#237. Set RSA_SHA256 and SHA256 as default signatureAlgorithm and digestAlgorithm values

pitbulk · pitbulk · commit 28a495fec21a · 2017-07-21T10:15:37.000+02:00
diff --git a/README.md b/README.md
@@ -496,14 +496,14 @@ $advancedSettings = array (
         //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
         //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
         //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
-        'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+        'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
 
         // Algorithm that the toolkit will use on digest process. Options:
         //    'http://www.w3.org/2000/09/xmldsig#sha1'
         //    'http://www.w3.org/2001/04/xmlenc#sha256'
         //    'http://www.w3.org/2001/04/xmldsig-more#sha384'
         //    'http://www.w3.org/2001/04/xmlenc#sha512'
-        'digestAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#sha1',
+        'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256',
 
         // ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses
         // uppercase. Turn it True for ADFS compatibility on signature verification
diff --git a/advanced_settings_example.php b/advanced_settings_example.php
@@ -87,14 +87,14 @@
         //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
         //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
         //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
-        'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+        'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
 
         // Algorithm that the toolkit will use on digest process. Options:
         //    'http://www.w3.org/2000/09/xmldsig#sha1'
         //    'http://www.w3.org/2001/04/xmlenc#sha256'
         //    'http://www.w3.org/2001/04/xmldsig-more#sha384'
         //    'http://www.w3.org/2001/04/xmlenc#sha512'
-        'digestAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#sha1',
+        'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256',
 
         // ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses
         // uppercase. Turn it True for ADFS compatibility on signature verification
diff --git a/lib/Saml2/Auth.php b/lib/Saml2/Auth.php
@@ -540,7 +540,7 @@ public function getLastRequestID()
      * @throws Exception
      * @throws OneLogin_Saml2_Error
      */
-    public function buildRequestSignature($samlRequest, $relayState, $signAlgorithm = XMLSecurityKey::RSA_SHA1)
+    public function buildRequestSignature($samlRequest, $relayState, $signAlgorithm = XMLSecurityKey::RSA_SHA256)
     {
         $key = $this->_settings->getSPkey();
         if (empty($key)) {
@@ -585,7 +585,7 @@ public function buildRequestSignature($samlRequest, $relayState, $signAlgorithm
      * @throws Exception
      * @throws OneLogin_Saml2_Error
      */
-    public function buildResponseSignature($samlResponse, $relayState, $signAlgorithm = XMLSecurityKey::RSA_SHA1)
+    public function buildResponseSignature($samlResponse, $relayState, $signAlgorithm = XMLSecurityKey::RSA_SHA256)
     {
         $key = $this->_settings->getSPkey();
         if (empty($key)) {
diff --git a/lib/Saml2/Metadata.php b/lib/Saml2/Metadata.php
@@ -183,7 +183,7 @@ public static function builder($sp, $authnsign = false, $wsign = false, $validUn
      *
      * @return string Signed Metadata
      */
-    public static function signMetadata($metadata, $key, $cert, $signAlgorithm = XMLSecurityKey::RSA_SHA1, $digestAlgorithm = XMLSecurityDSig::SHA1)
+    public static function signMetadata($metadata, $key, $cert, $signAlgorithm = XMLSecurityKey::RSA_SHA256, $digestAlgorithm = XMLSecurityDSig::SHA256)
     {
         return OneLogin_Saml2_Utils::addSign($metadata, $key, $cert, $signAlgorithm, $digestAlgorithm);
     }
diff --git a/lib/Saml2/Settings.php b/lib/Saml2/Settings.php
@@ -382,12 +382,12 @@ private function _addDefaultValues()
 
         // SignatureAlgorithm
         if (!isset($this->_security['signatureAlgorithm'])) {
-            $this->_security['signatureAlgorithm'] = XMLSecurityKey::RSA_SHA1;
+            $this->_security['signatureAlgorithm'] = XMLSecurityKey::RSA_SHA256;
         }
 
