From 0a937542bee65a0a430597d0041033d330bcc473 Mon Sep 17 00:00:00 2001
From: Paul Mach
Date: Wed, 23 Aug 2023 08:58:16 -0700
Subject: [PATCH 1/2] compare notBefore and notOnOrAfter at millisecond level
---
 validate.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/validate.go b/validate.go
index 44e9d1d..449fb66 100644
--- a/validate.go
+++ b/validate.go
@@ -61,7 +61,7 @@ const (
 //all SAML2 contracts are upheld.
 func (sp *SAMLServiceProvider) VerifyAssertionConditions(assertion *types.Assertion) (*WarningInfo, error) {
 warningInfo := &WarningInfo{}
- now := sp.Clock.Now()
+ now := sp.Clock.Now().Truncate(time.Millisecond)
 conditions := assertion.Conditions
 if conditions == nil {
@@ -77,6 +77,7 @@ func (sp *SAMLServiceProvider) VerifyAssertionConditions(assertion *types.Assert
 return nil, ErrParsing{Tag: NotBeforeAttr, Value: conditions.NotBefore, Type: "time.RFC3339"}
 }
+ notBefore = notBefore.Truncate(time.Millisecond)
 if now.Before(notBefore) {
 warningInfo.InvalidTime = true
 }
@@ -90,6 +91,7 @@ func (sp *SAMLServiceProvider) VerifyAssertionConditions(assertion *types.Assert
 return nil, ErrParsing{Tag: NotOnOrAfterAttr, Value: conditions.NotOnOrAfter, Type: "time.RFC3339"}
 }
+ notOnOrAfter = notOnOrAfter.Truncate(time.Millisecond)
 if now.After(notOnOrAfter) {
 warningInfo.InvalidTime = true
 }
From efdf76c0c624ab8e966b6ffc010cdf13717dc3d8 Mon Sep 17 00:00:00 2001
From: Paul Mach
Date: Wed, 23 Aug 2023 09:12:45 -0700
Subject: [PATCH 2/2] add clock leeway
---
 saml.go | 2 ++
 validate.go | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/saml.go b/saml.go
index 49a2fb8..ddba727 100644
--- a/saml.go
+++ b/saml.go
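Review bot: `if now.After(notOnOrAfter)` in the @@ -90 hunk still accepts an assertion whose NotOnOrAfter equals `now`, and with the added `notOnOrAfter.Truncate(time.Millisecond)` (and the truncation of `now` in the first hunk) the entire millisecond bucket equal to NotOnOrAfter is now accepted rather than a single instant, although the attribute's name says validity has already ended on or after that time. Suggest `if !now.Before(notOnOrAfter) {` so the upper bound is exclusive as named; the NotBefore check two hunks up is already inclusive in the correct direction. The enclosing VerifyAssertionConditions body continues outside these hunks.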
@@ -72,7 +72,9 @@ type SAMLServiceProvider struct {
 ValidateEncryptionCert bool
 SkipSignatureValidation bool
 AllowMissingAttributes bool
+ Clock *dsig.Clock
+ ClockLeeway time.Duration // to handle clock drift issues
 // Required encryption key and default signing key.
 // Deprecated: Use SetSPKeyStore instead of setting or reading this field.
diff --git a/validate.go b/validate.go
index 449fb66..6d35624 100644
--- a/validate.go
+++ b/validate.go
@@ -77,7 +77,7 @@ func (sp *SAMLServiceProvider) VerifyAssertionConditions(assertion *types.Assert
 return nil, ErrParsing{Tag: NotBeforeAttr, Value: conditions.NotBefore, Type: "time.RFC3339"}
 }
- notBefore = notBefore.Truncate(time.Millisecond)
+ notBefore = notBefore.Add(-sp.ClockLeeway).Truncate(time.Millisecond)
 if now.Before(notBefore) {
 warningInfo.InvalidTime = true
 }
@@ -91,7 +91,7 @@ func (sp *SAMLServiceProvider) VerifyAssertionConditions(assertion *types.Assert
 return nil, ErrParsing{Tag: NotOnOrAfterAttr, Value: conditions.NotOnOrAfter, Type: "time.RFC3339"}
 }
- notOnOrAfter = notOnOrAfter.Truncate(time.Millisecond)
+ notOnOrAfter = notOnOrAfter.Add(sp.ClockLeeway).Truncate(time.Millisecond)
 if now.After(notOnOrAfter) {
 warningInfo.InvalidTime = true
 }
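Review bot: The new exported `ClockLeeway` field carries only `// to handle clock drift issues`, which says nothing about its sign, scale or security effect, yet in validate.go it is applied as `notBefore.Add(-sp.ClockLeeway)` and `notOnOrAfter.Add(sp.ClockLeeway)`, so it widens the validity window on both sides and a negative value silently narrows it. Suggest a doc comment such as `// ClockLeeway widens the Conditions NotBefore/NotOnOrAfter window by this much on each side to tolerate clock skew between IdP and SP. Zero disables the tolerance; must not be negative. Keep it small (seconds rather than minutes), as it also extends how long a captured assertion remains acceptable.` The diffstat lists no deletions for saml.go although `sp.Clock.Now()` already compiled before this series, so if `Clock` is also declared elsewhere on this struct the added `Clock *dsig.Clock` line is a duplicate field worth a compile check. The struct definition continues outside this hunk.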
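Review bot: `notBefore.Add(-sp.ClockLeeway)` in the @@ -77 hunk relies on ClockLeeway being non-negative, but nothing in this function validates or caps the value, so a misconfigured negative duration shrinks the accepted window and an oversized one effectively disables the NotBefore check without any signal. Suggest resolving it once near the top of VerifyAssertionConditions, e.g. `leeway := sp.ClockLeeway` followed by `if leeway < 0 { return nil, <this file's error type>("saml: ClockLeeway must not be negative") }`, and using `leeway` in both Add calls (or clamp to zero if a configuration error should not fail every assertion). The enclosing function starts before this hunk and continues after it.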
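Review bot: `notOnOrAfter.Add(sp.ClockLeeway)` in the @@ -91 hunk extends the accepting side of the window, so unlike the NotBefore side every unit of leeway is additional time during which an intercepted assertion can still be presented; this line deserves a why-comment so a later reader does not raise the value casually. Suggest `// Leeway also pushes NotOnOrAfter later: keep ClockLeeway small, since this lengthens the replay window of a captured assertion and is not a substitute for whatever replay protection the SP performs elsewhere.` The enclosing function continues outside this hunk.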