IdentityPython / pysaml2

Python implementation of SAML2
Apache License 2.0

Problem with signing with ECDSA key #712

Open kuter opened 4 years ago

kuter commented 4 years ago

What I'm trying to do is to integrate with a SAML IDP which requires a signing certificate with an ECDSA key. I've already run the code from example/ with RSA keys and everything works as I expect.

Code Version

Expected Behavior

Send a signed XML request to the IDP using xmlsec1.

Current Behavior

I'm using a modified version of sp_conf.example; I've made a few changes and my config looks like:

CONFIG = {
    "entityid": "ENTITY_ID",
    'entity_category': [COC],
    "description": "Example SP",
    "service": {
        "sp": {
            "want_response_signed": False,
            "authn_requests_signed": True,
            "logout_requests_signed": True,
            "endpoints": {
                "assertion_consumer_service": [
                    (ASSERTION_CONSUMER_SERVICE, BINDING_HTTP_ARTIFACT)
                ],
                "single_logout_service": [
                    ("%s/slo/redirect" % BASE, BINDING_HTTP_REDIRECT),
                    ("%s/slo/post" % BASE, BINDING_HTTP_POST),
                ],
            }
        },
    },
    "key_file": "pki/sig_ec.key",  # ECDSA key
    "cert_file": "pki/sig_ec.pem",  # certificate for the ECDSA key
    "xmlsec_binary": xmlsec_path,
    "delete_tmpfiles": False,
    "metadata": {
        "remote": [
            {
                "url": "https://link.to/metadata",
            },
        ],
    },
    "name_form": NAME_FORMAT_URI,
}

Now when I try to log in I get this error:

curl http://localhost:8087
Failed to construct the AuthnRequest: ['/usr/bin/xmlsec1', '--sign', '--privkey-pem', 'pki/sig_ec.key', '--id-attr:ID', 'urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest', '--node-id', 'id-idFLrq2sBQ7DzpM5d', '--output', '/tmp/tmpf03ehong.xml', '/tmp/tmph4baetl4.xml']

Steps to Reproduce

Try to sign a request with ECDSA key.

peppelinux commented 4 years ago

Which distribution / xmlsec1 release are you using?

kuter commented 4 years ago

I'm using xmlsec1 1.2.30 from the openSUSE Tumbleweed repositories, but according to the docs https://www.aleksey.com/xmlsec/xmldsig.html xmlsec1 does not support the ECDSA security algorithm at all.

peppelinux commented 4 years ago

Bad news, you should consider building a new CryptoBackend! Replacing xmlsec1 with something different has often been discussed, but there is still nothing on the horizon.

c00kiemon5ter commented 4 years ago

There seems to be some support for ecdsa sigs:

$ xmlsec1 --version
xmlsec1 1.2.30 (openssl)

$ xmlsec1 --list-transforms | grep -io ecdsa........
ecdsa-sha1","
ecdsa-sha224"
ecdsa-sha256"
ecdsa-sha384"
ecdsa-sha512"

see also,

I have not tested it, but it might be worth trying out to support this.
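The two observations in this thread, that xmlsec1 failed on an EC key without a readable reason and that `xmlsec1 --list-transforms` does list ecdsa-* transforms, suggest a pre-flight check at configuration time. The following is an added example (not code from the thread or from pysaml2) using only the standard library: it reads the PEM label of the configured `key_file` (or, for an unlabelled PKCS#8 "PRIVATE KEY", the algorithm OID inside it) to learn whether the key is RSA or EC, then parses the output of `xmlsec1 --list-transforms` for a matching signature transform and returns the XML-DSig SignatureMethod URIs that could be used. The transforms sample is constructed in the shape the grep output above suggests, the PEM bodies are constructed placeholders, and all function names are mine; `xmlsec_binary` mirrors the config key from the report.

```python
"""Pre-flight check: can this xmlsec1 build sign with the configured private key?

Added example, not pysaml2 code. The goal is to report "EC key but no ecdsa
transform in xmlsec1" at config-load time instead of as a bare failed command
line when the first AuthnRequest is built.
"""
import base64
import re
import subprocess
from typing import Dict, Optional, Set

# XML-DSig / RFC 6931 SignatureMethod URIs, keyed by the short names xmlsec1 lists.
SIGNATURE_METHOD_URIS = {
    "rsa-sha1": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "rsa-sha224": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha224",
    "rsa-sha256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "rsa-sha384": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "rsa-sha512": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "ecdsa-sha1": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
    "ecdsa-sha224": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224",
    "ecdsa-sha256": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
    "ecdsa-sha384": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
    "ecdsa-sha512": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512",
}

# DER-encoded algorithm OIDs found in the AlgorithmIdentifier of a PKCS#8 key.
EC_OID = bytes.fromhex("06072a8648ce3d0201")       # id-ecPublicKey 1.2.840.10045.2.1
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
# Signature transform short names as they appear (quoted) in `xmlsec1 --list-transforms`.
TRANSFORM_RE = re.compile(r"\b((?:rsa|ecdsa|dsa|hmac)-(?:sha\d+|md5|ripemd160))\b")


def key_family(pem_text: str) -> Optional[str]:
    """Return 'ecdsa', 'rsa' or None for a PEM-encoded private key.

    Traditional labels decide directly; for PKCS#8 ("BEGIN PRIVATE KEY") the DER
    body is scanned for the algorithm OID (a heuristic, not a full ASN.1 parse).
    """
    m = PEM_RE.search(pem_text)
    if not m:
        return None
    label, body = m.group(1), m.group(2)
    if label == "EC PRIVATE KEY":
        return "ecdsa"
    if label == "RSA PRIVATE KEY":
        return "rsa"
    if label == "PRIVATE KEY":
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (ValueError, base64.binascii.Error):
            return None
        if EC_OID in der:
            return "ecdsa"
        if RSA_OID in der:
            return "rsa"
    return None  # encrypted PKCS#8 or unknown label: algorithm not visible


def available_signature_transforms(list_transforms_output: str) -> Set[str]:
    """Short names of the signature transforms an xmlsec1 build advertises."""
    return set(TRANSFORM_RE.findall(list_transforms_output))


def usable_signature_methods(family: str, transforms: Set[str]) -> Dict[str, str]:
    """SignatureMethod URIs matching both the key family and the xmlsec1 build."""
    return {name: uri for name, uri in SIGNATURE_METHOD_URIS.items()
            if name.startswith(family + "-") and name in transforms}


def preflight(pem_text: str, list_transforms_output: str) -> dict:
    """Explain, before any request is built, whether signing can work at all."""
    family = key_family(pem_text)
    if family is None:
        return {"ok": False, "family": None, "methods": {},
                "reason": "could not determine the key algorithm from the PEM file"}
    methods = usable_signature_methods(family, available_signature_transforms(list_transforms_output))
    if not methods:
        return {"ok": False, "family": family, "methods": {},
                "reason": f"this xmlsec1 build lists no {family} signature transform"}
    return {"ok": True, "family": family, "methods": methods, "reason": ""}


def run_list_transforms(xmlsec_binary: str = "xmlsec1") -> str:
    """Ask the real binary (the --list-transforms flag is the one used in the thread)."""
    return subprocess.run([xmlsec_binary, "--list-transforms"],
                          capture_output=True, text=True, check=True).stdout


# Constructed samples: a labelled EC key with a placeholder body, a minimal
# PKCS#8-shaped body carrying the EC OID, and transform output in the quoted form
# that the grep in the thread shows.
SAMPLE_EC_KEY_PEM = ("-----BEGIN EC PRIVATE KEY-----\n"
                     "placeholderbodynotarealkey\n"
                     "-----END EC PRIVATE KEY-----\n")
SAMPLE_PKCS8_EC_PEM = ("-----BEGIN PRIVATE KEY-----\n"
                       + base64.b64encode(b"\x30\x0e\x02\x01\x00\x30\x09" + EC_OID).decode()
                       + "\n-----END PRIVATE KEY-----\n")
SAMPLE_LIST_TRANSFORMS = (
    '"rsa-sha1","http://www.w3.org/2000/09/xmldsig#rsa-sha1"\n'
    '"rsa-sha256","http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"\n'
    '"ecdsa-sha1","http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"\n'
    '"ecdsa-sha256","http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"\n'
)

if __name__ == "__main__":
    result = preflight(SAMPLE_EC_KEY_PEM, SAMPLE_LIST_TRANSFORMS)
    print(result["ok"], result["family"], sorted(result["methods"]), result["reason"])
    rsa_only = '"rsa-sha256","http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"\n'
    print(preflight(SAMPLE_EC_KEY_PEM, rsa_only)["reason"])
```

Against a live system, replace the constructed sample with `run_list_transforms(xmlsec_path)` and read the configured key file. The URIs the check returns are the SignatureMethod identifiers the SP would have to put in the request; how pysaml2 is told which one to use is outside what this thread covers, so the check only establishes that the xmlsec1 build and the key agree before that question arises.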