Issues in EncryptedElementTrait.php (master) - Issues in master - simplesamlphp/xml-security - Measure and Improve Code Quality continuously with Scrutinizer

Issues (81)

src/XML/EncryptedElementTrait.php (3 issues)

Labels

Bug 1

Severity

<?php

declare(strict_types=1);

namespace SimpleSAML\XMLSecurity\XML;

use DOMElement;
use SimpleSAML\Assert\Assert;
use SimpleSAML\XML\AbstractElement;
use SimpleSAML\XMLSchema\Exception\{InvalidDOMElementException, TooManyElementsException};
use SimpleSAML\XMLSecurity\Alg\Encryption\{EncryptionAlgorithmFactory, EncryptionAlgorithmInterface};
use SimpleSAML\XMLSecurity\Backend\EncryptionBackend;
use SimpleSAML\XMLSecurity\Constants as C;
use SimpleSAML\XMLSecurity\Exception\{
    InvalidArgumentException,
    NoEncryptedDataException,
    OpenSSLException,
    RuntimeException,
};
use SimpleSAML\XMLSecurity\Key\SymmetricKey;
use SimpleSAML\XMLSecurity\XML\xenc\{EncryptedData, EncryptedKey};

use function strval;

/**
 * Trait aggregating functionality for encrypted elements.
 *
 * @package simplesamlphp/xml-security
 */
trait EncryptedElementTrait
{
    /** @var \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey[] */
    protected array $encryptedKey = [];


    /**
     * Constructor for encrypted elements.
     *
     * @param \SimpleSAML\XMLSecurity\XML\xenc\EncryptedData $encryptedData The EncryptedData object.
     */
    public function __construct(
        protected EncryptedData $encryptedData,
    ) {
        $keyInfo = $this->encryptedData->getKeyInfo();
        if ($keyInfo === null) {
            return;
        }

        foreach ($keyInfo->getInfo() as $info) {
            if ($info instanceof EncryptedKey) {
                $this->encryptedKey = [$info];
                break;
            }
        }
    }


    /**
     * Whether the encrypted object is accompanied by the decryption key or not.
     *
     * @return bool
     */
    public function hasDecryptionKey(): bool
    {
        return !empty($this->encryptedKey);
    }


    /**
     * Get the encrypted key used to encrypt the current element.
     *
     * @return \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey[]
     */
    public function getEncryptedKeys(): array
    {
        return $this->encryptedKey;
    }


    /**
     * Get the EncryptedData object.
     *
     * @return \SimpleSAML\XMLSecurity\XML\xenc\EncryptedData
     */
    public function getEncryptedData(): EncryptedData
    {
        return $this->encryptedData;
    }


    /**
     * Decrypt the data in any given element.
     *
     * Use this method to decrypt an EncryptedData XML element into a string. If the resulting plaintext represents
     * an XML document which has a corresponding implementation extending \SimpleSAML\XML\ElementInterface, you
     * can call this method to build an object from the resulting plaintext:
     *
     *     $data = $this->decryptData($decryptor);
     *     $xml = \SimpleSAML\XML\DOMDocumentFactory::fromString($data);
     *     $object = MyObject::fromXML($xml->documentElement);
     *
     * If the class using this trait implements \SimpleSAML\XMLSecurity\XML\EncryptedElementInterface, then the
     * decrypt() method will only need the proposed code and return the object.
     *
     * @param \SimpleSAML\XMLSecurity\Alg\Encryption\EncryptionAlgorithmInterface $decryptor The decryptor to use to
     * decrypt the object.
     *
     * @return string The decrypted data.
     */
    protected function decryptData(EncryptionAlgorithmInterface $decryptor): string
    {
        $encData = $this->getEncryptedData();
        if (!$encData instanceof EncryptedData) {

            throw new NoEncryptedDataException();
        }

        $algId = $decryptor->getAlgorithmId();
        $encMethod = $this->getEncryptedData()->getEncryptionMethod();
        if ($encMethod !== null) {
            $algId = $encMethod->getAlgorithm();
        }

        if (in_array($decryptor->getAlgorithmId(), C::$KEY_TRANSPORT_ALGORITHMS)) {
            // the decryptor uses a key transport algorithm, check if we have a session key
            if ($this->hasDecryptionKey() === null) {

                throw new RuntimeException('Cannot use a key transport algorithm to decrypt an object.');
            }

            if ($encMethod === null) {
                throw new RuntimeException('Cannot decrypt data with a session key and no EncryptionMethod.');
            }

