Closed yphoenix closed 1 year ago
openssl is a disaster when it comes to error handling.
See this comment: https://www.php.net/manual/en/function.openssl-error-string.php#119878
This library will only show you the last error, even when there's a whole stack of error messages. In your case you are probably just missing crucial information to properly debug this.
Yeah, already handled the error queue thing. Now working on a minimal reproducible example that works with 7.4 and fails with 8.1
Pinned it down, not an openssl error, wrong value is being passed as the data, will work out whether it is a xmlseclibs or a onelogin saml issue.
Are you using another saml-lib that uses this lib, or what? Just out of curiosity since I happen to manage one of the saml-lib around.
Using the OneLogin PHP SAML Library, https://github.com/SAML-Toolkits/php-saml Looks like the signature info inside the encrypted assertion is getting mangled:
<ds:Signature><ds:SignedInfo> .... translated to:
<ns3:Signature><ns3:SignedInfo> etc
But only on PHP 8.1, and only inside the assertion. Signature info on the response is left untouched.
still tracking down exactly where and why.
Decryption is fine....
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>....
Amd something happens afterwards that I'll still tracking down....
That library seems pretty basic considering the huge saml2 protocol.. I wouldn't expect much of that tbh
It's been working fine so far, but maybe this will force us to change libraries, and it seems to be a 8.1 thing, and I suspect C14N, but we'll see.
Seems to be a DOMXPath::query issue with 8.x, more a OneLogin SAML Lib issue, or PHP issue.
Yeah PHP 8.0 has known issues that won't be fixed anymore. I've been having similar issues with my lib.
Thanks. Tracked down to: Utils::treeCopyReplace($encryptedAssertion, $decrypted); in OneLogin's Library. Closing this and moving over there.
FYI tracked it down to insertBefore() - https://github.com/SAML-Toolkits/php-saml/issues/562
From the PHP changelog:
Version 8.1.21
06 Jul 2023
DOM:
Fixed bug [#55294](http://bugs.php.net/55294) and #47530 and #47847 (various namespace reconciliation issues).
Could that be it? Are you on the latest dot-version?
Yes, latest dot version. Haven’t gone back to find out when it was introduced and maybe. libxml issue but for now I’m working around it.
Looking at the release log, lots of DOM fixes in 8.1.21, looks like it may have been introduced with this version.
Fix DOMElement::append() and DOMElement::prepend() hierarchy checks.
This one is driving me nuts. I have a SAML exchange that uses an encrypted and signed assertion in the response.
Under PHP 7.4 everything works great, the call to
openssl_verify($data, $signature, $this->key, $algo);
inverifyOpenSSL
works perfectly and returns 1Under PHP 8.1 everything fails, with exactly the same data being passed with the error.
The key is their public cert (this is a SAML response), the signature is sha256
Any tips appreciated, especially as to why the same code works with 7.4 and not 8.1