From 08833e38ed139ad6894f1a568d967da410785587 Mon Sep 17 00:00:00 2001 From: Scott Cantor Date: Fri, 2 Mar 2012 18:13:03 +0000 Subject: [PATCH] Add option to reject unauthenticated ciphers --- saml/saml2/core/Assertions.h | 12 +++++++++++- saml/saml2/core/impl/Assertions.cpp | 6 ++++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/saml/saml2/core/Assertions.h b/saml/saml2/core/Assertions.h index 7474992..c878449 100644 --- a/saml/saml2/core/Assertions.h +++ b/saml/saml2/core/Assertions.h @@ -133,13 +133,23 @@ namespace opensaml { *

The object returned will be unmarshalled around the decrypted DOM element in a * new Document owned by the object. * + *

The final boolean parameter is used to enforce a requirement for an authenticated cipher + * suite such as AES-GCM or similar. These ciphers include an HMAC or equivalent step that + * prevents tampering. Newer applications should set this parameter to true unless the ciphertext + * has been independently authenticated, and even in such a case, it is rarely possible to prevent + * chosen ciphertext attacks by trusted signers. + * * @param credResolver locked resolver supplying decryption keys * @param recipient identifier naming the recipient (the entity performing the decryption) * @param criteria optional external criteria to use with resolver + * @param requireAuthenticatedCipher true iff the bulk data encryption algorithm must be an authenticated cipher * @return the decrypted and unmarshalled object */ virtual xmltooling::XMLObject* decrypt( - const xmltooling::CredentialResolver& credResolver, const XMLCh* recipient, xmltooling::CredentialCriteria* criteria=nullptr + const xmltooling::CredentialResolver& credResolver, + const XMLCh* recipient, + xmltooling::CredentialCriteria* criteria=nullptr, + bool requireAuthenticatedCipher=false ) const; END_XMLOBJECT; diff --git a/saml/saml2/core/impl/Assertions.cpp b/saml/saml2/core/impl/Assertions.cpp index 4ed2efd..4a163d5 100644 --- a/saml/saml2/core/impl/Assertions.cpp +++ b/saml/saml2/core/impl/Assertions.cpp @@ -241,12 +241,14 @@ void EncryptedElementType::encrypt( } } -XMLObject* EncryptedElementType::decrypt(const CredentialResolver& credResolver, const XMLCh* recipient, CredentialCriteria* criteria) const +XMLObject* EncryptedElementType::decrypt( + const CredentialResolver& credResolver, const XMLCh* recipient, CredentialCriteria* criteria, bool requireAuthenticatedCipher + ) const { if (!getEncryptedData()) throw DecryptionException("No encrypted data present."); opensaml::EncryptedKeyResolver ekr(*this); - Decrypter decrypter(&credResolver, criteria, &ekr); + Decrypter decrypter(&credResolver, criteria, &ekr, requireAuthenticatedCipher); DOMDocumentFragment* frag = decrypter.decryptData(*getEncryptedData(), recipient); if (frag->hasChildNodes() && frag->getFirstChild()==frag->getLastChild()) { DOMNode* plaintext=frag->getFirstChild(); -- 2.1.4