From 5c1e247f480ba10bcc410f86643e50dba5daaeb2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julius=20Tu=CC=88rich?= Date: Wed, 11 Sep 2024 01:15:21 +0200 Subject: [PATCH 1/6] Add check if assertion contains decrypted name id and decrypt it Remove validation error when document contains a decrypted name id --- src/Saml2/Response.php | 41 ++++++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/src/Saml2/Response.php b/src/Saml2/Response.php index b987ca44..ef2eca4a 100644 --- a/src/Saml2/Response.php +++ b/src/Saml2/Response.php @@ -61,6 +61,13 @@ class Response */ public $encrypted = false; + /** + * The response contains an encrypted nameId in the assertion. + * + * @var bool + */ + public $encryptedNameId = false; + /** * After validation, if it fail this var has the cause of the problem * @@ -227,14 +234,11 @@ public function isValid($requestId = null) ); } - if ($security['wantNameIdEncrypted']) { - $encryptedIdNodes = $this->_queryAssertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData'); - if ($encryptedIdNodes->length != 1) { - throw new ValidationError( - "The NameID of the Response is not encrypted and the SP requires it", - ValidationError::NO_ENCRYPTED_NAMEID - ); - } + if (!$this->encryptedNameId && $security['wantNameIdEncrypted']) { + throw new ValidationError( + "The NameID of the Response is not encrypted and the SP requires it", + ValidationError::NO_ENCRYPTED_NAMEID + ); } // Validate Conditions element exists 
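Review bot: The wantNameIdEncrypted check in isValid now trusts `$this->encryptedNameId`, a flag set as a side effect of decryption elsewhere, instead of inspecting the assertion being validated, and the property introduced in the hunk at line 61 is declared `public`, so the SP's encryption requirement can be satisfied by state a caller or an unrelated code path set rather than by the document itself. The removed code also required exactly one `xenc:EncryptedData` under `saml:Subject/saml:EncryptedID`; a boolean flag cannot express that cardinality. I would declare the property `protected $encryptedNameId = false;` with a read accessor, and keep a fresh `$this->_queryAssertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData')` result as the authoritative input to this check, OR-ing the flag in only for the already-decrypted case. isValid starts and ends outside this hunk.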
@@ -394,17 +398,6 @@ public function isValid($requestId = null) } } - // Detect case not supported - if ($this->encrypted) { - $encryptedIDNodes = Utils::query($this->decryptedDocument, '/samlp:Response/saml:Assertion/saml:Subject/saml:EncryptedID'); - if ($encryptedIDNodes->length > 0) { - throw new ValidationError( - 'SAML Response that contains an encrypted Assertion with encrypted nameId is not supported.', - ValidationError::NOT_SUPPORTED - ); - } - } - if (empty($signedElements) || (!$hasSignedResponse && !$hasSignedAssertion)) { throw new ValidationError( 'No Signature found. SAML Response rejected', @@ -1168,6 +1161,16 @@ protected function decryptAssertion(\DomNode $dom) if ($check === false) { throw new Exception('Error: string from decrypted assertion could not be loaded into a XML document'); } + + // check if the decrypted assertion contains an encryptedID + $encryptedID = $decrypted->getElementsByTagName('EncryptedID')->item(0); + + if($encryptedID) { + // decrypt the encryptedID + $this->encryptedNameId = true; + $this->decryptAssertion($encryptedID); + } + if ($encData->parentNode instanceof DOMDocument) { return $decrypted; } else { From e61e9917330433900a3b5948ccd34cc421e1ff1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julius=20Tu=CC=88rich?= Date: Wed, 11 Sep 2024 01:16:18 +0200 Subject: [PATCH 2/6] Add testing saml response with encrypted assertion and encrypted name id --- .../response_encrypted_nameid_encrypted_assertion.xml.base64 | 1 + 1 file changed, 1 insertion(+) create mode 100644 tests/data/responses/response_encrypted_nameid_encrypted_assertion.xml.base64 diff --git a/tests/data/responses/response_encrypted_nameid_encrypted_assertion.xml.base64 b/tests/data/responses/response_encrypted_nameid_encrypted_assertion.xml.base64 new file mode 100644 index 00000000..dee2b425 --- /dev/null +++ b/tests/data/responses/response_encrypted_nameid_encrypted_assertion.xml.base64 @@ -0,0 +1 @@ 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 
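Review bot: `$decrypted->getElementsByTagName('EncryptedID')->item(0)` in decryptAssertion selects the first element named EncryptedID anywhere in the decrypted document with no namespace qualification, whereas the guard this series removes (hunk at line 394) and the isValid query both address `saml:Subject/saml:EncryptedID`; an EncryptedID in another namespace or outside the Subject would be decrypted and flagged as the NameID. Prefer a namespaced, positioned lookup such as `$encryptedID = Utils::query($decrypted, '//saml:Subject/saml:EncryptedID')->item(0);` (path sketched; anchor it to the decrypted assertion's root). The recursive `$this->decryptAssertion($encryptedID)` discards its return value, so whether the plaintext NameID actually replaces the EncryptedID in `$decrypted` depends on the else branch that continues past this hunk, and it recurses again whenever freshly decrypted content contains yet another EncryptedID, with no depth limit. Because the rejection of this combination is gone, the block should fail closed: limit the nested decryption to one level and, after the call, verify that `$decrypted` no longer contains an EncryptedID before returning it.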
From 844820539073685442af05cea0beed8ea6cf237c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julius=20Tu=CC=88rich?= Date: Wed, 11 Sep 2024 10:19:28 +0200 Subject: [PATCH 3/6] add missing namespace in assertion --- .../response_encrypted_nameid_encrypted_assertion.xml.base64 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data/responses/response_encrypted_nameid_encrypted_assertion.xml.base64 b/tests/data/responses/response_encrypted_nameid_encrypted_assertion.xml.base64 index dee2b425..135c5c49 100644 --- a/tests/data/responses/response_encrypted_nameid_encrypted_assertion.xml.base64 +++ b/tests/data/responses/response_encrypted_nameid_encrypted_assertion.xml.base64 @@ -1 +1 @@ -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 From 748293e2879865592d274e4741190d61d7622b5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julius=20Tu=CC=88rich?= Date: Wed, 11 Sep 2024 10:20:29 +0200 Subject: [PATCH 4/6] Add test case for encrypted name id in encrypted assertion --- tests/src/OneLogin/Saml2/ResponseTest.php | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/src/OneLogin/Saml2/ResponseTest.php b/tests/src/OneLogin/Saml2/ResponseTest.php index 258313a6..e8b4f065 100644 --- a/tests/src/OneLogin/Saml2/ResponseTest.php +++ b/tests/src/OneLogin/Saml2/ResponseTest.php @@ -1823,4 +1823,12 @@ public function testIsValidSignUsingX509certMulti() $response = new Response($settings, $xml); $this->assertTrue($response->isValid()); } + + public function testCanGetEncryptedNameIdInEncryptedAssertion() + { + $xml = file_get_contents(TEST_ROOT . '/data/responses/response_encrypted_nameid_encrypted_assertion.xml.base64'); + $response = new Response($this->_settings, $xml); + $this->assertTrue($response->isValid()); + $this->assertSame('user@example.com', $response->getNameId()); + } } From 5e84cc5e24b63f20333ba1912d1ad779a35713bc Mon Sep 17 00:00:00 2001 
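Review bot: testCanGetEncryptedNameIdInEncryptedAssertion covers only the default settings, so the path the new `encryptedNameId` flag exists for — satisfying `wantNameIdEncrypted` — is never exercised, and there is no regression test for the case the removed NOT_SUPPORTED check used to reject. Add a variant that sets `$settingsInfo['security']['wantNameIdEncrypted'] = true;` before building the Settings object and asserts `isValid()` still passes for this fixture, plus a negative case in which an encrypted assertion carrying a plain NameID is rejected with `ValidationError::NO_ENCRYPTED_NAMEID` under that setting. Asserting the NameID value alone does not show that the encryption requirement was enforced rather than skipped.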
From: =?UTF-8?q?Julius=20Tu=CC=88rich?= Date: Wed, 11 Sep 2024 10:30:02 +0200 Subject: [PATCH 5/6] Add missing check for encrypted name id in non encrypted assertions --- src/Saml2/Response.php | 1 + 1 file changed, 1 insertion(+) diff --git a/src/Saml2/Response.php b/src/Saml2/Response.php index ef2eca4a..d716ca5d 100644 --- a/src/Saml2/Response.php +++ b/src/Saml2/Response.php @@ -234,6 +234,7 @@ public function isValid($requestId = null) ); } + $this->encryptedNameId = $this->encryptedNameId || $this->_queryAssertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData')->length > 0; if (!$this->encryptedNameId && $security['wantNameIdEncrypted']) { throw new ValidationError( "The NameID of the Response is not encrypted and the SP requires it", From 2b361231a046425a7456fd195373d46c56afaf91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julius=20Tu=CC=88rich?= Date: Fri, 13 Sep 2024 14:03:44 +0200 Subject: [PATCH 6/6] Fix lint error --- src/Saml2/Response.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Saml2/Response.php b/src/Saml2/Response.php index d716ca5d..8c45b30e 100644 --- a/src/Saml2/Response.php +++ b/src/Saml2/Response.php @@ -1166,7 +1166,7 @@ protected function decryptAssertion(\DomNode $dom) // check if the decrypted assertion contains an encryptedID $encryptedID = $decrypted->getElementsByTagName('EncryptedID')->item(0); - if($encryptedID) { + if ($encryptedID) { // decrypt the encryptedID $this->encryptedNameId = true; $this->decryptAssertion($encryptedID);
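Review bot: The added assignment in isValid replaces the former `->length != 1` test with `->length > 0`, so an assertion whose Subject carries several `saml:EncryptedID/xenc:EncryptedData` elements now passes a check it used to fail; that cardinality constraint was part of the original validation and should be kept unless dropping it is intended. The line is also well over the usual width and mixes the query with the flag update; split it as `$encryptedIdNodes = $this->_queryAssertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData');` followed by `$this->encryptedNameId = $this->encryptedNameId || $encryptedIdNodes->length == 1;`. isValid continues outside this hunk; the hunk at line 1166 is a whitespace-only lint fix.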