Allow SPs to have multiple certs (LG-2049)

.circleci/config.yml

@@ -159,7 +159,8 @@ jobs:
             cp -a keys.example keys
             cp -a certs.example certs
             cp pwned_passwords/pwned_passwords.txt.sample pwned_passwords/pwned_passwords.txt
-            bundle exec rake db:create db:migrate db:seed --trace
+            bundle exec rake db:create db:migrate --trace
+            bundle exec rake db:seed
             bundle exec rake assets:precompile
       - run:
           name: Run Tests

app/controllers/concerns/saml_idp_auth_concern.rb

@@ -161,12 +161,35 @@ def saml_response
     )
   end
 
+  def matching_cert
+    return @matching_cert if defined?(@matching_cert)
+
+    @matching_cert = current_service_provider.ssl_certs.find do |ssl_cert|
+      fingerprint = Fingerprinter.fingerprint_cert(ssl_cert)
+
+      saml_request = SamlIdp::Request.from_deflated_request(
+        params[:SAMLRequest],
+        get_params: params,
+        cert: ssl_cert,
+      )
+      if saml_request&.service_provider
+        # Plumb the fingerprint through to the internal service_provider representation
+        saml_request.service_provider.fingerprint = fingerprint
+        saml_request.valid_signature?
+      end
+    end
+  end
+
   def encryption_opts
     query_params = UriService.params(request.original_url)
     if query_params[:skip_encryption].present? && current_service_provider.skip_encryption_allowed
       nil
-    else
-      current_service_provider.encryption_opts
+    elsif current_service_provider.encrypt_responses?
+      {
+        cert: matching_cert || current_service_provider.certs.first,
+        block_encryption: current_service_provider.block_encryption,
+        key_transport: 'rsa-oaep-mgf1p',
+      }
     end
   end
 
@@ -183,7 +206,7 @@ def current_service_provider
   end
 
   def current_issuer
-    @_issuer ||= saml_request.service_provider.identifier
+    @_issuer ||= saml_request.service_provider&.identifier
   end
 
   def request_url

app/controllers/saml_idp_controller.rb

@@ -33,6 +33,12 @@ def logout
     return sign_out_with_flash if raw_saml_request.nil?
 
     decode_request(raw_saml_request)
+
+    # Plumb the fingerprint through to the internal service_provider representation
+    if saml_request && matching_cert
+      saml_request.service_provider.fingerprint = Fingerprinter.fingerprint_cert(matching_cert)
+    end
+
     track_logout_event
 
     return head(:bad_request) unless valid_saml_request?

app/forms/openid_connect_token_form.rb

@@ -109,14 +109,25 @@ def validate_code_verifier
   def validate_client_assertion
     return if identity.blank?
 
-    payload, _headers = JWT.decode(client_assertion, service_provider.ssl_cert.public_key, true,
-                                   algorithm: 'RS256', iss: client_id,
-                                   verify_iss: true, sub: client_id,
-                                   verify_sub: true)
-    validate_aud_claim(payload)
-    validate_iat(payload)
-  rescue JWT::DecodeError => err
-    errors.add(:client_assertion, err.message)
+    payload, _headers, err = nil
+
+    matching_cert = service_provider.ssl_certs.find do |ssl_cert|
+      err = nil
+      payload, _headers = JWT.decode(client_assertion, ssl_cert.public_key, true,
+                                     algorithm: 'RS256', iss: client_id,
+                                     verify_iss: true, sub: client_id,
+                                     verify_sub: true)
+    rescue JWT::DecodeError => err
+      next
+    end
+
+    if matching_cert && payload
+      validate_aud_claim(payload)
+      validate_iat(payload)
+    else
+      errors.add(:client_assertion,
+                 err&.message || t('openid_connect.token.errors.invalid_signature'))
+    end
   end
 
   def validate_aud_claim(payload)

app/forms/security_event_form.rb

@@ -95,17 +95,31 @@ def check_public_key_error(public_key)
   end
 
   def validate_jwt
-    public_key = service_provider&.ssl_cert&.public_key
     return if check_jwt_parse_error
-    return if check_public_key_error(public_key)
 
