Merge pull request #84 from waterkip/GH-verify-xml-and_trust_anchors

BREAKING CHANGES: Verifying XML and trust anchors on SAML responses

Author: timlegge

lib/Net/SAML2/Binding/POST.pm

@@ -28,6 +28,8 @@ use Net::SAML2::XML::Sig;
 use MIME::Base64 qw/ decode_base64 /;
 use Crypt::OpenSSL::Verify;
 
+with 'Net::SAML2::Role::VerifyXML';
+
 =head2 new( )
 
 Constructor. Returns an instance of the POST binding.
@@ -59,27 +61,19 @@ sub handle_response {
 
     # unpack and check the signature
     my $xml = decode_base64($response);
-    my $xml_opts = { x509 => 1 };
-    $xml_opts->{ cert_text } = $self->cert_text if ($self->cert_text);
-    $xml_opts->{ exclusive } = 1;
-    $xml_opts->{ no_xml_declaration } = 1;
-    my $x = Net::SAML2::XML::Sig->new($xml_opts);
-    my $ret = $x->verify($xml);
-    die "signature check failed" unless $ret;
-
-    if ($self->cacert) {
-        my $cert = $x->signer_cert
-            or die "Certificate not provided and not in SAML Response, cannot validate";
-
-        my $ca = Crypt::OpenSSL::Verify->new($self->cacert, { strict_certs => 0, });
-        if ($ca->verify($cert)) {
-            return sprintf("%s (verified)", $cert->subject);
-        } else {
-            return 0;
-        }
-    }
-
-    return 1;
+
+    $self->verify_xml(
+        $xml,
+        no_xml_declaration => 1,
+        $self->cert_text ? (
+            cert_text => $self->cert_text
+        ) : (),
+        $self->cacert ? (
+            cacert => $self->cacert
+        ) : (),
+
+    );
+    return $xml;
 }
 
 __PACKAGE__->meta->make_immutable;

lib/Net/SAML2/Binding/SOAP.pm

@@ -1,17 +1,19 @@
-use strict;
-use warnings;
 package Net::SAML2::Binding::SOAP;
+use Moose;
+
 # VERSION
 
-use Moose;
 use MooseX::Types::URI qw/ Uri /;
 use Net::SAML2::XML::Util qw/ no_comments /;
+use Carp qw(croak);
+
+with 'Net::SAML2::Role::VerifyXML';
 
-# ABSTRACT: Net::SAML2::Binding::Artifact - SOAP binding for SAML
+# ABSTRACT: Net::SAML2::Binding::SOAP - SOAP binding for SAML
 
 =head1 NAME
 
-Net::SAML2::Binding::Artifact - SOAP binding for SAML2
+Net::SAML2::Binding::SOAP - SOAP binding for SAML2
 
 =head1 SYNOPSIS
 
@@ -93,7 +95,18 @@ has 'url'      => (isa => Uri, is => 'ro', required => 1, coerce => 1);
 has 'key'      => (isa => 'Str', is => 'ro', required => 1);
 has 'cert'     => (isa => 'Str', is => 'ro', required => 1);
 has 'idp_cert' => (isa => 'Str', is => 'ro', required => 1);
-has 'cacert'   => (isa => 'Str', is => 'ro', required => 1);
+has 'cacert' => (
+    is        => 'ro',
+    isa       => 'Str',
+    required  => 0,
+    predicate => 'has_cacert'
+);
+has 'anchors' => (
+    is        => 'ro',
+    isa       => 'HashRef',
+    required  => 0,
+    predicate => 'has_anchors'
+);
 
 =head2 request( $message )
 
@@ -142,35 +155,16 @@ Accepts a string containing the complete SOAP response.
 sub handle_response {
     my ($self, $response) = @_;
 
-    # verify the response
-    my $x = Net::SAML2::XML::Sig->new(
-    {
-        x509 => 1,
-        cert_text => $self->idp_cert,
-        exclusive => 1,
+    my $saml = _get_saml_from_soap($response);
+    $self->verify_xml(
+        $saml,
         no_xml_declaration => 1,
-    });
-
-    my $ret = $x->verify($response);
-    die "bad SOAP response" unless $ret;
-
-    # verify the signing certificate
-    my $cert = $x->signer_cert;
-    my $ca = Crypt::OpenSSL::Verify->new($self->cacert, { strict_certs => 0, });
-    $ret = $ca->verify($cert);
-    die "bad signer cert" unless $ret;
-
-    my $subject = sprintf("%s (verified)", $cert->subject);
+        cert_text          => $self->idp_cert,
+        cacert             => $self->cacert,
+        anchors            => $self->anchors
+    );
+    return $saml;
 
