HUE-3102 [libsaml] Add support for private key passwords

ranade1 · ranade1 · commit 966b27083b28 · 2020-04-09T13:15:53.000-07:00
This is also tracked by IdentityPython/pysaml2#278. This patch adds support for SAML certificates that are protected with a password. The way it does so is with a bit of trickiness, due to the fact that `xmlsec1`, which is an external program that pysaml2 uses to sign the XML requests, which does not have great support for password protected certificates. It either supports passing in the password on the command line (which is not safe since someone else on the machine could see the password), or through an interactive prompt. The proper way to fix this would be to update pysaml2 to use another xmlsec library, but implementing that may take some time. In the short/medium term, this patch implements this instead by decrypting the certificate in memory, and passing this decrypted certificate to xmlsec1 through a named pipe. This protects us from the decrypted certificate ever hitting the disk. Unfortunately, this solution is only portable to POSIX-compatible platforms. That is fine for Hue, but it probably means we cannot push this patch to the upstream pysaml2 repository. This patch will tied us over until the upstream project switches to a better xmlsec library.
diff --git a/desktop/core/ext-py/pysaml2-4.9.0/src/saml2/config.py b/desktop/core/ext-py/pysaml2-4.9.0/src/saml2/config.py
@@ -32,6 +32,7 @@
     "entityid",
     "xmlsec_binary",
     "key_file",
+    "key_file_passphrase",
     "cert_file",
     "encryption_keypairs",
     "additional_cert_files",
@@ -193,6 +194,7 @@ def __init__(self, homedir="."):
         self.xmlsec_path = []
         self.debug = False
         self.key_file = None
+        self.key_file_passphrase = None
         self.cert_file = None
         self.encryption_keypairs = None
         self.additional_cert_files = None
diff --git a/desktop/core/ext-py/pysaml2-4.9.0/src/saml2/sigver.py b/desktop/core/ext-py/pysaml2-4.9.0/src/saml2/sigver.py
@@ -19,7 +19,7 @@
 import saml2.cryptography.asymmetric
 import saml2.cryptography.pki
 
-from tempfile import NamedTemporaryFile
+from tempfile import NamedTemporaryFile, mkdtemp
 from subprocess import Popen
 from subprocess import PIPE
 
@@ -483,6 +483,19 @@ def parse_xmlsec_output(output):
 def sha1_digest(msg):
     return hashlib.sha1(msg).digest()
 
+class NamedPipe(object):
+    def __init__(self):
+        self._tempdir = mkdtemp()
+        self.name = os.path.join(self._tempdir, 'fifo')
+
+        try:
+            os.mkfifo(self.name)
+        except:
+            os.rmdir(self._tempdir)
+
+    def close(self):
+        os.remove(self.name)
+        os.rmdir(self._tempdir)
 
 class Signer(object):
     """Abstract base class for signing algorithms."""
@@ -651,10 +664,10 @@ def encrypt(self, text, recv_key, template, key_type):
     def encrypt_assertion(self, statement, enc_key, template, key_type, node_xpath):
         raise NotImplementedError()
 
-    def decrypt(self, enctext, key_file, id_attr):
+    def decrypt(self, enctext, key_file, id_attr, passphrase=None):
         raise NotImplementedError()
 
-    def sign_statement(self, statement, node_name, key_file, node_id, id_attr):
+    def sign_statement(self, statement, node_name, key_file, node_id, id_attr, passphrase=None):
         raise NotImplementedError()
 
     def validate_signature(self, enctext, cert_file, cert_type, node_name, node_id, id_attr):
@@ -775,7 +788,7 @@ def encrypt_assertion(self, statement, enc_key, template, key_type='des-192', no
 
         return output.decode('utf-8')
 
-    def decrypt(self, enctext, key_file, id_attr):
+    def decrypt(self, enctext, key_file, id_attr, passphrase=None):
         """
 
         :param enctext: XML document containing an encrypted part
@@ -786,6 +799,16 @@ def decrypt(self, enctext, key_file, id_attr):
         logger.debug('Decrypt input len: %d', len(enctext))
         _, fil = make_temp(enctext, decode=False)
 
+        named_pipe = None
+        if key_file is not None:
+            if passphrase is not None:
+                named_pipe = NamedPipe()
+                # Decrypt the certificate
+                with open(key_file) as f, open(named_pipe.name, 'wb') as g:
+                    key = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read(), passphrase=passphrase)
+                    g.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
+                key_file = named_pipe.name
+
         com_list = [
             self.xmlsec,
             '--decrypt',
@@ -801,7 +824,7 @@ def decrypt(self, enctext, key_file, id_attr):
 
         return output.decode('utf-8')
 
-    def sign_statement(self, statement, node_name, key_file, node_id, id_attr):
+    def sign_statement(self, statement, node_name, key_file, node_id, id_attr, passphrase=None):
         """
         Sign an XML statement.
 
@@ -823,6 +846,16 @@ def sign_statement(self, statement, node_name, key_file, node_id, id_attr):
             delete=self._xmlsec_delete_tmpfiles,
         )
 
+        named_pipe = None
+        if key_file is not None:
+            if passphrase is not None:
+                named_pipe = NamedPipe()
+                # Decrypt the certificate
+                with open(key_file) as f, open(named_pipe.name, 'wb') as g:
+                    key = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read(), passphrase=passphrase)
+                    g.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
+                key_file = named_pipe.name
+
         com_list = [
             self.xmlsec,
             '--sign',
@@ -939,7 +972,7 @@ def version(self):
         # better than static 0.0 here.
         return 'XMLSecurity 0.0'
 
-    def sign_statement(self, statement, node_name, key_file, node_id, id_attr):
+    def sign_statement(self, statement, node_name, key_file, node_id, id_attr, passphrase=None):
         """
         Sign an XML statement.
 
@@ -955,6 +988,8 @@ def sign_statement(self, statement, node_name, key_file, node_id, id_attr):
         import xmlsec
         import lxml.etree
 
+        assert passphrase is None, "Encrypted key files is not supported"
+
         xml = xmlsec.parse_xml(statement)
         signed = xmlsec.sign(xml, key_file)
         signed_str = lxml.etree.tostring(signed, xml_declaration=False, encoding="UTF-8")
@@ -1062,6 +1097,7 @@ def security_context(conf):
             tmp_cert_file=conf.tmp_cert_file,
             tmp_key_file=conf.tmp_key_file,
             validate_certificate=conf.validate_certificate,
+            key_file_passphrase=conf.key_file_passphrase,
             enc_key_files=enc_key_files,
             encryption_keypairs=conf.encryption_keypairs,
             sec_backend=sec_backend,
@@ -1251,6 +1287,7 @@ def __init__(
             generate_cert_info=None,
             tmp_cert_file=None, tmp_key_file=None,
             validate_certificate=None,
+            key_file_passphrase=None,
             enc_key_files=None, enc_key_type='pem',
             encryption_keypairs=None,
             enc_cert_type='pem',
@@ -1268,6 +1305,7 @@ def __init__(
 
         # Your private key for signing
         self.key_file = key_file
+        self.key_file_passphrase = key_file_passphrase
         self.key_type = key_type
 
         # Your public key for signing
@@ -1358,6 +1396,7 @@ def decrypt_keys(self, enctext, keys=None, id_attr=''):
         :return: The decrypted text
         """
         key_files = []
+        passphrase = self.key_file_passphrase
 
         if not isinstance(keys, list):
             keys = [keys]
@@ -1370,7 +1409,7 @@ def decrypt_keys(self, enctext, keys=None, id_attr=''):
             key_files.append(key_file)
 
         try:
-            dectext = self.decrypt(enctext, key_file=key_files, id_attr=id_attr)
+            dectext = self.decrypt(enctext, key_file=key_files, id_attr=id_attr, passphrase=passphrase)
         except DecryptError as e:
             raise
         else:
@@ -1379,12 +1418,15 @@ def decrypt_keys(self, enctext, keys=None, id_attr=''):
             for key_file in key_files:
                 os.unlink(key_file)
 
-    def decrypt(self, enctext, key_file=None, id_attr=''):
+    def decrypt(self, enctext, key_file=None, id_attr='', passphrase=None):
         """ Decrypting an encrypted text by the use of a private key.
 
         :param enctext: The encrypted text as a string
         :return: The decrypted text
         """
+        if passphrase is None:
+            passphrase = self.key_file_passphrase
+
         if not id_attr:
             id_attr = self.id_attr
 
@@ -1396,7 +1438,7 @@ def decrypt(self, enctext, key_file=None, id_attr=''):
         ]
         for key_file in key_files:
             try:
-                dectext = self.crypto.decrypt(enctext, key_file, id_attr)
+                dectext = self.crypto.decrypt(enctext, key_file, id_attr, passphrase=passphrase)
             except XmlsecError as e:
                 continue
             else:
@@ -1650,7 +1692,7 @@ def sign_statement_using_xmlsec(self, statement, **kwargs):
         """ Deprecated function. See sign_statement(). """
         return self.sign_statement(statement, **kwargs)
 
-    def sign_statement(self, statement, node_name, key=None, key_file=None, node_id=None, id_attr=''):
+    def sign_statement(self, statement, node_name, key=None, key_file=None, node_id=None, id_attr='', passphrase=None):
         """Sign a SAML statement.
 
         :param statement: The statement to be signed
@@ -1671,12 +1713,15 @@ def sign_statement(self, statement, node_name, key=None, key_file=None, node_id=
         if not key and not key_file:
             key_file = self.key_file
 
+        if not passphrase:
+            passphrase = self.key_file_passphrase
+
         return self.crypto.sign_statement(
                 statement,
                 node_name,
                 key_file,
                 node_id,
-                id_attr)
+                id_attr, passphrase=passphrase)
 
     def sign_assertion_using_xmlsec(self, statement, **kwargs):
         """ Deprecated function. See sign_assertion(). """
@@ -1709,7 +1754,7 @@ def sign_attribute_query(self, statement, **kwargs):
         return self.sign_statement(
                 statement, class_name(samlp.AttributeQuery()), **kwargs)
 
-    def multiple_signatures(self, statement, to_sign, key=None, key_file=None, sign_alg=None, digest_alg=None):
+    def multiple_signatures(self, statement, to_sign, key=None, key_file=None, sign_alg=None, digest_alg=None, passphrase=None):
         """
         Sign multiple parts of a statement
 
@@ -1740,7 +1785,7 @@ def multiple_signatures(self, statement, to_sign, key=None, key_file=None, sign_
                     key=key,
                     key_file=key_file,
                     node_id=sid,
-                    id_attr=id_attr)
+                    id_attr=id_attr, passphrase=passphrase)
 
         return statement
 
