diff --git a/docs/simplesamlphp-reference-idp-hosted.txt b/docs/simplesamlphp-reference-idp-hosted.txt
index e0b9a21bb3583af473f2d0b91c2a9c27997a1769..b2d14bab0a3f78b8fe2ce6740e386503e6ed8139 100644
--- a/docs/simplesamlphp-reference-idp-hosted.txt
+++ b/docs/simplesamlphp-reference-idp-hosted.txt
@@ -165,6 +165,11 @@ The following SAML 2.0 options are available:
: (This option was previously named `AttributeNameFormat`.)
+`encryption.blacklisted-algorithms`
+: Blacklisted encryption algorithms. This is an array containing the algorithm identifiers.
+
+: Note that this option can be set for each SP in the [SP-remote metadata](./simplesamlphp-reference-sp-remote).
+
`https.certificate`
: The certificate used by the webserver when handling connections.
This certificate will be added to the generated metadata of the IdP,
diff --git a/docs/simplesamlphp-reference-idp-remote.txt b/docs/simplesamlphp-reference-idp-remote.txt
index d39812cce1023f855d93c71634c442896f30d741..e8af4109a7246f7ea12e72955062c9480f0f82eb 100644
--- a/docs/simplesamlphp-reference-idp-remote.txt
+++ b/docs/simplesamlphp-reference-idp-remote.txt
@@ -98,6 +98,13 @@ SAML 2.0 options
The following SAML 2.0 options are available:
+`encryption.blacklisted-algorithms`
+: Blacklisted encryption algorithms. This is an array containing the algorithm identifiers.
+
+: Note that this option also exists in the SP configuration. This
+ entry in the IdP-remote metadata overrides the option in the
+ [SP configuration](./saml:sp).
+
`nameid.encryption`
: Whether NameIDs sent to this IdP should be encrypted. The default
value is `FALSE`.
diff --git a/docs/simplesamlphp-reference-sp-remote.txt b/docs/simplesamlphp-reference-sp-remote.txt
index 16b54b3583d664f89f764e15e8f6dcb13242518f..73eca20c8bd7ec699dd3ba16caa65392bad8a756 100644
--- a/docs/simplesamlphp-reference-sp-remote.txt
+++ b/docs/simplesamlphp-reference-sp-remote.txt
@@ -155,6 +155,13 @@ The following SAML 2.0 options are available:
: (This option was previously named `AttributeNameFormat`.)
+`encryption.blacklisted-algorithms`
+: Blacklisted encryption algorithms. This is an array containing the algorithm identifiers.
+
+: Note that this option also exists in the IdP-hosted metadata. This
+ entry in the SP-remote metadata overrides the option in the
+ [IdP-hosted metadata](./simplesamlphp-reference-idp-hosted).
+
`ForceAuthn`
: Set this `TRUE` to force the user to reauthenticate when the IdP
receives authentication requests from this SP. The default is
diff --git a/modules/saml/docs/sp.txt b/modules/saml/docs/sp.txt
index 673d69ca9e021dce7d9418e768b4974e66efc093..e536aac293aaf15200e0b020b51c5033f2d66818 100644
--- a/modules/saml/docs/sp.txt
+++ b/modules/saml/docs/sp.txt
@@ -227,6 +227,12 @@ Options
If this is unset, the IdP discovery service specified in the global option `idpdisco.url.{saml20|shib13}` in `config/config.php` will be used.
If that one is also unset, the builtin default discovery service will be used.
+`encryption.blacklisted-algorithms`
+: Blacklisted encryption algorithms. This is an array containing the algorithm identifiers.
+
+: Note that this option can be set for each IdP in the [IdP-remote metadata](./simplesamlphp-reference-idp-remote).
+
+: *Note*: SAML 2 specific.
`entityID`
: The entity ID this SP should use.
diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index c5ad1b5b1991eb6c678ff9c7f7365a66a8fc8ae2..02eca94cc62ce328e0976a9ac38078b686d5155d 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -287,6 +287,26 @@ class sspmod_saml_Message {
}
+ /**
+ * Retrieve blacklisted algorithms.
+ *
+ * Remote configuration overrides local configuration.
+ *
+ * @param SimpleSAML_Configuration $srcMetadata The metadata of the sender.
+ * @param SimpleSAML_Configuration $dstMetadata The metadata of the recipient.
+ * @return array Array of blacklisted algorithms.
+ */
+ public static function getBlacklistedAlgorithms(SimpleSAML_Configuration $srcMetadata,
+ SimpleSAML_Configuration $dstMetadata) {
+
+ $blacklist = $srcMetadata->getArray('encryption.blacklisted-algorithms', NULL);
+ if ($blacklist === NULL) {
+ $blacklist = $dstMetadata->getArray('encryption.blacklisted-algorithms', array());
+ }
+ return $blacklist;
+ }
+
+
/**
* Decrypt an assertion.
*
@@ -322,10 +342,12 @@ class sspmod_saml_Message {
throw new SimpleSAML_Error_Exception('Error decrypting assertion: ' . $e->getMessage());
}
+ $blacklist = self::getBlacklistedAlgorithms($srcMetadata, $dstMetadata);
+
$lastException = NULL;
foreach ($keys as $i => $key) {
try {
- $ret = $assertion->getAssertion($key);
+ $ret = $assertion->getAssertion($key, $blacklist);
SimpleSAML_Logger::debug('Decryption with key #' . $i . ' succeeded.');
return $ret;
} catch (Exception $e) {
@@ -695,10 +717,12 @@ class sspmod_saml_Message {
throw new SimpleSAML_Error_Exception('Error decrypting NameID: ' . $e->getMessage());
}
+ $blacklist = self::getBlacklistedAlgorithms($idpMetadata, $spMetadata);
+
$lastException = NULL;
foreach ($keys as $i => $key) {
try {
- $assertion->decryptNameId($key);
+ $assertion->decryptNameId($key, $blacklist);
SimpleSAML_Logger::debug('Decryption with key #' . $i . ' succeeded.');
$lastException = NULL;
break;
diff --git a/modules/saml/www/sp/saml2-logout.php b/modules/saml/www/sp/saml2-logout.php
index c2e17b0f9cc4e1f49adb6f9080702fc38fd15d7c..caf09b046fa5fabeab4badbf143841b714dd698e 100644
--- a/modules/saml/www/sp/saml2-logout.php
+++ b/modules/saml/www/sp/saml2-logout.php
@@ -70,10 +70,12 @@ if ($message instanceof SAML2_LogoutResponse) {
throw new SimpleSAML_Error_Exception('Error decrypting NameID: ' . $e->getMessage());
}
+ $blacklist = sspmod_saml_Message::getBlacklistedAlgorithms($idpMetadata, $spMetadata);
+
$lastException = NULL;
foreach ($keys as $i => $key) {
try {
- $message->decryptNameId($key);
+ $message->decryptNameId($key, $blacklist);
SimpleSAML_Logger::debug('Decryption with key #' . $i . ' succeeded.');
$lastException = NULL;
break;