
pysaml2 does not support certificate passwords

Open erickt opened this issue 9 years ago • 13 comments

It appears that pysaml2 does not support certificates with passwords, which results in OpenSSL prompting for a password when the certificate is parsed. I don't think it'd be terribly hard to support, we would just have to update every instance of RSA.importKey to pass in an optionally configured passphrase.

erickt avatar Oct 30 '15 17:10 erickt

On 30 Oct 2015 at 10:52, Erick Tryzelaar [email protected] wrote:

It appears that pysaml2 does not support certificates with passwords, which results in OpenSSL prompting for a password when the certificate is parsed. I don’t think it'd be terribly hard to support, we would just have to update every instance of RSA.importKey to pass in an optionally configured passphrase.

I’d appreciate if you would send in a pull request otherwise I will do it but not within the next week.

— Roland 'Look, that's why there's rules, understand? So that you think before you break 'em.' - Terry Pratchett

rohe avatar Nov 01 '15 23:11 rohe

Hello @rohe: I'm slowly working on a PR. Current challenge is that xmlsec1 currently only allows passwords to be passed in on the commandline, or through an interactive prompt. The former is insecure, since one could either see the argument with ps or in the .bash_history, the latter requires using a PTY, which makes it not portable to some OSs. The right solution is probably to switch over to using python-xmlsec and exposing the xmlsec API that passes the password along to the underlying library. For hue, we're probably first going to implement the PTY approach for the short term, and then over time implement the python-xmlsec. Would you be interested in the PTY? If not, I can just patch my fork, and then upstream the python-xmlsec version once it's done.

erickt avatar Nov 02 '15 21:11 erickt

Hi Erick,

On 2 Nov 2015 at 13:24, Erick Tryzelaar [email protected] wrote:

Hello @rohe: I'm slowly working on a PR. Current challenge is that xmlsec1 currently only allows passwords to be passed in on the commandline, or through an interactive prompt. The former is insecure, since one could either see the argument with ps or in the .bash_history, the latter requires using a PTY, which makes it not portable to some OSs. The right solution is probably to switch over to using python-xmlsec and exposing the xmlsec API that passes the password along to the underlying library. For hue, we're probably first going to implement the PTY approach for the short term, and then over time implement the python-xmlsec. Would you be interested in the PTY?

I would.

If not, I can just patch my fork, and then upstream the python-xmlsec version once it's done.

I’d like to have the python-xmlsec version too. When I started implementing pysaml2, python-xmlsec was in such a bad state that I didn’t really consider it to be a viable option. If it’s better today I’d really like to have it as an option beside xmlsec.

— Roland 'Look, that's why there's rules, understand? So that you think before you break 'em.' - Terry Pratchett

rohe avatar Nov 03 '15 01:11 rohe

Unfortunately I don't actually know the state of python-xmlsec. It seems to have some fairly regular downloads (1289 in the past month), but I'm not personally familiar with the project.

erickt avatar Nov 03 '15 01:11 erickt

dm.xmlsec.binding might be an alternative to python-xmlsec. Onelogin python-saml uses it https://github.com/onelogin/python-saml/blob/master/src/onelogin/saml2/utils.py#L712

rectalogic avatar Jan 14 '16 18:01 rectalogic

On 14 Jan 2016 at 19:01, Andrew Wason [email protected] wrote:

dm.xmlsec.binding might be an alternative to python-xmlsec. Onelogin python-saml uses it https://github.com/onelogin/python-saml/blob/master/src/onelogin/saml2/utils.py#L712

Do you know anything about their plans to support Python 3.X? They only list support for 2.4, 2.6 and 2.7 now.

— Roland

rohe avatar Jan 15 '16 07:01 rohe

Just to let you know, in Hue we've implemented a short term solution in our fork of pysaml2. It decrypts the certificate in memory, then passes it to xmlsec1 through a named pipe. I didn't submit it here for review because this technique only works on POSIX systems, and I'm not sure if pysaml2 supports Windows.

erickt avatar Jan 22 '16 18:01 erickt
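The named-pipe hand-off described above, as an added illustration that is not the Hue fork's code: a constructed placeholder key is streamed to a consumer process (`cat` here, standing in for xmlsec1) through a FIFO in a private temporary directory, so the key material appears neither in the process's argv nor in a regular file on disk. Decrypting the passphrase-protected PEM beforehand (for example with the cryptography package) is assumed and not shown; `run_with_key_fifo` and `demo` are names chosen here.

```python
import os
import subprocess
import tempfile
import threading

# Constructed placeholder standing in for an already-decrypted PEM key.
SAMPLE_KEY = (
    b"-----BEGIN PRIVATE KEY-----\n"
    b"constructed-sample-not-a-real-key\n"
    b"-----END PRIVATE KEY-----\n"
)


def run_with_key_fifo(key_pem: bytes, argv_template: list, timeout: float = 30.0):
    """Run a consumer that reads an in-memory private key from a named pipe.

    Every "{key}" entry in argv_template is replaced by the FIFO path. The
    key bytes are written into the pipe, so they show up neither in `ps`
    output / shell history (unlike a command-line passphrase) nor in a
    regular file. POSIX only: os.mkfifo does not exist on Windows.
    """
    tmpdir = tempfile.mkdtemp(prefix="keyfifo-")  # created with mode 0700
    fifo = os.path.join(tmpdir, "key.pem")
    os.mkfifo(fifo, mode=0o600)
    argv = [fifo if arg == "{key}" else arg for arg in argv_template]

    def writer():
        # open() blocks until the consumer opens the read end; the bytes
        # then pass through the kernel pipe buffer and never touch disk.
        with open(fifo, "wb") as fh:
            fh.write(key_pem)

    thread = threading.Thread(target=writer, daemon=True)
    thread.start()
    try:
        return subprocess.run(argv, capture_output=True, timeout=timeout)
    finally:
        # If the consumer never opened the pipe, the daemon writer thread
        # is abandoned; the FIFO and directory are removed either way.
        thread.join(timeout=1)
        os.unlink(fifo)
        os.rmdir(tmpdir)


def demo() -> bytes:
    """Feed the placeholder key through the FIFO to `cat` and return what it read."""
    result = run_with_key_fifo(SAMPLE_KEY, ["cat", "{key}"])
    result.check_returncode()
    return result.stdout


if __name__ == "__main__":
    print(demo().decode())
```

In the real hand-off the consumer would be the xmlsec1 command line, with the decrypted key material taking the place of the placeholder bytes.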

On 22 Jan 2016 at 19:23, Erick Tryzelaar [email protected] wrote:

Just to let you know, in Hue we've implemented a short term solution in our fork of pysaml2. It decrypts the certificate in memory, then passes it to xmlsec1 through a named pipe. I didn't submit it here for review because this technique only works on POSIX systems, and I'm not sure if pysaml2 supports Windows.

I and my group are mainly concerned with *nix based systems. I would prefer if we didn't, well aware of the consequences, add something that would make it impossible to use pysaml2 on Windows.

If you could add certificate password support such that it would work on a POSIX system but not be available on other systems I would gladly accept such a pull request.

"Everybody should be quiet near a little stream and listen." From 'Open House for Butterflies' by Ruth Krauss

rohe avatar Feb 11 '16 11:02 rohe

@rohe: Yeah that would be the best solution. We thought though that we wouldn't have the time to validate saml using a new xmlsec library for our next release. Long term we're hoping switching pysaml2 to a python binding of xmlsec like dm.xmlsec.binding would be the better option.

erickt avatar Feb 11 '16 18:02 erickt

On 11 Feb 2016 at 19:22, Erick Tryzelaar [email protected] wrote:

@rohe: Yeah that would be the best solution. We thought though that we wouldn't have the time to validate saml using a new xmlsec library for our next release. Long term we're hoping switching pysaml2 to a python binding of xmlsec like dm.xmlsec.binding would be the better option.

Agree! The reason for me not to use the python bindings for xmlsec when I started this project almost a decade ago was that the bindings were in such a poor state and I didn't want to take on the responsibility for keeping them maintained. That may have changed (the first reason not the second :-)).

— Roland

"Everybody should be quiet near a little stream and listen." From 'Open House for Butterflies' by Ruth Krauss

rohe avatar Feb 12 '16 07:02 rohe

Hi @rohe,

I'm the developer of OneLogin's SAML toolkits. I used your pysaml2 library when I was working at Yaco with Lorenzo Gil and saw you at Terena conferences.

At python-saml I used dm.xmlsec.binding, so it only works on Python 2.X.

After experiencing some installation problems and requests for Python 3 support, I wanted to release a new version of the same toolkit based on a Python 3 compatible solution.

@bgaifullin, who currently helps support python-xmlsec, did a great job and helped me migrate part of the code, and python3-saml appeared, based on python-xmlsec instead of dm.xmlsec.binding, working on Python 2 and Python 3.

@mehcode, the main maintainer of python-xmlsec, has his own SAML library.

So nowadays SAML developers have several alternatives :)

Best regards and thanks for your contributions.

pitbulk avatar Feb 14 '16 05:02 pitbulk

The final solution for this kind of problem would be converting (using openssl) a key (or certificate) encoded with a password to one without.

openssl rsa -in [original.key] -out [new.key]

peppelinux avatar Sep 05 '20 22:09 peppelinux

@c00kiemon5ter can we close this or do you want to follow it to implement this feature?

peppelinux avatar Oct 09 '20 22:10 peppelinux