            $factory = new EncryptionAlgorithmFactory(
                $this->getBlacklistedAlgorithms() ?? EncryptionAlgorithmFactory::DEFAULT_BLACKLIST,
            );

            $decryptionKey = null;
            foreach ($this->getEncryptedKeys() as $encryptedKey) {
                try {
                    $decryptionKey = $encryptedKey->decrypt($decryptor);
                } catch (OpenSSLException $e) {
                    continue;
                }
            }

            if ($decryptionKey === null) {
                throw new RuntimeException('Cannot decrypt the session key with any of the provided decryption keys.');
            }

            $decryptor = $factory->getAlgorithm(
                $encMethod->getAlgorithm()->getValue(),
                new SymmetricKey($decryptionKey),
            );
            $decryptor->setBackend($this->getEncryptionBackend());
        }

        if ($algId->getValue() !== $decryptor->getAlgorithmId()) {
            throw new InvalidArgumentException('Decryption algorithm does not match EncryptionMethod.');
        }

        return $decryptor->decrypt(
            base64_decode(strval($encData->getCipherData()->getCipherValue()->getContent()), true),
        );
    }


    /**
     * @inheritDoc
     *
     * @throws \SimpleSAML\XML\Exception\InvalidDOMElementException
     *   If the qualified name of the supplied element is wrong
     */
    public static function fromXML(DOMElement $xml): static
    {
        Assert::same(
            $xml->localName,
            AbstractElement::getClassName(static::class),
            InvalidDOMElementException::class,
        );
        Assert::same($xml->namespaceURI, static::NS, InvalidDOMElementException::class);


        $ed = EncryptedData::getChildrenOfClass($xml);
        Assert::count(
            $ed,
            1,
            sprintf(
                'No more or less than one EncryptedData element allowed in %s.',
                AbstractElement::getClassName(static::class),
            ),
            TooManyElementsException::class,
        );

        return new static($ed[0]);
    }


    /**
     * @inheritDoc
     */
    public function toXML(?DOMElement $parent = null): DOMElement
    {
        $e = $this->instantiateParentElement($parent);
        $this->encryptedData->toXML($e);
        return $e;
    }


    /**
     * Create a document structure for this element.
     *
     * The AbstractElement class implements this method. If your object inherits from that class, you will already
     * have this method out of the box.
     *
     * @param \DOMElement|null $parent The element we should append to.
     * @return \DOMElement
     */
    abstract public function instantiateParentElement(?DOMElement $parent = null): DOMElement;


    /**
     * Get the encryption backend to use for any encryption operation.
     *
     * @return \SimpleSAML\XMLSecurity\Backend\EncryptionBackend|null The encryption backend to use, or null if we
     * want to use the default.
     */
    abstract public function getEncryptionBackend(): ?EncryptionBackend;


    /**
     * Get the list of algorithms that are blacklisted for any encryption operation.
     *
     * @return string[]|null An array with all algorithm identifiers that are blacklisted, or null to use this
     * libraries default.
     */
    abstract public function getBlacklistedAlgorithms(): ?array;
}


