Merge branch 'release/4.3'

MKodde · MKodde · commit add45ebea90b · 2021-11-23T11:22:55.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 4.3.2
+**Bugfix**
+* Secure the way the verifySignature method is used #104
+
 # 4.3.1
 **Bugfix**
 * Update metadata.xml template reference
diff --git a/src/Entity/HostedEntities.php b/src/Entity/HostedEntities.php
@@ -142,7 +142,7 @@ private function generateUrl($routeDefinition)
 
         $context = $this->router->getContext();
 
-        $context->fromRequest($this->requestStack->getMasterRequest());
+        $context->fromRequest($this->requestStack->getMainRequest());
 
         $url = $this->router->generate($route, $parameters, RouterInterface::ABSOLUTE_URL);
 
diff --git a/src/Http/ReceivedAuthnRequestQueryString.php b/src/Http/ReceivedAuthnRequestQueryString.php
@@ -288,9 +288,10 @@ public function getSignedRequestPayload()
      */
     public function verify(XMLSecurityKey $key)
     {
-        if ($key->verifySignature($this->getSignedRequestPayload(), $this->getDecodedSignature())) {
-            return true;
+        $isVerified = $key->verifySignature($this->getSignedRequestPayload(), $this->getDecodedSignature());
+        if ($isVerified !== 1) {
+            return false;
         }
-        return false;
+        return true;
     }
 }
diff --git a/src/Signing/SignatureVerifier.php b/src/Signing/SignatureVerifier.php
@@ -21,7 +21,7 @@
 use Psr\Log\LoggerInterface;
 use RobRichards\XMLSecLibs\XMLSecurityKey;
 use SAML2\Certificate\Key;
-use SAML2\Certificate\KeyLoader as KeyLoader;
+use SAML2\Certificate\KeyLoader;
 use SAML2\Certificate\X509;
 use Surfnet\SamlBundle\Entity\ServiceProvider;
 use Surfnet\SamlBundle\Http\ReceivedAuthnRequestQueryString;
@@ -151,13 +151,13 @@ public function isSignedWith(AuthnRequest $request, X509 $publicKey)
         $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, array('type' => 'public'));
         $key->loadKey($publicKey->getCertificate());
 
-        if ($key->verifySignature($request->getSignedRequestQuery(), $request->getSignature())) {
-            $this->logger->debug('Signature VERIFIED');
-            return true;
+        $isVerified = $key->verifySignature($request->getSignedRequestQuery(), $request->getSignature());
+        if ($isVerified !== 1) {
+            $this->logger->debug('Signature NOT VERIFIED');
+            return false;
         }
 
-        $this->logger->debug('Signature NOT VERIFIED');
-
-        return false;
+        $this->logger->debug('Signature VERIFIED');
+        return true;
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -288,9 +288,10 @@ public function getSignedRequestPayload()`
`288`	`288`	`*/`
`289`	`289`	`public function verify(XMLSecurityKey $key)`
`290`	`290`	`{`
`291`		`- if ($key->verifySignature($this->getSignedRequestPayload(), $this->getDecodedSignature())) {`
`292`		`- return true;`
	`291`	`+ $isVerified = $key->verifySignature($this->getSignedRequestPayload(), $this->getDecodedSignature());`
	`292`	`+ if ($isVerified !== 1) {`
	`293`	`+ return false;`
`293`	`294`	`}`
`294`		`- return false;`
	`295`	`+ return true;`
`295`	`296`	`}`
`296`	`297`	`}`