cypher user data.
- The private key related to the certificate. This key will be used by the class only to verify that it has correctly cyphered the user data once encryption is done. The token recipient must have this key in order to decrypt the user data.
- The password that allows reading the private key (Optional - Depends on how the private key was created).
Source code
Result
XMLDSigToken: Checking an XML token
In the following example, we will assume that we will receive the XML digital signature (in a Base64 coded field of an HTTP POST request) from an approved source that we want to ensure is the issuer. We will extract the signature from the POST request and we will perform all checkings to make sure we can trust the received user data.
Source code
Examples
Similar examples are provided in the examples directory along with cryptographic material.
Simply visit the file index.html to see them in action (need to be hosted on an HTTP / PHP server).
NOTE: To work out of the box, theses examples require that you've installed the library ezxmldsig using composer.
Documentation
Online documentation is available here : EZXMLDSIG Documentation.
