robrichards / xmlseclibs

A PHP library for XML Security
BSD 3-Clause "New" or "Revised" License
386 stars, 180 forks

Getting the "openssl_x509_read(): supplied parameter cannot be coerced into an X509 certificate! in nextcloud server SAML auth. #251

Closed Shamri04 closed 1 year ago

Shamri04 commented 1 year ago

Hi, I am getting the "openssl_x509_read(): supplied parameter cannot be coerced into an X509 certificate!" error while authenticating to Nextcloud via SAML. Please help to resolve it.

{"reqId":"NfJcgjA9idr91KnSGG4w","level":3,"time":"July 14, 2023 08:36:49","remoteAddr":"172.20.16.152","user":"--","app":"PHP","method":"POST","url":"/index.php/apps/user_saml/saml/acs","message":"openssl_x509_read(): supplied parameter cannot be coerced into an X509 certificate! at /data/nextcloud/apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php#363","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","version":"23.0.12.2","exception":{"Exception":"Error","Message":"openssl_x509_read(): supplied parameter cannot be coerced into an X509 certificate! at /data/nextcloud/apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php#363","Code":0,"Trace":[{"function":"onError","class":"OC\Log\ErrorHandler","type":"::"},{"file":"/data/nextcloud/apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php","line":363,"function":"openssl_x509_read"},{"file":"/data/nextcloud/apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecEnc.php","line":490,"function":"loadKey","class":"RobRichards\XMLSecLibs\XMLSecurityKey","type":"->"},{"file":"/data/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php","line":1484,"function":"staticLocateKeyInfo","class":"RobRichards\XMLSecLibs\XMLSecEnc","type":"::"},{"file":"/data/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php","line":431,"function":"validateSign","class":"OneLogin\Saml2\Utils","type":"::"},{"file":"/data/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php","line":238,"function":"isValid","class":"OneLogin\Saml2\Response","type":"->"},{"file":"/data/nextcloud/apps/user_saml/lib/Controller/SAMLController.php","line":353,"function":"processResponse","class":"OneLogin\Saml2\Auth","type":"->"},{"file":"/data/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":217,"function":"assertionConsumerService","class":"OCA\User_SAML\Controller\SAMLController","type":"->"},{"file":"/data/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":126,"function":"executeController","class":"OC\AppFramework\Http\Dispatcher","type":"->"},{"file":"/data/nextcloud/lib/private/AppFramework/App.php","line":157,"function":"dispatch","class":"OC\AppFramework\Http\Dispatcher","type":"->"},{"file":"/data/nextcloud/lib/private/Route/Router.php","line":302,"function":"main","class":"OC\AppFramework\App","type":"::"},{"file":"/data/nextcloud/lib/base.php","line":1015,"function":"match","class":"OC\Route\Router","type":"->"},{"file":"/data/nextcloud/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/data/nextcloud/lib/private/Log/ErrorHandler.php","Line":92,"CustomMessage":"--"}}

tvdijen commented 1 year ago

Could it be that there are tabs inside your PEM-structure? It's the only whitespace that isn't being filtered by the code. @robrichards Please consider adding "\t" to this line: https://github.com/robrichards/xmlseclibs/blob/master/src/XMLSecEnc.php#L486

Shamri04 commented 1 year ago

Hi @tvdijen

I am quite new to SAML auth and the source code. Kindly let me know the exact path where I need to add the "\t".

tvdijen commented 1 year ago

Hi @Shamri04 My comment was not to you, but to the maintainer of this package.

robrichards commented 1 year ago

@tvdijen Had missed your message. The line doesn't seem to match the code. I assume you are referring to this line? $x509cert = str_replace(array("\r", "\n", " "), "", $x509cert);

I agree that it makes sense to add it.

tvdijen commented 1 year ago

Ah yes, something went wrong there, but that's the line I was talking about! https://github.com/robrichards/xmlseclibs/blob/master/src/XMLSecEnc.php#L488

I think this may help the OP with his issue.

From RFC7468:

[..], parsers SHOULD ignore whitespace and other non-base64 characters and MUST handle different newline conventions.

and

In this document, "whitespace" means any character or series of characters that represent horizontal or vertical space in typography. In US-ASCII, whitespace means HT (0x09), VT (0x0B), FF (0x0C), SP (0x20), CR (0x0D), and LF (0x0A); "blank" means HT and SP; lines are divided with CRLF, CR, or LF.

So technically we should add \t, \v and \f

Shamri04 commented 1 year ago

Hi @robrichards

After changing the code as per your commit, I am still getting the same issue.

            case 'X509Data':
                if ($x509certNodes = $child->getElementsByTagName('X509Certificate')) {
                    if ($x509certNodes->length > 0) {
                        $x509cert = $x509certNodes->item(0)->textContent;
                        $x509cert = str_replace(array("\r", "\n", " ", "\t"), "", $x509cert);
                        $x509cert = "-----BEGIN CERTIFICATE-----\n".chunk_split($x509cert, 64, "\n")."-----END CERTIFICATE-----\n";
                        $objBaseKey->loadKey($x509cert, false, true);
                    }
                }

I am still getting the same error, and it is not reported in the XMLSecEnc.php file; it is reported in

"message":"openssl_x509_read(): supplied parameter cannot be coerced into an X509 certificate! at /data/nextcloud/apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php#365"

Complete log:

{"reqId":"e1IlOKfGirBubGcIZJaI","level":3,"time":"July 18, 2023 04:10:58","remoteAddr":"172.20.16.152","user":"--","app":"PHP","method":"POST","url":"/index.php/apps/user_saml/saml/acs","message":"openssl_x509_read(): supplied parameter cannot be coerced into an X509 certificate! at /data/nextcloud/apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php#365","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","version":"22.2.3.0","exception":{"Exception":"Error","Message":"openssl_x509_read(): supplied parameter cannot be coerced into an X509 certificate! at /data/nextcloud/apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php#365","Code":0,"Trace":[{"function":"onError","class":"OC\Log\ErrorHandler","type":"::","args":[2,"openssl_x509_read(): supplied parameter cannot be coerced into an X509 certificate!","/data/nextcloud/apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php",365,{"key":"-----BEGIN CERTIFICATE-----\n----BEGINCERTIFICATE----GxsHX-NSQERvLVXSJNcLVylt_G3106oXh3sOiMKq\n0lE\t----ENDCERITIFICATE----\n-----END CERTIFICATE-----\n","isFile":false,"isCert":true}]},{"file":"/data/nextcloud/apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php","line":365,"function":"openssl_x509_read","args":["-----BEGIN CERTIFICATE-----\n----BEGINCERTIFICATE----GxsHX-NSQERvLVXSJNcLVylt_G3106oXh3sOiMKq\n0lE\t----ENDCERITIFICATE----\n-----END CERTIFICATE-----\n"]},{"file":"/data/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php","line":1501,"function":"loadKey","class":"RobRichards\XMLSecLibs\XMLSecurityKey","type":"->","args":["-----BEGIN CERTIFICATE-----\n----BEGINCERTIFICATE----GxsHX-NSQERvLVXSJNcLVylt_G3106oXh3sOiMKq\n0lE\t----ENDCERITIFICATE----\n-----END CERTIFICATE-----\n",false,true]},{"file":"/data/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php","line":431,"function":"validateSign","class":"OneLogin\Saml2\Utils","type":"::","args":[{"class":"DOMDocument"},"-----BEGIN CERTIFICATE-----\n----BEGINCERTIFICATE----GxsHX-NSQERvLVXSJNcLVylt_G3106oXh3sOiMKq\n0lE\t----ENDCERITIFICATE----\n-----END CERTIFICATE-----\n","","sha1","/samlp:Response/ds:Signature",["-----BEGIN CERTIFICATE-----\n----BEGINCERTIFICATE----GxsHX-NSQERvLVXSJNcLVylt_G3106oXh3sOiMKq\n0lE\t----ENDCERITIFICATE----\n-----END CERTIFICATE-----\n"]]},{"file":"/data/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php","line":238,"function":"isValid","class":"OneLogin\Saml2\Response","type":"->","args":["ONELOGIN_e5a132a4100f85a37f09dfb9ea89052dc248f240"]},{"file":"/data/nextcloud/apps/user_saml/lib/Controller/SAMLController.php","line":353,"function":"processResponse","class":"OneLogin\Saml2\Auth","type":"->","args":["ONELOGIN_e5a132a4100f85a37f09dfb9ea89052dc248f240"]},{"file":"/data/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":217,"function":"assertionConsumerService","class":"OCA\User_SAML\Controller\SAMLController","type":"->","args":[]},{"file":"/data/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":126,"function":"executeController","class":"OC\AppFramework\Http\Dispatcher","type":"->","args":[{"class":"OCA\User_SAML\Controller\SAMLController"},"assertionConsumerService"]},{"file":"/data/nextcloud/lib/private/AppFramework/App.php","line":156,"function":"dispatch","class":"OC\AppFramework\Http\Dispatcher","type":"->","args":[{"class":"OCA\User_SAML\Controller\SAMLController"},"assertionConsumerService"]},{"file":"/data/nextcloud/lib/private/Route/Router.php","line":302,"function":"main","class":"OC\AppFramework\App","type":"::","args":["OCA\User_SAML\Controller\SAMLController","assertionConsumerService",{"class":"OC\AppFramework\DependencyInjection\DIContainer"},{"_route":"user_saml.SAML.assertionConsumerService"}]},{"file":"/data/nextcloud/lib/base.php","line":1006,"function":"match","class":"OC\Route\Router","type":"->","args":["/apps/user_saml/saml/acs"]},{"file":"/data/nextcloud/index.php","line":36,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/data/nextcloud/lib/private/Log/ErrorHandler.php","Line":92,"CustomMessage":"--"}}

{"reqId":"e1IlOKfGirBubGcIZJaI","level":3,"time":"July 18, 2023 04:10:58","remoteAddr":"172.20.16.152","user":"--","app":"PHP","method":"POST","url":"/index.php/apps/user_saml/saml/acs","message":"openssl_x509_export(): cannot get cert from parameter 1 at /data/nextcloud/apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php#366","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","version":"22.2.3.0","exception":{"Exception":"Error","Message":"openssl_x509_export(): cannot get cert from parameter 1 at /data/nextcloud/apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php#366","Code":0,"Trace":[{"function":"onError","class":"OC\Log\ErrorHandler","type":"::","args":[2,"openssl_x509_export(): cannot get cert from parameter 1","/data/nextcloud/apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php",366,{"key":"-----BEGIN CERTIFICATE-----\n----BEGINCERTIFICATE----GxsHX-NSQERvLVXSJNcLVylt_G3106oXh3sOiMKq\n0lE\t----ENDCERITIFICATE----\n-----END CERTIFICATE-----\n","isFile":false,"isCert":true,"str_cert":null}]},{"file":"/data/nextcloud/apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php","line":366,"function":"openssl_x509_export","args":[false,null]},{"file":"/data/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php","line":1501,"function":"loadKey","class":"RobRichards\XMLSecLibs\XMLSecurityKey","type":"->","args":["-----BEGIN CERTIFICATE-----\n----BEGINCERTIFICATE----GxsHX-NSQERvLVXSJNcLVylt_G3106oXh3sOiMKq\n0lE\t----ENDCERITIFICATE----\n-----END CERTIFICATE-----\n",false,true]},{"file":"/data/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php","line":431,"function":"validateSign","class":"OneLogin\Saml2\Utils","type":"::","args":[{"class":"DOMDocument"},"-----BEGIN CERTIFICATE-----\n----BEGINCERTIFICATE----GxsHX-NSQERvLVXSJNcLVylt_G3106oXh3sOiMKq\n0lE\t----ENDCERITIFICATE----\n-----END CERTIFICATE-----\n","","sha1","/samlp:Response/ds:Signature",["-----BEGIN CERTIFICATE-----\n----BEGINCERTIFICATE----GxsHX-NSQERvLVXSJNcLVylt_G3106oXh3sOiMKq\n0lE\t----ENDCERITIFICATE----\n-----END CERTIFICATE-----\n"]]},{"file":"/data/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php","line":238,"function":"isValid","class":"OneLogin\Saml2\Response","type":"->","args":["ONELOGIN_e5a132a4100f85a37f09dfb9ea89052dc248f240"]},{"file":"/data/nextcloud/apps/user_saml/lib/Controller/SAMLController.php","line":353,"function":"processResponse","class":"OneLogin\Saml2\Auth","type":"->","args":["ONELOGIN_e5a132a4100f85a37f09dfb9ea89052dc248f240"]},{"file":"/data/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":217,"function":"assertionConsumerService","class":"OCA\User_SAML\Controller\SAMLController","type":"->","args":[]},{"file":"/data/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":126,"function":"executeController","class":"OC\AppFramework\Http\Dispatcher","type":"->","args":[{"class":"OCA\User_SAML\Controller\SAMLController"},"assertionConsumerService"]},{"file":"/data/nextcloud/lib/private/AppFramework/App.php","line":156,"function":"dispatch","class":"OC\AppFramework\Http\Dispatcher","type":"->","args":[{"class":"OCA\User_SAML\Controller\SAMLController"},"assertionConsumerService"]},{"file":"/data/nextcloud/lib/private/Route/Router.php","line":302,"function":"main","class":"OC\AppFramework\App","type":"::","args":["OCA\User_SAML\Controller\SAMLController","assertionConsumerService",{"class":"OC\AppFramework\DependencyInjection\DIContainer"},{"_route":"user_saml.SAML.assertionConsumerService"}]},{"file":"/data/nextcloud/lib/base.php","line":1006,"function":"match","class":"OC\Route\Router","type":"->","args":["/apps/user_saml/saml/acs"]},{"file":"/data/nextcloud/index.php","line":36,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/data/nextcloud/lib/private/Log/ErrorHandler.php","Line":92,"CustomMessage":"--"}}

{"reqId":"e1IlOKfGirBubGcIZJaI","level":4,"time":"July 18, 2023 04:10:58","remoteAddr":"172.20.16.152","user":"--","app":"user_saml","method":"POST","url":"/index.php/apps/user_saml/saml/acs","message":"invalid_response","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","version":"22.2.3.0"}

{"reqId":"e1IlOKfGirBubGcIZJaI","level":4,"time":"July 18, 2023 04:10:58","remoteAddr":"172.20.16.152","user":"--","app":"user_saml","method":"POST","url":"/index.php/apps/user_saml/saml/acs","message":"Unable to extract public key","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","version":"22.2.3.0"}

tvdijen commented 1 year ago

That is indeed not a valid X509 certificate... GxsHX-NSQERvLVXSJNcLVylt_G3106oXh3sOiMKq\n0lE\t is not a base64-encoded string.
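The two points raised in this thread, that a PEM parser should drop every RFC 7468 whitespace character (HT, VT, FF, SP, CR, LF) before re-wrapping the body, and that the remaining text must actually be standard base64 before it is worth calling openssl_x509_read() on it, can be combined into one normalisation step. The following is an added example, not xmlseclibs or php-saml code; the function names x509TextContentToPem() and suspiciousCharacters() are hypothetical, and the two sample inputs are constructed (the second only mimics the shape of the value in the log above, with its base64url characters '-' and '_' and the stray tab).

```php
<?php
// Added example (not xmlseclibs code): normalise the text content of a
// <ds:X509Certificate> element the way RFC 7468 asks a parser to, and refuse
// anything that is not standard base64 instead of handing it to OpenSSL.

/**
 * Strip every RFC 7468 whitespace character from the element's text content
 * and re-wrap the body as a PEM CERTIFICATE block (64-character lines).
 * Returns null when what is left is not valid standard base64 (RFC 4648 §4).
 */
function x509TextContentToPem(string $textContent): ?string
{
    // RFC 7468 §2 whitespace: HT, VT, FF, SP, CR, LF. The library's original
    // str_replace() only removed CR, LF and SP; this is the superset.
    $body = str_replace(["\t", "\v", "\f", " ", "\r", "\n"], '', $textContent);

    // The element should carry only the base64 body, but tolerate a pasted
    // PEM whose encapsulation boundaries were left in (spaces are gone already).
    $body = preg_replace('/-----(?:BEGIN|END)[A-Z]*-----/', '', $body);

    // Standard base64 alphabet only. base64url ('-', '_') or any other stray
    // character means this cannot be a DER certificate encoding.
    if ($body === '' || !preg_match('/^[A-Za-z0-9+\/]+={0,2}$/', $body)) {
        return null;
    }
    // Strict decode rejects characters outside the alphabet that the regex
    // could not catch in combination (e.g. padding in the middle).
    if (base64_decode($body, true) === false) {
        return null;
    }
    return "-----BEGIN CERTIFICATE-----\n"
        . chunk_split($body, 64, "\n")
        . "-----END CERTIFICATE-----\n";
}

/**
 * Diagnostic helper: list (as hex code points) the characters that would have
 * survived the original str_replace(["\r", "\n", " "]) yet are not base64, so an
 * operator can see why openssl_x509_read() rejected the key material.
 */
function suspiciousCharacters(string $textContent): array
{
    $stripped = str_replace(["\r", "\n", " "], '', $textContent);
    preg_match_all('/[^A-Za-z0-9+\/=]/', $stripped, $m);
    $out = [];
    foreach (array_unique($m[0]) as $ch) {
        $out[] = sprintf('0x%02X', ord($ch));
    }
    return $out;
}

// Constructed sample inputs; neither is a real certificate.
$tabbed  = "MIIB\tCzCC\n  AbWgAwIB\vAgI=";                 // valid base64 with HT/LF/SP/VT noise
$urlSafe = "GxsHX-NSQERvLVXSJNcLVylt_G3106oXh3sOiMKq\n0lE\t"; // shape of the value in the log

var_dump(x509TextContentToPem($tabbed) !== null); // bool(true): tabs and VT no longer break it
var_dump(x509TextContentToPem($urlSafe));         // NULL: '-' and '_' are not standard base64
print_r(suspiciousCharacters($urlSafe));          // 0x2D, 0x5F, 0x09
```

Returning null (and logging the offending code points) before openssl_x509_read() is called gives a clearer failure than the "cannot be coerced into an X509 certificate" warning, and separates the two distinct causes seen in this thread: whitespace the parser should have ignored, and key material that was never a base64 DER certificate in the first place.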

Shamri04 commented 1 year ago

Hi @tvdijen

This was the key provided by Keycloak. Anyhow, I tried configuring the public certificate. I am getting this error.

{"reqId":"ZWt5dKS3nWvx4f9GQNtu","level":4,"time":"July 18, 2023 08:01:48","remoteAddr":"172.20.16.152","user":"--","app":"user_saml","method":"POST","url":"/index.php/apps/user_saml/saml/acs","message":"invalid_response","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","version":"22.2.3.0"}

{"reqId":"ZWt5dKS3nWvx4f9GQNtu","level":4,"time":"July 18, 2023 08:01:48","remoteAddr":"172.20.16.152","user":"--","app":"user_saml","method":"POST","url":"/index.php/apps/user_saml/saml/acs","message":"Signature validation failed. SAML Response rejected","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","version":"22.2.3.0"}

tvdijen commented 1 year ago

That's not an error generated by this library.