Merge branch '4.0.0' into 3.6.0-tests

pitbulk · web-flow · commit f03b4f8120ba · 2021-02-18T15:19:57.000+01:00
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,5 +1,8 @@
 CHANGELOG
 =========
+v4.0.0
+* Supports PHP 8.X
+
 v3.5.1
 * 3.5.0 packagist/github release due a confusion were using the master (2.X branch). I'm releasing 3.5.1 to fix this issue and go back to 3.X branch
 
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# OneLogin's SAML PHP Toolkit Compatible with PHP 5.X & 7.X
+# OneLogin's SAML PHP Toolkit Compatible with PHP 7.X & 8.X
 
 [![Build Status](https://api.travis-ci.org/onelogin/php-saml.png?branch=master)](http://travis-ci.org/onelogin/php-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/php-saml/badge.png)](https://coveralls.io/r/onelogin/php-saml) [![License](https://poser.pugx.org/onelogin/php-saml/license.png)](https://packagist.org/packages/onelogin/php-saml)
 
@@ -10,15 +10,7 @@ and supported by OneLogin Inc.
 Warning
 -------
 
-Version 3.4.0 introduces the 'rejectUnsolicitedResponsesWithInResponseTo' setting parameter, by default disabled, that will allow invalidate unsolicited SAMLResponse. This version as well will reject SAMLResponse if requestId was provided to the validator but the SAMLResponse does not contain a InResponseTo attribute. And an additional setting parameter 'destinationStrictlyMatches', by default disabled, that will force that the Destination URL should strictly match to the address that process the SAMLResponse.
-
-Version 3.3.1 updates xmlseclibs to 3.0.4 (CVE-2019-3465), but php-saml was not directly affected since it implements additional checks that prevent to exploit that vulnerability.
-
-Version 3.3.0 sets strict mode active by default
-
-Update php-saml to 3.1.0, this version includes a security patch related to XEE attacks.
-
-This version is compatible with PHP 7.X and does not include xmlseclibs (you will need to install it via composer, dependency described in composer.json)
+This version is compatible with PHP >7.1 and 8.X and does not include xmlseclibs (you will need to install it via composer, dependency described in composer.json)
 
 Security Guidelines
 -------------------
@@ -132,7 +124,9 @@ Your settings are at risk of being deleted when updating packages using `compose
 Compatibility
 -------------
 
-This 3.X.X supports PHP 7.X. but can be used with PHP >=5.4 as well  (5.6.24+ recommended for security reasons).
+This 4.X.X supports PHP >7.1 .
+
+It is not compatible with PHP5.6 or PHP7.0.
 
 Namespaces
 ----------
@@ -513,6 +507,17 @@ $advancedSettings = array(
         // Notice that sha1 is a deprecated algorithm and should not be used
         'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256',
 
+        // Algorithm that the toolkit will use for encryption process. Options:
+        // 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc'
+        // 'http://www.w3.org/2001/04/xmlenc#aes128-cbc'
+        // 'http://www.w3.org/2001/04/xmlenc#aes192-cbc'
+        // 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
+        // 'http://www.w3.org/2009/xmlenc11#aes128-gcm'
+        // 'http://www.w3.org/2009/xmlenc11#aes192-gcm'
+        // 'http://www.w3.org/2009/xmlenc11#aes256-gcm';
+        // Notice that aes-cbc are not consider secure anymore so should not be used
+        'encryption_algorithm' => 'http://www.w3.org/2009/xmlenc11#aes128-gcm',
+
         // ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses
         // uppercase. Turn it True for ADFS compatibility on signature verification
         'lowercaseUrlencoding' => false,
diff --git a/advanced_settings_example.php b/advanced_settings_example.php
@@ -116,6 +116,17 @@
         // Notice that sha1 is a deprecated algorithm and should not be used
         'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256',
 
