pysaml2 icon indicating copy to clipboard operation
pysaml2 copied to clipboard
verified publisher icon IdentityPython

[WiP] Disable weak xmlsec algorithms

Open peppelinux opened this issue 6 years ago • 5 comments

This PR aims to implement a blacklist parameter for xml algs, as discussed here:

  • https://github.com/IdentityPython/pysaml2/issues/421
  • https://github.com/IdentityPython/pysaml2/pull/626/files

Confguration parameter can be declared as follow:

SAML_IDP_CONFIG = {
    'debug' : True,
    'xmlsec_binary': get_xmlsec_binary(['/opt/local/bin', '/usr/bin/xmlsec1']),
    'xmlsec_disabled_algs': ('http://www.w3.org/2001/04/xmldsig-more#md5',
                             'http://www.w3.org/2001/04/xmldsig-more#rsa-md5'),
    ...

All Submissions:

  • [x] Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • [x] Have you added an explanation of what problem you are trying to solve with this PR?
  • [x] Have you added information on what your changes do and why you chose this as your solution?
  • [ ] Have you written new tests for your changes?
  • [x] Does your submission pass tests?
  • [x] This project follows PEP8 style guide. Have you run your code against the 'flake8' linter?

peppelinux avatar Aug 01 '19 12:08 peppelinux

Digest and signing are different operations. We should not mix them together. This should be configured separately for the two.

c00kiemon5ter avatar Aug 01 '19 13:08 c00kiemon5ter

The metadata is just declaring something. We should prohibit actually using the algos when they are going to be used to sign docs or create digests.

c00kiemon5ter avatar Aug 01 '19 13:08 c00kiemon5ter

Digest and signing are different operations. We should not mix them together. This should be configured separately for the two.

I understand but they are xmlsec's algs, so we could handle them in a unique parameter. This will simplify user's approach.. but somethings sounds to me that this solution won't like to you :) It can be done both ways, just discuss it together first.

The metadata is just declaring something. We should prohibit actually using the algos when they are going to be used to sign docs or create digests.

I agree and this is just a basic implementation to start from. I saw how xmlsec is used in pysaml and I think that it would be better to handle this new born parameter together with the upcoming (?) xmlsec-handler refactor. Have you already choose a xmlsec API handler? This would be the point to start from, coupling in it this PR

peppelinux avatar Aug 01 '19 13:08 peppelinux

I'd also put some reference here as personal notes:

  • sigver.CryptoBackendXmlSec1.init, actually do not handle config directly but takes **kwargs;
  • sigver.security_context, get configuration as paramenters. In it calls sigver.security_context that initialize sigver.CryptoBackendXmlSec1
  • entity.Entity.sign get sign_alg and digest_alg as arguments (validate these in relation to blacklist)
  • entity.Entity().sec = security_context(self.config)

Also: sigver.SecurityContext().metadata handles metadata...

peppelinux avatar Aug 01 '19 13:08 peppelinux

pyXMLsecurity is an alternative to xmlsec1, just need to have an example

https://github.com/IdentityPython/pyXMLSecurity

it only have signing features and no crypto: https://github.com/IdentityPython/pyXMLSecurity/blob/master/src/xmlsec/crypto.py

peppelinux avatar Aug 20 '19 13:08 peppelinux