SX Spring Security Extension

SES-51: Invalid signature does not result in failure

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: saml-1.0.0.RC1
    • Component/s: saml
    • Labels: None

      Description

      In AbstractProfileBase, this method is used to verify the signature of a message:

      protected void verifySignature(Signature signature, String IDPEntityID)
              throws org.opensaml.xml.security.SecurityException, ValidationException {
          SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
          validator.validate(signature);
          CriteriaSet criteriaSet = new CriteriaSet();
          criteriaSet.add(new EntityIDCriteria(IDPEntityID));
          criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
          criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
          log.debug("Verifying signature", signature);
          trustEngine.validate(signature, criteriaSet);   // boolean verdict is discarded
      }

      However, trustEngine.validate (SignatureTrustEngine.validate) returns "false" if the signature is invalid, rather than throwing a ValidationException as I believe this method is expecting. According to the javadoc for this method:

      • @return true if the signature was valid for the provided content
      • @throws SecurityException thrown if there is a problem attempting to verify the signature such as the signature algorithm not being supported
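      The two verifier shapes side by side, as an added illustration for this report (not code from the Spring Security SAML extension or OpenSAML). The OpenSAML types are replaced by minimal constructed stand-ins so the class compiles on its own: TrustEngine mirrors the contract quoted from the javadoc (true = valid, false = invalid, exception = the engine could not evaluate the signature), ValidationException stands in for org.opensaml.xml.validation.ValidationException, and java.security.GeneralSecurityException stands in for org.opensaml.xml.security.SecurityException. The "signed-by:" string format, the entity IDs and the Verifier helper interface are all constructed for the demo.

```java
import java.security.GeneralSecurityException;

/**
 * Added illustration for SES-51; not code from the Spring Security SAML extension or OpenSAML.
 * All types below are constructed stand-ins; only the return-value contract of the trust engine
 * is modelled, not real XML signature verification.
 */
public class SignatureCheckDemo {

    /** Stand-in for org.opensaml.xml.validation.ValidationException (constructed). */
    static class ValidationException extends Exception {
        ValidationException(String message) { super(message); }
    }

    /** Same shape as SignatureTrustEngine.validate: a boolean verdict plus an exception for processing errors. */
    interface TrustEngine {
        boolean validate(String signature, String expectedSignerEntityId) throws GeneralSecurityException;
    }

    /** Helper so both verifier variants can be driven by one loop (constructed for the demo). */
    interface Verifier {
        void verify(String signature, String idpEntityId) throws GeneralSecurityException, ValidationException;
    }

    /**
     * Constructed engine: a "signature" is the string "signed-by:<entityID>" and is trusted only when
     * the signer matches the entity resolved from metadata. The real engine checks the XML signature
     * against the IdP's signing keys; only the verdict/exception contract matters here.
     */
    static final TrustEngine TRUST_ENGINE = (signature, expectedSigner) -> {
        if (!signature.startsWith("signed-by:")) {
            throw new GeneralSecurityException("unsupported signature format"); // cannot evaluate at all
        }
        return signature.equals("signed-by:" + expectedSigner);
    };

    /** Pattern reported in SES-51: the verdict is discarded, so false is indistinguishable from success. */
    static void verifySignatureIgnoringResult(String signature, String idpEntityId)
            throws GeneralSecurityException {
        TRUST_ENGINE.validate(signature, idpEntityId);   // boolean result dropped
    }

    /** Corrected pattern: a false verdict becomes the ValidationException callers already handle. */
    static void verifySignature(String signature, String idpEntityId)
            throws GeneralSecurityException, ValidationException {
        if (!TRUST_ENGINE.validate(signature, idpEntityId)) {
            throw new ValidationException("Signature is not trusted for entity " + idpEntityId);
        }
    }

    /** Runs one verifier against one message and reports whether the message would be accepted. */
    static String outcome(String label, Verifier verifier, String signature, String idpEntityId) {
        try {
            verifier.verify(signature, idpEntityId);
            return label + ": ACCEPTED";
        } catch (ValidationException e) {
            return label + ": REJECTED (" + e.getMessage() + ")";
        } catch (GeneralSecurityException e) {
            return label + ": ERROR (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        String idp = "https://idp.example.org/saml";               // constructed IdP entityID
        String valid = "signed-by:" + idp;                          // constructed: signed by the expected IdP
        String untrusted = "signed-by:https://other.example.net";   // constructed: signed by some other entity
        String garbage = "not-a-signature";                         // constructed: engine cannot evaluate it

        for (String sig : new String[] {valid, untrusted, garbage}) {
            System.out.println("message signature = " + sig);
            System.out.println("  " + outcome("ignore-result", SignatureCheckDemo::verifySignatureIgnoringResult, sig, idp));
            System.out.println("  " + outcome("check-result ", SignatureCheckDemo::verifySignature, sig, idp));
        }
    }
}
```

      Compiled and run as `javac SignatureCheckDemo.java && java SignatureCheckDemo`, the valid message is accepted by both variants and the unparseable one is reported as an error by both, because the engine throws; the message signed by the untrusted entity is the case that separates them: the ignore-result variant accepts it, the check-result variant rejects it. That middle row is the failure mode described in this report: a trust engine that signals "invalid" with a return value rather than an exception is only as good as the caller's handling of that value.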

              People

              • Assignee: vsch Vladimir Schäfer
              • Reporter: philvarner Phil Varner
