Merge pull request #104 from OpenConext/feature/secure-verify-signature-use

MKodde · web-flow · commit b0de34751679 · 2021-11-23T11:17:30.000+01:00
Secure the way the verifySignature method is used
diff --git a/src/Entity/HostedEntities.php b/src/Entity/HostedEntities.php
@@ -142,7 +142,7 @@ private function generateUrl($routeDefinition)
 
         $context = $this->router->getContext();
 
-        $context->fromRequest($this->requestStack->getMasterRequest());
+        $context->fromRequest($this->requestStack->getMainRequest());
 
         $url = $this->router->generate($route, $parameters, RouterInterface::ABSOLUTE_URL);
 
diff --git a/src/Http/ReceivedAuthnRequestQueryString.php b/src/Http/ReceivedAuthnRequestQueryString.php
@@ -288,9 +288,10 @@ public function getSignedRequestPayload()
      */
     public function verify(XMLSecurityKey $key)
     {
-        if ($key->verifySignature($this->getSignedRequestPayload(), $this->getDecodedSignature())) {
-            return true;
+        $isVerified = $key->verifySignature($this->getSignedRequestPayload(), $this->getDecodedSignature());
+        if ($isVerified !== 1) {
+            return false;
         }
-        return false;
+        return true;
     }
 }
diff --git a/src/Signing/SignatureVerifier.php b/src/Signing/SignatureVerifier.php
@@ -21,7 +21,7 @@
 use Psr\Log\LoggerInterface;
 use RobRichards\XMLSecLibs\XMLSecurityKey;
 use SAML2\Certificate\Key;
-use SAML2\Certificate\KeyLoader as KeyLoader;
+use SAML2\Certificate\KeyLoader;
 use SAML2\Certificate\X509;
 use Surfnet\SamlBundle\Entity\ServiceProvider;
 use Surfnet\SamlBundle\Http\ReceivedAuthnRequestQueryString;
@@ -151,13 +151,13 @@ public function isSignedWith(AuthnRequest $request, X509 $publicKey)
         $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, array('type' => 'public'));
         $key->loadKey($publicKey->getCertificate());
 
-        if ($key->verifySignature($request->getSignedRequestQuery(), $request->getSignature())) {
-            $this->logger->debug('Signature VERIFIED');
-            return true;
+        $isVerified = $key->verifySignature($request->getSignedRequestQuery(), $request->getSignature());
+        if ($isVerified !== 1) {
+            $this->logger->debug('Signature NOT VERIFIED');
+            return false;
         }
 
-        $this->logger->debug('Signature NOT VERIFIED');
-
-        return false;
+        $this->logger->debug('Signature VERIFIED');
+        return true;
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -288,9 +288,10 @@ public function getSignedRequestPayload()`
`288`	`288`	`*/`
`289`	`289`	`public function verify(XMLSecurityKey $key)`
`290`	`290`	`{`
`291`		`- if ($key->verifySignature($this->getSignedRequestPayload(), $this->getDecodedSignature())) {`
`292`		`- return true;`
	`291`	`+ $isVerified = $key->verifySignature($this->getSignedRequestPayload(), $this->getDecodedSignature());`
	`292`	`+ if ($isVerified !== 1) {`
	`293`	`+ return false;`
`293`	`294`	`}`
`294`		`- return false;`
	`295`	`+ return true;`
`295`	`296`	`}`
`296`	`297`	`}`