From 1e0b8633e1b4b281fea165e54b911ca627438cf0 Mon Sep 17 00:00:00 2001
From: Tom Reijnders
Date: Sat, 20 Jun 2020 11:03:52 +0200
Subject: [PATCH] Update Saml2/onelogin code and fix setting NameIDFormat for SP records

- Should chack upstream if there is a better fix to src/Saml2/IdPMetadataParser.php
---
 .../Xerte/Authentication/Saml2/composer.lock | 10 +--
 .../Saml2/vendor/composer/ClassLoader.php | 2 +-
 .../Saml2/vendor/composer/installed.json | 12 ++--
 .../php-saml/src/Saml2/IdPMetadataParser.php | 6 +-
 .../robrichards/xmlseclibs/CHANGELOG.txt | 11 ++++
 .../robrichards/xmlseclibs/src/XMLSecEnc.php | 5 +-
 .../xmlseclibs/src/XMLSecurityDSig.php | 18 ++++-
 .../xmlseclibs/src/XMLSecurityKey.php | 65 +++++++++++++++++--
 .../robrichards/xmlseclibs/xmlseclibs.php | 6 +-
 9 files changed, 107 insertions(+), 28 deletions(-)

diff --git a/library/Xerte/Authentication/Saml2/composer.lock b/library/Xerte/Authentication/Saml2/composer.lock
index 5eb1164598..fa7eaa5ef5 100644
--- a/library/Xerte/Authentication/Saml2/composer.lock
+++ b/library/Xerte/Authentication/Saml2/composer.lock
@@ -58,16 +58,16 @@
 },
 {
 "name": "robrichards/xmlseclibs",
- "version": "3.0.4",
+ "version": "3.1.0",
 "source": {
 "type": "git",
 "url": "https://github.com/robrichards/xmlseclibs.git",
- "reference": "0a53d3c3aa87564910cae4ed01416441d3ae0db5"
+ "reference": "8d8e56ca7914440a8c60caff1a865e7dff1d9a5a"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/0a53d3c3aa87564910cae4ed01416441d3ae0db5",
- "reference": "0a53d3c3aa87564910cae4ed01416441d3ae0db5",
+ "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/8d8e56ca7914440a8c60caff1a865e7dff1d9a5a",
+ "reference": "8d8e56ca7914440a8c60caff1a865e7dff1d9a5a",
 "shasum": ""
 },
 "require": {
@@ -92,7 +92,7 @@
 "xml",
 "xmldsig"
 ],
- "time": "2019-11-05T11:44:22+00:00"
+ "time": "2020-04-22T17:19:51+00:00"
 }
 ],
 "packages-dev": [],
diff --git a/library/Xerte/Authentication/Saml2/vendor/composer/ClassLoader.php b/library/Xerte/Authentication/Saml2/vendor/composer/ClassLoader.php
index fce8549f07..95f7e0978b 100644
--- a/library/Xerte/Authentication/Saml2/vendor/composer/ClassLoader.php
+++ b/library/Xerte/Authentication/Saml2/vendor/composer/ClassLoader.php
@@ -279,7 +279,7 @@ public function isClassMapAuthoritative()
 */
 public function setApcuPrefix($apcuPrefix)
 {
- $this->apcuPrefix = function_exists('apcu_fetch') && filter_var(ini_get('apc.enabled'), FILTER_VALIDATE_BOOLEAN) ? $apcuPrefix : null;
+ $this->apcuPrefix = function_exists('apcu_fetch') && ini_get('apc.enabled') ? $apcuPrefix : null;
 }
 
 /**
diff --git a/library/Xerte/Authentication/Saml2/vendor/composer/installed.json b/library/Xerte/Authentication/Saml2/vendor/composer/installed.json
index ada9cacca9..d01e8c4639 100644
--- a/library/Xerte/Authentication/Saml2/vendor/composer/installed.json
+++ b/library/Xerte/Authentication/Saml2/vendor/composer/installed.json
@@ -53,24 +53,24 @@
 },
 {
 "name": "robrichards/xmlseclibs",
- "version": "3.0.4",
- "version_normalized": "3.0.4.0",
+ "version": "3.1.0",
+ "version_normalized": "3.1.0.0",
 "source": {
 "type": "git",
 "url": "https://github.com/robrichards/xmlseclibs.git",
- "reference": "0a53d3c3aa87564910cae4ed01416441d3ae0db5"
+ "reference": "8d8e56ca7914440a8c60caff1a865e7dff1d9a5a"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/0a53d3c3aa87564910cae4ed01416441d3ae0db5",
- "reference": "0a53d3c3aa87564910cae4ed01416441d3ae0db5",
+ "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/8d8e56ca7914440a8c60caff1a865e7dff1d9a5a",
+ "reference": "8d8e56ca7914440a8c60caff1a865e7dff1d9a5a",
 "shasum": ""
 },
 "require": {
 "ext-openssl": "*",
 "php": ">= 5.4"
 },
- "time": "2019-11-05T11:44:22+00:00",
+ "time": "2020-04-22T17:19:51+00:00",
 "type": "library",
 "installation-source": "dist",
 "autoload": {
diff --git a/library/Xerte/Authentication/Saml2/vendor/onelogin/php-saml/src/Saml2/IdPMetadataParser.php b/library/Xerte/Authentication/Saml2/vendor/onelogin/php-saml/src/Saml2/IdPMetadataParser.php
index 947d654887..305f4a40fa 100644
--- a/library/Xerte/Authentication/Saml2/vendor/onelogin/php-saml/src/Saml2/IdPMetadataParser.php
+++ b/library/Xerte/Authentication/Saml2/vendor/onelogin/php-saml/src/Saml2/IdPMetadataParser.php
@@ -237,7 +237,11 @@ public static function injectIntoSettings($settings, $metadataInfo)
 unset($settings['idp']['x509certMulti']);
 }
 }
-
+// unset $metadataInfo['sp']['NameIDFormat'] if it exists in $settings
+if (isset($settings['sp']['NameIDFormat']) && !empty($settings['sp']['NameIDFormat']) && isset($metadataInfo['sp']['NameIDFormat']))
+{
+unset($metadataInfo['sp']['NameIDFormat']);
+}
 return array_replace_recursive($settings, $metadataInfo);
 }
 }
diff --git a/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/CHANGELOG.txt b/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/CHANGELOG.txt
index faaf61cf42..2c9355891b 100644
--- a/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/CHANGELOG.txt
+++ b/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/CHANGELOG.txt
@@ -1,5 +1,16 @@
 xmlseclibs.php
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+22, Apr 2020, 3.1.0
+Features:
+- Support AES-GCM. Requires PHP 7.1. (François Kooman)
+
+Improvements:
+- Fix Travis tests for older PHP versions.
+- Use DOMElement interface to fix some IDEs reporting documentation errors
+
+Bug Fixes:
+- FIX missing InclusiveNamespaces PrefixList from Java + Apache WSS4J. (njake)
+
 06, Nov 2019, 3.0.4
 Security Improvements:
 - Insure only a single SignedInfo element exists within a signature during
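Review bot: The new condition `isset($settings['sp']['NameIDFormat']) && !empty($settings['sp']['NameIDFormat'])` is redundant, since `!empty()` already yields false for a missing key, and the brace on its own line departs from the K&R style of the surrounding method; `if (!empty($settings['sp']['NameIDFormat']) && isset($metadataInfo['sp']['NameIDFormat'])) {` expresses the same rule. The larger concern is that this is a local edit to a file under vendor/onelogin/php-saml, so the next composer install or update of that package will silently reinstate the old behaviour and IdP metadata will again override the configured SP NameIDFormat; the commit message already flags an upstream check, and until that lands the override is safer applied by the caller before invoking injectIntoSettings, or recorded as a patch kept alongside the vendor directory so it survives a reinstall. injectIntoSettings begins outside this hunk.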
diff --git a/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/src/XMLSecEnc.php b/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/src/XMLSecEnc.php
index f2b26796dd..b9df7611fd 100644
--- a/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/src/XMLSecEnc.php
+++ b/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/src/XMLSecEnc.php
@@ -2,6 +2,7 @@
 namespace RobRichards\XMLSecLibs;
 
 use DOMDocument;
+use DOMElement;
 use DOMNode;
 use DOMXPath;
 use Exception;
@@ -10,7 +11,7 @@
 /**
 * xmlseclibs.php
 *
- * Copyright (c) 2007-2019, Robert Richards .
+ * Copyright (c) 2007-2020, Robert Richards .
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -43,7 +44,7 @@
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * @author Robert Richards
- * @copyright 2007-2019 Robert Richards
+ * @copyright 2007-2020 Robert Richards
 * @license http://www.opensource.org/licenses/bsd-license.php BSD License
 */
 
diff --git a/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php b/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php
index c9063d0f59..9986123e3a 100644
--- a/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php
+++ b/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php
@@ -11,7 +11,7 @@
 /**
 * xmlseclibs.php
 *
- * Copyright (c) 2007-2019, Robert Richards .
+ * Copyright (c) 2007-2020, Robert Richards .
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -44,7 +44,7 @@
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * @author Robert Richards
- * @copyright 2007-2019 Robert Richards
+ * @copyright 2007-2020 Robert Richards
 * @license http://www.opensource.org/licenses/bsd-license.php BSD License
 */
 
@@ -314,10 +314,22 @@ public function canonicalizeSignedInfo()
 if ($signInfoNode = $nodeset->item(0)) {
 $query = "./secdsig:CanonicalizationMethod";
 $nodeset = $xpath->query($query, $signInfoNode);
+$prefixList = null;
 if ($canonNode = $nodeset->item(0)) {
 $canonicalmethod = $canonNode->getAttribute('Algorithm');
+foreach ($canonNode->childNodes as $node)
+{
+if ($node->localName == 'InclusiveNamespaces') {
+if ($pfx = $node->getAttribute('PrefixList')) {
+$arpfx = array_filter(explode(' ', $pfx));
+if (count($arpfx) > 0) {
+$prefixList = array_merge($prefixList ? $prefixList : array(), $arpfx);
+}
+}
+}
+}
 }
-$this->signedInfo = $this->canonicalizeData($signInfoNode, $canonicalmethod);
+$this->signedInfo = $this->canonicalizeData($signInfoNode, $canonicalmethod, null, $prefixList);
 return $this->signedInfo;
 }
 }
diff --git a/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php b/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php
index 6c01f0cc7a..90665c959c 100644
--- a/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php
+++ b/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php
@@ -7,7 +7,7 @@
 /**
 * xmlseclibs.php
 *
- * Copyright (c) 2007-2019, Robert Richards .
+ * Copyright (c) 2007-2020, Robert Richards .
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -40,7 +40,7 @@
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * @author Robert Richards
- * @copyright 2007-2019 Robert Richards
+ * @copyright 2007-2020 Robert Richards
 * @license http://www.opensource.org/licenses/bsd-license.php BSD License
 */
 
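Review bot: The InclusiveNamespaces lookup keys on `$node->localName == 'InclusiveNamespaces'` alone, so a child element with that local name in any namespace, or in none, contributes to the PrefixList used to canonicalize SignedInfo; the element is defined in the exclusive-c14n namespace, and the check should also compare `$node->namespaceURI` against that URI (the class already carries it as `self::EXC_C14N`) and use `===` rather than `==`. Because CanonicalizationMethod sits inside SignedInfo, the prefix list is under the document author's control until the signature verifies, which is inherent to exclusive c14n, but the stricter match keeps stray elements from altering the canonical form the signature is checked against. Text nodes among childNodes have a null localName and are skipped by the comparison, which is fine. canonicalizeSignedInfo begins outside this hunk.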
@@ -50,6 +50,9 @@ class XMLSecurityKey
 const AES128_CBC = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc';
 const AES192_CBC = 'http://www.w3.org/2001/04/xmlenc#aes192-cbc';
 const AES256_CBC = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc';
+const AES128_GCM = 'http://www.w3.org/2009/xmlenc11#aes128-gcm';
+const AES192_GCM = 'http://www.w3.org/2009/xmlenc11#aes192-gcm';
+const AES256_GCM = 'http://www.w3.org/2009/xmlenc11#aes256-gcm';
 const RSA_1_5 = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5';
 const RSA_OAEP_MGF1P = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p';
 const DSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1';
@@ -58,6 +61,7 @@ class XMLSecurityKey
 const RSA_SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384';
 const RSA_SHA512 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512';
 const HMAC_SHA1 = 'http://www.w3.org/2000/09/xmldsig#hmac-sha1';
+const AUTHTAG_LENGTH = 16;
 
 /** @var array */
 private $cryptParams = array();
@@ -142,6 +146,30 @@ public function __construct($type, $params=null)
 $this->cryptParams['keysize'] = 32;
 $this->cryptParams['blocksize'] = 16;
 break;
+case (self::AES128_GCM):
+$this->cryptParams['library'] = 'openssl';
+$this->cryptParams['cipher'] = 'aes-128-gcm';
+$this->cryptParams['type'] = 'symmetric';
+$this->cryptParams['method'] = 'http://www.w3.org/2009/xmlenc11#aes128-gcm';
+$this->cryptParams['keysize'] = 32;
+$this->cryptParams['blocksize'] = 16;
+break;
+case (self::AES192_GCM):
+$this->cryptParams['library'] = 'openssl';
+$this->cryptParams['cipher'] = 'aes-192-gcm';
+$this->cryptParams['type'] = 'symmetric';
+$this->cryptParams['method'] = 'http://www.w3.org/2009/xmlenc11#aes192-gcm';
+$this->cryptParams['keysize'] = 32;
+$this->cryptParams['blocksize'] = 16;
+break;
+case (self::AES256_GCM):
+$this->cryptParams['library'] = 'openssl';
+$this->cryptParams['cipher'] = 'aes-256-gcm';
+$this->cryptParams['type'] = 'symmetric';
+$this->cryptParams['method'] = 'http://www.w3.org/2009/xmlenc11#aes256-gcm';
+$this->cryptParams['keysize'] = 32;
+$this->cryptParams['blocksize'] = 16;
+break;
 case (self::RSA_1_5):
 $this->cryptParams['library'] = 'openssl';
 $this->cryptParams['padding'] = OPENSSL_PKCS1_PADDING;
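Review bot: The AES128_GCM and AES192_GCM cases both set `$this->cryptParams['keysize'] = 32;`, which is the AES-256 key size; aes-128-gcm takes a 16-byte key and aes-192-gcm a 24-byte key, so only the AES256_GCM entry is sized correctly. As far as I can tell PHP's openssl functions do not reject an over-long key and simply use the leading bytes for the shorter ciphers, so a session key generated from these params would be 32 bytes on the wire while only part of it is actually used, and a conforming peer would reject it or derive a different key. The lines should read `$this->cryptParams['keysize'] = 16;` for AES128_GCM and `$this->cryptParams['keysize'] = 24;` for AES192_GCM, preferably by taking the correction from a newer upstream xmlseclibs release rather than editing the vendored copy. __construct continues outside this hunk.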
@@ -397,12 +425,22 @@ private function unpadISO10126($data)
 private function encryptSymmetric($data)
 {
 $this->iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($this->cryptParams['cipher']));
-$data = $this->padISO10126($data, $this->cryptParams['blocksize']);
-$encrypted = openssl_encrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->iv);
+$authTag = null;
+if(in_array($this->cryptParams['cipher'], ['aes-128-gcm', 'aes-192-gcm', 'aes-256-gcm'])) {
+if (version_compare(PHP_VERSION, '7.1.0') < 0) {
+throw new Exception('PHP 7.1.0 is required to use AES GCM algorithms');
+}
+$authTag = openssl_random_pseudo_bytes(self::AUTHTAG_LENGTH);
+$encrypted = openssl_encrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA, $this->iv, $authTag);
+} else {
+$data = $this->padISO10126($data, $this->cryptParams['blocksize']);
+$encrypted = openssl_encrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->iv);
+}
+
 if (false === $encrypted) {
 throw new Exception('Failure encrypting Data (openssl symmetric) - ' . openssl_error_string());
 }
-return $this->iv . $encrypted;
+return $this->iv . $encrypted . $authTag;
 }
 
 /**
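Review bot: `$authTag = openssl_random_pseudo_bytes(self::AUTHTAG_LENGTH);` is misleading, because `$authTag` is an output argument that openssl_encrypt overwrites with the computed tag; `$authTag = '';` states the intent, and passing `self::AUTHTAG_LENGTH` as the explicit tag_length argument ties the tag size to the constant decryptSymmetric slices with instead of relying on the library default. The cipher test `in_array($this->cryptParams['cipher'], ['aes-128-gcm', 'aes-192-gcm', 'aes-256-gcm'])` should pass `true` as the third argument, here and in the matching branch of decryptSymmetric. The IV is a random nonce of the cipher's IV length (12 bytes for GCM in OpenSSL) drawn per call, which is sound only while each key encrypts a small number of messages; the hunk does not show how long $this->key lives, so a caller reusing one key across many payloads should keep GCM's nonce-collision limit in mind.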
@@ -416,11 +454,24 @@ private function decryptSymmetric($data)
 $iv_length = openssl_cipher_iv_length($this->cryptParams['cipher']);
 $this->iv = substr($data, 0, $iv_length);
 $data = substr($data, $iv_length);
-$decrypted = openssl_decrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->iv);
+$authTag = null;
+if(in_array($this->cryptParams['cipher'], ['aes-128-gcm', 'aes-192-gcm', 'aes-256-gcm'])) {
+if (version_compare(PHP_VERSION, '7.1.0') < 0) {
+throw new Exception('PHP 7.1.0 is required to use AES GCM algorithms');
+}
+// obtain and remove the authentication tag
+$offset = 0 - self::AUTHTAG_LENGTH;
+$authTag = substr($data, $offset);
+$data = substr($data, 0, $offset);
+$decrypted = openssl_decrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA, $this->iv, $authTag);
+} else {
+$decrypted = openssl_decrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->iv);
+}
+
 if (false === $decrypted) {
 throw new Exception('Failure decrypting Data (openssl symmetric) - ' . openssl_error_string());
 }
-return $this->unpadISO10126($decrypted);
+return null !== $authTag ? $decrypted : $this->unpadISO10126($decrypted);
 }
 
 /**
diff --git a/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/xmlseclibs.php b/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/xmlseclibs.php
index 4470dab269..1859bc23ee 100644
--- a/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/xmlseclibs.php
+++ b/library/Xerte/Authentication/Saml2/vendor/robrichards/xmlseclibs/xmlseclibs.php
@@ -2,7 +2,7 @@
 /**
 * xmlseclibs.php
 *
- * Copyright (c) 2007-2019, Robert Richards .
+ * Copyright (c) 2007-2020, Robert Richards .
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
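Review bot: The GCM branch strips the tag with `$authTag = substr($data, $offset); $data = substr($data, 0, $offset);` without first checking that at least AUTHTAG_LENGTH bytes remain after the IV was removed; on a short or truncated input substr hands openssl_decrypt a partial or empty tag, and the failure only surfaces as the generic openssl error below. That still fails closed through the existing `false === $decrypted` check, but an explicit `if (strlen($data) < self::AUTHTAG_LENGTH) { throw new Exception('Ciphertext too short to contain a GCM authentication tag'); }` before the slice documents the expectation and yields a diagnosable error instead of an opaque tag-mismatch message. decryptSymmetric begins outside this hunk.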
@@ -35,9 +35,9 @@
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * @author Robert Richards
- * @copyright 2007-2019 Robert Richards
+ * @copyright 2007-2020 Robert Richards
 * @license http://www.opensource.org/licenses/bsd-license.php BSD License
- * @version 3.0.4
+ * @version 3.1.0
 */
 
 $xmlseclibs_srcdir = dirname(__FILE__) . '/src/';