Adds ability to validate signatures of AuthnRequest and SAMLResponse

Author: gislikonrad

src/Solid.Identity.Protocols.Sam2p.Tests/Extensions/XmlDocumentExtensions.cs

@@ -0,0 +1,40 @@
+using System.Security.Cryptography;
+using System.Security.Cryptography.Xml;
+using Microsoft.IdentityModel.Tokens;
+using Microsoft.IdentityModel.Xml;
+using KeyInfo = System.Security.Cryptography.Xml.KeyInfo;
+using Reference = System.Security.Cryptography.Xml.Reference;
+using RSAKeyValue = System.Security.Cryptography.Xml.RSAKeyValue;
+
+namespace System.Xml;
+
+public static class XmlDocumentExtensions
+{
+    public static void SignXml(this XmlDocument document, RSA key, string id = null)
+    {
+        var signer = new SignedXml(document);
+        var root = document.DocumentElement;
+        if (root == null)
+            throw new ArgumentException("Invalid document", nameof(document));
+        
+        var reference = new Reference(id ?? string.Empty);
+        reference.AddTransform(new XmlDsigExcC14NTransform());
+        signer.Signature.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
+        signer.Signature.SignedInfo.AddReference(reference);
+        
+        var keyInfo = new KeyInfo();
+        keyInfo.AddClause(new RSAKeyValue(key));
+        signer.Signature.KeyInfo = keyInfo;
+        
+        signer.SigningKey = key;
+        signer.ComputeSignature();
+        
+        var signature = signer.GetXml();
+
+        // Append the element to the XML document.
+        root.AppendChild(document.ImportNode(signature, true));
+
+        if (document.FirstChild is XmlDeclaration)
+            document.RemoveChild(document.FirstChild);
+    }
+}

src/Solid.Identity.Protocols.Sam2p.Tests/Saml2pSerializerTests.cs

@@ -6,13 +6,17 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Linq.Expressions;
+using System.Security.Cryptography;
+using System.Security.Cryptography.Xml;
 using System.Text;
 using System.Xml;
 using System.Xml.Linq;
 using Xunit;
 using FluentAssertions;
 using FluentAssertions.Extensions;
 using Microsoft.Extensions.Logging;
+using Microsoft.IdentityModel.Logging;
 
 namespace Solid.Identity.Protocols.Saml2p.Tests
 {
@@ -26,6 +30,8 @@ public class Saml2pSerializerTests
 
         public Saml2pSerializerTests()
         {
+            IdentityModelEventSource.ShowPII = true;
+            
             _mockHandler = new Mock<Saml2SecurityTokenHandler>();
             _mockHandler.CallBase = true;
             var mockWriterFactory = new Mock<IXmlWriterFactory>();
@@ -283,6 +289,22 @@ public void ShouldReadSamlResponseElement()
             var request = _serializer.DeserializeSamlResponse(xml);
             Assert.NotNull(request);
         }
+        
+
+        [Fact]
+        public void ShouldReadSamlResponseSignature()
+        {
+            using var key = RSA.Create(2048);
+            var xml = $"<samlp:Response xmlns:samlp=\"{_protocolNamespace}\" Version=\"2.0\"></samlp:Response>";
+            var document = new XmlDocument();
+            document.LoadXml(xml);
+            document.SignXml(key);
+
+            var signed = document.OuterXml;
+
+            var request = _serializer.DeserializeSamlResponse(signed);
+            Assert.NotNull(request.Signature);
+        }
 
         [Fact]
         public void ShouldReadSamlResponseVersionAttribute()
@@ -832,6 +854,21 @@ public void ShouldReadAuthnRequestElement()
             Assert.NotNull(request);
         }
 
+        [Fact]
+        public void ShouldReadAuthnRequestSignature()
+        {
+            using var key = RSA.Create(2048);
+            var xml = $"<samlp:AuthnRequest xmlns:samlp=\"{_protocolNamespace}\"></samlp:AuthnRequest>";
+            var document = new XmlDocument();
+            document.LoadXml(xml);
+            document.SignXml(key);
+
+            var signed = document.OuterXml;
+
+            var request = _serializer.DeserializeAuthnRequest(signed);
+            Assert.NotNull(request.Signature);
+        }
+
         [Theory]
         [InlineData("2.0")]
         public void ShouldReadAuthnRequestVersionAttribute(string expected)

src/Solid.Identity.Protocols.Saml2p/Abstractions/ISaml2pIdentityProvider.cs

@@ -7,6 +7,7 @@
 using System.Collections.Generic;
 using System.Text;
 using System.Threading.Tasks;
+using Solid.IdentityModel.Tokens;
 
 namespace Solid.Identity.Protocols.Saml2p.Abstractions
 {
@@ -49,5 +50,15 @@ public interface ISaml2pIdentityProvider : ISaml2pPartner<Saml2pServiceProviderE
         /// A flag indicating whether the SP can initiate SSO.
         /// </summary>
         bool AllowsSpInitiatedSso { get; }
+        
+        /// <summary>
+        /// A flag indicating whether signing AuthnRequest is required.
+        /// </summary>
+        bool RequiresSignedAuthnRequest { get; }
+        
+        /// <summary>
+        /// The <see cref="SignatureMethod"/> used to sign the AuthnRequest.
+        /// </summary>
+        SignatureMethod AuthnRequestSigningMethod { get; }
     }
 }

src/Solid.Identity.Protocols.Saml2p/Abstractions/ISaml2pPartner.cs

@@ -3,6 +3,7 @@
 using System;
 using System.Collections.Generic;
 using System.Text;
+using Microsoft.IdentityModel.Tokens;
 
 namespace Solid.Identity.Protocols.Saml2p.Abstractions
 {
@@ -51,5 +52,15 @@ public interface ISaml2pPartner<TEvents>
         /// The events object.
         /// </summary>
         TEvents Events { get; }
+        
+        /// <summary>
+        /// Signing key used to sign and validate SAMLResponse
+        /// </summary>
+        SecurityKey SamlResponseSigningKey { get; }
+        
+        /// <summary>
+        /// Signing key used to sign and validate AuthnRequest
+        /// </summary>
+        SecurityKey AuthnRequestSigningKey { get; }
     }
 }

src/Solid.Identity.Protocols.Saml2p/Abstractions/ISaml2pServiceProvider.cs

@@ -75,8 +75,14 @@ public interface ISaml2pServiceProvider : ISaml2pPartner<Saml2pIdentityProviderE
         /// </summary>
         bool RequiresEncryptedAssertion { get; }
 
-        //SecurityKey ResponseSigningKey { get; }
-        //string ResponseSigningAlgorithm { get; }
-        //string ResponseDigestAlgorithm { get; }
+        /// <summary>
+        /// A flag indicating whether signing SAMLResponse is required.
+        /// </summary>
+        bool RequiresSignedSamlResponse { get; }
+        
+        /// <summary>
+        /// The <see cref="SignatureMethod"/> used to sign the SAMLResponse.
+        /// </summary>
+        SignatureMethod SamlResponseSigningMethod { get; }
     }
 }

src/Solid.Identity.Protocols.Saml2p/Factories/AuthnRequestFactory.cs

@@ -72,6 +72,15 @@ public async Task<AuthnRequest> CreateAuthnRequestAsync(HttpContext context, ISa
                     Comparison = idp.RequestedAuthnContextClassRefComparison
                 }
             };
+
+            if (idp.RequiresSignedAuthnRequest)
+            {
+                if(idp is { AuthnRequestSigningKey: not null, AuthnRequestSigningMethod: not null })
+                    request.SigningCredentials = idp.AuthnRequestSigningMethod.CreateCredentials(idp.AuthnRequestSigningKey);
+                else
+                    throw new InvalidOperationException($"Partner '{idp.Id}' requires a signed AuthnRequest, but has misconfigured signing credentials.");
+            }
+            
             var generateContext = new GenerateRelayStateContext
             {
                 Partner = idp,

src/Solid.Identity.Protocols.Saml2p/Factories/SamlResponseFactory.cs

@@ -6,6 +6,7 @@
 using System.Collections.Generic;
 using System.Text;
 using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Tokens;
 using Solid.Identity.Protocols.Saml2p.Abstractions;
 
 namespace Solid.Identity.Protocols.Saml2p.Factories
@@ -46,6 +47,14 @@ public SamlResponse Create(ISaml2pServiceProvider partner, Status status, string
                 RelayState = relayState
             };
 
+            if (partner.RequiresSignedSamlResponse)
+            {
+                if (partner is { SamlResponseSigningKey: not null, SamlResponseSigningMethod: not null })
+                    response.SigningCredentials = partner.SamlResponseSigningMethod.CreateCredentials(partner.SamlResponseSigningKey);
+                else
+                    throw new InvalidOperationException($"Partner '{partner.Id}' requires a signed SAMLResponse, but has misconfigured signing credentials.");
+            }
+
             return response;
         }
 

src/Solid.Identity.Protocols.Saml2p/Factories/SecurityTokenDescriptorFactory.cs

@@ -119,7 +119,7 @@ public async ValueTask<SecurityTokenDescriptor> CreateSecurityTokenDescriptorAsy
                 IssuedAt = issuedAt,
                 NotBefore = issuedAt.Subtract(tolerance),
                 Expires = expires,
-                SigningCredentials = GetSigningCredentials(partner),
+                SigningCredentials = GetAssertionSigningCredentials(partner),
                 EncryptingCredentials = GetEncryptingCredentials(partner)
             };
 
@@ -163,7 +163,7 @@ private EncryptingCredentials GetEncryptingCredentials(ISaml2pServiceProvider pa
             return credentials;
         }
 
-        private SigningCredentials GetSigningCredentials(ISaml2pServiceProvider partner)
+        private SigningCredentials GetAssertionSigningCredentials(ISaml2pServiceProvider partner)
         {
             if (partner.AssertionSigningKey == null)
                 throw new ArgumentNullException(nameof(partner.AssertionSigningKey));

src/Solid.Identity.Protocols.Saml2p/Middleware/Idp/AcceptSsoEndpointMiddleware.cs

@@ -101,13 +101,15 @@ private bool IsValid(AcceptSsoContext context, out SamlResponseStatus? status, o
 
             if (context.Partner == null)
             {
+                Logger.LogInformation("No partner found for requesting id");
                 status = SamlResponseStatus.Requester;
                 subStatus = SamlResponseStatus.RequestDenied;
                 return false;
             }
 
             if (!context.Partner.Enabled || !context.Partner.CanInitiateSso)
             {
+                Logger.LogInformation("Requesting partner is disabled or is not authorized to initiate sso");
                 status = SamlResponseStatus.Requester;
                 subStatus = SamlResponseStatus.RequestDenied;
                 return false;
@@ -120,6 +122,28 @@ private bool IsValid(AcceptSsoContext context, out SamlResponseStatus? status, o
                 return false;
             }
 
+            if (context.Partner.AuthnRequestSigningKey != null)
+            {
+                if(context.Request.Signature == null)
+                {
+                    Logger.LogInformation("Signature is missing in AuthnRequest");
+                    status = SamlResponseStatus.Requester;
+                    subStatus = SamlResponseStatus.RequestDenied;
+                    return false;
+                }
+
+                if (context.Request.Signature.KeyInfo.KeyName != context.Partner.AuthnRequestSigningKey.KeyId)
+                {
+                    Logger.LogInformation("AuthnRequest is signed by unexpected key");
+                    status = SamlResponseStatus.Requester;
+                    subStatus = SamlResponseStatus.RequestDenied;
+                    return false;
+                }
+            }
+
+
+
+
             status = null;
             subStatus = null;
             return true;

src/Solid.Identity.Protocols.Saml2p/Middleware/Saml2pEndpointMiddleware.cs

@@ -68,9 +68,7 @@ protected string SerializeSamlResponse(SamlResponse response, BindingType bindin
             using (var memory = new MemoryStream())
             {
                 using (var writer = XmlWriter.Create(memory, new XmlWriterSettings { OmitXmlDeclaration = true, Indent = false, CloseOutput = false, Encoding = new UTF8Encoding(false) }))
-                {
                     Serializer.SerializeSamlResponse(writer, response);
-                }
                 memory.Position = 0;
                 return Encoder.Encode(memory, binding);
             }