
Missing namespaces and other namespaces are modified

Open slimm609 opened this issue 6 years ago • 2 comments

We are seeing an issue where namespace declarations are changed after decryption but before signature validation, so the verifier canonicalizes a different serialization from the one that was signed. (Hostnames and identifiers below are redacted; a few values differ between the two captures, e.g. `SPNameQualifier` and `planID`, which suggests they were taken from separate runs.)

before validation (immediately after decryption)

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="https://api.com/api/v1/sso/" ID="id-Zy6dhSrJ5C8AaQ1AJ5O3OELc-EaOuPLgoQ8W35BJ" IssueInstant="2018-05-01T19:14:17Z" Version="2.0">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://hub.com/oam/</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="id-nAiP4UttghJMBdMc4B7xM-iDp6WSMqsldldlIXUS" IssueInstant="2018-05-01T19:14:17Z" Version="2.0">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://hub.com/oam/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://hub.com/oam/" SPNameQualifier="api.questis.com">id-9J07SAgKA4dksNlHBABh46ZG-EqYLAK7DA0lfAw-</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2018-05-01T19:15:17Z" Recipient="https://api.com/api/v1/sso/"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-05-01T19:14:17Z" NotOnOrAfter="2018-05-01T19:15:17Z">
      <saml:AudienceRestriction>
        <saml:Audience>api.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2018-05-01T19:13:56Z" SessionIndex="id-YA-vbXS6dYfLKkYIYgRFbQMmbUjF-bXunz784657" SessionNotOnOrAfter="2018-05-01T20:14:17Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">7019</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="proxyGUID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">C043</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="planID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">AAAA</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">[email protected]</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">JOHN</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

during validation (excerpt: the opening `<samlp:Response>` tag with its namespace declarations is not included, so the root's declarations cannot be compared here)

  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://hub.com/oam/</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-nAiP4UttghJMBdMc4B7xM-iDp6WSMqsldldlIXUS" IssueInstant="2018-05-01T19:14:17Z" Version="2.0">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://hub.com/oam/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://hub.com/oam/" SPNameQualifier="api.com">id-9J07SAgKA4dksNlHBABh46ZG-EqYLAK7DA0lfAw-</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2018-05-01T19:15:17Z" Recipient="https://api.com/api/v1/sso/"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-05-01T19:14:17Z" NotOnOrAfter="2018-05-01T19:15:17Z">
      <saml:AudienceRestriction>
        <saml:Audience>api.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2018-05-01T19:13:56Z" SessionIndex="id-YA-vbXS6dYfLKkYIYgRFbQMmbUjF-bXunz784657" SessionNotOnOrAfter="2018-05-01T20:14:17Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">7019</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="proxyGUID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">C043</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="planID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AAAD</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">JOHN</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

Comparing the two captures: each `AttributeValue` lost its `xmlns:xs` declaration and gained an `xmlns:xsi` declaration instead, so the `xs:` prefix used in `xsi:type="xs:string"` is now undeclared; the `Assertion` (and, per the first capture, the `Response`) lost their namespace declarations (`saml`, `samlp`, `dsig`, `enc`, `x500`, `xsi`); and `Issuer` gained a local `xmlns:saml`. A signature (`ds`) namespace also appears to be added, although that is not visible in the excerpt above. Depending on the canonicalization method referenced by the signature, re-serializing the signed subtree with moved or dropped declarations changes the canonical octets, which would explain why signature validation fails — and the fix has to be to stop the re-serialization, not to relax the verifier.

slimm609 avatar May 01 '18 22:05 slimm609

@slimm609 Interesting. It seems impossible for `res` to be mutated between decryption and verification: `res` is passed into the XML schema validation as a string value, and the callee cannot change a string. The second capture looks like a DOM that was re-serialized (declarations moved or dropped), so whatever produced it parsed and re-serialized the document rather than reading the original string.

https://github.com/tngan/samlify/blob/5537489b83320e1d99bd116e4bf761c148692d30/src/entity.ts#L251-L266

Where did you add the trace that produced the output above, and at which point in the flow (before or after which call) was it captured?

tngan avatar May 04 '18 17:05 tngan

@slimm609 Any feedback on it ?

tngan avatar Oct 07 '18 03:10 tngan