Support multiple decryption keys

Author: tvdijen

src/XML/EncryptedElementInterface.php

@@ -33,11 +33,11 @@ public function hasDecryptionKey(): bool;
 
 
     /**
-     * Get the encrypted key used to encrypt the current element.
+     * Get the encrypted keys used to encrypt the current element.
      *
-     * @return \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey|null
+     * @return \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey[]
      */
-    public function getEncryptedKey(): ?EncryptedKey;
+    public function getEncryptedKeys(): array;
 
     /**
      * Get the EncryptedData object.

src/XML/EncryptedElementTrait.php

@@ -11,7 +11,12 @@
 use SimpleSAML\XMLSecurity\Alg\Encryption\{EncryptionAlgorithmFactory, EncryptionAlgorithmInterface};
 use SimpleSAML\XMLSecurity\Backend\EncryptionBackend;
 use SimpleSAML\XMLSecurity\Constants as C;
-use SimpleSAML\XMLSecurity\Exception\{InvalidArgumentException, NoEncryptedDataException, RuntimeException};
+use SimpleSAML\XMLSecurity\Exception\{
+    InvalidArgumentException,
+    NoEncryptedDataException,
+    OpenSSLException,
+    RuntimeException,
+};
 use SimpleSAML\XMLSecurity\Key\SymmetricKey;
 use SimpleSAML\XMLSecurity\XML\xenc\{EncryptedData, EncryptedKey};
 
@@ -24,8 +29,8 @@
  */
 trait EncryptedElementTrait
 {
-    /** @var \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey|null */
-    protected ?EncryptedKey $encryptedKey = null;
+    /** @var \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey[] */
+    protected array $encryptedKey = [];
 
 
     /**
@@ -43,7 +48,7 @@ public function __construct(
 
         foreach ($keyInfo->getInfo() as $info) {
             if ($info instanceof EncryptedKey) {
-                $this->encryptedKey = $info;
+                $this->encryptedKey = [$info];
                 break;
             }
         }
@@ -57,16 +62,16 @@ public function __construct(
      */
     public function hasDecryptionKey(): bool
     {
-        return $this->encryptedKey !== null;
+        return !empty($this->encryptedKey);
     }
 
 
     /**
      * Get the encrypted key used to encrypt the current element.
      *
-     * @return \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey|null
+     * @return \SimpleSAML\XMLSecurity\XML\xenc\EncryptedKey[]
      */
-    public function getEncryptedKey(): ?EncryptedKey
+    public function getEncryptedKeys(): array
     {
         return $this->encryptedKey;
     }
@@ -86,7 +91,7 @@ public function getEncryptedData(): EncryptedData
     /**
      * Decrypt the data in any given element.
      *
-     * Use this method to decrypt an EncryptedData XML elemento into a string. If the resulting plaintext represents
+     * Use this method to decrypt an EncryptedData XML element into a string. If the resulting plaintext represents
      * an XML document which has a corresponding implementation extending \SimpleSAML\XML\ElementInterface, you
      * can call this method to build an object from the resulting plaintext:
      *
@@ -125,12 +130,23 @@ protected function decryptData(EncryptionAlgorithmInterface $decryptor): string
                 throw new RuntimeException('Cannot decrypt data with a session key and no EncryptionMethod.');
             }
 
-            $encryptedKey = $this->getEncryptedKey();
-            $decryptionKey = $encryptedKey->decrypt($decryptor);
-
             $factory = new EncryptionAlgorithmFactory(
                 $this->getBlacklistedAlgorithms() ?? EncryptionAlgorithmFactory::DEFAULT_BLACKLIST,
             );
+
+            $decryptionKey = null;
+            foreach ($this->getEncryptedKeys() as $encryptedKey) {
+                try {
+                    $decryptionKey = $encryptedKey->decrypt($decryptor);
+                } catch (OpenSSLException $e) {
+                    continue;
+                }
+            }
+
+            if ($decryptionKey === null) {
+                throw new RuntimeException('Cannot decrypt the session key with any of the provided decryption keys.');
+            }
+
             $decryptor = $factory->getAlgorithm(
                 $encMethod->getAlgorithm()->getValue(),
                 new SymmetricKey($decryptionKey),

tests/XML/EncryptedCustom.php

@@ -154,8 +154,8 @@ public function decryptWithSessionKey(EncryptionAlgorithmInterface $decryptor):
         }
 
