This repository has been archived by the owner on Nov 29, 2022. It is now read-only.
SES-51: Invalid signature does not result in failure #57
Labels: in: core (an issue in spring-security-saml-core); type: bug (a general bug); type: jira (an issue that was migrated from JIRA)
Phil Varner (Migrated from SES-51) said:
In AbstractProfileBase, this method is used to verify the signature of a message:
```java
protected void verifySignature(Signature signature, String IDPEntityID) throws org.opensaml.xml.security.SecurityException, ValidationException {
    SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
    validator.validate(signature);
    CriteriaSet criteriaSet = new CriteriaSet();
    criteriaSet.add(new EntityIDCriteria(IDPEntityID));
    criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
    criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
    log.debug("Verifying signature", signature);
    // The boolean result of validate() is discarded here.
    trustEngine.validate(signature, criteriaSet);
}
```
However, trustEngine.validate (SignatureTrustEngine.validate) returns "false" if the signature is invalid, rather than throwing a ValidationException as I believe this method is expecting. According to the javadoc for this method:
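To make the failure mode concrete, here is a self-contained illustration (added here; not code from the spring-security-saml project or from the reporter). It replaces OpenSAML's `SignatureTrustEngine` with a minimal stand-in interface whose `validate` has the same contract, returning `false` for an untrusted or invalid signature rather than throwing, and compares a verifier that discards that result with one that turns `false` into a `ValidationException`. The `TrustEngine`, `FixedKeyTrustEngine`, the string-valued "signatures", and the entity ID are all constructed for the example.

```java
// Stand-in for OpenSAML's SignatureTrustEngine (hypothetical, simplified):
// like the real interface, validate() signals an untrusted or invalid
// signature by returning false. The real one additionally throws
// org.opensaml.xml.security.SecurityException only on processing errors.
interface TrustEngine {
    boolean validate(String signature, String expectedIssuer);
}

// Constructed trust engine: accepts exactly one signature value for one issuer,
// standing in for "signed with the key published in the IdP's metadata".
final class FixedKeyTrustEngine implements TrustEngine {
    private final String trustedIssuer;
    private final String trustedSignature;

    FixedKeyTrustEngine(String trustedIssuer, String trustedSignature) {
        this.trustedIssuer = trustedIssuer;
        this.trustedSignature = trustedSignature;
    }

    @Override
    public boolean validate(String signature, String expectedIssuer) {
        return trustedIssuer.equals(expectedIssuer) && trustedSignature.equals(signature);
    }
}

final class ValidationException extends Exception {
    ValidationException(String message) { super(message); }
}

public final class SignatureCheckDemo {
    private final TrustEngine trustEngine;

    SignatureCheckDemo(TrustEngine trustEngine) { this.trustEngine = trustEngine; }

    // Mirrors the reported method: the boolean is dropped on the floor, so an
    // untrusted signature never becomes an error and the message is accepted.
    void verifySignatureBroken(String signature, String idpEntityId) throws ValidationException {
        trustEngine.validate(signature, idpEntityId);
    }

    // Corrected form: a false result is converted into the exception the caller expects.
    void verifySignatureFixed(String signature, String idpEntityId) throws ValidationException {
        if (!trustEngine.validate(signature, idpEntityId)) {
            throw new ValidationException("Signature is not trusted or invalid for issuer " + idpEntityId);
        }
    }

    // Returns true when the chosen verifier accepted the signature.
    static boolean accepted(SignatureCheckDemo demo, boolean useFixed, String signature, String idp) {
        try {
            if (useFixed) {
                demo.verifySignatureFixed(signature, idp);
            } else {
                demo.verifySignatureBroken(signature, idp);
            }
            return true;
        } catch (ValidationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String idp = "https://idp.example.org/saml";   // constructed entity ID
        String genuine = "sig-from-idp-key";           // constructed: what the trusted key produces
        String forged = "sig-from-attacker-key";       // constructed: signed with some other key

        SignatureCheckDemo demo = new SignatureCheckDemo(new FixedKeyTrustEngine(idp, genuine));

        if (!accepted(demo, false, forged, idp)) {
            throw new AssertionError("expected the broken verifier to accept the forged signature");
        }
        if (accepted(demo, true, forged, idp)) {
            throw new AssertionError("expected the fixed verifier to reject the forged signature");
        }
        if (!accepted(demo, true, genuine, idp)) {
            throw new AssertionError("expected the fixed verifier to accept the genuine signature");
        }
        System.out.println("broken verifier accepts forged signature; fixed verifier rejects it");
    }
}
```

The only difference between the two verifiers is the `if (!...) throw` around the trust-engine call; with the boolean ignored, `SAMLSignatureProfileValidator` still catches structurally malformed signatures, but a well-formed signature made with an attacker's key passes through as trusted.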