Replace PrivateKey class with the one from xml-security

Author: tvdijen

src/Certificate/PrivateKey.php

@@ -4,31 +4,26 @@
 
 namespace SimpleSAML\SAML2\Certificate;
 
-use SimpleSAML\SAML2\Certificate\PrivateKey;
 use SimpleSAML\SAML2\Configuration\DecryptionProvider;
 use SimpleSAML\SAML2\Configuration\PrivateKey as PrivateKeyConfiguration;
-use SimpleSAML\SAML2\Constants as C;
 use SimpleSAML\SAML2\Utilities\ArrayCollection;
-use SimpleSAML\SAML2\Utilities\File;
-use SimpleSAML\XMLSecurity\XMLSecurityKey;
+use SimpleSAML\XMLSecurity\Key\PrivateKey;
+use SimpleSAML\XMLSecurity\Key\SymmetricKey;
 
 class PrivateKeyLoader
 {
     /**
      * Loads a private key based on the configuration given.
      *
      * @param \SimpleSAML\SAML2\Configuration\PrivateKey $key
-     * @return \SimpleSAML\SAML2\Certificate\PrivateKey
+     * @return \SimpleSAML\XMLSecurity\Key\PrivateKey
      */
     public function loadPrivateKey(PrivateKeyConfiguration $key): PrivateKey
     {
-        if ($key->isFile()) {
-            $privateKey = File::getFileContents($key->getFilePath());
-        } else {
-            $privateKey = $key->getContents();
-        }
-
-        return PrivateKey::create($privateKey, $key->getPassPhrase());
+        return PrivateKey::fromFile(
+            $key->isFile() ? $key->getFilePath() : $key->getContents(),
+            $key->getPassPhrase(),
+        );
     }
 
 
@@ -46,8 +41,7 @@ public function loadDecryptionKeys(
 
         $senderSharedKey = $identityProvider->getSharedKey();
         if ($senderSharedKey !== null) {
-            $key = new XMLSecurityKey(C::BLOCK_ENC_AES128);
-            $key->loadKey($senderSharedKey);
+            $key = new SymmetricKey($senderSharedKey);
             $decryptionKeys->add($key);
 
             return $decryptionKeys;
@@ -56,32 +50,13 @@ public function loadDecryptionKeys(
         $newPrivateKey = $serviceProvider->getPrivateKey(PrivateKeyConfiguration::NAME_NEW);
         if ($newPrivateKey instanceof PrivateKeyConfiguration) {
             $loadedKey = $this->loadPrivateKey($newPrivateKey);
-            $decryptionKeys->add($this->convertPrivateKeyToRsaKey($loadedKey));
+            $decryptionKeys->add($loadedKey);
         }
 
         $privateKey = $serviceProvider->getPrivateKey(PrivateKeyConfiguration::NAME_DEFAULT, true);
         $loadedKey  = $this->loadPrivateKey($privateKey);
-        $decryptionKeys->add($this->convertPrivateKeyToRsaKey($loadedKey));
+        $decryptionKeys->add($loadedKey);
 
         return $decryptionKeys;
     }
-
-
-    /**
-     * @param \SimpleSAML\SAML2\Certificate\PrivateKey $privateKey
-     * @throws \Exception
-     * @return \SimpleSAML\XMLSecurity\XMLSecurityKey
-     */
-    private function convertPrivateKeyToRsaKey(PrivateKey $privateKey): XMLSecurityKey
-    {
-        $key = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, ['type' => 'private']);
-        $passphrase = $privateKey->getPassphrase();
-        if ($passphrase) {
-            $key->passphrase = $passphrase;
-        }
-
-        $key->loadKey($privateKey->getKeyAsString());
-
-        return $key;
-    }
 }

src/Certificate/PrivateKeyLoader.php

@@ -5,6 +5,7 @@
 namespace SimpleSAML\SAML2\Configuration;
 
 use RuntimeException;
+use SimpleSAML\XMLSecurity\Constants as C;
 
 use function array_filter;
 use function array_pop;
@@ -108,7 +109,7 @@ public function getPrivateKey(string $name, ?bool $required = null)
      */
     public function getBlacklistedAlgorithms(): ?array
     {
-        return $this->get('blacklistedEncryptionAlgorithms');
+        return $this->get('blacklistedEncryptionAlgorithms', [C::KEY_TRANSPORT_RSA_1_5]);
     }
 
 

src/Configuration/IdentityProvider.php

@@ -8,9 +8,9 @@
 use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\Attributes\Group;
 use PHPUnit\Framework\TestCase;
-use SimpleSAML\SAML2\Certificate\PrivateKey;
 use SimpleSAML\SAML2\Certificate\PrivateKeyLoader;
 use SimpleSAML\SAML2\Configuration\PrivateKey as ConfPrivateKey;
+use SimpleSAML\XMLSecurity\Key\PrivateKey;
 use SimpleSAML\XMLSecurity\TestUtils\PEMCertificatesMock;
 
 /**
@@ -42,11 +42,6 @@ public function testLoadingAConfiguredPrivateKeyReturnsACertificatePrivateKey(
         $resultingKey = self::$privateKeyLoader->loadPrivateKey($configuredKey);
 
         $this->assertInstanceOf(PrivateKey::class, $resultingKey);
-        $this->assertEquals(
-            trim($resultingKey->getKeyAsString()),
-            PEMCertificatesMock::loadPlainKeyFile(PEMCertificatesMock::BROKEN_PRIVATE_KEY),
-        );
-        $this->assertEquals($resultingKey->getPassphrase(), $configuredKey->getPassPhrase());
     }
 
 
@@ -58,24 +53,18 @@ public function testLoadingAConfiguredPrivateKeyReturnsACertificatePrivateKey(
     public static function privateKeyTestProvider(): array
     {
         return [
-            'no passphrase' => [
-                new ConfPrivateKey(
-                    PEMCertificatesMock::buildKeysPath(PEMCertificatesMock::BROKEN_PRIVATE_KEY),
-                    ConfPrivateKey::NAME_DEFAULT,
-                ),
-            ],
             'with passphrase' => [
                 new ConfPrivateKey(
-                    PEMCertificatesMock::buildKeysPath(PEMCertificatesMock::BROKEN_PRIVATE_KEY),
+                    PEMCertificatesMock::buildKeysPath(PEMCertificatesMock::PRIVATE_KEY),
                     ConfPrivateKey::NAME_DEFAULT,
-                    'foo bar baz',
+                    '1234',
                 ),
             ],
             'private key as contents' => [
                 new ConfPrivateKey(
-                    PEMCertificatesMock::loadPlainKeyFile(PEMCertificatesMock::BROKEN_PRIVATE_KEY),
+                    PEMCertificatesMock::loadPlainKeyFile(PEMCertificatesMock::PRIVATE_KEY),
                     ConfPrivateKey::NAME_DEFAULT,
-                    '',
+                    '1234',
                     false,
                 ),
             ],