Merge pull request #79 from miszobi/issue/78-avoid-response-signature-spoofing

fixes #78: make sure the correct Signature elements are  verified

Author: pitbulk

core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java

@@ -160,6 +160,8 @@ public boolean isValid(String requestId) {
 
 			ArrayList<String> signedElements = processSignedElements();
 
+			final boolean hasSignedAssertion = signedElements.contains("Assertion");
+			final boolean hasSignedResponse = signedElements.contains("Response");
 			if (settings.isStrict()) {
 				if (settings.getWantXMLValidation()) {
 					if (!Util.validateXML(samlResponseDocument, SchemaFactory.SAML_SCHEMA_PROTOCOL_2_0)) {
@@ -244,11 +246,11 @@ public boolean isValid(String requestId) {
 
 				validateSubjectConfirmation(responseInResponseTo);
 
-                if (settings.getWantAssertionsSigned() && !signedElements.contains("Assertion")) {
+                if (settings.getWantAssertionsSigned() && !hasSignedAssertion) {
                     throw new Exception("The Assertion of the Response is not signed and the SP requires it");
                 }
 
-                if (settings.getWantMessagesSigned() && !signedElements.contains("Response")) {
+                if (settings.getWantMessagesSigned() && !hasSignedResponse) {
                     throw new Exception("The Message of the Response is not signed and the SP requires it");
                 }
 			}
@@ -260,18 +262,12 @@ public boolean isValid(String requestId) {
 				String fingerprint = settings.getIdpCertFingerprint();
 				String alg = settings.getIdpCertFingerprintAlgorithm();
 
-				Document documentToValidate;
-				if (signedElements.contains("Response")) {
-					documentToValidate = samlResponseDocument;
-				} else {
-					if (encrypted) {
-						documentToValidate = decryptedDocument;
-					} else {
-						documentToValidate = samlResponseDocument;
-					}
+				if (hasSignedResponse && !Util.validateSign(samlResponseDocument, cert, fingerprint, alg, Util.RESPONSE_SIGNATURE_XPATH)) {
+					throw new Exception("Signature validation failed. SAML Response rejected");
 				}
 
-				if (!Util.validateSign(documentToValidate, cert, fingerprint, alg)) {
+				final Document documentToCheckAssertion = encrypted ? decryptedDocument : samlResponseDocument;
+				if (hasSignedAssertion && !Util.validateSign(documentToCheckAssertion, cert, fingerprint, alg, Util.ASSERTION_SIGNATURE_XPATH)) {
 					throw new Exception("Signature validation failed. SAML Response rejected");
 				}
 			}
@@ -676,6 +672,22 @@ public ArrayList<String> processSignedElements() throws Exception {
 			if (!signedElement.equals("Response") && !signedElement.equals("Assertion")) {
 				throw new Exception("Invalid Signature Element " + signedElement + " SAML Response rejected");
 			}
+
+			// check that the signed elements found here, are the ones that will be verified
+			// by com.onelogin.saml2.util.Util.validateSign()
+			if (signedElement.equals("Response")) {
+				final NodeList expectedSignatureNode = query(Util.RESPONSE_SIGNATURE_XPATH, null);
+				if (expectedSignatureNode.getLength() != 1 || signedElements.contains(signedElement)) {
+					throw new Exception("Unexpected number of Response signatures found. SAML Response rejected.");
+				}
+			}
+
+			if (signedElement.equals("Assertion")) {
+				final NodeList expectedSignatureNode = query(Util.ASSERTION_SIGNATURE_XPATH, null);
+				if (expectedSignatureNode.getLength() != 1 || signedElements.contains(signedElement)) {
+					throw new Exception("Unexpected number of Response signatures found. SAML Response rejected.");
+				}
+			}
 
 			// Check that reference URI matches the parent ID and no duplicate References or IDs
 			Node idNode = signNode.getParentNode().getAttributes().getNamedItem("ID");
@@ -689,8 +701,8 @@ public ArrayList<String> processSignedElements() throws Exception {
 			}
 			verifiedIds.add(idValue);
 
