Improve parsing of base64-encoded strings

src/CryptoEncoding/PEM.php

@@ -91,7 +91,7 @@ public static function fromString(string $str): self
 
         $payload = preg_replace('/\s+/', '', $match[2]);
         $data = base64_decode($payload, true);
-        if ($data === false) {
+        if (empty($data)) {
             throw new UnexpectedValueException('Failed to decode PEM data.');
         }
 

src/CryptoEncoding/PEMBundle.php

@@ -8,6 +8,7 @@
 use Countable;
 use IteratorAggregate;
 use LogicException;
+use SimpleSAML\Assert\Assert;
 use SimpleSAML\XMLSecurity\Exception\IOException;
 use UnexpectedValueException;
 
@@ -76,8 +77,10 @@ public static function fromString(string $str): self
         $pems = array_map(
             function ($match) {
                 $payload = preg_replace('/\s+/', '', $match[2]);
+                Assert::stringPlausibleBase64($payload);
+
                 $data = base64_decode($payload, true);
-                if (false === $data) {
+                if (empty($data)) {
                     throw new UnexpectedValueException(
                         'Failed to decode PEM data.'
                     );

src/XML/EncryptedElementTrait.php

@@ -140,7 +140,7 @@ protected function decryptData(EncryptionAlgorithmInterface $decryptor): string
             throw new InvalidArgumentException('Decryption algorithm does not match EncryptionMethod.');
         }
 
-        return $decryptor->decrypt(base64_decode($encData->getCipherData()->getCipherValue()->getContent()));
+        return $decryptor->decrypt(base64_decode($encData->getCipherData()->getCipherValue()->getContent(), true));
     }
 
 

src/XML/SignedElementTrait.php

@@ -151,7 +151,7 @@ private function validateReference(SignedInfo $signedInfo): SignedElementInterfa
         $data = XML::processTransforms($reference->getTransforms(), $xml);
         $digest = Security::hash($reference->getDigestMethod()->getAlgorithm(), $data, false);
 
-        if (Security::compareStrings($digest, base64_decode($reference->getDigestValue()->getRawContent())) !== true) {
+        if (Security::compareStrings($digest, base64_decode($reference->getDigestValue()->getRawContent(), true)) !== true) {
             throw new SignatureVerificationFailedException('Failed to verify signature.');
         }
 
@@ -187,7 +187,7 @@ private function verifyInternal(SignatureAlgorithmInterface $verifier): SignedEl
         if (
             $verifier?->verify(
                 $c14nSignedInfo, // the canonicalized ds:SignedInfo element (plaintext)
-                base64_decode($this->signature->getSignatureValue()->getRawContent()), // the actual signature
+                base64_decode($this->signature->getSignatureValue()->getRawContent(), true), // the actual signature
             )
         ) {
             /*

src/XML/xenc/EncryptedKey.php

@@ -108,7 +108,7 @@ public function decrypt(EncryptionAlgorithmInterface $decryptor): string
             InvalidArgumentException::class,
         );
 
-        return $decryptor->decrypt(base64_decode($cipherValue->getContent()));
+        return $decryptor->decrypt(base64_decode($cipherValue->getContent(), true));
     }
 
 

tests/Alg/Encryption/AESEncryptionTest.php

@@ -52,7 +52,7 @@ public function testEncrypt(): void
     public function testDecrypt(): void
     {
         $ciphertext = "r0YRkEixBnAKU032/ux7avHcVTH1CIIyKaPA2qr4KlIs0LVZp5CuwQKRRi6lji4cnaFbH4jETtJhMSEfbpSdvg==";
-        $plaintext = self::$algo->decrypt(base64_decode($ciphertext));
+        $plaintext = self::$algo->decrypt(base64_decode($ciphertext, true));
         $this->assertEquals("\n  <Value>\n\tHello, World!\n  </Value>\n", $plaintext);
     }
 }

tests/Alg/Encryption/TripleDesEncryptionTest.php

@@ -52,7 +52,7 @@ public function testEncrypt(): void
     public function testDecrypt(): void
     {
         $ciphertext = "D+3dKq7MFK7U+8bqdlyRcvO12JV5Lahl5ALhF5eJXSfi+cbYKRbkRjvJsMKPp2Mk";
-        $plaintext = self::$algo->decrypt(base64_decode($ciphertext));
+        $plaintext = self::$algo->decrypt(base64_decode($ciphertext, true));
         $this->assertEquals("\n  <Value>\n\tHello, World!\n  </Value>\n", $plaintext);
     }
 }

tests/Alg/KeyTransport/RSAKeyTransportTest.php

@@ -80,20 +80,20 @@ public function testDecrypt(): void
                       "A6fgclGb/keGZOtjSkHZnZEZvXEOQItFjS6MbQc+TzNmRd6FSkuPUmwQ1V+NwxTPCIwXSSd0Aj" .
                       "7oHb7xRdBhoFuDrSbYAvATQ=";
         $rsa = self::$factory->getAlgorithm(C::KEY_TRANSPORT_OAEP_MGF1P, self::$privateKey);
-        $plaintext = $rsa->decrypt(base64_decode($ciphertext));
+        $plaintext = $rsa->decrypt(base64_decode($ciphertext, true));
         $this->assertEquals(self::PLAINTEXT, $plaintext);
 
         // test RSA-OAEP (should behave the same as MGF1P)
         $rsa = self::$factory->getAlgorithm(C::KEY_TRANSPORT_OAEP, self::$privateKey);
-        $plaintext = $rsa->decrypt(base64_decode($ciphertext));
+        $plaintext = $rsa->decrypt(base64_decode($ciphertext, true));
         $this->assertEquals(self::PLAINTEXT, $plaintext);
 
         // test RSA-1.5
         $ciphertext = "ZAnYBqqM5T/kg+P8fb3UfDU1gyUIpndpqQN2qpmJso2z6His6WOkh5JFVN/wz+agvyR54kMmII" .
                       "afiDsy5izSk6+QZ5kMOgRLrmnh+RYZXjvCL6i1NXzaLw8yZLBvlP01SNMv/BBq640yzbG9U2ZN" .
                       "nxBLDvBmbJBxzt6XCowXQS8=";
         $rsa = self::$factory->getAlgorithm(C::KEY_TRANSPORT_RSA_1_5, self::$privateKey);
-        $plaintext = $rsa->decrypt(base64_decode($ciphertext));
+        $plaintext = $rsa->decrypt(base64_decode($ciphertext, true));
         $this->assertEquals(self::PLAINTEXT, $plaintext);
     }
 }