Merge pull request #292 from onelogin/deprecated_algorithm_detection

Add rejectDeprecatedAlgorithm settings. Define DEPRECATED_ALGORITHMS …

Author: pitbulk

README.md

@@ -507,7 +507,12 @@ In addition to the required settings data (idp, sp), extra settings can be defin
         //    'http://www.w3.org/2001/04/xmlenc#sha256'
         //    'http://www.w3.org/2001/04/xmldsig-more#sha384'
         //    'http://www.w3.org/2001/04/xmlenc#sha512'
-        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
+        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
+
+        // If the toolkit receive a message signed with a
+        // deprecated algoritm (defined at the constant class)
+        // will raise an error and reject the message
+        "rejectDeprecatedAlgorithm": true
     },
 
     // Contact information template, it is recommended to supply

demo-bottle/saml/advanced_settings.json

@@ -12,7 +12,8 @@
         "wantAssertionsEncrypted": false,
         "allowSingleLabelDomains": false,
         "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
-        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
+        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
+        "rejectDeprecatedAlgorithm": true
     },
     "contactPerson": {
         "technical": {

demo-django/saml/advanced_settings.json

@@ -12,7 +12,8 @@
         "wantAssertionsEncrypted": false,
         "allowSingleLabelDomains": false,
         "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
-        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
+        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
+        "rejectDeprecatedAlgorithm": true
     },
     "contactPerson": {
         "technical": {

demo-flask/saml/advanced_settings.json

@@ -12,7 +12,8 @@
         "wantAssertionsEncrypted": false,
         "allowSingleLabelDomains": false,
         "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
-        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
+        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
+        "rejectDeprecatedAlgorithm": true
     },
     "contactPerson": {
         "technical": {

demo_pyramid/demo_pyramid/saml/advanced_settings.json

@@ -12,7 +12,8 @@
         "wantAssertionsEncrypted": false,
         "allowSingleLabelDomains": false,
         "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
-        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
+        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
+        "rejectDeprecatedAlgorithm": true
     },
     "contactPerson": {
         "technical": {

src/onelogin/saml2/constants.py

@@ -116,3 +116,6 @@ class OneLogin_Saml2_Constants(object):
     AES256_CBC = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
     RSA_1_5 = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'
     RSA_OAEP_MGF1P = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'
+
+    # Define here the deprecated algorithms
+    DEPRECATED_ALGORITHMS = [DSA_SHA1, RSA_SHA1, SHA1]

src/onelogin/saml2/errors.py

@@ -113,6 +113,8 @@ class OneLogin_Saml2_ValidationError(Exception):
     WRONG_NUMBER_OF_SIGNATURES = 43
     RESPONSE_EXPIRED = 44
     AUTHN_CONTEXT_MISMATCH = 45
+    DEPRECATED_SIGNATURE_METHOD = 46
+    DEPRECATED_DIGEST_METHOD = 47
 
     def __init__(self, message, code=0, errors=None):
         """

src/onelogin/saml2/logout_request.py

@@ -335,6 +335,7 @@ def is_valid(self, request_data, raise_exceptions=False):
             if 'lowercase_urlencoding' in request_data.keys():
                 lowercase_urlencoding = request_data['lowercase_urlencoding']
 
+            security = self.__settings.get_security_data()
             if self.__settings.is_strict():
                 res = OneLogin_Saml2_Utils.validate_xml(dom, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
                 if not isinstance(res, Document):
@@ -343,8 +344,6 @@ def is_valid(self, request_data, raise_exceptions=False):
                         OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT
                     )
 
-                security = self.__settings.get_security_data()
-
                 current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
 
                 # Check NotOnOrAfter
@@ -395,6 +394,14 @@ def is_valid(self, request_data, raise_exceptions=False):
                 else:
                     sign_alg = get_data['SigAlg']
 
