Make SAML trust anchors work on verification of the SAML request

SAML uses a concept called trust anchors where you can say, I trust this party
because of $reasons. These trust anchors can be the issuing party, the DN of
the certificate, etc. The previous code implemented a partial solution to this,
it just said that the trust anchor was the DN of the certificate of the signer.
This is somewhat weird, as the certificate is already verified by the CA
certificate which is user supplied.

Now you can submit a CA and you can inject trust anchors into the SOAP binding
so it is checked with the verify_xml call. The trust anchors can be one of the
following `subject`, `issuer` or `issuer_hash`.

Signed-off-by: Wesley Schwengle <waterkip@cpan.org>

Author: waterkip

lib/Net/SAML2/Binding/SOAP.pm

@@ -5,14 +5,15 @@ use Moose;
 
 use MooseX::Types::URI qw/ Uri /;
 use Net::SAML2::XML::Util qw/ no_comments /;
+use Carp qw(croak);
 
 with 'Net::SAML2::Role::VerifyXML';
 
-# ABSTRACT: Net::SAML2::Binding::Artifact - SOAP binding for SAML
+# ABSTRACT: Net::SAML2::Binding::SOAP - SOAP binding for SAML
 
 =head1 NAME
 
-Net::SAML2::Binding::Artifact - SOAP binding for SAML2
+Net::SAML2::Binding::SOAP - SOAP binding for SAML2
 
 =head1 SYNOPSIS
 
@@ -94,7 +95,18 @@ has 'url'      => (isa => Uri, is => 'ro', required => 1, coerce => 1);
 has 'key'      => (isa => 'Str', is => 'ro', required => 1);
 has 'cert'     => (isa => 'Str', is => 'ro', required => 1);
 has 'idp_cert' => (isa => 'Str', is => 'ro', required => 1);
-has 'cacert'   => (isa => 'Str', is => 'ro', required => 0);
+has 'cacert' => (
+    is        => 'ro',
+    isa       => 'Str',
+    required  => 0,
+    predicate => 'has_cacert'
+);
+has 'anchors' => (
+    is        => 'ro',
+    isa       => 'HashRef',
+    required  => 0,
+    predicate => 'has_anchors'
+);
 
 =head2 request( $message )
 
@@ -149,6 +161,7 @@ sub handle_response {
         no_xml_declaration => 1,
         cert_text          => $self->idp_cert,
         cacert             => $self->cacert,
+        anchors            => $self->anchors
     );
     return $saml;
 
@@ -180,11 +193,15 @@ sub handle_request {
 
 sub _get_saml_from_soap {
     my $soap  = shift;
-    my $dom = no_comments($soap);
+    my $dom   = no_comments($soap);
     my $parser = XML::LibXML::XPathContext->new($dom);
     $parser->registerNs('soap-env', 'http://schemas.xmlsoap.org/soap/envelope/');
     $parser->registerNs('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
-    return $parser->findnodes_as_string('/soap-env:Envelope/soap-env:Body/*');
+    my $set = $parser->findnodes('/soap-env:Envelope/soap-env:Body/*');
+    if ($set->size) {
+        return $set->get_node(1)->toString();
+    }
+    return;
 }
 
 =head2 create_soap_envelope( $message )

lib/Net/SAML2/Role/VerifyXML.pm

@@ -4,6 +4,9 @@ use Moose::Role;
 
 use Net::SAML2::XML::Sig;
 use Crypt::OpenSSL::Verify;
+use Crypt::OpenSSL::X509;
+use Carp qw(croak);
+use List::Util qw(none);
 
 # ABSTRACT: A role to verify the SAML response XML
 
@@ -41,9 +44,18 @@ use Crypt::OpenSSL::Verify;
         # Most of these options are passed to Net::SAML2::XML::Sig, except for the
         # cacert
         # Most options are optional
-        cacert    => $self->cacert,
         cert_text => $self->cert,
         no_xml_declaration => 1,
+
+        # Used for a trust model, if lacking, everything is trusted
+        cacert  => $self->cacert,
+        # or check specific certificates based on subject/issuer or issuer hash
+        anchors => {
+            # one of the following is allowed
+            subject     => ["subject a",     "subject b"],
+            issuer      => ["Issuer A",      "Issuer B"],
+            issuer_hash => ["Issuer A hash", "Issuer B hash"],
+        },
     );
 
 =cut
@@ -54,23 +66,53 @@ sub verify_xml {
     my %args = @_;
 
     my $cacert   = delete $args{cacert};
+    my $anchors  = delete $args{anchors};
 
     my $x = Net::SAML2::XML::Sig->new({
         x509      => 1,
         exclusive => 1,
         %args,
     });
 
-    die "XML signature check failed\n" unless $x->verify($xml);
+    croak("XML signature check failed") unless $x->verify($xml);
 
