Not signing AuthnRequest and not expecting AuthnRequest to be signed. Furthermore, if an AuthnRequest is signed the signature is not verified.

Revsgaard · Revsgaard · commit 0c60bb5744af · 2016-10-10T17:02:48.000+02:00
diff --git a/src/ITfoxtec.Identity.Saml2/Bindings/Saml2PostBinding.cs b/src/ITfoxtec.Identity.Saml2/Bindings/Saml2PostBinding.cs
@@ -32,7 +32,7 @@ protected override Saml2PostBinding BindInternal(Saml2Request saml2RequestRespon
         {
             BindInternal(saml2RequestResponse);
 
-            if (saml2RequestResponse.Config.SigningCertificate != null)
+            if (!(saml2RequestResponse is Saml2AuthnRequest) && saml2RequestResponse.Config.SigningCertificate != null)
             {
                 Cryptography.SignatureAlgorithm.ValidateAlgorithm(saml2RequestResponse.Config.SignatureAlgorithm);
                 XmlDocument = XmlDocument.SignDocument(saml2RequestResponse.Config.SigningCertificate, saml2RequestResponse.Config.SignatureAlgorithm, CertificateIncludeOption, saml2RequestResponse.Id.Value);
@@ -66,7 +66,7 @@ you must press the Continue button once to proceed.
             yield return string.Format(
 @"<input type=""hidden"" name=""{0}"" value=""{1}""/>", messageName, Convert.ToBase64String(Encoding.UTF8.GetBytes(XmlDocument.OuterXml)));
 
-            if(!string.IsNullOrWhiteSpace(RelayState))
+            if (!string.IsNullOrWhiteSpace(RelayState))
             {
                 yield return string.Format(
 @"<input type=""hidden"" name=""{0}"" value=""{1}""/>", Saml2Constants.Message.RelayState, RelayState);
diff --git a/src/ITfoxtec.Identity.Saml2/Bindings/Saml2RedirectBinding.cs b/src/ITfoxtec.Identity.Saml2/Bindings/Saml2RedirectBinding.cs
@@ -24,14 +24,14 @@ protected override Saml2RedirectBinding BindInternal(Saml2Request saml2RequestRe
         {
             base.BindInternal(saml2RequestResponse);
 
-            if (saml2RequestResponse.Config.SigningCertificate != null)
+            if (!(saml2RequestResponse is Saml2AuthnRequest) && saml2RequestResponse.Config.SigningCertificate != null)
             {
                 Cryptography.SignatureAlgorithm.ValidateAlgorithm(saml2RequestResponse.Config.SignatureAlgorithm);
                 SignatureAlgorithm = saml2RequestResponse.Config.SignatureAlgorithm;
             }
 
-            var requestQueryString = string.Join("&", RequestQueryString(saml2RequestResponse.Config.SigningCertificate, messageName));
-            if (saml2RequestResponse.Config.SigningCertificate != null)
+            var requestQueryString = string.Join("&", RequestQueryString(saml2RequestResponse, messageName));
+            if (!(saml2RequestResponse is Saml2AuthnRequest) && saml2RequestResponse.Config.SigningCertificate != null)
             {
                 requestQueryString = SigneQueryString(requestQueryString, saml2RequestResponse.Config.SigningCertificate);
             }
@@ -40,7 +40,7 @@ protected override Saml2RedirectBinding BindInternal(Saml2Request saml2RequestRe
 
             return this;
         }
-        
+
         private string SigneQueryString(string queryString, X509Certificate2 signingCertificate)
         {
             var saml2Signed = new Saml2SignedText(signingCertificate, SignatureAlgorithm);
@@ -49,7 +49,7 @@ private string SigneQueryString(string queryString, X509Certificate2 signingCert
             return string.Join("&", queryString, string.Join("=", Saml2Constants.Message.Signature, Uri.EscapeDataString(Signature)));
         }
 
