Skip to content

Update from samael 0.0.19 to 0.0.22#10793

Open
jmpesp wants to merge 2 commits into
oxidecomputer:mainfrom
jmpesp:samael_22
Open

Update from samael 0.0.19 to 0.0.22#10793
jmpesp wants to merge 2 commits into
oxidecomputer:mainfrom
jmpesp:samael_22

Conversation

@jmpesp

@jmpesp jmpesp commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

This update broke a few tests because of samael's new behaviour of removing parts of the XML documents (in a process they call reducing) if they aren't signed. Notably this reducing process includes removing the signature nodes themselves, meaning Nexus cannot check the signature algorithm and reject the deprecated ones. Luckily the ServiceProvider builder now accepts an allowed signature algorithms list, and the values in the enum of allowed algorithms match the existing list we were checking against.

There's also a behaviour change: this new version of samael will return a signature error for XML documents with comments. This means that instead of Nexus accepting SAML Responses with comments in them and correctly figuring out the canonicalized content, they will now be rejected, which still keeps us safe from the original vulnerability mentioned by the failing test comments, but could potentially cause an issue if a customer's IDP is sending documents with comments in them. This seems worth the tradeoff as version 0.0.22 contains what looks like a few security related fixes that we should pull in.

Fixes #10702

This update broke a few tests because of samael's new behaviour of
removing parts of the XML documents (in a process they call reducing) if
they aren't signed. Notably this reducing process includes removing the
signature nodes themselves, meaning Nexus cannot check the signature
algorithm and reject the deprecated ones. Luckily the ServiceProvider
builder now accepts an allowed signature algorithms list, and the values
in the enum of allowed algorithms match the existing list we were
checking against.

There's also a behaviour change: this new version of samael will return
a signature error for XML documents with comments. This means that
instead of Nexus accepting SAML Responses with comments in them and
correctly figuring out the canonicalized content, they will now be
rejected, which still keeps us safe from the original vulnerability
mentioned by the failing test comments, but could potentially cause an
issue if a customer's IDP is sending documents with comments in them.
This seems worth the tradeoff as version 0.0.22 contains what looks like
a few security related fixes that we should pull in.

Fixes oxidecomputer#10702
@jmpesp jmpesp requested review from iliana and inickles July 10, 2026 18:40
@jmpesp

jmpesp commented Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

I also pushed a test to validate that we reject documents signed with non-allowed signature algorithms

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

want samael 0.0.20+

1 participant