pysaml2
Using AES instead of DES-192 for Encryption
When encrypting the SAML message, the configuration passed to xmlsec seems to use DES-192.
This is the command that's run:
```
/usr/local/bin/xmlsec1 --encrypt --pubkey-cert-pem /var/folders/pg/cghxqls97rdb6dltkcy3v_2h0000gn/T/tmpwihgq3id --session-key des-192 --xml-data /var/folders/pg/cghxqls97rdb6dltkcy3v_2h0000gn/T/tmpvs7obw71 --node-xpath /*[local-name()='Response']/*[local-name()='EncryptedAssertion']/*[local-name()='Assertion'] --output /var/folders/pg/cghxqls97rdb6dltkcy3v_2h0000gn/T/tmp8epggsyb.xml /var/folders/pg/cghxqls97rdb6dltkcy3v_2h0000gn/T/tmp6oe7y7_2
```
Is it possible to use AES instead of DES-192? It seems like DES is hardcoded into the code and I can't find where to change it from the requirements.
Code Version
pysaml2==7.0.1
Expected Behavior
Have some way of configuring which algorithm is used for encryption
It's a default parameter in the code, here:
- https://github.com/IdentityPython/pysaml2/blob/a9a4fe9601cac56917e38197c177772084dc5ce0/src/saml2/sigver.py#L1243
- https://github.com/IdentityPython/pysaml2/blob/a9a4fe9601cac56917e38197c177772084dc5ce0/src/saml2/sigver.py#L757
I think that we could use an option in the general configuration to handle this behaviour.
Consider also the enc template: https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/data/templates/template_enc.xml
So does the code even support AES? Will changing key_type from des-192 to, say, AES-128 work? @peppelinux
Try it, go ahead and share results; we can work on a pull request for that.
I agree that we should review this and change it (or make it configurable)
@c00kiemon5ter / @peppelinux do you have any plans considering this issue?
I don't have any updates; formally we should assign this issue to a developer and they should present a PR. Are there any candidates?
Hope to talk about this during the next idpy call. Thank you melanger for having pointed this out.
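The two places the thread points at (the `--session-key` default in sigver.py and the `EncryptionMethod` in template_enc.xml) have to agree, or xmlsec1 will be asked for one session key while the template declares another algorithm. The following is an added example, not pysaml2's code: it builds the xmlsec1 encrypt command with a configurable session key, rewrites the data `EncryptionMethod` in an encryption template to match, and checks that the two are consistent. The function names, the `DEFAULT_SESSION_KEY` value and the `SAMPLE_TEMPLATE` (constructed in the shape of pysaml2's template_enc.xml, not copied from it) are assumptions; the session-key names are the ones xmlsec1's `--session-key` accepts, so the example covers AES-192 and AES-256 as well as the AES-128 asked about above.

```python
"""Configurable xmlsec1 session-key selection, with the encryption template kept in sync.

Added example; not part of pysaml2. Function names and the sample template are
assumptions made for illustration.
"""
import xml.etree.ElementTree as ET

XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"
XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# xmlsec1 --session-key names -> XML Encryption algorithm URI that the
# template's <EncryptionMethod> must declare for the same session key.
SESSION_KEY_ALGORITHMS = {
    "des-192": XMLENC_NS + "tripledes-cbc",   # value seen in the issue's command
    "aes-128": XMLENC_NS + "aes128-cbc",
    "aes-192": XMLENC_NS + "aes192-cbc",
    "aes-256": XMLENC_NS + "aes256-cbc",
}

# Assumed default for a configurable option; des-192 is what the issue reports.
DEFAULT_SESSION_KEY = "aes-256"

# Constructed sample in the shape of an xmlenc template: the outer
# EncryptionMethod is the data (session-key) algorithm, the inner one under
# EncryptedKey is the key-transport algorithm and is deliberately left alone.
SAMPLE_TEMPLATE = (
    '<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" '
    'Type="http://www.w3.org/2001/04/xmlenc#Element">'
    '<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>'
    '<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><EncryptedKey>'
    '<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>'
    '<KeyInfo><KeyName/></KeyInfo><CipherData><CipherValue/></CipherData>'
    '</EncryptedKey></KeyInfo><CipherData><CipherValue/></CipherData>'
    '</EncryptedData>'
)

ET.register_namespace("", XMLENC_NS)
ET.register_namespace("ds", XMLDSIG_NS)


def is_supported_session_key(name):
    """True if xmlsec1 knows this --session-key value and we know its URI."""
    return name in SESSION_KEY_ALGORITHMS


def build_encrypt_argv(xmlsec_binary, cert_file, data_file, node_xpath,
                       output_file, template_file, session_key=DEFAULT_SESSION_KEY):
    """Return the xmlsec1 argv in the same shape as the command in the issue,
    with the session key taken from configuration instead of being hardcoded."""
    if not is_supported_session_key(session_key):
        raise ValueError(
            f"unsupported session key {session_key!r}; "
            f"choose one of {sorted(SESSION_KEY_ALGORITHMS)}")
    return [
        xmlsec_binary, "--encrypt",
        "--pubkey-cert-pem", cert_file,
        "--session-key", session_key,
        "--xml-data", data_file,
        "--node-xpath", node_xpath,
        "--output", output_file,
        template_file,  # the encryption template is the positional argument
    ]


def encryption_method_of(template_xml):
    """Algorithm URI declared by the data EncryptionMethod (direct child of EncryptedData)."""
    root = ET.fromstring(template_xml)
    method = root.find(f"{{{XMLENC_NS}}}EncryptionMethod")
    if method is None:
        raise ValueError("template has no data EncryptionMethod")
    return method.get("Algorithm")


def set_encryption_method(template_xml, session_key):
    """Rewrite the data EncryptionMethod so it matches the chosen session key."""
    root = ET.fromstring(template_xml)
    method = root.find(f"{{{XMLENC_NS}}}EncryptionMethod")
    if method is None:
        raise ValueError("template has no data EncryptionMethod")
    method.set("Algorithm", SESSION_KEY_ALGORITHMS[session_key])
    return ET.tostring(root, encoding="unicode")


def session_key_matches_template(argv, template_xml):
    """Consistency check: the --session-key flag and the template must agree."""
    session_key = argv[argv.index("--session-key") + 1]
    return SESSION_KEY_ALGORITHMS.get(session_key) == encryption_method_of(template_xml)


if __name__ == "__main__":
    argv = build_encrypt_argv("/usr/local/bin/xmlsec1", "cert.pem", "data.xml",
                              "/*[local-name()='Response']", "out.xml", "tmpl.xml")
    print(" ".join(argv))
    print("template consistent before rewrite:",
          session_key_matches_template(argv, SAMPLE_TEMPLATE))
    print("template consistent after rewrite:",
          session_key_matches_template(argv, set_encryption_method(SAMPLE_TEMPLATE, DEFAULT_SESSION_KEY)))
```

Only the outer `EncryptionMethod` is rewritten; the inner one under `EncryptedKey` is the RSA key-transport algorithm and is unrelated to the session-key choice. The consistency check is the part worth wiring into a test, since a future change to either the default or the template alone would otherwise go unnoticed until xmlsec1 fails at runtime.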