OpenAM / OPENAM-17423

Invalid Base64 in SAML request signature ends in NullPointerException



    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.5.3
    • Fix Version/s: None
    • Component/s: SAML


      Bug description

      If a SAML2 HTTP-binding request signature is not valid, it is reported as an invalidSignInRequest using a standard SAML2 response.

      However, if the SAML request signature is not even a valid Base64 string (e.g. because the padding characters are missing or somebody appended a character somewhere), the request just dies with a NullPointerException.

      How to reproduce the issue

      1. Prepare a SAML request using an HTTP-Redirect binding.
      2. Modify the request by e.g. removing a single character from the Signature parameter.
      3. Send the request to OpenAM.

      Expected behaviour

      OpenAM sends back a proper SAML2 Response indicating an invalid signature. (Honestly, I am not sure this is the correct behavior; maybe if the signature is invalid, we should not rely on the request being correct to be answered…? Dunno, but the behavior should definitely match in all variants of a signature being invalid.)

      Current behaviour

      An unhandled NullPointerException occurs.

      Code analysis

      The NullPointerException occurs inside java.security.Signature.verify: QuerySignatureUtil.isValidSignature() passes on the null signature value it received from verify(), where the result of decoder.decode() is not checked for validity (the decoder simply returns null for invalid input). Obviously, if the signature string is not valid Base64, verify() should immediately return false (or throw a SAML2Exception?).

      Caused by: java.lang.NullPointerException: null
      at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:186)
      at java.security.Signature$Delegate.engineVerify(Signature.java:1219)
      at java.security.Signature.verify(Signature.java:652)
      at com.sun.identity.saml2.common.QuerySignatureUtil.isValidSignature(QuerySignatureUtil.java:316)
      at com.sun.identity.saml2.common.QuerySignatureUtil.verify(QuerySignatureUtil.java:305)
      at org.forgerock.openam.saml2.UtilProxySAMLAuthenticator.authenticate(UtilProxySAMLAuthenticator.java:167)
      at com.sun.identity.saml2.profile.IDPSSOFederate.process(IDPSSOFederate.java:238)
      at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:144)
      at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:104)
      at org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(idpSSOFederate_jsp.java:202)
      at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
      at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:477)
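The following is an added illustration, not OpenAM code, of the two verification patterns the analysis above contrasts: an unchecked decode whose null result reaches Signature.verify (the failure in the stack trace), beside a defensive version that treats a malformed Signature parameter as "invalid signature" and never lets it reach the JCA provider. It assumes java.util.Base64 as the decoder and wraps it in a hypothetical lenientDecode() that returns null on bad input, to stand in for the null-returning decoder the ticket describes; the method names verifyUnchecked/verifyChecked and the sample query string are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;

/**
 * Added example (not OpenAM's QuerySignatureUtil): shows why an unchecked
 * Base64 decode of the Signature parameter ends in a NullPointerException
 * inside java.security.Signature.verify, and how a defensive check turns
 * the same input into a plain "invalid signature" result.
 */
public class SignatureParamCheck {

    // Hypothetical stand-in for a decoder that returns null on invalid input,
    // as the ticket describes for the decoder used by QuerySignatureUtil.
    static byte[] lenientDecode(String s) {
        try {
            return Base64.getDecoder().decode(s);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    // Pattern described in the ticket: the decode result is never checked,
    // so a null byte[] reaches Signature.verify and the RSA provider throws NPE.
    static boolean verifyUnchecked(PublicKey key, byte[] signedData, String sigParam)
            throws Exception {
        byte[] sig = lenientDecode(sigParam);
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(signedData);
        return verifier.verify(sig); // NullPointerException when sig == null
    }

    // Defensive variant: strict decode, reject null/empty, and map any
    // SignatureException from the provider to "invalid" rather than a crash.
    static boolean verifyChecked(PublicKey key, byte[] signedData, String sigParam)
            throws Exception {
        if (sigParam == null || sigParam.isEmpty()) {
            return false;
        }
        byte[] sig;
        try {
            sig = Base64.getDecoder().decode(sigParam);
        } catch (IllegalArgumentException e) {
            return false; // not valid Base64: an invalid signature, not an exception
        }
        if (sig.length == 0) {
            return false;
        }
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(signedData);
        try {
            return verifier.verify(sig);
        } catch (SignatureException e) {
            return false; // decoded but malformed (e.g. wrong length for the key)
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample of the signed portion of a redirect-binding query string.
        byte[] data = ("SAMLRequest=PLACEHOLDER&RelayState=x"
                + "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256")
                .getBytes(StandardCharsets.UTF_8);

        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(data);
        String intact = Base64.getEncoder().encodeToString(signer.sign());
        String truncated = intact.substring(0, intact.length() - 1); // repro step 2: drop one character
        String appended = intact + "!";                              // a character appended after the padding

        System.out.println("checked, intact    : " + verifyChecked(kp.getPublic(), data, intact));
        System.out.println("checked, truncated : " + verifyChecked(kp.getPublic(), data, truncated));
        System.out.println("checked, appended  : " + verifyChecked(kp.getPublic(), data, appended));
        try {
            verifyUnchecked(kp.getPublic(), data, appended);
        } catch (NullPointerException e) {
            System.out.println("unchecked, appended: NullPointerException (the failure in the ticket)");
        }
    }
}
```

Running it with a recent JDK prints true for the intact signature and false for both tampered variants through verifyChecked, while verifyUnchecked on the appended-character variant reproduces the NullPointerException from the stack trace; the point of the checked version is that every way a Signature parameter can be malformed (bad Base64, empty, wrong length) collapses into the same boolean result the caller already handles for an ordinary bad signature.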




            Assignee: Unassigned
            Reporter: Petr Kadlec (petr.kadlec)