-        private IEnumerable<string> RequestQueryString(X509Certificate2 signingCertificate, string messageName)
+        private IEnumerable<string> RequestQueryString(Saml2Request saml2RequestResponse, string messageName)
         {
             yield return string.Join("=", messageName, Uri.EscapeDataString(CompressRequest()));
 
@@ -58,7 +58,7 @@ private IEnumerable<string> RequestQueryString(X509Certificate2 signingCertifica
                 yield return string.Join("=", Saml2Constants.Message.RelayState, Uri.EscapeDataString(RelayState));
             }
 
-            if(signingCertificate != null)
+            if (!(saml2RequestResponse is Saml2AuthnRequest) && saml2RequestResponse.Config.SigningCertificate != null)
             {
                 yield return string.Join("=", Saml2Constants.Message.SigAlg, Uri.EscapeDataString(SignatureAlgorithm));
             }
@@ -88,12 +88,13 @@ protected override Saml2Request UnbindInternal(HttpRequest request, Saml2Request
             if (!request.Query.AllKeys.Contains(messageName))
                 throw new Saml2BindingException("HTTP Query String does not contain " + messageName);
 
-            if (saml2RequestResponse.Config.SignatureValidationCertificates != null && saml2RequestResponse.Config.SignatureValidationCertificates.Count() > 0)
+            if (!(saml2RequestResponse is Saml2AuthnRequest) &&
+                saml2RequestResponse.Config.SignatureValidationCertificates != null && saml2RequestResponse.Config.SignatureValidationCertificates.Count() > 0)
             {
-                if(!request.Query.AllKeys.Contains(Saml2Constants.Message.Signature))
+                if (!request.Query.AllKeys.Contains(Saml2Constants.Message.Signature))
                     throw new Saml2BindingException("HTTP Query String does not contain " + Saml2Constants.Message.Signature);
 
-                if(!request.Query.AllKeys.Contains(Saml2Constants.Message.SigAlg))
+                if (!request.Query.AllKeys.Contains(Saml2Constants.Message.SigAlg))
                     throw new Saml2BindingException("HTTP Query String does not contain " + Saml2Constants.Message.SigAlg);
             }
 
@@ -102,7 +103,8 @@ protected override Saml2Request UnbindInternal(HttpRequest request, Saml2Request
                 RelayState = request.Query[Saml2Constants.Message.RelayState];
             }
 
-            if (saml2RequestResponse.Config.SignatureValidationCertificates != null && saml2RequestResponse.Config.SignatureValidationCertificates.Count() > 0)
+            if (!(saml2RequestResponse is Saml2AuthnRequest) &&
+                saml2RequestResponse.Config.SignatureValidationCertificates != null && saml2RequestResponse.Config.SignatureValidationCertificates.Count() > 0)
             {
                 var actualAignatureAlgorithm = request.Query[Saml2Constants.Message.SigAlg];
                 if (saml2RequestResponse.Config.SignatureAlgorithm == null)
diff --git a/src/ITfoxtec.Identity.Saml2/Request/Saml2Request.cs b/src/ITfoxtec.Identity.Saml2/Request/Saml2Request.cs
@@ -17,7 +17,7 @@ namespace ITfoxtec.Identity.Saml2
     /// Generic Saml2 Request.
     /// </summary>
     public abstract class Saml2Request
-    {        
+    {
         public Saml2Configuration Config { get; protected set; }
 
         public XmlDocument XmlDocument { get; protected set; }
@@ -105,7 +105,7 @@ public string IdAsString
 
         public IEnumerable<X509Certificate2> SignatureValidationCertificates { get; set; }
 
