pysaml2 does not support certificate passwords #278
I’d appreciate if you would send in a pull request otherwise I will do it but not within the next week. — Roland

Hello @rohe: I'm slowly working on a PR. Current challenge is that xmlsec1 currently only allows passwords to be passed in on the commandline, or through an interactive prompt. The former is insecure, since one could either see the argument with
Hi Erick,
I would.
I’d like to have the python-xmlsec version too. — Roland
Unfortunately I don't actually know the state of python-xmlsec. It seems to have some fairly regular downloads (1289 in the past month), but I'm not personally familiar with the project.

dm.xmlsec.binding might be an alternative to python-xmlsec. Onelogin python-saml uses it https://github.com/onelogin/python-saml/blob/master/src/onelogin/saml2/utils.py#L712

Do you know anything about their plans to support Python 3.X ? — Roland
This is also tracked by IdentityPython/pysaml2#278. This patch adds support for SAML certificates that are protected with a password. The way it does so is with a bit of trickiness, due to the fact that `xmlsec1`, the external program that pysaml2 uses to sign the XML requests, does not have great support for password protected certificates. It either supports passing in the password on the command line (which is not safe since someone else on the machine could see the password), or through an interactive prompt. The proper way to fix this would be to update pysaml2 to use another xmlsec library, but implementing that may take some time. In the short/medium term, this patch implements this instead by decrypting the certificate in memory, and passing this decrypted certificate to xmlsec1 through a named pipe. This protects us from the decrypted certificate ever hitting the disk. Unfortunately, this solution is only portable to POSIX-compatible platforms. That is fine for Hue, but it probably means we cannot push this patch to the upstream pysaml2 repository. This patch will tide us over until the upstream project switches to a better xmlsec library.

Just to let you know, in Hue we've implemented a short term solution in our fork of pysaml2. It decrypts the certificate in memory, then passes it to
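The named-pipe handoff described in the commit message above, as an added example written for this page (it is not code from pysaml2, Hue or xmlsec1). It assumes the `cryptography` package for the in-memory decryption step, uses `cat` as a stand-in for the `xmlsec1 --sign --privkey-pem <file>` invocation, and the function names and the `{keyfile}` placeholder are my own:

```python
# Added example, not code from pysaml2 or Hue: decrypt a password-protected PEM
# private key in memory and hand the cleartext to an external signing tool through
# a named pipe, so it never becomes a regular file on disk. POSIX only (os.mkfifo).
import os
import stat
import subprocess
import tempfile
import threading


def decrypt_pem_key(encrypted_pem: bytes, password: bytes) -> bytes:
    """Return the unencrypted PEM form of an encrypted private key.

    Assumes the `cryptography` package is installed; it is imported lazily so the
    named-pipe helper below stays usable without it.
    """
    from cryptography.hazmat.primitives import serialization

    key = serialization.load_pem_private_key(encrypted_pem, password=password)
    return key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.TraditionalOpenSSL,
        serialization.NoEncryption(),
    )


def run_with_key_via_fifo(cmd_template, key_bytes, timeout=30.0):
    """Run cmd_template (argv list; the string "{keyfile}" is replaced by the
    FIFO path) and feed key_bytes to it through a FIFO inside a fresh 0700
    directory. Returns (returncode, stdout). The FIFO and directory are removed
    afterwards whether or not the consumer ever read from the pipe."""
    tmpdir = tempfile.mkdtemp(prefix="pysaml2-key-")  # mkdtemp uses mode 0700
    fifo = os.path.join(tmpdir, "key.pem")
    os.mkfifo(fifo, 0o600)  # raises FileExistsError rather than clobbering
    if not stat.S_ISFIFO(os.lstat(fifo).st_mode):
        raise RuntimeError("expected a FIFO at %s" % fifo)

    def writer():
        try:
            # open() blocks until the consumer opens the read end; the key is
            # then written and the write end closed so the reader sees EOF.
            with open(fifo, "wb") as fh:
                fh.write(key_bytes)
        except BrokenPipeError:
            pass  # consumer went away before reading; nothing left to do

    t = threading.Thread(target=writer, daemon=True)
    t.start()
    try:
        argv = [fifo if a == "{keyfile}" else a for a in cmd_template]
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        return proc.returncode, proc.stdout
    finally:
        if t.is_alive():
            # The consumer never opened the FIFO: open the read end ourselves so
            # the blocked writer can finish, then discard what it wrote.
            try:
                fd = os.open(fifo, os.O_RDONLY | os.O_NONBLOCK)
                os.close(fd)
            except OSError:
                pass
        t.join(timeout=5)
        os.unlink(fifo)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    # Stand-alone demo: generate a throwaway RSA key, encrypt it with a
    # constructed password, decrypt it in memory and feed it to `cat`, which
    # stands in for `xmlsec1 --sign --privkey-pem {keyfile} ...`.
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa

    password = b"constructed-demo-password"
    encrypted = rsa.generate_private_key(65537, 2048).private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.TraditionalOpenSSL,
        serialization.BestAvailableEncryption(password),
    )
    plain = decrypt_pem_key(encrypted, password)
    rc, out = run_with_key_via_fifo(["cat", "{keyfile}"], plain)
    print("exit", rc, "consumer saw the key:", out == plain)
```

Two things to keep in mind when using this pattern: the password never appears in argv (so it is not visible in `ps` output), but the cleartext key still lives in the memory of both processes for the duration of the call, and any process that can traverse the 0700 directory can open the FIFO while it exists, so it is the directory mode plus the short lifetime, not the pipe itself, that bounds exposure. The fallback in `finally` matters in practice: if the consumer fails before opening the key file, a naive writer would block on `open()` forever.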
I and my group are mainly concerned with *nix based systems. If you could add certificate password support such that it would work on a POSIX system but not be available on other systems I would gladly accept such a pull request. "Everybody should be quiet near a little stream and listen."
@rohe: Yeah that would be the best solution. We thought though that we wouldn't have the time to validate saml using a new xmlsec library for our next release. Long term we're hoping switching pysaml2 to a python binding of xmlsec like dm.xmlsec.binding would be the better option. |
Agree! — Roland "Everybody should be quiet near a little stream and listen."

Hi @rohe, I'm the developer of OneLogin's SAML toolkits. At python-saml I used dm.xmlsec.binding so it only works on Python 2.X. After experiencing some installation problems and the request for python3 support I wanted to release a new version of the same toolkit based on a python3 compatible solution. @bgaifullin, who currently helps support python-xmlsec, did a great job and helped me to migrate part of the code, and python3-saml appeared, based on python-xmlsec instead of dm.xmlsec.binding, working on python2 and python3. @mehcode, the main maintainer of python-xmlsec, has his own SAML library. So nowadays SAML developers have several alternatives :) Best regards and thanks for your contributions.
* HUE-9225 [core] Upgrade certain third party python libraries that have identified vulnerabilities - Adding Django-1.11.29
* HUE-8905 [core] Apply HUE-8772 to Django-1.11.22 for fixing 'user is missing in mako context' (cherry picked from commit cf717de)
* HUE-8905 [core] Apply HUE-8836 to Django-1.11.22 for HTTP_X_FORWARDED_HOST contains multiple hosts (cherry picked from commit 26e5f7a)
* Revert "HUE-8905 [core] Apply HUE-8772 to Django-1.11.22 for fixing 'user is missing in mako context'" This reverts commit cf717de. (cherry picked from commit 9014bfa)
* HUE-9225 [core] Upgrade certain third party python libraries that have identified vulnerabilities - Removing Django-1.11.22
* HUE-9225 [core] Upgrade certain third party python libraries that have identified vulnerabilities - Adding cryptography-2.9 - Removing cryptography-2.1.4
* HUE-9225 [core] Upgrade certain third party python libraries that have identified vulnerabilities - Adding MarkupSafe-1.1.1 - Removing MarkupSafe-0.9.3
* HUE-9225 [core] Upgrade certain third party python libraries that have identified vulnerabilities - Adding PyYAML-5.3.1 - Removing PyYAML-3.12
* HUE-9225 [core] Upgrade certain third party python libraries that have identified vulnerabilities - Adding requests-2.23.0 - Removing requests-2.18.4
* HUE-9225 [core] Upgrade certain third party python libraries that have identified vulnerabilities - Adding urllib3-1.22 - Removing urllib3-1.25.8
* HUE-5095 [backend] Python requests library should put port information in log message
* HUE-9225 [core] Upgrade certain third party python libraries that have identified vulnerabilities - Adding requests-kerberos-0.12.0 - Removing requests-kerberos-0.6.1
* HUE-7127 [backend] Fix for Python requests Kerberos/GSSAPI authentication library fails to authenticate kerberos requests to the same destination
  Current python request Kerberos library fails generating the GSSAPI authentication token with kerberos for the host which run multiple kerberised
  Testing Done:
  - Manual testing
  - using multiple load generator scripts
  - Tested on different cluster with Python 2.6 and Python 2.7
* HUE-8202 [jb] Fix mutual authentication failed with Isilon (#675) https://review.cloudera.org/r/12820/
* HUE-9225 [core] Upgrade certain third party python libraries that have identified vulnerabilities - Adding tablib-0.14.0 - Removing tablib-0.10.0
* HUE-2523 [core] Remove xlwt and xlrd from tablib
* HUE-9225 [core] Upgrade certain third party python libraries that have identified vulnerabilities - Adding MarkupPy-1.14
* HUE-9225 [core] Upgrade certain third party python libraries that have identified vulnerabilities - Adding openpyxl-2.6.4 - Removing openpyxl-2.3.0-b2 - Removing openpyxl-2.5.3
* HUE-9225 [core] Upgrade certain third party python libraries that have identified vulnerabilities - Adding odfpy-1.4.1
* HUE-9225 [core] Upgrade certain third party python libraries that have identified vulnerabilities - Adding pysaml2-4.9.0 - Removing pysaml2-4.4.0
* HUE-3102 [libsaml] Add support for private key passwords
  This is also tracked by IdentityPython/pysaml2#278. This patch adds support for SAML certificates that are protected with a password. The way it does so is with a bit of trickiness, due to the fact that `xmlsec1`, the external program that pysaml2 uses to sign the XML requests, does not have great support for password protected certificates. It either supports passing in the password on the command line (which is not safe since someone else on the machine could see the password), or through an interactive prompt. The proper way to fix this would be to update pysaml2 to use another xmlsec library, but implementing that may take some time. In the short/medium term, this patch implements this instead by decrypting the certificate in memory, and passing this decrypted certificate to xmlsec1 through a named pipe. This protects us from the decrypted certificate ever hitting the disk. Unfortunately, this solution is only portable to POSIX-compatible platforms. That is fine for Hue, but it probably means we cannot push this patch to the upstream pysaml2 repository. This patch will tide us over until the upstream project switches to a better xmlsec library.
* HUE-9225 [core] Upgrade certain third party python libraries that have identified vulnerabilities - Adding chardet-3.0.4
* HUE-9225 [core] Upgrade certain third party python libraries that have identified vulnerabilities - Adding pycryptodomex-3.9.7 - Removing pycrypto-2.6.1 - Removing pycryptodomex-3.4.7

Co-authored-by: Ying Chen <[email protected]>
The final solution for this kind of problem would be converting (using openssl) a key (or certificate) encoded with a password to one without.

@c00kiemon5ter can we close this or do you want to follow it to implement this feature?
It appears that pysaml2 does not support certificates with passwords, which results in OpenSSL prompting for a password when the certificate is parsed. I don't think it'd be terribly hard to support, we would just have to update every instance of `RSA.importKey` to pass in an optionally configured passphrase.