GHSL-2023-143, GHSL-2023-144, deny unsigned SAML response (#624)

OpenIdentityPlatform · Jul 18, 2023 · 7c18543 · 7c18543
1 parent 46bce7d
commit 7c18543
Showing 1 changed file with 10 additions and 6 deletions.
diff --git a/...ation/openam-federation-library/src/main/java/com/sun/identity/saml/common/SAMLUtils.java b/...ation/openam-federation-library/src/main/java/com/sun/identity/saml/common/SAMLUtils.java
@@ -951,6 +951,10 @@ public static Response getResponse(byte [] bytes) {
      */
     public static boolean verifyResponse(Response response,
     String requestUrl, HttpServletRequest request) {
+        if(!response.isSigned()) {
+            debug.message("verifyResponse: Response is not signed");
+            return false;
+        }
         if (!response.isSignatureValid()) {
             debug.message("verifyResponse: Response's signature is invalid.");
             return false;
@@ -1585,13 +1589,13 @@ public static Map processResponse(Response samlResponse, String target)
         List assertions = null;    
         SAMLServiceManager.SOAPEntry partnerdest = null;
         Subject assertionSubject = null;
-        if (samlResponse.isSigned()) {
-            // verify the signature
-            boolean isSignedandValid = verifySignature(samlResponse);
-            if (!isSignedandValid) {
-                throw new SAMLException(bundle.getString("invalidResponse"));
-            }
+
+        // verify the signature
+        boolean isSignedandValid = verifySignature(samlResponse);
+        if (!isSignedandValid) {
+            throw new SAMLException(bundle.getString("invalidResponse"));
         }
+
         // check Assertion and get back a Map of relevant data including,
         // Subject, SOAPEntry for the partner and the List of Assertions.
         Map ssMap = verifyAssertionAndGetSSMap(samlResponse);