Improve deprecated-alg code

pitbulk · pitbulk · commit e6d0501ba967 · 2020-11-23T11:36:57.000+01:00
diff --git a/core/src/main/java/com/onelogin/saml2/logout/LogoutRequest.java b/core/src/main/java/com/onelogin/saml2/logout/LogoutRequest.java
@@ -457,14 +457,9 @@ public Boolean isValid() throws Exception {
 					signAlg = Constants.RSA_SHA1;
 				}
 
-				if (signAlg.equals(Constants.RSA_SHA1)) {
-					Boolean rejectDeprecatedAlg = settings.getRejectDeprecatedAlg();
-					if (rejectDeprecatedAlg) {
-						LOGGER.error("A deprecated algorithm (RSA_SHA1) found in the Signature element, rejecting it");
-						return false;
-					} else {
-						LOGGER.info("RSA_SHA1 alg found in a Signature element, consider request a more robust alg");
-					}
+				Boolean rejectDeprecatedAlg = settings.getRejectDeprecatedAlg();
+				if (Util.mustRejectDeprecatedSignatureAlgo(signAlg, rejectDeprecatedAlg)) {
+					return false;
 				}
 
 				String relayState = request.getEncodedParameter("RelayState");
diff --git a/core/src/main/java/com/onelogin/saml2/logout/LogoutResponse.java b/core/src/main/java/com/onelogin/saml2/logout/LogoutResponse.java
@@ -258,14 +258,9 @@ public Boolean isValid(String requestId) {
 					signAlg = Constants.RSA_SHA1;
 				}
 
-				if (signAlg.equals(Constants.RSA_SHA1)) {
-					Boolean rejectDeprecatedAlg = settings.getRejectDeprecatedAlg();
-					if (rejectDeprecatedAlg) {
-						LOGGER.error("A deprecated algorithm (RSA_SHA1) found in the Signature element, rejecting it");
-						return false;
-					} else {
-						LOGGER.info("RSA_SHA1 alg found in a Signature element, consider request a more robust alg");
-					}
+				Boolean rejectDeprecatedAlg = settings.getRejectDeprecatedAlg();
+				if (Util.mustRejectDeprecatedSignatureAlgo(signAlg, rejectDeprecatedAlg)) {
+					return false;
 				}
 
 				String signedQuery = "SAMLResponse=" + request.getEncodedParameter("SAMLResponse");
diff --git a/core/src/main/java/com/onelogin/saml2/util/Util.java b/core/src/main/java/com/onelogin/saml2/util/Util.java
@@ -27,6 +27,7 @@
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Arrays;
 import java.util.Calendar;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -116,6 +117,8 @@ public final class Util {
 	/** Indicates if JAXP 1.5 support has been detected. */
 	private static boolean JAXP_15_SUPPORTED = isJaxp15Supported();
 
+	private static final Set<String> DEPRECATED_ALGOS = new HashSet<>(Arrays.asList(Constants.RSA_SHA1, Constants.DSA_SHA1));
+
 	static {
 		System.setProperty("org.apache.xml.security.ignoreLineBreaks", "true");
 		org.apache.xml.security.Init.init();
@@ -1093,13 +1096,8 @@ private static Map<String,Object> getSignatureData(Node signNode, String alg, Bo
 				throw new Exception(sigMethodAlg + " is not a valid supported algorithm");
 			}
 
-			if (sigMethodAlg.equals(Constants.RSA_SHA1)) {
-				if (rejectDeprecatedAlg) {
-					LOGGER.error("A deprecated algorithm (RSA_SHA1) found in the Signature element, rejecting it");
-					return signatureData;
-				} else {
-					LOGGER.info("RSA_SHA1 alg found in a Signature element, consider request a more robust alg");
-				}
+			if (Util.mustRejectDeprecatedSignatureAlgo(sigMethodAlg, rejectDeprecatedAlg)) {
+				return signatureData;
 			}
 
 			signatureData.put("signature", signature);
@@ -1122,6 +1120,19 @@ private static Map<String,Object> getSignatureData(Node signNode, String alg, Bo
 		return signatureData;
     }
 
+    public static Boolean mustRejectDeprecatedSignatureAlgo(String signAlg, Boolean rejectDeprecatedAlg) {
+		if (DEPRECATED_ALGOS.contains(signAlg)) {
+			String errorMsg = "Found a deprecated algorithm "+ signAlg +" related to the Signature element,";
+			if (rejectDeprecatedAlg) {
+				LOGGER.error(errorMsg + " rejecting it");
+				return true;
+			} else {
+				LOGGER.info(errorMsg + " consider requesting a more robust algorithm");
+			}
+    	}
+		return false;
+	}
+    
 	/**
 	 * Validate signature of the Node.
 	 *
