Skip to content

BREAKING CHANGE: Fix digest method algorithm id#135

Merged
adamjmcgrath merged 3 commits into
auth0:masterfrom
adamjmcgrath:digest-method-alg
Jul 2, 2026
Merged

BREAKING CHANGE: Fix digest method algorithm id#135
adamjmcgrath merged 3 commits into
auth0:masterfrom
adamjmcgrath:digest-method-alg

Conversation

@adamjmcgrath

Copy link
Copy Markdown
Contributor

Description

Replaces #118

http://www.w3.org/2000/09/xmldsig#sha256 and http://www.w3.org/2000/09/xmldsig#sha512 are not valid DigestMethod algorithm values, the correct DigestMethod algorithm identifier’s should be http://www.w3.org/2001/04/xmlenc#sha256 and http://www.w3.org/2001/04/xmlenc#sha512. (see XML Encryption Syntax and Processing Version 1.1 )

Update the decryption logic to support the new 2001/04/xmlenc identifiers for encryption and decryption and the existing 2000/09/xmldsig identifiers for decryption (for backwards compatibility)

This is a breaking change for people doing rsa-oaep with sha256 or sha512

References

https://www.w3.org/TR/xmlenc-core1/#sec-SHA256

Testing

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

@adamjmcgrath adamjmcgrath requested a review from a team as a code owner June 30, 2026 12:41
@adamjmcgrath adamjmcgrath mentioned this pull request Jun 30, 2026
4 tasks
const digestUri = DIGEST_ALGORITHMS[keyEncryptionDigest] || keyEncryptionDigest;

// RSA-OAEP requires it. RSA-1.5 must NOT have it.
const isOAEP = keyEncryptionMethod && keyEncryptionMethod.includes('rsa-oaep');

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a link to the relevant portion of the spec that says RSA-1.5 must not have a DigestMethod?

@adamjmcgrath adamjmcgrath Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There isn't really a relevant portion of the spec, but I updated the comment 8bc66ed

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is that a breaking change ?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know how anyone could rely on the DigestMethod when using RSA 1.5, but the shape of the XML is changing, so strictly speaking yes

Comment thread lib/xmlenc.js Outdated
oaepHash = 'sha256';
break;
case 'http://www.w3.org/2001/04/xmlenc#sha512':
case 'http://www.w3.org/2000/09/xmldsig#sha512':

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we have a similar comment here about // backwards compatibility for previous wrong usage?

@adamjmcgrath adamjmcgrath Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a comment 8bc66ed

const digestUri = DIGEST_ALGORITHMS[keyEncryptionDigest] || keyEncryptionDigest;

// RSA-OAEP requires it. RSA-1.5 must NOT have it.
const isOAEP = keyEncryptionMethod && keyEncryptionMethod.includes('rsa-oaep');

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a previous check on whether the key encryption method is on an allow list? The check here is pretty lax in that rsa-oaep can appear anywhere within the string.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment thread test/xmlenc.digest.js
var xmlenc = require('../lib');
var keyinfoTemplate = require('../lib/templates/keyinfo.tpl.xml');

var RSA_OAEP = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p';

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we try both http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p and http://www.w3.org/2001/04/xmlenc#rsa-oaep?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe there's a http://www.w3.org/2009/xmlenc11#rsa-oaep but we don't support that https://github.com/auth0/node-xml-encryption/blob/master/lib/xmlenc.js#L56-L66

Comment thread test/xmlenc.digest.js Outdated
assert(xml.includes('<DigestMethod Algorithm="' + custom + '" />'));
});

it('includes a DigestMethod for RSA-OAEP', function () {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the previous tests are implicitly RSA-OAEP, make sense to ditch this test and add an explicit keyEncryptionMethod to those?

@adamjmcgrath adamjmcgrath Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditched 👍 8bc66ed

Comment thread test/xmlenc.digest.js
}

['sha1', 'sha256', 'sha512'].forEach(function (digest) {
it('round trips with ' + digest, function (done) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would this test have failed prior to this fix?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, but it seems like a reasonable regression test to have

Comment thread test/xmlenc.digest.js
});
});

it('emits the correct xmlenc URI in the produced XML for sha256', function (done) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see similar tests for sha1/sha512?

@adamjmcgrath adamjmcgrath Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added tests for sha1 and sha512 8bc66ed


module.exports = ({ encryptionPublicCert, encryptedKey, keyEncryptionMethod, keyEncryptionDigest }) => `
const DIGEST_ALGORITHMS = {
'sha1': 'http://www.w3.org/2000/09/xmldsig#sha1',

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe add a comment about why sha1 uses xmldsig and the others use xmlenc within the URI.

@adamjmcgrath adamjmcgrath Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a comment 8bc66ed

Comment thread lib/xmlenc.js
switch (keyDigestMethodAlgorithm) {
case 'http://www.w3.org/2000/09/xmldsig#sha256':
case 'http://www.w3.org/2001/04/xmlenc#sha256':
case 'http://www.w3.org/2000/09/xmldsig#sha256': // backwards compatibility for previous wrong usage

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this what we want ?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it is 👍

@adamjmcgrath adamjmcgrath merged commit e226c22 into auth0:master Jul 2, 2026
4 checks passed
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 5.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants