From fd80067b0d77cf6a8fb8fabe24df2fccf6cb10e3 Mon Sep 17 00:00:00 2001
From: Sixto Martin
Date: Tue, 26 Nov 2019 10:01:59 +0100
Subject: [PATCH] Fix #232 Make Fingerprint check case insensitive
---
 core/src/main/java/com/onelogin/saml2/util/Util.java | 2 +-
 .../java/com/onelogin/saml2/test/util/UtilsTest.java | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/core/src/main/java/com/onelogin/saml2/util/Util.java b/core/src/main/java/com/onelogin/saml2/util/Util.java
index 01c019b5..8dc3dfe8 100644
--- a/core/src/main/java/com/onelogin/saml2/util/Util.java
+++ b/core/src/main/java/com/onelogin/saml2/util/Util.java
@@ -1014,7 +1014,7 @@ public static Boolean validateSignNode(Node signNode, X509Certificate cert, Stri
 X509Certificate providedCert = keyInfo.getX509Certificate();
 String calculatedFingerprint = calculateX509Fingerprint(providedCert, alg);
 for (String fingerprintStr : fingerprint.split(",")) {
- if (calculatedFingerprint.equals(fingerprintStr.trim())) {
+ if (calculatedFingerprint.equalsIgnoreCase(fingerprintStr.trim())) {
 res = signature.checkSignatureValue(providedCert);
 }
 }
diff --git a/core/src/test/java/com/onelogin/saml2/test/util/UtilsTest.java b/core/src/test/java/com/onelogin/saml2/test/util/UtilsTest.java
index 284ed880..aa77b1c1 100644
--- a/core/src/test/java/com/onelogin/saml2/test/util/UtilsTest.java
+++ b/core/src/test/java/com/onelogin/saml2/test/util/UtilsTest.java
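Review bot: The switch to `equalsIgnoreCase` on the changed line is only safe because the compared values are ASCII hex digests (the test fixtures are hex, and `equalsIgnoreCase` folds per character without locale rules), but nothing in the code records that assumption, so a later change to the output format of `calculateX509Fingerprint` would silently loosen the trust check. Suggest a comment above the `if`: `// Fingerprints are ASCII hex, so a case-insensitive match only tolerates upper/lower-case configuration values; it does not normalize separators or other formats.`. Related, the loop keeps iterating after a match, so a duplicate entry in the comma-separated list re-runs `checkSignatureValue` and overwrites `res`; a `break;` after the assignment (or a comment saying the repeat is intended) would make that explicit. Whether colon-separated fingerprints are expected here cannot be told from the hunk, and `trim()` alone would not accept them. `validateSignNode` starts and ends outside the hunk.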
@@ -1092,6 +1092,8 @@ public void testValidateSign() throws URISyntaxException, IOException, Certifica
 X509Certificate cert = Util.loadCert(certString);
 String fingerprint_sha1 = "afe71c28ef740bc87425be13a2263d37971da1f9";
 String fingerprint_sha256 = "c51cfa06c7a49767f6eab18238eae1c56708e29264da3d11f538a12cd2c357ba";
+ String fingerprint_sha1_uppercase = "AFE71C28EF740BC87425BE13A2263D37971DA1F9";
+ String fingerprint_sha256_uppercase = "C51CFA06C7A49767F6EAB18238EAE1C56708E29264DA3D11F538A12CD2C357BA";
 // Signed Response
 String signedResponseStr = Util.getFileAsString("data/responses/signed_message_response.xml.base64");
@@ -1102,6 +1104,8 @@ public void testValidateSign() throws URISyntaxException, IOException, Certifica
 assertTrue(Util.validateSign(samlSignedResponseDocument, (X509Certificate) null, fingerprint_sha1, null, RESPONSE_SIGNATURE_XPATH));
 assertTrue(Util.validateSign(samlSignedResponseDocument, (X509Certificate) null, fingerprint_sha1, "SHA-1", RESPONSE_SIGNATURE_XPATH));
 assertTrue(Util.validateSign(samlSignedResponseDocument, (X509Certificate) null, fingerprint_sha256, "SHA-256", RESPONSE_SIGNATURE_XPATH));
+ assertTrue(Util.validateSign(samlSignedResponseDocument, (X509Certificate) null, fingerprint_sha1_uppercase, "SHA-1", RESPONSE_SIGNATURE_XPATH));
+ assertTrue(Util.validateSign(samlSignedResponseDocument, (X509Certificate) null, fingerprint_sha256_uppercase, "SHA-256", RESPONSE_SIGNATURE_XPATH));
 assertFalse(Util.validateSign(samlSignedResponseDocument, (X509Certificate) null, fingerprint_sha256, "SHA-256", ASSERTION_SIGNATURE_XPATH));
 assertFalse(Util.validateSign(samlSignedResponseDocument, cert, null, null, ""));
 assertFalse(Util.validateSign(samlSignedResponseDocument, (X509Certificate) null, null, null, ""));
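Review bot: The new fixtures in the first hunk exercise only fully upper-case values, so the case-folding path is never tested together with the existing `split(",")`/`trim()` handling; one mixed-case entry inside a padded comma-separated list would cover both in a single assertion. For example, a constructed value such as `" " + fingerprint_sha1_uppercase.substring(0, 20) + fingerprint_sha1.substring(20) + ", " + fingerprint_sha256"` passed where `fingerprint_sha1_uppercase` is used now. A negative case that flips one hex digit of the upper-case fingerprint would also confirm that case folding has not made the match looser than intended. The same fixtures are reused in the later hunks of this file, so the extra coverage belongs here rather than repeated there. `testValidateSign` starts and ends outside the hunk.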
@@ -1114,6 +1118,7 @@ public void testValidateSign() throws URISyntaxException, IOException, Certifica
 assertTrue(Util.validateSign(samlSignedAssertionDocument, cert, null, null, ASSERTION_SIGNATURE_XPATH));
 assertTrue(Util.validateSign(samlSignedAssertionDocument, (X509Certificate) null, fingerprint_sha1, null, ASSERTION_SIGNATURE_XPATH));
 assertTrue(Util.validateSign(samlSignedAssertionDocument, (X509Certificate) null, fingerprint_sha1, "SHA-1", ASSERTION_SIGNATURE_XPATH));
+ assertTrue(Util.validateSign(samlSignedAssertionDocument, (X509Certificate) null, fingerprint_sha1_uppercase, "SHA-1", ASSERTION_SIGNATURE_XPATH));
 assertFalse(Util.validateSign(samlSignedAssertionDocument, (X509Certificate) null, fingerprint_sha1, "SHA-1", RESPONSE_SIGNATURE_XPATH));
 // Double Signed Response
@@ -1127,8 +1132,12 @@ public void testValidateSign() throws URISyntaxException, IOException, Certifica
 assertTrue(Util.validateSign(samlDoubleSignedResponseDocument, (X509Certificate) null, fingerprint_sha1, null, RESPONSE_SIGNATURE_XPATH));
 assertTrue(Util.validateSign(samlDoubleSignedResponseDocument, (X509Certificate) null, fingerprint_sha1, "SHA-1", ASSERTION_SIGNATURE_XPATH));
 assertTrue(Util.validateSign(samlDoubleSignedResponseDocument, (X509Certificate) null, fingerprint_sha1, "SHA-1", RESPONSE_SIGNATURE_XPATH));
+ assertTrue(Util.validateSign(samlDoubleSignedResponseDocument, (X509Certificate) null, fingerprint_sha1_uppercase, "SHA-1", ASSERTION_SIGNATURE_XPATH));
+ assertTrue(Util.validateSign(samlDoubleSignedResponseDocument, (X509Certificate) null, fingerprint_sha1_uppercase, "SHA-1", RESPONSE_SIGNATURE_XPATH));
 assertTrue(Util.validateSign(samlDoubleSignedResponseDocument, (X509Certificate) null, fingerprint_sha256, "SHA-256", ASSERTION_SIGNATURE_XPATH));
 assertTrue(Util.validateSign(samlDoubleSignedResponseDocument, (X509Certificate) null, fingerprint_sha256, "SHA-256", RESPONSE_SIGNATURE_XPATH));
+ assertTrue(Util.validateSign(samlDoubleSignedResponseDocument, (X509Certificate) null, fingerprint_sha256_uppercase, "SHA-256", ASSERTION_SIGNATURE_XPATH));
+ assertTrue(Util.validateSign(samlDoubleSignedResponseDocument, (X509Certificate) null, fingerprint_sha256_uppercase, "SHA-256", RESPONSE_SIGNATURE_XPATH));
 }
 /**