From 73751e995dc6fbf569e22d293f28760114b5bc58 Mon Sep 17 00:00:00 2001 From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 21 Dec 2023 05:22:25 -0500 Subject: [PATCH] [8.12] Update platform security modules (main) (#173232) (#173788) # Backport This will backport the following commits from `main` to `8.12`: - [Update platform security modules (main) (#173232)](https://github.com/elastic/kibana/pull/173232) ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- package.json | 11 ++- packages/kbn-mock-idp-plugin/common/utils.ts | 14 ++-- .../saml_provider/server/saml_tools.ts | 15 ++-- .../packages/helpers/saml/saml_tools.ts | 15 ++-- yarn.lock | 74 +++++++++---------- 5 files changed, 62 insertions(+), 67 deletions(-) diff --git a/package.json b/package.json index 7e2b354361164..dbd7f0a4e43e5 100644 --- a/package.json +++ b/package.json @@ -935,7 +935,7 @@ "file-saver": "^1.3.8", "fnv-plus": "^1.3.1", "font-awesome": "4.7.0", - "formik": "^2.2.9", + "formik": "^2.4.5", "fp-ts": "^2.3.1", "geojson-vt": "^3.2.1", "get-port": "^5.0.0", @@ -1407,7 +1407,7 @@ "@types/nock": "^10.0.3", "@types/node": "18.18.5", "@types/node-fetch": "2.6.4", - "@types/node-forge": "^1.3.1", + "@types/node-forge": "^1.3.10", "@types/nodemailer": "^6.4.0", "@types/normalize-path": "^3.0.0", "@types/object-hash": "^1.3.0", @@ -1456,7 +1456,7 @@ "@types/testing-library__jest-dom": "^5.14.7", "@types/textarea-caret": "^3.0.1", "@types/tinycolor2": "^1.4.1", - "@types/tough-cookie": "^4.0.2", + "@types/tough-cookie": "^4.0.5", "@types/type-detect": "^4.0.1", "@types/uuid": "^9.0.0", "@types/vinyl": "^2.0.4", 
@@ -1466,7 +1466,6 @@ "@types/webpack-env": "^1.15.3", "@types/webpack-merge": "^4.1.5", "@types/webpack-sources": "^0.1.4", - "@types/xml-crypto": "^1.4.2", "@types/xml2js": "^0.4.11", "@types/yargs": "^15.0.0", "@types/yauzl": "^2.9.1", @@ -1638,7 +1637,7 @@ "tempy": "^0.3.0", "terser": "^5.16.5", "terser-webpack-plugin": "^4.2.3", - "tough-cookie": "^4.1.2", + "tough-cookie": "^4.1.3", "tree-kill": "^1.2.2", "ts-morph": "^13.0.2", "tsd": "^0.20.0", @@ -1654,7 +1653,7 @@ "webpack-dev-server": "^4.9.3", "webpack-merge": "^4.2.2", "webpack-sources": "^1.4.1", - "xml-crypto": "^3.0.1", + "xml-crypto": "^5.0.0", "xmlbuilder": "13.0.2", "yargs": "^15.4.1", "yarn-deduplicate": "^6.0.2" diff --git a/packages/kbn-mock-idp-plugin/common/utils.ts b/packages/kbn-mock-idp-plugin/common/utils.ts index 5d55fbc565685..f98425f08248f 100644 --- a/packages/kbn-mock-idp-plugin/common/utils.ts +++ b/packages/kbn-mock-idp-plugin/common/utils.ts @@ -149,19 +149,19 @@ export async function createSAMLResponse(options: { `; - const signature = new SignedXml(); + const signature = new SignedXml({ privateKey: await readFile(KBN_KEY_PATH) }); signature.signatureAlgorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'; - signature.signingKey = await readFile(KBN_KEY_PATH); + signature.canonicalizationAlgorithm = 'http://www.w3.org/2001/10/xml-exc-c14n#'; // Adds a reference to a `Assertion` xml element and an array of transform algorithms to be used during signing. - signature.addReference( - `//*[local-name(.)='Assertion']`, - [ + signature.addReference({ + xpath: `//*[local-name(.)='Assertion']`, + digestAlgorithm: 'http://www.w3.org/2001/04/xmlenc#sha256', + transforms: [ 'http://www.w3.org/2000/09/xmldsig#enveloped-signature', 'http://www.w3.org/2001/10/xml-exc-c14n#', ], - 'http://www.w3.org/2001/04/xmlenc#sha256' - ); + }); signature.computeSignature(samlAssertionTemplateXML, { location: { reference: `//*[local-name(.)='Issuer']`, action: 'after' }, 
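Review bot: In the `createSAMLResponse` hunk of `packages/kbn-mock-idp-plugin/common/utils.ts`, the signer is configured half through the constructor (`privateKey`) and half by assigning `signatureAlgorithm` and `canonicalizationAlgorithm` afterwards, so a dropped assignment would presumably only surface when `computeSignature` runs. As far as I know, the options object in this xml-crypto major also accepts both algorithm fields, so `new SignedXml({ privateKey, signatureAlgorithm, canonicalizationAlgorithm })` would configure everything in one place; confirm against the installed typings. The same split appears in the `getSAMLResponse` hunks of both `saml_tools.ts` files. The three call sites are near-identical, so a shared signing helper would reduce the next API migration to one edit. The function body starts and ends outside this hunk.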
diff --git a/x-pack/test/cloud_integration/plugins/saml_provider/server/saml_tools.ts b/x-pack/test/cloud_integration/plugins/saml_provider/server/saml_tools.ts index 0be46a431d7d4..7d1a6cbfa4255 100644 --- a/x-pack/test/cloud_integration/plugins/saml_provider/server/saml_tools.ts +++ b/x-pack/test/cloud_integration/plugins/saml_provider/server/saml_tools.ts @@ -29,6 +29,7 @@ const parseStringAsync = promisify(parseString); const signingKey = fs.readFileSync(KBN_KEY_PATH); const signatureAlgorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'; +const canonicalizationAlgorithm = 'http://www.w3.org/2001/10/xml-exc-c14n#'; export async function getSAMLRequestId(urlWithSAMLRequestId: string) { const inflatedSAMLRequest = (await inflateRawAsync( @@ -87,19 +88,19 @@ export async function getSAMLResponse({ `; - const signature = new SignedXml(); + const signature = new SignedXml({ privateKey: signingKey }); signature.signatureAlgorithm = signatureAlgorithm; - signature.signingKey = signingKey; + signature.canonicalizationAlgorithm = canonicalizationAlgorithm; // Adds a reference to a `Assertion` xml element and an array of transform algorithms to be used during signing. - signature.addReference( - `//*[local-name(.)='Assertion']`, - [ + signature.addReference({ + xpath: `//*[local-name(.)='Assertion']`, + digestAlgorithm: 'http://www.w3.org/2001/04/xmlenc#sha256', + transforms: [ 'http://www.w3.org/2000/09/xmldsig#enveloped-signature', 'http://www.w3.org/2001/10/xml-exc-c14n#', ], - 'http://www.w3.org/2001/04/xmlenc#sha256' - ); + }); signature.computeSignature(samlAssertionTemplateXML, { location: { reference: `//*[local-name(.)='Issuer']`, action: 'after' }, diff --git a/x-pack/test/security_api_integration/packages/helpers/saml/saml_tools.ts b/x-pack/test/security_api_integration/packages/helpers/saml/saml_tools.ts index ad34f37fdc0a4..255625082407b 100644 --- a/x-pack/test/security_api_integration/packages/helpers/saml/saml_tools.ts 
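Review bot: The context comment above `signature.addReference({` in `getSAMLResponse` still describes the old positional call ("a reference to a `Assertion` xml element and an array of transform algorithms") and does not mention the digest algorithm that the object form now names. I would reword it to `// Signs only the element(s) matched by the xpath (the Assertion): SHA-256 digest over the enveloped-signature and exclusive-c14n transforms.`, which also makes explicit that the signature covers the matched Assertion rather than the whole document. The same comment is carried unchanged in `packages/kbn-mock-idp-plugin/common/utils.ts` and in the security_api_integration `saml_tools.ts`. The function continues outside the hunk.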
+++ b/x-pack/test/security_api_integration/packages/helpers/saml/saml_tools.ts @@ -28,6 +28,7 @@ const parseStringAsync = promisify(parseString); const signingKey = fs.readFileSync(KBN_KEY_PATH); const signatureAlgorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'; +const canonicalizationAlgorithm = 'http://www.w3.org/2001/10/xml-exc-c14n#'; export async function getSAMLRequestId(urlWithSAMLRequestId: string) { const inflatedSAMLRequest = (await inflateRawAsync( @@ -83,19 +84,19 @@ export async function getSAMLResponse({ `; - const signature = new SignedXml(); + const signature = new SignedXml({ privateKey: signingKey }); signature.signatureAlgorithm = signatureAlgorithm; - signature.signingKey = signingKey; + signature.canonicalizationAlgorithm = canonicalizationAlgorithm; // Adds a reference to a `Assertion` xml element and an array of transform algorithms to be used during signing. - signature.addReference( - `//*[local-name(.)='Assertion']`, - [ + signature.addReference({ + xpath: `//*[local-name(.)='Assertion']`, + digestAlgorithm: 'http://www.w3.org/2001/04/xmlenc#sha256', + transforms: [ 'http://www.w3.org/2000/09/xmldsig#enveloped-signature', 'http://www.w3.org/2001/10/xml-exc-c14n#', ], - 'http://www.w3.org/2001/04/xmlenc#sha256' - ); + }); signature.computeSignature(samlAssertionTemplateXML, { location: { reference: `//*[local-name(.)='Issuer']`, action: 'after' }, diff --git a/yarn.lock b/yarn.lock index d944eec2eca7a..bb172009e5868 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -9628,10 +9628,10 @@ "@types/node" "*" form-data "^3.0.0" -"@types/node-forge@^1.3.1": - version "1.3.1" - resolved "https://registry.yarnpkg.com/@types/node-forge/-/node-forge-1.3.1.tgz#49e44432c306970b4e900c3b214157c480af19fa" - integrity sha512-hvQ7Wav8I0j9amPXJtGqI/Yx70zeF62UKlAYq8JPm0nHzjKKzZvo9iR3YI2MiOghZRlOI+tQ2f6D+G6vVf4V2Q== +"@types/node-forge@^1.3.10": + version "1.3.10" + resolved "https://registry.yarnpkg.com/@types/node-forge/-/node-forge-1.3.10.tgz#62a19d4f75a8b03290578c2b04f294b1a5a71b07" + integrity sha512-y6PJDYN4xYBxwd22l+OVH35N+1fCYWiuC3aiP2SlXVE6Lo7SS+rSx9r89hLxrP4pn6n1lBGhHJ12pj3F3Mpttw== dependencies: "@types/node" "*" @@ -10149,10 +10149,10 @@ dependencies: "@types/geojson" "*" -"@types/tough-cookie@*", "@types/tough-cookie@^4.0.2": - version "4.0.2" - resolved "https://registry.yarnpkg.com/@types/tough-cookie/-/tough-cookie-4.0.2.tgz#6286b4c7228d58ab7866d19716f3696e03a09397" - integrity sha512-Q5vtl1W5ue16D+nIaW8JWebSSraJVlK+EthKn7e7UcD4KWsaSJ8BqGPXNaPghgtcn/fhvrN17Tv8ksUsQpiplw== +"@types/tough-cookie@*", "@types/tough-cookie@^4.0.5": + version "4.0.5" + resolved "https://registry.yarnpkg.com/@types/tough-cookie/-/tough-cookie-4.0.5.tgz#cb6e2a691b70cb177c6e3ae9c1d2e8b2ea8cd304" + integrity sha512-/Ad8+nIOV7Rl++6f1BdKxFSMgmoqEoYbHRpPcx3JEfv8VRsQe9Z4mCXeJBzxs7mbHY/XOZZuXlRNfhpVPbs6ZA== "@types/type-detect@^4.0.1": version "4.0.1" @@ -10264,14 +10264,6 @@ dependencies: "@types/node" "*" -"@types/xml-crypto@^1.4.2": - version "1.4.2" - resolved "https://registry.yarnpkg.com/@types/xml-crypto/-/xml-crypto-1.4.2.tgz#5ea7ef970f525ae8fe1e2ce0b3d40da1e3b279ae" - integrity sha512-1kT+3gVkeBDg7Ih8NefxGYfCApwZViMIs5IEs5AXF6Fpsrnf9CLAEIRh0DYb1mIcRcvysVbe27cHsJD6rJi36w== - dependencies: - "@types/node" "*" - xpath "0.0.27" - "@types/xml2js@^0.4.11": version "0.4.11" resolved "https://registry.yarnpkg.com/@types/xml2js/-/xml2js-0.4.11.tgz#bf46a84ecc12c41159a7bd9cf51ae84129af0e79" 
@@ -10721,10 +10713,15 @@ object.fromentries "^2.0.0" prop-types "^15.7.0" -"@xmldom/xmldom@^0.8.5": - version "0.8.6" - resolved "https://registry.yarnpkg.com/@xmldom/xmldom/-/xmldom-0.8.6.tgz#8a1524eb5bd5e965c1e3735476f0262469f71440" - integrity sha512-uRjjusqpoqfmRkTaNuLJ2VohVr67Q5YwDATW3VU7PfzTj6IRaihGrYI7zckGZjxQPBIp63nfvJbM+Yu5ICh0Bg== +"@xmldom/is-dom-node@^1.0.1": + version "1.0.1" + resolved "https://registry.yarnpkg.com/@xmldom/is-dom-node/-/is-dom-node-1.0.1.tgz#83b9f3e1260fb008061c6fa787b93a00f9be0629" + integrity sha512-CJDxIgE5I0FH+ttq/Fxy6nRpxP70+e2O048EPe85J2use3XKdatVM7dDVvFNjQudd9B49NPoZ+8PG49zj4Er8Q== + +"@xmldom/xmldom@^0.8.10": + version "0.8.10" + resolved "https://registry.yarnpkg.com/@xmldom/xmldom/-/xmldom-0.8.10.tgz#a1337ca426aa61cef9fe15b5b28e340a72f6fa99" + integrity sha512-2WALfTl4xo2SkGCYRt6rDTFfk9R1czmBvUQy12gK2KuRKIpWEhcbbzy8EZXtz/jkRqHX8bFEc6FC1HjX4TUWYw== "@xobotyi/scrollbar-width@1.9.5": version "1.9.5" @@ -17174,18 +17171,19 @@ formidable@^2.1.2: once "^1.4.0" qs "^6.11.0" -formik@^2.2.9: - version "2.2.9" - resolved "https://registry.yarnpkg.com/formik/-/formik-2.2.9.tgz#8594ba9c5e2e5cf1f42c5704128e119fc46232d0" - integrity sha512-LQLcISMmf1r5at4/gyJigGn0gOwFbeEAlji+N9InZF6LIMXnFNkO42sCI8Jt84YZggpD4cPWObAZaxpEFtSzNA== +formik@^2.4.5: + version "2.4.5" + resolved "https://registry.yarnpkg.com/formik/-/formik-2.4.5.tgz#f899b5b7a6f103a8fabb679823e8fafc7e0ee1b4" + integrity sha512-Gxlht0TD3vVdzMDHwkiNZqJ7Mvg77xQNfmBRrNtvzcHZs72TJppSTDKHpImCMJZwcWPBJ8jSQQ95GJzXFf1nAQ== dependencies: + "@types/hoist-non-react-statics" "^3.3.1" deepmerge "^2.1.1" hoist-non-react-statics "^3.3.0" lodash "^4.17.21" lodash-es "^4.17.21" react-fast-compare "^2.0.1" tiny-warning "^1.0.2" - tslib "^1.10.0" + tslib "^2.0.0" forwarded-parse@^2.1.0: version "2.1.0" 
@@ -31214,13 +31212,14 @@ xdg-basedir@^4.0.0: resolved "https://registry.yarnpkg.com/xdg-basedir/-/xdg-basedir-4.0.0.tgz#4bc8d9984403696225ef83a1573cbbcb4e79db13" integrity sha512-PSNhEJDejZYV7h50BohL09Er9VaIefr2LMAf3OEmpCkjOi34eYyQYAXUTjEQtZJTKcF0E2UKTh+osDLsgNim9Q== -xml-crypto@^3.0.1: - version "3.0.1" - resolved "https://registry.yarnpkg.com/xml-crypto/-/xml-crypto-3.0.1.tgz#1d4852b040e80413d8058e2917eddd9f17a00b8b" - integrity sha512-7XrwB3ujd95KCO6+u9fidb8ajvRJvIfGNWD0XLJoTWlBKz+tFpUzEYxsN+Il/6/gHtEs1RgRh2RH+TzhcWBZUw== +xml-crypto@^5.0.0: + version "5.0.0" + resolved "https://registry.yarnpkg.com/xml-crypto/-/xml-crypto-5.0.0.tgz#e54dff59bf0e18527b91af7690513041ebb90273" + integrity sha512-TdJZp/gdKb5RYiZigLy/RUz9EpbEV+HoOR4ofby3VonDSn7FmNZlex7OuxLPD8sRlCLZ5YYFI+9s1OhFs7fwEw== dependencies: - "@xmldom/xmldom" "^0.8.5" - xpath "0.0.32" + "@xmldom/is-dom-node" "^1.0.1" + "@xmldom/xmldom" "^0.8.10" + xpath "^0.0.33" xml-name-validator@^4.0.0: version "4.0.0" @@ -31262,15 +31261,10 @@ xmldoc@^1.1.2: dependencies: sax "^1.2.1" -xpath@0.0.27: - version "0.0.27" - resolved "https://registry.yarnpkg.com/xpath/-/xpath-0.0.27.tgz#dd3421fbdcc5646ac32c48531b4d7e9d0c2cfa92" - integrity sha512-fg03WRxtkCV6ohClePNAECYsmpKKTv5L8y/X3Dn1hQrec3POx2jHZ/0P2qQ6HvsrU1BmeqXcof3NGGueG6LxwQ== - -xpath@0.0.32: - version "0.0.32" - resolved "https://registry.yarnpkg.com/xpath/-/xpath-0.0.32.tgz#1b73d3351af736e17ec078d6da4b8175405c48af" - integrity sha512-rxMJhSIoiO8vXcWvSifKqhvV96GjiD5wYb8/QHdoRyQvraTpp4IEv944nhGausZZ3u7dhQXteZuZbaqfpB7uYw== +xpath@^0.0.33: + version "0.0.33" + resolved "https://registry.yarnpkg.com/xpath/-/xpath-0.0.33.tgz#5136b6094227c5df92002e7c3a13516a5074eb07" + integrity sha512-NNXnzrkDrAzalLhIUc01jO2mOzXGXh1JwPgkihcLLzw98c0WgYDmmjSh1Kl3wzaxSVWMuA+fe0WTWOBDWCBmNA== xstate@^4.38.2: version "4.38.2"