Optionally allow expired signing certificates? #234
Labels
Comments
|
This is a tricky one. It offends my sense of right and wrong that we’d need to accommodate expired certificates, but the world is what it is. That said, If we need to, so be it. 🤷♀️ Architecturally, it is trickier. What do you think about a callback that allows you to modify how the certificate is validated, which you could replace with your own validation function? Maybe someone along the lines of what I’m proposing in #230 ? |
|
Sounds good to me. Just to make sure I understand: ServiceProvider's method validateSignature() would call this callback instead of the current call to validationContext.Validate(el)? The callback would be set in samlsp.Options? And by default of course we'd keep the current behaviour. |
|
Yes, that should about right. I think there are a few things people might want to do here, which I'd like to be able to support as generically as possible. Perhaps you want to override So, if we had an interface like this, I think it would cover all/most of those bases: I think I would prefer we add a field in ServiceProvider, but not add it to the samlsp options, which is already pretty crowded. You'd just modify the ServiceProvider instance after instantiating everything. |
|
OK. I'll try that and get back to you with a PR. Thanks! |
|
Sorry for the delay, see PR #237 |
crewjam
pushed a commit
that referenced
this issue
Dec 2, 2019
mattcobb
added a commit
to lightstep/saml
that referenced
this issue
Nov 30, 2021
* bugfix: New sometimes selected the wrong EntityDescriptor when parsing a metadata file with multiple EntityDescriptor's underneath a EntitiesDescriptor tag * Add syntax highlight * expose CookieMaxAge in samlsp Options * Enable persistent name id format (crewjam#107) * Enable persistent name id format * add ability to set the domain for the cookies (crewjam#95) * Fixed script hash to remove JS console errors when redirecting (crewjam#117) @RichardKnop PR#94 * saml{sp,idp}: add httpOnly and secure flag (conditionally) to cookies (crewjam#116) * Use dep package manager (crewjam#114) * use dep package manager * updated travis * Fix example code so that it compiles (crewjam#118) * expose ForceAuthn (crewjam#119) * fix validUntil in SPSSODescriptor fixes crewjam#123 * samlsp.Middleware.SecureCookie option (crewjam#128) * remove cruft * update README * fix some minor lint / style errors * samlsp: use current time for the JWT rather than the IssueInstant from the assertion (crewjam#130) fixes crewjam#122 jwt-go not support leeway parameter * travis cleanup: remove older go versions (crewjam#132) * samlsp: remove X-Saml headers in favor of attaching Claims to request context (crewjam#131) * samlsp: move the setting and reading of cookies into an interface (crewjam#133) We’ve had a bunch of changes requesting the ability to customize how cookies are set and it is getting a little messy. This change moves the code to setting and reading cookies into two interfaces which you can extend/customize. * add field to IdpAuthnRequest so you can externally control the “current” time (crewjam#136) The default is obviously the current time, but for various reasons you may wish to evaluate the response at a different reference time, for example processing a response that has been deferred. We can’t use the global TimeNow() thunk, which is designed for testing, because it isn’t safe to modify concurrently. * idp: handle assertions where no ACS url is specified (crewjam#139) * add test cases for SAML comment injection (crewjam#140) ref: CVE-2017-11427 ref: CVE-2017-11428 ref: CVE-2017-11429 ref: CVE-2017-11430 ref: CVE-2018-0489 ref: CVE-2018-7340 ref: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations * Update PGP key in README.md * make MaxIssueDelay configurable at runtime (mini-hack) * Remove the default xmlns from the expected output because the encoder does not reset the default. Should resolve the test for issue 152. (crewjam#158) * Added Travis badge (crewjam#159) * Fixed some typos in the README.md file. (crewjam#160) * dep ensure [ch16254] (crewjam#156) * add the ability to use custom cookie names and domain * fix missing time on IDP-initiated IdpAuthnRequest (crewjam#147) * added godoc badge to README.md (crewjam#143) * made selected binding configureable (crewjam#144) * Fix AES decryption (crewjam#142) Fix AES decryption by decrypting the EncryptedKey from the response, and passing the decrypted key to the data encryption. * idp: Allow intermediates to be encoded in signature (crewjam#127) * idp: Make signature method configurable (crewjam#126) * Removed %s format for claims audience not matching Provider EntityID for crewjam#154 (crewjam#161) * add support for a logout URL binding * add stale integration ref: https://probot.github.io/apps/stale/ * add support for other external middleware (crewjam#184) Changed samlsp/middleware.go to move the request handling part of the RequireAccount method out into a separate public method attached to the middleware type which can be used as a stand alone HTTP RequestHandler. That way the Handler can be used with other middleware chains which provide their own http.Handler wrapper methods. * crewjam#192: Support multiple IdP signing certificates * crewjam#192: Account for Go/check changes. * Handle root URL's with trailing slash * crewjam#194: Properly default EncryptionMethod/DigestMethod when not present. * Allow AudienceRestriction to be missing re crewjam#198 * Don't include the port with the domain when setting the cookie (crewjam#202) * update value of UnspecifiedNameIDFormat and EmailAddressNameIDFormat (crewjam#217) * Don't require Destination attribute in response when response is not signed (crewjam#213) * Destination is checked only if this is a signed SAML request, as that is the only case in which a Destination attribute is required. * Check Destination when present, even if response unsigned * Replaces testshib.org with samltest.id in the README (crewjam#211) Fixes crewjam#201 * Set the default domain for cookies properly (crewjam#187) Fixes crewjam#186. * Separate response validation from the Middleware so that ServiceProvider can be used standalone to validate requests. Also fix IDPInitiated requestids bug since Standalone validation may not have possibleRequestIds. * Adding support for eduPersonScopedAffiliation * Add in actual attribute evaluation for eduPersonScopedAffiliation. * Fix typo for idp example path in readme (crewjam#170) * omit validUntil if empty (crewjam#190) * Prevent panic caused by IDP-initiated login (crewjam#183) * - Check if IDP-initiated login is allowed and if so assume that the RelayState is a deep-link. - Guard against an IDP-initiated request that may not have the request ID in the claims. - Attempt to retrieve a state value using the RelayState first before checking if IDP-initiated flow is allowed. * Only address the panic in IDP-initiated login (#1) This change undoes some of the changes made in 4908b26, to just address the panic for IDP-initiated logins. I'll file an issue in the `crewjam/saml` repo about the other issue blocking IDP-initiated logins, which is how to support relay states from the IDP. * SP: Add capability to provide intermediate certs (crewjam#178) * remove bad import * remove log junk * fix compile error * Gopkg -> go.mod * tests: convert from go-check to testify * lint with golangci-lint * lint with golangci-lint * fix go.mod * fix travis configuration * fix travis configuration * Use RS256 rather than HS256 Using HS256 with the RSA private key (serialised as ASN.1 according to PKCS1) as the secret is unconventional and perhaps dangerous. The string of bytes isn't entirely random given that it starts with the version number. The encoded RSA key will be larger than the block size of the underlying hash and so to create a secret, the RSA key will be hashed. A more important problem is that we should be able to validate a jwt issued by the middleware with just the RSA public key. By moving to RS256, we can validate jwts without sharing the private key. Fix randomBytes: should ensure that the entire buffer is full. * Add Single Logout data structure * Set session NameID based on email * update test expectations * removed mandatory check for validating embedded certificate for rsa * Rename validateRSAKey to validateRSAKeyIfPresent Now that the validation is optional, the previous name did not accurately reflected the intention. * Removes unused dependencies Ran go mod tidy to remove golangci-lint as that isn't actally needed for this project. Its inclusion result in a huge number of dependencies to be imported. * travis: pin golangci-lint version * Bump github.com/beevik/etree from 1.0.1 to 1.1.0 Bumps [github.com/beevik/etree](https://github.com/beevik/etree) from 1.0.1 to 1.1.0. - [Release notes](https://github.com/beevik/etree/releases) - [Changelog](https://github.com/beevik/etree/blob/master/RELEASE_NOTES.md) - [Commits](beevik/etree@v1.0.1...v1.1.