Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dmm/add invalid sig errors #86

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Dmm/add invalid sig errors #86

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
dd1a559
Add service provider tests
Sgtpluck Nov 24, 2023
75eb33f
Update valid_signature? to use find method
Sgtpluck Nov 24, 2023
873c646
Update request.rb to allow hard validation errors
Sgtpluck Nov 24, 2023
3bf439c
Standardize quote marks
Sgtpluck Nov 24, 2023
0d555da
Updates based on PR feedback
Sgtpluck Nov 24, 2023
b1bd75b
Update ValidationError class to have an error_code
Sgtpluck Nov 27, 2023
c27da1c
Add ValidationError if the SignatureAlgorithm does not have SHA256
Sgtpluck Nov 27, 2023
061b51b
Fix typo
Sgtpluck Nov 27, 2023
59d17eb
Only raise request errors
Sgtpluck Nov 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion lib/saml_idp.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,8 +75,9 @@ def options_have_signature(options)
private :options_have_signature

def valid_signature?(fingerprint, options = {})
soft_fail = options[:soft].nil? ? true : options[:soft]
(signed? || options_have_signature(options)) &&
signed_document.validate(fingerprint, :soft, options)
signed_document.validate(fingerprint, soft_fail, options)
end

def signed_document
Expand Down
19 changes: 13 additions & 6 deletions lib/saml_idp/request.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -141,7 +141,8 @@ def valid?
end

unless authn_request? || logout_request?
log "One and only one of authnrequest and logout request is required. authnrequest: #{authn_request?} logout_request: #{logout_request?} "
log 'One and only one of authnrequest and logout request is required. '
+ "authnrequest: #{authn_request?} logout_request: #{logout_request?} "
errors.push(:no_auth_or_logout_request)
end

Expand All @@ -150,10 +151,15 @@ def valid?
errors.push(:no_response_url)
end

unless service_provider? && valid_signature?
log "Signature is invalid in #{raw_xml}"
# TODO: We should get more specific errors
errors.push(:invalid_signature)
if service_provider?
begin
unless valid_signature?
log "Signature is invalid in #{raw_xml}"
errors.push(:invalid_signature)
end
rescue SamlIdp::XMLSecurity::SignedDocument::ValidationError => e
errors.push(e.error_code)
end
end

errors.blank?
Expand All @@ -166,7 +172,7 @@ def signed?
def valid_signature?
# Force signatures for logout requests because there is no other
# protection against a cross-site DoS.
service_provider.valid_signature?(document, logout_request?, options)
service_provider.valid_signature?(document, logout_request?, options.merge(soft: false))
Sgtpluck marked this conversation as resolved.
Show resolved Hide resolved
end

def service_provider?
Expand Down Expand Up @@ -262,5 +268,6 @@ def service_provider_finder
config.service_provider.finder
end
private :service_provider_finder

Sgtpluck marked this conversation as resolved.
Show resolved Hide resolved
end
end
14 changes: 10 additions & 4 deletions lib/saml_idp/service_provider.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,13 +21,19 @@ def valid?
end

def valid_signature?(doc, require_signature = false, options = {})
Array(certs).any? do |cert|
if doc.valid_signature?(fingerprint_cert(cert), options.merge(cert: cert))
@matching_cert = cert
end
@matching_cert = Array(certs).find do |cert|
doc.valid_signature?(fingerprint_cert(cert), options.merge(cert: cert))
end

no_raising_errors = options[:soft].nil? ? true : options[:soft]

if require_signature || should_validate_signature?
if certs.blank? && !no_raising_errors
raise SamlIdp::XMLSecurity::SignedDocument::ValidationError.new(
'No certificate registered',
:no_cert_registered
)
end
!!@matching_cert
else
true
Expand Down
45 changes: 37 additions & 8 deletions lib/saml_idp/xml_security.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,15 @@
module SamlIdp
module XMLSecurity
class SignedDocument < REXML::Document
ValidationError = Class.new(StandardError)
class ValidationError < StandardError
attr_reader :error_code

def initialize(msg=nil, error_code=nil)
@error_code = error_code
super(msg)
end
end

C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

Expand All @@ -51,7 +59,10 @@ def validate(idp_cert_fingerprint, soft = true, options = {})
begin
OpenSSL::X509::Certificate.new(cert_text)
rescue OpenSSL::X509::CertificateError => e
return soft ? false : (raise ValidationError.new("Invalid certificate"))
return soft ? false : (raise ValidationError.new(
'Invalid certificate',
:invalid_certificate
))
end

# check cert matches registered idp cert
Expand All @@ -60,7 +71,10 @@ def validate(idp_cert_fingerprint, soft = true, options = {})
plain_idp_cert_fingerprint = idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase

if fingerprint != plain_idp_cert_fingerprint && sha1_fingerprint != plain_idp_cert_fingerprint
return soft ? false : (raise ValidationError.new("Fingerprint mismatch"))
return soft ? false : (raise ValidationError.new(
'Fingerprint mismatch',
:fingerprint_mismatch
))
end

validate_doc(base64_cert, soft, options)
Expand Down Expand Up @@ -100,17 +114,25 @@ def find_base64_cert(options)
if cert_element
return cert_element.text unless cert_element.text.blank?

raise ValidationError.new("Certificate element present in response (ds:X509Certificate) but evaluating to nil")
raise ValidationError.new(
"Certificate element present in response (ds:X509Certificate) but evaluating to nil",
:present_but_nil
)
elsif options[:cert]
if options[:cert].is_a?(String)
options[:cert]
elsif options[:cert].is_a?(OpenSSL::X509::Certificate)
Base64.encode64(options[:cert].to_pem)
else
raise ValidationError.new("options[:cert] must be Base64-encoded String or OpenSSL::X509::Certificate")
raise ValidationError.new(
'options[:cert] must be Base64-encoded String or OpenSSL::X509::Certificate',
:not_base64_or_cert
)
end
else
raise ValidationError.new("Certificate element missing in response (ds:X509Certificate) and not provided in options[:cert]")
raise ValidationError.new(
'Certificate element missing in response (ds:X509Certificate) and not provided in options[:cert]',
:cert_missing)
Sgtpluck marked this conversation as resolved.
Show resolved Hide resolved
end
end

Expand Down Expand Up @@ -178,7 +200,11 @@ def validate_doc_embedded_signature(base64_cert, soft = true)
digest_value = Base64.decode64(REXML::XPath.first(ref, "//ds:DigestValue", sig_namespace_hash).text)

unless digests_match?(hash, digest_value)
return soft ? false : (raise ValidationError.new("Digest mismatch"))
return soft ? false : (raise ValidationError.new(
"Digest mismatch",
:digest_mismatch
))

end
end

Expand All @@ -196,7 +222,10 @@ def verify_signature(base64_cert, sig_alg, signature, canon_string, soft)
signature_algorithm = algorithm(sig_alg)

unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
return soft ? false : (raise ValidationError.new("Key validation error"))
return soft ? false : (raise ValidationError.new(
'Key validation error',
:key_validation_error
))
end

return true
Expand Down
Loading