1			<?php
2
3			declare(strict_types=1);
4
5			namespace SimpleSAML\XMLSecurity\XML;
6
7			use DOMElement;
8			use SimpleSAML\Assert\Assert;
9			use SimpleSAML\XML\AbstractElement;
10			use SimpleSAML\XMLSchema\Exception\{InvalidDOMElementException, TooManyElementsException};
11			use SimpleSAML\XMLSecurity\Alg\Encryption\{EncryptionAlgorithmFactory, EncryptionAlgorithmInterface};
12			use SimpleSAML\XMLSecurity\Backend\EncryptionBackend;
13			use SimpleSAML\XMLSecurity\Constants as C;
14			use SimpleSAML\XMLSecurity\Exception\{
15			InvalidArgumentException,
16			NoEncryptedDataException,
17			OpenSSLException,
18			RuntimeException,
19			};
20			use SimpleSAML\XMLSecurity\Key\SymmetricKey;
21			use SimpleSAML\XMLSecurity\XML\xenc\{EncryptedData, EncryptedKey};
22
23			use function strval;
24
25			/**
26			* Trait aggregating functionality for encrypted elements.
27			*
28			* @package simplesamlphp/xml-security
29			*/
30			trait EncryptedElementTrait
31			{
32			/** @var \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey[] */
33			protected array $encryptedKey = [];
34
35
36			/**
37			* Constructor for encrypted elements.
38			*
39			* @param \SimpleSAML\XMLSecurity\XML\xenc\EncryptedData $encryptedData The EncryptedData object.
40			*/
41			public function __construct(
42			protected EncryptedData $encryptedData,
43			) {
44			$keyInfo = $this->encryptedData->getKeyInfo();
45			if ($keyInfo === null) {
46			return;
47			}
48
49			foreach ($keyInfo->getInfo() as $info) {
50			if ($info instanceof EncryptedKey) {
51			$this->encryptedKey = [$info];
52			break;
53			}
54			}
55			}
56
57
58			/**
59			* Whether the encrypted object is accompanied by the decryption key or not.
60			*
61			* @return bool
62			*/
63			public function hasDecryptionKey(): bool
64			{
65			return !empty($this->encryptedKey);
66			}
67
68
69			/**
70			* Get the encrypted key used to encrypt the current element.
71			*
72			* @return \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey[]
73			*/
74			public function getEncryptedKeys(): array
75			{
76			return $this->encryptedKey;
77			}
78
79
80			/**
81			* Get the EncryptedData object.
82			*
83			* @return \SimpleSAML\XMLSecurity\XML\xenc\EncryptedData
84			*/
85			public function getEncryptedData(): EncryptedData
86			{
87			return $this->encryptedData;
88			}
89
90
91			/**
92			* Decrypt the data in any given element.
93			*
94			* Use this method to decrypt an EncryptedData XML element into a string. If the resulting plaintext represents
95			* an XML document which has a corresponding implementation extending \SimpleSAML\XML\ElementInterface, you
96			* can call this method to build an object from the resulting plaintext:
97			*
98			* $data = $this->decryptData($decryptor);
99			* $xml = \SimpleSAML\XML\DOMDocumentFactory::fromString($data);
100			* $object = MyObject::fromXML($xml->documentElement);
101			*
102			* If the class using this trait implements \SimpleSAML\XMLSecurity\XML\EncryptedElementInterface, then the
103			* decrypt() method will only need the proposed code and return the object.
104			*
105			* @param \SimpleSAML\XMLSecurity\Alg\Encryption\EncryptionAlgorithmInterface $decryptor The decryptor to use to
106			* decrypt the object.
107			*
108			* @return string The decrypted data.
109			*/
110			protected function decryptData(EncryptionAlgorithmInterface $decryptor): string
111			{
112			$encData = $this->getEncryptedData();
113			if (!$encData instanceof EncryptedData) {
			0 ignored issues – show introduced 2022-01-01 21:52 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$encData` is always a sub-type of `SimpleSAML\XMLSecurity\XML\xenc\EncryptedData`. Loading history...
114			throw new NoEncryptedDataException();
115			}
116
117			$algId = $decryptor->getAlgorithmId();
118			$encMethod = $this->getEncryptedData()->getEncryptionMethod();
119			if ($encMethod !== null) {
120			$algId = $encMethod->getAlgorithm();
121			}
122
123			if (in_array($decryptor->getAlgorithmId(), C::$KEY_TRANSPORT_ALGORITHMS)) {
124			// the decryptor uses a key transport algorithm, check if we have a session key
125			if ($this->hasDecryptionKey() === null) {