-        public string SignatureAlgorithm { get; set; }     
+        public string SignatureAlgorithm { get; set; }
 
         internal IdentityConfiguration IdentityConfiguration { get; private set; }
 
@@ -151,7 +151,7 @@ protected virtual IEnumerable<XObject> GetXContent()
             if (Extensions != null)
             {
                 yield return Extensions.ToXElement();
-            }            
+            }
         }
 
         public abstract XmlDocument ToXml();
@@ -161,7 +161,7 @@ protected internal virtual void Read(string xml, bool validateXmlSignature)
 #if DEBUG
             Debug.WriteLine("Saml2P: " + xml);
 #endif
-            
+
             XmlDocument = xml.ToXmlDocument();
 
             if (XmlDocument.DocumentElement.NamespaceURI != Saml2Constants.ProtocolNamespace.OriginalString)
@@ -186,14 +186,14 @@ protected internal virtual void Read(string xml, bool validateXmlSignature)
             Destination = XmlDocument.DocumentElement.Attributes[Saml2Constants.Message.Destination].GetValueOrNull<Uri>();
 
             var extensionsData = XmlDocument.DocumentElement[Saml2Constants.Message.Extensions, Saml2Constants.ProtocolNamespace.OriginalString].GetValueOrNull<string>();
-            if(extensionsData != null)
+            if (extensionsData != null)
             {
                 Extensions = new Schemas.Extensions { Data = extensionsData };
             }
 
             DecryptMessage();
 
-            if (validateXmlSignature)
+            if (!(this is Saml2AuthnRequest) && validateXmlSignature)
             {
                 ValidateXmlSignature();
             }
@@ -212,25 +212,25 @@ protected virtual XmlElement GetAssertionElement()
         private void ValidateXmlSignature()
         {
             var assertionElement = GetAssertionElement();
-            if(assertionElement == null)
+            if (assertionElement == null)
             {
                 if (ValidateXmlSignature(XmlDocument.DocumentElement) != SignatureValidation.Valid)
-                    throw new Saml2RequestException("Signature is invalid.");                
+                    throw new Saml2RequestException("Signature is invalid.");
             }
             else
             {
                 var documentValidationResult = ValidateXmlSignature(XmlDocument.DocumentElement);
                 var assertionValidationResult = ValidateXmlSignature(assertionElement);
-                if (documentValidationResult == SignatureValidation.Invalid || assertionValidationResult == SignatureValidation.Invalid || 
+                if (documentValidationResult == SignatureValidation.Invalid || assertionValidationResult == SignatureValidation.Invalid ||
                     !(documentValidationResult == SignatureValidation.Valid || assertionValidationResult == SignatureValidation.Valid))
                     throw new Saml2RequestException("Signature is invalid.");
-            }            
+            }
         }
 
         protected SignatureValidation ValidateXmlSignature(XmlElement xmlElement)
         {
             var xmlSignatures = xmlElement.SelectNodes($"*[local-name()='{Saml2Constants.Message.Signature}' and namespace-uri()='{Saml2SignedXml.XmlDsigNamespaceUrl}']");
-            if(xmlSignatures.Count == 0)
+            if (xmlSignatures.Count == 0)
             {
                 return SignatureValidation.NotPresent;
             }

