Skip to content

Add HSM Support for Decrypting Assertions #9055

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Add HSM Support for Decrypting Assertions #9055

wants to merge 1 commit into from

Conversation

ryan13mt
Copy link

@ryan13mt ryan13mt commented Sep 28, 2020
edited
Loading

To solve issue: #9044

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 28, 2020
@ryan13mt ryan13mt mentioned this pull request Sep 28, 2020
Closed
jzheaux
jzheaux requested changes Sep 28, 2020
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @ryan13mt, for another PR! I've left some feedback inline.

@jzheaux jzheaux self-assigned this Sep 28, 2020
@jzheaux jzheaux added in: saml2 An issue in SAML2 modules type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 28, 2020
@ryan13mt ryan13mt requested a review from jzheaux September 29, 2020 08:41
jzheaux
jzheaux requested changes Sep 29, 2020
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates, @ryan13mt! I like where this is headed; I've left some feedback inline.

Also, just a reminder to add tests for the setters. I believe it would suffice to use mock Consumer instances.

...framework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java Outdated
@@ -211,6 +211,32 @@

private Converter<Saml2AuthenticationToken, Decrypter> decrypterConverter = new DecrypterConverter();

private Decrypter decrypter;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't thread-safe. Because the decrypter instance is changed with each authentication, two concurrent authentication attempts will clobber each other's value here.

Instead, the default values below will need to construct a Decrypter using the details from Saml2AuthenticationToken. For assertionDecrypter, I think this will look something like:

Decrypter decrypter = this.decrypterConverter.convert(responseToken.getToken());
for (EncryptedAssertion encryptedAssertion : responseToken.getResponse().getEncryptedAssertions()) {
// ...

with something similar being done in principalDecrypter.

...framework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java Outdated
@@ -407,6 +477,14 @@ public boolean supports(Class<?> authentication) {
return authentication != null && Saml2AuthenticationToken.class.isAssignableFrom(authentication);
}

private Consumer<ResponseToken> getAssertionDecrypter() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To simplify the code, I recommend removing these getters and having the code refer directly to the fields.

@ryan13mt ryan13mt requested a review from jzheaux September 30, 2020 14:22
@ryan13mt
Copy link
Author

@jzheaux locally this is failing as well like the other pull request. Not really sure on what the reason is.

Execution failed for task ':spring-security-samples-boot-oauth2resourceserver-webflux:integrationTest'
Execution failed for task ':spring-security-samples-boot-oauth2webclient-webflux:test'

jzheaux
jzheaux requested changes Sep 30, 2020
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates, @ryan13mt! In preparation for merging, will you please squash your commits? Also, if you like, please consider adding yourself to the list of authors.

@ryan13mt ryan13mt requested a review from jzheaux October 1, 2020 14:43
@ryan13mt
Copy link
Author

ryan13mt commented Oct 1, 2020
edited
Loading

Thanks @jzheaux hope i squashed my commits the right way. Is there anything else needed to close this PR please?

Also i noticed this is not linked to the issue yet.

@ryan13mt
Copy link
Author

ryan13mt commented Oct 7, 2020

Hi again @jzheaux is there any other input needed from my end cause i am going to be reassigned into a new project and would have very limited time to contribute further to this and the other pull request #9056

Thanks and sorry for the spam 🤣

@jzheaux
Copy link
Contributor

jzheaux commented Oct 14, 2020

Thanks for your contribution, @ryan13mt! This is now merged into master via 535ae3e as well as a polish commit of d0581c9 to adjust the method names.

In a few minutes, it should be available in 5.5.0-SNAPSHOT in https://repo.spring.io/libs-snapshot. Please try it out to make sure it meets your needs.

@jzheaux jzheaux closed this Oct 14, 2020
@ryan13mt
Copy link
Author

Hello @jzheaux thanks for closing this issue and merging to master.

I am finding a problem with the polishing commit. You added a check in d0581c9#diff-e1434c9a229d033aa3fe922ab7b9637a54ba5a2521711e3b362e70bc7f787833R511 where you are checking if a response is signed and if true, doing the elements decryption. Is there a reason this check was added?

I believe this is not correct since there are use cases where the idp will sign and encrypt the assertion but will leave the response unsigned as is in our case. Thus having an unsigned SAML Response with an encrypted signed Assertion should still decrypt the assertion and then checking that it has been signed before throwing the error "Either the response or one of the assertions is unsigned. Please either sign the response or all of the assertions.". or in my case it's throwing "No assertions found in response." since the encrypted assertions have not being decrypted yet.

With this new check, the library is now requiring that a response must be signed if it contains an encrypted assertion.

Thanks

@jzheaux jzheaux added this to the 5.5.0-M1 milestone Nov 4, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jzheaux jzheaux Awaiting requested review from jzheaux

Assignees

@jzheaux jzheaux

Labels
in: saml2 An issue in SAML2 modules type: enhancement A general enhancement
Projects
None yet
Milestone
5.5.0-M1
Development

Successfully merging this pull request may close these issues.
3 participants
@ryan13mt @jzheaux @spring-projects-issues