vcenter_saml_login
get_idp_cert() erroneously returns wrong private key from data.mdb
For VMware vSphere 6.7.0.4600, the get_idp_cert() function returns the first instance of bytes found that it thinks are a private key. I do see you perform a check_key_valid() to check if it's a true cert or not. But unfortunately, these false positives pass the check.
Consequently, the private key is invalid and the SAML assertion can not be signed.
A quick fix to address the issue was to comment out line 135 (which returns the key) and instead write all possible keys to separate files.
Then, with each key, I ran openssl rsa -noout -text -in $keyname to check if the key was valid or not. Out of the 100+ possible private keys extracted by get_idp_cert(), one eventually was found to be correct. This key was then manually fed into sign_assertion().
I'm sure there's a better way to address this, but it was the fix that worked for me at the time.
Hey, really appreciate the detailed issue. I'll have to think some about a solution - my gut instinct is that I can improve the IdP certificate locating logic and also do some real certificate validation beyond just checking the first few bytes.
In your case, were all the false positives real certificates or did they just happen to pass the rough checks I had in place?
Sorry for the late response.
In my case, all of the false positives were NOT certificates. At least not valid to the point where openssl could read them.
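Added example (not code from the project or from either poster): the "write every candidate to a file and test each with openssl" step from the first post, and the "real validation beyond the first few bytes" the maintainer proposes, done in one script. A rough byte-signature search stands in for the header check that over-matches; each hit is then fully parsed as a PKCS#1 RSAPrivateKey and put through the RSA arithmetic consistency checks, so only a blob that is actually a key survives. The byte pattern, the toy data.mdb slice and the Mersenne-prime test key are all constructed assumptions for illustration, not the tool's actual search logic and not a real vCenter key. Python 3.8+, standard library only.

```python
import math
import random
import re

# Rough "first few bytes" signature (an ASSUMPTION, not the tool's real pattern):
# SEQUENCE (0x30) with a 1- or 2-byte long-form length, then INTEGER 0 (02 01 00),
# i.e. the version field that opens a PKCS#1 RSAPrivateKey. Many other DER blobs
# in data.mdb start the same way, which is where the false positives come from.
CANDIDATE_RE = re.compile(rb'\x30(?:\x81.|\x82..)\x02\x01\x00', re.DOTALL)
FIELDS = ('version', 'n', 'e', 'd', 'p', 'q', 'dp', 'dq', 'qinv')


def find_candidates(blob):
    """Offsets of every signature hit; this is the cheap check that over-matches."""
    return [m.start() for m in CANDIDATE_RE.finditer(blob)]


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos] -> (tag, value, end). ValueError if malformed/truncated."""
    if pos + 2 > len(buf):
        raise ValueError('truncated header')
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        if not 0 < nbytes <= 4 or pos + nbytes > len(buf):
            raise ValueError('bad length encoding')
        length = int.from_bytes(buf[pos:pos + nbytes], 'big')
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError('truncated value')
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_private_key(der):
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dp, dq, qinv } (all INTEGER)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError('not a SEQUENCE')
    values, pos = [], 0
    while pos < len(body) and len(values) < len(FIELDS):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x02 or not val:
            raise ValueError('expected INTEGER')
        values.append(int.from_bytes(val, 'big', signed=True))
    if len(values) != len(FIELDS):
        raise ValueError('too few fields')
    return dict(zip(FIELDS, values))


def check_rsa_key(k):
    """Arithmetic consistency checks of the kind `openssl rsa -check` makes
    (primality testing of p and q is skipped here). Raises ValueError on failure."""
    n, e, d, p, q, dp, dq, qinv = (k[f] for f in FIELDS[1:])
    if k['version'] != 0:
        raise ValueError('unsupported version')
    if min(n, e, d, dp, dq, qinv) <= 0 or p < 2 or q < 2:
        raise ValueError('non-positive component')
    if p * q != n:
        raise ValueError('p*q != n')
    if (e * d) % (p - 1) != 1 or (e * d) % (q - 1) != 1:
        raise ValueError('d is not the inverse of e')
    if dp != d % (p - 1) or dq != d % (q - 1) or (q * qinv) % p != 1:
        raise ValueError('inconsistent CRT parameters')


def extract_valid_keys(blob):
    """[(offset, key_dict)] for candidates that both parse and pass the RSA checks."""
    good = []
    for off in find_candidates(blob):
        try:
            key = parse_rsa_private_key(blob[off:])
            check_rsa_key(key)
        except ValueError:
            continue                         # false positive: header matched, content did not
        good.append((off, key))
    return good


# --- DER encoder and a constructed test blob (only used to build the sample input) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(lb)]) + lb


def _der_int(v):
    b = v.to_bytes(v.bit_length() // 8 + 1, 'big')   # leading 0x00 when the high bit is set
    return b'\x02' + _der_len(len(b)) + b


def encode_rsa_private_key(k):
    body = b''.join(_der_int(k[f]) for f in FIELDS)
    return b'\x30' + _der_len(len(body)) + body


def toy_rsa_key():
    """Constructed toy key from two Mersenne primes: deterministic, NOT a real vCenter key."""
    p, q, e = (1 << 127) - 1, (1 << 107) - 1, 65537
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    d = pow(e, -1, lam)
    return dict(version=0, n=p * q, e=e, d=d, p=p, q=q,
                dp=d % (p - 1), dq=d % (q - 1), qinv=pow(q, -1, p))


def build_sample_blob():
    """Constructed stand-in for a data.mdb slice: junk, two false positives, one real key.
    Returns (blob, der_of_the_real_key)."""
    rng = random.Random(1)

    def junk(size):
        return bytes(rng.randrange(256) for _ in range(size))

    header_only = b'\x30\x82\x04\xbc\x02\x01\x00' + junk(40)          # matches, body is garbage
    real_key = toy_rsa_key()
    parses_but_wrong = encode_rsa_private_key(dict(real_key, d=real_key['d'] ^ 1))  # bad math
    real = encode_rsa_private_key(real_key)
    blob = junk(64) + header_only + junk(64) + parses_but_wrong + junk(64) + real + junk(64)
    return blob, real


if __name__ == '__main__':
    sample, _ = build_sample_blob()
    hits, keys = find_candidates(sample), extract_valid_keys(sample)
    print(f'{len(hits)} signature hits, {len(keys)} real key(s) at offset(s) {[o for o, _ in keys]}')
```

The rejected candidates can still be written out and cross-checked the way the first post did it (for DER blobs, openssl rsa -inform DER -check -noout -in <file>); the point of the script is that the arithmetic checks, not the leading bytes, are what tell the single real key apart from the hundred-odd header-only matches.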