From 2502d79b6152b54aeb09a8a65d818cc9674f07fc Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 14 Feb 2019 13:40:30 +0100 Subject: update signature validation in SAML2 Redirect-Binding --- .../verification/PVPAuthRequestSignedRole.java | 23 +++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) (limited to 'eaaf_modules') diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PVPAuthRequestSignedRole.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PVPAuthRequestSignedRole.java index 6a5886a7..6d5fdff8 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PVPAuthRequestSignedRole.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PVPAuthRequestSignedRole.java @@ -26,6 +26,8 @@ *******************************************************************************/ package at.gv.egiz.eaaf.modules.pvp2.impl.verification; +import java.util.List; + import org.opensaml.common.binding.SAMLMessageContext; import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule; import org.opensaml.ws.transport.http.HTTPInTransport; @@ -41,13 +43,24 @@ public class PVPAuthRequestSignedRole extends SAML2AuthnRequestsSignedRule { protected boolean isMessageSigned(SAMLMessageContext messageContext) { // This handles HTTP-Redirect and HTTP-POST-SimpleSign bindings. HTTPInTransport inTransport = (HTTPInTransport) messageContext.getInboundMessageTransport(); - String sigParam = inTransport.getParameterValue("Signature"); - boolean isSigned = !DatatypeHelper.isEmpty(sigParam); - String sigAlgParam = inTransport.getParameterValue("SigAlg"); - boolean isSigAlgExists = !DatatypeHelper.isEmpty(sigAlgParam); + //Check signature parameter exists only once and is not empty + List sigParam = inTransport.getParameterValues("Signature"); + boolean isValidSigned = sigParam.size() == 1 && !DatatypeHelper.isEmpty(sigParam.get(0)); + + //Check signature-algorithm parameter exists only once and is not empty + List sigAlgParam = inTransport.getParameterValues("SigAlg"); + boolean isValidSigAlgExists = sigAlgParam.size() == 1 && !DatatypeHelper.isEmpty(sigAlgParam.get(0)); + + //Check signature-content parameter exists only once and is not empty + List samlReqParam = inTransport.getParameterValues("SAMLRequest"); + List samlRespParam = inTransport.getParameterValues("SAMLResponse"); + boolean isValidContent = ( ( samlReqParam.size() == 1 && !DatatypeHelper.isEmpty(samlReqParam.get(0)) ) + || ( samlRespParam.size() == 1 && !DatatypeHelper.isEmpty(samlRespParam.get(0)) ) + ) && !(samlReqParam.size() == 1 && samlRespParam.size() == 1) + ; - return isSigned && isSigAlgExists; + return isValidSigned && isValidSigAlgExists && isValidContent; } } -- cgit v1.2.3