Altered certificate still passes the IsValid() check
dmorse-ow opened this issue · 2 comments
During testing, we altered some of the characters in the certificate string. If it's just a minor change, it sometimes throws an invalid certificate exception, but other times it will still pass the `IsValid()` check that is performed. I was able to get `IsValid()` to return true by replacing the last character in the certificate issued by the SAML provider before the `-----END CERTIFICATE-----` line with an `f` instead of an `X`.
I tested changing `signedXml.CheckSignature(_certificate, true)` to `signedXml.CheckSignature(_certificate, false)` and doing so made `IsValid()` return false when presented with an altered certificate string.
Is there a reason why this code isn't verifying that the certificate is valid, only that the signature is?
Base64 decoding is reliable against some minor character edits.
Just to clarify a bit:
While Base64 is reliable against minor character edits, in the case of @dmorse-ow, modifications to the certificate he indicated return `IsValid()` when tested against the SAML provider, but using that same certificate in the actual SSO login process will fail as the certificate does not match the SAML provider Base64 certificate. The test org has made modifications to multiple areas of the certificate Base64 string and were able to continue getting true `IsValid()` responses.
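The following is an added example, not code from this project or from either participant, that illustrates the Base64 point raised in the comment above and the "altered certificate still passes" behaviour from the issue. The project is .NET, but the mechanism is independent of the library, so the example is written in Python against a constructed 13-byte stand-in for a certificate's DER bytes (`SAMPLE_DER`, not a real certificate) rather than a real `X509Certificate2`. It shows that editing the last data character before `==` padding can leave the decoded bytes unchanged (so `X` and `f` are the same certificate), that other edits do change the bytes, and how a defender can catch byte-level changes by pinning the decoded certificate's SHA-256 thumbprint to the configured IdP certificate, independently of any XML signature result. Function names here are my own.

```python
import base64
import hashlib

# Constructed stand-in for the DER bytes of a certificate (not a real
# certificate and not the reporter's). 13 bytes encode to 20 Base64
# characters ending in "==", so the final data character carries only
# its top 2 bits into the output; the other 4 bits are discarded on decode.
SAMPLE_DER = b"constructed-1"


def pem_body(der: bytes) -> str:
    """Canonical Base64 as it would appear between the PEM header lines."""
    return base64.b64encode(der).decode("ascii")


def decode_pem_body(body: str) -> bytes:
    """Decode a PEM body the way most loaders do: strip whitespace, then decode."""
    return base64.b64decode("".join(body.split()))


def replace_last_data_char(body: str, new_char: str) -> str:
    """Swap the final non-padding character, keeping any '=' padding."""
    data = body.rstrip("=")
    return data[:-1] + new_char + body[len(data):]


def replace_char(body: str, index: int, new_char: str) -> str:
    """Swap one character anywhere in the body (a mid-string edit)."""
    return body[:index] + new_char + body[index + 1:]


def sha256_thumbprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the usual value used to pin a certificate."""
    return hashlib.sha256(der).hexdigest()


def certificate_is_pinned(presented_body: str, expected_der: bytes) -> bool:
    """Defender-side check that does not depend on the XML signature result:
    the decoded certificate must be byte-identical to the configured IdP cert."""
    try:
        presented = decode_pem_body(presented_body)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return sha256_thumbprint(presented) == sha256_thumbprint(expected_der)


if __name__ == "__main__":
    body = pem_body(SAMPLE_DER)  # "Y29uc3RydWN0ZWQtMQ=="
    # Last data char 'Q' (010000) -> 'X' (010111) or 'f' (011111): same top
    # 2 bits, so the decoded bytes are identical; 'g' (100000) changes them.
    for variant in ("X", "f", "g"):
        edited = replace_last_data_char(body, variant)
        print(variant, decode_pem_body(edited) == SAMPLE_DER,
              certificate_is_pinned(edited, SAMPLE_DER))
    mid = replace_char(body, 5, "A")  # an edit in the middle of the body
    print("mid", decode_pem_body(mid) == SAMPLE_DER,
          certificate_is_pinned(mid, SAMPLE_DER))
```

Two things follow for the issue. A last-character edit that decodes to the same bytes has not altered the certificate at all, which is why `IsValid()` is right to accept it; only a comparison of the Base64 text (as the SSO flow apparently does) would reject it. Edits that do change bytes, such as the multi-area modifications the test org made, change the DER, but `CheckSignature(_certificate, true)` only uses the public key inside the certificate and skips chain validation, so bytes outside the `SubjectPublicKeyInfo` (for example the certificate's own signature value at the end of the DER) can be corrupted without affecting the result. A thumbprint comparison against the configured IdP certificate, as in `certificate_is_pinned`, rejects every byte-level change, whatever `CheckSignature` returns.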