OpenAM / OPENAM-14240

FMSigProvider.verify does not tell if certificates are provided


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.5.0, 6.0.0.6
    • Fix Version/s: 6.5.4, 8.0.0, 7.0.2
    • Component/s: SAML
    • Sprint: AM Sustaining Sprint 84
    • Story Points: 3

      Description

      Bug description

      FMSigProvider signature verification fails when the signed document contains no KeyInfo element and the caller passes no verification certificates. To make this easier to troubleshoot, verify should log whether certificates were provided to it, so that an operator can tell from the Federation debug log whether the certificates were expected to come from the caller or had to be read from the document.

      Expected behaviour (excerpt from Federation debug log):
      libSAML2:01/14/2019 05:53:48:588 PM CET: Thread[main,5,main]: TransactionId[58ffb8aa-4099-4f52-9d68-f4b5fb9b9f9e-0]
      FMSigProvider.verify: No certificates provided - certificates have to be read from document
      libSAML2:01/14/2019 05:53:48:654 PM CET: Thread[main,5,main]: TransactionId[58ffb8aa-4099-4f52-9d68-f4b5fb9b9f9e-0]
      ERROR: FMSigProvider.verify: Signature verification failed.

      Current behaviour (excerpt from Federation debug log):
      libSAML2:01/14/2019 05:53:48:654 PM CET: Thread[main,5,main]: TransactionId[58ffb8aa-4099-4f52-9d68-f4b5fb9b9f9e-0]
      ERROR: FMSigProvider.verify: Signature verification failed.

      Code Analysis

      com.sun.identity.saml2.xmlsig.FMSigProvider.java
      ...
      
          @Override
          public boolean verify(String xmlString, String idAttribute, String idValue, Set<X509Certificate> verificationCerts)
                  throws SAML2Exception {
              Reject.ifNull(idAttribute);
              String classMethod = "FMSigProvider.verify: ";
              if (StringUtils.isEmpty(xmlString) || StringUtils.isEmpty(idValue)) {
                  SAML2SDKUtils.debug.error("{}Either input xmlString or idValue is null.", classMethod);
                  throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
              }
              Document doc = XMLUtils.toDOMDocument(xmlString, SAML2SDKUtils.debug);
              if (doc == null) {
                  throw new SAML2Exception(SAML2SDKUtils.bundle.getString("errorObtainingElement"));
              }
              Element nscontext = org.apache.xml.security.utils.XMLUtils.createDSctx(doc, "ds", Constants.SignatureSpecNS);
              Element sigElement;
              try {
                  sigElement = (Element) XPathAPI.selectSingleNode(doc, "/*/ds:Signature", nscontext);
              } catch (XPathException te) {
                  throw new SAML2Exception(te);
              }
      ....
      

      The method should be changed as in the attached diff, so that the certificate source (caller-supplied set or document KeyInfo) is logged before the signature check runs.
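      The certificate-source decision described above, as an added example that is not OpenAM code: it selects the document's ds:Signature the same way the excerpt's /*/ds:Signature XPath does, prefers caller-supplied certificates, otherwise falls back to ds:KeyInfo, and emits the diagnostic line the ticket asks for. The sample documents and the certificate strings are constructed placeholders; the cryptographic signature check itself is out of scope here.

```python
import logging
import xml.etree.ElementTree as ET
from typing import Optional, Set, Tuple

DS_NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}
CLASS_METHOD = "FMSigProvider.verify: "
log = logging.getLogger("libSAML2")


def resolve_verification_certs(xml_string: str,
                               verification_certs: Optional[Set[str]]) -> Tuple[str, Set[str]]:
    """Return (source, certs) where source is 'caller', 'document' or 'none'.

    Mirrors the step verify() takes before checking the signature: certificates
    passed by the caller win; otherwise they must be read from ds:KeyInfo.
    """
    root = ET.fromstring(xml_string)
    # Equivalent of selectSingleNode(doc, "/*/ds:Signature"): Signature directly under the root.
    sig = root.find("ds:Signature", DS_NS)
    if sig is None:
        raise ValueError("no ds:Signature element under the document root")
    if verification_certs:
        log.debug("%s%d certificate(s) provided by caller", CLASS_METHOD, len(verification_certs))
        return "caller", set(verification_certs)
    # This is the line the ticket wants in the Federation debug log.
    log.debug("%sNo certificates provided - certificates have to be read from document", CLASS_METHOD)
    doc_certs = {c.text.strip()
                 for c in sig.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", DS_NS)
                 if c.text and c.text.strip()}
    if not doc_certs:
        # Without this line the operator only sees the generic failure below.
        log.error("%sSignature verification failed: no certificates provided and no KeyInfo in document",
                  CLASS_METHOD)
        return "none", set()
    return "document", doc_certs


# Constructed sample documents (not real SAML traffic); certificate text is a placeholder.
_SAML_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed">'
              '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue>')
WITH_KEYINFO = (_SAML_HEAD + '<ds:KeyInfo><ds:X509Data><ds:X509Certificate> MIIBconstructed '
                '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>')
WITHOUT_KEYINFO = _SAML_HEAD + '</ds:Signature></samlp:Response>'

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="libSAML2: %(levelname)s: %(message)s")
    print(resolve_verification_certs(WITH_KEYINFO, None))
    print(resolve_verification_certs(WITHOUT_KEYINFO, None))
```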

      People

      Assignee: Kamal Sivanandam (kamal.sivanandam@forgerock.com)
      Reporter: Bernhard Thalmayr (bthalmayr)