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ protected override Saml2PostBinding BindInternal(Saml2Request saml2RequestRespon`
`32`	`32`	`{`
`33`	`33`	`BindInternal(saml2RequestResponse);`
`34`	`34`
`35`		`- if (saml2RequestResponse.Config.SigningCertificate != null)`
	`35`	`+ if (!(saml2RequestResponse is Saml2AuthnRequest) && saml2RequestResponse.Config.SigningCertificate != null)`
`36`	`36`	`{`
`37`	`37`	`Cryptography.SignatureAlgorithm.ValidateAlgorithm(saml2RequestResponse.Config.SignatureAlgorithm);`
`38`	`38`	`XmlDocument = XmlDocument.SignDocument(saml2RequestResponse.Config.SigningCertificate, saml2RequestResponse.Config.SignatureAlgorithm, CertificateIncludeOption, saml2RequestResponse.Id.Value);`
`@@ -66,7 +66,7 @@ you must press the Continue button once to proceed.`
`66`	`66`	`yield return string.Format(`
`67`	`67`	`@"<input type=""hidden"" name=""{0}"" value=""{1}""/>", messageName, Convert.ToBase64String(Encoding.UTF8.GetBytes(XmlDocument.OuterXml)));`
`68`	`68`
`69`		`- if(!string.IsNullOrWhiteSpace(RelayState))`
	`69`	`+ if (!string.IsNullOrWhiteSpace(RelayState))`
`70`	`70`	`{`
`71`	`71`	`yield return string.Format(`
`72`	`72`	`@"<input type=""hidden"" name=""{0}"" value=""{1}""/>", Saml2Constants.Message.RelayState, RelayState);`
Original file line number	Diff line number	Diff line change
`@@ -24,14 +24,14 @@ protected override Saml2RedirectBinding BindInternal(Saml2Request saml2RequestRe`
`24`	`24`	`{`
`25`	`25`	`base.BindInternal(saml2RequestResponse);`
`26`	`26`
`27`		`- if (saml2RequestResponse.Config.SigningCertificate != null)`
	`27`	`+ if (!(saml2RequestResponse is Saml2AuthnRequest) && saml2RequestResponse.Config.SigningCertificate != null)`
`28`	`28`	`{`
`29`	`29`	`Cryptography.SignatureAlgorithm.ValidateAlgorithm(saml2RequestResponse.Config.SignatureAlgorithm);`
`30`	`30`	`SignatureAlgorithm = saml2RequestResponse.Config.SignatureAlgorithm;`
`31`	`31`	`}`
`32`	`32`
`33`		`- var requestQueryString = string.Join("&", RequestQueryString(saml2RequestResponse.Config.SigningCertificate, messageName));`
`34`		`- if (saml2RequestResponse.Config.SigningCertificate != null)`
	`33`	`+ var requestQueryString = string.Join("&", RequestQueryString(saml2RequestResponse, messageName));`
	`34`	`+ if (!(saml2RequestResponse is Saml2AuthnRequest) && saml2RequestResponse.Config.SigningCertificate != null)`
`35`	`35`	`{`
`36`	`36`	`requestQueryString = SigneQueryString(requestQueryString, saml2RequestResponse.Config.SigningCertificate);`
`37`	`37`	`}`
`@@ -40,7 +40,7 @@ protected override Saml2RedirectBinding BindInternal(Saml2Request saml2RequestRe`
`40`	`40`
`41`	`41`	`return this;`
`42`	`42`	`}`
`43`		`-`
	`43`	`+`
`44`	`44`	`private string SigneQueryString(string queryString, X509Certificate2 signingCertificate)`
`45`	`45`	`{`
`46`	`46`	`var saml2Signed = new Saml2SignedText(signingCertificate, SignatureAlgorithm);`
`@@ -49,7 +49,7 @@ private string SigneQueryString(string queryString, X509Certificate2 signingCert`
`49`	`49`	`return string.Join("&", queryString, string.Join("=", Saml2Constants.Message.Signature, Uri.EscapeDataString(Signature)));`
`50`	`50`	`}`
`51`	`51`
`52`		`- private IEnumerable<string> RequestQueryString(X509Certificate2 signingCertificate, string messageName)`
	`52`	`+ private IEnumerable<string> RequestQueryString(Saml2Request saml2RequestResponse, string messageName)`
