3030 *
3131 * @package SimpleSAML\XMLSecurity\Backend
3232 */
33- final class OpenSSL implements EncryptionBackend, SignatureBackend
33+ final class OpenSSL implements EncryptionBackend, SignatureBackend, SignaturePadding
3434{
3535 public const int AUTH_TAG_LEN = 16 ;
3636
3737
3838 // digital signature options
3939 protected string $ digest ;
4040
41+ // signature padding method
42+ protected int $ sig_padding = OPENSSL_PKCS1_PADDING ;
43+
4144 // asymmetric encryption options
42- protected int $ padding = OPENSSL_PKCS1_OAEP_PADDING ;
45+ protected int $ enc_padding = OPENSSL_PKCS1_OAEP_PADDING ;
4346
4447 // symmetric encryption options
4548 protected string $ cipher ;
@@ -83,7 +86,7 @@ public function encrypt(
8386 }
8487
8588 $ ciphertext = '' ;
86- if (!$ fn ($ plaintext , $ ciphertext , $ key ->getMaterial (), $ this ->padding )) {
89+ if (!$ fn ($ plaintext , $ ciphertext , $ key ->getMaterial (), $ this ->enc_padding )) {
8790 throw new OpenSSLException ('Cannot encrypt data ' );
8891 }
8992 return $ ciphertext ;
@@ -139,7 +142,7 @@ public function decrypt(
139142 }
140143
141144 $ plaintext = '' ;
142- if (!$ fn ($ ciphertext , $ plaintext , $ key ->getMaterial (), $ this ->padding )) {
145+ if (!$ fn ($ ciphertext , $ plaintext , $ key ->getMaterial (), $ this ->enc_padding )) {
143146 throw new OpenSSLException ('Cannot decrypt data ' );
144147 }
145148 return $ plaintext ;
@@ -192,7 +195,7 @@ public function sign(
192195 KeyInterface $ key ,
193196 string $ plaintext ,
194197 ): string {
195- if (!openssl_sign ($ plaintext , $ signature , $ key ->getMaterial (), $ this ->digest )) {
198+ if (!openssl_sign ($ plaintext , $ signature , $ key ->getMaterial (), $ this ->digest , $ this -> sig_padding )) {
196199 throw new OpenSSLException ('Cannot sign data ' );
197200 }
198201 return $ signature ;
@@ -214,7 +217,7 @@ public function verify(
214217 string $ plaintext ,
215218 string $ signature ,
216219 ): bool {
217- return openssl_verify ($ plaintext , $ signature , $ key ->getMaterial (), $ this ->digest ) === 1 ;
220+ return openssl_verify ($ plaintext , $ signature , $ key ->getMaterial (), $ this ->digest , $ this -> sig_padding ) === 1 ;
218221 }
219222
220223
@@ -236,11 +239,11 @@ public function setCipher(string $cipher): void
236239 $ this ->cipher = $ cipher ;
237240 switch ($ cipher ) {
238241 case C::KEY_TRANSPORT_RSA_1_5 :
239- $ this ->padding = OPENSSL_PKCS1_PADDING ;
242+ $ this ->enc_padding = OPENSSL_PKCS1_PADDING ;
240243 break ;
241244 case C::KEY_TRANSPORT_OAEP :
242245 case C::KEY_TRANSPORT_OAEP_MGF1P :
243- $ this ->padding = OPENSSL_PKCS1_OAEP_PADDING ;
246+ $ this ->enc_padding = OPENSSL_PKCS1_OAEP_PADDING ;
244247 break ;
245248 case C::BLOCK_ENC_AES128_GCM :
246249 case C::BLOCK_ENC_AES192_GCM :
@@ -255,6 +258,27 @@ public function setCipher(string $cipher): void
255258 }
256259
257260
261+ /**
262+ * Set the padding method to be used by this backend.
263+ *
264+ * @param string $algId The identifier of the signature algorithm.
265+ */
266+ public function setSignaturePadding (string $ algId ): void
267+ {
268+ $ padding = match ($ algId ) {
269+ C::SIG_RSA_PSS_SHA1 => OPENSSL_PKCS1_PSS_PADDING ,
270+ C::SIG_RSA_PSS_SHA224 => OPENSSL_PKCS1_PSS_PADDING ,
271+ C::SIG_RSA_PSS_SHA256 => OPENSSL_PKCS1_PSS_PADDING ,
272+ C::SIG_RSA_PSS_SHA384 => OPENSSL_PKCS1_PSS_PADDING ,
273+ C::SIG_RSA_PSS_SHA512 => OPENSSL_PKCS1_PSS_PADDING ,
274+
275+ default => OPENSSL_PKCS1_PADDING ,
276+ };
277+
278+ $ this ->sig_padding = $ padding ;
279+ }
280+
281+
258282 /**
259283 * Set the digest algorithm to be used by this backend.
260284 *
0 commit comments