Adding more test to #139. Modify how multiple cert support works. Now getIdpx509certMulti only returns the cert registered as Multi following the description that had the method. Add multiCert support on LogoutRequest and LogoutResponse

Author: pitbulk

core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java

@@ -281,19 +281,30 @@ public boolean isValid(String requestId) {
 
 				validateSubjectConfirmation(responseInResponseTo);
 
-                if (settings.getWantAssertionsSigned() && !hasSignedAssertion) {
-                	throw new ValidationError("The Assertion of the Response is not signed and the SP requires it", ValidationError.NO_SIGNED_ASSERTION);
-                }
+				if (settings.getWantAssertionsSigned() && !hasSignedAssertion) {
+					throw new ValidationError("The Assertion of the Response is not signed and the SP requires it", ValidationError.NO_SIGNED_ASSERTION);
+				}
 
-                if (settings.getWantMessagesSigned() && !hasSignedResponse) {
-                	throw new ValidationError("The Message of the Response is not signed and the SP requires it", ValidationError.NO_SIGNED_MESSAGE);
-                }
+				if (settings.getWantMessagesSigned() && !hasSignedResponse) {
+					throw new ValidationError("The Message of the Response is not signed and the SP requires it", ValidationError.NO_SIGNED_MESSAGE);
+				}
 			}
 
 			if (signedElements.isEmpty() || (!hasSignedAssertion && !hasSignedResponse)) {
 				throw new ValidationError("No Signature found. SAML Response rejected", ValidationError.NO_SIGNATURE_FOUND);
 			} else {				 
-				List<X509Certificate> certList = settings.getIdpx509certMulti();
+				X509Certificate cert = settings.getIdpx509cert();
+				List<X509Certificate> certList = new ArrayList<X509Certificate>();
+				List<X509Certificate> multipleCertList = settings.getIdpx509certMulti();
+
+				if (multipleCertList != null && multipleCertList.size() != 0) {
+					certList = multipleCertList;
+				}
+
+				if (cert != null && !certList.contains(cert)) {
+					certList.add(0, cert);
+				}
+
 				String fingerprint = settings.getIdpCertFingerprint();
 				String alg = settings.getIdpCertFingerprintAlgorithm();
 

core/src/main/java/com/onelogin/saml2/logout/LogoutRequest.java

@@ -363,6 +363,16 @@ public Boolean isValid() throws Exception {
 					throw new SettingsException("In order to validate the sign on the Logout Request, the x509cert of the IdP is required", SettingsException.CERT_NOT_FOUND);
 				}
 
+				List<X509Certificate> certList = settings.getIdpx509certMulti();
+				if (certList != null) {
+					if (!certList.contains(cert)) {
+						certList.add(0, cert);
+					}
+				} else {
+					certList = new ArrayList<X509Certificate>();
+					certList.add(cert);
+				}
+
 				String signAlg = request.getParameter("SigAlg");
 				if (signAlg == null || signAlg.isEmpty()) {
 					signAlg = Constants.RSA_SHA1;
@@ -377,7 +387,7 @@ public Boolean isValid() throws Exception {
 
 				signedQuery += "&SigAlg=" + request.getEncodedParameter("SigAlg", signAlg);
 
-				if (!Util.validateBinarySignature(signedQuery, Util.base64decoder(signature), cert, signAlg)) {
+				if (!Util.validateBinarySignature(signedQuery, Util.base64decoder(signature), certList, signAlg)) {
 					throw new ValidationError("Signature validation failed. Logout Request rejected", ValidationError.INVALID_SIGNATURE);
 				}
 			}

core/src/main/java/com/onelogin/saml2/logout/LogoutResponse.java

@@ -3,8 +3,10 @@
 import java.io.IOException;
 import java.net.URL;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Calendar;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 
@@ -231,6 +233,17 @@ public Boolean isValid(String requestId) {
 					throw new SettingsException("In order to validate the sign on the Logout Response, the x509cert of the IdP is required", SettingsException.CERT_NOT_FOUND);
 				}
 
+				List<X509Certificate> certList = settings.getIdpx509certMulti();
+				if (certList != null) {
+					if (!certList.contains(cert)) {
+						certList.add(0, cert);
+					}
+				} else {
+					certList = new ArrayList<X509Certificate>();
+					certList.add(cert);
+				}
+
+
 				String signAlg = request.getParameter("SigAlg");
 				if (signAlg == null || signAlg.isEmpty()) {
 					signAlg = Constants.RSA_SHA1;
@@ -245,7 +258,7 @@ public Boolean isValid(String requestId) {
 
 				signedQuery += "&SigAlg=" + request.getEncodedParameter("SigAlg", signAlg);
 
-				if (!Util.validateBinarySignature(signedQuery, Util.base64decoder(signature), cert, signAlg)) {
+				if (!Util.validateBinarySignature(signedQuery, Util.base64decoder(signature), certList, signAlg)) {
 					throw new ValidationError("Signature validation failed. Logout Response rejected", ValidationError.INVALID_SIGNATURE);
 				}
 			}

core/src/main/java/com/onelogin/saml2/settings/SettingsBuilder.java

@@ -244,7 +244,6 @@ private void loadIdpSetting() {
 		X509Certificate idpX509cert = loadCertificateFromProp(IDP_X509CERT_PROPERTY_KEY);
 		if (idpX509cert != null) {
 			saml2Setting.setIdpx509cert(idpX509cert);
-			idpX509certMulti.add(0, idpX509cert);
 		}
 
 		String idpCertFingerprint = loadStringProperty(CERTFINGERPRINT_PROPERTY_KEY);

core/src/main/java/com/onelogin/saml2/util/Util.java

@@ -1219,6 +1219,47 @@ public static Boolean validateBinarySignature(String signedQuery, byte[] signatu
 		return valid;
 	}
 
+	/**
+	 * Validates signed binary data (Used to validate GET Signature).
+	 *
+	 * @param signedQuery
+	 * 				 The element we should validate
+	 * @param signature
+	 * 				 The signature that will be validate
+	 * @param certList
+	 * 				 The List of certificates
+	 * @param signAlg
+	 * 				 Signature Algorithm
+	 * 
+	 * @return the signed document in string format
+	 *
+	 * @throws NoSuchAlgorithmException
+	 * @throws NoSuchProviderException 
+	 * @throws InvalidKeyException 
+	 * @throws SignatureException 
+	 */
+	public static Boolean validateBinarySignature(String signedQuery, byte[] signature, List<X509Certificate> certList, String signAlg) throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException, SignatureException {
+		Boolean valid = false;
+
+		org.apache.xml.security.Init.init();
+		String convertedSigAlg = signatureAlgConversion(signAlg);
+		Signature sig = Signature.getInstance(convertedSigAlg); //, provider);
+
+		for (X509Certificate cert : certList) {
+			try {	
+				sig.initVerify(cert.getPublicKey());
+				sig.update(signedQuery.getBytes());
+				valid = sig.verify(signature);
+				if (valid) {
+					break;
+				}
+			} catch (Exception e) {
+				LOGGER.warn("Error executing validateSign: " + e.getMessage(), e);
+			}
+		}
+		return valid;
+	}
+
 	/**
 	 * Generates a nameID.
 	 *