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> * update test expectations * Return status code if not success * Make cert optional for ServiceProvider.Metadata() * Add test case from OneLogin This adds a test case provided by @fredipevcin in [crewjam#25 that makes sure we can parse cases where the assertion is signed rather than the whole message. This has been supported for a while, but it is nice to ensure that the compatibility at issue continues to work. * Remove 'Failing' from certificate missing check * (Add tests for) Destination is checked only if this is a signed SAML request, as that is the only case in which a Destination attribute is required. * update readme to reflect our inability to produce encrypted assertions re crewjam#179 * fix bad merge * golangci: require comments, add a few missing ones * golangci: require comments, add a few missing ones * update test expectations * schema: don't include empty Format attributes in samlp:NameIDPolicyElement fixes crewjam#177 * make ValidDuration configurable for IDP. (crewjam#235) * refactor samlsp package to be more modular (crewjam#230) This change splits the Middleware component into three interfaces (in addition to the saml.ServiceProvider): * RequestTracker which handles tracking pending authn requests. * Session which handles issuing session cookies. * OnError which handles reporting errors to both the user and any logging. The default implementations of RequestTracker and Session use http cookie to encode JWTs, but further delegate the encoding/verification of the JWTs to codec interfaces which allow further customization, again with default implementations. This should make the *samlsp* package easier to extend to fit more use cases. Fixes crewjam#231 * Add optional callback for signature verification (crewjam#237) Fixes crewjam#234 * AllowIDPInitiated=true allows both IDP-initiated and normal (crewjam#240) * Bump github.com/kr/pretty from 0.1.0 to 0.2.0 (crewjam#243) Bumps [github.com/kr/pretty](https://github.com/kr/pretty) from 0.1.0 to 0.2.0. - [Release notes](https://github.com/kr/pretty/releases) - [Commits](kr/pretty@v0.1.0...v0.2.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> * add HTTPOnly bool to CookieSessionProvider (crewjam#248) * feat(slo): add logout response request validation (crewjam#247) * fix(slo): fix SessionIndex attribute in LogoutRequest (crewjam#245) * clean up README about breaking changes * feat(slo): add Bytes() and Deflate() functions for LogoutRequest (crewjam#251) Bytes() is needed in for returning a byte array for POST Binding. Deflate() is needed for compressing using gzip algorithm a LogoutRequest byte array. * fix(sp): no check for InResponseTo for if IDPInitiated is true (crewjam#259) * Add EntityID (crewjam#258) * feat: add Post / Redirect methods for LogoutRequest (crewjam#260) * Update README.md (crewjam#261) * Bump github.com/stretchr/testify from 1.4.0 to 1.5.0 (crewjam#263) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.4.0 to 1.5.0. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.4.0...v1.5.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> * Bump github.com/stretchr/testify from 1.5.0 to 1.5.1 (crewjam#264) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.5.0 to 1.5.1. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.5.0...v1.5.1) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> * Include a path when clearing the cookie (crewjam#278) Some browsers will refuse to remove a cookie that doesn't include the path * SessionNotOnOrAfter is serialized to XML if set (crewjam#292) It is currently possible to set SessionNotOnOrAfter directly on the Go structure, but it is not serialized to or deserialized from XML. * Fixes handling signed response with encrypted assertions (crewjam#273) When the response is signed, the verification must happen before the assertion is decrypted since the encrypted XML is used in the signature digest. The response signature is sufficient unless the assertion is also signed in which case both must be valid. * Bump github.com/kr/pretty from 0.2.0 to 0.2.1 (crewjam#294) Bumps [github.com/kr/pretty](https://github.com/kr/pretty) from 0.2.0 to 0.2.1. - [Release notes](https://github.com/kr/pretty/releases) - [Commits](kr/pretty@v0.2.0...v0.2.1) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> * Bump github.com/stretchr/testify from 1.5.1 to 1.6.1 (crewjam#288) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.5.1 to 1.6.1. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.5.1...v1.6.1) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> * Add support for signed authnRequest (crewjam#296) * Fixes handling signed response with encrypted assertions When the response is signed, the verification must happen before the assertion is decrypted since the encrypted XML is used in the signature digest. The response signature is sufficient unless the assertion is also signed in which case both must be valid. * Add support for signed authnRequests * Update metadata.go (crewjam#297) Renamed LocalizedName & LocalizedURI Lang attributes -> `xml:"http://www.w3.org/XML/1998/namespace lang,attr"` fixes crewjam#295 * Allows configuring SameSite for session cookie (crewjam#276) Fixes crewjam#275 * fix lint errors & update test expectations * update README re: security issues * fix test expectation for go 1.15 * remove output cruft from xmlenc test * [SECURITY] bump version of goxmldsig [CVE-2020-15216] There was a signature validation bypass in goxmldsig, which saml uses to authenticate assertions. This change increments the dependent version of goxmldsig to a version that is no longer affected. For more information: GHSA-q547-gmf8-8jr7 * Merge pull request from GHSA-4hq8-gmxx-h6w9 This change validates that the XML input we receive is safe to parse before passing it to the standard library's XML parsing functions or the etree DOM parsing functions. This validation mitigates critical vulnerabilities in `encoding/xml` - CVE-2020-29509, CVE-2020-29510, and CVE-2020-29511. TODO: is there going to be a go.mod version assigned to this on release? * fix version of xml-roundtrip-validator in go.mod * add SignLogoutResponse SignLogoutRequest MakeLogoutResponse * add SessionIndex to claims Attributes * Include a domain when clearing the cookie * identity_provider: extend session with CustomAttributes (crewjam#310) * add xUserId and xAccountId for session * add CustomAttributes for idp session content * fix: logout response element Response -> LogoutResponse (crewjam#305) * Spread the use of option SameSite to tracking cookies (crewjam#302) * fix formatting * travis -> github actions * fix typo in README * update test expectations * Stop validating InResponseTo when AllowIDPInitiated is set With this change we no longer validate InResponseTo when AllowIDPInitiated is set. Here's why: The SAML specification does not provide clear guidance for handling InResponseTo for IDP-initiated requests where there is no request to be in response to. The specification says: InResponseTo [Optional] The ID of a SAML protocol message in response to which an attesting entity can present the assertion. For example, this attribute might be used to correlate the assertion to a SAML request that resulted in its presentation. The initial thought was that we should specify a single empty string in possibleRequestIDs for IDP-initiated requests so that we would ensure that an InResponseTo was *not* provided in those cases where it wasn't expected. Even that turns out to be frustrating for users. And in practice some IDPs (e.g. Rippling) set a specific non-empty value for InResponseTo in IDP-initiated requests. Finally, it is unclear that there is significant security value in checking InResponseTo when we allow IDP initiated assertions. This issue has been reported quite a few times, including: Fixes crewjam#291 crewjam#286 crewjam#300 crewjam#301 crewjam#286 * set cookie domain when clearing request tracker cookie (crewjam#321) * samlsp: make middleware endpoints public (crewjam#323) * samlsp: remove deprecated fields (crewjam#324) * remove deprecated fields * update readme * add test that we can marshal an AuthnStatement without SessionNotOnOrAfter being set re crewjam#312 * samlsp: fix validating response with no issuer element (crewjam#328) * in tests, replace long strings with files we read from testdata/ * replace testify (which is more or less unmaintained) with gotest.tools * remove redundant []byte conversions * explicitly copy loop iterator variables This silences a warning from golangci-lint * fix spelling of test data file * add maintainer action to update dependencies * adjust maintainer action to update dependencies * Update go.mod * upgrade github.com/crewjam/httperr from v0.0.0-20190612203328-a946449404da to v0.2.0 * upgrade github.com/dchest/uniuri from v0.0.0-20160212164326-8902c56451e9 to v0.0.0-20200228104902-7aecb25e1fe5 * upgrade github.com/mattermost/xml-roundtrip-validator from v0.0.0-20201213122252-bcd7e1b9601e to v0.0.0-20201219040909-8fd2afad43d1 * upgrade github.com/zenazn/goji from v0.9.1-0.20160507202103-64eb34159fe5 to v1.0.1 * upgrade golang.org/x/crypto from v0.0.0-20200622213623-75b288015ac9 