
Problem with signing with ECDSA key

Open kuter opened this issue 5 years ago • 4 comments

What I'm trying to do is integrate with a SAML IdP which requires a signing certificate with an ECDSA key. I've already run the code from example/ with RSA keys and everything works as I expect.

Code Version

  • pysaml2 6.1.0
  • xmlsec1 1.2.30

Expected Behavior

Send a signed XML request to the IdP using xmlsec1.

Current Behavior

I'm using a modified version of sp_conf.example; I've made a few changes and my config looks like:

from saml2 import BINDING_HTTP_ARTIFACT, BINDING_HTTP_POST, BINDING_HTTP_REDIRECT
from saml2.entity_category.edugain import COC
from saml2.saml import NAME_FORMAT_URI
from saml2.sigver import get_xmlsec_binary

# Placeholders left undefined in the posted snippet; set them for your deployment.
BASE = "http://localhost:8087"
ASSERTION_CONSUMER_SERVICE = "%s/acs" % BASE
xmlsec_path = get_xmlsec_binary()

CONFIG = {
    "entityid": "ENTITY_ID",
    "entity_category": [COC],
    "description": "Example SP",
    "service": {
        "sp": {
            "want_response_signed": False,
            "authn_requests_signed": True,
            "logout_requests_signed": True,
            "endpoints": {
                "assertion_consumer_service": [
                    (ASSERTION_CONSUMER_SERVICE, BINDING_HTTP_ARTIFACT)
                ],
                "single_logout_service": [
                    ("%s/slo/redirect" % BASE, BINDING_HTTP_REDIRECT),
                    ("%s/slo/post" % BASE, BINDING_HTTP_POST),
                ],
            },
        },
    },
    "key_file": "pki/sig_ec.key",  # ECDSA key
    "cert_file": "pki/sig_ec.pem",  # trailing comma was missing in the posted snippet
    "xmlsec_binary": xmlsec_path,
    "delete_tmpfiles": False,  # keep the xmlsec1 input/output files for debugging
    "metadata": {
        "remote": [
            {
                "url": "https://link.to/metadata",
            },
        ],
    },
    "name_form": NAME_FORMAT_URI,
}

Now when I try to log in I get this error:

curl http://localhost:8087
Failed to construct the AuthnRequest: ['/usr/bin/xmlsec1', '--sign', '--privkey-pem', 'pki/sig_ec.key', '--id-attr:ID', 'urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest', '--node-id', 'id-idFLrq2sBQ7DzpM5d', '--output', '/tmp/tmpf03ehong.xml', '/tmp/tmph4baetl4.xml']

Steps to Reproduce

Try to sign a request with ECDSA key.

kuter avatar Aug 28 '20 10:08 kuter

Which distribution / xmlsec1 release are you using?

peppelinux avatar Sep 06 '20 01:09 peppelinux

I'm using xmlsec1 1.2.30 from the openSUSE Tumbleweed repositories, but according to the docs https://www.aleksey.com/xmlsec/xmldsig.html xmlsec1 does not support the ECDSA security algorithm at all.

kuter avatar Sep 07 '20 05:09 kuter

Bad news: you should consider building a new CryptoBackend! Replacing xmlsec1 with something different has often been discussed, but there is still nothing on the horizon.

peppelinux avatar Sep 11 '20 22:09 peppelinux

There seems to be some support for ECDSA signatures:

$ xmlsec1 --version
xmlsec1 1.2.30 (openssl)

$ xmlsec1 --list-transforms | grep -io ecdsa........
ecdsa-sha1","
ecdsa-sha224"
ecdsa-sha256"
ecdsa-sha384"
ecdsa-sha512"

see also,

  • https://github.com/lsh123/xmlsec/issues?q=ecdsa
  • https://www.aleksey.com/pipermail/xmlsec/2017/010120.html

I have not tested it, but it might be worth trying out to support this.

c00kiemon5ter avatar Sep 29 '20 11:09 c00kiemon5ter
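A check worth running before building a new backend, as an added example that is not code from pysaml2 or from any commenter in this thread: `xmlsec1 --sign` takes the key from `--privkey-pem` but signs with whatever algorithm the `<ds:SignatureMethod>` in the supplied template names, and it refuses a key whose type does not match that algorithm. pysaml2 writes that template itself (an RSA method by default, as far as I know), so the template handed to xmlsec1 has to name an ecdsa-* method when key_file is an EC key. The stand-alone script below reads the algorithm OID out of a PEM private key (legacy `EC PRIVATE KEY` / `RSA PRIVATE KEY` labels, or a PKCS#8 `PRIVATE KEY` block parsed with a minimal DER reader), picks the matching SignatureMethod URI, and emits the enveloped-signature template. The sample keys it builds are constructed PKCS#8 structures with dummy octets, not real key material; the helper names and the choice of SHA-256 are this example's own.

```python
"""Pick the XML-DSig SignatureMethod that matches the private key before handing a
<ds:Signature> template to xmlsec1.  Added example, not pysaml2 code."""
import base64
import re

# Algorithm URIs; the ecdsa-* names are the ones `xmlsec1 --list-transforms` reports.
SIG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SIG_ECDSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
OID_RSA = "1.2.840.113549.1.1.1"  # rsaEncryption
OID_EC = "1.2.840.10045.2.1"      # id-ecPublicKey


def _der_tlv(data, offset=0):
    """Read one DER tag/length/value at offset; return (tag, value, next_offset)."""
    tag, length, offset = data[offset], data[offset + 1], offset + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, offset = int.from_bytes(data[offset:offset + n], "big"), offset + n
    return tag, data[offset:offset + length], offset + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def key_algorithm_oid(pem):
    """Algorithm OID of a PEM private key.  Legacy OpenSSL labels map directly; PKCS#8
    is parsed as PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, ... }."""
    m = re.search(r"-----BEGIN (.+?)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label == "EC PRIVATE KEY":
        return OID_EC
    if label == "RSA PRIVATE KEY":
        return OID_RSA
    if label != "PRIVATE KEY":
        raise ValueError("unsupported PEM label: %s" % label)
    tag, pki, _ = _der_tlv(base64.b64decode("".join(body.split())))
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo is not a SEQUENCE")
    _, _, off = _der_tlv(pki)          # version INTEGER
    _, alg_id, _ = _der_tlv(pki, off)  # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _der_tlv(alg_id)     # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def signature_method_for_key(pem):
    """xmlsec1 rejects a key whose type differs from SignatureMethod: derive the URI from the key."""
    oid = key_algorithm_oid(pem)
    if oid == OID_EC:
        return SIG_ECDSA_SHA256
    if oid == OID_RSA:
        return SIG_RSA_SHA256
    raise ValueError("no XML-DSig SignatureMethod known for key algorithm %s" % oid)


def signature_template(sign_alg, digest_alg=DIGEST_SHA256, ref_uri=""):
    """Enveloped-signature template for `xmlsec1 --sign`; DigestValue and SignatureValue are
    left empty for xmlsec1 to fill.  KeyInfo is omitted here (pysaml2 adds the certificate)."""
    return (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="%s"/><ds:Reference URI="%s"><ds:Transforms>'
        '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
        '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>'
        '<ds:DigestMethod Algorithm="%s"/><ds:DigestValue/></ds:Reference></ds:SignedInfo>'
        "<ds:SignatureValue/></ds:Signature>"
    ) % (sign_alg, ref_uri, digest_alg)


# Constructed sample keys (dummy octets, no real key material) so the script runs offline.
def _der(tag, payload):
    return bytes([tag, len(payload)]) + payload  # short-form length is enough here


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append((arc & 0x7F) | 0x80)
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_pkcs8_pem(alg_oid, params_oid=None):
    alg = _der(0x06, _encode_oid(alg_oid))
    if params_oid:
        alg += _der(0x06, _encode_oid(params_oid))
    pki = _der(0x30, _der(0x02, b"\x00") + _der(0x30, alg) + _der(0x04, b"\x00" * 4))
    return "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % base64.b64encode(pki).decode()


CONSTRUCTED_EC_PEM = constructed_pkcs8_pem(OID_EC, "1.2.840.10045.3.1.7")  # prime256v1 parameters
CONSTRUCTED_RSA_PEM = constructed_pkcs8_pem(OID_RSA)

if __name__ == "__main__":
    for name, pem in (("ec", CONSTRUCTED_EC_PEM), ("rsa", CONSTRUCTED_RSA_PEM)):
        print(name, signature_method_for_key(pem))
```

With a real key, point `key_algorithm_oid` at the file named in key_file, embed the returned template in the AuthnRequest, and run the same `xmlsec1 --sign --privkey-pem ... --id-attr:ID ... --node-id ...` command that appears in the error above; if the signed output verifies with `xmlsec1 --verify` and the IdP's ecdsa-sha256 support, the remaining work is getting pysaml2 to emit that SignatureMethod rather than its default.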