COOl-13 Use externel AES/GCM lib, generate XML in AuthnRequest

The external lib is to support php versions < 7.1.

composer.json

@@ -21,7 +21,8 @@
         "ext-curl": "*",
         "ext-openssl": "*",
         "ext-dom": "*",
-        "ext-mcrypt": "*"
+        "ext-mcrypt": "*",
+        "spomky-labs/php-aes-gcm": "^1.2"
     },
     "require-dev": {
         "phpunit/phpunit": "4.8",

lib/Saml2/AuthnRequest.php

@@ -117,13 +117,29 @@ public function __construct(OneLogin_Saml2_Settings $settings, $forceAuthn = fal
             }
         }
 
-        $inlineLogin = '';
+        $inlineLoginStr = '';
         if (is_array($security['requestedAuthnContext'])
             && in_array(OneLogin_Saml2_Constants::AC_INLINE_LOGIN, $security['requestedAuthnContext'])
             && $username != null
             && $password != null
         ) {
-            $inlineLogin = (new OneLogin_Saml2_InlineLogin($security['inlineLoginKey'], $username, $password))->getXml();
+            $inlineLogin = new OneLogin_Saml2_InlineLogin($security['inlineLoginKey'], $username, $password);
+            $saveUsername = htmlspecialchars($username);
+            $encryptedPasswordBase64 = base64_encode($inlineLogin->getEncryptedPassword());
+            $ivBase64 = base64_encode($inlineLogin->getIv());
+
+            $inlineLoginStr = <<<INLINELOGIN
+    <md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+        <onegini:InlineLogin
+            xmlns:onegini="urn:com:onegini:saml:InlineLogin"
+            IdpType="unp_idp">
+            <onegini:Credentials
+                Username="$saveUsername"
+                Password="$encryptedPasswordBase64"
+                EncryptionParameter="$ivBase64"/>
+        </onegini:InlineLogin>
+    </md:Extensions>
+INLINELOGIN;
         }
 
         $spEntityId = htmlspecialchars($spData['entityId'], ENT_QUOTES);
@@ -142,7 +158,7 @@ public function __construct(OneLogin_Saml2_Settings $settings, $forceAuthn = fal
     <saml:Issuer>{$spEntityId}</saml:Issuer>
 {$nameIdPolicyStr}
 {$requestedAuthnStr}
-{$inlineLogin}
+{$inlineLoginStr}
 </samlp:AuthnRequest>
 AUTHNREQUEST;
 

lib/Saml2/InlineLogin.php

@@ -1,5 +1,7 @@
 <?php
 
+use AESGCM\AESGCM;
+
 class OneLogin_Saml2_InlineLogin
 {
     const METHOD = 'aes-256-gcm';
@@ -17,42 +19,21 @@ public function __construct($key, $username, $password)
         $this->_iv = $iv;
     }
 
-    public function getXml()
+    public function getEncryptedPassword(): string
+    {
+        return $this->_encryptedPassword;
+    }
+
+    public function getIv()
     {
-        $saveUsername = htmlspecialchars($this->_username);
-        $encryptedPasswordBase64 = base64_encode($this->_encryptedPassword);
-        $ivBase64 = base64_encode($this->_iv);
-
-        $extensionXml = <<<EXTXML
-<md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
-  <onegini:InlineLogin xmlns:onegini="urn:com:onegini:saml:InlineLogin"
-                       IdpType="unp_idp">
-    <onegini:Credentials Username="$saveUsername"
-                         Password="$encryptedPasswordBase64"
-                         EncryptionParameter="$ivBase64"/>
-  </onegini:InlineLogin>
-</md:Extensions>
-EXTXML;
-
-        return $extensionXml;
+        return $this->_iv;
     }
 
     private function encrypt($plaintext, &$iv = null)
     {
         $iv = openssl_random_pseudo_bytes(16, $cstrong);
-        if (!$cstrong) {
-            throw new Exception("Could not generate secure random bytes");
-        }
-
-        if (!in_array(self::METHOD, openssl_get_cipher_methods())) {
-            throw new Exception("This system does not support the required encryption algorithm");
-        }
-
-        $ciphertext = openssl_encrypt($plaintext, self::METHOD, $this->_key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv, $tag);
-        if (!$ciphertext) {
-            throw new Exception("Could not encrypt plaintext");
-        }
+        $ciphertext = AESGCM::encryptAndAppendTag($this->_key, $iv, $plaintext);
 
-        return $ciphertext . $tag;
+        return $ciphertext;
     }
 }