         // DigestAlgorithm
         if (!isset($this->_security['digestAlgorithm'])) {
-            $this->_security['digestAlgorithm'] = XMLSecurityDSig::SHA1;
+            $this->_security['digestAlgorithm'] = XMLSecurityDSig::SHA256;
         }
 
         if (!isset($this->_security['lowercaseUrlencoding'])) {
diff --git a/lib/Saml2/Utils.php b/lib/Saml2/Utils.php
@@ -1208,7 +1208,7 @@ public static function castKey(XMLSecurityKey $key, $algorithm, $type = 'public'
      *
      * @throws Exception
      */
-    public static function addSign($xml, $key, $cert, $signAlgorithm = XMLSecurityKey::RSA_SHA1, $digestAlgorithm = XMLSecurityDSig::SHA1)
+    public static function addSign($xml, $key, $cert, $signAlgorithm = XMLSecurityKey::RSA_SHA256, $digestAlgorithm = XMLSecurityDSig::SHA256)
     {
         if ($xml instanceof DOMDocument) {
             $dom = $xml;

Original file line number	Diff line number	Diff line change
`@@ -183,7 +183,7 @@ public static function builder($sp, $authnsign = false, $wsign = false, $validUn`
`183`	`183`	`*`
`184`	`184`	`* @return string Signed Metadata`
`185`	`185`	`*/`
`186`		`- public static function signMetadata($metadata, $key, $cert, $signAlgorithm = XMLSecurityKey::RSA_SHA1, $digestAlgorithm = XMLSecurityDSig::SHA1)`
	`186`	`+ public static function signMetadata($metadata, $key, $cert, $signAlgorithm = XMLSecurityKey::RSA_SHA256, $digestAlgorithm = XMLSecurityDSig::SHA256)`
`187`	`187`	`{`
`188`	`188`	`return OneLogin_Saml2_Utils::addSign($metadata, $key, $cert, $signAlgorithm, $digestAlgorithm);`
`189`	`189`	`}`
Original file line number	Diff line number	Diff line change
`@@ -382,12 +382,12 @@ private function _addDefaultValues()`
`382`	`382`
`383`	`383`	`// SignatureAlgorithm`
`384`	`384`	`if (!isset($this->_security['signatureAlgorithm'])) {`
`385`		`- $this->_security['signatureAlgorithm'] = XMLSecurityKey::RSA_SHA1;`
	`385`	`+ $this->_security['signatureAlgorithm'] = XMLSecurityKey::RSA_SHA256;`
`386`	`386`	`}`
`387`	`387`
`388`	`388`	`// DigestAlgorithm`
`389`	`389`	`if (!isset($this->_security['digestAlgorithm'])) {`
`390`		`- $this->_security['digestAlgorithm'] = XMLSecurityDSig::SHA1;`
	`390`	`+ $this->_security['digestAlgorithm'] = XMLSecurityDSig::SHA256;`
`391`	`391`	`}`
`392`	`392`
`393`	`393`	`if (!isset($this->_security['lowercaseUrlencoding'])) {`
Original file line number	Diff line number	Diff line change
`@@ -1208,7 +1208,7 @@ public static function castKey(XMLSecurityKey $key, $algorithm, $type = 'public'`
`1208`	`1208`	`*`
`1209`	`1209`	`* @throws Exception`
`1210`	`1210`	`*/`
`1211`		`- public static function addSign($xml, $key, $cert, $signAlgorithm = XMLSecurityKey::RSA_SHA1, $digestAlgorithm = XMLSecurityDSig::SHA1)`
	`1211`	`+ public static function addSign($xml, $key, $cert, $signAlgorithm = XMLSecurityKey::RSA_SHA256, $digestAlgorithm = XMLSecurityDSig::SHA256)`
`1212`	`1212`	`{`
`1213`	`1213`	`if ($xml instanceof DOMDocument) {`
`1214`	`1214`	`$dom = $xml;`