-			NodeList refNodes = Util.query(null, ".//ds:Reference", signNode);
-			if (refNodes.getLength() > 0) {
+			NodeList refNodes = Util.query(null, "ds:SignedInfo/ds:Reference", signNode);
+			if (refNodes.getLength() == 1) {
 				Node refNode = refNodes.item(0);
 				Node seiNode = refNode.getAttributes().getNamedItem("URI");
 				if (seiNode != null && seiNode.getNodeValue() != null && !seiNode.getNodeValue().isEmpty()) {
@@ -704,6 +716,10 @@ public ArrayList<String> processSignedElements() throws Exception {
 					}
 					verifiedSeis.add(sei);
 				}
+			} else {
+				// Signatures MUST contain a single <ds:Reference> containing a same-document reference to the ID
+				// attribute value of the root element of the assertion or protocol message being signed
+				throw new Exception("Unexpected number of Reference nodes found for signature. SAML Response rejected.");
 			}
 
 			signedElements.add(signedElement);
@@ -809,13 +825,10 @@ public String getError() {
 	 *
 	 */
 	private NodeList queryAssertion(String assertionXpath) throws XPathExpressionException {
-        String assertionExpr;
-
-        assertionExpr = "/saml:Assertion";
-
-        String signatureExpr = "ds:Signature/ds:SignedInfo/ds:Reference";
+        final String assertionExpr = "/saml:Assertion";
+        final String signatureExpr = "ds:Signature/ds:SignedInfo/ds:Reference";
 
-        String nameQuery = "";
+        String nameQuery;
         String signedAssertionQuery = "/samlp:Response" + assertionExpr + "/" + signatureExpr;
         NodeList nodeList = query(signedAssertionQuery, null);
         if (nodeList.getLength() == 0 ) {
@@ -835,19 +848,6 @@ private NodeList queryAssertion(String assertionXpath) throws XPathExpressionExc
                 // On this case there is no element signed, the query will work but
                 // the response validation will throw and error.
             	nameQuery = "/samlp:Response";
-            	
-            	// If we want to change this behaviour, uncomment this block.
-            	// but test should be updated then.
-            	
-            	// Trick in order to return empty NodeList (not instanciable)
-            	/*
-            	XPath xpath = XPathFactory.newInstance().newXPath();
-            	NodeList noresult = null;
-				try {
-					noresult = (NodeList) xpath.evaluate("/noresult", Util.convertStringToDocument("<null></null>"), XPathConstants.NODESET);
-				} catch (ParserConfigurationException | SAXException | IOException e) {}
-            	return noresult;
-            	*/
             }
             nameQuery += assertionExpr;
         } else {  // there is a signed assertion

core/src/main/java/com/onelogin/saml2/util/Util.java

@@ -96,6 +96,10 @@ public final class Util {
     private static final DateTimeFormatter DATE_TIME_FORMAT = DateTimeFormat.forPattern("yyyy-MM-dd'T'HH:mm:ss'Z'").withZone(DateTimeZone.UTC);
 	private static final DateTimeFormatter DATE_TIME_FORMAT_MILLS = DateTimeFormat.forPattern("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").withZone(DateTimeZone.UTC);
 	public static final String UNIQUE_ID_PREFIX = "ONELOGIN_";
+	public static final String RESPONSE_SIGNATURE_XPATH = "/samlp:Response/ds:Signature";
+	public static final String ASSERTION_SIGNATURE_XPATH = "/samlp:Response/saml:Assertion/ds:Signature";
+
+	private static final Logger log = LoggerFactory.getLogger(Util.class);
 
 	/**
 	 * This function load an XML string in a save way. Prevent XEE/XXE Attacks
@@ -220,9 +224,13 @@ public static boolean validateXML(Document xmlDocument, URL schemaUrl) throws Ex
 			Source xmlSource = new DOMSource(xmlDocument);
 			validator.validate(xmlSource);
 
-			return !errorAcumulator.hasError();
+			final boolean isValid = !errorAcumulator.hasError();
+			if (!isValid) {
+				LOGGER.warn("Errors found when validating SAML response with schema: " + errorAcumulator.getErrorXML());
+			}
+			return isValid;
 		} catch (Exception e) {
-			LOGGER.debug("Error executing validateXML: " + e.getMessage(), e);
+			LOGGER.warn("Error executing validateXML: " + e.getMessage(), e);
 			return false;
 		}
 	}
@@ -774,36 +782,29 @@ public static String signatureAlgConversion(String sign) {
 		return convertedSignatureAlg;
 	}
 
