Fix #232 Make Fingerprint check case insensitive

pitbulk · pitbulk · commit fd80067b0d77 · 2019-11-26T10:01:59.000+01:00
diff --git a/core/src/main/java/com/onelogin/saml2/util/Util.java b/core/src/main/java/com/onelogin/saml2/util/Util.java
@@ -1014,7 +1014,7 @@ public static Boolean validateSignNode(Node signNode, X509Certificate cert, Stri
 					X509Certificate providedCert = keyInfo.getX509Certificate();
 					String calculatedFingerprint = calculateX509Fingerprint(providedCert, alg);
 					for (String fingerprintStr : fingerprint.split(",")) {
-						if (calculatedFingerprint.equals(fingerprintStr.trim())) {
+						if (calculatedFingerprint.equalsIgnoreCase(fingerprintStr.trim())) {
 							res = signature.checkSignatureValue(providedCert);
 						}
 					}
diff --git a/core/src/test/java/com/onelogin/saml2/test/util/UtilsTest.java b/core/src/test/java/com/onelogin/saml2/test/util/UtilsTest.java
@@ -1092,6 +1092,8 @@ public void testValidateSign() throws URISyntaxException, IOException, Certifica
 		X509Certificate cert = Util.loadCert(certString);
 		String fingerprint_sha1 = "afe71c28ef740bc87425be13a2263d37971da1f9";
 		String fingerprint_sha256 = "c51cfa06c7a49767f6eab18238eae1c56708e29264da3d11f538a12cd2c357ba";
+		String fingerprint_sha1_uppercase = "AFE71C28EF740BC87425BE13A2263D37971DA1F9";
+		String fingerprint_sha256_uppercase = "C51CFA06C7A49767F6EAB18238EAE1C56708E29264DA3D11F538A12CD2C357BA";
 
 		// Signed Response
 		String signedResponseStr = Util.getFileAsString("data/responses/signed_message_response.xml.base64");
@@ -1102,6 +1104,8 @@ public void testValidateSign() throws URISyntaxException, IOException, Certifica
 		assertTrue(Util.validateSign(samlSignedResponseDocument, (X509Certificate) null, fingerprint_sha1, null, RESPONSE_SIGNATURE_XPATH));
 		assertTrue(Util.validateSign(samlSignedResponseDocument, (X509Certificate) null, fingerprint_sha1, "SHA-1", RESPONSE_SIGNATURE_XPATH));
 		assertTrue(Util.validateSign(samlSignedResponseDocument, (X509Certificate) null, fingerprint_sha256, "SHA-256", RESPONSE_SIGNATURE_XPATH));
+		assertTrue(Util.validateSign(samlSignedResponseDocument, (X509Certificate) null, fingerprint_sha1_uppercase, "SHA-1", RESPONSE_SIGNATURE_XPATH));
+		assertTrue(Util.validateSign(samlSignedResponseDocument, (X509Certificate) null, fingerprint_sha256_uppercase, "SHA-256", RESPONSE_SIGNATURE_XPATH));
 		assertFalse(Util.validateSign(samlSignedResponseDocument, (X509Certificate) null, fingerprint_sha256, "SHA-256", ASSERTION_SIGNATURE_XPATH));
 		assertFalse(Util.validateSign(samlSignedResponseDocument, cert, null, null, ""));
 		assertFalse(Util.validateSign(samlSignedResponseDocument, (X509Certificate) null, null, null, ""));
@@ -1114,6 +1118,7 @@ public void testValidateSign() throws URISyntaxException, IOException, Certifica
 		assertTrue(Util.validateSign(samlSignedAssertionDocument, cert, null, null, ASSERTION_SIGNATURE_XPATH));
 		assertTrue(Util.validateSign(samlSignedAssertionDocument, (X509Certificate) null, fingerprint_sha1, null, ASSERTION_SIGNATURE_XPATH));
 		assertTrue(Util.validateSign(samlSignedAssertionDocument, (X509Certificate) null, fingerprint_sha1, "SHA-1", ASSERTION_SIGNATURE_XPATH));
+		assertTrue(Util.validateSign(samlSignedAssertionDocument, (X509Certificate) null, fingerprint_sha1_uppercase, "SHA-1", ASSERTION_SIGNATURE_XPATH));
 		assertFalse(Util.validateSign(samlSignedAssertionDocument, (X509Certificate) null, fingerprint_sha1, "SHA-1", RESPONSE_SIGNATURE_XPATH));
 
 		// Double Signed Response
@@ -1127,8 +1132,12 @@ public void testValidateSign() throws URISyntaxException, IOException, Certifica
 		assertTrue(Util.validateSign(samlDoubleSignedResponseDocument, (X509Certificate) null, fingerprint_sha1, null, RESPONSE_SIGNATURE_XPATH));
 		assertTrue(Util.validateSign(samlDoubleSignedResponseDocument, (X509Certificate) null, fingerprint_sha1, "SHA-1", ASSERTION_SIGNATURE_XPATH));
 		assertTrue(Util.validateSign(samlDoubleSignedResponseDocument, (X509Certificate) null, fingerprint_sha1, "SHA-1", RESPONSE_SIGNATURE_XPATH));
+		assertTrue(Util.validateSign(samlDoubleSignedResponseDocument, (X509Certificate) null, fingerprint_sha1_uppercase, "SHA-1", ASSERTION_SIGNATURE_XPATH));
+		assertTrue(Util.validateSign(samlDoubleSignedResponseDocument, (X509Certificate) null, fingerprint_sha1_uppercase, "SHA-1", RESPONSE_SIGNATURE_XPATH));
 		assertTrue(Util.validateSign(samlDoubleSignedResponseDocument, (X509Certificate) null, fingerprint_sha256, "SHA-256", ASSERTION_SIGNATURE_XPATH));
 		assertTrue(Util.validateSign(samlDoubleSignedResponseDocument, (X509Certificate) null, fingerprint_sha256, "SHA-256", RESPONSE_SIGNATURE_XPATH));
+		assertTrue(Util.validateSign(samlDoubleSignedResponseDocument, (X509Certificate) null, fingerprint_sha256_uppercase, "SHA-256", ASSERTION_SIGNATURE_XPATH));
+		assertTrue(Util.validateSign(samlDoubleSignedResponseDocument, (X509Certificate) null, fingerprint_sha256_uppercase, "SHA-256", RESPONSE_SIGNATURE_XPATH));
 	}
 
 	/**

Original file line number	Diff line number	Diff line change
`@@ -1014,7 +1014,7 @@ public static Boolean validateSignNode(Node signNode, X509Certificate cert, Stri`
`1014`	`1014`	`X509Certificate providedCert = keyInfo.getX509Certificate();`
`1015`	`1015`	`String calculatedFingerprint = calculateX509Fingerprint(providedCert, alg);`
`1016`	`1016`	`for (String fingerprintStr : fingerprint.split(",")) {`
`1017`		`- if (calculatedFingerprint.equals(fingerprintStr.trim())) {`
	`1017`	`+ if (calculatedFingerprint.equalsIgnoreCase(fingerprintStr.trim())) {`
`1018`	`1018`	`res = signature.checkSignatureValue(providedCert);`
`1019`	`1019`	`}`
`1020`	`1020`	`}`