diff --git a/docs/simplesamlphp-changelog.txt b/docs/simplesamlphp-changelog.txt index ac6b2fe40b03ffac223784874d42e7a798e3cac5..12919f9fc8dcd17330b84fadaad29d59dd0713e0 100644 --- a/docs/simplesamlphp-changelog.txt +++ b/docs/simplesamlphp-changelog.txt @@ -15,11 +15,16 @@ Released TBD. * Clean up executable-permissions on files. * Change encryption to use the rsa-oaep-mgf1p key padding instead of PKCS 1.5. * Update translations. + * Add support for RSA-SHA256, RSA-SHA384 and RSA-SHA512 signature algorithms. ### `core` * `core:UserPass(Org)Base`: Add "remember username" option. +### `papi` + + * New authentication module supporting PAPI protocol. + ### `radius` * New feature to configure multiple radius servers. diff --git a/lib/SAML2/Utils.php b/lib/SAML2/Utils.php index 00e5a33905d839dde73a8218eeb3ae94736c04df..79576a2b6b998ad756ad3e454d10303e541cf6c4 100644 --- a/lib/SAML2/Utils.php +++ b/lib/SAML2/Utils.php @@ -133,8 +133,18 @@ class SAML2_Utils { } $algo = $sigMethod->getAttribute('Algorithm'); - if ($key->type === XMLSecurityKey::RSA_SHA1 && $algo === XMLSecurityKey::RSA_SHA256) { - $key = self::castKey($key, XMLSecurityKey::RSA_SHA256); + if ($key->type === XMLSecurityKey::RSA_SHA1) { + switch ($algo) { + case XMLSecurityKey::RSA_SHA256: + $key = self::castKey($key, XMLSecurityKey::RSA_SHA256); + break; + case XMLSecurityKey::RSA_SHA384: + $key = self::castKey($key, XMLSecurityKey::RSA_SHA384); + break; + case XMLSecurityKey::RSA_SHA512: + $key = self::castKey($key, XMLSecurityKey::RSA_SHA512); + break; + } } /* Check the signature. */ @@ -314,9 +324,23 @@ class SAML2_Utils { $objXMLSecDSig = new XMLSecurityDSig(); $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N); + switch ($key->type) { + case XMLSecurityKey::RSA_SHA256: + $type = XMLSecurityDSig::SHA256; + break; + case XMLSecurityKey::RSA_SHA384: + $type = XMLSecurityDSig::SHA384; + break; + case XMLSecurityKey::RSA_SHA512: + $type = XMLSecurityDSig::SHA512; + break; + default: + $type = XMLSecurityDSig::SHA1; + } + $objXMLSecDSig->addReferenceList( array($root), - XMLSecurityDSig::SHA1, + $type, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N), array('id_name' => 'ID', 'overwrite' => FALSE) ); diff --git a/lib/xmlseclibs.php b/lib/xmlseclibs.php index fc328d4a03987daea4ffedcd51fb84645b98284d..75de0b64f0a1eb641001f2488380f208a9146bbc 100644 --- a/lib/xmlseclibs.php +++ b/lib/xmlseclibs.php @@ -180,6 +180,8 @@ class XMLSecurityKey { const DSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'; const RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'; const RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'; + const RSA_SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'; + const RSA_SHA512 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'; private $cryptParams = array(); public $type = 0; @@ -282,6 +284,28 @@ class XMLSecurityKey { } throw new Exception('Certificate "type" (private/public) must be passed via parameters'); break; + case (XMLSecurityKey::RSA_SHA384): + $this->cryptParams['library'] = 'openssl'; + $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'; + $this->cryptParams['padding'] = OPENSSL_PKCS1_PADDING; + $this->cryptParams['digest'] = 'SHA384'; + if (is_array($params) && ! empty($params['type'])) { + if ($params['type'] == 'public' || $params['type'] == 'private') { + $this->cryptParams['type'] = $params['type']; + break; + } + } + case (XMLSecurityKey::RSA_SHA512): + $this->cryptParams['library'] = 'openssl'; + $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'; + $this->cryptParams['padding'] = OPENSSL_PKCS1_PADDING; + $this->cryptParams['digest'] = 'SHA512'; + if (is_array($params) && ! empty($params['type'])) { + if ($params['type'] == 'public' || $params['type'] == 'private') { + $this->cryptParams['type'] = $params['type']; + break; + } + } default: throw new Exception('Invalid Key Type'); return; @@ -632,6 +656,7 @@ class XMLSecurityDSig { const XMLDSIGNS = 'http://www.w3.org/2000/09/xmldsig#'; const SHA1 = 'http://www.w3.org/2000/09/xmldsig#sha1'; const SHA256 = 'http://www.w3.org/2001/04/xmlenc#sha256'; + const SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#sha384'; const SHA512 = 'http://www.w3.org/2001/04/xmlenc#sha512'; const RIPEMD160 = 'http://www.w3.org/2001/04/xmlenc#ripemd160'; @@ -799,6 +824,9 @@ class XMLSecurityDSig { case XMLSecurityDSig::SHA256: $alg = 'sha256'; break; + case XMLSecurityDSig::SHA384: + $alg = 'sha384'; + break; case XMLSecurityDSig::SHA512: $alg = 'sha512'; break; diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php index 02eca94cc62ce328e0976a9ac38078b686d5155d..bbe6bea3258d57d3feccab144e73bd37b38b7805 100644 --- a/modules/saml/lib/Message.php +++ b/modules/saml/lib/Message.php @@ -21,8 +21,9 @@ class sspmod_saml_Message { $keyArray = SimpleSAML_Utilities::loadPrivateKey($srcMetadata, TRUE); $certArray = SimpleSAML_Utilities::loadPublicKey($srcMetadata, FALSE); + $ = $srcMetadata->getString('signature.algorithm', XMLSecurityKey::RSA_SHA1); - $privateKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private')); + $privateKey = new XMLSecurityKey($algo, array('type' => 'private')); if (array_key_exists('password', $keyArray)) { $privateKey->passphrase = $keyArray['password']; }