SigningMethod sha256-rsa-mgf1
Ahrens, Helge
Dear all,
I didn’t find any information about this:
Does simplasaml (I’m currently using v2.0.15) support SigningMethod sha256-rsa-mgf1 (RSASSA-PSS) and if so, where can I change the default? The national (German) IdP is switching from rsa-sha256 and when testing the new setting in our Dev-Environment I encountered this error:
***
simplesamlphp DEBUG […] Received SAML2 Response from 'https://int.id.bund.de/idp'.
simplesamlphp DEBUG […] Has 1 candidate keys for validation.
simplesamlphp DEBUG […] Validation with key #0 failed with exception: Unsupported signing algorithm.
SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Backtrace:
2 public/_include.php:31 (SimpleSAML_exception_handler)
1 …/vendor/symfony/error-handler/ErrorHandler.php:619 (Symfony\Component\ErrorHandler\ErrorHandler::handleException)
0 [builtin] (N/A)
Caused by: Exception: Unsupported signing algorithm.
Backtrace:
11 …/vendor/simplesamlphp/saml2/src/SAML2/Utils.php:140 (SAML2\Utils::castKey)
10 …/vendor/simplesamlphp/saml2/src/SAML2/Utils.php:191 (SAML2\Utils::validateSignature)
9 [builtin] (call_user_func)
8 …/vendor/simplesamlphp/saml2/src/SAML2/Message.php:263 (SAML2\Message::validate)
7 modules/saml/src/Message.php:168 (SimpleSAML\Module\saml\Message::checkSign)
6 modules/saml/src/Message.php:602 (SimpleSAML\Module\saml\Message::processResponse)
5 modules/saml/src/Controller/ServiceProvider.php:317 (SimpleSAML\Module\saml\Controller\ServiceProvider::assertionConsumerService)
4 …/vendor/symfony/http-kernel/HttpKernel.php:163 (Symfony\Component\HttpKernel\HttpKernel::handleRaw)
3 …/vendor/symfony/http-kernel/HttpKernel.php:75 (Symfony\Component\HttpKernel\HttpKernel::handle)
2 …/vendor/symfony/http-kernel/Kernel.php:202 (Symfony\Component\HttpKernel\Kernel::handle)
1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process)
0 public/module.php:17 (N/A)
***
Best wishes and thank you for any hint to a solution!
Helge
Tim van Dijen
Ahrens, Helge
Dear Tim,
thank you for your fast reply. So I’ll be forced to change from php-based SAML to another solution? That is unfortunate.
Best wishes
Helge
--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:
https://simplesamlphp.org/support
Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.
Make sure to read the documentation:
https://simplesamlphp.org/docs/stable/
If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:
http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/simplesamlphp/a495c7ab-ff42-4b34-bd2d-3bc247bf1a1bn%40googlegroups.com.
Tim van Dijen
The unfortunate part is that the crypto-library underneath SimpleSAMLphp is tightly coupled to the openssl extension and therefore cannot support it.
We will at some point migrate to a better crypto-library, but with current resources for the project this is going to take a _really_ long time :(
Ahrens, Helge
Dear Tim,
thank you for the insight! Do you have an overview of the parts that would need change? Because either I’ll try and changing it in my simplesaml installation and maybe that can help your effort for migration as well or I’ll have to migrate to another backend (not sure how much work that might be).
To view this discussion visit https://groups.google.com/d/msgid/simplesamlphp/313a3715-fe0f-4854-83c4-656ab9581a1bn%40googlegroups.com.
Tim van Dijen
That one by itself is finished, but not yet in use by SimpleSAMLphp because the API was changed completely.
It has support for multiple back-ends, with one back-end implemented (openssl), but it could also have a backend for phpseclib.
So two steps that need to be done:
- Add backend for phpseclib into the xml-security library
It will be quite a lot of work, I think, but we would really appreciate your help!
- Tim
Ahrens, Helge
Dear Tim,
I’ll take a look at the code, however I have a tight schedule (the change must be completed by the end of June). Depending on how we estimate the effort in the team, we may have to change the backend.
.
To view this discussion visit https://groups.google.com/d/msgid/simplesamlphp/4ffd7369-17b7-42f2-9a8f-1bb3bc955934n%40googlegroups.com.
Ahrens, Helge
Dear Tim,
are there already issues/tasks in the simplesamlphp and xml-security repositories where we could start working on?
I’m a little lost where I should start, except that I would start by trying to integrate phpseclib directly in a local simplesamlphp instance to see if I can get it working. From there I could try integrating it in xml-security. Or should I first try to integrate xml-security in simplesamlphp?
Best wishes
Helge
To view this discussion visit https://groups.google.com/d/msgid/simplesamlphp/e4edf2a3d55d49d2bd7e8616a470c437%40ulb.hhu.de.
Peter Schober
v7.2, so no new dendency added.
The main reason I could think of why this wouldn't work is (in
the words of some older paragonie.com article[1]):
"Stringent requirements to maintain interoperability with weak
cryptography."
Best,
-peter
[1] https://paragonie.com/blog/2015/09/how-to-safely-implement-cryptography-in-any-application
Tim van Dijen
Peter Schober
> still have to install ext-sodium manually on my distro.
> As of PHP 7.2.0 this extension is bundled with PHP.
Best,
-peter
[1] https://www.php.net/manual/en/sodium.installation.php