+        // Algorithm that the toolkit will use for encryption process. Options:
+        // 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc'
+        // 'http://www.w3.org/2001/04/xmlenc#aes128-cbc'
+        // 'http://www.w3.org/2001/04/xmlenc#aes192-cbc'
+        // 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
+        // 'http://www.w3.org/2009/xmlenc11#aes128-gcm'
+        // 'http://www.w3.org/2009/xmlenc11#aes192-gcm'
+        // 'http://www.w3.org/2009/xmlenc11#aes256-gcm';
+        // Notice that aes-cbc are not consider secure anymore so should not be used
+        'encryption_algorithm' => 'http://www.w3.org/2009/xmlenc11#aes128-gcm',
+
         // ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses
         // uppercase. Turn it True for ADFS compatibility on signature verification
         'lowercaseUrlencoding' => false,
diff --git a/composer.json b/composer.json
@@ -17,18 +17,19 @@
     "require": {
         "php": ">=7.1",
         "robrichards/xmlseclibs": ">=3.1.1",
-        "phpunit/phpunit": "7.5.17 || ^9.5"
+        "phpunit/phpunit": "^7.5.20 || ^9.5"
     },
     "require-dev": {
-        "php-coveralls/php-coveralls": "^1.0.2 || ^2.0",
-        "sebastian/phpcpd": "^2.0 || ^3.0 || ^4.0",
-        "phploc/phploc": "^2.1 || ^3.0 || ^4.0 || ^7.0",
-        "pdepend/pdepend": "^2.5.0",
-        "squizlabs/php_codesniffer": "^3.1.1"
+        "php-coveralls/php-coveralls": "^2.0",
+        "sebastian/phpcpd": "^4.0 || ^5.0 || ^6.0 ",
+        "phploc/phploc": "^4.0 || ^5.0 || ^6.0 || ^7.0",
+        "pdepend/pdepend": "^2.8.0",
+        "squizlabs/php_codesniffer": "^3.5.8"
     },
     "suggest": {
         "ext-openssl": "Install openssl lib in order to handle with x509 certs (require to support sign and encryption)",
         "ext-curl": "Install curl lib to be able to use the IdPMetadataParser for parsing remote XMLs",
-        "ext-gettext": "Install gettext and php5-gettext libs to handle translations"
+        "ext-dom": "Install xml lib",
+        "ext-zlib": "Install zlib"
     }
 }
diff --git a/demo1/index.php b/demo1/index.php
@@ -77,6 +77,9 @@
 
     if (!empty($errors)) {
         echo '<p>' . implode(', ', $errors) . '</p>';
+        if ($auth->getSettings()->isDebugActive()) {
+            echo '<p>'.$auth->getLastErrorReason().'</p>';
+        }
     }
 
     if (!$auth->isAuthenticated()) {
@@ -108,6 +111,9 @@
         echo '<p>Sucessfully logged out</p>';
     } else {
         echo '<p>' . implode(', ', $errors) . '</p>';
+        if ($auth->getSettings()->isDebugActive()) {
+            echo '<p>'.$auth->getLastErrorReason().'</p>';
+        }
     }
 }
 
diff --git a/src/Saml2/LogoutRequest.php b/src/Saml2/LogoutRequest.php
@@ -122,7 +122,8 @@ public function __construct(\OneLogin\Saml2\Settings $settings, $request = null,
                 $nameIdSPNameQualifier,
                 $nameIdFormat,
                 $cert,
-                $nameIdNameQualifier
+                $nameIdNameQualifier,
+                $security['encryption_algorithm']
             );
 
             $sessionIndexStr = isset($sessionIndex) ? "<samlp:SessionIndex>{$sessionIndex}</samlp:SessionIndex>" : "";
diff --git a/src/Saml2/Settings.php b/src/Saml2/Settings.php
@@ -430,6 +430,11 @@ private function _addDefaultValues()
             $this->_security['digestAlgorithm'] = XMLSecurityDSig::SHA256;
         }
 
+        // EncryptionAlgorithm
+        if (!isset($this->_security['encryption_algorithm'])) {
+            $this->_security['encryption_algorithm'] = XMLSecurityKey::AES128_CBC;
+        }
+
         if (!isset($this->_security['lowercaseUrlencoding'])) {
             $this->_security['lowercaseUrlencoding'] = false;
         }
diff --git a/src/Saml2/Utils.php b/src/Saml2/Utils.php
@@ -1056,12 +1056,13 @@ public static function formatFingerPrint($fingerprint)
      * @param string|null $format SP Format
      * @param string|null $cert   IdP Public cert to encrypt the nameID
      * @param string|null $nq     IdP Name Qualifier
+     * @param string|null $enc_alg Encryption algorithm
      *
      * @return string $nameIDElement DOMElement | XMLSec nameID
      *
      * @throws Exception
      */
-    public static function generateNameId($value, $spnq, $format = null, $cert = null, $nq = null)
+    public static function generateNameId($value, $spnq, $format = null, $cert = null, $nq = null, $enc_alg = XMLSecurityKey::AES128_CBC)
     {
 
         $doc = new DOMDocument();
@@ -1081,14 +1082,18 @@ public static function generateNameId($value, $spnq, $format = null, $cert = nul
         $doc->appendChild($nameId);
 
         if (!empty($cert)) {
-            $seckey = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type'=>'public'));
+            if ($enc_alg == XMLSecurityKey::AES128_CBC) {
+                $seckey = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type'=>'public'));
+            } else {
+                $seckey = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, array('type'=>'public'));
+            }
             $seckey->loadKey($cert);
 
             $enc = new XMLSecEnc();
             $enc->setNode($nameId);
             $enc->type = XMLSecEnc::Element;
 
-            $symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
+            $symmetricKey = new XMLSecurityKey($enc_alg);
             $symmetricKey->generateSessionKey();
             $enc->encryptKey($seckey, $symmetricKey);
 
diff --git a/tests/src/OneLogin/Saml2/UtilsTest.php b/tests/src/OneLogin/Saml2/UtilsTest.php
@@ -852,6 +852,21 @@ public function testGenerateNameIdWithSPNameQualifier()
         );
 
         $nameidExpectedEnc = '<saml:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>';
+
+        $this->assertStringContainsString($nameidExpectedEnc, $nameIdEnc);
+
+        // Check AES128_GCM support
+
+        $nameidExpectedEnc = '<saml:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><xenc:CipherData><xenc:CipherValue>';
+
+        $nameIdEnc = Utils::generateNameId(
+            $nameIdValue,
+            $entityId,
+            $nameIDFormat,
+            $key,
+            null,
+            XMLSecurityKey::AES128_GCM
+        );
         $this->assertStringContainsString($nameidExpectedEnc, $nameIdEnc);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -77,6 +77,9 @@`
`77`	`77`
`78`	`78`	`if (!empty($errors)) {`
`79`	`79`	`echo '<p>' . implode(', ', $errors) . '</p>';`
	`80`	`+ if ($auth->getSettings()->isDebugActive()) {`
	`81`	`+ echo '<p>'.$auth->getLastErrorReason().'</p>';`
	`82`	`+ }`
`80`	`83`	`}`
`81`	`84`
`82`	`85`	`if (!$auth->isAuthenticated()) {`
`@@ -108,6 +111,9 @@`
`108`	`111`	`echo '<p>Sucessfully logged out</p>';`
`109`	`112`	`} else {`
`110`	`113`	`echo '<p>' . implode(', ', $errors) . '</p>';`
	`114`	`+ if ($auth->getSettings()->isDebugActive()) {`
	`115`	`+ echo '<p>'.$auth->getLastErrorReason().'</p>';`
	`116`	`+ }`
`111`	`117`	`}`
`112`	`118`	`}`
`113`	`119`
Original file line number	Diff line number	Diff line change
`@@ -430,6 +430,11 @@ private function _addDefaultValues()`
`430`	`430`	`$this->_security['digestAlgorithm'] = XMLSecurityDSig::SHA256;`
`431`	`431`	`}`
`432`	`432`
	`433`	`+ // EncryptionAlgorithm`
	`434`	`+ if (!isset($this->_security['encryption_algorithm'])) {`
	`435`	`+ $this->_security['encryption_algorithm'] = XMLSecurityKey::AES128_CBC;`
	`436`	`+ }`
	`437`	`+`
`433`	`438`	`if (!isset($this->_security['lowercaseUrlencoding'])) {`
`434`	`439`	`$this->_security['lowercaseUrlencoding'] = false;`
`435`	`440`	`}`