#78: simplified validateSign, made sure always checks the right document

- validateSign now simpler, takes an xpath for the Signature to verify
- added some tests for encrypted assertions, that require either the
  Response and/or Message sign, to verify

Author: miszobi

core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java

@@ -160,6 +160,8 @@ public boolean isValid(String requestId) {
 
 			ArrayList<String> signedElements = processSignedElements();
 
+			final boolean hasSignedAssertion = signedElements.contains("Assertion");
+			final boolean hasSignedResponse = signedElements.contains("Response");
 			if (settings.isStrict()) {
 				if (settings.getWantXMLValidation()) {
 					if (!Util.validateXML(samlResponseDocument, SchemaFactory.SAML_SCHEMA_PROTOCOL_2_0)) {
@@ -244,11 +246,11 @@ public boolean isValid(String requestId) {
 
 				validateSubjectConfirmation(responseInResponseTo);
 
-                if (settings.getWantAssertionsSigned() && !signedElements.contains("Assertion")) {
+                if (settings.getWantAssertionsSigned() && !hasSignedAssertion) {
                     throw new Exception("The Assertion of the Response is not signed and the SP requires it");
                 }
 
-                if (settings.getWantMessagesSigned() && !signedElements.contains("Response")) {
+                if (settings.getWantMessagesSigned() && !hasSignedResponse) {
                     throw new Exception("The Message of the Response is not signed and the SP requires it");
                 }
 			}
@@ -260,18 +262,12 @@ public boolean isValid(String requestId) {
 				String fingerprint = settings.getIdpCertFingerprint();
 				String alg = settings.getIdpCertFingerprintAlgorithm();
 
-				Document documentToValidate;
-				if (signedElements.contains("Response")) {
-					documentToValidate = samlResponseDocument;
-				} else {
-					if (encrypted) {
-						documentToValidate = decryptedDocument;
-					} else {
-						documentToValidate = samlResponseDocument;
-					}
+				if (hasSignedResponse && !Util.validateSign(samlResponseDocument, cert, fingerprint, alg, Util.RESPONSE_SIGNATURE_XPATH)) {
+					throw new Exception("Signature validation failed. SAML Response rejected");
 				}
 
-				if (!Util.validateSign(documentToValidate, cert, fingerprint, alg, settings.getWantMessagesSigned(), settings.getWantAssertionsSigned())) {
+				final Document documentToCheckAssertion = encrypted ? decryptedDocument : samlResponseDocument;
+				if (hasSignedAssertion && !Util.validateSign(documentToCheckAssertion, cert, fingerprint, alg, Util.ASSERTION_SIGNATURE_XPATH)) {
 					throw new Exception("Signature validation failed. SAML Response rejected");
 				}
 			}

core/src/main/java/com/onelogin/saml2/util/Util.java

@@ -782,52 +782,26 @@ public static String signatureAlgConversion(String sign) {
 		return convertedSignatureAlg;
 	}
 
-    /**
-     * Validate signature (Message or Assertion).
-     *
-     * @param doc
-     *               The document we should validate
-     * @param cert
-     *               The public certificate
-     * @param fingerprint
-     *               The fingerprint of the public certificate
-     * @param alg
-     *               The signature algorithm method
-     * @param wantAssertionSigned whether the caller requires assertions to be signed
-     * @param wantResponseSigned whether the caller requires responses to be signed
-     *
-     * @return True if the required signatures are present and the present signatures are valid, false otherwise.
-     */
-    public static Boolean validateSign(Document doc, X509Certificate cert, String fingerprint, String alg,
-									   boolean wantResponseSigned, boolean wantAssertionSigned) {
+	/**
+	 * Validate the signature pointed to by the xpath
+	 *
+	 * @param doc The document we should validate
+	 * @param cert The public certificate
+	 * @param fingerprint The fingerprint of the public certificate
+	 * @param alg The signature algorithm method
+	 * @param xpath the xpath of the ds:Signture node to validate
+	 *
+	 * @return True if the signature exists and is valid, false otherwise.
+	 */
+	public static boolean validateSign(final Document doc, final X509Certificate cert, final String fingerprint,
+									   final String alg, final String xpath) {
 		try {
-			boolean validResponseSignature = checkSignature(doc, cert, fingerprint, alg, wantResponseSigned, RESPONSE_SIGNATURE_XPATH);
-			boolean validAssertionSignature = checkSignature(doc, cert, fingerprint, alg, wantAssertionSigned, ASSERTION_SIGNATURE_XPATH);
-
-			return validResponseSignature && validAssertionSignature;
+			final NodeList signatures = query(doc, xpath);
+			return signatures.getLength() == 1 && validateSignNode(signatures.item(0), cert, fingerprint, alg);
 		} catch (XPathExpressionException e) {
 			log.warn("Failed to find signature nodes", e);
-		}
-		return false;
-    }
-
-	private static boolean checkSignature(Document doc, X509Certificate cert, String fingerprint, String alg, boolean required, final String xpath) throws XPathExpressionException {
-		final NodeList responseSignature = query(doc, xpath);
-		final int signatureCount = responseSignature.getLength();
-		if (signatureCount > 1) {
-			log.warn("Unexpected number of signatures found matching " + xpath + ": " + signatureCount);
 			return false;
 		}
-
-		if (signatureCount == 0) {
-			if (required) {
-				log.warn("No signature matching " + xpath + ", found but was required");
-				return false;
-			}
-			return true;
-		}
-
-		return validateSignNode(responseSignature.item(0), cert, fingerprint, alg);
 	}
 
 	/**

core/src/test/java/com/onelogin/saml2/test/authn/AuthnResponseTest.java

@@ -1449,39 +1449,44 @@ public void testIsValid2() throws Exception {
 	 * @see com.onelogin.saml2.authn.SamlResponse#isValid
 	 */
 	@Test
-	public void testIsValidEnc() throws Exception {
+	public void testIsValid_doubleSignedEncrypted() throws Exception {
 		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.my.properties").build();
-		settings.setWantAssertionsSigned(false);
-		settings.setWantMessagesSigned(false);
+		settings.setWantAssertionsSigned(true);
+		settings.setWantMessagesSigned(true);
 		String samlResponseEncoded = Util.getFileAsString("data/responses/double_signed_encrypted_assertion.xml.base64");
 
-		settings.setStrict(false);
-		SamlResponse samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
-		assertTrue(samlResponse.isValid());
-
-		settings.setStrict(true);
-		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
-		assertTrue(samlResponse.isValid());
+		assertResponseValid(settings, samlResponseEncoded, false, true, null);
+		assertResponseValid(settings, samlResponseEncoded, true, true, null);
+	}
 
-		samlResponseEncoded = Util.getFileAsString("data/responses/signed_message_encrypted_assertion.xml.base64");
+	@Test
+	public void testIsValid_signedResponseEncryptedAssertion() throws Exception {
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.my.properties").build();
+		settings.setWantAssertionsSigned(false);
+		settings.setWantMessagesSigned(true);
 
-		settings.setStrict(false);
-		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
-		assertTrue(samlResponse.isValid());
+		String samlResponseEncoded = Util.getFileAsString("data/responses/signed_message_encrypted_assertion.xml.base64");
 
-		settings.setStrict(true);
-		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
-		assertTrue(samlResponse.isValid());
+		assertResponseValid(settings, samlResponseEncoded, false, true, null);
+		assertResponseValid(settings, samlResponseEncoded, true, true, null);
+		settings.setWantAssertionsSigned(true);
+		assertResponseValid(settings, samlResponseEncoded, false, true, null);
+		assertResponseValid(settings, samlResponseEncoded, true, false, "The Assertion of the Response is not signed and the SP requires it");
+	}
 
-		samlResponseEncoded = Util.getFileAsString("data/responses/signed_encrypted_assertion.xml.base64");
+	@Test
+	public void testIsValid_signedEncryptedAssertion() throws Exception {
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.my.properties").build();
+		settings.setWantAssertionsSigned(true);
+		settings.setWantMessagesSigned(false);
 
-		settings.setStrict(false);
-		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
-		assertTrue(samlResponse.isValid());
+		String samlResponseEncoded = Util.getFileAsString("data/responses/signed_encrypted_assertion.xml.base64");
 
-		settings.setStrict(true);
-		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
-		assertTrue(samlResponse.isValid());
+		assertResponseValid(settings, samlResponseEncoded, false, true, null);
+		assertResponseValid(settings, samlResponseEncoded, true, true, null);
+		settings.setWantMessagesSigned(true);
+		assertResponseValid(settings, samlResponseEncoded, false, true, null);
+		assertResponseValid(settings, samlResponseEncoded, true, false, "The Message of the Response is not signed and the SP requires it");
 	}
 
 	/**