fix: validate signatures on HTTP-POST bound messages#4

Merged: william-suppo merged 1 commit into master from fix/post-binding-signature-validation on Jul 2, 2026
Conversation

@william-suppo (Contributor)

Summary

  • extractSignature() only recognized SignatureStringReader (the detached signature used by the HTTP-Redirect binding), so the enveloped <ds:Signature> carried by HTTP-POST bound messages was silently dropped, making validateSignature() always throw Invalid signature for POST-bound requests/responses (the most common SP flow: IdP posting a signed <Response> to the ACS endpoint).
  • Added handling for SignatureXmlReader: it is flattened into the same value/algorithm/data shape used for the Redirect binding, by reading the raw SignatureValue and re-canonicalizing SignedInfo — the same inputs XMLSecurityDSig::verify() itself relies on — so validateSignature() can verify both binding types through the same code path.
  • Reference/digest validation (validateReference()) is run to detect tampering with the signed content. It has to happen after the SignatureValue/SignedInfo are extracted, since validateReference() detaches the <ds:Signature> node from the document (per the enveloped-signature transform), which would otherwise throw off canonicalization if done first. A failed reference check is treated the same as no signature at all.
  • No public API changes — the Signature DTO shape is unchanged.

Fixes #1

extractSignature() only recognized SignatureStringReader (detached
signatures used by the Redirect binding), so enveloped XML signatures
carried by POST-bound messages were silently dropped and
validateSignature() always threw "Invalid signature".

Flatten SignatureXmlReader into the same value/algorithm/data shape by
reading the raw SignatureValue and re-canonicalizing SignedInfo, then
run reference/digest validation before the signature node gets
detached from the document by validateReference(). A failed reference
check is treated as no signature at all.

Fixes #1

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
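The extraction order described in the PR description and commit message above, as an added example that is not the project's own code: it is written against the robrichards/xmlseclibs API (XMLSecurityDSig / XMLSecurityKey, which the description already names), stands in for the project's Signature DTO with a plain array, and assumes the function names extractEnvelopedSignature() and verifyFlattenedSignature(), a Composer vendor/autoload.php, and an IdP certificate in PEM form.

```php
<?php
require 'vendor/autoload.php'; // assumption: robrichards/xmlseclibs installed via Composer
use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;

// Flattens the enveloped <ds:Signature> of a POST-bound message into the
// value/algorithm/data shape the Redirect binding already uses. Returns null
// when there is no signature or the Reference digests do not match.
function extractEnvelopedSignature(DOMDocument $doc): ?array
{
    try {
        $dsig = new XMLSecurityDSig();
        $sigNode = $dsig->locateSignature($doc);
        if ($sigNode === null) {
            return null;
        }
        // Step 1: capture SignedInfo (re-canonicalized with its declared
        // CanonicalizationMethod), the SignatureMethod URI and the raw
        // SignatureValue while <ds:Signature> is still attached to the document.
        $signedInfo = $dsig->canonicalizeSignedInfo();
        $xp = new DOMXPath($doc);
        $xp->registerNamespace('ds', XMLSecurityDSig::XMLDSIGNS);
        $algorithm = $xp->evaluate('string(./ds:SignedInfo/ds:SignatureMethod/@Algorithm)', $sigNode);
        $b64 = preg_replace('/\s+/', '', $xp->evaluate('string(./ds:SignatureValue)', $sigNode));
        $value = base64_decode($b64, true);
        if ($signedInfo === null || $algorithm === '' || $value === false || $value === '') {
            return null;
        }
        // Step 2: only now check the digests. validateReference() removes
        // <ds:Signature> from the document (enveloped-signature transform), so
        // canonicalizing after it would operate on a detached node.
        $dsig->idKeys = ['ID'];      // SAML elements carry @ID, not the default @Id
        $dsig->validateReference();  // throws on a digest mismatch
        return ['value' => $value, 'algorithm' => $algorithm, 'data' => $signedInfo];
    } catch (Exception $e) {
        return null;                 // a failed reference check counts as no signature at all
    }
}

// One verification path for both bindings. For the Redirect binding, $sig holds the
// base64-decoded Signature parameter, SigAlg, and the signed query string as received.
function verifyFlattenedSignature(array $sig, string $idpCertPem): bool
{
    try {
        $key = new XMLSecurityKey($sig['algorithm'], ['type' => 'public']); // unknown URI throws
        $key->loadKey($idpCertPem, false, true);                            // PEM X.509 certificate
        return $key->verifySignature($sig['data'], $sig['value']) === 1;
    } catch (Exception $e) {
        return false;
    }
}
```

Because validateReference() strips the signature node, the caller keeps using the same DOMDocument afterwards for the assertion itself; getValidatedNodes() on the XMLSecurityDSig instance tells it which element the verified digest actually covered.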
william-suppo merged commit be9528e into master on Jul 2, 2026
3 checks passed
william-suppo deleted the fix/post-binding-signature-validation branch on July 2, 2026 12:45
Linked issue: Signature validation doesn't work for POST-binding responses