Confusing documentation with regards to encryption/signing certificates. #985


Open
dino8890 opened this issue May 9, 2025 · 1 comment

Comments

@dino8890

dino8890 commented May 9, 2025

The documentation states that there are 2 ways to specify certificate and key for encryption and signing, however it is not clear what are the differences between them and which setting is preferred.

To quote the latest docs:

key_file
key_file is the name of a PEM formatted file that contains the private key of the service. This is currently used both to encrypt/sign assertions and as the client key in an HTTPS session.
cert_file
This is the public part of the service private/public key pair. cert_file must be a PEM formatted file with a single certificate.

    'sp': {
          'key_file': BASE_DIR + '/certificates/private.key',
          'cert_file': BASE_DIR + '/certificates/public.cert',
    }

However, there is also encryption_keypairs config:

encryption_keypairs
Indicates which certificates will be used for encryption capabilities:

# Encryption
'encryption_keypairs': [
    {
        'key_file': BASE_DIR + '/certificates/private.key',
        'cert_file': BASE_DIR + '/certificates/public.cert',
    },
],

As you can see, there is seemingly no difference, but the fact that the former is a little more detailed (IMO) makes it seem like that's the preferred option.

Interestingly, djangosaml package states this in their docs:

The key_file and cert_file options reference the two parts of a standard x509 certificate. You need it to sign your metadata. For assertion encryption/decryption support please configure another set of key_file and cert_file, but as inner attributes of encryption_keypairs option.

If this is true, then this is a pretty important omission from pysaml2 docs as these configurations do different things. I'd be happy to submit a PR, but I need someone more familiar with the project to confirm this is the case.

@dino8890
Author

Based on the generated metadata, it seems encryption_keypairs is used for encryption only, and the former key_file and cert_file are used for signing. This invalidates the statement in the documentation:

This is currently used both to encrypt/sign assertions and as the client key in an HTTPS session.

(emphasis mine)

I'll dig into the source code to confirm this is actually the case.
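The observation above was made by reading the generated SP metadata: each certificate shows up in a `KeyDescriptor` whose `use` attribute says whether it is offered for signing, for encryption, or (when the attribute is absent) for both. The following is an added example, not code from pysaml2 or from this issue, that automates that check with only the Python standard library. It parses metadata, fingerprints every `X509Certificate`, and reports under which `use` values each configured PEM certificate appears, so a practitioner can confirm which setting ends up where. The metadata document and the two "certificates" are constructed placeholders (the base64 payload is arbitrary bytes, not real DER); point `check_config_against_metadata` at your real metadata and the PEM files named in `cert_file` and `encryption_keypairs` to get the actual answer for your deployment.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 over the decoded certificate bytes; whitespace in the base64 is ignored."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem: str) -> str:
    """Fingerprint a PEM certificate (the armour lines are dropped, the body is decoded)."""
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    return cert_fingerprint(body)


def key_descriptor_uses(metadata_xml: str) -> dict:
    """Map certificate fingerprint -> set of uses declared for it in the metadata.

    A KeyDescriptor without a 'use' attribute offers the key for both signing and
    encryption (SAML 2.0 metadata semantics), so it is recorded under both.
    """
    root = ET.fromstring(metadata_xml)
    uses_by_fp: dict = {}
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        use = kd.get("use")
        uses = {use} if use else {"signing", "encryption"}
        for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            fp = cert_fingerprint(cert.text or "")
            uses_by_fp.setdefault(fp, set()).update(uses)
    return uses_by_fp


def check_config_against_metadata(metadata_xml: str, config_certs: dict) -> dict:
    """config_certs maps a config label (e.g. 'cert_file') to its PEM text.

    Returns label -> sorted list of uses the metadata advertises for that certificate;
    an empty list means the certificate is not published in the metadata at all.
    """
    uses_by_fp = key_descriptor_uses(metadata_xml)
    return {
        label: sorted(uses_by_fp.get(pem_fingerprint(pem), set()))
        for label, pem in config_certs.items()
    }


# --- constructed sample input (placeholders, not real certificates) ---------------
SIGNING_DER = b"constructed placeholder for the cert_file certificate"
ENCRYPTION_DER = b"constructed placeholder for the encryption_keypairs certificate"


def to_pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


CERT_FILE_PEM = to_pem(SIGNING_DER)
ENCRYPTION_PEM = to_pem(ENCRYPTION_DER)

# Constructed SP metadata shaped the way the issue describes: one KeyDescriptor per use.
SAMPLE_METADATA = f"""
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.invalid/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(SIGNING_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(ENCRYPTION_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

CONFIG_CERTS = {
    "cert_file": CERT_FILE_PEM,
    "encryption_keypairs[0].cert_file": ENCRYPTION_PEM,
}

if __name__ == "__main__":
    for label, uses in check_config_against_metadata(SAMPLE_METADATA, CONFIG_CERTS).items():
        print(f"{label}: {', '.join(uses) or 'NOT PUBLISHED'}")
```

If a certificate you expected to see comes back as not published, or `cert_file` shows up under both uses, that is the concrete evidence to attach to a documentation PR, since it says exactly which config key feeds which `KeyDescriptor`.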
