Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SAML2 new model validation: Signature #2961

Merged
merged 24 commits into from
Nov 8, 2024
Merged

SAML2 new model validation: Signature #2961

Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
24 commits
Select commit Hold shift + click to select a range
f92bafe
Added XmlValidationError. Added ValidationError property to XmlValida…
iNinja Oct 31, 2024
b141a1a
Added alternative versions using ValidationParameters to XML signatur…
iNinja Oct 31, 2024
9731a37
Added XmlValidationFailure to ValidationFailureType
iNinja Oct 31, 2024
5e106f7
Merge branch 'dev' into iinglese/new-model-validation-for-saml-signature
iNinja Oct 31, 2024
08a2f19
Added refactored ValidateSignature method to SamlSecurityTokenHandler.
iNinja Oct 31, 2024
5fee17a
Added tests to compare signature validation between the legacy and ne…
iNinja Oct 31, 2024
f9aeac7
Re-added API lost in merge to InternalAPI.Unshipped.txt
iNinja Oct 31, 2024
ccae551
Migrated refactored ValidateSignature from SamlSecurityTokenHandler t…
iNinja Nov 1, 2024
bdb6133
Updated Saml2SecurityTokenHandler's ValidateTokenAsync to validate si…
iNinja Nov 1, 2024
668eae3
Added tests
iNinja Nov 1, 2024
0b505f6
Merge branch 'dev' into iinglese/new-model-validation-for-saml2-signa…
iNinja Nov 1, 2024
0487e34
Merge branch 'dev' into iinglese/new-model-validation-for-saml2-signa…
iNinja Nov 2, 2024
0dd0f5b
Merge branch 'dev' into iinglese/new-model-validation-for-saml2-signa…
iNinja Nov 4, 2024
3f58a63
Merge branch 'dev' into iinglese/new-model-validation-for-saml2-signa…
iNinja Nov 4, 2024
0a7d1c4
Update src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTok…
iNinja Nov 4, 2024
6bc69cd
Addressed PR feedback in both SAML and SAML2 signature validations to…
iNinja Nov 5, 2024
3560e15
Merge branch 'dev' into iinglese/new-model-validation-for-saml2-signa…
iNinja Nov 5, 2024
9c505b6
Optimised signature validation in SAML and SAML2 for the expected mos…
iNinja Nov 5, 2024
b00716c
Removed debug information
iNinja Nov 5, 2024
c95968b
Merge branch 'dev' into iinglese/new-model-validation-for-saml2-signa…
iNinja Nov 6, 2024
3eef64e
Addressed PR feedback
iNinja Nov 7, 2024
7116d24
Addressed PR feedback
iNinja Nov 8, 2024
2b86734
Merge branch 'dev' into iinglese/new-model-validation-for-saml2-signa…
iNinja Nov 8, 2024
e726b75
Merge branch 'dev' into iinglese/new-model-validation-for-saml2-signa…
iNinja Nov 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions src/Microsoft.IdentityModel.Tokens.Saml/InternalAPI.Unshipped.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@ static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrame
static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.IssuerValidationFailed -> System.Diagnostics.StackFrame
static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.LifetimeValidationFailed -> System.Diagnostics.StackFrame
static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.OneTimeUseValidationFailed -> System.Diagnostics.StackFrame
static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.SignatureValidationFailed -> System.Diagnostics.StackFrame
static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.TokenNull -> System.Diagnostics.StackFrame
static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.TokenValidationParametersNull -> System.Diagnostics.StackFrame
static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateSignature(Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityToken samlToken, Microsoft.IdentityModel.Tokens.ValidationParameters validationParameters, Microsoft.IdentityModel.Tokens.CallContext callContext) -> Microsoft.IdentityModel.Tokens.ValidationResult<Microsoft.IdentityModel.Tokens.SecurityKey>
virtual Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateConditions(Microsoft.IdentityModel.Tokens.Saml.SamlSecurityToken samlToken, Microsoft.IdentityModel.Tokens.ValidationParameters validationParameters, Microsoft.IdentityModel.Tokens.CallContext callContext) -> Microsoft.IdentityModel.Tokens.ValidationResult<Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidatedConditions>
168 changes: 168 additions & 0 deletions src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateSignature.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,168 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

using System.Collections.Generic;
using System.Diagnostics;
using System.Text;
using Microsoft.IdentityModel.Tokens.Saml;
using Microsoft.IdentityModel.Xml;
using TokenLogMessages = Microsoft.IdentityModel.Tokens.LogMessages;