+                reject_deprecated_alg = security.get('rejectDeprecatedAlgorithm', False)
+                if reject_deprecated_alg:
+                    if sign_alg in OneLogin_Saml2_Constants.DEPRECATED_ALGORITHMS:
+                        raise OneLogin_Saml2_ValidationError(
+                            'Deprecated signature algorithm found: %s' % sign_alg,
+                            OneLogin_Saml2_ValidationError.DEPRECATED_SIGNATURE_METHOD
+                        )
+
                 signed_query = 'SAMLRequest=%s' % OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SAMLRequest', lowercase_urlencoding=lowercase_urlencoding)
                 if 'RelayState' in get_data:
                     signed_query = '%s&RelayState=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'RelayState', lowercase_urlencoding=lowercase_urlencoding))

src/onelogin/saml2/logout_response.py

@@ -90,6 +90,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
             if 'lowercase_urlencoding' in request_data.keys():
                 lowercase_urlencoding = request_data['lowercase_urlencoding']
 
+            security = self.__settings.get_security_data()
             if self.__settings.is_strict():
                 res = OneLogin_Saml2_Utils.validate_xml(self.document, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
                 if not isinstance(res, Document):
@@ -98,8 +99,6 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                         OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT
                     )
 
-                security = self.__settings.get_security_data()
-
                 in_response_to = self.get_in_response_to()
                 # Check if the InResponseTo of the Logout Response matches the ID of the Logout Request (requestId) if provided
                 if request_id is not None and in_response_to and in_response_to != request_id:
@@ -145,6 +144,14 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 else:
                     sign_alg = get_data['SigAlg']
 
+                reject_deprecated_alg = security.get('rejectDeprecatedAlgorithm', False)
+                if reject_deprecated_alg:
+                    if sign_alg in OneLogin_Saml2_Constants.DEPRECATED_ALGORITHMS:
+                        raise OneLogin_Saml2_ValidationError(
+                            'Deprecated signature algorithm found: %s' % sign_alg,
+                            OneLogin_Saml2_ValidationError.DEPRECATED_SIGNATURE_METHOD
+                        )
+
                 signed_query = 'SAMLResponse=%s' % OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SAMLResponse', lowercase_urlencoding=lowercase_urlencoding)
                 if 'RelayState' in get_data:
                     signed_query = '%s&RelayState=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'RelayState', lowercase_urlencoding=lowercase_urlencoding))

src/onelogin/saml2/response.py

@@ -104,6 +104,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
             has_signed_response = '{%s}Response' % OneLogin_Saml2_Constants.NS_SAMLP in signed_elements
             has_signed_assertion = '{%s}Assertion' % OneLogin_Saml2_Constants.NS_SAML in signed_elements
 
+            security = self.__settings.get_security_data()
             if self.__settings.is_strict():
                 no_valid_xml_msg = 'Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd'
                 res = OneLogin_Saml2_Utils.validate_xml(
@@ -130,7 +131,6 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                             OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT
                         )
 
-                security = self.__settings.get_security_data()
                 current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
 
                 in_response_to = self.get_in_response_to()
@@ -688,6 +688,9 @@ def process_signed_elements(self):
         """
         sign_nodes = self.__query('//ds:Signature')
 
+        security = self.__settings.get_security_data()
+        reject_deprecated_alg = security.get('rejectDeprecatedAlgorithm', False)
+
         signed_elements = []
         verified_seis = []
         verified_ids = []
@@ -736,6 +739,26 @@ def process_signed_elements(self):
                         )
                     verified_seis.append(sei)
 
+            # Check the signature and digest algorithm
+            if reject_deprecated_alg:
+                sig_method_node = OneLogin_Saml2_Utils.query(sign_node, './/ds:SignatureMethod')
+                if sig_method_node:
+                    sig_method = sig_method_node[0].get("Algorithm")
+                    if sig_method in OneLogin_Saml2_Constants.DEPRECATED_ALGORITHMS:
+                        raise OneLogin_Saml2_ValidationError(
+                            'Deprecated signature algorithm found: %s' % sig_method,
+                            OneLogin_Saml2_ValidationError.DEPRECATED_SIGNATURE_METHOD
+                        )
+
+                dig_method_node = OneLogin_Saml2_Utils.query(sign_node, './/ds:DigestMethod')
+                if dig_method_node:
+                    dig_method = dig_method_node[0].get("Algorithm")
+                    if dig_method in OneLogin_Saml2_Constants.DEPRECATED_ALGORITHMS:
+                        raise OneLogin_Saml2_ValidationError(
+                            'Deprecated digest algorithm found: %s' % dig_method,
+                            OneLogin_Saml2_ValidationError.DEPRECATED_DIGEST_METHOD
+                        )
+
             signed_elements.append(signed_element)
 
         if signed_elements: