Update Saml2/onelogin code and fix setting NameIDFormat for SP records

- Should chack upstream if there is a better fix to src/Saml2/IdPMetadataParser.php
thexerteproject · Jun 20, 2020 · 1e0b863 · 1e0b863
1 parent 7901f24
commit 1e0b863
Show file tree

Hide file tree

Showing 9 changed files with 107 additions and 28 deletions.
diff --git a/library/Xerte/Authentication/Saml2/composer.lock b/library/Xerte/Authentication/Saml2/composer.lock
diff --git a/library/Xerte/Authentication/Saml2/vendor/composer/ClassLoader.php b/library/Xerte/Authentication/Saml2/vendor/composer/ClassLoader.php
@@ -279,7 +279,7 @@ public function isClassMapAuthoritative()
      */
     public function setApcuPrefix($apcuPrefix)
     {
-        $this->apcuPrefix = function_exists('apcu_fetch') && filter_var(ini_get('apc.enabled'), FILTER_VALIDATE_BOOLEAN) ? $apcuPrefix : null;
+        $this->apcuPrefix = function_exists('apcu_fetch') && ini_get('apc.enabled') ? $apcuPrefix : null;
     }
 
     /**

diff --git a/library/Xerte/Authentication/Saml2/vendor/composer/installed.json b/library/Xerte/Authentication/Saml2/vendor/composer/installed.json
@@ -53,24 +53,24 @@
     },
     {
         "name": "robrichards/xmlseclibs",
-        "version": "3.0.4",
-        "version_normalized": "3.0.4.0",
+        "version": "3.1.0",
+        "version_normalized": "3.1.0.0",
         "source": {
             "type": "git",
             "url": "https://github.com/robrichards/xmlseclibs.git",
-            "reference": "0a53d3c3aa87564910cae4ed01416441d3ae0db5"
+            "reference": "8d8e56ca7914440a8c60caff1a865e7dff1d9a5a"
         },
         "dist": {
             "type": "zip",
-            "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/0a53d3c3aa87564910cae4ed01416441d3ae0db5",
-            "reference": "0a53d3c3aa87564910cae4ed01416441d3ae0db5",
+            "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/8d8e56ca7914440a8c60caff1a865e7dff1d9a5a",
+            "reference": "8d8e56ca7914440a8c60caff1a865e7dff1d9a5a",
             "shasum": ""
         },
         "require": {
             "ext-openssl": "*",
             "php": ">= 5.4"
         },
-        "time": "2019-11-05T11:44:22+00:00",
+        "time": "2020-04-22T17:19:51+00:00",
         "type": "library",
         "installation-source": "dist",
         "autoload": {

diff --git a/library/Xerte/Authentication/Saml2/vendor/onelogin/php-saml/src/Saml2/IdPMetadataParser.php b/library/Xerte/Authentication/Saml2/vendor/onelogin/php-saml/src/Saml2/IdPMetadataParser.php
@@ -237,7 +237,11 @@ public static function injectIntoSettings($settings, $metadataInfo)
                 unset($settings['idp']['x509certMulti']);
             }
         }
-
+        // unset $metadataInfo['sp']['NameIDFormat'] if it exists in $settings
+        if (isset($settings['sp']['NameIDFormat']) && !empty($settings['sp']['NameIDFormat']) && isset($metadataInfo['sp']['NameIDFormat']))
+        {
+            unset($metadataInfo['sp']['NameIDFormat']);
+        }
         return array_replace_recursive($settings, $metadataInfo);
     }
 }
diff --git a/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/CHANGELOG.txt b/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/CHANGELOG.txt
@@ -1,5 +1,16 @@
 xmlseclibs.php
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+22, Apr 2020, 3.1.0
+Features:
+- Support AES-GCM. Requires PHP 7.1. (François Kooman)
+
+Improvements:
+- Fix Travis tests for older PHP versions.
+- Use DOMElement interface to fix some IDEs reporting documentation errors
+
+Bug Fixes:
+- FIX missing InclusiveNamespaces PrefixList from Java + Apache WSS4J. (njake)
+
 06, Nov 2019, 3.0.4
 Security Improvements:
 - Insure only a single SignedInfo element exists within a signature during 

diff --git a/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/src/XMLSecEnc.php b/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/src/XMLSecEnc.php
@@ -2,6 +2,7 @@
 namespace RobRichards\XMLSecLibs;
 
