
pysaml2 incompatible with xmlsec1 version 1.3.0 #906

Closed
chludwig-haufe opened this issue May 12, 2023 · 3 comments

@chludwig-haufe

On April 12, 2023, xmlsec version 1.3.0 was released; this is also the version you now get by default via, e.g., Homebrew on macOS. The new version brings some breaking changes. I encountered two changes so far that break pysaml2:

  1. pysaml2 seems to rely on “lax” key binding. For commands that operate on such keys, xmlsec 1.3.0 requires the new command line option --lax-key-search.

    (API breaking change) Changed the key search to strict mode: only keys referenced by KeyInfo are used. To restore the old "lax" mode, set XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH flag on xmlSecKeyInfoCtx or use '--lax-key-search' option for XMLSec command line utility.

  2. The status output of xmlsec adds text before (but on the same line as) the tokens OK or FAIL. This breaks (at least) saml2.sigver.parse_xmlsec_output, which expects these tokens without any prefix or suffix on their respective output line.

Code Version

pysaml 7.4.1

Expected Behavior

Successful authentications, no matter whether xmlsec has been updated to the latest (minor) version or not.

Current Behavior

For instance, the signing of SAML2 requests and responses fails with an error that says the key was not found.

Possible Solution

I worked around this issue by putting an xmlsec wrapper script into our project that:

  1. inserts the command line option --lax-key-search in case of the xmlsec1 commands --encrypt, --decrypt, --sign, and --verify;
  2. ensures the tokens OK and FAIL in the xmlsec output are placed on lines of their own.

I consider this wrapper script a stop-gap solution only, though; it might break again anytime there's a new release of xmlsec or pysaml2. An implementation of #886 would be a better fix, IMHO.

Steps to Reproduce

  1. Install xmlsec version 1.3.0.
  2. Configure a pysaml2-based application to use the xmlsec 1.3.0 binary.
  3. Create a signed authentication request.
  4. The signature fails with a key not found error.
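A constructed wrapper along the lines the post describes (added here; it is not the author's gist and not pysaml2 code): it inserts --lax-key-search after the four key-using subcommands and moves a trailing OK/FAIL token that shares a line with a prefix onto its own line, so a line-exact parser still finds it. It assumes the real binary is xmlsec1 on PATH (override with REAL_XMLSEC) and does not assume any particular 1.3.0 prefix text, only that the token ends the line.

```shell
#!/bin/sh
# Constructed xmlsec1 wrapper (not the gist from the thread). Point pysaml2's
# xmlsec_binary at this script; it forwards to $REAL_XMLSEC (assumed default:
# xmlsec1 on PATH).
REAL_XMLSEC="${REAL_XMLSEC:-xmlsec1}"
# True for the subcommands that look up keys and so need --lax-key-search
# under 1.3.0's strict KeyInfo matching.
needs_lax_key_search() {
    case "$1" in
        --encrypt|--decrypt|--sign|--verify) return 0 ;;
        *) return 1 ;;
    esac
}
# Put a trailing OK or FAIL that follows a prefix onto a line of its own;
# lines that already consist of the bare token pass through unchanged.
normalize_status() {
    awk '
        match($0, /(^|[^A-Za-z0-9_])(OK|FAIL)$/) && $0 != "OK" && $0 != "FAIL" {
            token = ($0 ~ /OK$/) ? "OK" : "FAIL"
            prefix = substr($0, 1, length($0) - length(token))
            sub(/[ \t]+$/, "", prefix)
            if (prefix != "") print prefix
            print token
            next
        }
        { print }
    '
}
# Run the real binary, filter both streams, and keep its exit status
# (pysaml2 checks the return code as well as the status token).
run_xmlsec() {
    out=$(mktemp) && err=$(mktemp) || return 1
    "$REAL_XMLSEC" "$@" >"$out" 2>"$err"
    rc=$?
    normalize_status <"$out"
    normalize_status <"$err" >&2
    rm -f "$out" "$err"
    return "$rc"
}
# Rebuild the argument list with --lax-key-search inserted once, right after
# the first subcommand that needs it, unless the caller already passed it.
if [ "$#" -gt 0 ]; then
    lax=0
    for a in "$@"; do [ "$a" = "--lax-key-search" ] && lax=1; done
    for a in "$@"; do
        shift; set -- "$@" "$a"
        if [ "$lax" -eq 0 ] && needs_lax_key_search "$a"; then
            set -- "$@" --lax-key-search; lax=1
        fi
    done
    run_xmlsec "$@"
fi
```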
@ottcsconsult

I confirm this issue. @chludwig-haufe could you post your wrapper script, please?

@chludwig-haufe (Author)

@ottcsconsult Sure, I uploaded the wrapper script as a gist – feel free to use it.

Please note, the wrapper was thrown together quickly and tested only for our specific use cases. So no guarantees it works for you...

@c00kiemon5ter (Member)

Hello, and thanks for the report.
I will be merging #902 and releasing a new version soon.