-    # parse the SOAP response and return the payload
-    my $dom = no_comments($response);
-
-    my $parser = XML::LibXML::XPathContext->new($dom);
-    $parser->registerNs('soap-env', 'http://schemas.xmlsoap.org/soap/envelope/');
-    $parser->registerNs('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
-
-    my $saml = $parser->findnodes_as_string('/soap-env:Envelope/soap-env:Body/*');
-    return ($subject, $saml);
 }
 
 =head2 handle_request( $request )
@@ -184,29 +178,29 @@ Accepts a string containing the complete SOAP request.
 sub handle_request {
     my ($self, $request) = @_;
 
-    my $dom = no_comments($request);
+    my $saml = _get_saml_from_soap($request);
+    if (defined $saml) {
+        $self->verify_xml(
+            $saml,
+            cert_text => $self->idp_cert,
+            cacert    => $self->cacert
+        );
+        return $saml;
+    }
+
+    return;
+}
 
+sub _get_saml_from_soap {
+    my $soap  = shift;
+    my $dom   = no_comments($soap);
     my $parser = XML::LibXML::XPathContext->new($dom);
     $parser->registerNs('soap-env', 'http://schemas.xmlsoap.org/soap/envelope/');
     $parser->registerNs('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
-
-    my ($nodes) = $parser->findnodes('/soap-env:Envelope/soap-env:Body/*');
-    my $saml = $nodes->toString;
-
-    if (defined $saml) {
-        my $x = Net::SAML2::XML::Sig->new({ x509 => 1, cert_text => $self->idp_cert, exclusive => 1, });
-        my $ret = $x->verify($saml);
-        die "bad signature" unless $ret;
-
-        my $cert = $x->signer_cert;
-        my $ca = Crypt::OpenSSL::Verify->new($self->cacert, { strict_certs => 0, });
-        $ret = $ca->verify($cert);
-        die "bad certificate in request: ".$cert->subject unless $ret;
-
-        my $subject = $cert->subject;
-        return ($subject, $saml);
+    my $set = $parser->findnodes('/soap-env:Envelope/soap-env:Body/*');
+    if ($set->size) {
+        return $set->get_node(1)->toString();
     }
-
     return;
 }
 

