Add support for specifying xenc:OAEPparams

timlegge · timlegge · commit 48713f6007bc · 2022-11-20T11:50:17.000-04:00
diff --git a/lib/XML/Enc.pm b/lib/XML/Enc.pm
@@ -147,6 +147,24 @@ Used in encryption.  Optional.  Default method: rsa-1_5
 
 =back
 
+=item B<oaep_method>
+
+Specify the Algorithm to be used for rsa-oaep.  Supported methods are:
+
+=over
+
+=item * L<mgf1sha1|http://www.w3.org/2009/xmlenc11#mgf1sha1>
+
+=item * L<mgf1sha224|http://www.w3.org/2009/xmlenc11#mgf1sha224>
+
+=item * L<mgf1sha265|http://www.w3.org/2009/xmlenc11#mgf1sha256>
+
+=item * L<mgf1sha384|http://www.w3.org/2009/xmlenc11#mgf1sha384>
+
+=item * L<mgf1sha512|http://www.w3.org/2009/xmlenc11#mgf1sha512>
+
+=back
+
 =back
 
 =cut
@@ -179,6 +197,8 @@ sub new {
     my $oaep_method = exists($params->{'oaep_method'}) ? $params->{'oaep_method'} : 'http://www.w3.org/2009/xmlenc11#mgf1sha1';
     $self->{'oaep_method'} = $self->_setOAEPAlgorithm($oaep_method);
 
+    $self->{'oaep_params'} = exists($params->{'oaep_params'}) ? $params->{'oaep_params'} : '';
+
     return $self;
 }
 
@@ -297,6 +317,11 @@ sub encrypt {
     my $base64_key  = encode_base64($key);
     my $base64_data = encode_base64($encrypteddata);
 
+    # Insert OAEPparams into the XML
+    if ($self->{oaep_params} ne '') {
+        $encrypted = $self->_setOAEPparams($encrypted, $xpc, encode_base64($self->{oaep_params}));
+    }
+
     # Insert Encrypted data into XML
     $encrypted = $self->_setEncryptedData($encrypted, $xpc, $base64_data);
 
@@ -339,6 +364,19 @@ sub _setEncryptionMethod {
     return exists($methods{$method}) ? $methods{$method} : $methods{'aes256-cbc'};
 }
 
+sub _setOAEPparams {
+    my $self         = shift;
+    my $context      = shift;
+    my $xpc          = shift;
+    my $oaep_params  = shift;
+
+    my $node = $xpc->findnodes('//xenc:EncryptedKey/xenc:EncryptionMethod/xenc:OAEPparams', $context);
+
+    $node->[0]->removeChildNodes();
+    $node->[0]->appendText($oaep_params);
+    return $context;
+}
+
 sub _setOAEPAlgorithm {
     my $self    = shift;
     my $method  = shift;
@@ -517,10 +555,10 @@ sub _EncryptKey {
         ${$key} = $rsa_pub->encrypt(${$key}, 'v1.5');
     }
     elsif ($keymethod eq 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p') {
-        ${$key} = $rsa_pub->encrypt(${$key}, 'oaep', 'SHA1');
+        ${$key} = $rsa_pub->encrypt(${$key}, 'oaep', 'SHA1', $self->{oaep_params});
     }
     elsif ($keymethod eq 'http://www.w3.org/2009/xmlenc11#rsa-oaep') {
-        ${$key} = $rsa_pub->encrypt(${$key}, 'oaep', $self->_getOAEPAlgorithm($self->{oaep_method}));
+        ${$key} = $rsa_pub->encrypt(${$key}, 'oaep', $self->_getOAEPAlgorithm($self->{oaep_method}), $self->{oaep_params});
     } else {
         die "Unsupported Key Encryption Method";
     }
@@ -865,6 +903,15 @@ sub _create_encrypted_data_xml {
                             }
                         );
 