`53`	`53`	`{`
`54`	`54`	`yield return string.Join("=", messageName, Uri.EscapeDataString(CompressRequest()));`
`55`	`55`
`@@ -58,7 +58,7 @@ private IEnumerable<string> RequestQueryString(X509Certificate2 signingCertifica`
`58`	`58`	`yield return string.Join("=", Saml2Constants.Message.RelayState, Uri.EscapeDataString(RelayState));`
`59`	`59`	`}`
`60`	`60`
`61`		`- if(signingCertificate != null)`
	`61`	`+ if (!(saml2RequestResponse is Saml2AuthnRequest) && saml2RequestResponse.Config.SigningCertificate != null)`
`62`	`62`	`{`
`63`	`63`	`yield return string.Join("=", Saml2Constants.Message.SigAlg, Uri.EscapeDataString(SignatureAlgorithm));`
`64`	`64`	`}`
`@@ -88,12 +88,13 @@ protected override Saml2Request UnbindInternal(HttpRequest request, Saml2Request`
`88`	`88`	`if (!request.Query.AllKeys.Contains(messageName))`
`89`	`89`	`throw new Saml2BindingException("HTTP Query String does not contain " + messageName);`
`90`	`90`
`91`		`- if (saml2RequestResponse.Config.SignatureValidationCertificates != null && saml2RequestResponse.Config.SignatureValidationCertificates.Count() > 0)`
	`91`	`+ if (!(saml2RequestResponse is Saml2AuthnRequest) &&`
	`92`	`+ saml2RequestResponse.Config.SignatureValidationCertificates != null && saml2RequestResponse.Config.SignatureValidationCertificates.Count() > 0)`
`92`	`93`	`{`
`93`		`- if(!request.Query.AllKeys.Contains(Saml2Constants.Message.Signature))`
	`94`	`+ if (!request.Query.AllKeys.Contains(Saml2Constants.Message.Signature))`
`94`	`95`	`throw new Saml2BindingException("HTTP Query String does not contain " + Saml2Constants.Message.Signature);`
`95`	`96`
`96`		`- if(!request.Query.AllKeys.Contains(Saml2Constants.Message.SigAlg))`
	`97`	`+ if (!request.Query.AllKeys.Contains(Saml2Constants.Message.SigAlg))`
`97`	`98`	`throw new Saml2BindingException("HTTP Query String does not contain " + Saml2Constants.Message.SigAlg);`
`98`	`99`	`}`
`99`	`100`
`@@ -102,7 +103,8 @@ protected override Saml2Request UnbindInternal(HttpRequest request, Saml2Request`
`102`	`103`	`RelayState = request.Query[Saml2Constants.Message.RelayState];`
`103`	`104`	`}`
`104`	`105`
`105`		`- if (saml2RequestResponse.Config.SignatureValidationCertificates != null && saml2RequestResponse.Config.SignatureValidationCertificates.Count() > 0)`
	`106`	`+ if (!(saml2RequestResponse is Saml2AuthnRequest) &&`
	`107`	`+ saml2RequestResponse.Config.SignatureValidationCertificates != null && saml2RequestResponse.Config.SignatureValidationCertificates.Count() > 0)`
`106`	`108`	`{`
`107`	`109`	`var actualAignatureAlgorithm = request.Query[Saml2Constants.Message.SigAlg];`
`108`	`110`	`if (saml2RequestResponse.Config.SignatureAlgorithm == null)`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ namespace ITfoxtec.Identity.Saml2`
`17`	`17`	`/// Generic Saml2 Request.`
`18`	`18`	`/// </summary>`
`19`	`19`	`public abstract class Saml2Request`
`20`		`- {`
	`20`	`+ {`
`21`	`21`	`public Saml2Configuration Config { get; protected set; }`
`22`	`22`
`23`	`23`	`public XmlDocument XmlDocument { get; protected set; }`
`@@ -105,7 +105,7 @@ public string IdAsString`
`105`	`105`
`106`	`106`	`public IEnumerable<X509Certificate2> SignatureValidationCertificates { get; set; }`
`107`	`107`
`108`		`- public string SignatureAlgorithm { get; set; }`
	`108`	`+ public string SignatureAlgorithm { get; set; }`
