litsec / swedish-eid-opensaml Goto Github PK

Add support for the entity categories introduced to support eIDAS integration.

Upgrade dependencies to latest OpenSAML version (3.4.2).

See Principal Selection in SAML Authentication Requests.

Snyk reports the following vulnerabilities:

HIGH SEVERITY

Arbitrary Code Execution
Vulnerable module: commons-collections:commons-collections
Introduced through: org.opensaml:[email protected]

Elliptic Curve Key Disclosure
Vulnerable module: com.nimbusds:nimbus-jose-jwt
Introduced through: com.nimbusds:[email protected]

Invalid Elliptic Curve Attack
Vulnerable module: com.nimbusds:nimbus-jose-jwt
Introduced through: com.nimbusds:[email protected]

Unexpected Code Execution
Vulnerable module: org.bouncycastle:bcprov-jdk15on
Introduced through: se.litsec.opensaml:[email protected], org.opensaml:[email protected] and others

MEDIUM SEVERITY

Deserialization of Untrusted Data
Vulnerable module: com.google.guava:guava
Introduced through: se.litsec.opensaml:[email protected] and net.shibboleth.utilities:[email protected]

Insecure Encryption
Vulnerable module: org.bouncycastle:bcprov-jdk15on
Introduced through: se.litsec.opensaml:[email protected], org.opensaml:[email protected] and others

Add logic for matching IdP:s against an SP's entity categories according to Entity Categories for the Swedish eID Framework.

The swedish-eid-opensaml should have support for the PrincipalSelection extension in AuthnRequestmessages.

See https://docs.swedenconnect.se/technical-framework/updates/ELN-0614_-_Principal_Selection_in_SAML_Authentication_Requests.html.

If no address is supplied to the SwedishEidSubjectConfirmationValidator the validateAddress fails if we are running strict validation. This is wrong.

OpenSAML provides the class org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap which contains the OpenSAML-defaults for crypto algorithms. These defaults differ slightly with the algorithms suggested in SAML2Int (https://kantarainitiative.github.io/SAMLprofiles/saml2int.html) and the ones defined within the Swedish eID Framework (not published yet).

We should introduce a SwedishEidSecurityConfigurationBootstrap class corresponding to the OpenSAML class but with the Swedish eID-settings.

The encrypt method of the se.litsec.swedisheid.opensaml.saml2.signservice.SignMessageFactory class should be extended so that it also accepts a list of md:EncryptionMethod elements found in the peer's metadata entry (or rather, a new encrypt-method should be introduced and the old one should be deprecated).

As it is now, we hardwire the algorithms used (both for the key encryption and the data encryption).

When decrypting messages that are encrypted using RSA-OAEP-MGF1P we run into problems if using the SunPKCS11 provider. A work-around for the underlying OpenSAML Decrypter class has been implemented in eidas-opensaml (https://github.com/litsec/opensaml-ext/blob/master/opensaml3/src/main/java/se/litsec/opensaml/xmlsec/ExtendedDecrypter.java).

We should make use of this work-around in SignMessageDecrypter.

A number of contract entity categories have been added by the Sweden Connect-federation. We should add those.

This also requires implementing a Metadata signature verifier.