 use DOMDocument;
+use DOMElement;
 use DOMNode;
 use DOMXPath;
 use Exception;
@@ -10,7 +11,7 @@
 /**
  * xmlseclibs.php
  *
- * Copyright (c) 2007-2019, Robert Richards <rrichards@cdatazone.org>.
+ * Copyright (c) 2007-2020, Robert Richards <rrichards@cdatazone.org>.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -43,7 +44,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  *
  * @author    Robert Richards <rrichards@cdatazone.org>
- * @copyright 2007-2019 Robert Richards <rrichards@cdatazone.org>
+ * @copyright 2007-2020 Robert Richards <rrichards@cdatazone.org>
  * @license   http://www.opensource.org/licenses/bsd-license.php  BSD License
  */
 

diff --git a/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php b/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php
@@ -11,7 +11,7 @@
 /**
  * xmlseclibs.php
  *
- * Copyright (c) 2007-2019, Robert Richards <rrichards@cdatazone.org>.
+ * Copyright (c) 2007-2020, Robert Richards <rrichards@cdatazone.org>.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -44,7 +44,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  *
  * @author    Robert Richards <rrichards@cdatazone.org>
- * @copyright 2007-2019 Robert Richards <rrichards@cdatazone.org>
+ * @copyright 2007-2020 Robert Richards <rrichards@cdatazone.org>
  * @license   http://www.opensource.org/licenses/bsd-license.php  BSD License
  */
 
@@ -314,10 +314,22 @@ public function canonicalizeSignedInfo()
             if ($signInfoNode = $nodeset->item(0)) {
                 $query = "./secdsig:CanonicalizationMethod";
                 $nodeset = $xpath->query($query, $signInfoNode);
+                $prefixList = null;
                 if ($canonNode = $nodeset->item(0)) {
                     $canonicalmethod = $canonNode->getAttribute('Algorithm');
+                    foreach ($canonNode->childNodes as $node)
+                    {
+                        if ($node->localName == 'InclusiveNamespaces') {
+                            if ($pfx = $node->getAttribute('PrefixList')) {
+                                $arpfx = array_filter(explode(' ', $pfx));
+                                if (count($arpfx) > 0) {
+                                    $prefixList = array_merge($prefixList ? $prefixList : array(), $arpfx);
+                                }
+                            }
+                        }
+                    }
                 }
-                $this->signedInfo = $this->canonicalizeData($signInfoNode, $canonicalmethod);
+                $this->signedInfo = $this->canonicalizeData($signInfoNode, $canonicalmethod, null, $prefixList);
                 return $this->signedInfo;
             }
         }

diff --git a/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php b/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php
@@ -7,7 +7,7 @@
 /**
  * xmlseclibs.php
  *
- * Copyright (c) 2007-2019, Robert Richards <rrichards@cdatazone.org>.
+ * Copyright (c) 2007-2020, Robert Richards <rrichards@cdatazone.org>.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -40,7 +40,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  *
  * @author    Robert Richards <rrichards@cdatazone.org>
- * @copyright 2007-2019 Robert Richards <rrichards@cdatazone.org>
+ * @copyright 2007-2020 Robert Richards <rrichards@cdatazone.org>
  * @license   http://www.opensource.org/licenses/bsd-license.php  BSD License
  */
 
@@ -50,6 +50,9 @@ class XMLSecurityKey
     const AES128_CBC = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc';
     const AES192_CBC = 'http://www.w3.org/2001/04/xmlenc#aes192-cbc';
     const AES256_CBC = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc';
+    const AES128_GCM = 'http://www.w3.org/2009/xmlenc11#aes128-gcm';
+    const AES192_GCM = 'http://www.w3.org/2009/xmlenc11#aes192-gcm';
+    const AES256_GCM = 'http://www.w3.org/2009/xmlenc11#aes256-gcm';
     const RSA_1_5 = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5';
     const RSA_OAEP_MGF1P = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p';
     const DSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1';
@@ -58,6 +61,7 @@ class XMLSecurityKey
     const RSA_SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384';
     const RSA_SHA512 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512';
     const HMAC_SHA1 = 'http://www.w3.org/2000/09/xmldsig#hmac-sha1';
+    const AUTHTAG_LENGTH = 16;
 
