Bug 1634267

Summary: ECP signature check fails with LASSO_DS_ERROR_SIGNATURE_NOT_FOUND when assertion signed instead of response
Product: Red Hat Enterprise Linux 7
Reporter: John Dennis <jdennis>
Component: lasso
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.7
CC: cpelland, extras-qa, jdennis, jhrozek, nkinder, rcritten, spoore, ssorce
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: lasso-2.5.1-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1634266
Environment:
Last Closed: 2019-08-06 12:58:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1634266, 1634268
Bug Blocks:

Description John Dennis 2018-09-29 13:32:03 UTC
+++ This bug was initially created as a clone of Bug #1634266 +++

In SAML either the Assertion or the SAML message (i.e. Request, Response) can be signed. When the SP receives a PAOS response it checks the signature in lasso_login_process_paos_response_msg(). As long as the signature was on the Response everything worked as expected. But if it was the Assertion that was signed instead of the response then lasso_login_process_paos_response_msg() incorrectly responds with the LASSO_DS_ERROR_SIGNATURE_NOT_FOUND error.

--- Additional comment from John Dennis on 2018-09-29 09:29:27 EDT ---

Upstream bug (there is no bug tracker for this bug database)

https://dev.entrouvert.org/issues/26828

--- Additional comment from John Dennis on 2018-09-29 09:30:42 EDT ---

Problem first reported by OpenStack Keystone team when testing K2K. See https://bugs.launchpad.net/keystone/+bug/1794726
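
The signing modes described in the report, as an added illustration that is not lasso's code: a small Python locator that reports whether the XML-DSig Signature sits on the samlp:Response, on a saml:Assertion, or nowhere, so a consumer only raises "signature not found" when neither element is signed. The SAML samples are constructed, the Signature contents are placeholders, and cryptographic verification of the signature is assumed to happen in a separate step.

```python
# Added example, not lasso's own code: report where a SAML 2.0 Response carries
# its XML-DSig Signature, so a consumer accepts either signing mode described above.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DS_SIG = "{%s}Signature" % NS["ds"]

def signature_locations(xml_text):
    """Return {'response'} / {'assertion'} / both / empty set. Only a Signature
    that is a direct child of samlp:Response or saml:Assertion counts; a
    ds:Signature nested anywhere else is ignored rather than trusted."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    found = set()
    if any(child.tag == DS_SIG for child in root):
        found.add("response")
    for assertion in root.findall("saml:Assertion", NS):
        if any(child.tag == DS_SIG for child in assertion):
            found.add("assertion")
    return found

def check_signed(xml_text):
    """Raise only when neither the Response nor an Assertion is signed; this is
    the decision the bug report says the PAOS response check should make."""
    locs = signature_locations(xml_text)
    if not locs:
        raise ValueError("SIGNATURE_NOT_FOUND")
    return locs

# Constructed samples (not real IdP output). Signature contents are placeholders;
# cryptographic verification of the Signature is out of scope here.
HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">')
SIG = "<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"
ASSERTION_SIGNED = (HEAD + '<saml:Assertion ID="_a1" Version="2.0">' + SIG
                    + "</saml:Assertion></samlp:Response>")
RESPONSE_SIGNED = HEAD + SIG + '<saml:Assertion ID="_a2" Version="2.0"/></samlp:Response>'
UNSIGNED = HEAD + '<saml:Assertion ID="_a3" Version="2.0"/></samlp:Response>'
# A Signature buried inside Advice must not count as signing the Assertion.
NESTED_ONLY = (HEAD + '<saml:Assertion ID="_a4" Version="2.0"><saml:Advice>' + SIG
               + "</saml:Advice></saml:Assertion></samlp:Response>")
```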

Comment 2 John Dennis 2018-11-15 14:59:40 UTC
I have a patch ready for this, I just need to submit it upstream.

Comment 3 Jakub Hrozek 2018-11-15 21:43:40 UTC
(In reply to John Dennis from comment #2)
> I have a patch ready for this, I just need to submit it upstream.

Thank you. Since the problem was triggered by Keystone, do you think it warrants a RHEL-7 update? What about RHEL-8, would 8.1 be sufficient?

Comment 4 John Dennis 2018-11-15 22:51:03 UTC
Yes, I think this needs to go in RHEL-7 and RHEL-8. The only reason I had been waiting was I had an outstanding request to the OpenStack reporter to test a scratch RHEL-7 build I provided to confirm the fix worked as expected. I never heard back even after pinging one additional time for an update. So I don't believe there is any reason to hold off on submitting upstream. Once upstream commits we can pull it into the RHEL builds.

Comment 8 Scott Poore 2019-06-10 15:08:04 UTC
Verified Sanity Only

Version ::

lasso-2.5.1-3.el7.x86_64

Results ::

mod_auth_mellon regression tests were run against RH-SSO 7.3 IdP with SSSD Provider configured for IPA and AD Trusted user testing.  All users were allowed or denied access as expected during browser based manual login tests.

Also, reviewed the build log for this package and it looks like it's good.

Test of interest is in login_tests_saml2 which is included in tests_SOURCES.


Making check in tests
make[2]: Entering directory `/builddir/build/BUILD/lasso-2.5.1/tests'
Making check in data
make[3]: Entering directory `/builddir/build/BUILD/lasso-2.5.1/tests/data'
make[3]: Nothing to be done for `check'.
make[3]: Leaving directory `/builddir/build/BUILD/lasso-2.5.1/tests/data'
make[3]: Entering directory `/builddir/build/BUILD/lasso-2.5.1/tests'
make  check-TESTS
make[4]: Entering directory `/builddir/build/BUILD/lasso-2.5.1/tests'
make[5]: Entering directory `/builddir/build/BUILD/lasso-2.5.1/tests'
PASS: tests
PASS: tests2
make[6]: Entering directory `/builddir/build/BUILD/lasso-2.5.1/tests'
Making all in data
make[7]: Entering directory `/builddir/build/BUILD/lasso-2.5.1/tests/data'
make[7]: Nothing to be done for `all'.
make[7]: Leaving directory `/builddir/build/BUILD/lasso-2.5.1/tests/data'
make[7]: Entering directory `/builddir/build/BUILD/lasso-2.5.1/tests'
make[7]: Nothing to be done for `all-am'.
make[7]: Leaving directory `/builddir/build/BUILD/lasso-2.5.1/tests'
make[6]: Leaving directory `/builddir/build/BUILD/lasso-2.5.1/tests'
============================================================================
Testsuite summary for lasso 2.5.1
============================================================================
# TOTAL: 2
# PASS:  2
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
make[5]: Leaving directory `/builddir/build/BUILD/lasso-2.5.1/tests'
make[4]: Leaving directory `/builddir/build/BUILD/lasso-2.5.1/tests'
make[3]: Leaving directory `/builddir/build/BUILD/lasso-2.5.1/tests'
make[2]: Leaving directory `/builddir/build/BUILD/lasso-2.5.1/tests'

Above, you can see "PASS: tests".  So the unit test was run and passed.

Comment 10 errata-xmlrpc 2019-08-06 12:58:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2150