Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

connector/saml: fix validation bug with multiple Assertion elements #893

Merged
merged 2 commits into from Apr 4, 2017
Merged

connector/saml: fix validation bug with multiple Assertion elements #893

merged 2 commits into from Apr 4, 2017

Conversation

ericchiang
Copy link
Contributor

@ericchiang ericchiang commented Apr 4, 2017
edited

This diff is so big because the fix reworks the response signature validation. To ensure the refactors work, a new test framework using xmlsec1 was added, which includes a malicious test case that would previously have been accepted.

Eric Chiang added 2 commits April 4, 2017 11:11
connector/saml: fix validation bug with multiple Assertion elements
e0709dc 
When a SAML response provided multiple Assertion elements, only the
first one is checked for a valid signature. If the Assertion is
verified, the original Assertion is removed and the canonicalized
version is prepended to the Response. However, if there were
multiple assertions, the second assertion could end up first in the
list of Assertions, even if it was unsigned.

For example this:

    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <Signature>
          <!-- Correrctly signed assertion -->
        </Signature>
      </Assertion>

      <Assertion>
        <!-- Unsigned assertion inserted by attacker-->
      </Assertion>
    </Response>

could be verified then re-ordered to the following:

    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <!-- Unsigned assertion inserted by attacker-->
      </Assertion>

      <Assertion>
        <!-- Canonicalized, correrctly signed assertion -->
      </Assertion>
    </Response>

Fix this by removing all unverified child elements of the Response,
not just the original assertion.
connector/saml: refactor tests and add self-signed responses
a97cffc 
Introduces SAML tests which execute full response processing and
compare user attributes. tesdata now includes a full, self-signed
CA and documents signed using xmlsec1.

Adds deprication notices to existing tests, but don't remove them
since they still provide coverage.
rithujohn191
rithujohn191 approved these changes Apr 4, 2017
View reviewed changes
Copy link
Contributor

@rithujohn191 rithujohn191 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Ran the unit tests. Merge on green

@ericchiang ericchiang merged commit 207d207 into dexidp:master Apr 4, 2017
@ericchiang ericchiang deleted the fix-saml-validation branch April 4, 2017 18:18
@ericchiang ericchiang mentioned this pull request Apr 4, 2017
Closed
mmrath pushed a commit to mmrath/dex that referenced this pull request Sep 2, 2019
@ericchiang
Merge pull request dexidp#893 from ericchiang/fix-saml-validation
9ab4bb7 
connector/saml: fix validation bug with multiple Assertion elements
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rithujohn191 rithujohn191 rithujohn191 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ericchiang @rithujohn191