-    JWT.decode(body, public_key, true, algorithm: 'RS256', leeway: Float::INFINITY)
-  rescue JWT::IncorrectAlgorithm
-    @error_code = ErrorCodes::JWT_CRYPTO
-    errors.add(:jwt, t('risc.security_event.errors.alg_unsupported', expected_alg: 'RS256'))
-  rescue JWT::VerificationError => err
-    @error_code = ErrorCodes::JWS
-    errors.add(:jwt, err.message)
+    error_code = nil
+    error_message = nil
+
+    matching_public_key = service_provider&.ssl_certs&.find do |ssl_cert|
+      error_code = nil
+      error_message = nil
+      JWT.decode(body, ssl_cert.public_key, true, algorithm: 'RS256', leeway: Float::INFINITY)
+    rescue JWT::IncorrectAlgorithm
+      error_code = ErrorCodes::JWT_CRYPTO
+      error_message = t('risc.security_event.errors.alg_unsupported', expected_alg: 'RS256')
+      nil
+    rescue JWT::VerificationError => err
+      error_code = ErrorCodes::JWS
+      error_message = err.message
+      nil
+    end
+
+    if error_code && error_message
+      @error_code = error_code
+      errors.add(:jwt, error_message)
+    else
+      check_public_key_error(matching_public_key)
+    end
   end
 
   def validate_jti

app/models/null_service_provider.rb

@@ -15,6 +15,7 @@ class NullServiceProvider
     attribute_bundle
     block_encryption
     cert
+    certs
     created_at
     default_aal
     description
@@ -40,7 +41,6 @@ class NullServiceProvider
     signature
     signed_response_message_requested
     sp_initiated_login_url
-    ssl_cert
     updated_at
   ].freeze
 
@@ -85,13 +85,15 @@ def encrypt_responses?
     false
   end
 
-  def encryption_opts; end
-
   def skip_encryption_allowed
     false
   end
 
   def allow_prompt_login
     false
   end
+
+  def ssl_certs
+    []
+  end
 end

app/models/service_provider.rb

@@ -2,7 +2,7 @@
 require 'identity_validations'
 
 class ServiceProvider < ApplicationRecord
-  self.ignored_columns = %w[deal_id agency aal]
+  self.ignored_columns = %w[deal_id agency aal fingerprint]
 
   belongs_to :agency
 
@@ -27,33 +27,20 @@ def self.from_issuer(issuer)
   end
 
   def metadata
-    attributes.symbolize_keys.merge(fingerprint: fingerprint)
+    attributes.symbolize_keys
   end
 
-  def ssl_cert
-    @ssl_cert ||= begin
-      return if cert.blank?
+  # @return [Array<OpenSSL::X509::Certificate>]
+  def ssl_certs
+    @ssl_certs ||= (certs.presence || Array(cert)).map do |cert|
       OpenSSL::X509::Certificate.new(load_cert(cert))
     end
   end
 
-  def fingerprint
-    @_fingerprint ||= super || Fingerprinter.fingerprint_cert(ssl_cert)
-  end
-
   def encrypt_responses?
     block_encryption != 'none'
   end
 
-  def encryption_opts
-    return nil unless encrypt_responses?
-    {
-      cert: ssl_cert,
-      block_encryption: block_encryption,
-      key_transport: 'rsa-oaep-mgf1p',
-    }
-  end
-
   def skip_encryption_allowed
     config = AppConfig.env.skip_encryption_allowed_list
     return false if config.blank?

