Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support signing SAML metadata #14916

Merged
merged 1 commit into from
May 31, 2024
Merged

Support signing SAML metadata #14916

merged 1 commit into from
May 31, 2024
+344 −2

Conversation

CrazyParanoid
Copy link

Closes gh-14801

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 17, 2024
jzheaux
jzheaux requested changes Apr 17, 2024
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @CrazyParanoid! I've left some feedback inline.

...a/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolver.java Show resolved Hide resolved
...a/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolver.java Outdated Show resolved Hide resolved
...a/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolver.java Outdated Show resolved Hide resolved
@jzheaux jzheaux changed the title Add support sign SAML metadata Add signing SAML metadata Apr 17, 2024
@jzheaux jzheaux changed the title Add signing SAML metadata Support signing SAML metadata Apr 17, 2024
@CrazyParanoid
Copy link
Author

Hi @jzheaux ! Thanks for your feedback. All your comments have been resolved.

@jzheaux jzheaux added this to the 6.4.0-M1 milestone Apr 18, 2024
@jzheaux jzheaux added type: enhancement A general enhancement in: saml2 An issue in SAML2 modules and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 18, 2024
@longgt
Copy link

longgt commented May 2, 2024

@CrazyParanoid thanks for your contribution.
Regarding to Signing with OpenSAML here, the final hash should be computed right after we did marshal the EntityDescriptor at below method

spring-security/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolver.java

Line 215 in e92dd02

private String serialize(EntityDescriptor entityDescriptor) {

If we sign EntityDescriptor before calling OpenSamlMetadataResolver.serialize, the marshaller in there will create a brand new XMLSignature object.
It causes the 2 signature elements in below serialized with empty content

<ds:DigestValue/>
<ds:SignatureValue/>

Where it should be

<ds:DigestValue>digest signature</ds:DigestValue>
<ds:SignatureValue>signature value</ds:SignatureValue>

https://github.com/alexo/SAML-2.0/blob/96363df652cff76cd7a04f200a7f58b988b7bfe7/java-opensaml/opensaml-xmlsec-impl/src/main/java/org/opensaml/xml/signature/impl/SignatureMarshaller.java#L99

Beside that, the test case is check only whether DigestValue and SignatureValue is existing or not.
It's better to check whether it contains value or not, in my opinion.

I noted all debug steps at my environment (with Spring Security 6.2.2) here
#13661 (comment)

Please correct if I misunderstood this situation.
Thanks.

@CrazyParanoid
Copy link
Author

Hi @longgt ! In the resolveWhenRelyingPartyAndSignMetadataSetThenMetadataMatches test the xml is serialized with:

<ds:DigestValue>K411jmOwS83oyZ5LDpixHzwmvi6dbmd/GAT2sW2Pdyc=</ds:DigestValue>
<ds:SignatureValue>
DQfd3Gl+04LYqDYEk3O7zwuDbA940PAA3F+BVQxSF+7QdmIEykaSL5Kj+kg3DGtpUgbQPwC7SyRz&#13;
hkTZ78v9JzNu1SP8rx5DxyrdRNS51LOQLQP1qFMeSjzEi1TXlHtp0Z35qF2dAycnIty4oZFk2zNk&#13;
Uvm2N1DkAtC5XSqKssI=
</ds:SignatureValue>

I can add a value check to the test, but apparently there is no problem here.

@jzheaux jzheaux merged commit 801e808 into spring-projects:main May 31, 2024
3 checks passed
@jzheaux
Copy link
Contributor

jzheaux commented May 31, 2024

Thanks, @CrazyParanoid! This is now merged into main and will go out in the next milestone release.

@jzheaux
Copy link
Contributor

jzheaux commented May 31, 2024

Because I think this may become the default in the future, I made a polish of 6695784 to notify that metadata is unsigned.

@jzheaux jzheaux mentioned this pull request May 31, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jzheaux jzheaux jzheaux approved these changes

Assignees

@jzheaux jzheaux

Labels
in: saml2 An issue in SAML2 modules type: enhancement A general enhancement
Projects
None yet
Milestone
6.4.0-M1
Development

Successfully merging this pull request may close these issues.

Sign SP Metadata
4 participants
@CrazyParanoid @longgt @jzheaux @spring-projects-issues