POssible alternative to #17386 - adding SAML key size to env

Signed-off-by: snipe <snipe@snipe.net>
2025-10-29 11:21:21 +00:00 · 2025-08-21 11:27:50 +01:00 · 2025-08-21 11:27:50 +01:00 · 39e6223ff2
commit 39e6223ff2
parent 15f97b6cb9
3 changed files with 26 additions and 3 deletions
--- a/.env.example
+++ b/.env.example
@ -193,11 +193,17 @@ LDAP_TIME_LIM=600
 IMPORT_TIME_LIMIT=600
 IMPORT_MEMORY_LIMIT=500M
 REPORT_TIME_LIMIT=12000
-REQUIRE_SAML=false
 API_THROTTLE_PER_MINUTE=120
 CSV_ESCAPE_FORMULAS=true
 LIVEWIRE_URL_PREFIX=null

+
+# --------------------------------------------
+# OPTIONAL: SAML SETTINGS
+# --------------------------------------------
+REQUIRE_SAML=false
+SAML_KEY_SIZE=2048
+
 # --------------------------------------------
 # OPTIONAL: HASHING
 # --------------------------------------------
--- a/app/Http/Requests/SettingsSamlRequest.php
+++ b/app/Http/Requests/SettingsSamlRequest.php
@ -109,7 +109,7 @@ class SettingsSamlRequest extends FormRequest
                ];

                $pkey = openssl_pkey_new([
-                    'private_key_bits' => 2048,
+                    'private_key_bits' => config('app.saml_key_size'),
                    'private_key_type' => OPENSSL_KEYTYPE_RSA,
                ]);

--- a/config/app.php
+++ b/config/app.php
@ -207,7 +207,7 @@ return [

    /*
    |--------------------------------------------------------------------------
-    | Require SAML Login
+    |  Require SAML Login
    |--------------------------------------------------------------------------
    |
    | Disable the ability to login via form login, and disables the 'nosaml'
@ -220,6 +220,23 @@ return [

    'require_saml' => env('REQUIRE_SAML', false),

+    /*
+    |--------------------------------------------------------------------------
+    |  SAML KEYS
+    |--------------------------------------------------------------------------
+    |
+    | This is the size of the keys used by openssl_pkey_new for SAML authentication.
+    | The default is 2048 bits, but this can be changed to 3072 or 4096 bits
+    | for higher security. Note that this will increase the time it takes to
+    | generate the keys, so it is not recommended to set this to a very high value
+    | unless you have a specific need for it.
+    |
+    | The European Commission now requires at least 3072-bit keys for new SAML certificates
+    | @link https://github.com/grokability/snipe-it/issues/17386
+    */
+
+    'saml_key_size' => env('SAML_KEY_SIZE', 2048),
+

    /*
    |--------------------------------------------------------------------------