From 1133cb89dcf7223798bc4299ab5958ac7287d471 Mon Sep 17 00:00:00 2001
From: Santeri Horttanainen
Date: Fri, 20 Jul 2018 12:48:35 +0300
Subject: [PATCH 1/5] Ensure that cert matches the one in the SAML.

---
 lib/validateSignature.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/validateSignature.js b/lib/validateSignature.js
index 7639d94..ede3707 100644
--- a/lib/validateSignature.js
+++ b/lib/validateSignature.js
@@ -14,6 +14,7 @@ module.exports = function validateSignature(xml, cert, certThumbprint) {
 });
 
 var calculatedThumbprint;
+ var certfromSaml;
 
 signed.keyInfoProvider = {
 getKey: function getKey(keyInfo) {
@@ -29,6 +30,8 @@ module.exports = function validateSignature(xml, cert, certThumbprint) {
 }
 }
 
+ certFromSaml = keyInfo[0].getElementsByTagNameNS('http://www.w3.org/2000/09/xmldsig#', 'X509Certificate');
+
 return certToPEM(cert);
 },
 getKeyInfo: function getKeyInfo(key) {
@@ -41,7 +44,7 @@ module.exports = function validateSignature(xml, cert, certThumbprint) {
 var valid = signed.checkSignature(xml);
 
 if (cert) {
- return valid;
+ return valid && cert === certFromSaml;
 }
 
 if (certThumbprint) {
From aba60d03be6a5f1be3a34dda2edd128cc7c2693b Mon Sep 17 00:00:00 2001
From: Santeri Horttanainen
Date: Fri, 20 Jul 2018 12:55:11 +0300
Subject: [PATCH 2/5] Fixed a typo. Added logging to check keys' format

---
 lib/validateSignature.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/validateSignature.js b/lib/validateSignature.js
index ede3707..7bfda42 100644
--- a/lib/validateSignature.js
+++ b/lib/validateSignature.js
@@ -14,7 +14,7 @@ module.exports = function validateSignature(xml, cert, certThumbprint) {
 });
 
 var calculatedThumbprint;
- var certfromSaml;
+ var certFromSaml;
 
 signed.keyInfoProvider = {
 getKey: function getKey(keyInfo) {
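Review bot: The added assignment captures the embedded X509Certificate purely as a side effect of the keyInfoProvider callback, while the key actually handed to xml-crypto on the following `return certToPEM(cert);` line is still the configured certificate, so a reader could easily assume KeyInfo now drives verification; a comment should say it does not. I would add above the assignment `// Verification always uses the configured cert; the embedded <X509Certificate> is only captured here so validateSignature can compare it against `cert` afterwards.` Both the getKey callback and the enclosing validateSignature function start and end outside this hunk.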
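Review bot: The new equality on the changed `return` line compares the configured `cert` byte-for-byte with the text of the embedded `<X509Certificate>`, so any line-wrapping or surrounding whitespace in the assertion's certificate (which the `certToPEM(cert)` call suggests `cert` itself does not carry) makes a correctly signed token fail. Because getKey hands xml-crypto `certToPEM(cert)` regardless of what KeyInfo contains, the signature is already bound to the configured certificate; this check only rejects tokens whose embedded cert differs textually, so it should compare canonical base64 rather than raw text. I would normalise both sides first, `var stripWs = function (s) { return String(s || '').replace(/\s+/g, ''); };` and `return valid && stripWs(cert) === stripWs(certFromSaml);`. A constant-time comparison is not needed here, since the certificate is public. validateSignature continues outside the hunk on both sides.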
@@ -44,6 +44,8 @@ module.exports = function validateSignature(xml, cert, certThumbprint) {
 var valid = signed.checkSignature(xml);
 
 if (cert) {
+ console.log(cert);
+ console.log(certFromSaml)
 return valid && cert === certFromSaml;
 }
 
From 7040d035e947ed88def7bf784132cc98f5bf3349 Mon Sep 17 00:00:00 2001
From: Santeri Horttanainen
Date: Fri, 20 Jul 2018 12:58:44 +0300
Subject: [PATCH 3/5] convert xml node to string before comparison.

---
 lib/validateSignature.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/validateSignature.js b/lib/validateSignature.js
index 7bfda42..6116b24 100644
--- a/lib/validateSignature.js
+++ b/lib/validateSignature.js
@@ -30,7 +30,7 @@ module.exports = function validateSignature(xml, cert, certThumbprint) {
 }
 }
 
- certFromSaml = keyInfo[0].getElementsByTagNameNS('http://www.w3.org/2000/09/xmldsig#', 'X509Certificate');
+ certFromSaml = keyInfo[0].getElementsByTagNameNS('http://www.w3.org/2000/09/xmldsig#', 'X509Certificate')[0].firstChild.toString();
 
 return certToPEM(cert);
 },
From 96198188a3ffa4fd71709ac063686146bcd5309e Mon Sep 17 00:00:00 2001
From: Santeri Horttanainen
Date: Fri, 20 Jul 2018 13:04:02 +0300
Subject: [PATCH 4/5] Removed unnecessary logging

---
 lib/validateSignature.js | 2 --
 1 file changed, 2 deletions(-)

diff --git a/lib/validateSignature.js b/lib/validateSignature.js
index 6116b24..e8ee09b 100644
--- a/lib/validateSignature.js
+++ b/lib/validateSignature.js
@@ -44,8 +44,6 @@ module.exports = function validateSignature(xml, cert, certThumbprint) {
 var valid = signed.checkSignature(xml);
 
 if (cert) {
- console.log(cert);
- console.log(certFromSaml)
 return valid && cert === certFromSaml;
 }
 
From 81b25820bb95f888fe9d59d089274c3673b0510e Mon Sep 17 00:00:00 2001
From: Santeri Horttanainen
Date: Fri, 20 Jul 2018 15:38:57 +0300
Subject: [PATCH 5/5] updated dependencies. The previous lodash version had a vulnerability to it.

---
 package.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

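Review bot: The changed line dereferences `keyInfo[0]`, element `[0]` of the X509Certificate list and `.firstChild` without any guard, so a signature that omits KeyInfo, or carries a KeyValue/X509Data without an X509Certificate element, makes getKey throw a TypeError from inside checkSignature instead of validateSignature returning false; as far as the hunks show, the pre-series `return valid;` path did not depend on the embedded certificate at all (xml-crypto, as I recall, passes getKey whatever KeyInfo nodes it selected, which can be an empty list). Failing closed is the right outcome, but it should be an explicit result rather than an exception, e.g. `var x509 = keyInfo && keyInfo[0] && keyInfo[0].getElementsByTagNameNS('http://www.w3.org/2000/09/xmldsig#', 'X509Certificate')[0];` followed by `certFromSaml = x509 && x509.firstChild ? x509.firstChild.toString() : null;`, leaving the later `cert === certFromSaml` comparison to reject the token. Separately, `firstChild.toString()` serialises only the first child node, so base64 split across several text nodes would be truncated; if the pinned xmldom exposes `textContent` or the text node's `.data` (I have not confirmed which it offers), reading the element's full text is safer. The getKey callback and validateSignature both start and end outside this hunk.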
diff --git a/package.json b/package.json
index a518543..6e71d4b 100644
--- a/package.json
+++ b/package.json
@@ -4,11 +4,11 @@
 "description": "SAML 2.0 and 1.1 token parser for Node.js",
 "main": "./lib/index.js",
 "dependencies": {
- "lodash": "3.10.1",
+ "lodash": "4.17.10",
 "thumbprint": "0.0.1",
- "xml-crypto": "0.8.1",
- "xml2js": "0.4.4",
- "xmldom": "0.1.19"
+ "xml-crypto": "0.10.1",
+ "xml2js": "0.4.19",
+ "xmldom": "0.1.27"
 },
 "repository": {
 "type": "git",