From 91671f7592f831c05ccc2bc74fac5a8df04248f7 Mon Sep 17 00:00:00 2001
From: eva
Date: Wed, 10 Jul 2024 11:50:48 +0200
Subject: [PATCH] Fixed problems in decryption

---
 build_request.go | 2 +-
 decode_response.go | 6 ++++++
 saml.go | 7 ++++---
 types/response.go | 2 ++
 4 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/build_request.go b/build_request.go
index 0885c1c..4fe6f34 100644
--- a/build_request.go
+++ b/build_request.go
@@ -171,7 +171,7 @@ func (sp *SAMLServiceProvider) buildAuthURLFromDocument(relayState, binding stri
 qs.Add("RelayState", relayState)
 }
 
- if sp.SignAuthnRequests && binding == BindingHttpRedirect {
+ if ((sp.SignAuthnRequests && binding == BindingHttpRedirect) || sp.IncludeSignatureParameters) {
 // Sign URL encoded query (see Section 3.4.4.1 DEFLATE Encoding of saml-bindings-2.0-os.pdf)
 ctx := sp.SigningContext()
 qs.Add("SigAlg", ctx.GetSignatureMethodIdentifier())
diff --git a/decode_response.go b/decode_response.go
index b3258a0..eff28ac 100644
--- a/decode_response.go
+++ b/decode_response.go
@@ -102,6 +102,9 @@ func xmlUnmarshalElement(el *etree.Element, obj interface{}) error {
 }
 return nil
 }
+func (sp *SAMLServiceProvider) GetDecryptCertificate() (*tls.Certificate, error) {
+ return sp.getDecryptCert()
+}
 
 func (sp *SAMLServiceProvider) getDecryptCert() (*tls.Certificate, error) {
 if sp.SPKeyStore == nil {
@@ -289,6 +292,8 @@ func (sp *SAMLServiceProvider) ValidateEncodedResponse(encodedResponse string) (
 return nil, err
 }
 
+ decrypted := etree.NewDocument()
+ decrypted.SetRoot(el.Copy())
 var assertionSignaturesValidated bool
 if !sp.SkipSignatureValidation {
 err = sp.validateAssertionSignatures(el)
@@ -304,6 +309,7 @@ func (sp *SAMLServiceProvider) ValidateEncodedResponse(encodedResponse string) (
 }
 
 decodedResponse := &types.Response{}
+ decodedResponse.Document = decrypted
 err = xmlUnmarshalElement(el, decodedResponse)
 if err != nil {
 return nil, fmt.Errorf("unable to unmarshal response: %v", err)
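Review bot: The new condition lets `IncludeSignatureParameters` bypass both the `SignAuthnRequests` gate and the `binding == BindingHttpRedirect` check, so `sp.SigningContext()` runs and SigAlg/Signature query parameters are emitted even for a service provider that never opted into request signing, and for the POST binding where the signature belongs in the XML rather than the query string. If the intent is only to force the parameters onto URLs of a signing SP regardless of binding, keep the signing gate: `if sp.SignAuthnRequests && (binding == BindingHttpRedirect || sp.IncludeSignatureParameters) {`. The outer parentheses around the whole condition are redundant; gofmt strips them, so the line as written is not gofmt-clean. buildAuthURLFromDocument starts and ends outside the hunk, so whether SigningContext tolerates an SP without a signing key cannot be checked here.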
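Review bot: `GetDecryptCertificate` is an exported method with no doc comment, and the `*tls.Certificate` it returns carries the SP's decryption private key in its `PrivateKey` field, so any code holding a `*SAMLServiceProvider` can now extract that key — a wider surface than the unexported `getDecryptCert` had. If callers only need the public half, return the leaf certificate instead (for example `Certificate[0]` parsed with `x509.ParseCertificate`); if the private key is genuinely required, say so in the doc comment: `// GetDecryptCertificate returns the key pair used to decrypt encrypted assertions. The result includes the private key and must not be logged or serialised.` Go convention also drops the `Get` prefix, so `DecryptCertificate` would match the rest of the API.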
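Review bot: `decrypted` snapshots `el` before `validateAssertionSignatures(el)` runs, so `Response.Document` reflects the element as it was prior to signature validation; with `SkipSignatureValidation` set, or if validation mutates `el` (the rest of ValidateEncodedResponse is outside the hunk), callers reading `Document` may see a tree that differs from the one `xmlUnmarshalElement(el, decodedResponse)` populates the struct from in the -304 hunk. Taking the copy immediately before the `xmlUnmarshalElement` call would keep both views in agreement. Either way, comment the assignment: `// Document holds a deep copy of the response element the struct fields were unmarshalled from.`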
diff --git a/saml.go b/saml.go
index 49a2fb8..ac619e0 100644
--- a/saml.go
+++ b/saml.go
@@ -4,14 +4,13 @@
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-// https://www.apache.org/licenses/LICENSE-2.0
+// https://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-
 package saml2
 
 import (
@@ -60,7 +59,9 @@ type SAMLServiceProvider struct {
 // IsPassive attribute in authentication request requires that the identity provider and the
 // user agent itself MUST NOT visibly take control of the user interface from the requester
 // and interact with the presenter in a noticeable fashion.
- IsPassive bool
+ IsPassive bool
+ IncludeSignatureParameters bool
+
 // RequestedAuthnContext allows service providers to require that the identity
 // provider use specific authentication mechanisms. Leaving this unset will
 // permit the identity provider to choose the auth method. To maximize compatibility
diff --git a/types/response.go b/types/response.go
index 1e9474a..09e9f82 100644
--- a/types/response.go
+++ b/types/response.go
@@ -16,6 +16,7 @@ package types
 
 import (
 "encoding/xml"
+ "github.com/beevik/etree"
 "time"
 )
 
@@ -45,6 +46,7 @@ type Response struct {
 Assertions []Assertion `xml:"Assertion"`
 EncryptedAssertions []EncryptedAssertion `xml:"EncryptedAssertion"`
 SignatureValidated bool `xml:"-"` // not read, not dumped
+ Document *etree.Document `xml:"-"` // not read, not dumped
 }
 
 type LogoutResponse struct {
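Review bot: `IncludeSignatureParameters` is added to `SAMLServiceProvider` without a doc comment while every neighbouring field documents its effect, and its only use in this patch (build_request.go) changes when the authentication URL is signed, which is configuration a deployer needs spelled out. Add a comment such as `// IncludeSignatureParameters adds the SigAlg and Signature query parameters to the generated authentication URL regardless of SignAuthnRequests and of the binding in use; see buildAuthURLFromDocument.` Removing the blank line between the licence comment and `package saml2` in the first hunk also turns the licence text into the package doc comment, which is probably not intended.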
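Review bot: The `github.com/beevik/etree` import in types/response.go is placed between two standard-library imports; goimports keeps the standard library in its own group, so the block should read `"encoding/xml"`, `"time"`, a blank line, then `"github.com/beevik/etree"`. The new `Document` field in the second hunk copies the `// not read, not dumped` comment from `SignatureValidated`, which only says the field is excluded from XML marshalling and not what it holds; since decode_response.go attaches the decrypted response tree there, document that instead: `// Document is a copy of the decrypted response element, set by ValidateEncodedResponse; never (un)marshalled.`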