			0 ignored issues – show introduced 2022-01-01 21:52 UTC by Report Bug Copy Issue Report Show Similar Issues like this The condition `$this->hasDecryptionKey() === null` is always `false`. Loading history...
126			throw new RuntimeException('Cannot use a key transport algorithm to decrypt an object.');
127			}
128
129			if ($encMethod === null) {
130			throw new RuntimeException('Cannot decrypt data with a session key and no EncryptionMethod.');
131			}
132
133			$factory = new EncryptionAlgorithmFactory(
134			$this->getBlacklistedAlgorithms() ?? EncryptionAlgorithmFactory::DEFAULT_BLACKLIST,
135			);
136
137			$decryptionKey = null;
138			foreach ($this->getEncryptedKeys() as $encryptedKey) {
139			try {
140			$decryptionKey = $encryptedKey->decrypt($decryptor);
141			} catch (OpenSSLException $e) {
142			continue;
143			}
144			}
145
146			if ($decryptionKey === null) {
147			throw new RuntimeException('Cannot decrypt the session key with any of the provided decryption keys.');
148			}
149
150			$decryptor = $factory->getAlgorithm(
151			$encMethod->getAlgorithm()->getValue(),
152			new SymmetricKey($decryptionKey),
153			);
154			$decryptor->setBackend($this->getEncryptionBackend());
155			}
156
157			if ($algId->getValue() !== $decryptor->getAlgorithmId()) {
158			throw new InvalidArgumentException('Decryption algorithm does not match EncryptionMethod.');
159			}
160
161			return $decryptor->decrypt(
162			base64_decode(strval($encData->getCipherData()->getCipherValue()->getContent()), true),
163			);
164			}
165
166
167			/**
168			* @inheritDoc
169			*
170			* @throws \SimpleSAML\XML\Exception\InvalidDOMElementException
171			* If the qualified name of the supplied element is wrong
172			*/
173			public static function fromXML(DOMElement $xml): static
174			{
175			Assert::same(
176			$xml->localName,
177			AbstractElement::getClassName(static::class),
178			InvalidDOMElementException::class,
179			);
180			Assert::same($xml->namespaceURI, static::NS, InvalidDOMElementException::class);
			0 ignored issues – show Bug introduced 2021-01-11 13:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this The constant `SimpleSAML\XMLSecurity\X...cryptedElementTrait::NS` was not found. Maybe you did not declare it correctly or list all dependencies? Loading history...
181
182			$ed = EncryptedData::getChildrenOfClass($xml);
183			Assert::count(
184			$ed,
185			1,
186			sprintf(
187			'No more or less than one EncryptedData element allowed in %s.',
188			AbstractElement::getClassName(static::class),
189			),
190			TooManyElementsException::class,
191			);
192
193			return new static($ed[0]);
194			}
195
196
197			/**
198			* @inheritDoc
199			*/
200			public function toXML(?DOMElement $parent = null): DOMElement
201			{
202			$e = $this->instantiateParentElement($parent);
203			$this->encryptedData->toXML($e);
204			return $e;
205			}
206
207
208			/**
209			* Create a document structure for this element.
210			*
211			* The AbstractElement class implements this method. If your object inherits from that class, you will already
212			* have this method out of the box.
213			*
214			* @param \DOMElement\|null $parent The element we should append to.
215			* @return \DOMElement
216			*/
217			abstract public function instantiateParentElement(?DOMElement $parent = null): DOMElement;
218
219
220			/**
221			* Get the encryption backend to use for any encryption operation.
222			*
223			* @return \SimpleSAML\XMLSecurity\Backend\EncryptionBackend\|null The encryption backend to use, or null if we
224			* want to use the default.
225			*/
226			abstract public function getEncryptionBackend(): ?EncryptionBackend;
227
228
229			/**
230			* Get the list of algorithms that are blacklisted for any encryption operation.
231			*
232			* @return string[]\|null An array with all algorithm identifiers that are blacklisted, or null to use this
233			* libraries default.
234			*/
235			abstract public function getBlacklistedAlgorithms(): ?array;
236			}
237

simplesamlphp / xml-security

Issues (81)

src/XML/EncryptedElementTrait.php (3 issues)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like