Hi All,
I'm connecting a SSPHP SP website to an ADFS IDP (Windows something - not sure of the version).
My client is running 5.2.something PHP, and ADFS defaults to SHA256 signatures.
If the other contractor setting up the ADFS "relying party" doesn't change the signature algorithm to SHA1, I get an error message "Unable to verify signature", and or openssl_verify argument 4 was a string, expected long.
Now that I know that this is the error message that configuration gives, it won't be much of a problem for me when this happens again, but it would be nice to be able to give future victims a little more to go on.
The php.net page suggests that I need php 5.4.8 to get SHA256 sigs working, but on here I've seen people refer to getting things going with php 5.3.x, can anyone explain this disparity?
The patch that I applied that led to me saying "Aahh!" is below, but I'm sure that this won't be the best place to handle things, and definetly isn't the best message.
Ideally I would have liked a message like:
"Signature algorithm SHA256 is not supported by your version of PHP. You either need to upgrade php to 5.x.y, or ask your IDP to change the signature algorithim to SHA1"
Thoughts?
Thanks for SimpleSamlPHP btw, it's awesome
Peter
diff --git a/lib/xmlseclibs.php b/lib/xmlseclibs.php
index 75de0b6..5ca7483 100644
--- a/lib/xmlseclibs.php
+++ b/lib/xmlseclibs.php
@@ -511,6 +511,9 @@ class XMLSecurityKey {
if (! empty($this->cryptParams['digest'])) {
$algo = $this->cryptParams['digest'];
}
+ if (is_string($algo)) {
+ throw new Exception("algo is a string $algo");
+ }
return openssl_verify ($data, $signature, $this->key, $algo);
}
The trick is to make sure the certificate used by SimpleSAMLphp (for signing and encryption) supports the SHA256 algorithm. Is it the case in your setup ?
On 27 Feb 2013, at 15:17, "Sebastien B." <tch...@gmail.com> wrote:The trick is to make sure the certificate used by SimpleSAMLphp (for signing and encryption) supports the SHA256 algorithm. Is it the case in your setup ?Can you explain what you mean here? Other than a couple of really arcane edge cases[1], I can't think of a way in which a certificate could *not* support the use of SHA-256 in digital signatures. It's certainly not related to the digest algorithm used in the certifying signature.
The idea that particular versions of PHP, on particular OS versions, might not support SHA-256 seems far more likely. Which is to say, if the algorithm isn't available on any given platform it could be either the PHP version or the OS version.
We are using PHP's openssl interface to compute signatures, and openssl supports the SHA2 family,
I mentioned this point because the tool I use to generate test certificates allows me to select the signing algorithm for a particular certificate.
I also had to make some slight modifications to some PHP files to add the support for SHA-256.
Hi Jaime,I think i had made the modifications prior to when it was supported by simpleSAMLphp.I just checked SSP's latest version and in short, I did the same thing :-)