to v0.0.0-20201221181555-eec23a3978ad * Fix AuthN Request signing for HTTP-Redirect binding (crewjam#339) * Fix signing for HTTP-Redirect binding The currently implemented behavior for signing AuthN Requests where an enveloped signature is added in the XML Document, is appropriate only when the HTTP-POST binding is used. Signing for authentication requests when the HTTP-Redirect binding is in use, is described in http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf section 3.4.4.1 and involves generating a signature of the deflated form of the AuthN request along with some other URL parameters, mainly because of URL length considerations. This commit implements proper AuthNRequest signing support according to the specification. * Add comment for function * linter is picky :) * SplitHostPort on DeleteSession (crewjam#335) * Add explicit tests for XSW (crewjam#338) XML Signature Wrapping attacks are unfortunately still very common in SAML implementations. crewjam/saml is not vulnerable to any XSW attacks as goxmldsig and this library's use of goxmldsig are safe. This commit adds a number of tests against common XSW attacks, so that these can serve as verification of the current safe state, prevent future regressions in crewjam/saml and detect possible future regressions in goxmldsig The numbering of the permutations of the XSW attack follows that of https://github.com/CompassSecurity/SAMLRaider and a visual depiction is available in https://github.com/CompassSecurity/SAMLRaider/blob/5b9eace70e88d0af17b86c26c2cad1178b08c7d0/src/main/resources/xswlist.png * Custom relayState generator (crewjam#337) * Update go.mod (crewjam#331) * upgrade github.com/mattermost/xml-roundtrip-validator from v0.0.0-20201219040909-8fd2afad43d1 to v0.1.0 * upgrade golang.org/x/crypto from v0.0.0-20201221181555-eec23a3978ad to v0.0.0-20210317152858-513c2a44f670 Co-authored-by: Github Actions <noreply@github.com> * Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 (crewjam#336) * Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.4 to 0.5.5. - [Release notes](https://github.com/google/go-cmp/releases) - [Commits](google/go-cmp@v0.5.4...v0.5.5) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> Co-authored-by: Ross Kinder <ross@kndr.org> * update README (crewjam#340) fixes crewjam#333 * Update go.mod (crewjam#342) * upgrade golang.org/x/crypto from v0.0.0-20210317152858-513c2a44f670 to v0.0.0-20210322153248-0c34fe9e7dc2 Co-authored-by: Github Actions <noreply@github.com> * Update go.mod (crewjam#343) Co-authored-by: crewjam <crewjam@users.noreply.github.com> * Change dgrijalva/jwt-go imported module to form3tech-oss/jwt-go. (crewjam#344) * Change dgrijalva/jwt-go imported module to form3tech-oss/jwt-go. dgrijalva/jwt-go is abandoned (dgrijalva/jwt-go#457) with an outstanding security vulnerability (dgrijalva/jwt-go#422). form3tech-oss/jwt-go is a fork that has fixed the vulnerability. * Upgrade to GitHub-native Dependabot (crewjam#346) Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> * Make SP check more certs in IDP metadata (crewjam#353) From https://www.oasis-open.org/committees/download.php/56785/sstc-saml-metadata-errata-2.0-wd-05.pdf ``` [E62]A use value of "signing" means that the contained key information is applicable to both signing and TLS/SSL operations performed by the entity when acting in the enclosing role. A use value of "encryption" means that the contained key information is suitable for use in wrapping encryption keys for use by the entity when acting in the enclosing role. If the use attribute is omitted, then the contained key information is applicable to both of the above uses. ``` We need to include certificates both when they have a "use" attribute of "signing" as well as when the "use" attribute is missing. Fixes crewjam#352 SAML input from @simmel. * bring monorepo lightstep/saml changes into lightstep forked saml repo #LS-26157 * Fix merge problems * Fix valid until tests * req.now may not be initialized in MakeResponse() so use Now() * use TimeNow() * req.now not guaranteed to be defined. Use TimeNow() in IdpAuthnRequest() and MakeAssertion() * Remove old code from comments, remove commented out Skip(broken) * use upstream's new validateDestination, but modify it to use urlsMatchModuloPortNumbers(). Add clock kew to notOnOrAfter Co-authored-by: Donald Hoelle <donald@restlessbandit.com> Co-authored-by: Umayr Shahid <umayr.shahid@gmail.com> Co-authored-by: Dustin Decker <sevoma@gmail.com> Co-authored-by: Ross Kinder <ross@kndr.org> Co-authored-by: