Revision: 3138
Author: olavmrk
Date: Thu Aug 2 03:48:28 2012
Log: SAML2: Add algorithm blacklist support.
http://code.google.com/p/simplesamlphp/source/detail?r=3138
Modified:
/trunk/lib/SAML2/Assertion.php
/trunk/lib/SAML2/EncryptedAssertion.php
/trunk/lib/SAML2/LogoutRequest.php
/trunk/lib/SAML2/Utils.php
=======================================
--- /trunk/lib/SAML2/Assertion.php Thu Nov 3 05:41:34 2011
+++ /trunk/lib/SAML2/Assertion.php Thu Aug 2 03:48:28 2012
@@ -645,15 +645,16 @@
* Decrypt the NameId of the subject in the assertion.
*
* @param XMLSecurityKey $key The decryption key.
+ * @param array $blacklist Blacklisted decryption algorithms.
*/
- public function decryptNameId(XMLSecurityKey $key) {
+ public function decryptNameId(XMLSecurityKey $key, array $blacklist =
array()) {
if ($this->encryptedNameId === NULL) {
/* No NameID to decrypt. */
return;
}
- $nameId = SAML2_Utils::decryptElement($this->encryptedNameId,
$key);
+ $nameId = SAML2_Utils::decryptElement($this->encryptedNameId, $key,
$blacklist);
SimpleSAML_Utilities::debugMessage($nameId, 'decrypt');
$this->nameId = SAML2_Utils::parseNameId($nameId);
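Review bot: The new `@param array $blacklist Blacklisted decryption algorithms.` line does not say what the array is expected to hold, so a caller cannot tell whether to pass algorithm identifier URIs, XMLSecurityKey constants or human-readable names. Because Utils.php compares the entries with `in_array(..., TRUE)` against `getAlgorith()` results, the doc should state that: `@param array $blacklist Algorithm identifiers (as returned by XMLSecurityKey::getAlgorith(), e.g. XMLSecurityKey::RSA_1_5) that must not be used for decryption.` The same wording is needed on decryptAttributes below, EncryptedAssertion::getAssertion, LogoutRequest::decryptNameId and SAML2_Utils::decryptElement, which all repeat the bare phrase. decryptNameId's body continues past the end of this hunk.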
@@ -661,14 +662,14 @@
}
- public function decryptAttributes($key){
+ public function decryptAttributes($key, array $blacklist = array()){
if($this->encryptedAttribute === null){
return;
}
$attributes = $this->encryptedAttribute;
foreach ($attributes as $attributeEnc) {
/*Decrypt node <EncryptedAttribute>*/
- $attribute =
SAML2_Utils::decryptElement($attributeEnc->getElementsByTagName('EncryptedData')->item(0),
$key);
+ $attribute =
SAML2_Utils::decryptElement($attributeEnc->getElementsByTagName('EncryptedData')->item(0),
$key, $blacklist);
if (!$attribute->hasAttribute('Name')) {
throw new Exception('Missing name on
<saml:Attribute> element.');
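Review bot: The new decryptAttributes signature types `$blacklist` but leaves `$key` untyped, unlike decryptNameId above, which requires `XMLSecurityKey $key`; since the key is handed straight to SAML2_Utils::decryptElement, whose signature requires an XMLSecurityKey, the hint belongs here as well: `public function decryptAttributes(XMLSecurityKey $key, array $blacklist = array()){`. The method also has no docblock while its sibling documents both parameters; a short one describing the key and the blacklist would keep the two consistent. The method body continues outside the hunk.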
=======================================
--- /trunk/lib/SAML2/EncryptedAssertion.php Mon Sep 13 00:27:53 2010
+++ /trunk/lib/SAML2/EncryptedAssertion.php Thu Aug 2 03:48:28 2012
@@ -81,11 +81,12 @@
* Retrieve the assertion.
*
* @param XMLSecurityKey $key The key we should use to decrypt the
assertion.
+ * @param array $blacklist Blacklisted decryption algorithms.
* @return SAML2_Assertion The decrypted assertion.
*/
- public function getAssertion(XMLSecurityKey $inputKey) {
-
- $assertionXML = SAML2_Utils::decryptElement($this->encryptedData,
$inputKey);
+ public function getAssertion(XMLSecurityKey $inputKey, array $blacklist =
array()) {
+
+ $assertionXML = SAML2_Utils::decryptElement($this->encryptedData,
$inputKey, $blacklist);
SimpleSAML_Utilities::debugMessage($assertionXML, 'decrypt');
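Review bot: The docblock extended in this hunk documents the key as `@param XMLSecurityKey $key`, but the parameter in the signature below it is `$inputKey`; while the block is being edited, align the two: `@param XMLSecurityKey $inputKey The key we should use to decrypt the assertion.` The `$blacklist` description would also benefit from naming the expected values (algorithm identifiers as returned by getAlgorith(), which is what SAML2_Utils compares against). getAssertion's body continues outside the hunk.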
=======================================
--- /trunk/lib/SAML2/LogoutRequest.php Mon Mar 7 05:25:41 2011
+++ /trunk/lib/SAML2/LogoutRequest.php Thu Aug 2 03:48:28 2012
@@ -153,15 +153,16 @@
* Decrypt the NameID in the LogoutRequest.
*
* @param XMLSecurityKey $key The decryption key.
+ * @param array $blacklist Blacklisted decryption algorithms.
*/
- public function decryptNameId(XMLSecurityKey $key) {
+ public function decryptNameId(XMLSecurityKey $key, array $blacklist =
array()) {
if ($this->encryptedNameId === NULL) {
/* No NameID to decrypt. */
return;
}
- $nameId = SAML2_Utils::decryptElement($this->encryptedNameId,
$key);
+ $nameId = SAML2_Utils::decryptElement($this->encryptedNameId, $key,
$blacklist);
SimpleSAML_Utilities::debugMessage($nameId, 'decrypt');
$this->nameId = SAML2_Utils::parseNameId($nameId);
=======================================
--- /trunk/lib/SAML2/Utils.php Wed Aug 1 23:21:11 2012
+++ /trunk/lib/SAML2/Utils.php Thu Aug 2 03:48:28 2012
@@ -339,9 +339,10 @@
*
* @param DOMElement $encryptedData The encrypted data.
* @param XMLSecurityKey $inputKey The decryption key.
+ * @param array &$blacklist Blacklisted decryption algorithms.
* @return DOMElement The decrypted element.
*/
- private static function _decryptElement(DOMElement $encryptedData,
XMLSecurityKey $inputKey) {
+ private static function _decryptElement(DOMElement $encryptedData,
XMLSecurityKey $inputKey, array &$blacklist) {
$enc = new XMLSecEnc();
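Review bot: `_decryptElement` now takes `array &$blacklist` by reference, yet the two uses added later in this file only read it through `in_array`, so the reference buys nothing and the `&` in the `@param` line is unusual. Passing by value is simpler and matches the public decryptElement, which takes the array by value: `XMLSecurityKey $inputKey, array $blacklist) {` with `@param array $blacklist Blacklisted decryption algorithms.` The function body continues past the hunk.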
@@ -362,6 +363,10 @@
if ($symmetricKeyInfo->isEncrypted) {
$symKeyInfoAlgo = $symmetricKeyInfo->getAlgorith();
+ if (in_array($symKeyInfoAlgo, $blacklist, TRUE)) {
+ throw new Exception('Algorithm disabled: ' .
var_export($symKeyInfoAlgo, TRUE));
+ }
+
if ($symKeyInfoAlgo === XMLSecurityKey::RSA_OAEP_MGF1P && $inputKeyAlgo
=== XMLSecurityKey::RSA_1_5) {
/*
* The RSA key formats are equal, so loading an
RSA_1_5 key
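Review bot: The blacklist test added here is repeated with the same shape for the symmetric key in the next hunk (`$algorithm = $symmetricKey->getAlgorith(); if (in_array($algorithm, $blacklist, TRUE)) { throw ... }`), and both build the same exception message, so a small private helper would keep the check and its message in one place. Each site then collapses to one call, `self::_checkAlgorithm($symKeyInfoAlgo, $blacklist);` here and `self::_checkAlgorithm($symmetricKey->getAlgorith(), $blacklist);` before `decryptNode`. The strict `TRUE` flag on `in_array` is the right choice and should stay in the helper. _decryptElement continues outside this hunk.
```php
    /**
     * Throw if the given algorithm identifier is on the blacklist.
     *
     * @param string $algorithm The algorithm identifier as returned by getAlgorith().
     * @param array $blacklist Blacklisted decryption algorithms.
     */
    private static function _checkAlgorithm($algorithm, array $blacklist) {
        if (in_array($algorithm, $blacklist, TRUE)) {
            throw new Exception('Algorithm disabled: ' . var_export($algorithm, TRUE));
        }
    }

        // … unchanged: key-info lookup in _decryptElement …
        if ($symmetricKeyInfo->isEncrypted) {
            $symKeyInfoAlgo = $symmetricKeyInfo->getAlgorith();
            self::_checkAlgorithm($symKeyInfoAlgo, $blacklist);
            // … unchanged: RSA_OAEP_MGF1P / RSA_1_5 key-format handling …
```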
@@ -425,6 +430,11 @@
}
$symmetricKey = $inputKey;
}
+
+ $algorithm = $symmetricKey->getAlgorith();
+ if (in_array($algorithm, $blacklist, TRUE)) {
+ throw new Exception('Algorithm disabled: ' . var_export($algorithm,
TRUE));
+ }
$decrypted = $enc->decryptNode($symmetricKey, FALSE);
@@ -456,12 +466,13 @@
*
* @param DOMElement $encryptedData The encrypted data.
* @param XMLSecurityKey $inputKey The decryption key.
+ * @param array $blacklist Blacklisted decryption algorithms.
* @return DOMElement The decrypted element.
*/
- public static function decryptElement(DOMElement $encryptedData,
XMLSecurityKey $inputKey) {
+ public static function decryptElement(DOMElement $encryptedData,
XMLSecurityKey $inputKey, array $blacklist = array()) {
try {
- return self::_decryptElement($encryptedData, $inputKey);
+ return self::_decryptElement($encryptedData, $inputKey,
$blacklist);
} catch (Exception $e) {
/*
* Something went wrong during decryption, but for
security
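Review bot: A blacklist rejection thrown by the new checks in _decryptElement lands in the `catch (Exception $e)` here and, if the catch replaces the message as its comment "for security" suggests, becomes indistinguishable in logs from any other decryption failure. The catch body lies outside the hunk, so this is inferred; if it does substitute a generic exception, consider logging `$e->getMessage()` at debug level inside that catch before the generic one is thrown, so an operator can see that a configured blacklist, not a bad key, caused the rejection. decryptElement's body continues past the hunk.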