+    if ($self->{'oaep_params'} ne '') {
+        my $oaep_params = $self->_create_node(
+                            $doc,
+                            $xencns,
+                            $kencmethod,
+                            'xenc:OAEPparams',
+                        );
+    };
+
     if ($self->{key_transport} eq 'http://www.w3.org/2009/xmlenc11#rsa-oaep') {
         my $oaepmethod = $self->_create_node(
                             $doc,
diff --git a/t/08-support-oaepparams.t b/t/08-support-oaepparams.t
@@ -0,0 +1,95 @@
+use strict;
+use warnings;
+use Test::More tests => 5;
+use XML::Enc;
+use MIME::Base64 qw/decode_base64/;
+use File::Which;
+use File::Slurper qw/read_text/;
+
+my $xml = <<'ENDXML';
+<?xml version="1.0" encoding="UTF-8"?>
+<PaymentInfo xmlns="http://example.org/paymentv2">
+  <Name>John Smith</Name>
+  <CreditCard Currency="USD" Limit="5,000"><EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="ED" Type="http://www.w3.org/2001/04/xmlenc#Content">
+          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+          <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#" Id="EK">
+             <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
+                <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+                        <OAEPparams>MTIzNDU2Nzg=</OAEPparams>
+                    </EncryptionMethod>
+            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+                  <ds:KeyName>my-rsa-key</ds:KeyName>
+                   </ds:KeyInfo>
+                   <CipherData>
+                     <CipherValue>qkGLaEkRFs+wAbz/zXl50nI7w8+b0NUxYXQu84lJz4iXeKj5/si2lgADR9bGVQ6N
+iSQGxMF9cra8zlzaB6hqxcL3u4A161ajA4iMn88kdkda/ZgVANaombU1HPn+Mqzo
+3/F/hfGSJ0CpzXv5Pi3zqe2J3Sii9NQBiyRkd0lbm41gCXLuRNkZH9x/LhOlrHEC
+Vj/7fi8sYTFuqz4MeCbIdNOzxOR5g/L+VTeAcTZfT6wfkfc7jFa2CqkwBqMvNrtD
+o+A0MmK0fb0/kJLxNx91PVXNti4l/SrbmGZhKIIgmY9DKtAJjTK60zWkiamfqA/N
+WbrcIZjGje5oRXC7GLyBJfHuLo4sQIN7UvbZCcz16OVcgOC2B/hG7CQCXGwiZV+U
+rTLjBaijbx/j0+zbMs+PkmD2Ba3DgrwzsGJ2sPq6oTW28ZJebcjSxNEundodNuFv
+RcohqiMFOlVJRKU/x15HsthnXrMDvYpIrKT4NJKQJHnPEeTZ+Bd6PR8jTL30p2Ea
+6yH3F189AVgQf8t6ZB+GSBb/zO2aKIrA6iiViz+MJDiiD3XY3T3beaDH/u09izRs
+bBqDCnFkkxajyENT8r5C1tS0PNAmaisXqPhkYSsWUBHYPgIxUasDy2oJBafF1JW0
+02N7Bvg9oVFDY+Xc4hWsmaC31txPEds6ZdxhBclCMu0=</CipherValue>
+                   </CipherData>
+                 </EncryptedKey>
+               </ds:KeyInfo>
+               <CipherData>