-    return unless $cacert;
+    if (!$anchors && !$cacert) {
+        return 1;
+    }
 
     my $cert = $x->signer_cert
         or die "Certificate not provided in SAML Response, cannot validate\n";
 
-    my $ca = Crypt::OpenSSL::Verify->new($cacert, { strict_certs => 0 });
-    return if $ca->verify($cert);
-    die "Could not verify CA certificate!\n";
+    if ($cacert) {
+        my $ca = Crypt::OpenSSL::Verify->new($cacert, { strict_certs => 0 });
+        eval { $ca->verify($cert) };
+        if ($@) {
+            croak("Could not verify CA certificate: $@");
+        }
+    }
+
+    return 1 if !$anchors;
+
+    if (ref $anchors ne 'HASH') {
+        croak("Unable to verify anchor trust");
+    }
+
+    my ($key) = keys %$anchors;
+    if (none { $key eq $_ } qw(subject issuer issuer_hash)) {
+        croak("Unable to verify anchor trust, requires subject, issuer or issuer_hash");
+    }
+
+    my $got = $cert->$key;
+    my $want = $anchors->{$key};
+    if (!ref $want) {
+        $want = [ $want ];
+    }
+
+    if (none { $_ eq $got } @$want) {
+        croak("Could not verify trust anchors of certificate!");
+    }
+    return 1;
+
 }
 
 

lib/Net/SAML2/XML/Util.pm

@@ -44,10 +44,11 @@ sub no_comments {
 
     # Remove comments from XML to mitigate XML comment auth bypass
     my $dom = XML::LibXML->load_xml(
-                    string => $xml,
-                    no_network => 1,
-                    load_ext_dtd => 0,
-                    expand_entities => 0 );
+        string          => $xml,
+        no_network      => 1,
+        load_ext_dtd    => 0,
+        expand_entities => 0
+    );
 
     for my $comment_node ($dom->findnodes('//comment()')) {
         $comment_node->parentNode->removeChild($comment_node);

t/05-soap-binding.t

@@ -4,6 +4,8 @@ use Test::Lib;
 use Test::Net::SAML2;
 
 use Net::SAML2::IdP;
+use Net::SAML2::Binding::SOAP;
+use Test::Mock::One;
 
 use LWP::UserAgent;
 
@@ -40,7 +42,7 @@ my $request_xml = $request->as_xml;
 my $xp = get_xpath($request_xml);
 isa_ok($xp, "XML::LibXML::XPathContext");
 
-my $ua = LWP::UserAgent->new;
+my $ua   = LWP::UserAgent->new;
 my $soap = $sp->soap_binding($ua, $slo_url, $idp_cert);
 isa_ok($soap, "Net::SAML2::Binding::SOAP");
 
@@ -65,4 +67,64 @@ is($soaped_request->session, $request->session,
 is($soaped_request->nameid, $request->nameid,
     "SOAP nameid equals request nameid");
 
+{
+    # Testing trust anchors of SAML
+    # You can set various trust anchors of SAML so the response is checked
+    # against some kind of anchor.
+    my %anchors = (
+        subject     => [qw(foo bar)],
+        issuer      => 'Net::SAML2',
+        issuer_hash => [
+            'f1d2d2f924e986ac86fdf7b36c94bcdf32beec15',
+            'e242ed3bffccdf271b7fbaf34ed72d089537b42f'
+        ],
+    );
+
+    my $xml      = "<xml></xml>";
+    my $override = Sub::Override->new(
+        'Net::SAML2::Binding::SOAP::_get_saml_from_soap' => sub {
+            return $xml;
+        },
+    );
+    $override->override(
+        'XML::Sig::new' => sub {
+            return Test::Mock::One->new(
+                subject     => 'foo',
+                issuer      => 'Net::SAML2',
+                issuer_hash => 'f1d2d2f924e986ac86fdf7b36c94bcdf32beec15',
+            );
+        }
+    );
+
+    foreach (keys %anchors) {
+        my $soap = Net::SAML2::Binding::SOAP->new(
+            url      => 'https://example.com/auth/saml',
+            key      => $sp->key,
+            cert     => $sp->cert,
+            idp_cert => $idp_cert,
+            anchors  => { $_ => $anchors{$_} }
+        );
+        isa_ok($soap, "Net::SAML2::Binding::SOAP");
+
+        is($soap->handle_response('here be soap'),
+            "<xml></xml>", "We got our XML, so we are verified");
+    }
+
+    my $soap = Net::SAML2::Binding::SOAP->new(
+        url      => 'https://example.com/auth/saml',
+        key      => $sp->key,
+        cert     => $sp->cert,
+        idp_cert => $idp_cert,
+        anchors  => { subject => 'testsuite failure expected' }
+    );
+
+    throws_ok(
+        sub {
+            $soap->handle_response('here be failure');
+        },
+        qr/Could not verify trust anchors of certificate!/,
+        "We cannot trust the anchor"
+    )
+}
+
 done_testing;