Fix verification of Logoutresponse signatures

Old behaviour is preserved if the correct (raw URI-encoded) parts
are not provided.

Previous commits fix (and test) the equivalent check for SloLogoutrequest.

Author: jeffparsons

lib/onelogin/ruby-saml/logoutresponse.rb

@@ -211,18 +211,48 @@ def validate_signature
         return true unless options.has_key? :get_params
         return true unless options[:get_params].has_key? 'Signature'
 
+        # SAML specifies that the signature should be derived from a concatenation
+        # of URI-encoded values _as sent by the IDP_:
+        #
+        # > Further, note that URL-encoding is not canonical; that is, there are multiple legal encodings for a given
+        # > value. The relying party MUST therefore perform the verification step using the original URL-encoded
+        # > values it received on the query string. It is not sufficient to re-encode the parameters after they have been
+        # > processed by software because the resulting encoding may not match the signer's encoding.
+        #
+        # <http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf>
+        #
+        # If we don't have the original parts (for backward compatibility) required to correctly verify the signature,
+        # then fabricate them by re-encoding the parsed URI parameters, and hope that we're lucky enough to use
+        # the exact same URI-encoding as the IDP. (This is not the case if the IDP is ADFS!)
+        options[:raw_get_params] ||= {}
+        if options[:raw_get_params]['SAMLResponse'].nil? && !options[:get_params]['SAMLResponse'].nil?
+          options[:raw_get_params]['SAMLResponse'] = CGI.escape(options[:get_params]['SAMLResponse'])
+        end
+        if options[:raw_get_params]['RelayState'].nil? && !options[:get_params]['RelayState'].nil?
+          options[:raw_get_params]['RelayState'] = CGI.escape(options[:get_params]['RelayState'])
+        end
+        if options[:raw_get_params]['SigAlg'].nil? && !options[:get_params]['SigAlg'].nil?
+          options[:raw_get_params]['SigAlg'] = CGI.escape(options[:get_params]['SigAlg'])
+        end
+
+        # If we only received the raw version of SigAlg,
+        # then parse it back into the decoded params hash for convenience.
+        if options[:get_params]['SigAlg'].nil? && !options[:raw_get_params]['SigAlg'].nil?
+          options[:get_params]['SigAlg'] = CGI.unescape(options[:raw_get_params]['SigAlg'])
+        end
+
         idp_cert = settings.get_idp_cert
         idp_certs = settings.get_idp_cert_multi
 
         if idp_cert.nil? && (idp_certs.nil? || idp_certs[:signing].empty?)
           return options.has_key? :relax_signature_validation
         end
 
-        query_string = OneLogin::RubySaml::Utils.build_query(
-          :type        => 'SAMLResponse',
-          :data        => options[:get_params]['SAMLResponse'],
-          :relay_state => options[:get_params]['RelayState'],
-          :sig_alg     => options[:get_params]['SigAlg']
+        query_string = OneLogin::RubySaml::Utils.build_query_from_raw_parts(
+          :type            => 'SAMLResponse',
+          :raw_data        => options[:raw_get_params]['SAMLResponse'],
+          :raw_relay_state => options[:raw_get_params]['RelayState'],
+          :raw_sig_alg     => options[:raw_get_params]['SigAlg']
         )
 
         if idp_certs.nil? || idp_certs[:signing].empty?

test/logoutresponse_test.rb

@@ -283,6 +283,80 @@ class RubySamlTest < Minitest::Test
           assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.send(:validate_signature) }
           assert logoutresponse.errors.include? "Invalid Signature on Logout Response"
         end
+
+        it "raise when get_params encoding differs from what this library generates" do
+          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+          settings.soft = false
+          options = {}
+          options[:get_params] = params
+          options[:get_params]['RelayState'] = 'http://example.com'
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
+          # Assemble query string.
+          query = OneLogin::RubySaml::Utils.build_query(
+            type: 'SAMLResponse',
+            data: params['SAMLResponse'],
+            relay_state: params['RelayState'],
+            sig_alg: params['SigAlg'],
+          )
+          # Modify the query string so that it encodes the same values,
+          # but with different percent-encoding. Sanity-check that they
+          # really are equialent before moving on.
+          original_query = query.dup
+          query.gsub!("example", "ex%61mple")
+          refute_equal(query, original_query)
+          assert_equal(CGI.unescape(query), CGI.unescape(original_query))
+          # Make normalised signature based on our modified params.
+          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+          signature = settings.get_sp_key.sign(sign_algorithm.new, query)
+          params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
+          # Re-create the Logoutresponse based on these modified parameters,
+          # and ask it to validate the signature. It will do it incorrectly,
+          # because it will compute it based on re-encoded query parameters,
+          # rather than their original encodings.
+          options[:get_params] = params
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
+          assert_raises(OneLogin::RubySaml::ValidationError, "Invalid Signature on Logout Request") do
+            logoutresponse.send(:validate_signature)
+          end
+        end
+
+        it "return true even if raw_get_params encoding differs from what this library generates" do
+          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+          settings.soft = false
+          options = {}
+          options[:get_params] = params
+          options[:get_params]['RelayState'] = 'http://example.com'
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
+          # Assemble query string.
+          query = OneLogin::RubySaml::Utils.build_query(
+            type: 'SAMLResponse',
+            data: params['SAMLResponse'],
+            relay_state: params['RelayState'],
+            sig_alg: params['SigAlg'],
+          )
+          # Modify the query string so that it encodes the same values,
+          # but with different percent-encoding. Sanity-check that they
+          # really are equialent before moving on.
+          original_query = query.dup
+          query.gsub!("example", "ex%61mple")
+          refute_equal(query, original_query)
+          assert_equal(CGI.unescape(query), CGI.unescape(original_query))
+          # Make normalised signature based on our modified params.
+          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+          signature = settings.get_sp_key.sign(sign_algorithm.new, query)
+          params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
+          # Re-create the Logoutresponse based on these modified parameters,
+          # and ask it to validate the signature. Provide the altered parameter
+          # in its raw URI-encoded form, so that we don't have to guess the value
+          # that contributed to the signature.
+          options[:get_params] = params
+          options[:get_params].delete("RelayState")
+          options[:raw_get_params] = {
+            "RelayState" => "http%3A%2F%2Fex%61mple.com",
+          }
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
+          assert logoutresponse.send(:validate_signature)
+        end
       end
 
       describe "#validate_signature" do