Closed Skywalker-11 closed 3 years ago
@Skywalker-11 have you found any alternatives to simplesamlphp or a way to include 3rd party support of aes-gcm for simplesamlphp users?
I am not using simplesaml myself but noticed the error when interacting with 3rd party SPs
AES-GCM is the default in Shibboleth 4.0, so missing support breaks compatibility of SimpleSAMLphp with a growing number of IdPs.
@melanger The issue here is not SimpleSAMLphp, but two dependency-levels down in the xmlseclibs library.. So, unless you can open up a can of crypto-savvy PHP developers, this is really out of our control.
@tvdijen There is an open issue in the library as well, https://github.com/robrichards/xmlseclibs/issues/134, but it seems that the support was actually added in 3.1 https://github.com/robrichards/xmlseclibs/releases/tag/3.1.0
Requires PHP 7.1+, but SimpleSAML already requires 7.2+ on master
I might be mistaken here, but I would say this is just a matter of updating the xmlseclibs dependency, since 3.1.0 implements support for AES-GCM.
I see Shibboleth 4.0 IdPs using http://www.w3.org/2009/xmlenc11#aes128-gcm algorithm for encryption. This is a rising concern as 4.0 went GA in March. IdPs are rolling out v4 to production soon.
If you're using SimpleSAMLphp:
composer require robrichards/xmlseclibs:^3.1
If you're using this library directly:
The workaround in SSP 1.18.7 to manually install xmlseclibs 3.1.0 over the existing 3.0.8 didn't work for me; the error "Failed to decrypt XML element" still occurs. How do I check the installed xmlseclibs version?
You can check the installed version in the composer.lock file. Also, what's your PHP version? xmlseclibs will not process aes-128-gcm on PHP <7.1
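One way to run the check suggested above, as an added example (not code from SimpleSAMLphp or xmlseclibs): it reads the installed xmlseclibs version from the `packages` entries of composer.lock, where a caret string such as `^3.0.4` is only a dependency constraint, and also checks the PHP version and the OpenSSL cipher list. The function name `aesGcmPreflight`, the 3.1.1 default (the release named later in this thread) and the sample lock excerpt are assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Added example (hypothetical names). Returns a list of problems; the
// 3.1.1 default is an assumption taken from the release named in this thread.
function aesGcmPreflight(string $lockJson, string $minXmlseclibs = '3.1.1'): array
{
    $problems = [];
    // Per the thread, xmlseclibs only processes GCM on PHP 7.1+.
    if (version_compare(PHP_VERSION, '7.1.0', '<')) {
        $problems[] = 'PHP ' . PHP_VERSION . ' is older than 7.1';
    }
    // The OpenSSL build behind PHP must offer the cipher as well.
    $ciphers = function_exists('openssl_get_cipher_methods') ? openssl_get_cipher_methods() : [];
    if (!in_array('aes-128-gcm', $ciphers, true)) {
        $problems[] = 'OpenSSL extension does not offer aes-128-gcm';
    }
    $lock = json_decode($lockJson, true);
    if (!is_array($lock)) {
        return array_merge($problems, ['composer.lock is not valid JSON']);
    }
    // Installed versions live in packages[].version; a string such as
    // "^3.0.4" inside a "require" map is a constraint, not an install.
    $installed = null;
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        if (($pkg['name'] ?? '') === 'robrichards/xmlseclibs') {
            $installed = ltrim((string) ($pkg['version'] ?? ''), 'v');
        }
    }
    if ($installed === null) {
        $problems[] = 'robrichards/xmlseclibs is not in composer.lock';
    } elseif (version_compare($installed, $minXmlseclibs, '<')) {
        $problems[] = "xmlseclibs $installed is older than $minXmlseclibs";
    }
    return $problems;
}

// Constructed composer.lock excerpt (not taken from the thread).
$sample = '{"packages":[
  {"name":"robrichards/xmlseclibs","version":"3.0.8"},
  {"name":"simplesamlphp/saml2","version":"v4.1.9",
   "require":{"robrichards/xmlseclibs":"^3.0.4"}}]}';

// Pass a real composer.lock path as the first argument to check it.
$lockJson = isset($argv[1]) ? (string) file_get_contents($argv[1]) : $sample;
$problems = aesGcmPreflight($lockJson);
foreach ($problems as $problem) {
    echo "FAIL: $problem\n";
}
echo $problems ? '' : "OK: prerequisites for AES-GCM decryption are met\n";
```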
The PHP version is right:
# php -v
PHP 7.2.33 (cli) (built: Sep 1 2020 05:35:29) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.33, Copyright (c) 1999-2018, by Zend Technologies
but the xmlseclibs is not:
# cat /var/simplesamlphp/composer.lock | grep xmlseclibs
"robrichards/xmlseclibs": "^3.0.4",
Note: with the newer SSP 1.18.8 there is no change :-(
In conclusion the workaround for 1.18.x to install xmlseclibs with composer manually is not working (maybe some steps are missing, i.e. to edit composer.lock?). I will rather wait for 1.19...
1.18.8 has the right one; https://github.com/simplesamlphp/simplesamlphp/blob/simplesamlphp-1.18/composer.lock#L419
So it must be something else...
That one's not relevant.. The one I tagged is the one actually installed & packaged... I'll see if I can run a few tests with aes-gcm encrypted assertions this weekend and see if I can figure this out.. Reopening this so I won't forget
I've retested 1.18.8 today and AES-GCM is still not working :-(
That doesn't surprise me, because nothing has changed in SimpleSAMLphp or the saml2 library.. I just need to find the time to work out a test-setup with AES-GCM encrypted assertions so I can reproduce your issue and see what changes we may need to get this working..
Well, the good news is that I can reproduce the issue, but the bad news is that I have no idea how to solve this...
First, there is this bug in xmlseclibs that needs to be taken care of; https://github.com/robrichards/xmlseclibs/pull/213
Then, I found a bug in saml2 that I fixed: https://github.com/simplesamlphp/saml2/commit/1f0c32fca12a625ba24eb55fe3c08f6565bc6e6a
I then ended up with an algorithm mismatch due to some hardcoded stuff in SSP, which for the test I manually changed to AES-GCM-128: https://github.com/simplesamlphp/simplesamlphp/blob/e4246a2a0286e553f7544e20f0fd246aeea3d5df/modules/saml/lib/Message.php#L336 for the SP and https://github.com/simplesamlphp/simplesamlphp/blob/e4246a2a0286e553f7544e20f0fd246aeea3d5df/modules/saml/lib/IdP/SAML2.php#L1353 for the IDP
After the above I ended up with the following traceback:
Caused by: Exception: Failure decrypting Data (openssl symmetric) - error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length
Backtrace:
11 /apps/installation/simplesamlphp/simplesamlphp-1.19/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:472 (RobRichards\XMLSecLibs\XMLSecurityKey::decryptSymmetric)
10 /apps/installation/simplesamlphp/simplesamlphp-1.19/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:612 (RobRichards\XMLSecLibs\XMLSecurityKey::decryptData)
9 /apps/installation/simplesamlphp/simplesamlphp-1.19/vendor/robrichards/xmlseclibs/src/XMLSecEnc.php:263 (RobRichards\XMLSecLibs\XMLSecEnc::decryptNode)
8 /apps/installation/simplesamlphp/simplesamlphp-1.19/vendor/simplesamlphp/saml2/src/SAML2/Utils.php:463 (SAML2\Utils::doDecryptElement)
7 /apps/installation/simplesamlphp/simplesamlphp-1.19/vendor/simplesamlphp/saml2/src/SAML2/Utils.php:498 (SAML2\Utils::decryptElement)
6 /apps/installation/simplesamlphp/simplesamlphp-1.19/vendor/simplesamlphp/saml2/src/SAML2/EncryptedAssertion.php:122 (SAML2\EncryptedAssertion::getAssertion)
5 /apps/installation/simplesamlphp/simplesamlphp-1.19/modules/saml/lib/Message.php:413 (SimpleSAML\Module\saml\Message::decryptAssertion)
4 /apps/installation/simplesamlphp/simplesamlphp-1.19/modules/saml/lib/Message.php:674 (SimpleSAML\Module\saml\Message::processAssertion)
3 /apps/installation/simplesamlphp/simplesamlphp-1.19/modules/saml/lib/Message.php:642 (SimpleSAML\Module\saml\Message::processResponse)
2 /apps/installation/simplesamlphp/simplesamlphp-1.19/modules/saml/www/sp/saml2-acs.php:145 (require)
1 /apps/installation/simplesamlphp/simplesamlphp-1.19/lib/SimpleSAML/Module.php:266 (SimpleSAML\Module::process)
0 /apps/installation/simplesamlphp/simplesamlphp-1.19/www/module.php:10 (N/A)
OK, I got it working now.. I got off on the wrong foot last night a bit..
You need: robrichards/xmlseclibs#213 and 1f0c32f. And then in SimpleSAMLphp set https://github.com/simplesamlphp/simplesamlphp/blob/e4246a2a0286e553f7544e20f0fd246aeea3d5df/modules/saml/lib/Message.php#L312 to the right algo and you're all set!
I don't think it makes much sense to tag a new saml2-release until xmlseclibs is fixed, so I'm keeping this open and in the meanwhile I can try and work on making the algorithm configurable in SSP. I've also asked Rob for a bugfix release on xmlsec and that's about as much as I can do for you right now
Retesting with 1.19-rc1 but still not working.
SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Backtrace:
1 www/_include.php:17 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Failed to decrypt XML element.
Backtrace:
7 vendor/simplesamlphp/saml2/src/SAML2/Utils.php:537 (SAML2\Utils::decryptElement)
6 vendor/simplesamlphp/saml2/src/SAML2/EncryptedAssertion.php:119 (SAML2\EncryptedAssertion::getAssertion)
5 modules/saml/lib/Message.php:413 (SimpleSAML\Module\saml\Message::decryptAssertion)
4 modules/saml/lib/Message.php:674 (SimpleSAML\Module\saml\Message::processAssertion)
3 modules/saml/lib/Message.php:642 (SimpleSAML\Module\saml\Message::processResponse)
2 modules/saml/www/sp/saml2-acs.php:145 (require)
1 lib/SimpleSAML/Module.php:266 (SimpleSAML\Module::process)
0 www/module.php:10 (N/A)
Maybe because 1.19-rc1 is ten days old and I got it working only 9 days ago? For it to work, you still need the manual changes as I described..
Seems that robrichards/xmlseclibs 3.1.1 includes the needed change: https://github.com/robrichards/xmlseclibs/compare/3.1.0...3.1.1
And when updating with Composer:
composer update --with-dependencies simplesamlphp/simplesamlphp
it updates robrichards/xmlseclibs to 3.1.1
SimpleSAMLphp also seems to have this change https://github.com/simplesamlphp/simplesamlphp/blob/e4246a2a0286e553f7544e20f0fd246aeea3d5df/modules/saml/lib/Message.php#L312 in https://github.com/simplesamlphp/simplesamlphp/blob/v1.18.8/modules/saml/lib/Message.php#L310.
There's one PR for that which will land in 1.19; https://github.com/simplesamlphp/simplesamlphp/pull/1377
I just got word from my university contact handling the Shibboleth 4:
Changing encryption from GCM (default in Shibboleth 4) to CBC made it work with both:
I can confirm that SimpleSAMLphp 1.18.8 with xmlseclibs updated to 3.1.1 and updates to EncryptedAssertion.php and Message.php according to https://github.com/simplesamlphp/saml2/issues/179#issuecomment-687597903 makes it work with a Shibboleth IdP 4.0.1 using AES-GCM encryption.
Looking forward to seeing AES-GCM support in 1.19 out of the box.
Thanks @JanOppolzer ! There's some discussion on the changes to SSP 1.19, but the next RC should ease all of your problems.
simplesamlphp currently does not support AES in GCM mode.
If an IDP uses AES-GCM for encryption of the assertions, e.g.:
this creates an error in the form of the following message on an SP running simplesamlphp:
Depending on change in library xmlseclibs (https://github.com/robrichards/xmlseclibs/issues/134)