SAML-Toolkits / python3-saml

MIT License

python3-saml not compatible w. python-xmlsec > 1.0.9 and xmlsec1 1.2.33 ? #291

Closed Hanserfaust closed 2 years ago

Hanserfaust commented 2 years ago

Regarding released version 1.12.0

Python 3.9, macOS 11.6, brew-installed xmlsec1 (1.2.33)

What triggered my error?

Signature error during SAML2 flow (redirect back to SP), using the flask demo application vs. Keycloak:

validate_node_sign()

returns False,

Debugging leads me to the call xmlsec.Key.from_memory() raising an exception (but the decorator that just returns False was hiding the root cause).

Investigation: Invalid library versions?

In setup.py

https://github.com/onelogin/python3-saml/blob/master/setup.py#L43

req. says xmlsec >= 1.0.5

But as of today (Dec 2021), just installing the latest xmlsec (1.3.12) will not work with python3-saml (or more specifically, function validate_node_sign() will not work)

Digging around in the python-xmlsec git repo I found that after xmlsec version 1.0.9 it was refactored (or updated for a new libxml1 version?) and at least some constants are not valid anymore, for example (my bug):

https://github.com/onelogin/python3-saml/blob/master/src/onelogin/saml2/utils.py#L970

Code: dsig_ctx.key = xmlsec.Key.from_memory(cert, xmlsec.KeyFormat.CERT_PEM, None)

xmlsec.KeyFormat does not exist anymore (not crystal clear where it was defined as it builds on a C-source):

https://github.com/mehcode/python-xmlsec/tree/1.0.8/src

In later versions (1.3.12 below) my guess is it was replaced with

xmlsec.constants.KeyDataFormatPem https://github.com/mehcode/python-xmlsec/blob/1.3.12/src/xmlsec/constants.pyi#L27

I would suggest changing setup.py for python3-saml to say xmlsec <= 1.0.9?

However, on my Mac on libxmlsec 1.2.33

pip install xmlsec==1.0.9

fails to build/install since I'm on libxml1 1.2.33.

A possible next step would be to downgrade the libxml1 library to 1.2.14 (as per your recommendations in the README.md here on GitHub), but I'm not sure I would like to go down that path as a viable solution for us, since that would put us on old code bases from around 2017-2018, not optimal for a SAML solution in my opinion.

Hanserfaust commented 2 years ago

Solved and closing issue: after post-Xmas debugging, I successfully ran the unit test suite of python3-saml against python-xmlsec 1.3.12.

I was thrown under the bus since xmlsec.KeyFormat was not explicitly defined in later versions, in combination with the quite anonymous error codes of the library. The root cause of my problem was a malformed certificate.
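The thread ends with a malformed certificate hidden behind a wrapper that only returned False. The following is an added example, not code from python3-saml, python-xmlsec or the poster: a standard-library pre-flight check that validates the PEM framing, the base64 body and the outer DER SEQUENCE header of a certificate and reports why it is rejected, plus an optional loader that hands the certificate to xmlsec and re-raises xmlsec's error with context instead of swallowing it. The sample PEM inputs are constructed (a minimal DER SEQUENCE standing in for a real certificate, so only outer structure is checked), and the 1.3.x constant name xmlsec.constants.KeyDataFormatCertPem and the exception class xmlsec.Error are assumed for the optional part, which is not exercised unless xmlsec is installed.

```python
"""Pre-flight checks for a PEM certificate before it reaches xmlsec.

Added example (not python3-saml / python-xmlsec code). Goal: turn an
opaque "signature invalid" into a concrete reason such as a truncated
base64 body or a missing END marker.
"""
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


class MalformedCertificate(ValueError):
    """Raised with a human-readable reason instead of a bare False."""


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and strictly base64-decode the body."""
    m = PEM_RE.search(pem)
    if not m:
        raise MalformedCertificate("missing BEGIN/END CERTIFICATE markers")
    body = re.sub(r"\s+", "", m.group(1))
    try:
        # validate=True rejects stray characters that a lenient decode would skip
        return base64.b64decode(body, validate=True)
    except binascii.Error as e:
        raise MalformedCertificate(f"body is not valid base64: {e}") from None


def check_der_certificate(der: bytes) -> int:
    """Check the outer TLV: an X.509 certificate is a DER SEQUENCE (tag 0x30)
    with a definite length that must cover exactly the remaining bytes.
    Returns the declared content length."""
    if len(der) < 2 or der[0] != 0x30:
        raise MalformedCertificate("DER does not start with a SEQUENCE tag")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        length, hdr = first, 2
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise MalformedCertificate("invalid DER length encoding")
        length = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    if hdr + length != len(der):
        raise MalformedCertificate(
            f"DER length mismatch: header says {length} bytes, got {len(der) - hdr}"
        )
    return length


def load_cert_pem(pem: str) -> bytes:
    """Run both checks; return the DER bytes or raise MalformedCertificate."""
    der = pem_to_der(pem)
    check_der_certificate(der)
    return der


def diagnose(pem: str) -> str:
    """Return 'ok' or the reason the certificate would be rejected."""
    try:
        load_cert_pem(pem)
    except MalformedCertificate as e:
        return str(e)
    return "ok"


def xmlsec_key_from_pem(pem: str):
    """Optional: load into xmlsec only after the pre-flight check passes.
    Assumes python-xmlsec >= 1.3 (xmlsec.constants.KeyDataFormatCertPem,
    xmlsec.Error); requires xmlsec to be installed."""
    import xmlsec  # assumed optional dependency

    load_cert_pem(pem)  # raises MalformedCertificate with a reason first
    try:
        return xmlsec.Key.from_memory(pem, xmlsec.constants.KeyDataFormatCertPem, None)
    except xmlsec.Error as e:
        # surface the library error instead of collapsing it to False
        raise MalformedCertificate(f"xmlsec rejected certificate: {e}") from e


def _pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(der).decode() + "\n"
            + "-----END CERTIFICATE-----\n")


# Constructed inputs: SEQUENCE { INTEGER 1 } stands in for a real certificate.
GOOD_DER = bytes.fromhex("3003020101")
GOOD_PEM = _pem(GOOD_DER)
TRUNCATED_PEM = _pem(GOOD_DER[:-1])                     # last DER byte lost
NO_END_MARKER_PEM = GOOD_PEM.replace("-----END CERTIFICATE-----", "")
BAD_BASE64_PEM = GOOD_PEM.replace("MAMC", "MA$C")         # illegal character

if __name__ == "__main__":
    for name, pem in [("good", GOOD_PEM), ("truncated", TRUNCATED_PEM),
                      ("no-end-marker", NO_END_MARKER_PEM), ("bad-base64", BAD_BASE64_PEM)]:
        print(f"{name:14s} {diagnose(pem)}")
```

Running the module prints one line per constructed input; only the first reads ok, the others name the exact defect. In a validate_node_sign-style wrapper, the useful change is the same one the loader makes: log or re-raise the underlying reason before returning False.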