add tests to prove signature wrapping attack resistance

Author: zendesk-mradmacher

lib/samlr/tools/metadata_builder.rb

@@ -13,12 +13,14 @@ def self.build(options = {})
         name_identity_format     = options[:name_identity_format]
         consumer_service_url     = options[:consumer_service_url]
         consumer_service_binding = options[:consumer_service_binding] || "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        metadata_id              = options[:metadata_id] || Samlr::Tools.uuid
+        sign_metadata            = options[:sign_metadata] || false
 
         # Mandatory
         entity_id                 = options.fetch(:entity_id)
 
         builder = Nokogiri::XML::Builder.new do |xml|
-          xml.EntityDescriptor("xmlns:md" => NS_MAP["md"], "entityID" => entity_id) do
+          xml.EntityDescriptor("xmlns:md" => NS_MAP["md"], "ID" => metadata_id, "entityID" => entity_id) do
             xml.doc.root.namespace = xml.doc.root.namespace_definitions.find { |ns| ns.prefix == "md" }
 
             xml["md"].SPSSODescriptor("protocolSupportEnumeration" => NS_MAP["samlp"]) do
@@ -33,7 +35,14 @@ def self.build(options = {})
           end
         end
 
-        builder.to_xml(COMPACT)
+        metadata = builder.doc
+
+        if sign_metadata
+          metadata_options = options
+          metadata = ResponseBuilder.sign(metadata, metadata_id, metadata_options)
+        end
+
+        metadata.to_xml(COMPACT)
       end
 
     end

lib/samlr/tools/response_builder.rb

@@ -125,7 +125,11 @@ def self.sign(document, element_id, options)
           end unless skip_keyinfo
         end
         # digest.root.last_element_child.after "<SignatureValue>#{signature}</SignatureValue>"
-        element.at("./saml:Issuer", NS_MAP).add_next_sibling(digest)
+        if element.at("./saml:Issuer", NS_MAP)
+          element.at("./saml:Issuer", NS_MAP).add_next_sibling(digest)
+        else
+          element.children.first.add_previous_sibling(digest)
+        end
 
         document
       end

test/unit/test_response_signature_wrapping_attack.rb

@@ -0,0 +1,55 @@
+require File.expand_path("test/test_helper")
+
+describe Samlr do
+  describe "invalid multiple saml responses" do
+    let(:shared_id) { Samlr::Tools.uuid }
+    let(:xml_response_doc) do
+      options = {
+        :destination     => "https://example.org/saml/endpoint",
+        :in_response_to  => Samlr::Tools.uuid,
+        :name_id         => "[email protected]",
+        :audience        => "example.org",
+        :not_on_or_after => Samlr::Tools::Timestamp.stamp(Time.now + 60),
+        :not_before      => Samlr::Tools::Timestamp.stamp(Time.now - 60),
+        :response_id     => Samlr::Tools.uuid,
+        skip_conditions: true,
+        sign_response: false,
+        sign_assertion: false,
+        assertion_id: shared_id,
+        certificate: TEST_CERTIFICATE
+      }
+      Samlr::Tools::ResponseBuilder.build(options)
+    end
+    let(:xml_metadata_doc) do
+      options = {
+        :entity_id            => "https://sp.example.com/saml2",
+        :name_identity_format => "identity_format",
+        :consumer_service_url => "https://support.sp.example.com/",
+        :sign_metadata        => true,
+        metadata_id: shared_id,
+        certificate: TEST_CERTIFICATE
+      }
+      Samlr::Tools::MetadataBuilder.build(options)
+    end
+
+    let(:fingerprint) { Samlr::Certificate.new(TEST_CERTIFICATE.x509).fingerprint.value }
+    let(:saml_response) { Samlr::Response.new(Base64.encode64(xml_response_doc), fingerprint: fingerprint) }
+
+    it "succeeds" do
+      metadata_doc = Nokogiri::XML(xml_metadata_doc)
+      response_doc = Nokogiri::XML(xml_response_doc)
+
+      metadata_signature_doc = metadata_doc.xpath("md:EntityDescriptor/ds:Signature", Samlr::NS_MAP).first
+      metadata_entity_descriptor_doc = metadata_doc.xpath("md:EntityDescriptor", Samlr::NS_MAP).first
+
+      assertion_doc = response_doc.xpath("/samlp:Response/saml:Assertion", Samlr::NS_MAP).first
+      assertion_doc.xpath("saml:Subject/saml:NameID").first.content = "[email protected]"
+      assertion_doc.xpath("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", Samlr::NS_MAP).first.add_child(metadata_entity_descriptor_doc.dup)
+      response_doc.at("/samlp:Response/saml:Issuer", Samlr::NS_MAP).add_next_sibling(metadata_signature_doc.dup)
+
+      crafted_saml_response = Samlr::Response.new(Base64.encode64(response_doc.to_xml), fingerprint: fingerprint)
+      error = assert_raises(Samlr::SignatureError) { crafted_saml_response.verify! }
+      assert_equal "Expected 1 element with id #{shared_id}, found 2", error.details
+    end
+  end
+end