-    /**
-     * Validate signature (Message or Assertion).
-     *
-     * @param doc
-     *               The document we should validate
-     * @param cert
-     *               The public certificate
-     * @param fingerprint
-     *               The fingerprint of the public certificate
-     * @param alg
-     *               The signature algorithm method
-     *
-     * @return True if the sign is valid, false otherwise.
-     */
-    public static Boolean validateSign(Document doc, X509Certificate cert, String fingerprint, String alg) {
-        NodeList signNodesToValidate;
+	/**
+	 * Validate the signature pointed to by the xpath
+	 *
+	 * @param doc The document we should validate
+	 * @param cert The public certificate
+	 * @param fingerprint The fingerprint of the public certificate
+	 * @param alg The signature algorithm method
+	 * @param xpath the xpath of the ds:Signture node to validate
+	 *
+	 * @return True if the signature exists and is valid, false otherwise.
+	 */
+	public static boolean validateSign(final Document doc, final X509Certificate cert, final String fingerprint,
+									   final String alg, final String xpath) {
 		try {
-			signNodesToValidate = query(doc, "/samlp:Response/ds:Signature");
-			if (signNodesToValidate.getLength() == 0) {
-				signNodesToValidate = query(doc, "/samlp:Response/saml:Assertion/ds:Signature");
-			}
-
-			if (signNodesToValidate.getLength() == 1) {
-				return validateSignNode(signNodesToValidate.item(0), cert, fingerprint, alg);
-			}
-		} catch (XPathExpressionException e) {}
-		return false;
-    }
+			final NodeList signatures = query(doc, xpath);
+			return signatures.getLength() == 1 && validateSignNode(signatures.item(0), cert, fingerprint, alg);
+		} catch (XPathExpressionException e) {
+			log.warn("Failed to find signature nodes", e);
+			return false;
+		}
+	}
 
-    /**
+	/**
      * Validate signature (Metadata).
      *
      * @param doc

core/src/test/java/com/onelogin/saml2/test/authn/AuthnResponseTest.java

@@ -609,6 +609,23 @@ public void testDoesNotAllowSignatureWrappingAttack4() throws Exception {
 		assertEquals("someone@example.org", samlResponse.getNameId());
 	}
 
+	@Test
+	public void testValidatesTheExpectedSignatures() throws Exception {
+		// having
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.my.properties").build();
+		settings.setWantAssertionsSigned(true);
+		settings.setWantMessagesSigned(true);
+
+		String samlResponseEncoded = Util.base64encoder(Util.getFileAsString("data/responses/invalids/attacks/response_with_spoofed_response_signature.xml"));
+
+		// when
+		SamlResponse samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+
+		// then
+		assertFalse(samlResponse.isValid());
+		assertEquals("Unexpected number of Response signatures found. SAML Response rejected.", samlResponse.getError());
+	}
+
 	/**
 	 * Tests the getSessionNotOnOrAfter method of SamlResponse
 	 *
@@ -851,6 +868,7 @@ public void testIsValidWrongEncryptedID() throws Exception {
 		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.my.properties").build();
 		String samlResponseEncoded = Util.getFileAsString("data/responses/invalids/response_encrypted_subconfirm_as_nameid.xml.base64");
 		settings.setStrict(false);
+		settings.setWantAssertionsSigned(false);
 		SamlResponse samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
 		assertTrue(samlResponse.isValid());
 		String nameId = samlResponse.getNameId();
@@ -1431,39 +1449,44 @@ public void testIsValid2() throws Exception {
 	 * @see com.onelogin.saml2.authn.SamlResponse#isValid
 	 */
 	@Test
-	public void testIsValidEnc() throws Exception {
+	public void testIsValid_doubleSignedEncrypted() throws Exception {
 		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.my.properties").build();
-		settings.setWantAssertionsSigned(false);
-		settings.setWantMessagesSigned(false);
+		settings.setWantAssertionsSigned(true);
+		settings.setWantMessagesSigned(true);
 		String samlResponseEncoded = Util.getFileAsString("data/responses/double_signed_encrypted_assertion.xml.base64");
 
