Skip to content

Update from samael 0.0.19 to 0.0.22#10793

Open
jmpesp wants to merge 2 commits into
oxidecomputer:mainfrom
jmpesp:samael_22
Open

Update from samael 0.0.19 to 0.0.22#10793
jmpesp wants to merge 2 commits into
oxidecomputer:mainfrom
jmpesp:samael_22

Conversation

@jmpesp

@jmpesp jmpesp commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

This update broke a few tests because of samael's new behaviour of removing parts of the XML documents (in a process they call reducing) if they aren't signed. Notably this reducing process includes removing the signature nodes themselves, meaning Nexus cannot check the signature algorithm and reject the deprecated ones. Luckily the ServiceProvider builder now accepts an allowed signature algorithms list, and the values in the enum of allowed algorithms match the existing list we were checking against.

There's also a behaviour change: this new version of samael will return a signature error for XML documents with comments. This means that instead of Nexus accepting SAML Responses with comments in them and correctly figuring out the canonicalized content, they will now be rejected, which still keeps us safe from the original vulnerability mentioned by the failing test comments, but could potentially cause an issue if a customer's IDP is sending documents with comments in them. This seems worth the tradeoff as version 0.0.22 contains what looks like a few security related fixes that we should pull in.

Fixes #10702

This update broke a few tests because of samael's new behaviour of
removing parts of the XML documents (in a process they call reducing) if
they aren't signed. Notably this reducing process includes removing the
signature nodes themselves, meaning Nexus cannot check the signature
algorithm and reject the deprecated ones. Luckily the ServiceProvider
builder now accepts an allowed signature algorithms list, and the values
in the enum of allowed algorithms match the existing list we were
checking against.

There's also a behaviour change: this new version of samael will return
a signature error for XML documents with comments. This means that
instead of Nexus accepting SAML Responses with comments in them and
correctly figuring out the canonicalized content, they will now be
rejected, which still keeps us safe from the original vulnerability
mentioned by the failing test comments, but could potentially cause an
issue if a customer's IDP is sending documents with comments in them.
This seems worth the tradeoff as version 0.0.22 contains what looks like
a few security related fixes that we should pull in.

Fixes oxidecomputer#10702
@jmpesp
jmpesp requested review from iliana and inickles July 10, 2026 18:40
@jmpesp

jmpesp commented Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

I also pushed a test to validate that we reject documents signed with non-allowed signature algorithms

@iliana

iliana commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Can we manually test this against Keycloak + other IDPs we know are in use? Seems like the failure mode here is that a customer upgrades and can no longer log in which would be very bad.

Comment on lines +158 to +168
// Required
AllowedSignatureAlgorithm::RsaSha256,
AllowedSignatureAlgorithm::EcdsaSha256,
// Optional
AllowedSignatureAlgorithm::RsaSha224,
AllowedSignatureAlgorithm::RsaSha384,
AllowedSignatureAlgorithm::RsaSha512,
AllowedSignatureAlgorithm::EcdsaSha224,
AllowedSignatureAlgorithm::EcdsaSha384,
AllowedSignatureAlgorithm::EcdsaSha512,
AllowedSignatureAlgorithm::DsaSha256,

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(Noting for myself that these were previously further down the file, they're not new choices.)

Comment on lines +976 to +978
// This used to be a test that _accepted_ such responses, but a change to samael
// caused it to reject this test's response document. An example of an embedded
// comment is:

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a very funny part of the diff and I wish the comment view also included the old text.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

want samael 0.0.20+

2 participants