#nullable enable
namespace Microsoft.IdentityModel.Tokens.Saml2
{
public partial class Saml2SecurityTokenHandler : SecurityTokenHandler
{
internal static ValidationResult<SecurityKey> ValidateSignature(
Saml2SecurityToken samlToken,
ValidationParameters validationParameters,
#pragma warning disable CA1801 // Review unused parameters
CallContext callContext)
#pragma warning restore CA1801 // Review unused parameters
{
if (samlToken is null)
{
return ValidationError.NullParameter(
nameof(samlToken),
new StackFrame(true));
}

if (validationParameters is null)
{
return ValidationError.NullParameter(
nameof(validationParameters),
new StackFrame(true));
iNinja marked this conversation as resolved.
Show resolved Hide resolved
}

// Delegate is set by the user, we call it and return the result.
if (validationParameters.SignatureValidator is not null)
iNinja marked this conversation as resolved.
Show resolved Hide resolved
return validationParameters.SignatureValidator(samlToken, validationParameters, null, callContext);

// If the user wants to accept unsigned tokens, they must implement the delegate
iNinja marked this conversation as resolved.
Show resolved Hide resolved
if (samlToken.Assertion.Signature is null)
iNinja marked this conversation as resolved.
Show resolved Hide resolved
return new XmlValidationError(
new MessageDetail(
TokenLogMessages.IDX10504,
samlToken.Assertion.CanonicalString),
ValidationFailureType.SignatureValidationFailed,
iNinja marked this conversation as resolved.
Show resolved Hide resolved
typeof(SecurityTokenValidationException),
new StackFrame(true));

IList<SecurityKey>? keys = null;
brentschmaltz marked this conversation as resolved.
Show resolved Hide resolved
SecurityKey? resolvedKey = null;
bool keyMatched = false;

if (validationParameters.IssuerSigningKeyResolver is not null)
{
resolvedKey = validationParameters.IssuerSigningKeyResolver(
samlToken.Assertion.CanonicalString,
samlToken,
samlToken.Assertion.Signature.KeyInfo?.Id,
validationParameters,
null,
callContext);
}
else
iNinja marked this conversation as resolved.
Show resolved Hide resolved
{
resolvedKey = SamlTokenUtilities.ResolveTokenSigningKey(samlToken.Assertion.Signature.KeyInfo, validationParameters);
}

if (resolvedKey is null)
{
if (validationParameters.TryAllIssuerSigningKeys)
keys = validationParameters.IssuerSigningKeys;
}
else
{
keys = [resolvedKey];
iNinja marked this conversation as resolved.
Show resolved Hide resolved
keyMatched = true;
}

bool canMatchKey = samlToken.Assertion.Signature.KeyInfo != null;
List<ValidationError> errors = new();
iNinja marked this conversation as resolved.
Show resolved Hide resolved
StringBuilder keysAttempted = new();
iNinja marked this conversation as resolved.
Show resolved Hide resolved

if (keys is not null)
iNinja marked this conversation as resolved.
Show resolved Hide resolved
{
for (int i = 0; i < keys.Count; i++)
{
SecurityKey key = keys[i];
iNinja marked this conversation as resolved.
Show resolved Hide resolved
ValidationResult<string> algorithmValidationResult = validationParameters.AlgorithmValidator(
samlToken.Assertion.Signature.SignedInfo.SignatureMethod,
key,
samlToken,
validationParameters,
callContext);