         // decrypt the encryption key with the decryptor we were provided
-        $encryptedKey = $this->getEncryptedKey();
-        $decryptionKey = $encryptedKey->decrypt($decryptor);
+        $encryptedKey = $this->getEncryptedKeys();
+        $decryptionKey = $encryptedKey[0]->decrypt($decryptor);
 
         /*
          * Instantiate a new decryptor with the blacklisted algorithms and encryption backend given. This decryptor

tests/XML/ds/TransformsTest.php

@@ -9,7 +9,6 @@
 use SimpleSAML\XML\DOMDocumentFactory;
 use SimpleSAML\XML\TestUtils\{SchemaValidationTestTrait, SerializableElementTestTrait};
 use SimpleSAML\XMLSchema\Type\{AnyURIValue, StringValue};
-use SimpleSAML\XMLSecurity\Constants as C;
 use SimpleSAML\XMLSecurity\XML\ds\{AbstractDsElement, Transform, Transforms, XPath};
 use SimpleSAML\XPath\Constants as XPATH_C;
 

tests/XML/xenc/CipherReferenceTest.php

@@ -9,7 +9,6 @@
 use SimpleSAML\XML\DOMDocumentFactory;
 use SimpleSAML\XML\TestUtils\{SchemaValidationTestTrait, SerializableElementTestTrait};
 use SimpleSAML\XMLSchema\Type\{AnyURIValue, StringValue};
-use SimpleSAML\XMLSecurity\Constants as C;
 use SimpleSAML\XMLSecurity\XML\ds\{Transform, XPath};
 use SimpleSAML\XMLSecurity\XML\xenc\{AbstractReference, AbstractXencElement, CipherReference, Transforms};
 use SimpleSAML\XPath\Constants as XPATH_C;

tests/XML/xenc/DataReferenceTest.php

@@ -9,7 +9,6 @@
 use SimpleSAML\XML\DOMDocumentFactory;
 use SimpleSAML\XML\TestUtils\SerializableElementTestTrait;
 use SimpleSAML\XMLSchema\Type\{AnyURIValue, StringValue};
-use SimpleSAML\XMLSecurity\Constants as C;
 use SimpleSAML\XMLSecurity\XML\ds\{Transform, Transforms, XPath};
 use SimpleSAML\XMLSecurity\XML\xenc\{AbstractReference, AbstractXencElement, DataReference};
 use SimpleSAML\XPath\Constants as XPATH_C;

tests/XML/xenc/KeyReferenceTest.php

@@ -9,7 +9,6 @@
 use SimpleSAML\XML\DOMDocumentFactory;
 use SimpleSAML\XML\TestUtils\SerializableElementTestTrait;
 use SimpleSAML\XMLSchema\Type\{AnyURIValue, StringValue};
-use SimpleSAML\XMLSecurity\Constants as C;
 use SimpleSAML\XMLSecurity\XML\ds\{Transform, Transforms, XPath};
 use SimpleSAML\XMLSecurity\XML\xenc\{AbstractReference, AbstractXencElement, KeyReference};
 use SimpleSAML\XPath\Constants as XPATH_C;

tests/XML/xenc/ReferenceListTest.php

@@ -9,7 +9,6 @@
 use SimpleSAML\XML\DOMDocumentFactory;
 use SimpleSAML\XML\TestUtils\{SchemaValidationTestTrait, SerializableElementTestTrait};
 use SimpleSAML\XMLSchema\Type\{AnyURIValue, StringValue};
-use SimpleSAML\XMLSecurity\Constants as C;
 use SimpleSAML\XMLSecurity\XML\ds\{Transform, Transforms, XPath};
 use SimpleSAML\XMLSecurity\XML\xenc\{AbstractXencElement, DataReference, KeyReference, ReferenceList};
 use SimpleSAML\XPath\Constants as XPATH_C;

tests/XML/xenc/TransformsTest.php

@@ -9,7 +9,6 @@
 use SimpleSAML\XML\DOMDocumentFactory;
 use SimpleSAML\XML\TestUtils\SerializableElementTestTrait;
 use SimpleSAML\XMLSchema\Type\{AnyURIValue, StringValue};
-use SimpleSAML\XMLSecurity\Constants as C;
 use SimpleSAML\XMLSecurity\XML\ds\{Transform, XPath};
 use SimpleSAML\XMLSecurity\XML\xenc\{AbstractXencElement, Transforms};
 use SimpleSAML\XPath\Constants as XPATH_C;