On April 12, 2023, xmlsec version 1.3.0 has been released; this is also the version you now get by default via, e.g., Homebrew on MacOS. The new version brings some breaking changes. I encountered two changes so far that break pysaml2:
pysaml2 seems to rely on “lax” key binding. For commands that operate on such keys, xmlsec 1.3.0 requires the new command line option --lax-key-search.
(API breaking change) Changed the key search to strict mode: only keys referenced by KeyInfo are used. To restore the old "lax" mode, set XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH flag on xmlSecKeyInfoCtx or use '--lax-key-search' option for XMLSec command line utility.
The status output of xmlsec adds text before (but on the same line as) the tokens OK or FAIL. This breaks (at least) saml2.sigver.parse_xmlsec_output, which expects these tokens without any prefix or suffix on their respective output line.
Code Version
pysaml 7.4.1
Expected Behavior
Successful authentications, no matter whether xmlsec has been updated to the latest (minor) version or not.
Current Behavior
For instance the signing of SAML2 requests and responses fails with an error that says the key was not found.
Possible Solution
I worked around this issue by putting an xmlsec wrapper script into our project that:
inserts the command line option --lax-key-search in case of the xmlsec1 commands --encrypt, --decrypt, --sign, and --verify;
ensures the tokens OK and FAIL in the xmlsec output are placed on lines of their own;
I consider this wrapper script a stop-gap solution only, though; it might break again anytime there's a new release of xmlsec or pysaml2. An implementation of #886 would be a better fix, IMHO.
Steps to Reproduce
1. Install xmlsec version 1.3.0.
2. Configure a pysaml2-based application to use the xmlsec 1.3.0 binary.
3. Create a signed authentication request.
4. The signature fails with a key not found error.
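The two breakages described in this issue (the status token no longer standing alone on its line, and the four key-using commands needing --lax-key-search) can be handled on the calling side. The following is an added example and not pysaml2's own saml2.sigver.parse_xmlsec_output nor the reporter's wrapper script: it parses both the old bare-token output and the 1.3.0-style prefixed output while failing closed when no token is found, and it inserts the flag only for the commands named above. The sample output strings are constructed, and the exact wording of the 1.3.0 status line is an assumption based on the report.

```python
import re
from typing import List, Sequence

# Added example code; not pysaml2's implementation and not the wrapper
# script from the report.

# The four commands the report names as affected by strict key search.
KEY_COMMANDS = {"--encrypt", "--decrypt", "--sign", "--verify"}
LAX_FLAG = "--lax-key-search"

# Matches a status token that is either alone on its line (xmlsec <= 1.2)
# or preceded by descriptive text on the same line (xmlsec 1.3.0), but
# never a token embedded in another word such as "FAILED".
_STATUS_RE = re.compile(r"(?:^|\s)(OK|FAIL)\s*$")


class XmlsecError(Exception):
    """Raised when xmlsec did not report success."""


def parse_xmlsec_output(output: str) -> bool:
    """Return True if the output reports OK; raise XmlsecError otherwise.

    FAIL anywhere wins over OK, and output without any status token is
    treated as a failure, so the parser fails closed rather than open.
    """
    statuses = []
    for line in output.splitlines():
        match = _STATUS_RE.search(line)
        if match:
            statuses.append(match.group(1))
    if "FAIL" in statuses:
        raise XmlsecError(output)
    if "OK" in statuses:
        return True
    raise XmlsecError(output)


def reports_success(output: str) -> bool:
    """Boolean convenience wrapper around parse_xmlsec_output."""
    try:
        return parse_xmlsec_output(output)
    except XmlsecError:
        return False


def with_lax_key_search(argv: Sequence[str]) -> List[str]:
    """Return argv with --lax-key-search inserted right after the command.

    Only the four key-using commands get the flag, and it is never added
    twice. Note that the flag restores the pre-1.3.0 lax key lookup, which
    is exactly what xmlsec 1.3.0 made opt-in; it is a stop-gap, not a fix.
    """
    argv = list(argv)
    if LAX_FLAG in argv:
        return argv
    for i, arg in enumerate(argv):
        if arg in KEY_COMMANDS:
            return argv[: i + 1] + [LAX_FLAG] + argv[i + 1 :]
    return argv


# Constructed sample outputs (not captured from a real xmlsec run). The
# 1.3.0 line format is assumed from the report: text before the token on
# the same line.
OLD_STYLE_OK = (
    "OK\n"
    "SignedInfo References (ok/all): 1/1\n"
    "Manifests References (ok/all): 0/0\n"
)
NEW_STYLE_OK = "Verification status: OK\nSignedInfo References (ok/all): 1/1\n"
NEW_STYLE_FAIL = "Verification status: FAIL\nSignedInfo References (ok/all): 0/1\n"
LOOKALIKE = "key lookup FAILED\n"  # contains no status token: must fail closed


if __name__ == "__main__":
    print(with_lax_key_search(["xmlsec1", "--verify", "--id-attr:ID",
                               "urn:oasis:names:tc:SAML:2.0:assertion:Assertion",
                               "response.xml"]))
    for sample in (OLD_STYLE_OK, NEW_STYLE_OK, NEW_STYLE_FAIL, LOOKALIKE):
        print(repr(sample.splitlines()[0]), "->", reports_success(sample))
```

The anchored regex is the important part: a loose `"OK" in output` check would accept a line such as "Manifests References (ok/all)" or any future wording that merely contains the letters, whereas requiring the token at the end of a line, preceded by start-of-line or whitespace, tracks both the old and the new layout without widening what counts as success.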