if (!algorithmValidationResult.IsValid)
{
errors.Add(algorithmValidationResult.UnwrapError());
}
else
{
var validationError = samlToken.Assertion.Signature.Verify(
iNinja marked this conversation as resolved.
Show resolved Hide resolved
key,
validationParameters.CryptoProviderFactory ?? key.CryptoProviderFactory,
callContext);

if (validationError is null)
{
samlToken.SigningKey = key;

return key;
}
else
{
errors.Add(validationError.AddStackFrame(new StackFrame()));
iNinja marked this conversation as resolved.
Show resolved Hide resolved
}
}

keysAttempted.Append(key.ToString());
if (canMatchKey && !keyMatched && key.KeyId is not null && samlToken.Assertion.Signature.KeyInfo is not null)
keyMatched = samlToken.Assertion.Signature.KeyInfo.MatchesKey(key);
}
}

if (canMatchKey && keyMatched)
msbw2 marked this conversation as resolved.
Show resolved Hide resolved
return new XmlValidationError(
new MessageDetail(
TokenLogMessages.IDX10514,
keysAttempted.ToString(),
samlToken.Assertion.Signature.KeyInfo,
GetErrorStrings(errors),
samlToken),
ValidationFailureType.SignatureValidationFailed,
typeof(SecurityTokenInvalidSignatureException),
new StackFrame(true));

if (keysAttempted.Length > 0)
msbw2 marked this conversation as resolved.
Show resolved Hide resolved
return new XmlValidationError(
new MessageDetail(
TokenLogMessages.IDX10512,
keysAttempted.ToString(),
GetErrorStrings(errors),
samlToken),
ValidationFailureType.SignatureValidationFailed,
typeof(SecurityTokenSignatureKeyNotFoundException),
new StackFrame(true));

return new XmlValidationError(
new MessageDetail(TokenLogMessages.IDX10500),
ValidationFailureType.SignatureValidationFailed,
typeof(SecurityTokenSignatureKeyNotFoundException),
new StackFrame(true));
}

private static string GetErrorStrings(List<ValidationError> errors)
{
StringBuilder sb = new();
iNinja marked this conversation as resolved.
Show resolved Hide resolved
for (int i = 0; i < errors.Count; i++)
{
sb.AppendLine(errors[i].ToString());
}

return sb.ToString();
}
}
}
#nullable restore
7 changes: 7 additions & 0 deletions ...osoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.Internal.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,13 @@ internal async Task<ValidationResult<ValidatedToken>> ValidateTokenAsync(
return validatedIssuerResult.UnwrapError().AddStackFrame(StackFrames.IssuerValidationFailed);
}

var signatureValidationResult = ValidateSignature(samlToken, validationParameters, callContext);
if (!signatureValidationResult.IsValid)
{
StackFrames.SignatureValidationFailed ??= new StackFrame(true);
iNinja marked this conversation as resolved.
Show resolved Hide resolved
return signatureValidationResult.UnwrapError().AddStackFrame(StackFrames.SignatureValidationFailed);
}

return new ValidatedToken(samlToken, this, validationParameters);
}

Expand Down
3 changes: 2 additions & 1 deletion ...ft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.StackFrames.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,12 +14,13 @@ internal static class StackFrames
// Stack frames from ValidateTokenAsync using SecurityToken
internal static StackFrame? TokenNull;
internal static StackFrame? TokenValidationParametersNull;
internal static StackFrame? IssuerValidationFailed;
internal static StackFrame? SignatureValidationFailed;

// Stack frames from ValidateConditions
internal static StackFrame? AudienceValidationFailed;
internal static StackFrame? AssertionNull;
internal static StackFrame? AssertionConditionsNull;
internal static StackFrame? IssuerValidationFailed;
internal static StackFrame? AssertionConditionsValidationFailed;
internal static StackFrame? LifetimeValidationFailed;
internal static StackFrame? OneTimeUseValidationFailed;
Expand Down
Loading
Loading