+                 <CipherValue>ecIQfyygbLDMHLKCLO31g3Y4Q+2eJZ15hyt/kiLekdBWHZRFUBzEf/3W5H66tCL2
+/fsWY+Y2Zim64WuXJfPdYmy4UtSexpwTEHr0I5LR6Ykw2A61akDEh/zXKWpHsLrn
+so/amlIwRtEYJTQdER7+6kkMa40M2Jf2Hk6BIXfOSCggh0KpnCnuc1+NACE0VUh6</CipherValue>
+               </CipherData>
+</EncryptedData></CreditCard>
+</PaymentInfo>
+ENDXML
+
+my $decrypter = XML::Enc->new(
+    {
+        key                 => 't/xmlsec-key.pem',
+        no_xml_declaration  => 1
+    }
+);
+
+ok($decrypter->decrypt($xml) =~ /4019 2445 0277 5567/, "Successfully Decrypted xmlsec1 xml using OAEPparams");
+
+$xml = <<'XML';
+<?xml version="1.0"?>
+<foo ID="XML-SIG_1">
+    <bar>123</bar>
+</foo>
+XML
+
+my $encrypter = XML::Enc->new(
+    {
+        key                 => 't/sign-private.pem',
+        cert                => 't/sign-certonly.pem',
+        oaep_params         => '123456789',
+        no_xml_declaration  => 1
+    }
+);
+
+my $encrypted = $encrypter->encrypt($xml);
+ok($encrypted =~ /CipherData/, "Successfully Encrypted with XML::Enc using OAEPparams");
+
+ok($encrypter->decrypt($encrypted) =~ /<bar>123<\/bar>/, "Successfully Decrypted with XML::Enc using OAEPparams");
+
+$decrypter = XML::Enc->new(
+    {
+        key                 => 't/sign-private.pem',
+        cert                => 't/sign-certonly.pem',
+        oaep_params         => '123789',
+        no_xml_declaration  => 1
+    }
+);
+$encrypted =~ s/MTIzNDU2Nzg5/MTIzNzg5Cg==/mg;
+
+my $ret;
+eval {
+    $ret = $decrypter->decrypt($encrypted);
+};
+ok($@ =~ /FATAL: rsa_decrypt_key_ex/,"XML::Enc Unable to decrypt if XML includes incorrect OAEPparams");
+ok(!$ret);
+
+done_testing;
diff --git a/t/xmlsec-key.pem b/t/xmlsec-key.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDzYfk2VK5dF2gb
+GCgkck45Xb8gF8h8IFn7o0LkLLcNbZd+4Zu6WcPn6GT/djVY4JD6KxOSX7q3f1Ql
+bs7NG6N4kjQxf53cgGE8cmltuDWo+B8DbOXXQVMkhIpycDziOYvscJ3Tzy4I9gWA
+rzaP7Y7v31AzlFgVj4fEtGU9odEjAGpnNWAGWL1DioZSKfSh4V9/WW7KSngWndoE
+2WHUo+ppcn8bqv/IB1ETUME+fZv3cNy6XZSpK6zqVuA8f12R772CJfI36yzZrbfd
+PryGeq+Jj/kyXpzQQQyMt4ReKelP/LVc9PmCMrk17YQKMiMytaSxyMWgFrV3jSGP
+U4DEoaRl7q8KhB00MOMHNc4Wjml7tyGRVibC1z95DuCyd6XKYIgVMI9lqo+dn9BQ
+PSqbT2HKQxm5aVgbmHdDQh4IfDBYUtSz69GinijdG5b9+Sj9dtjskSHRjUJM9QVw
+LtK7msXI4XddTl/Cq5/AdVERbuprDtS8k96klePSUlesdMWm5aKUP9hDDkKMda0M
+adGojudJdys4r8msQ3cnkIIdYuYxoBsXvn5jLCnsGz1LUjnseir8SC+9ztkfIQL7
+LG7ZQBTFas4gvAzkroc10tpf25VQ8+PtLJOtQluvZf74SwrcYH/dSDiI0Pykqvxf
+B5fPrrdDPYfrvlHj8YwfY0MpJIyUIwIDAQABAoICAEeS02An7RMRVBtLslpthxWV