lib/Net/SAML2/Role/VerifyXML.pm

@@ -0,0 +1,122 @@
+package Net::SAML2::Role::VerifyXML;
+use Moose::Role;
+# VERSION
+
+use Net::SAML2::XML::Sig;
+use Crypt::OpenSSL::Verify;
+use Crypt::OpenSSL::X509;
+use Carp qw(croak);
+use List::Util qw(none);
+
+# ABSTRACT: A role to verify the SAML response XML
+
+=head1 DESCRIPTION
+
+=head1 SYNOPSIS
+
+    use Net::SAML2::Some::Module;
+
+    use Moose;
+    with 'Net::SAML2::Role::VerifyXML';
+
+    sub do_something_with_xml {
+        my $self = shift;
+        my $xml  = shift;
+
+        $self->verify_xml($xml,
+            # Most of these options are passed to Net::SAML2::XML::Sig, except for the
+            # cacert
+            # Most options are optional
+            cacert    => $self->cacert,
+            cert_text => $self->cert,
+            no_xml_declaration => 1,
+        );
+    }
+
+=cut
+
+
+=head1 METHODS
+
+=head2 verify_xml($xml, %args)
+
+    $self->verify_xml($xml,
+        # Most of these options are passed to Net::SAML2::XML::Sig, except for the
+        # cacert
+        # Most options are optional
+        cert_text => $self->cert,
+        no_xml_declaration => 1,
+
+        # Used for a trust model, if lacking, everything is trusted
+        cacert  => $self->cacert,
+        # or check specific certificates based on subject/issuer or issuer hash
+        anchors => {
+            # one of the following is allowed
+            subject     => ["subject a",     "subject b"],
+            issuer      => ["Issuer A",      "Issuer B"],
+            issuer_hash => ["Issuer A hash", "Issuer B hash"],
+        },
+    );
+
+=cut
+
+sub verify_xml {
+    my $self = shift;
+    my $xml  = shift;
+    my %args = @_;
+
+    my $cacert   = delete $args{cacert};
+    my $anchors  = delete $args{anchors};
+
+    my $x = Net::SAML2::XML::Sig->new({
+        x509      => 1,
+        exclusive => 1,
+        %args,
+    });
+
+    croak("XML signature check failed") unless $x->verify($xml);
+
+    if (!$anchors && !$cacert) {
+        return 1;
+    }
+
+    my $cert = $x->signer_cert
+        or die "Certificate not provided in SAML Response, cannot validate\n";
+
+    if ($cacert) {
+        my $ca = Crypt::OpenSSL::Verify->new($cacert, { strict_certs => 0 });
+        eval { $ca->verify($cert) };
+        if ($@) {
+            croak("Could not verify CA certificate: $@");
+        }
+    }
+
+    return 1 if !$anchors;
+
+    if (ref $anchors ne 'HASH') {
+        croak("Unable to verify anchor trust");
+    }
+
+    my ($key) = keys %$anchors;
+    if (none { $key eq $_ } qw(subject issuer issuer_hash)) {
+        croak("Unable to verify anchor trust, requires subject, issuer or issuer_hash");
+    }
+
+    my $got = $cert->$key;
+    my $want = $anchors->{$key};
+    if (!ref $want) {
+        $want = [ $want ];
+    }
+
+    if (none { $_ eq $got } @$want) {
+        croak("Could not verify trust anchors of certificate!");
+    }
+    return 1;
+
+}
+
+
+1;
+
+__END__
+

lib/Net/SAML2/SP.pm

@@ -413,17 +413,13 @@ XXX UA
 sub soap_binding {
     my ($self, $ua, $idp_url, $idp_cert) = @_;
 
-    if (!$self->has_cacert) {
-        croak("Unable to create SOAP binding, no CA certificate provided");
-    }
-
     return Net::SAML2::Binding::SOAP->new(
         ua       => $ua,
         key      => $self->key,
         cert     => $self->cert,
         url      => $idp_url,
         idp_cert => $idp_cert,
-        cacert   => $self->cacert,
+        $self->has_cacert ? (cacert => $self->cacert) : (),
     );
 }
 

lib/Net/SAML2/Util.pm

@@ -5,7 +5,7 @@ package Net::SAML2::Util;
 
 use Crypt::OpenSSL::Random qw(random_pseudo_bytes);
 
-# ABSTRACT: Utility functions for Net:SAML2
+# ABSTRACT: Utility functions for Net::SAML2
 
 use Exporter qw(import);
 

lib/Net/SAML2/XML/Util.pm

@@ -44,10 +44,11 @@ sub no_comments {
 
     # Remove comments from XML to mitigate XML comment auth bypass
     my $dom = XML::LibXML->load_xml(
-                    string => $xml,
-                    no_network => 1,
-                    load_ext_dtd => 0,
-                    expand_entities => 0 );
+        string          => $xml,
+        no_network      => 1,
+        load_ext_dtd    => 0,
+        expand_entities => 0
+    );
 
     for my $comment_node ($dom->findnodes('//comment()')) {
         $comment_node->parentNode->removeChild($comment_node);

t/04-response.t

@@ -67,23 +67,19 @@ my $sp = net_saml2_sp();
 
 my $post = $sp->post_binding;
 
-my $subject;
+my $response_xml;
 
 lives_ok(
     sub {
-        $subject = $post->handle_response($response);
+        $response_xml = $post->handle_response($response);
     },
     '$sp->handle_response works'
 );
 
 
-ok(defined $subject, "->handle response verified something");
-like($subject, qr/verified/, "Matches the verified string");
-
-## TODO: Move to t/03-assertion
-my $assertion_xml = decode_base64($response);
-my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(xml => $xml);
+is($xml, $response_xml, "We have the response XML as XML");
 
+my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(xml => $response_xml);
 isa_ok($assertion, 'Net::SAML2::Protocol::Assertion');
 
 done_testing;