Merge pull request #1208 from progressonderwijs/patrick/optionally_check_signature

fdij · web-flow · commit d9da9e359ef6 · 2025-11-13T14:02:46.000+01:00
Add an option to ignore signature validation
diff --git a/src/ProgressOnderwijsUtils/SingleSignOn/SsoProcessor.cs b/src/ProgressOnderwijsUtils/SingleSignOn/SsoProcessor.cs
@@ -45,6 +45,13 @@ static string EncodeQueryParameter(string key, string value)
     }
 
     public static Maybe<SsoAttributes, string> GetAttributes(string rawSamlResponse, X509Certificate2 certificate)
+        => GetAttributes(rawSamlResponse, certificate, false);
+
+    [Obsolete("This method ignores signature validation and should not be used in production code")]
+    public static Maybe<SsoAttributes, string> GetAttributesWithEvilIgnoreSignatureCheck(string rawSamlResponse, X509Certificate2 certificate)
+        => GetAttributes(rawSamlResponse, certificate, true);
+
+    static Maybe<SsoAttributes, string> GetAttributes(string rawSamlResponse, X509Certificate2 certificate, bool evilIgnoreSignatureCheck)
     {
         byte[] bytes;
         try {
@@ -85,7 +92,7 @@ public static Maybe<SsoAttributes, string> GetAttributes(string rawSamlResponse,
             return Maybe.Error("Public key missing");
         }
 
-        if (!dsig.CheckSignature(key)) {
+        if (!dsig.CheckSignature(key) && !evilIgnoreSignatureCheck) {
             return Maybe.Error("Signature invalid");
         }
 

Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,13 @@ static string EncodeQueryParameter(string key, string value)`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`public static Maybe<SsoAttributes, string> GetAttributes(string rawSamlResponse, X509Certificate2 certificate)`
	`48`	`+ => GetAttributes(rawSamlResponse, certificate, false);`
	`49`	`+`
	`50`	`+ [Obsolete("This method ignores signature validation and should not be used in production code")]`
	`51`	`+ public static Maybe<SsoAttributes, string> GetAttributesWithEvilIgnoreSignatureCheck(string rawSamlResponse, X509Certificate2 certificate)`
	`52`	`+ => GetAttributes(rawSamlResponse, certificate, true);`
	`53`	`+`
	`54`	`+ static Maybe<SsoAttributes, string> GetAttributes(string rawSamlResponse, X509Certificate2 certificate, bool evilIgnoreSignatureCheck)`
`48`	`55`	`{`
`49`	`56`	`byte[] bytes;`
`50`	`57`	`try {`
`@@ -85,7 +92,7 @@ public static Maybe<SsoAttributes, string> GetAttributes(string rawSamlResponse,`
`85`	`92`	`return Maybe.Error("Public key missing");`
`86`	`93`	`}`
`87`	`94`
`88`		`- if (!dsig.CheckSignature(key)) {`
	`95`	`+ if (!dsig.CheckSignature(key) && !evilIgnoreSignatureCheck) {`
`89`	`96`	`return Maybe.Error("Signature invalid");`
`90`	`97`	`}`
`91`	`98`