certs.example/sp/saml_test_sp2.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNjCCAh4CCQDN39Nwta1XWzANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJV
+UzEdMBsGA1UECAwURGlzdHJpY3Qgb2YgQ29sdW1iaWExEzARBgNVBAcMCldhc2hp
+bmd0b24xDDAKBgNVBAoMA0dTQTEMMAoGA1UECwwDVFRTMB4XDTIxMDMyOTE2Mzk1
+M1oXDTIyMDMyOTE2Mzk1M1owXTELMAkGA1UEBhMCVVMxHTAbBgNVBAgMFERpc3Ry
+aWN0IG9mIENvbHVtYmlhMRMwEQYDVQQHDApXYXNoaW5ndG9uMQwwCgYDVQQKDANH
+U0ExDDAKBgNVBAsMA1RUUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AMo28K48AyMI67bTrkXTk+THgyDLTj0aUVjmig8bTAlSZW8GLdG6I2BWlC3yCVL9
+cDx8ENWxtfG/1BQwT/+pf2f23iDzTPYR33z4Q1QZmuqZt39LGP2k3Ew0euzptQzR
+anKCzNo2FbO33LnXzktlVElv8YXR0rHNsAH0+sCH/sSn/dQ8cvqyIWzKAyVeZNVX
+qzyrYmLde0tiefWXrCRAZ+gbn0Vgcsd6082FaFvTRLmOWGBJaYD3SZXOSIyBgv8k
+FAd6ey69M5Qg2cGiiHYF+2rxv8MP5ddA2JIyxmdxajCDJZk7zJiUUWn1Lz0ravgI
+eEW1fF0w9Ss1cPvUOCCWNE8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAw/T9Cm3n
+lhuO3h8hsTJVIZqiwQw7m/wI2rY9c/on0gwnsnxsvWL3Lvl5ZyqTKqFgXWoV90ZK
+PoY/Lv9c5RaPx90kV4ZwIJwzzgFVdR0gwsW6OpUXKZzt3LFNruWC+4KgmREsvRyK
+8ATfC5I5wVMxKf93YWEX3MBiHEh2VaTbn3cSukNVqUQsNAwYPrl3Fs3lXE6GbJAI
+OScEZWlLdC0/uSxrDj1WA4R/8NFMWZOlG6ImlkBqGIBIyByuucXn7ZzlUp453+LP
+KasY2FT+qJtytP05bULKIZHXLftV1CXktvt4dPTHvxwqDjLNiylfHFs/O76UE8ox
+tz6PXT2P0wJ0Cw==
+-----END CERTIFICATE-----

config/initializers/saml_idp.rb

@@ -36,8 +36,6 @@
 
   # Find ServiceProvider metadata_url and fingerprint based on our settings
   config.service_provider.finder = lambda do |issuer_or_entity_id|
-    sp_config = ServiceProviderConfig.new(issuer: issuer_or_entity_id)
-    sp = sp_config.service_provider
-    sp_config.sp_attributes.merge(fingerprint: sp.fingerprint, cert: sp.ssl_cert)
+    ServiceProvider.from_issuer(issuer_or_entity_id).metadata
   end
 end

config/locales/openid_connect/en.yml

@@ -30,6 +30,8 @@ en:
         invalid_code_verifier: code_verifier did not match code_challenge
         invalid_iat: iat must be an integer or floating point Unix timestamp representing
           a time in the past
+        invalid_signature: Could not validate assertion against any registered public
+          keys
     user_info:
       errors:
         malformed_authorization: Malformed Authorization header

config/locales/openid_connect/es.yml

@@ -30,6 +30,8 @@ es:
         invalid_code_verifier: code_verifier no coincide con code_challenge
         invalid_iat: iat debe ser una marca de tiempo Unix de punto flotante o entero
           que represente un tiempo en el pasado
+        invalid_signature: No se pudo validar la aserción contra ninguna clave pública
+          registrada
     user_info:
       errors:
         malformed_authorization: Título de autorización mal formado

config/locales/openid_connect/fr.yml

@@ -31,6 +31,8 @@ fr:
         invalid_code_verifier: code_verifier ne correspondait pas à code_challenge
         invalid_iat: iat doit être un horodatage Unix entier ou à virgule flottante
           représentant une heure dans le passé
+        invalid_signature: Impossible de valider l'assertion contre les clés publiques
+          enregistrées
     user_info:
       errors:
         malformed_authorization: Forme de l'en-tête d'autorisation non valide

config/service_providers.localdev.yml

@@ -4,7 +4,9 @@ test:
     assertion_consumer_logout_service_url: 'http://localhost:3000/test/saml/decode_slo_request'
     sp_initiated_login_url: 'http://localhost:3000/test/saml'
     block_encryption: 'none'
-    cert: 'saml_test_sp'
+    certs:
+      - 'saml_test_sp'
+      - 'saml_test_sp2'
     agency: 'Test Government Agency'
     agency_id: 1
     uuid_priority: 10