`109`	`109`
`110`	`110`	`internal IdentityConfiguration IdentityConfiguration { get; private set; }`
`111`	`111`
`@@ -151,7 +151,7 @@ protected virtual IEnumerable<XObject> GetXContent()`
`151`	`151`	`if (Extensions != null)`
`152`	`152`	`{`
`153`	`153`	`yield return Extensions.ToXElement();`
`154`		`- }`
	`154`	`+ }`
`155`	`155`	`}`
`156`	`156`
`157`	`157`	`public abstract XmlDocument ToXml();`
`@@ -161,7 +161,7 @@ protected internal virtual void Read(string xml, bool validateXmlSignature)`
`161`	`161`	`#if DEBUG`
`162`	`162`	`Debug.WriteLine("Saml2P: " + xml);`
`163`	`163`	`#endif`
`164`		`-`
	`164`	`+`
`165`	`165`	`XmlDocument = xml.ToXmlDocument();`
`166`	`166`
`167`	`167`	`if (XmlDocument.DocumentElement.NamespaceURI != Saml2Constants.ProtocolNamespace.OriginalString)`
`@@ -186,14 +186,14 @@ protected internal virtual void Read(string xml, bool validateXmlSignature)`
`186`	`186`	`Destination = XmlDocument.DocumentElement.Attributes[Saml2Constants.Message.Destination].GetValueOrNull<Uri>();`
`187`	`187`
`188`	`188`	`var extensionsData = XmlDocument.DocumentElement[Saml2Constants.Message.Extensions, Saml2Constants.ProtocolNamespace.OriginalString].GetValueOrNull<string>();`
`189`		`- if(extensionsData != null)`
	`189`	`+ if (extensionsData != null)`
`190`	`190`	`{`
`191`	`191`	`Extensions = new Schemas.Extensions { Data = extensionsData };`
`192`	`192`	`}`
`193`	`193`
`194`	`194`	`DecryptMessage();`
`195`	`195`
`196`		`- if (validateXmlSignature)`
	`196`	`+ if (!(this is Saml2AuthnRequest) && validateXmlSignature)`
`197`	`197`	`{`
`198`	`198`	`ValidateXmlSignature();`
`199`	`199`	`}`
`@@ -212,25 +212,25 @@ protected virtual XmlElement GetAssertionElement()`
`212`	`212`	`private void ValidateXmlSignature()`
`213`	`213`	`{`
`214`	`214`	`var assertionElement = GetAssertionElement();`
`215`		`- if(assertionElement == null)`
	`215`	`+ if (assertionElement == null)`
`216`	`216`	`{`
`217`	`217`	`if (ValidateXmlSignature(XmlDocument.DocumentElement) != SignatureValidation.Valid)`
`218`		`- throw new Saml2RequestException("Signature is invalid.");`
	`218`	`+ throw new Saml2RequestException("Signature is invalid.");`
`219`	`219`	`}`
`220`	`220`	`else`
`221`	`221`	`{`
`222`	`222`	`var documentValidationResult = ValidateXmlSignature(XmlDocument.DocumentElement);`
`223`	`223`	`var assertionValidationResult = ValidateXmlSignature(assertionElement);`
`224`		`- if (documentValidationResult == SignatureValidation.Invalid \|\| assertionValidationResult == SignatureValidation.Invalid \|\|`
	`224`	`+ if (documentValidationResult == SignatureValidation.Invalid \|\| assertionValidationResult == SignatureValidation.Invalid \|\|`
`225`	`225`	`!(documentValidationResult == SignatureValidation.Valid \|\| assertionValidationResult == SignatureValidation.Valid))`
`226`	`226`	`throw new Saml2RequestException("Signature is invalid.");`
`227`		`- }`
	`227`	`+ }`
`228`	`228`	`}`
`229`	`229`
`230`	`230`	`protected SignatureValidation ValidateXmlSignature(XmlElement xmlElement)`
`231`	`231`	`{`
`232`	`232`	`var xmlSignatures = xmlElement.SelectNodes($"*[local-name()='{Saml2Constants.Message.Signature}' and namespace-uri()='{Saml2SignedXml.XmlDsigNamespaceUrl}']");`
`233`		`- if(xmlSignatures.Count == 0)`
	`233`	`+ if (xmlSignatures.Count == 0)`
`234`	`234`	`{`
`235`	`235`	`return SignatureValidation.NotPresent;`
`236`	`236`	`}`