Bryce Fisher <bryce.fisher@live.com> Co-authored-by: Sevki <s@sevki.org> Co-authored-by: Paul Tötterman <ptman@users.noreply.github.com> Co-authored-by: Lucas <subandroid@users.noreply.github.com> Co-authored-by: Beyang Liu <beyang@sourcegraph.com> Co-authored-by: Nao YONASHIRO <owan.orisano@gmail.com> Co-authored-by: Darrel Herbst <dherbst@gmail.com> Co-authored-by: Neha Malviya <neha0912@gmail.com> Co-authored-by: Josh Silvas <joshua.silvas@rackspace.com> Co-authored-by: ☃ Elliot Shepherd <elliot@identitii.com> Co-authored-by: Christoph Hack <tux21b@users.noreply.github.com> Co-authored-by: Volkan Gürel <volkangurel@users.noreply.github.com> Co-authored-by: Andrew Pilloud <apilloud@users.noreply.github.com> Co-authored-by: jb <jdbrokaw@gmail.com> Co-authored-by: Stephen Kress <stephen.kress@rstudio.com> Co-authored-by: Geoff Bourne <geoff.bourne@rackspace.com> Co-authored-by: Robin Wood <robin@digi.ninja> Co-authored-by: Noval Agung Prayogo <novalagung@users.noreply.github.com> Co-authored-by: Chris Vermilion <christopher.vermilion@gmail.com> Co-authored-by: Joe Siltberg <joe@joesiltberg.se> Co-authored-by: Daniel Cormier <dcormier@users.noreply.github.com> Co-authored-by: Tom Bruno <24335+tebruno99@users.noreply.github.com> Co-authored-by: Shane Jeffery <sjeffery@treetopllc.com> Co-authored-by: ferhat elmas <elmas.ferhat@gmail.com> Co-authored-by: Christopher Goulet <christophergoulet@outlook.com> Co-authored-by: Praneet Loke <1466314+praneetloke@users.noreply.github.com> Co-authored-by: Benjamin Schubert <brm.schubert@gmail.com> Co-authored-by: Stevie Johnstone <stevie@jazznetworks.com> Co-authored-by: Ryan Zhang <ryan.zhang@docker.com> Co-authored-by: Grace Noah <gracenoahgh@gmail.com> Co-authored-by: Jon Gyllensward <jon.gyllensward@grafana.com> Co-authored-by: gotjosh <josue@grafana.com> Co-authored-by: Leonard Gram <leo@xlson.com> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> Co-authored-by: Michael Rauh <michael.rauh@ecsec.de> Co-authored-by: Matthew Steffen <msteffen@pachyderm.io> Co-authored-by: Bryce Fisher <bfisher-sub@novetta.com> Co-authored-by: Jan Szumiec <jan.szumiec@gmail.com> Co-authored-by: aspeteRakete <fdubrownik@gmail.com> Co-authored-by: Joe Siltberg <git@joesiltberg.se> Co-authored-by: David Goeke <github@waygate.org> Co-authored-by: Daniel Hochman <danielhochman@users.noreply.github.com> Co-authored-by: Mathieu Mailhos <mathieumailhos@gmail.com> Co-authored-by: miketonks <miketonks99@gmail.com> Co-authored-by: (0x794E6).toString(36) <andypeng2010@gmail.com> Co-authored-by: Andreas Fritzler <afritzler@users.noreply.github.com> Co-authored-by: Ron Kuris <swcafe@gmail.com> Co-authored-by: Andy Lindeman <andy@lindeman.io> Co-authored-by: Ricardo Andrade <ricardofandrade@users.noreply.github.com> Co-authored-by: bstrueb <bstrueb@gmail.com> Co-authored-by: Ross Kinder <ross@grooveid.com> Co-authored-by: neilli-sable <omprand.serbei@gmail.com> Co-authored-by: Alex Yan <yanhao1991@gmail.com> Co-authored-by: Alan Shreve <alan@inconshreveable.com> Co-authored-by: AlekseyZolotuhin <5293057+sly-roar@users.noreply.github.com> Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> Co-authored-by: Github Actions <noreply@github.com> Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com> Co-authored-by: yuki2006 <yagfair@gmail.com> Co-authored-by: Harold Alcala <harold.dev@gmail.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: crewjam <crewjam@users.noreply.github.com> Co-authored-by: Bay Grabowski <baygrabowski@gmail.com> Co-authored-by: Patrik Lundin <patrik@sigterm.se>
atezet
pushed a commit
to atezet/saml
that referenced
this issue
Jul 9, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm not sure if this is a good idea or not, and if it's something that would be done in this project or goxmldsig (or both). If you think it's a valid feature that would be accepted into master I might be able to help out with a PR.
My SP needs to work with an IdP with an expired certificate. They claim this is common and many service providers accept their expired certificate.
I'm thinking that if the certificate found in Signature matches one we trust from the IdP metadata, we could optionally skip checking the cert's NotBefore/NotAfter when validating the signature.
Looking at the code it seems like it would need to be done both in this project and goxmldsig, unless we send in a faked Clock when asking goxmldsig to validate the signature but that seems ugly.
What do you think?
The text was updated successfully, but these errors were encountered: