Merge pull request #1210 from progressonderwijs/revert-1208-patrick/optionally_check_signature

tjibbechris · web-flow · commit 39235833a0bb · 2025-11-13T14:44:25.000+01:00
Revert "Add an option to ignore signature validation"
diff --git a/src/ProgressOnderwijsUtils/SingleSignOn/SsoProcessor.cs b/src/ProgressOnderwijsUtils/SingleSignOn/SsoProcessor.cs
@@ -45,13 +45,6 @@ static string EncodeQueryParameter(string key, string value)
     }
 
     public static Maybe<SsoAttributes, string> GetAttributes(string rawSamlResponse, X509Certificate2 certificate)
-        => GetAttributes(rawSamlResponse, certificate, false);
-
-    [Obsolete("This method ignores signature validation and should not be used in production code")]
-    public static Maybe<SsoAttributes, string> GetAttributesWithEvilIgnoreSignatureCheck(string rawSamlResponse, X509Certificate2 certificate)
-        => GetAttributes(rawSamlResponse, certificate, true);
-
-    static Maybe<SsoAttributes, string> GetAttributes(string rawSamlResponse, X509Certificate2 certificate, bool evilIgnoreSignatureCheck)
     {
         byte[] bytes;
         try {
@@ -92,7 +85,7 @@ static Maybe<SsoAttributes, string> GetAttributes(string rawSamlResponse, X509Ce
             return Maybe.Error("Public key missing");
         }
 
-        if (!dsig.CheckSignature(key) && !evilIgnoreSignatureCheck) {
+        if (!dsig.CheckSignature(key)) {
             return Maybe.Error("Signature invalid");
         }
 

Original file line number	Diff line number	Diff line change
`@@ -45,13 +45,6 @@ static string EncodeQueryParameter(string key, string value)`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`public static Maybe<SsoAttributes, string> GetAttributes(string rawSamlResponse, X509Certificate2 certificate)`
`48`		`- => GetAttributes(rawSamlResponse, certificate, false);`
`49`		`-`
`50`		`- [Obsolete("This method ignores signature validation and should not be used in production code")]`
`51`		`- public static Maybe<SsoAttributes, string> GetAttributesWithEvilIgnoreSignatureCheck(string rawSamlResponse, X509Certificate2 certificate)`
`52`		`- => GetAttributes(rawSamlResponse, certificate, true);`
`53`		`-`
`54`		`- static Maybe<SsoAttributes, string> GetAttributes(string rawSamlResponse, X509Certificate2 certificate, bool evilIgnoreSignatureCheck)`
`55`	`48`	`{`
`56`	`49`	`byte[] bytes;`
`57`	`50`	`try {`
`@@ -92,7 +85,7 @@ static Maybe<SsoAttributes, string> GetAttributes(string rawSamlResponse, X509Ce`
`92`	`85`	`return Maybe.Error("Public key missing");`
`93`	`86`	`}`
`94`	`87`
`95`		`- if (!dsig.CheckSignature(key) && !evilIgnoreSignatureCheck) {`
	`88`	`+ if (!dsig.CheckSignature(key)) {`
`96`	`89`	`return Maybe.Error("Signature invalid");`
`97`	`90`	`}`
`98`	`91`