Skip to content

Remove the default for getKeyInfoContent forcing a consumer to choose#411

Merged
cjbarth merged 1 commit intonode-saml:masterfrom
cjbarth:get-key-info-default
Nov 26, 2023
Merged

Remove the default for getKeyInfoContent forcing a consumer to choose#411
cjbarth merged 1 commit intonode-saml:masterfrom
cjbarth:get-key-info-default

Conversation

@cjbarth
Copy link
Contributor

@cjbarth cjbarth commented Nov 25, 2023
edited
Loading

Per the discussion here, remove the default for getKeyInfoContent. This will force the consumer to make a decision here. The default implementation is still available.

@cjbarth cjbarth requested a review from LoneRifle November 25, 2023 14:48
@codecov
Copy link

codecov bot commented Nov 25, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (741240f) 73.36% compared to head (e1072d7) 73.17%.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master     #411      +/-   ##
==========================================
- Coverage   73.36%   73.17%   -0.20%     
==========================================
  Files           9        9              
  Lines         901      902       +1     
  Branches      239      239              
==========================================
- Hits          661      660       -1     
- Misses        142      143       +1     
- Partials       98       99       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@cjbarth cjbarth merged commit 468d674 into node-saml:master Nov 26, 2023
@cjbarth cjbarth deleted the get-key-info-default branch November 26, 2023 14:19
@srd90 srd90 mentioned this pull request Jan 10, 2024
Merged
@srd90
Copy link

srd90 commented Jan 22, 2024

@cjbarth This PR did not fix vulnerability. Discussion you referenced at the description of this PR suggested setting getCertFromKeyInfo by default to "noop" but this PR set getKeyInfoContent to "noop" (IMHO getKeyInfoContent is not involved at signature validation execution path and it does not have any effect to issue described at #399). I.e. if someone initiates SignedXML like this:

 const sig = new xmlCrypto.SignedXml();
 sig.publicCert = pemFile;
 sig.loadSignature(signature);

(that code was copy paste from node-saml/node-saml#341 's version https://github.com/node-saml/node-saml/blob/eaaae9f6ced68cdda5b5e7c79f136abc9a07039d/src/xml.ts#L113-L115 )

Then untrusted cert is used by default (i.e. if attacker re-signs XML message with own private key and attaches that key's cert then attacker can by pass signature validation). One example of this is described at node-saml/node-saml#341 (comment) (note that example applies to version https://github.com/node-saml/node-saml/tree/eaaae9f6ced68cdda5b5e7c79f136abc9a07039d of that PR branch)

So once again consider setting at least getKeyInfoFromCert (instead of/in addition to getKeyInfoContent) to noop and in addition to that consider switching precedence order of

xml-crypto/src/signed-xml.ts

Line 267 in f8cbbb7

const key = this.getCertFromKeyInfo(this.keyInfo) || this.publicCert || this.privateKey;

@aramshiva aramshiva mentioned this pull request Aug 27, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@LoneRifle LoneRifle LoneRifle approved these changes

Assignees

No one assigned

Labels

breaking-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cjbarth @srd90 @LoneRifle