+vSQp+lqOhQfcjkpd4ANB7GBy5oIZ7ePgUvtRfwTBHcGEM4BDSLy35D4R5R0qeJt3
+m4PG/NygoHfPSbPrjVRAi5ZNSxZPbqz5kWFwImeA9uY0hCWK8wXNm/apEEmpWfSu
+3n4crP7CM/Ij/vXuBXvenmv1pWSYaihXr4KwNfH5PkVMPqmc1s4H49qzNvL6tXAH
+LNwtIIVpqW0dvYasF9bfyPnBlXtejb5oiA8igZjuQPPqRt4s+gaV8NFOptCBeefh
+gC5Q5prT1mX3fiTW/Hb6YTeSD2I7mn4CeGcrMXCzPFjQK1YV943N4kWtD9xDkP2a
+JwxpNUH3PKLNquRcaAc6idy4hUFWBXyLuABjHFxHaOwOHJKhRdwgwVbHExVHrp3H
+6ArgVQH8Y5fbo0xy+PQWCNCRRYKgMqK9RKL0KWAfb+vxsVL6c0Sha4nbcupQ7Yu0
+YMXXPY9dKzxJVR3ZI9MeOWcnqdIVuu2t+TAYxSi/9CLMifsYfQgZQkJTlFmrdVSz
+lJ0mqvsaXPzKOdsVpxN9Ktd1suMPu2gU4Ty004msAojuYGEf0uydDgTRFGOlf/oa
+jNU7rF940VYqzHihxnRPvBGNLBvo+L+VV/n1VnBeAjrswkDw/HowgZQOQ846jref
+X9mzhhjc+XuooA4avz3xAoIBAQD/UHw76qKBdtNxcIASSZCKaFAOWvKUG6e5xZMo
+8s0Ut3WqIDACXH2QNUcfQZX+XGoQqH1ubTTo46oekRjA6gcVZ9evSFfj4Urzp8jx
+IJnxM9sxZiTHvnrvIDCX2njia/fAdvC5UKwSjJBLkQoJ9w4v+ksXs7IMwxZoc0vH
+bgL6DstGmKb83JQ9CNPGZEFfit37ioUEgofUqxqf7uub/LNjdVkK3AvOopCe2w4+
+t1g7S89imrmWJ4iNKzPa/u4Vr5CAdVpq6lRRgQre2kQp8tL6Is0DVoSaaVV+QVze
+pZ5HvLxIU31N50FUsaDqDCNnWR/lijhl+B8VT/Rea4vSD8mbAoIBAQD0CUkrBQG0
+wR5q4hjTSA0J1BU3WjGwKvFryScMwNaX0Q4oSmgDqKV6lE6zOXGPt6N0UHEeqcjS
+HhTrIuKawMH4s4DxQu8iFNg5ZXYUgD/Ol/B6Pfh1ycDhCIzsKzrfPqvzhzclL4RU
+vXfNmg0F2ZPOwsgTLjtKq/xc/VXMjbiZn60tTotdfnSSPiKJs+sWB9iQDXOx+H9q
+ZjWEFeS0CPi284wj2y6DLenLWI+Wm75RfdbudtTMjrptm0OC4uzNBaRZ8zDCQcAF
+ByM757p8opV70/8p0IfdxfPdhMrdkr18hYmMhIXKZLzB32jvSIj0dP7T93hMR3yW
+Y6mrVUKrZewZAoIBADQW/LHQxkT5tFwRot+YSLgkXij/nzxehBLf341cNEFEyOnj
+1Ue2DRwt8ovK+spBmpY5ehXcjA3z3RKNcepyFO3mGNg3P09L+NnLYrDngOD4PoFO
+oLRsBXLiM2fX+A/iDVMkMSrt7Z1/NjVkqxKraCabv1RfojT+XIUE+PIAXPUdrZWC
+sZcnfcsSEPsKG1hd4bpfYZIw+3uFSVJWEZXqscLZ/0e662HGQxFWCgr7pzG53t70
+SGb9O9vpc5P7rSGZhzbeOotTsc5LMKeVCpEwbKECFqfWsAk88mdm+IaobamfNR7g
+gdEyHF8mOnll7pc4VMylLaqIO/dCL85PzOAXvn8CggEABFtOFRiHyURRWLMkolD8
++pnwrwZLMMvzd2sl6VJgAmHXEN0TMk2GdsPDC+wQnPI4VtFA071QOoAS+4ep5/1c
++SWrPaNmRYN9wLiQ/Ri1Cuknf+cvUlsBuILAkU7MREQIKdbWIzHP+PtQ8ji31szl
+mKFdlQoUQOcFIFvddkNpckSpgM+QKWEij6HQWAkAP2pwcVHsKNc43xtoBS2m4Zfv
+aMS8Ub+N+wWM0PaJybSKF0ZZ2fQBJI2/wkktUV7fv2FEZ96xliY6WVyhQmaGq8bz
+SDymp4ZzhoAMNH40aPQ/scNoizuqb8yQmh108CCpYUPdcMdQPHxiOwUYeFiTUiAF
+sQKCAQEA6x798jTopyhDcBEdRX3xSxMF/gJ4vJ2UCR2jImQn50ioWapEuY3M6iV/
+N8QmSn5g719TopTn6YXY9TEZxTpCFQ6TYvMMXkBEV5lI1npSasV2bdAaQEcTu76J
+EGMeGtHzQ+MTSpgztWOqD0vWTiGv3txyuP201FISo+1HtcDpB8DHdEGUl9BcCbAt
+5K4YLpKHRDnlRiEd6A3YhuUVxh2jFivry4OkynKl1yBsKUoFrEIi9wq9s+LOIewB
+TZVmcuYI4DroKyq/RPD8iNSimzkR6AgnotPb1CxeB2/cT9ZvrJAX29LQtFYGMTLf
+8VHBrGzppyqyV8FPdApAxKMMANMIqg==
+-----END PRIVATE KEY-----
