From f590142333410fad9e7eb893a273b490012c8100 Mon Sep 17 00:00:00 2001 From: Tim van Dijen Date: Fri, 10 May 2024 11:09:45 +0200 Subject: [PATCH] Remove unnecessary utility-class --- src/Backend/HMAC.php | 4 +- src/Utils/Security.php | 64 -------------------------------- src/XML/SignableElementTrait.php | 5 ++- src/XML/SignedElementTrait.php | 14 +++++-- tests/Utils/SecurityTest.php | 31 ---------------- 5 files changed, 16 insertions(+), 102 deletions(-) delete mode 100644 src/Utils/Security.php delete mode 100644 tests/Utils/SecurityTest.php diff --git a/src/Backend/HMAC.php b/src/Backend/HMAC.php index 2df3d3bc..bb4f40eb 100644 --- a/src/Backend/HMAC.php +++ b/src/Backend/HMAC.php @@ -8,8 +8,8 @@ use SimpleSAML\XMLSecurity\Constants as C; use SimpleSAML\XMLSecurity\Exception\InvalidArgumentException; use SimpleSAML\XMLSecurity\Key\KeyInterface; -use SimpleSAML\XMLSecurity\Utils\Security; +use function hash_equals; use function hash_hmac; /** @@ -77,6 +77,6 @@ public function sign(KeyInterface $key, string $plaintext): string */ public function verify(KeyInterface $key, string $plaintext, string $signature): bool { - return Security::compareStrings(hash_hmac($this->digest, $plaintext, $key->getMaterial(), true), $signature); + return hash_equals(hash_hmac($this->digest, $plaintext, $key->getMaterial(), true), $signature); } } diff --git a/src/Utils/Security.php b/src/Utils/Security.php deleted file mode 100644 index 5860a341..00000000 --- a/src/Utils/Security.php +++ /dev/null @@ -1,64 +0,0 @@ -removeChild($sigNode[0]); $data = XML::processTransforms($reference->getTransforms(), $xml); - $digest = Security::hash($reference->getDigestMethod()->getAlgorithm(), $data, false); + $algo = $reference->getDigestMethod()->getAlgorithm(); + Assert::keyExists( + C::$DIGEST_ALGORITHMS, + $algo, + 'Unsupported digest method "' . $algo . '"', + InvalidArgumentException::class, + ); - if (Security::compareStrings($digest, base64_decode($reference->getDigestValue()->getRawContent(), true)) !== true) { + $digest = hash(C::$DIGEST_ALGORITHMS[$algo], $data, true); + if (hash_equals($digest, base64_decode($reference->getDigestValue()->getRawContent(), true)) !== true) { throw new SignatureVerificationFailedException('Failed to verify signature.'); } diff --git a/tests/Utils/SecurityTest.php b/tests/Utils/SecurityTest.php deleted file mode 100644 index d32695e1..00000000 --- a/tests/Utils/SecurityTest.php +++ /dev/null @@ -1,31 +0,0 @@ -assertTrue(Security::compareStrings('random string', 'random string')); - - // test that two different, equal-length strings fail to compare - $this->assertFalse(Security::compareStrings('random string', 'string random')); - - // test that two different-length strings fail to compare - $this->assertFalse(Security::compareStrings('one string', 'one string ')); - } -}