Functionality difference between Redhat UBI 8and UBI 9

[turbo-xav]

Hello,

I work with NestJs and passport SAML to authenticate users.

All is fine when i work locally, I work with Redhat UBI images to deploy my app into my cloud provider
It works on "UBI 8" image (ex: https://catalog.redhat.com/software/containers/ubi8/nodejs-18/6278e5c078709f5277f26998)

But when i execute it into a Redhat "UBI 9" image (https://catalog.redhat.com/software/containers/ubi9/nodejs-18/62e8e7ed22d1d3c2dfe2ca01)
All is right until the SAML IDP call my callback URl it trigger an error :
[Nest] 1 - 04/21/2023, 8:38:12 AM ERROR [ExceptionsHandler] Invalid signature

I investigate and i found the line code into xml-crypto which verify the signature :
Path is : "node_modules/xml-crypto/lib/signed-xml.js"
Here is the concerned function :

SignedXml.prototype.validateSignatureValue = function(doc, callback) {
  var signedInfoCanon = this.getCanonSignedInfoXml(doc)
  var signer = this.findSignatureAlgorithm(this.signatureAlgorithm)
  var res = signer.verifySignature(signedInfoCanon, this.signingKey, this.signatureValue, callback)
  if (!res && !callback) this.validationErrors.push("invalid signature: the signature value " +
                                        this.signatureValue + " is incorrect")
  return res
}

This line should affect "true" value to "res" but it affects "false" value.
var res = signer.verifySignature(signedInfoCanon, this.signingKey, this.signatureValue, callback)

Do you have any idea why this doesn't work on redhat UBI9 images ?
I couldn't find any information on the subject on Stack Overflow or any other source of information

• Environnement
  Redhat image : https://catalog.redhat.com/software/containers/ubi9/nodejs-18/62e8e7ed22d1d3c2dfe2ca01
  Nodejs : 18.12.1

Here is my dependencies into package.json :

 "dependencies": {
    "@nestjs/axios": "^1.0.1",
    "@nestjs/common": "^9.0.11",
    "@nestjs/config": "^2.2.0",
    "@nestjs/core": "^9.0.11",
    "@nestjs/event-emitter": "^1.3.1",
    "@nestjs/jwt": "^10.0.1",
    "@nestjs/mapped-types": "*",
    "@nestjs/passport": "^9.0.0",
    "@nestjs/platform-express": "^9.0.11",
    "@nestjs/serve-static": "^3.0.0",
    "@nestjs/swagger": "^6.0.5",
    "@nestjs/terminus": "^9.1.1",
    "@nestjs/typeorm": "^9.0.1",
    "@node-saml/passport-saml": "^4.0.2",
    "class-transformer": "^0.5.1",
    "class-validator": "^0.13.2",
    "cookie-parser": "^1.4.6",
    "express-session": "^1.17.3",
    "joi": "^17.6.0",
    "passport": "^0.6.0",
    "passport-jwt": "^4.0.0",
    "pg": "^8.7.3",
    "reflect-metadata": "^0.1.13",
    "rimraf": "^3.0.2",
    "rxjs": "^7.8.0",
    "swagger-ui-express": "^4.5.0",
    "typeorm": "^0.3.7",
    "url-parse": "^1.5.10"
  },
  "devDependencies": {
    "@compodoc/compodoc": "^1.1.19",
    "@nestjs/cli": "^9.0.0",
    "@nestjs/schematics": "^9.0.1",
    "@nestjs/testing": "^9.0.11",
    "@types/cookie-parser": "^1.4.3",
    "@types/express": "^4.17.13",
    "@types/express-session": "^1.17.5",
    "@types/jest": "^29.2.5",
    "@types/node": "^18.7.9",
    "@types/passport-jwt": "^3.0.8",
    "@types/supertest": "^2.0.12",
    "@typescript-eslint/eslint-plugin": "^5.33.1",
    "@typescript-eslint/parser": "^5.33.1",
    "eslint": "^8.22.0",
    "eslint-config-prettier": "^8.5.0",
    "eslint-plugin-prettier": "^4.2.1",
    "jest": "^29.3.1",
    "prettier": "^2.7.1",
    "supertest": "^6.2.4",
    "ts-jest": "^29.0.3",
    "ts-loader": "^9.3.1",
    "ts-node": "^10.9.1",
    "tsconfig-paths": "^4.1.0",
    "typescript": "^4.7.4"
  },

Thanks in advance for your help

[cjbarth]

It seems that there is a change in behavior between the UBI 8 and UBI 9 images. Can you test UBI 9 locally? Or, can you see what else might be different?

One good resource for a 3rd-party check of sanity is https://www.samltool.com/. What results do you get from there checking signatures?

[srd90]

Frist few questions:

• UBI8 == RHEL 8 based image ?
• UBI9 == RHEL 9 based image ?
• IdP is exactly same in both cases and you use exactly same IdP cert at passport-saml sides ?
  • If IdP is different you are sure you have configured correct IdP certs at passport-saml sides?

If answers are yes then:
As mentioned at issue description https://github.com/node-saml/xml-crypto is unable to verify messages signature.
xml-crypto uses OpenSSL behind the scenes .
Based on quick internet search RHEL8 is using OpenSSL 1.1.1<someting> and RHEL9 is using OpenSSL 3.0.<something>(*) so there is one big difference between those environments.

Without more information (stacktrace, information about certificate, signature algorithms etc.) it would be quite hard for anybody to help.

Note: OpenSSL 3.0.x has been around for a while. If this would be some systemic issue wth xml-crypto and OpenSSL 3.0.x then one could find quite a lot reports about it.

(*) https://www.redhat.com/en/blog/experience-bringing-openssl-30-rhel-and-fedora

[markstos]

Because this appears to consider a user environment and is not clearly a bug in this library, I'm moving this to discussions. If there's a clearly a bug with a SAML library, we can open an issue.