From 0342f0f34ab6e06aabff15931e65b079282699f9 Mon Sep 17 00:00:00 2001
From: Sixto Martin
Date: Sun, 25 May 2025 12:49:00 +0200
Subject: [PATCH 1/2] Add Parameter checking on validateBinarySign, inspired on CVE-2025-27773 fix. Add test coverage for validateBinarySign

---
 lib/Saml2/Error.php                    |   1 +
 lib/Saml2/Utils.php                    |  33 ++
 tests/src/OneLogin/Saml2/UtilsTest.php | 427 +++++++++++++++++++++++++
 3 files changed, 461 insertions(+)

diff --git a/lib/Saml2/Error.php b/lib/Saml2/Error.php
index 7afc8ddd..ae0c2e55 100644
--- a/lib/Saml2/Error.php
+++ b/lib/Saml2/Error.php
@@ -25,6 +25,7 @@ class OneLogin_Saml2_Error extends Exception
     const SAML_SINGLE_LOGOUT_NOT_SUPPORTED = 12;
     const PRIVATE_KEY_NOT_FOUND = 13;
     const UNSUPPORTED_SETTINGS_OBJECT = 14;
+    const INVALID_PARAMETER = 15;
 
     /**
      * Constructor
diff --git a/lib/Saml2/Utils.php b/lib/Saml2/Utils.php
index 521cb3f0..7fbd14ac 100644
--- a/lib/Saml2/Utils.php
+++ b/lib/Saml2/Utils.php
@@ -730,6 +730,10 @@ protected static function buildWithBaseURLPath($info)
      */
     public static function extractOriginalQueryParam($name)
     {
+        if (!isset($_SERVER['QUERY_STRING']) || empty($_SERVER['QUERY_STRING'])) {
+            return '';
+        }
+
         $index = strpos($_SERVER['QUERY_STRING'], $name.'=');
         $substring = substr($_SERVER['QUERY_STRING'], $index + strlen($name) + 1);
         $end = strpos($substring, '&');
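Review bot: The new guard in extractOriginalQueryParam only covers a missing query string; when `$name.'='` does not occur at all, the `strpos` on the next line returns `false`, which `$index + strlen($name) + 1` silently treats as `0`, so the function hands back a slice of the query string taken from a fixed offset instead of an empty value. Add `if ($index === false) { return ''; }` directly after the `strpos` call so a missing parameter yields `''` and the reconstructed `$signedQuery` fails verification rather than being assembled from unrelated bytes. Note also that `strpos` matches `$name.'='` anywhere, including inside a longer name such as `XRelayState=` or inside a value; if that matters for the callers, anchor the match to the start of the string or to a preceding `&`. The remainder of extractOriginalQueryParam's body lies outside this hunk.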
@@ -1511,12 +1515,41 @@ public static function validateBinarySign($messageType, $getData, $idpData, $ret
         }
 
         if ($retrieveParametersFromServer) {
+            if (!isset($_SERVER['QUERY_STRING']) || empty($_SERVER['QUERY_STRING'])) {
+                throw new OneLogin_Saml2_Error(
+                    "No query string provided",
+                    OneLogin_Saml2_Error::INVALID_PARAMETER
+                );
+            }
+            $keys = ["SAMLRequest", "SAMLResponse", "RelayState", "SigAlg", "Signature"];
+            foreach ($keys as $key) {
+                if (substr_count($_SERVER['QUERY_STRING'], $key) > 1) {
+                    throw new OneLogin_Saml2_Error(
+                        "Duplicate parameter in query string",
+                        OneLogin_Saml2_Error::INVALID_PARAMETER
+                    );
+                }
+            }
+            if (substr_count($_SERVER['QUERY_STRING'], "SAMLRequest") > 0 && substr_count($_SERVER['QUERY_STRING'], "SAMLResponse") > 0) {
+                throw new OneLogin_Saml2_Error(
+                    "Both SAMLRequest and SAMLResponse provided",
+                    OneLogin_Saml2_Error::INVALID_PARAMETER
+                );
+            }
+
             $signedQuery = $messageType.'='.OneLogin_Saml2_Utils::extractOriginalQueryParam($messageType);
             if (isset($getData['RelayState'])) {
                 $signedQuery .= '&RelayState='.OneLogin_Saml2_Utils::extractOriginalQueryParam('RelayState');
             }
             $signedQuery .= '&SigAlg='.OneLogin_Saml2_Utils::extractOriginalQueryParam('SigAlg');
         } else {
+            if (isset($getData['SAMLRequest']) && isset($getData['SAMLResponse'])) {
+                throw new Error(
+                    "Both SAMLRequest and SAMLResponse provided",
+                    OneLogin_Saml2_Error::INVALID_PARAMETER
+                );
+            }
+
             $signedQuery = $messageType.'='.urlencode($getData[$messageType]);
             if (isset($getData['RelayState'])) {
                 $signedQuery .= '&RelayState='.urlencode($getData['RelayState']);
diff --git a/tests/src/OneLogin/Saml2/UtilsTest.php b/tests/src/OneLogin/Saml2/UtilsTest.php
index c91c71a8..4f1d9b4b 100644
--- a/tests/src/OneLogin/Saml2/UtilsTest.php
+++ b/tests/src/OneLogin/Saml2/UtilsTest.php
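Review bot: The duplicate check `substr_count($_SERVER['QUERY_STRING'], $key) > 1` counts raw substrings of the whole query string rather than parameter names, so a correctly signed message whose RelayState (or any other value) happens to contain `SigAlg`, `Signature` or `SAMLRequest` — plain letters that urlencode leaves untouched — is rejected with "Duplicate parameter in query string", and the `substr_count(...) > 0` pair below misfires the same way for "Both SAMLRequest and SAMLResponse provided". Split the query string on `&` into `name=value` pairs and count the names instead, as sketched below. Since PHP url-decodes names when it builds `$_GET`, decode the name before comparing so that `SAML%52equest` is counted like `SAMLRequest`; the literal `strpos` match in extractOriginalQueryParam would still not find such a spelling, which is worth a comment at the call site. The enclosing `if`/`else` continues past the end of the hunk.

```php
        if ($retrieveParametersFromServer) {
            // … unchanged: empty QUERY_STRING check …
            $keys = array("SAMLRequest", "SAMLResponse", "RelayState", "SigAlg", "Signature");
            // Count parameter *names*, not raw substrings, so that a value which
            // merely contains "SigAlg" or "Signature" is not rejected as a duplicate.
            $counts = array();
            foreach (explode('&', $_SERVER['QUERY_STRING']) as $pair) {
                $parts = explode('=', $pair, 2);
                $name = urldecode($parts[0]);
                $counts[$name] = isset($counts[$name]) ? $counts[$name] + 1 : 1;
            }
            foreach ($keys as $key) {
                if (isset($counts[$key]) && $counts[$key] > 1) {
                    // … unchanged: throw "Duplicate parameter in query string" …
                }
            }
            if (isset($counts['SAMLRequest']) && isset($counts['SAMLResponse'])) {
                // … unchanged: throw "Both SAMLRequest and SAMLResponse provided" …
            }
            // … unchanged: $signedQuery assembly from extractOriginalQueryParam …
```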
@@ -1337,4 +1337,431 @@ public function testValidateSign() $this->assertContains('Reference validation failed', $e->getMessage()); } } + + /** + * Tests the validateBinarySign method of the Utils + * + * @covers OneLogin_Saml2_Utils::validateSign + */ + public function testValidateBinarySignIsValid() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings1.php'; + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + $idpData = $settings->getIdPData(); + + unset($_SERVER['QUERY_STRING']); + $getData = array( + 'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=', + 'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg=' + ); + $retrieveParametersFromServer = false; + $messageType = 'SAMLRequest'; + $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer)); + + $retrieveParametersFromServer = true; + $_SERVER['QUERY_STRING'] = 'SAMLRequest=' . 
urlencode('fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE='). '&RelayState='.urlencode('_1037fbc88ec82ce8e770b2bed1119747bb812a07e6') . '&SigAlg='.urlencode('http://www.w3.org/2000/09/xmldsig#rsa-sha1').'&Signature=' . urlencode('L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrc'); + $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer)); + + unset($_SERVER['QUERY_STRING']); + $getData2 = array( + 'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A', + 'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=' + ); + $retrieveParametersFromServer = false; + $messageType = 'SAMLResponse'; + $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, 
$retrieveParametersFromServer)); + + $retrieveParametersFromServer = true; + $_SERVER['QUERY_STRING'] = 'SAMLResponse='.urlencode('fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A').'&RelayState='.urlencode('https://pitbulk.no-ip.org/newonelogin/demo1/index.php').'&SigAlg='.urlencode('http://www.w3.org/2000/09/xmldsig#rsa-sha1').'&Signature='.urlencode('vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA='); + $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer)); + } + + /** + * Tests the validateBinarySign method of the Utils + * + * @covers OneLogin_Saml2_Utils::validateSign + */ + public function testValidateBinarySignIsValidx509certMulti() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings6.php'; + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + $idpData = $settings->getIdPData(); + + unset($_SERVER['QUERY_STRING']); + $getData = array( + 'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=', + 
'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg=' + ); + $retrieveParametersFromServer = false; + $messageType = 'SAMLRequest'; + $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer)); + + $retrieveParametersFromServer = true; + $_SERVER['QUERY_STRING'] = 'SAMLRequest=' . urlencode('fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE='). '&RelayState='.urlencode('_1037fbc88ec82ce8e770b2bed1119747bb812a07e6') . '&SigAlg='.urlencode('http://www.w3.org/2000/09/xmldsig#rsa-sha1').'&Signature=' . 
urlencode('L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrc'); + $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer)); + + unset($_SERVER['QUERY_STRING']); + $getData2 = array( + 'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A', + 'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=' + ); + $retrieveParametersFromServer = false; + $messageType = 'SAMLResponse'; + $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer)); + + $retrieveParametersFromServer = true; + $_SERVER['QUERY_STRING'] = 
'SAMLResponse='.urlencode('fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A').'&RelayState='.urlencode('https://pitbulk.no-ip.org/newonelogin/demo1/index.php').'&SigAlg='.urlencode('http://www.w3.org/2000/09/xmldsig#rsa-sha1').'&Signature='.urlencode('vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA='); + $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer)); + } + + /** + * Tests the validateBinarySign method of the Utils + * Case where the signature is wrong + * + * @covers OneLogin_Saml2_Utils::validateSign + */ + public function testValidateBinarySignSignatureWrong() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings1.php'; + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + $idpData = $settings->getIdPData(); + + unset($_SERVER['QUERY_STRING']); + $getData = array( + 'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=', + 'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6', + 
'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'WRONGL2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg=' + ); + $retrieveParametersFromServer = false; + $messageType = 'SAMLRequest'; + $this->assertFalse(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer)); + + $getData2 = array( + 'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A', + 'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'WRONGvfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=' + ); + $retrieveParametersFromServer = false; + $messageType = 'SAMLResponse'; + $this->assertFalse(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer)); + } + + /** + * Tests the validateBinarySign method of the Utils + * Case where the cert is wrong + * + * @covers OneLogin_Saml2_Utils::validateSign + */ + public function testValidateBinarySignCertWrong() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings1.php'; + + $settingsInfo['idp']['x509cert'] = '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'; + $settings = new OneLogin_Saml2_Settings($settingsInfo); + + $idpData = $settings->getIdPData(); + 
$retrieveParametersFromServer = false; + + unset($_SERVER['QUERY_STRING']); + $getData = array( + 'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=', + 'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg=' + ); + $messageType = 'SAMLRequest'; + $this->assertFalse(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer)); + + $getData2 = array( + 'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A', + 'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=' + ); + $messageType = 'SAMLResponse'; + 
$this->assertFalse(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer)); + } + + /** + * Tests the validateBinarySign method of the Utils + * Case removed element, ex RelayState + * + * @covers OneLogin_Saml2_Utils::validateSign + */ + public function testValidateBinarySignRemovedParam() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings1.php'; + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + + $idpData = $settings->getIdPData(); + $retrieveParametersFromServer = false; + + unset($_SERVER['QUERY_STRING']); + $getData = array( + 'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=', + 'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg=' + ); + unset($getData['RelayState']); + $messageType = 'SAMLRequest'; + $this->assertFalse(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer)); + + $getData2 = array( + 'SAMLResponse' => 
'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A', + 'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=' + ); + unset($getData2['RelayState']); + $messageType = 'SAMLResponse'; + $this->assertFalse(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer)); + } + + /** + * Tests the validateBinarySign method of the Utils + * Case No Query String + * + * @covers OneLogin_Saml2_Utils::validateSign + */ + public function testValidateBinarySignNoQueryString() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings1.php'; + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + + $idpData = $settings->getIdPData(); + $retrieveParametersFromServer = true; + + unset($_SERVER['QUERY_STRING']); + $getData = array( + 'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=', + 'RelayState' => 
'_1037fbc88ec82ce8e770b2bed1119747bb812a07e6', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg=' + ); + unset($getData['RelayState']); + $messageType = 'SAMLRequest'; + try { + OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer); + $this->fail('Error was not raised'); + } catch (Exception $e) { + $expectedMessage = "No query string provided"; + $this->assertEquals($expectedMessage, $e->getMessage()); + } + + $getData2 = array( + 'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A', + 'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=' + ); + unset($getData2['RelayState']); + $messageType = 'SAMLResponse'; + try { + OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer); + $this->fail('Error was not raised'); + } catch (Exception $e) { + $expectedMessage = "No query string provided"; + $this->assertEquals($expectedMessage, $e->getMessage()); + } + } + + /** + * Tests the validateBinarySign method of the Utils + * Case No Cert + * + * @covers OneLogin_Saml2_Utils::validateSign + */ + 
public function testValidateBinarySignNoCert() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings1.php'; + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + + $idpData = $settings->getIdPData(); + unset($idpData['x509cert']); + + $retrieveParametersFromServer = false; + + unset($_SERVER['QUERY_STRING']); + $getData = array( + 'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=', + 'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg=' + ); + $messageType = 'SAMLRequest'; + try { + OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer); + $this->fail('Error was not raised'); + } catch (Exception $e) { + $expectedMessage = "In order to validate the sign on the Logout Request, the x509cert of the IdP is required"; + $this->assertEquals($expectedMessage, $e->getMessage()); + } + + $getData2 = array( + 'SAMLResponse' => 
'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A', + 'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=' + ); + $messageType = 'SAMLResponse'; + try { + OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer); + $this->fail('Error was not raised'); + } catch (Exception $e) { + $expectedMessage = "In order to validate the sign on the Logout Response, the x509cert of the IdP is required"; + $this->assertEquals($expectedMessage, $e->getMessage()); + } + } + + /** + * Tests the validateBinarySign method of the Utils + * Case Invalid Parameters: Ex. 
SAMLRequest and SAMLResponse present at the same time + * + * @covers OneLogin_Saml2_Utils::validateSign + */ + public function testValidateBinarySignReqAndRes() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings1.php'; + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + + $idpData = $settings->getIdPData(); + $retrieveParametersFromServer = false; + + unset($_SERVER['QUERY_STRING']); + $getData = array( + 'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=', + 'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A', + 'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg=' + ); + + $messageType = 'SAMLRequest'; + try { + OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer); + $this->fail('Error was not raised'); + } catch (Exception $e) { + $expectedMessage = "Both 
SAMLRequest and SAMLResponse provided"; + $this->assertEquals($expectedMessage, $e->getMessage()); + } + + $retrieveParametersFromServer = true; + $_SERVER['QUERY_STRING'] = 'SAMLRequest=' . urlencode('fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE='). '&RelayState='.urlencode('_1037fbc88ec82ce8e770b2bed1119747bb812a07e6') . '%SAMLResponse=' . urlencode('fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A') . '&SigAlg='.urlencode('http://www.w3.org/2000/09/xmldsig#rsa-sha1').'&Signature=' . 
urlencode('L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrc'); + try { + OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer); + $this->fail('Error was not raised'); + } catch (Exception $e) { + $expectedMessage = "Both SAMLRequest and SAMLResponse provided"; + $this->assertEquals($expectedMessage, $e->getMessage()); + } + + $getData2 = array( + 'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=', + 'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A', + 'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=' + ); + + $messageType = 'SAMLResponse'; + $retrieveParametersFromServer = false; + try { + OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, 
$retrieveParametersFromServer); + $this->fail('Error was not raised'); + } catch (Exception $e) { + $expectedMessage = "Both SAMLRequest and SAMLResponse provided"; + $this->assertEquals($expectedMessage, $e->getMessage()); + } + + $retrieveParametersFromServer = true; + $_SERVER['QUERY_STRING'] = 'SAMLRequest='. urlencode('fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=') . '&SAMLResponse='.urlencode('fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A').'&RelayState='.urlencode('https://pitbulk.no-ip.org/newonelogin/demo1/index.php').'&SigAlg='.urlencode('http://www.w3.org/2000/09/xmldsig#rsa-sha1').'&Signature='.urlencode('vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA='); + try { + OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer); + $this->fail('Error was not raised'); + } catch (Exception $e) { + $expectedMessage = "Both SAMLRequest and SAMLResponse provided"; + $this->assertEquals($expectedMessage, $e->getMessage()); + } + } + + /** + * Tests the 
validateBinarySign method of the Utils
+ * Case Invalid Parameters: Ex. Duplicated Parameters
+ *
+ * @covers OneLogin_Saml2_Utils::validateSign
+ */
+ public function testValidateBinarySignDuplicatedParameters()
+ {
+ $settingsDir = TEST_ROOT .'/settings/';
+ include $settingsDir.'settings6.php';
+
+ $settings = new OneLogin_Saml2_Settings($settingsInfo);
+ $idpData = $settings->getIdPData();
+
+ $getData = array();
+ $retrieveParametersFromServer = true;
+ $messageType = 'SAMLRequest';
+
+ $_SERVER['QUERY_STRING'] = 'SAMLRequest=xxx&SAMLRequest=yyy';
+ try {
+ OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer);
+ $this->fail('Error was not raised');
+ } catch (Exception $e) {
+ $expectedMessage = "Duplicate parameter in query string";
+ $this->assertEquals($expectedMessage, $e->getMessage());
+ }
+
+ $_SERVER['QUERY_STRING'] = 'SAMLResponse=xxx&SAMLResponse=yyy';
+ try {
+ OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer);
+ $this->fail('Error was not raised');
+ } catch (Exception $e) {
+ $expectedMessage = "Duplicate parameter in query string";
+ $this->assertEquals($expectedMessage, $e->getMessage());
+ }
+
+ $_SERVER['QUERY_STRING'] = 'RelayState=xxx&RelayState=yyy';
+ try {
+ OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer);
+ $this->fail('Error was not raised');
+ } catch (Exception $e) {
+ $expectedMessage = "Duplicate parameter in query string";
+ $this->assertEquals($expectedMessage, $e->getMessage());
+ }
+
+ $_SERVER['QUERY_STRING'] = 'SigAlg=xxx&SigAlg=yyy';
+ try {
+ OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer);
+ $this->fail('Error was not raised');
+ } catch (Exception $e) {
+ $expectedMessage = "Duplicate parameter in query string";
+ $this->assertEquals($expectedMessage, $e->getMessage());
+ }
+ }
 }
From d42321174e1185704e5b8b36cde6d79b131e2985 Mon Sep 17 00:00:00 2001
From: Sixto Martin
Date: Sun, 25 May 2025 13:09:35 +0200
Subject: [PATCH 2/2] Fix typo and compatibility
---
 lib/Saml2/Utils.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/Saml2/Utils.php b/lib/Saml2/Utils.php
index 7fbd14ac..5c36a485 100644
--- a/lib/Saml2/Utils.php
+++ b/lib/Saml2/Utils.php
@@ -1521,7 +1521,7 @@ public static function validateBinarySign($messageType, $getData, $idpData, $ret
 OneLogin_Saml2_Error::INVALID_PARAMETER
 );
 }
- $keys = ["SAMLRequest", "SAMLResponse", "RelayState", "SigAlg", "Signature"];
+ $keys = array("SAMLRequest", "SAMLResponse", "RelayState", "SigAlg", "Signature");
 foreach ($keys as $key) {
 if (substr_count($_SERVER['QUERY_STRING'], $key) > 1) {
 throw new OneLogin_Saml2_Error(
@@ -1544,7 +1544,7 @@ public static function validateBinarySign($messageType, $getData, $idpData, $ret
 $signedQuery .= '&SigAlg='.OneLogin_Saml2_Utils::extractOriginalQueryParam('SigAlg');
 } else {
 if (isset($getData['SAMLRequest']) && isset($getData['SAMLResponse'])) {
- throw new Error(
+ throw new OneLogin_Saml2_Error(
 "Both SAMLRequest and SAMLResponse provided",
 OneLogin_Saml2_Error::INVALID_PARAMETER
 );
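Review bot: The duplicate check at `if (substr_count($_SERVER['QUERY_STRING'], $key) > 1)` counts the key text anywhere in the raw query string rather than as a parameter name, so a legitimate value that happens to contain one of these names (a RelayState URL mentioning `SAMLRequest`, say) is rejected, and a percent-encoded spelling of a key name is not counted at all. That is fail-closed, so it is not a bypass, but it should be deliberate: `extractOriginalQueryParam`, used in the next hunk, appears to locate values by a plain substring search of `QUERY_STRING` rather than by parsing, so tightening only this check to a real parser while the extractor stays substring-based would re-open the gap this series closes — either both are refined together or the coarseness is recorded. I would add above `$keys = array(...)`: `// Intentionally coarse: counts the raw key text anywhere in QUERY_STRING, mirroring how extractOriginalQueryParam() finds values, so any query that could confuse the extractor is rejected; false positives on values containing these names are accepted. Keep the two in step.` The body of validateBinarySign starts and ends outside this hunk.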
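Review bot: The reason for rejecting the pair at `if (isset($getData['SAMLRequest']) && isset($getData['SAMLResponse']))` is not recorded on the line, and a bare co-presence check is exactly the kind of guard a later maintainer may relax as a false positive. The signed query is built from `$messageType` alone, so a second message parameter in the same request would fall outside the data the signature covers and could be handled as if it had been verified; that is the property worth stating. I would add above the `if`: `// Only $messageType is covered by the signature verified below; a second message parameter in the same request would never be signed, so reject the request outright.` The same rationale applies to the equivalent query-string check in the first hunk. The enclosing function continues outside this hunk.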