db/migrate/20210329162528_add_multiple_certs_to_service_providers.rb

@@ -0,0 +1,5 @@
+class AddMultipleCertsToServiceProviders < ActiveRecord::Migration[6.1]
+  def change
+    add_column :service_providers, :certs, :string, array: true
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2021_03_16_082419) do
+ActiveRecord::Schema.define(version: 2021_03_29_162528) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -572,6 +572,7 @@
     t.date "iaa_end_date"
     t.string "app_id"
     t.integer "default_aal"
+    t.string "certs", array: true
     t.index ["issuer"], name: "index_service_providers_on_issuer", unique: true
   end
 

keys.example/saml_test_sp2.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDKNvCuPAMjCOu2
+065F05Pkx4Mgy049GlFY5ooPG0wJUmVvBi3RuiNgVpQt8glS/XA8fBDVsbXxv9QU
+ME//qX9n9t4g80z2Ed98+ENUGZrqmbd/Sxj9pNxMNHrs6bUM0WpygszaNhWzt9y5
+185LZVRJb/GF0dKxzbAB9PrAh/7Ep/3UPHL6siFsygMlXmTVV6s8q2Ji3XtLYnn1
+l6wkQGfoG59FYHLHetPNhWhb00S5jlhgSWmA90mVzkiMgYL/JBQHensuvTOUINnB
+ooh2Bftq8b/DD+XXQNiSMsZncWowgyWZO8yYlFFp9S89K2r4CHhFtXxdMPUrNXD7
+1DggljRPAgMBAAECggEAHLw77XaHt5XP8TYZgMC1NoCHiMR7RMGVp71zBvyJDJYR
+5foJztDVsB39hp3rZ0iuh1nWBpfvVAA/gfLvm1QZz8tL+4C3ggw+JwMchjnxQr8/
+TS59yaWAzK90fHAlk0G7D7S4qZWf9d791cbuANbQaHMo7ixH9Y5WIaEPdQaeVJGN
+98hDb/HnwprqUiIT6qONkECUTB5DkxfFO9YpD4GbI8lnYc7iou/T4lCCEb+OGfSt
+Wqy1EDgBRZkZu122xNWRXHbjh4vtRY5DeL9kY8aNPHCqve7T/XSQT35cUScQczwX
+C8Ds8qN/eXIUdoHBRlA7LHDOZOjvmRb/U6c9YUwfOQKBgQDzYN3lm/LW7p47abB7
+CUysj8+Y9QnG38BMxRkDZN/T5O1swDZbXtr9QK9gAF3ugLKae2AKL2EiZMB1scLK
+M4E4XNjMJVrK4UH77Xon7Dk6r7y8N2VjhPDHjllEtYvjbopcl5JKptkFYsVO4vcA
+m+OGsj2nd8QljUtwv0geD5aFLQKBgQDUs5N2IvpYI/2E6Eg7awX1eNGn7cw8gYhF
+/qzCmIuUcQJnUdYMCIoZghPJ5Xz7lCBKGmcHfr+Jh1uGQkEYjNfgwEIUPLhl2qi9
+scX9/NApPhwas6xvdOfPJq/BwaMR+oAvg+c6NhxUAFPAVvSCxI8eQPnNNQzOrnkm
+PDOrqHJE6wKBgHJ/b+VFqMlVGTv6TPyVM207ev8KyL63JVD4qPvfyS121fwDsY7q
+4Tuj4t3XTlmWUnA6+sPP5nK305OLPYjDElfh1ly0djJcJx7Oalm92G6znqctqJVZ
+Ra2cWoLophcpOg61gC1+sTrHbOvf+zReInyL/lV7EtxXzNYOJ299BeNBAoGAOfSI
+LHtRXSzJSiqEa/Q4Vm9KKQiJSr88o13GMuuftJ2qOv64ZOT6xAKGY8+s41u0BJz3
+D7rAc7e2/3kUBZ1ywOGB38O/trkCm1VSDmeRTHuI6tmkFWZ0NyRiZVfel+p6fPfi
+zCCsTVMdft3yl6L5IBQyPHDFAZfWmM10gsROBmsCgYEArmE3weGh7SBveHl1nmUi
+klY5edpP76N+qcRSB30ydNw2i7fHf09LzMu+/m8RmQeipaURNnF6ToE4cbQC1x/1
+sgYZNiXWR4gsdH2LjE8XWV/s9Cwf+AhFEVbvujJ9sb5xMjVol8HjV3rYog+4ID0u
+gVcJW1KC4o9vRNAQPMr5kfc=
+-----END PRIVATE KEY-----