
SAMLv2 Identity provider can not sign request when I "Import RSA key Pair" with Certificate as public and private key

Open konvergence opened this issue 2 years ago • 7 comments


Description

  • When I "Import RSA key Pair" with public key and private key, FusionAuth generates a certificate for 10 years and I can use it to sign SAML requests as Request signing key
  • When I "Import RSA key Pair" with a certificate (as public key) and private key, FusionAuth recognizes the certificate well, but I can not see it in the listbox Request signing key to sign SAML requests

Affects versions

fusionauth 1.36.4

Steps to reproduce

Steps to reproduce the behavior:

  1. Go to 'Key Master'
  2. Click on 'Import RSA key Pair' : MyAuthrorityCert
  3. Put certificate as public key
     -----BEGIN CERTIFICATE-----
     ...
     -----END CERTIFICATE-----
  4. Put private key
     -----BEGIN RSA PRIVATE KEY-----
     ...
     -----END RSA PRIVATE KEY-----
  5. Go to Identity Provider
  6. Select option
  7. Enable Sign Request
  8. Can not see MyAuthrorityCert in the listbox Request signing key

Documentation

  • into https://fusionauth.io/docs/v1/tech/core-concepts/key-master#import-rsa-key-pair
    • Public key REQUIRED : The PEM encoded public key to import.
  • into https://fusionauth.io/docs/v1/tech/apis/keys#import-a-key
    • key.publicKey [String] OPTIONAL : The Key public key. Required if importing an RSA or EC key and a certificate is not provided.

konvergence avatar Aug 02 '22 15:08 konvergence

One more piece of information: when I use the API key, I can correctly import/create an RSA key pair with certificate, public key and private key. So is it a UI bug? Maybe there is a way to add a Certificate input field?

konvergence avatar Aug 03 '22 09:08 konvergence

@konvergence thanks for filing the issue. So to repeat back what you are saying so I understand:

  • If you use a cert and private key to create an RSA key pair using the API, you can use that to sign the SAML request for an identity provider.
  • If you use that same cert and private key to create an RSA key pair using the UI, you can't use that to sign a SAML request (it doesn't show up in the drop down)

Is that what is happening?

mooreds avatar Aug 03 '22 13:08 mooreds

Yes, absolutely!

When I use the API to create an "RSA Key Pair" I can use it as Request signing key in my SAML IdP configuration, for example:


curl -v -X POST -L https://myfusion/api/key/import \
     -H 'Authorization: zzzzzzzzzzz' \
     -H 'Accept: application/json' \
     -H 'Content-Type: application/json' \
     -d '{
  "key": {
    "name": "my-cert-key"
    ,"type": "RSA"
    ,"algorithm": "RS256"
    ,"certificate": "-----BEGIN CERTIFICATE-----\n*****\n-----END CERTIFICATE-----"
    ,"publicKey": "-----BEGIN PUBLIC KEY-----\n****\n-----END PUBLIC KEY-----"
    ,"privateKey": "-----BEGIN RSA PRIVATE KEY-----\n***\n-----END RSA PRIVATE KEY-----"
  }
}'

When I use the web UI to import the "RSA Key Pair" my-cert-key, I copy the certificate as publicKey, then the private key

  • the web UI recognizes the certificate info well
  • if I export the key my-cert-key, I get only fingerprints.txt, public-key.pem and public-keys.pub, but not certificate.crt; and public-key.pem contains the certificate PEM
  • I can not see my-cert-key as Request signing key in my SAML IdP configuration

konvergence avatar Aug 04 '22 15:08 konvergence

Thank you for the details, @konvergence !

mooreds avatar Aug 04 '22 20:08 mooreds

I think this is working as designed. In order to sign a SAML request or response FusionAuth requires a certificate. If all we end up with is a public and a private key, this is not adequate to build a SAML signature.

robotdan avatar Aug 05 '22 17:08 robotdan
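As an added example (not FusionAuth's code and not part of this thread), the following POSIX shell script makes the point the two comments above turn on concrete: a certificate carries a public key, so the `publicKey` field of the import request can be derived from the certificate with openssl rather than pasting the certificate PEM in its place, and the private key can be checked against the certificate before calling `POST /api/key/import` with all three fields as in the curl call above. The sample certificate and key are throwaway material generated on the fly; the key name `my-cert-key` is taken from the thread, while the `WORK` directory and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not FusionAuth's code: derive the "publicKey" value from a
# certificate, confirm the private key matches it, and build the JSON body for
# POST /api/key/import (certificate + publicKey + privateKey).
set -eu

WORK=$(mktemp -d)   # scratch directory for the constructed sample files

# Constructed sample material: a throwaway self-signed cert and key.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example-import-test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Print the certificate's SubjectPublicKeyInfo as a "-----BEGIN PUBLIC KEY-----"
# PEM: this is what belongs in the publicKey field, not the certificate itself.
cert_public_key() {
  openssl x509 -in "$1" -noout -pubkey
}

# Return 0 only if the private key corresponds to the certificate, by comparing
# a digest of the DER public key taken from each side. Works for both
# "BEGIN RSA PRIVATE KEY" (PKCS#1) and "BEGIN PRIVATE KEY" (PKCS#8) inputs.
key_matches_cert() {
  cert_pk=$(openssl x509 -in "$1" -noout -pubkey \
            | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  priv_pk=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$cert_pk" ] && [ "$cert_pk" = "$priv_pk" ]
}

# Turn a multi-line PEM file into a single JSON string value: line breaks
# become the two characters "\n", matching the format used in the thread.
pem_to_json_string() {
  awk 'BEGIN{ORS=""} NR>1{print "\\n"} {print}' "$1"
}

# Build the request body for POST /api/key/import.
build_import_body() {
  cert_file=$1; key_file=$2; name=$3
  cert_public_key "$cert_file" > "$WORK/pub.pem"
  printf '{"key":{"name":"%s","type":"RSA","algorithm":"RS256","certificate":"%s","publicKey":"%s","privateKey":"%s"}}\n' \
    "$name" \
    "$(pem_to_json_string "$cert_file")" \
    "$(pem_to_json_string "$WORK/pub.pem")" \
    "$(pem_to_json_string "$key_file")"
}

# Stand-alone demo: generate the sample, verify the pair, print the body.
make_sample
key_matches_cert "$WORK/cert.pem" "$WORK/key.pem" && echo "private key matches certificate"
build_import_body "$WORK/cert.pem" "$WORK/key.pem" my-cert-key
```

The body printed by `build_import_body` can be sent with the same curl invocation shown earlier in the thread (`-d @body.json` instead of an inline string). The mismatch check matters because the import API accepts whatever PEM you hand it: a private key that does not belong to the certificate only fails later, when the IdP tries to produce a signature the certificate cannot verify.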

@robotdan ,

The issue is that when I use the UI to import a certificate with this private key, I can't use it to sign SAML requests. The UI does not extract the public key from the certificate and treats the certificate as a public key.

With the API, I import a key with certificate, public key and private key, and the key can be used to sign SAML requests

konvergence avatar Aug 07 '22 05:08 konvergence

Maybe I have misunderstood.

> When I use the web UI to import the "RSA Key Pair" my-cert-key, I copy the certificate as publicKey, then the private key

This sounds like you are not importing the certificate as a cert - but as a public key? Is that correct? If that is the case, I would expect the behavior you're seeing. Maybe we are just missing an option to import a cert + private key pair?

When you say you use the API it works, can you provide more details on how you are calling the API?

robotdan avatar Aug 08 '22 03:08 robotdan

@robotdan

You're right, there are no options in the web UI to import a cert + private key pair. The details of the API calls are here: https://github.com/FusionAuth/fusionauth-issues/issues/1805#issuecomment-1205383819

konvergence avatar Sep 05 '22 07:09 konvergence

Internal:

  • https://github.com/FusionAuth/fusionauth-app/pull/175

robotdan avatar Jan 31 '23 00:01 robotdan