Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: saml signatureAlgorithm in AuthnRequest #2792

Merged
merged 1 commit into from
Mar 19, 2024
Merged

fix: saml signatureAlgorithm in AuthnRequest #2792

merged 1 commit into from
Mar 19, 2024

Conversation

swalchemist
Copy link
Contributor

  • This fixes a regression introduced in commit d10922a where we stopped reading the signatureAlgorithm from the properties file and only used the SHA1 default.

[#187250012]

@swalchemist @hsinn0
fix: saml signatureAlgorithm in AuthnRequest
af42c14 
* This fixes a regression introduced in commit d10922a where we stopped reading the signatureAlgorithm from the properties file and only used the SHA1 default.

[#187250012]

Co-authored-by: Hongchol Sinn <hongchol.sinn@broadcom.com>
@swalchemist swalchemist requested a review from a team March 19, 2024 19:07
@cf-gitbot
Copy link

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/187271895

The labels on this github issue will be updated when the story is started.

Tallicia
Tallicia reviewed Mar 19, 2024
View reviewed changes
uaa/src/main/webapp/WEB-INF/spring/saml-providers.xml
@@ -301,6 +301,10 @@

<bean id="fixedHttpMetaDataProvider" class="org.cloudfoundry.identity.uaa.provider.saml.FixedHttpMetaDataProvider" />

<bean id="defaultSamlConfig" class="org.cloudfoundry.identity.uaa.provider.saml.SamlConfigurationBean">
<property name="signatureAlgorithm" value="${login.saml.signatureAlgorithm:SHA1}"/>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this to be SHA256?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is to be whatever you configure in TAS setting and what is in uaa.yml.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same thought here :) I guess the state was SHA-1 before but would be good to have a plan to adapt a secure default.

Copy link
Contributor

@Tallicia Tallicia Mar 19, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the default value be SHA256. the default being SHA1 is not secure. This is not terrible since it is overridden, but the default should be closer to SHAKE256 or SHA3-512

Copy link
Contributor

@hsinn0 hsinn0 Mar 19, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In production, SHA1 was never supposed to be used. In OpsManager, you can set the value to SHA256 or SHA512 only. SHA1 was exposed only because we removed the bean by mistake.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@torsten-sap Is this a PR you can approve as acceptable?

Tallicia
Tallicia approved these changes Mar 19, 2024
View reviewed changes
Copy link
Contributor

@Tallicia Tallicia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks approvable, though the SHA1 usage instead of SHA256 in the saml-providers.xml I'd like to understand why.

@hsinn0
Copy link
Contributor

hsinn0 commented Mar 19, 2024
edited

the SHA1 usage instead of SHA256 in the saml-providers.xml I'd like to understand why.

The bean definition is the same as the old one we took out by mistake.

value="${login.saml.signatureAlgorithm:SHA1}" means that we set the value to login.saml.signatureAlgorithm property value if it exists, but set to "SHA1" if not. That is, it is the fallback default value.

@Tallicia
Copy link
Contributor

the SHA1 usage instead of SHA256 in the saml-providers.xml I'd like to understand why.

The bean definition is the same as the old one we took out by mistake.

value="${login.saml.signatureAlgorithm:SHA1}" means that we set the value to login.saml.signatureAlgorithm property value if it exists, but set to "SHA1" if not. That is, it is the fallback default value.

Following this fix we should consider ensuring our defaults are as secure as possible: https://en.wikipedia.org/wiki/Secure_Hash_Algorithms

@swalchemist
Copy link
Contributor Author

We considered changing the default to SHA256, but decided to keep the same default as before. Note that TAS will always set it to SHA256 or SHA512, so we do not expect this default to have any effect in TAS. It is true that a default of SHA256 would have made the bug less severe and we might want to consider changing that soon.

@Tallicia Tallicia merged commit 6c8e2f5 into develop Mar 19, 2024
20 checks passed
@Tallicia Tallicia deleted the saml-signature-algorithm-fix-187250012 branch March 19, 2024 21:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Tallicia Tallicia Tallicia approved these changes

@torsten-sap torsten-sap torsten-sap left review comments

@hsinn0 hsinn0 hsinn0 approved these changes

Assignees
No one assigned
Labels
bug
Projects
Foundational Infrastructure Working Group
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@swalchemist @cf-gitbot @hsinn0 @Tallicia @torsten-sap