Bug 1634267 - ECP signature check fails with LASSO_DS_ERROR_SIGNATURE_NOT_FOUND when assertion signed instead of response
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: lasso
Version: 7.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: ipa-qe
URL:
Whiteboard: sync-to-jira
Depends On: 1634266 1634268
Blocks:
 
Reported: 2018-09-29 13:32 UTC by John Dennis
Modified: 2019-08-06 12:58 UTC (History)

Fixed In Version: lasso-2.5.1-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1634266
Environment:
Last Closed: 2019-08-06 12:58:19 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Launchpad 1794726 0 None None None 2018-09-29 13:32:03 UTC
Red Hat Product Errata RHBA-2019:2150 0 None None None 2019-08-06 12:58:20 UTC

Description John Dennis 2018-09-29 13:32:03 UTC
+++ This bug was initially created as a clone of Bug #1634266 +++

In SAML either the Assertion or the SAML message (i.e. Request, Response) can be signed. When the SP receives a PAOS response it checks the signature in lasso_login_process_paos_response_msg(). As long as the signature was on the Response everything worked as expected. But if it was the Assertion that was signed instead of the response then lasso_login_process_paos_response_msg() incorrectly responds with the LASSO_DS_ERROR_SIGNATURE_NOT_FOUND error.

--- Additional comment from John Dennis on 2018-09-29 09:29:27 EDT ---

Upstream bug (there is no bug tracker for this bug database)

https://dev.entrouvert.org/issues/26828

--- Additional comment from John Dennis on 2018-09-29 09:30:42 EDT ---

Problem first reported by OpenStack Keystone team when testing K2K. See https://bugs.launchpad.net/keystone/+bug/1794726
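
Added example (not part of the bug report, and not lasso's code or its fix): a simplified Python model of the signature-placement cases the description names, showing why a check that looks only at the Response reports "not found" when the Assertion carries the signature. The function names and the sample message are assumptions constructed for illustration; the check is structural only and performs no cryptographic verification.

```python
import xml.etree.ElementTree as ET

NS = {  # standard SAML 2.0 and XML-DSig namespaces
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def _signed(elem):
    """True if elem has a direct ds:Signature child whose Reference URI is '#<ID of elem>'."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    elem_id = elem.get("ID")
    return ref is not None and bool(elem_id) and ref.get("URI") == "#" + elem_id

def signature_placement(xml_text):
    """Return (response_signed, assertions_signed) for a samlp:Response,
    either bare or wrapped in a SOAP envelope as a PAOS response is."""
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}Response" % NS["samlp"]:
        resp = root
    else:
        resp = root.find(".//samlp:Response", NS)
    if resp is None:
        raise ValueError("no samlp:Response found")
    assertions = resp.findall("saml:Assertion", NS)
    return _signed(resp), bool(assertions) and all(_signed(a) for a in assertions)

def response_only_check(xml_text):
    """Model of the reported behaviour: only a signature on the Response counts."""
    return signature_placement(xml_text)[0]

def response_or_assertion_check(xml_text):
    """Accept a signature on the Response or on every Assertion it carries."""
    return any(signature_placement(xml_text))

def sample(sign_response, sign_assertion):
    """Constructed test message; the Signature elements are empty shells, not real signatures."""
    sig = '<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo></ds:Signature>'
    return ('<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" xmlns:ds="%(ds)s" ID="r1">' % NS
            + (sig % "r1" if sign_response else "")
            + '<saml:Assertion ID="a1">' + (sig % "a1" if sign_assertion else "") + "</saml:Assertion>"
            + "</samlp:Response>")
```

Requiring the Reference URI to match the ID of the element that directly contains the signature keeps a signature found elsewhere in the document from being counted for the Response or Assertion.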

Comment 2 John Dennis 2018-11-15 14:59:40 UTC
I have a patch ready for this, I just need to submit it upstream.

Comment 3 Jakub Hrozek 2018-11-15 21:43:40 UTC
(In reply to John Dennis from comment #2)
> I have a patch ready for this, I just need to submit it upstream.

Thank you. Since the problem was triggered by Keystone, do you think it warrants a RHEL-7 update? What about RHEL-8, would 8.1 be sufficient?

Comment 4 John Dennis 2018-11-15 22:51:03 UTC
Yes, I think this needs to go in RHEL-7 and RHEL-8. The only reason I had been waiting was I had an outstanding request to the OpenStack reporter to test a scratch RHEL-7 build I provided to confirm the fix worked as expected. I never heard back even after pinging one additional time for an update. So I don't believe there is any reason to hold off on submitting upstream. Once upstream commits we can pull it into the RHEL builds.

Comment 8 Scott Poore 2019-06-10 15:08:04 UTC
Verified Sanity Only

Version ::

lasso-2.5.1-3.el7.x86_64

Results ::

mod_auth_mellon regression tests were run against RH-SSO 7.3 IdP with SSSD Provider configured for IPA and AD Trusted user testing.  All users were allowed or denied access as expected during browser based manual login tests.

Also, reviewed the build log for this package and it looks like it's good.

Test of interest is in login_tests_saml2 which is included in tests_SOURCES.


Making check in tests
make[2]: Entering directory `/builddir/build/BUILD/lasso-2.5.1/tests'
Making check in data
make[3]: Entering directory `/builddir/build/BUILD/lasso-2.5.1/tests/data'
make[3]: Nothing to be done for `check'.
make[3]: Leaving directory `/builddir/build/BUILD/lasso-2.5.1/tests/data'
make[3]: Entering directory `/builddir/build/BUILD/lasso-2.5.1/tests'
make  check-TESTS
make[4]: Entering directory `/builddir/build/BUILD/lasso-2.5.1/tests'
make[5]: Entering directory `/builddir/build/BUILD/lasso-2.5.1/tests'
PASS: tests
PASS: tests2
make[6]: Entering directory `/builddir/build/BUILD/lasso-2.5.1/tests'
Making all in data
make[7]: Entering directory `/builddir/build/BUILD/lasso-2.5.1/tests/data'
make[7]: Nothing to be done for `all'.
make[7]: Leaving directory `/builddir/build/BUILD/lasso-2.5.1/tests/data'
make[7]: Entering directory `/builddir/build/BUILD/lasso-2.5.1/tests'
make[7]: Nothing to be done for `all-am'.
make[7]: Leaving directory `/builddir/build/BUILD/lasso-2.5.1/tests'
make[6]: Leaving directory `/builddir/build/BUILD/lasso-2.5.1/tests'
============================================================================
Testsuite summary for lasso 2.5.1
============================================================================
# TOTAL: 2
# PASS:  2
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
make[5]: Leaving directory `/builddir/build/BUILD/lasso-2.5.1/tests'
make[4]: Leaving directory `/builddir/build/BUILD/lasso-2.5.1/tests'
make[3]: Leaving directory `/builddir/build/BUILD/lasso-2.5.1/tests'
make[2]: Leaving directory `/builddir/build/BUILD/lasso-2.5.1/tests'

Above, you can see "PASS: tests".  So the unit test was run and passed.

Comment 10 errata-xmlrpc 2019-08-06 12:58:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2150

