OpenAM / OPENAM-12408

insufficient debug logging to troubleshoot signature validation issues

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1
    • Fix Version/s: None
    • Component/s: SAML
    • Labels:
    • Target Version/s:
    • Sprint: AM Sustaining Sprint 51, AM Sustaining Sprint 52, AM Sustaining Sprint 53, AM Sustaining Sprint 54, AM Sustaining Sprint 55, AM Sustaining Sprint 56, AM Sustaining Sprint 57, AM Sustaining Sprint 58, AM Sustaining Sprint 59, AM Sustaining Sprint 60, AM Sustaining Sprint 61, AM Sustaining Sprint 62, AM Sustaining Sprint 63, AM Sustaining Sprint 64, AM Sustaining Sprint 65, AM Sustaining Sprint 66, AM Sustaining Sprint 67, AM Sustaining Sprint 68, AM Sustaining Sprint 69, AM Sustaining Sprint 70, AM Sustaining Sprint 71, AM Sustaining Sprint 72, AM Sustaining Sprint 73, AM Sustaining Sprint 74, AM Sustaining Sprint 75, AM Sustaining Sprint 76, AM Sustaining Sprint 77, AM Sustaining Sprint 78, AM Sustaining Sprint 79, AM Sustaining Sprint 80, AM Sustaining Sprint 81
    • Story Points: 1
    • Support Ticket IDs:

      Description

      Bug description

      AM does not log which certificate (subjectDN + serial number) is used to verify a signature.

      How to reproduce the issue

      1. set up AM as hosted SAML IdP
      2. set up some SAML SP
      3. craft SAML SP metadata to include several KeyDescriptors according to the SAMLv2 interoperability profile
      4. configure the AuthnRequest signing
      5. perform SP-initiated SSO using HTTP Redirect binding and also HTTP POST binding

      Expected behaviour

      Federation debug log should reveal which certificate is used to verify the signature when debug level is set to 'message'.

      Current behaviour

      Information about the certificate being used is not revealed.


      Code analysis

      for HTTP redirect binding

      com.sun.identity.saml2.common.QuerySignatureUtil.java
      ...
          private static boolean isValidSignature(Signature sig, Set<X509Certificate> certificates, byte[] queryString,
                  byte[] signature) throws SAML2Exception {
              final String classMethod = "QuerySignatureUtil.isValidSignature: ";
              Exception firstException = null;
              for (X509Certificate certificate : certificates) {
                  try {
                      sig.initVerify(certificate);
                      sig.update(queryString);
                      if (sig.verify(signature)) {
                          return true;
                      }
                  } catch (InvalidKeyException | SignatureException ex) {
                      SAML2Utils.debug.warning(classMethod + "Signature validation failed due to " + ex);
                      if (firstException == null) {
                          firstException = ex;
                      }
                  }
              }
              if (firstException != null) {
                  throw new SAML2Exception(firstException);
              }
      
              return false;
          }
      ...
      

      for HTTP POST Binding

      com.sun.identity.saml2.xmlsig.FMSigProvider.java
      ...
      
          private boolean isValidSignature(XMLSignature signature, Set<X509Certificate> certificates) throws SAML2Exception {
              final String classMethod = "FMSigProvider.isValidSignature: ";
              XMLSignatureException firstException = null;
              for (X509Certificate certificate : certificates) {
                  if (!SAML2Utils.validateCertificate(certificate)) {
                      SAML2SDKUtils.debug.error(classMethod + "Signing Certificate is validated as bad.");
                  } else {
                      try {
                          if (signature.checkSignatureValue(certificate)) {
                              return true;
                          }
                      } catch (XMLSignatureException xse) {
                          SAML2SDKUtils.debug.warning(classMethod + "XML signature validation failed due to " + xse);
                          if (firstException == null) {
                              firstException = xse;
                          }
                      }
                  }
              }
              if (firstException != null) {
                  throw new SAML2Exception(firstException);
              }
      
              return false;
          }
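      Both loops above try every candidate certificate from the SP metadata and, on failure, log only the exception text, so the debug log never says which certificate was tried or which one finally verified. The Go program below is an added illustration, not OpenAM code: it re-implements the same candidate loop with the certificate's subject DN and serial number in every log line. RSA PKCS#1 v1.5 over SHA-256 stands in for the Java Signature/XMLSignature calls, and the two self-signed SP signing certificates and the query string are constructed for the demo (the certificate names, serial numbers and the helper names are assumptions). The same identification would apply to the XML-signature path used by the POST binding.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// certID is what the bug report asks to see in the debug log: subject DN plus
// serial number, enough to match the certificate to a KeyDescriptor in SP metadata.
func certID(c *x509.Certificate) string {
	return fmt.Sprintf("subject=%q serial=%s", c.Subject.String(), c.SerialNumber.String())
}

// verifyWithCandidates mirrors the OpenAM loop over candidate certificates.
// Each attempt is logged together with the certificate identity, the first
// failure is kept (as OpenAM does), and the certificate that verified is returned.
func verifyWithCandidates(candidates []*x509.Certificate, data, sig []byte,
	logf func(format string, args ...interface{})) (*x509.Certificate, error) {
	digest := sha256.Sum256(data)
	var firstErr error
	for _, c := range candidates {
		pub, ok := c.PublicKey.(*rsa.PublicKey)
		if !ok {
			logf("skipping %s: unsupported key type %T", certID(c), c.PublicKey)
			continue
		}
		// Go reports a mismatch as rsa.ErrVerification rather than a false return.
		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
			logf("signature validation failed with %s: %v", certID(c), err)
			if firstErr == nil {
				firstErr = err
			}
			continue
		}
		logf("signature verified with %s", certID(c))
		return c, nil
	}
	if firstErr != nil {
		return nil, firstErr
	}
	return nil, errors.New("no usable candidate certificate")
}

// selfSigned builds a constructed, self-signed SP signing certificate for the demo.
func selfSigned(cn string, serial int64) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example SP"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Demo models an SP whose metadata carries two signing KeyDescriptors (old and new
// certificate) while the SP signs with the new key, as in reproduction step 3.
func Demo() (int64, []string) {
	certOld, _ := selfSigned("sp-signing-old", 1001)
	certNew, keyNew := selfSigned("sp-signing-new", 1002)
	// Constructed stand-in for the signed portion of a Redirect-binding query string.
	query := []byte("SAMLRequest=ZmFrZQ%3D%3D&RelayState=demo&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256")
	digest := sha256.Sum256(query)
	sig, err := rsa.SignPKCS1v15(rand.Reader, keyNew, crypto.SHA256, digest[:])
	check(err)
	var lines []string
	logf := func(format string, args ...interface{}) {
		lines = append(lines, fmt.Sprintf(format, args...))
	}
	used, err := verifyWithCandidates([]*x509.Certificate{certOld, certNew}, query, sig, logf)
	check(err)
	return used.SerialNumber.Int64(), lines
}

func main() {
	serial, lines := Demo()
	for _, l := range lines {
		fmt.Println("DEBUG", l)
	}
	fmt.Println("verified with certificate serial", serial)
}
```

      Running it prints one "failed" line naming the old certificate (serial 1001) and one "verified" line naming the new one (serial 1002), which is exactly the information a troubleshooter needs when an SP rotates keys and the wrong KeyDescriptor ends up in the metadata.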
      

              People

              • Assignee: Bernhard Thalmayr (bthalmayr)
              • Reporter: Bernhard Thalmayr (bthalmayr)