     /** @var array */
     private $cryptParams = array();
@@ -142,6 +146,30 @@ public function __construct($type, $params=null)
                 $this->cryptParams['keysize'] = 32;
                 $this->cryptParams['blocksize'] = 16;
                 break;
+            case (self::AES128_GCM):
+                $this->cryptParams['library'] = 'openssl';
+                $this->cryptParams['cipher'] = 'aes-128-gcm';
+                $this->cryptParams['type'] = 'symmetric';
+                $this->cryptParams['method'] = 'http://www.w3.org/2009/xmlenc11#aes128-gcm';
+                $this->cryptParams['keysize'] = 32;
+                $this->cryptParams['blocksize'] = 16;
+                break;
+            case (self::AES192_GCM):
+                $this->cryptParams['library'] = 'openssl';
+                $this->cryptParams['cipher'] = 'aes-192-gcm';
+                $this->cryptParams['type'] = 'symmetric';
+                $this->cryptParams['method'] = 'http://www.w3.org/2009/xmlenc11#aes192-gcm';
+                $this->cryptParams['keysize'] = 32;
+                $this->cryptParams['blocksize'] = 16;
+                break;
+            case (self::AES256_GCM):
+                $this->cryptParams['library'] = 'openssl';
+                $this->cryptParams['cipher'] = 'aes-256-gcm';
+                $this->cryptParams['type'] = 'symmetric';
+                $this->cryptParams['method'] = 'http://www.w3.org/2009/xmlenc11#aes256-gcm';
+                $this->cryptParams['keysize'] = 32;
+                $this->cryptParams['blocksize'] = 16;
+                break;
             case (self::RSA_1_5):
                 $this->cryptParams['library'] = 'openssl';
                 $this->cryptParams['padding'] = OPENSSL_PKCS1_PADDING;
@@ -397,12 +425,22 @@ private function unpadISO10126($data)
     private function encryptSymmetric($data)
     {
         $this->iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($this->cryptParams['cipher']));
-        $data = $this->padISO10126($data, $this->cryptParams['blocksize']);
-        $encrypted = openssl_encrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->iv);
+        $authTag = null;
+        if(in_array($this->cryptParams['cipher'], ['aes-128-gcm', 'aes-192-gcm', 'aes-256-gcm'])) {
+            if (version_compare(PHP_VERSION, '7.1.0') < 0) {
+                throw new Exception('PHP 7.1.0 is required to use AES GCM algorithms');
+            }
+            $authTag = openssl_random_pseudo_bytes(self::AUTHTAG_LENGTH);
+            $encrypted = openssl_encrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA, $this->iv, $authTag);
+        } else {
+            $data = $this->padISO10126($data, $this->cryptParams['blocksize']);
+            $encrypted = openssl_encrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->iv);
+        }
+
         if (false === $encrypted) {
             throw new Exception('Failure encrypting Data (openssl symmetric) - ' . openssl_error_string());
         }
-        return $this->iv . $encrypted;
+        return $this->iv . $encrypted . $authTag;
     }
 
     /**
@@ -416,11 +454,24 @@ private function decryptSymmetric($data)
         $iv_length = openssl_cipher_iv_length($this->cryptParams['cipher']);
         $this->iv = substr($data, 0, $iv_length);
         $data = substr($data, $iv_length);
-        $decrypted = openssl_decrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->iv);
+        $authTag = null;
+        if(in_array($this->cryptParams['cipher'], ['aes-128-gcm', 'aes-192-gcm', 'aes-256-gcm'])) {
+            if (version_compare(PHP_VERSION, '7.1.0') < 0) {
+                throw new Exception('PHP 7.1.0 is required to use AES GCM algorithms');
+            }
+            // obtain and remove the authentication tag
+            $offset = 0 - self::AUTHTAG_LENGTH;
+            $authTag = substr($data, $offset);
+            $data = substr($data, 0, $offset);
+            $decrypted = openssl_decrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA, $this->iv, $authTag);
+        } else {
+            $decrypted = openssl_decrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->iv);
+        }
+
         if (false === $decrypted) {
             throw new Exception('Failure decrypting Data (openssl symmetric) - ' . openssl_error_string());
         }
-        return $this->unpadISO10126($decrypted);
+        return null !== $authTag ? $decrypted : $this->unpadISO10126($decrypted);
     }
 
     /**

diff --git a/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/xmlseclibs.php b/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/xmlseclibs.php
@@ -2,7 +2,7 @@
 /**
  * xmlseclibs.php
  *
- * Copyright (c) 2007-2019, Robert Richards <rrichards@cdatazone.org>.
+ * Copyright (c) 2007-2020, Robert Richards <rrichards@cdatazone.org>.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -35,9 +35,9 @@
  * POSSIBILITY OF SUCH DAMAGE.
  *
  * @author    Robert Richards <rrichards@cdatazone.org>
- * @copyright 2007-2019 Robert Richards <rrichards@cdatazone.org>
+ * @copyright 2007-2020 Robert Richards <rrichards@cdatazone.org>
  * @license   http://www.opensource.org/licenses/bsd-license.php  BSD License
- * @version   3.0.4
+ * @version   3.1.0
  */
 
 $xmlseclibs_srcdir = dirname(__FILE__) . '/src/';