
in Assertions, AttributeValues containing EncryptedID are not decrypted/processed #1811

Open
maartendictu opened this issue May 25, 2023 · 3 comments

@maartendictu

maartendictu commented May 25, 2023

I have a setup where my SP receives assertions from an IdP with an AttributeValue that contains an EncryptedID.
This attribute (urn:nl-eid-gdi:1.0:ActingSubjectID) shows up empty in the SAML 2.0 SP Demo Example page.

This is the relevant part of the Assertion with the Attribute

```xml
[...]
<saml:AttributeStatement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute Name="urn:nl-eid-gdi:1.0:ActingSubjectID">
    <saml:AttributeValue>
      <saml2:EncryptedID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_e65a959c943c5dc2c5bf10c2ad46ddca-1" Type="http://www.w3.org/2001/04/xmlenc#Element">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_76d04791b343af830ac4d4a3b01abb1f-1"/>
          </ds:KeyInfo>
          <xenc:CipherData>
            <xenc:CipherValue>XXXXXXX...</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedData>
        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_76d04791b343af830ac4d4a3b01abb1f-1" Recipient="urn:nl-eid-gdi:1.0:DV:00000004113624762000:entities:9000">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
            <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          </xenc:EncryptionMethod>
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:KeyName>XXXX...</ds:KeyName>
          </ds:KeyInfo>
          <xenc:CipherData>
            <xenc:CipherValue>XXXXXXX...</xenc:CipherValue>
          </xenc:CipherData>
          <xenc:ReferenceList>
            <xenc:DataReference URI="#_e65a959c943c5dc2c5bf10c2ad46ddca-1"/>
          </xenc:ReferenceList>
        </xenc:EncryptedKey>
      </saml2:EncryptedID>
    </saml:AttributeValue>
  </saml:Attribute>
[...]
```

I inspected the code to see if I could fix this. I tried to add some code to decrypt the attribute and add the value to the PHP object Assertion->attributes. Decryption works and I see the correct decrypted attribute value show up in the debugger, but the Demo page then gives an error:
```
SimpleSAML_exception_handler( $exception = class TypeError { protected $message = 'htmlspecialchars(): Argument #1 ($string) must be of type string, DOMNodeList given'; private ${Error}string = ''; protected $code = 0; protected $file = '/var/www/html/vendor/simplesamlphp/simplesamlphp/templates/includes/attributes.php'; protected $line = 30;
```

So my code is not quite right.

I will put my code in a MR for you to review but I'm not sure I'm on the right track. Do you maintainers have any thoughts on how to approach this?

Expected behavior
I would expect attributes that contain EncryptedID values to be processed correctly and their values to show up in the SP demo page.

Screenshots or logs
Attached is a SOAP ArtifactResponse that contains an AttributeValue with an EncryptedID.
assertion.xml.txt

@tvdijen
Member

tvdijen commented May 26, 2023

Hello co-worker ;)

This is hard for me to troubleshoot because I don't have an IdP with the capabilities to send an EncryptedID available.
It appears you are coding against a 1.1x version of SimpleSAMLphp, so my first question would be if this is still reproducible in v2. A lot has changed between those versions and the troublesome includes/attributes.php file no longer exists.

@maartendictu
Author

We’re using SimpleSAMLphp from Drupal, which is not compatible with SimpleSAMLphp 2.x yet. I will investigate further and get back on this.

@tvdijen
Member

tvdijen commented May 26, 2023

Ah yes, I tried to contribute to Drupal and get their plugin compatible with SSP 2.0, but for some reason they blocked my account and didn't bother to respond to my emails 🤷🏻‍♂️

I suspect our code is not aware of anything other than a saml:NameID element as an attribute value, so hopefully all we have to do is decrypt the EncryptedID before displaying it.
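As an added example (not code from the issue, from SimpleSAMLphp or from the saml2 library), the Python check below walks an AttributeStatement shaped like the one in the report and says, per AttributeValue, whether it holds plain text, a saml:NameID or a saml:EncryptedID, which is exactly the distinction the Demo page is missing when it renders the value empty. For an EncryptedID it resolves the KeyInfo/RetrievalMethod reference to the EncryptedKey inside the same element and checks that the key's ReferenceList points back at the EncryptedData, so a decryptor knows which key and algorithms it needs before touching any key material. The sample Ids, the Recipient and the CipherValues are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample modelled on the issue's AttributeStatement; Ids, Recipient and CipherValues are placeholders.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Attribute Name="urn:nl-eid-gdi:1.0:ActingSubjectID"><saml:AttributeValue><saml:EncryptedID>
  <xenc:EncryptedData Id="_data-1"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
   <ds:KeyInfo><ds:RetrievalMethod URI="#_key-1"/></ds:KeyInfo>
   <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
  <xenc:EncryptedKey Id="_key-1" Recipient="urn:example:sp-placeholder">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
   <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
   <xenc:ReferenceList><xenc:DataReference URI="#_data-1"/></xenc:ReferenceList></xenc:EncryptedKey>
 </saml:EncryptedID></saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="mail"><saml:AttributeValue>user@example.org</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def describe_encrypted_id(enc):
    # Resolve the RetrievalMethod URI to the EncryptedKey carried inside the same EncryptedID.
    data = enc.find("xenc:EncryptedData", NS)
    ref = data.find("ds:KeyInfo/ds:RetrievalMethod", NS)
    key_id = ref.get("URI").lstrip("#") if ref is not None else None
    key = next((k for k in enc.findall("xenc:EncryptedKey", NS) if k.get("Id") == key_id), None)
    if key is None:
        raise ValueError(f"EncryptedKey {key_id!r} referenced from KeyInfo is missing")
    # The key's ReferenceList must point back at this EncryptedData; refuse mismatched pairs.
    back = {r.get("URI").lstrip("#") for r in key.findall("xenc:ReferenceList/xenc:DataReference", NS)}
    if data.get("Id") not in back:
        raise ValueError("EncryptedKey/ReferenceList does not point back at this EncryptedData")
    return {"kind": "EncryptedID", "recipient": key.get("Recipient"),
            "data_alg": data.find("xenc:EncryptionMethod", NS).get("Algorithm"),
            "key_alg": key.find("xenc:EncryptionMethod", NS).get("Algorithm")}


def classify_attribute_values(xml_text):
    """Map each Attribute Name to its values, reporting an EncryptedID instead of an empty string."""
    out = {}
    for attr in ET.fromstring(xml_text).iter(f"{{{NS['saml']}}}Attribute"):
        vals = []
        for value in attr.findall("saml:AttributeValue", NS):
            enc, nid = value.find("saml:EncryptedID", NS), value.find("saml:NameID", NS)
            if enc is not None:
                vals.append(describe_encrypted_id(enc))
            elif nid is not None:
                vals.append({"kind": "NameID", "format": nid.get("Format"), "value": nid.text})
            else:
                vals.append({"kind": "text", "value": (value.text or "").strip()})
        out[attr.get("Name")] = vals
    return out
```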
