Describe the bug
When an EntitiesDescriptor, EntityDescriptor, or IDPSSODescriptor is being parsed, any included Signatures must be verified against a supplied trust store. This is especially critical if the metadata is fetched over an insecure channel. However, the methods in RelyingPartyRegistrations do not do this. Nor is it clear how someone might do it after the fact.
The underlying OpenSaml library provides all the necessary functionality. Spring Security just needs to call it. The now unsupported spring-security-saml does this correctly.
To Reproduce
The current API does not provide any way to provide trust material, even if it tried to verify signatures.
Expected behavior
See above.
Additional Information
This may qualify as a security issue, if people were expecting the previous behaviour of SAML metadata being cryptographically verified.
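The check the report asks for, written here as an added example rather than code from the reporter, from Spring Security or from spring-security-saml: parse the metadata with OpenSAML, then walk EntitiesDescriptor -> EntityDescriptor -> RoleDescriptor and require that every role descriptor is covered by a Signature (on itself or on an enclosing element) that verifies against a supplied trust anchor. Assumptions: OpenSAML 4 package names (CriteriaSet and BasicParserPool live in net.shibboleth.utilities.java.support in that version), a single pinned signing certificate as the trust store, the class name MetadataSignatureCheck, and two hypothetical command-line arguments (metadata file, signing certificate); a signed metadata document cannot be embedded inline, so the input is read from those paths.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.xml.BasicParserPool;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.w3c.dom.Element;

/** Hypothetical helper (not part of Spring Security): rejects metadata whose IdPs are not signed by a trusted key. */
public final class MetadataSignatureCheck {

    /** The "supplied trust store": only this certificate's key may sign the metadata. */
    static SignatureTrustEngine trustEngineFor(X509Certificate signingCert) {
        Credential anchor = new BasicX509Credential(signingCert);
        return new ExplicitKeySignatureTrustEngine(
                new StaticCredentialResolver(anchor),         // keys we trust
                new StaticKeyInfoCredentialResolver(anchor)); // keys resolvable from ds:KeyInfo (nothing else)
    }

    /** Verifies the Signature on one element: profile check first, then trust evaluation. */
    static boolean signatureIsTrusted(SignableSAMLObject obj, String label, SignatureTrustEngine engine)
            throws Exception {
        Signature sig = obj.getSignature();
        if (sig == null) {
            return false;
        }
        // Ensures the ds:Reference points at the enclosing element itself (defends against signature wrapping).
        new SAMLSignatureProfileValidator().validate(sig);
        // ExplicitKeySignatureTrustEngine requires a non-empty criteria set; the static resolver ignores it.
        return engine.validate(sig, new CriteriaSet(new EntityIdCriterion(label)));
    }

    /**
     * A descriptor is accepted if it, or an enclosing element, carries a trusted signature.
     * A signature that is present but does not verify is treated as tampering, not as "unsigned".
     */
    static void requireTrusted(XMLObject node, boolean coveredByParent, String label, SignatureTrustEngine engine)
            throws Exception {
        boolean covered = coveredByParent;
        if (node instanceof SignableSAMLObject && ((SignableSAMLObject) node).isSigned()) {
            if (!signatureIsTrusted((SignableSAMLObject) node, label, engine)) {
                throw new IllegalStateException("untrusted or invalid signature on " + node.getElementQName());
            }
            covered = true;
        }
        if (node instanceof EntitiesDescriptor) {
            EntitiesDescriptor group = (EntitiesDescriptor) node;
            for (EntitiesDescriptor child : group.getEntitiesDescriptors()) {
                requireTrusted(child, covered, label, engine);
            }
            for (EntityDescriptor child : group.getEntityDescriptors()) {
                requireTrusted(child, covered, child.getEntityID(), engine);
            }
        } else if (node instanceof EntityDescriptor) {
            for (RoleDescriptor role : ((EntityDescriptor) node).getRoleDescriptors()) {
                requireTrusted(role, covered, label, engine);
            }
        } else if (node instanceof RoleDescriptor && !covered) {
            // Leaf: an IDPSSODescriptor etc. that no trusted signature covers is rejected outright.
            throw new IllegalStateException("no trusted signature covers " + node.getElementQName() + " of " + label);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: args[0] = metadata XML (possibly fetched over plain HTTP), args[1] = signing cert.
        InitializationService.initialize();
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[1])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        BasicParserPool pool = new BasicParserPool();
        pool.initialize();
        XMLObject root;
        try (InputStream in = new FileInputStream(args[0])) {
            Element el = pool.parse(in).getDocumentElement();
            root = XMLObjectProviderRegistrySupport.getUnmarshallerFactory().getUnmarshaller(el).unmarshall(el);
        }
        requireTrusted(root, false, "metadata-publisher", trustEngineFor(cert));
        System.out.println("every role descriptor is covered by a trusted signature");
    }
}
```

The order matters: SAMLSignatureProfileValidator runs before the trust engine so that a signature whose Reference points at some other element (or at a detached fragment) is rejected regardless of which key produced it. Pinning a single certificate is the simplest policy; a federation would instead supply the federation's signing certificate, and the same walk then accepts an unsigned EntityDescriptor only when the enclosing EntitiesDescriptor is signed by it.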