diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
index 13b6f4635265e..148f51adcd78f 100644
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@@ -3137,9 +3137,9 @@
-
-
-
+
+
+
diff --git a/x-pack/plugin/identity-provider/build.gradle b/x-pack/plugin/identity-provider/build.gradle
index b3ecff4659d86..b15f286623242 100644
--- a/x-pack/plugin/identity-provider/build.gradle
+++ b/x-pack/plugin/identity-provider/build.gradle
@@ -33,7 +33,7 @@ dependencies {
api "org.opensaml:opensaml-storage-api:3.4.5"
api "org.opensaml:opensaml-storage-impl:3.4.5"
api "net.shibboleth.utilities:java-support:7.5.1"
- api "org.apache.santuario:xmlsec:2.1.4"
+ api "org.apache.santuario:xmlsec:2.2.6"
api "io.dropwizard.metrics:metrics-core:3.2.2"
api ("org.cryptacular:cryptacular:1.2.4") {
exclude group: 'org.bouncycastle'
diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle
index 431a64dd98a85..baaa6b9b74642 100644
--- a/x-pack/plugin/security/build.gradle
+++ b/x-pack/plugin/security/build.gradle
@@ -53,7 +53,7 @@ dependencies {
api "org.opensaml:opensaml-storage-api:3.4.5"
api "org.opensaml:opensaml-storage-impl:3.4.5"
api "net.shibboleth.utilities:java-support:7.5.1"
- api "org.apache.santuario:xmlsec:2.1.4"
+ api "org.apache.santuario:xmlsec:2.2.6"
api "io.dropwizard.metrics:metrics-core:3.2.2"
api ("org.cryptacular:cryptacular:1.2.4") {
exclude group: 'org.bouncycastle'
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlObjectHandler.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlObjectHandler.java
index a110296e0f8ef..073881d05191d 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlObjectHandler.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlObjectHandler.java
@@ -11,6 +11,7 @@
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.core.CheckedFunction;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.TimeValue;
@@ -27,6 +28,7 @@
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.X509Credential;
+import org.opensaml.xmlsec.algorithm.AlgorithmSupport;
import org.opensaml.xmlsec.crypto.XMLSigningUtil;
import org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver;
@@ -167,6 +169,21 @@ void validateSignature(Signature signature) {
checkIdpSignature(credential -> {
try {
+ final String signatureAlg = AlgorithmSupport.getKeyAlgorithm(signature.getSignatureAlgorithm());
+ final String keyAlg = credential.getPublicKey().getAlgorithm();
+ if (signatureAlg != null && signatureAlg.equals(keyAlg) == false) {
+ if (logger.isDebugEnabled()) {
+ String keyFingerprint = "SHA265:"
+ + MessageDigests.toHexString(MessageDigests.sha256().digest(credential.getPublicKey().getEncoded()));
+ logger.debug(
+ "Skipping [{}] key [{}] because it is not compatible with signature algorithm [{}]",
+ keyAlg,
+ keyFingerprint,
+ signatureAlg
+ );
+ }
+ return false;
+ }
return AccessController.doPrivileged((PrivilegedExceptionAction) () -> {
try (RestorableContextClassLoader ignore = new RestorableContextClassLoader(SignatureValidator.class)) {
SignatureValidator.validate(signature, credential);