jitbit / AspNetSaml

Very simple SAML 2.0 consumer module for ASP.NET/C#
https://www.jitbit.com
Apache License 2.0

Altered certificate still passes the IsValid() check #65

Closed dmorse-ow closed 2 years ago

dmorse-ow commented 2 years ago

During testing, we altered some of the characters in the certificate string. If it's just a minor change, it sometimes throws an invalid certificate exception, but other times it will still pass the IsValid() check that is performed. I was able to get IsValid() to return true by replacing the last character in the certificate issued by the SAML provider, before the `-----END CERTIFICATE-----` line, with an f instead of an X.

I tested changing signedXml.CheckSignature(_certificate, true) to signedXml.CheckSignature(_certificate, false) and doing so made IsValid() return false when presented with an altered certificate string.

Is there a reason why this code isn't verifying that the certificate is valid, only that the signature is?

alex-jitbit commented 2 years ago

Base64 decoding is reliable against some minor character edits.

ThickCranium commented 2 years ago

Just to clarify a bit: while Base64 is reliable against minor character edits, in the case of @dmorse-ow, the modifications to the certificate that he indicated still pass IsValid() when tested against the SAML provider, but using that same certificate in the actual SSO login process will fail, as the certificate does not match the SAML provider's Base64 certificate. The test org has made modifications to multiple areas of the certificate Base64 string and was able to continue getting true IsValid() responses.
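The mechanism behind alex-jitbit's remark and the test results ThickCranium describes, shown as an added example that is not part of this issue or of the AspNetSaml project: when the certificate's DER length is not a multiple of three, the final Base64 character carries only two or four data bits, and ordinary decoders silently discard the remaining bits. Every character that shares the data bits therefore decodes to exactly the same bytes, so the X.509 certificate, its public key and the signature check are all unchanged, and IsValid() has nothing to object to. The block below enumerates those "surviving" edits for a constructed placeholder byte string (SAMPLE_DER is an assumption, not a real certificate) and shows a strict round-trip check that rejects non-canonical input. The function and constant names are mine; nothing here is the library's own code.

```python
import base64
import binascii
import string

B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed placeholder standing in for a certificate's DER bytes: 31 bytes,
# which is 1 mod 3, so the final base64 character holds only two data bits.
# Assumption for illustration only; no real certificate is parsed or validated.
SAMPLE_DER = bytes(range(0x30, 0x30 + 31))


def encode(raw: bytes) -> str:
    """Canonical base64 text for raw bytes."""
    return base64.b64encode(raw).decode("ascii")


def pem_body(pem: str) -> str:
    """Strip the -----BEGIN/END----- lines and whitespace, returning the base64 text."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    return "".join(line for line in lines if line and not line.startswith("-----"))


def wrap_pem(b64: str, label: str = "CERTIFICATE") -> str:
    """Re-wrap base64 text into a PEM block with 64-column lines."""
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def lenient_decode(b64: str) -> bytes:
    """Decode the way typical library decoders do: the alphabet is checked,
    but unused low bits of the final data character are silently discarded."""
    return base64.b64decode(b64, validate=True)


def is_canonical_base64(b64: str) -> bool:
    """Strict check: the text must survive a decode/re-encode round trip.
    Non-zero bits in the padding positions or a wrong amount of '=' change
    the re-encoded text and are rejected."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    return encode(raw) == b64


def substitute_last_data_char(b64: str, c: str) -> str:
    """Replace the last non-'=' character of b64 with c."""
    last = len(b64.rstrip("=")) - 1
    return b64[:last] + c + b64[last + 1:]


def surviving_substitutions(b64: str) -> list:
    """Every single-character replacement of the last data character that a
    lenient decoder maps to the same bytes as the original text."""
    original = lenient_decode(b64)
    last_char = b64.rstrip("=")[-1]
    survivors = []
    for c in B64_ALPHABET:
        if c == last_char:
            continue
        try:
            if lenient_decode(substitute_last_data_char(b64, c)) == original:
                survivors.append(c)
        except (binascii.Error, ValueError):
            pass
    return survivors


def demo() -> dict:
    """Run the comparison on SAMPLE_DER and return the observations."""
    b64 = encode(SAMPLE_DER)
    survivors = surviving_substitutions(b64)
    altered = substitute_last_data_char(b64, survivors[0])
    return {
        "original": b64,
        "altered": altered,
        "survivor_count": len(survivors),
        "same_bytes": lenient_decode(altered) == SAMPLE_DER,
        "original_canonical": is_canonical_base64(b64),
        "altered_canonical": is_canonical_base64(altered),
        "pem_roundtrip": pem_body(wrap_pem(altered)) == altered,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With "==" padding (length 1 mod 3) fifteen other characters decode identically, with "=" padding (length 2 mod 3) three do, and with no padding none, which is why the edits in the thread sometimes raise and sometimes pass. An edit that survives never changes the decoded certificate, so the signature check is behaving correctly; rejecting it is a strictness decision about accepting non-canonical Base64, separate from whether the certificate itself is validated.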