Modify signature reference URI only when use inner signature certificate

Florent · Florent PIGOUT · commit eafae456df6d · 2016-04-07T13:01:28.000+02:00
When Response should be verifiy with the IdP certificate and the signature
reference URI is empty we can not modify the Response content or it will be
considered as invalid, ex.:

$ xmlsec1 --sign \
--id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response \
--privkey-pem python-saml/metadata.key \
--output python-saml/signed_assertion.xml \
python-saml/unsigned_assertion.xml

$ xmlsec1 --verify \
--id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response \
--pubkey-cert python-saml/metadata.crt \
python-saml/signed_assertion.xml

OK

$ python -c "
from onelogin.saml2.utils import OneLogin_Saml2_Utils
with open('python-saml/signed_assertion.xml') as assertion:
    with open('python-saml/metadata.crt') as cert:
        print OneLogin_Saml2_Utils.validate_sign(assertion.read(), cert.read(), debug=True)
"
signatures.c:346(xmlSecOpenSSLEvpSignatureVerify) obj=rsa-sha1 subject=EVP_VerifyFinal msg=signature do not match errno=18
False

On another hand we should continue to do that if we validate the xml
with an internal certificate.
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
@@ -1051,15 +1051,15 @@ def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, finger
                     if fingerprint == x509_fingerprint_value:
                         cert = OneLogin_Saml2_Utils.format_cert(x509_cert_value)
 
+                # Check if Reference URI is empty
+                reference_elem = OneLogin_Saml2_Utils.query(signature_node, '//ds:Reference')
+                if len(reference_elem) > 0:
+                    if reference_elem[0].get('URI') == '':
+                        reference_elem[0].set('URI', '#%s' % signature_node.getparent().get('ID'))
+
             if cert is None or cert == '':
                 return False
 
-            # Check if Reference URI is empty
-            reference_elem = OneLogin_Saml2_Utils.query(signature_node, '//ds:Reference')
-            if len(reference_elem) > 0:
-                if reference_elem[0].get('URI') == '':
-                    reference_elem[0].set('URI', '#%s' % signature_node.getparent().get('ID'))
-
             dsig_ctx = xmlsec.DSigCtx()
 
             file_cert = OneLogin_Saml2_Utils.write_temp_file(cert)
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -1218,6 +1218,12 @@ def testIsValidSignWithEmptyReferenceURI(self):
         response = OneLogin_Saml2_Response(settings, xml)
         self.assertTrue(response.is_valid(self.get_request_data()))
 
+    def testIsValidSignWithEmptyReferenceURIAndIdPCert(self):
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+        xml = self.file_contents(join(self.data_path, 'responses', 'valid_response_with_unsigned_assertion.xml.base64'))
+        response = OneLogin_Saml2_Response(settings, xml)
+        self.assertTrue(response.is_valid(self.get_request_data()))
+
     def testIsValidWithoutInResponseTo(self):
         """
         If assertion contains InResponseTo but not the Response tag, we should