-		settings.setStrict(false);
-		SamlResponse samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
-		assertTrue(samlResponse.isValid());
-
-		settings.setStrict(true);
-		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
-		assertTrue(samlResponse.isValid());
+		assertResponseValid(settings, samlResponseEncoded, false, true, null);
+		assertResponseValid(settings, samlResponseEncoded, true, true, null);
+	}
 
-		samlResponseEncoded = Util.getFileAsString("data/responses/signed_message_encrypted_assertion.xml.base64");
+	@Test
+	public void testIsValid_signedResponseEncryptedAssertion() throws Exception {
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.my.properties").build();
+		settings.setWantAssertionsSigned(false);
+		settings.setWantMessagesSigned(true);
 
-		settings.setStrict(false);
-		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
-		assertTrue(samlResponse.isValid());
+		String samlResponseEncoded = Util.getFileAsString("data/responses/signed_message_encrypted_assertion.xml.base64");
 
-		settings.setStrict(true);
-		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
-		assertTrue(samlResponse.isValid());
+		assertResponseValid(settings, samlResponseEncoded, false, true, null);
+		assertResponseValid(settings, samlResponseEncoded, true, true, null);
+		settings.setWantAssertionsSigned(true);
+		assertResponseValid(settings, samlResponseEncoded, false, true, null);
+		assertResponseValid(settings, samlResponseEncoded, true, false, "The Assertion of the Response is not signed and the SP requires it");
+	}
 
-		samlResponseEncoded = Util.getFileAsString("data/responses/signed_encrypted_assertion.xml.base64");
+	@Test
+	public void testIsValid_signedEncryptedAssertion() throws Exception {
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.my.properties").build();
+		settings.setWantAssertionsSigned(true);
+		settings.setWantMessagesSigned(false);
 
-		settings.setStrict(false);
-		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
-		assertTrue(samlResponse.isValid());
+		String samlResponseEncoded = Util.getFileAsString("data/responses/signed_encrypted_assertion.xml.base64");
 
-		settings.setStrict(true);
-		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
-		assertTrue(samlResponse.isValid());
+		assertResponseValid(settings, samlResponseEncoded, false, true, null);
+		assertResponseValid(settings, samlResponseEncoded, true, true, null);
+		settings.setWantMessagesSigned(true);
+		assertResponseValid(settings, samlResponseEncoded, false, true, null);
+		assertResponseValid(settings, samlResponseEncoded, true, false, "The Message of the Response is not signed and the SP requires it");
 	}
 
 	/**
@@ -1630,17 +1653,17 @@ public void testIsInValidSign() throws Exception {
 		samlResponseEncoded = Util.getFileAsString("data/responses/invalids/triple_signed_response.xml.base64");
 		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
 		assertFalse(samlResponse.isValid());
-		assertEquals("Duplicated ID. SAML Response rejected", samlResponse.getError());
+		assertEquals("Unexpected number of Response signatures found. SAML Response rejected.", samlResponse.getError());
 
 		samlResponseEncoded = Util.getFileAsString("data/responses/invalids/signed_assertion_response_with_2signatures.xml.base64");
 		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
 		assertFalse(samlResponse.isValid());
-		assertEquals("Duplicated ID. SAML Response rejected", samlResponse.getError());
+		assertEquals("Unexpected number of Response signatures found. SAML Response rejected.", samlResponse.getError());
 
 		samlResponseEncoded = Util.getFileAsString("data/responses/invalids/signed_message_response_with_2signatures.xml.base64");
 		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
 		assertFalse(samlResponse.isValid());
-		assertEquals("Duplicated ID. SAML Response rejected", samlResponse.getError());
+		assertEquals("Unexpected number of Response signatures found. SAML Response rejected.", samlResponse.getError());
 
 		samlResponseEncoded = Util.getFileAsString("data/responses/invalids/wrong_signed_element.xml.base64");
 		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));