fix: Security improvements in script calls

BaranekD · vyskocilpavel · commit a6ce6043959b · 2021-07-28T12:35:46.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@ All notable changes to this project will be documented in this file.
 #### Changed
 - Improve WAYF searching by localized name and domain
 - Implemented filter EnsureVoMember
+- Security improvements in script calls
 
 #### Fixed
 - Detailed endpoint format when spaced in EndpointMapToArray 
diff --git a/lib/Auth/Process/UpdateUserExtSource.php b/lib/Auth/Process/UpdateUserExtSource.php
@@ -11,6 +11,7 @@
 use SimpleSAML\Error\Exception;
 use SimpleSAML\Logger;
 use SimpleSAML\Module;
+use SimpleSAML\Module\perun\ChallengeManager;
 use SimpleSAML\Module\perun\UpdateUESThread;
 
 /**
@@ -26,6 +27,7 @@ class UpdateUserExtSource extends ProcessingFilter
     private $attrMap;
     private $attrsToConversion;
     private $pathToKey;
+    private $signatureAlg;
 
     const SCRIPT_NAME = 'updateUes';
 
@@ -53,6 +55,12 @@ public function __construct($config, $reserved)
             $this->attrsToConversion = [];
         }
 
+        if (isset($config['signatureAlg'])) {
+            $this->signatureAlg = (array)$config['signatureAlg'];
+        } else {
+            $this->signatureAlg = 'RS512';
+        }
+
         $this->attrMap = (array)$config['attrMap'];
         $this->pathToKey = $config['pathToKey'];
     }
@@ -81,7 +89,11 @@ public function process(&$request)
         }
 
         $jwk = JWKFactory::createFromKeyFile($this->pathToKey);
-        $algorithmManager = new AlgorithmManager([new RS512()]);
+        $algorithmManager = new AlgorithmManager(
+            [
+                ChallengeManager::getAlgorithm('Signature\\Algorithm', $this->signatureAlg)
+            ]
+        );
         $jwsBuilder = new JWSBuilder($algorithmManager);
 
         $data = [
@@ -103,7 +115,7 @@ public function process(&$request)
         $jws = $jwsBuilder
             ->create()
             ->withPayload($payload)
-            ->addSignature($jwk, ['alg' => 'RS512'])
+            ->addSignature($jwk, ['alg' => $this->signatureAlg])
             ->build();
 
         $serializer = new CompactSerializer();
diff --git a/lib/ChallengeManager.php b/lib/ChallengeManager.php
@@ -76,4 +76,13 @@ public function deleteChallengeFromDb($id): bool
 
         return true;
     }
+
+    public static function getAlgorithm($path, $className)
+    {
+        $classPath = sprintf('Jose\\Component\\%s\\%s', $path, $className);
+        if (! class_exists($classPath)) {
+            throw new \Exception('Invalid algorithm specified: ' . $classPath);
+        }
+        return new $classPath();
+    }
 }
diff --git a/www/getChallenge.php b/www/getChallenge.php
@@ -1,5 +1,6 @@
 <?php
 
+use SimpleSAML\Configuration;
 use SimpleSAML\Logger;
 use SimpleSAML\Module\perun\ChallengeManager;
 
@@ -12,7 +13,7 @@
     exit;
 }
 
-if (empty($body['id'] || strlen($body['id']) > 30 || !ctype_print($body['id']))) {
+if (empty($body['id']) || strlen($body['id']) > 30 || !ctype_print($body['id'])) {
     Logger::error('Perun.getChallenge: Invalid id');
     http_response_code(400);
     exit;
@@ -24,14 +25,19 @@
     exit;
 }
 
+const CONFIG_FILE_NAME = 'challenges_config.php';
+const HASH_ALG = 'hashAlg';
+const CHALLENGE_LENGTH = 'challengeLength';
+
 $id = $body['id'];
 $scriptName = $body['scriptName'];
 
-const RANDOM_BYTES_LENGTH = 32;
-const TABLE_NAME = 'scriptChallenges';
+$config = Configuration::getConfig(CONFIG_FILE_NAME);
+$hashAlg = $config->getString(HASH_ALG, 'sha512');
+$challengeLength = $config->getInteger(CHALLENGE_LENGTH, 32);
 
 try {
-    $challenge = hash('sha256', random_bytes(RANDOM_BYTES_LENGTH));
+    $challenge = hash($hashAlg, random_bytes($challengeLength));
 } catch (Exception $ex) {
     Logger::error('Perun.getChallenge: Error while generating a challenge');
     http_response_code(500);
diff --git a/www/updateUes.php b/www/updateUes.php
@@ -38,20 +38,29 @@
 $id = null;
 
 const UES_ATTR_NMS = 'urn:perun:ues:attribute-def:def';
-const CONFIG_FILE_NAME = 'keys.php';
+const CONFIG_FILE_NAME = 'challenges_config.php';
 
 try {
     $config = Configuration::getConfig(CONFIG_FILE_NAME);
     $keyPub = $config->getString('updateUes');
+    $signatureAlg = $config->getString('signatureAlg', 'RS512');
 
-    $algorithmManager = new AlgorithmManager([new RS512()]);
+    $algorithmManager = new AlgorithmManager(
+        [
+            ChallengeManager::getAlgorithm('Signature\\Algorithm', $signatureAlg)
+        ]
+    );
     $jwsVerifier = new JWSVerifier($algorithmManager);
     $jwk = JWKFactory::createFromKeyFile($keyPub);
 
     $serializerManager = new JWSSerializerManager([new CompactSerializer()]);
     $jws = $serializerManager->unserialize($token);
 
-    $headerCheckerManager = new HeaderCheckerManager([new AlgorithmChecker(['RS512'])], [new JWSTokenSupport()]);
+    $headerCheckerManager = new HeaderCheckerManager(
+        [new AlgorithmChecker([$signatureAlg])],
+        [new JWSTokenSupport()]
+    );
+
     $headerCheckerManager->check($jws, 0);
 
     $isVerified = $jwsVerifier->verifyWithKey($jws, $jwk, 0);

Original file line number	Diff line number	Diff line change
`@@ -76,4 +76,13 @@ public function deleteChallengeFromDb($id): bool`
`76`	`76`
`77`	`77`	`return true;`
`78`	`78`	`}`
	`79`	`+`
	`80`	`+ public static function getAlgorithm($path, $className)`
	`81`	`+ {`
	`82`	`+ $classPath = sprintf('Jose\\Component\\%s\\%s', $path, $className);`
	`83`	`+ if (! class_exists($classPath)) {`
	`84`	`+ throw new \Exception('Invalid algorithm specified: ' . $classPath);`
	`85`	`+ }`
	`86`	`+ return new $classPath();`
	`87`	`+ }`
`79`	`88`	`}`