From ede56b343df52ef40e9c8b7b79559a6df779a64d Mon Sep 17 00:00:00 2001
From: Tim van Dijen <tvdijen@gmail.com>
Date: Sat, 5 Sep 2020 22:56:06 +0200
Subject: [PATCH] Configurable encryption algorithm
---
 docs/simplesamlphp-reference-idp-remote.md | 11 ++++++++++-
 docs/simplesamlphp-reference-sp-remote.md | 15 +++++++++++---
 modules/saml/lib/IdP/SAML2.php | 7 ++++++-
 modules/saml/lib/Message.php | 23 +++++++++++++++++++---
 4 files changed, 48 insertions(+), 8 deletions(-)
diff --git a/docs/simplesamlphp-reference-idp-remote.md b/docs/simplesamlphp-reference-idp-remote.md
index db15941e9..eccba78c1 100644
--- a/docs/simplesamlphp-reference-idp-remote.md
+++ b/docs/simplesamlphp-reference-idp-remote.md
@@ -226,8 +226,17 @@ There are two modes of encryption supported by SimpleSAMLphp. One is symmetric e
 : Note that this option overrides the option with the same name in the SP configuration.
 `sharedkey`
-: Symmetric key which should be used for decryption. This should be a 128-bit key. If this option is not specified, public key encryption will be used instead.
+: Symmetric key which should be used for decryption. This should be a 128-bit, 192-bit or 256-bit key based on the algorithm used. If this option is not specified, public key encryption will be used instead.
+`sharedkey_algorithm`
+: Algorithm which should be used for decryption. Possible values are:
+
+ * http://www.w3.org/2001/04/xmlenc#aes128-cbc
+ * http://www.w3.org/2001/04/xmlenc#aes192-cbc
+ * http://www.w3.org/2001/04/xmlenc#aes256-cbc
+ * http://www.w3.org/2009/xmlenc11#aes128-gcm
+ * http://www.w3.org/2009/xmlenc11#aes192-gcm
+ * http://www.w3.org/2009/xmlenc11#aes256-gcm
 ### Fields for signing and validating messages
diff --git a/docs/simplesamlphp-reference-sp-remote.md b/docs/simplesamlphp-reference-sp-remote.md
index 345cf4cba..c24914512 100644
--- a/docs/simplesamlphp-reference-sp-remote.md
+++ b/docs/simplesamlphp-reference-sp-remote.md
@@ -336,9 +336,18 @@ of the SP.
 `sharedkey`
 : Symmetric key which should be used for encryption. This should be a
- 128-bit key. If this option is not specified, public key encryption
- will be used instead.
-
+ 128-bit, 192-bit or 256-bit key based on the algorithm used.
+ If this option is not specified, public key encryption will be used instead.
+
+`sharedkey_algorithm`
+: Algorithm which should be used for encryption. Possible values are:
+
+ * http://www.w3.org/2001/04/xmlenc#aes128-cbc
+ * http://www.w3.org/2001/04/xmlenc#aes192-cbc
+ * http://www.w3.org/2001/04/xmlenc#aes256-cbc
+ * http://www.w3.org/2009/xmlenc11#aes128-gcm
+ * http://www.w3.org/2009/xmlenc11#aes192-gcm
+ * http://www.w3.org/2009/xmlenc11#aes256-gcm
 ### Fields for signing and validating messages
diff --git a/modules/saml/lib/IdP/SAML2.php b/modules/saml/lib/IdP/SAML2.php
index 56026c04a..ec8179d03 100644
--- a/modules/saml/lib/IdP/SAML2.php
+++ b/modules/saml/lib/IdP/SAML2.php
@@ -1333,7 +1333,12 @@ class SAML2
 $sharedKey = $spMetadata->getString('sharedkey', null);
 if ($sharedKey !== null) {
- $key = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
+ $algo = $spMetadata->getString('sharedkey_algorithm', null);
+ if ($algo === null) {
+ $algo = $idpMetadata->getString('sharedkey_algorithm');
+ }
+
+ $key = new XMLSecurityKey($algo);
 $key->loadKey($sharedKey);
 } else {
 $keys = $spMetadata->getPublicKeys('encryption', true);
diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index 2513d14c0..7af3be74b 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
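Review bot: In the modules/saml/lib/IdP/SAML2.php hunk, `$idpMetadata->getString('sharedkey_algorithm')` is called without a default, unlike the `null`-default lookup just above it, so it is presumably treated as a required option and throws when neither side sets `sharedkey_algorithm`. Deployments that configured only `sharedkey` would then fail to encrypt instead of keeping the previous `XMLSecurityKey::AES128_CBC`; a backward-compatible fallback is `$algo = $idpMetadata->getString('sharedkey_algorithm', XMLSecurityKey::AES128_CBC);`. The same unguarded lookup appears in `getDecryptionKeys` in modules/saml/lib/Message.php (`$dstMetadata->getString('sharedkey_algorithm')`). The configured value also reaches `new XMLSecurityKey($algo)` unchecked, so a typo or a non-AES identifier is caught, if at all, only inside the library. The enclosing method begins and ends outside the hunk.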
@@ -300,16 +300,28 @@ class Message
 *
 * @param \SimpleSAML\Configuration $srcMetadata The metadata of the sender (IdP).
 * @param \SimpleSAML\Configuration $dstMetadata The metadata of the recipient (SP).
+ * @psalm-suppress UndefinedDocblockClass This can be removed after upgrading to saml2v5
+ * @param \SimpleSAML\SAML2\XML\xenc\EncryptionMethod|null $encryptionMethod The EncryptionMethod from the assertion.
 *
 * @return array Array of decryption keys.
 */
 public static function getDecryptionKeys(
 Configuration $srcMetadata,
- Configuration $dstMetadata
+ Configuration $dstMetadata,
+ $encryptionMethod = null
 ) {
 $sharedKey = $srcMetadata->getString('sharedkey', null);
 if ($sharedKey !== null) {
- $key = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
+ if ($encryptionMethod !== null) {
+ $algo = $encryptionMethod->getAlgorithm();
+ } else {
+ $algo = $srcMetadata->getString('sharedkey_algorithm', null);
+ if ($algo === null) {
+ $algo = $dstMetadata->getString('sharedkey_algorithm');
+ }
+ }
+
+ $key = new XMLSecurityKey($algo);
 $key->loadKey($sharedKey);
 return [$key];
 }
@@ -400,7 +412,12 @@ class Message
 }
 try {
- $keys = self::getDecryptionKeys($srcMetadata, $dstMetadata);
+ // @todo Enable this code for saml2v5 to automatically determine encryption algorithm
+ //$encryptionMethod = $assertion->getEncryptedData()->getEncryptionMethod();
+ //$keys = self::getDecryptionKeys($srcMetadata, $dstMetadata, $encryptionMethod);
+
+ $encryptionMethod = null;
+ $keys = self::getDecryptionKeys($srcMetadata, $dstMetadata, $encryptionMethod);
 } catch (\Exception $e) {
 throw new SSP_Error\Exception('Error decrypting assertion: ' . $e->getMessage());
 }
--
GitLab
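Review bot: In `getDecryptionKeys` (hunk @@ -300), the branch that reads `$encryptionMethod->getAlgorithm()` lets the algorithm declared inside the received message take precedence over `sharedkey_algorithm` from metadata, and the value goes to `new XMLSecurityKey($algo)` without any check. The caller in the @@ -400 hunk still passes `null`, so the path is dormant, but once the commented-out call is enabled the sender, not the deployment, decides which cipher mode is used for decryption, including the unauthenticated CBC variants when GCM was configured. Check `$algo` against the documented symmetric ciphers before building the key, and consider rejecting a message whose declared algorithm differs from an explicitly configured one. The new `$encryptionMethod` parameter is also untyped, so the `getAlgorithm()` call relies on the docblock alone.

```php
            // … unchanged: $algo taken from $encryptionMethod or from metadata …

            // Only the symmetric ciphers documented for `sharedkey_algorithm` are acceptable here.
            $allowedAlgorithms = [
                'http://www.w3.org/2001/04/xmlenc#aes128-cbc',
                'http://www.w3.org/2001/04/xmlenc#aes192-cbc',
                'http://www.w3.org/2001/04/xmlenc#aes256-cbc',
                'http://www.w3.org/2009/xmlenc11#aes128-gcm',
                'http://www.w3.org/2009/xmlenc11#aes192-gcm',
                'http://www.w3.org/2009/xmlenc11#aes256-gcm',
            ];
            if (!in_array($algo, $allowedAlgorithms, true)) {
                throw new SSP_Error\Exception('Unsupported shared-key encryption algorithm.');
            }

            $key = new XMLSecurityKey($algo);
```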