IdentityPython / pysaml2

Python implementation of SAML2
Apache License 2.0

PySAML2 not using signing_algorithm from sp service #963

Open openbrian opened 4 months ago

openbrian commented 4 months ago

sp specific algorithms not being used

Code Version

7.4

Expected Behavior

https://pysaml2.readthedocs.io/en/latest/howto/config.html#signing-algorithm should be used as demonstrated.

Current Behavior

The default algorithm is used. This is sha1. Sha1 in FIPS mode (openssl) is not permitted. xmlsec1 will crash or error out. I'll put error messages in a comment.

Possible Solution

In Entity constructor, when getting the algorithms from the config, include the context which is self.entity_type.

Or, alter config getattr such that if context is specified, look there first. If the attribute is not there, then look it up (inherit) from one level up.

And/Or, drop the {context}{attr}, and stick with nested dictionaries.

Or, set the default algorithm to be anything but sha1 which is considered insecure.

Steps to Reproduce

Use PySAML2 with OpenSSL in FIPS mode. Otherwise pretty generic config. Set authn_requests_signed to true.
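The lookup the report asks for (service-specific value first, top-level value second, library default last) written as a stand-alone illustration. This is an added example, not pysaml2's own `Config.getattr`; the `lookup`/`resolve_signing_algorithm` helpers, the nested dict shape and the sample config are assumptions, and the two algorithm URIs are the standard XML-DSig identifiers.

```python
"""Context-aware signing-algorithm lookup (hypothetical, not pysaml2 code)."""

# Standard XML-DSig algorithm identifiers.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"          # the default the issue complains about
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Digests a FIPS-mode OpenSSL refuses for signing (sha1 per the xmlsec1 errors above).
FIPS_BLOCKED = {RSA_SHA1}


def lookup(config, attr, context=None, default=None):
    """Return config["service"][context][attr] if set, else config[attr], else default.

    The 'inherit one level up' behaviour proposed in the issue: a service-specific
    (sp/idp) setting wins, otherwise the top-level setting, otherwise the default.
    """
    if context is not None:
        value = config.get("service", {}).get(context, {}).get(attr)
        if value is not None:
            return value
    return config.get(attr, default)


def resolve_signing_algorithm(config, entity_type, contextual=True):
    """Resolve the signing algorithm an entity would use.

    contextual=False mirrors the reported behaviour (context ignored, so the
    sp-specific value is never seen); contextual=True mirrors the proposed fix.
    """
    context = entity_type if contextual else None
    return lookup(config, "signing_algorithm", context, default=RSA_SHA1)


def fips_allowed(algorithm):
    """True if the algorithm's digest is acceptable under FIPS-mode OpenSSL."""
    return algorithm not in FIPS_BLOCKED


# Constructed sample: sp-only override, no top-level signing_algorithm.
SP_ONLY_CONFIG = {
    "entityid": "https://sp.example.org/metadata",  # placeholder
    "service": {"sp": {"authn_requests_signed": True, "signing_algorithm": RSA_SHA256}},
}

# Constructed sample: top-level setting only, which the sp section should inherit.
TOP_LEVEL_CONFIG = {
    "entityid": "https://sp.example.org/metadata",  # placeholder
    "signing_algorithm": RSA_SHA256,
    "service": {"sp": {"authn_requests_signed": True}},
}
```

With `SP_ONLY_CONFIG`, the non-contextual path falls through to RSA-SHA1, which `fips_allowed` rejects, while the contextual path picks up the sp override.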

openbrian commented 4 months ago

func=xmlSecOpenSSLEvpSignatureExecute:file=evp_signatures.c: line=562:obj=rsa-sha1: subj=EVP_SignFinal: error=4:crypto library function failed:openssl error: error:1C8000AE:Provider routines::digest not allowed

func=xmlSecTransformDefaultPushBin:file=transforms.c: line=1934:obj=rsa-sha1: subj=xmlSecTransformExecute: error=1:xmlsec library function failed:final=1

func=xmlSecTransformIOBufferClose:file=transforms.c: line=2563:obj=rsa-sha1: subj=xmlSecTransformPushBin: error=1:xmlsec library function failed:

openbrian commented 4 months ago

Also interesting how the config context gets clobbered here.

https://github.com/IdentityPython/pysaml2/blob/7cb4f09dce87a7e8098b9c7552ebab8bc77bc896/src/saml2/config.py#L262

https://github.com/IdentityPython/pysaml2/blob/7cb4f09dce87a7e8098b9c7552ebab8bc77bc896/src/saml2/config.py#L263