OpenAM issue OPENAM-14240

FMSigProvider.verify does not tell if certificates are provided

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.5.0, 6.0.0.6
    • Fix Version/s: None
    • Component/s: SAML
    • Labels:
    • Support Ticket IDs:

      Description

      Bug description

      FMSigProvider signature verification fails when the signed document contains no KeyInfo element and no verification certificates are passed to the verify method. To ease troubleshooting, verify should log whether certificates were provided to it.

      Expected behaviour
      excerpt from Federation debug log
      libSAML2:01/14/2019 05:53:48:588 PM CET: Thread[main,5,main]: TransactionId[58ffb8aa-4099-4f52-9d68-f4b5fb9b9f9e-0]
      FMSigProvider.verify: No certificates provided - certificates have to be read from document
      libSAML2:01/14/2019 05:53:48:654 PM CET: Thread[main,5,main]: TransactionId[58ffb8aa-4099-4f52-9d68-f4b5fb9b9f9e-0]
      ERROR: FMSigProvider.verify: Signature verification failed.
       
      Current behaviour
      excerpt from Federation debug log
      libSAML2:01/14/2019 05:53:48:654 PM CET: Thread[main,5,main]: TransactionId[58ffb8aa-4099-4f52-9d68-f4b5fb9b9f9e-0]
      ERROR: FMSigProvider.verify: Signature verification failed.
      

      Code Analysis

      com.sun.identity.saml2.xmlsig.FMSigProvider.java
      ...
      
          @Override
          public boolean verify(String xmlString, String idAttribute, String idValue, Set<X509Certificate> verificationCerts)
                  throws SAML2Exception {
              Reject.ifNull(idAttribute);
              String classMethod = "FMSigProvider.verify: ";
              if (StringUtils.isEmpty(xmlString) || StringUtils.isEmpty(idValue)) {
                  SAML2SDKUtils.debug.error("{}Either input xmlString or idValue is null.", classMethod);
                  throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
              }
              Document doc = XMLUtils.toDOMDocument(xmlString, SAML2SDKUtils.debug);
              if (doc == null) {
                  throw new SAML2Exception(SAML2SDKUtils.bundle.getString("errorObtainingElement"));
              }
              Element nscontext = org.apache.xml.security.utils.XMLUtils.createDSctx(doc, "ds", Constants.SignatureSpecNS);
              Element sigElement;
              try {
                  sigElement = (Element) XPathAPI.selectSingleNode(doc, "/*/ds:Signature", nscontext);
              } catch (XPathException te) {
                  throw new SAML2Exception(te);
              }
      ....
      

      The verify method should be changed as in the attached diff.
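      The following is an added example and not code from OpenAM or from the attached diff. It shows, with the JDK's javax.xml.crypto API and java.util.logging standing in for SAML2SDKUtils.debug (both assumptions, as are the names SigVerifyExample and CertKeySelector), what a verify method looks like when it logs up front whether verification certificates were handed in, so that a failure with no KeyInfo and no certificates is explained rather than reported only as "Signature verification failed." It goes beyond the issue by also making the KeyInfo fallback and a check that the signature's Reference covers the requested element explicit.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import java.util.logging.Logger;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

// Added example, not OpenAM's FMSigProvider: verify an enveloped XML signature and log where the key comes from.
public final class SigVerifyExample {
    private static final Logger LOG = Logger.getLogger("libSAML2"); // stand-in for SAML2SDKUtils.debug (assumption)
    private static final String M = "FMSigProvider.verify: ";

    public static boolean verify(String xmlString, String idAttribute, String idValue,
                                 Set<X509Certificate> verificationCerts) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs/XXE on inbound SAML
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xmlString.getBytes(StandardCharsets.UTF_8)));
        Element root = doc.getDocumentElement();
        // Same rule as the XPath "/*/ds:Signature" in the issue: the Signature must be a direct child of the root.
        Element sigElement = null;
        for (Node n = root.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && XMLSignature.XMLNS.equals(n.getNamespaceURI())
                    && "Signature".equals(n.getLocalName())) { sigElement = (Element) n; break; }
        }
        if (sigElement == null || !idValue.equals(root.getAttribute(idAttribute))) {
            LOG.severe(M + "No ds:Signature under the root, or root " + idAttribute + " is not " + idValue);
            return false;
        }
        // The line this issue asks for: say up front where the verification key will come from.
        Set<X509Certificate> trusted = verificationCerts == null ? Collections.emptySet() : verificationCerts;
        if (trusted.isEmpty()) {
            LOG.info(M + "No certificates provided - certificates have to be read from document");
        } else {
            LOG.info(M + trusted.size() + " verification certificate(s) provided");
        }
        DOMValidateContext ctx = new DOMValidateContext(new CertKeySelector(trusted), sigElement);
        ctx.setIdAttributeNS(root, null, idAttribute); // lets Reference URI="#idValue" resolve to the root
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        // Only accept a signature whose Reference actually covers the element we were asked about.
        boolean coversTarget = false;
        for (Object r : signature.getSignedInfo().getReferences()) {
            coversTarget |= ("#" + idValue).equals(((Reference) r).getURI());
        }
        if (!coversTarget) { LOG.severe(M + "No Reference in SignedInfo points at #" + idValue); return false; }
        boolean valid = signature.validate(ctx);
        if (!valid) LOG.severe(M + "Signature verification failed.");
        return valid;
    }

    // Key source: the caller's trusted set when non-empty, otherwise the document's own KeyInfo.
    static final class CertKeySelector extends KeySelector {
        private final Set<X509Certificate> trusted;
        CertKeySelector(Set<X509Certificate> trusted) { this.trusted = trusted; }

        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                        XMLCryptoContext context) throws KeySelectorException {
            X509Certificate chosen = firstCertificate(keyInfo);
            if (trusted.isEmpty()) { // the issue's failing case: KeyInfo is the only possible key source
                if (chosen == null) throw new KeySelectorException("No certificates provided and no X509Certificate in KeyInfo");
            } else if (chosen == null) {
                if (trusted.size() != 1) throw new KeySelectorException("No KeyInfo and several verification certificates");
                chosen = trusted.iterator().next();
            } else if (!trusted.contains(chosen)) {
                throw new KeySelectorException("KeyInfo certificate is not a configured verification certificate");
            }
            final X509Certificate cert = chosen;
            return cert::getPublicKey;
        }

        private static X509Certificate firstCertificate(KeyInfo keyInfo) {
            if (keyInfo == null) return null;
            for (Object content : keyInfo.getContent()) {
                if (!(content instanceof X509Data)) continue;
                for (Object item : ((X509Data) content).getContent()) {
                    if (item instanceof X509Certificate) return (X509Certificate) item;
                }
            }
            return null;
        }
    }
}
```

      Calling verify(xml, "ID", idValue, Collections.emptySet()) on a document whose Signature has no KeyInfo first logs the "No certificates provided" line and then fails inside validate with an XMLSignatureException wrapping the KeySelectorException, so the debug log now shows why there was no key to verify with. The Reference check matters because a Signature that is a direct child of the root can still reference some other element; tying the URI to idValue refuses that case.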

            People

            • Assignee: Unassigned
            • Reporter: bthalmayr Bernhard Thalmayr
            • Votes: 0
            • Watchers: 2
