pysaml2 does not support certificate passwords

[erickt]

It appears that pysaml2 does not support certificates with passwords, which results in OpenSSL prompting for a password when the certificate is parsed. I don't think it'd be terribly hard to support, we would just have to update every instance of RSA.importKey to pass in an optionally configured passphrase.

[rohe]

30 okt 2015 kl. 10:52 skrev Erick Tryzelaar notifications@github.com:

It appears that pysaml2 does not support certificates with passwords, which results in OpenSSL prompting for a password when the certificate is parsed. I don’t think it'd be terribly hard to support, we would just have to update every instance of RSA.importKey to pass in an optionally configured passphrase.

I’d appreciate if you would send in a pull request otherwise I will do it but not within the next week.

— Roland
'Look, that's why there's rules, understand? So that you think before you break ’em.’ - Terry Pratchett

[erickt]

Hello @rohe: I'm slowly working on a PR. Current challenge is that xmlsec1 currently only allows passwords to be passed in on the commandline, or through an interactive prompt. The former is insecure, since one could either see the argument with ps or in the .bash_history, the latter requires using a PTY, which makes it not portable to some OSs. The right solution is probably to switch over to using python-xmlsec and exposing the xmlsec API that passes the password along to the underlying library. For hue, we're probably first going to implement the PTY approach for the short term, and then over time implement the python-xmlsec. Would you be interested in the PTY? If not, I can just patch my fork, and then upstream the python-xmlsec version once it's done.

[rohe]

Hi Erick,

2 nov 2015 kl. 13:24 skrev Erick Tryzelaar notifications@github.com:

Hello @rohe: I'm slowly working on a PR. Current challenge is that xmlsec1 currently only allows passwords to be passed in on the commandline, or through an interactive prompt. The former is insecure, since one could either see the argument with ps or in the .bash_history, the latter requires using a PTY, which makes it not portable to some OSs. The right solution is probably to switch over to using python-xmlsec and exposing the xmlsec API that passes the password along to the underlying library. For hue, we're probably first going to implement the PTY approach for the short term, and then over time implement the python-xmlsec. Would you be interested in the PTY?

I would.

If not, I can just patch my fork, and then upstream the python-xmlsec version once it's done.

I’d like to have the python-xmlsec version too.
When I started implementing pysaml2, python-xmlsec was in such a bad state that I didn’t really
consider it to be a viable option. If it’s better today I’d really like to have it as an option beside xmlsec.

— Roland
'Look, that's why there's rules, understand? So that you think before you break ’em.’ - Terry Pratchett

[erickt]

Unfortunately I don't actually know the state of python-xmlsec. It seems to have some fairly regular downloads (1289 in the past month), but I'm not personally familiar with the project.

[rectalogic]

dm.xmlsec.binding might be an alternative to python-xmlsec. Onelogin python-saml uses it https://github.com/onelogin/python-saml/blob/master/src/onelogin/saml2/utils.py#L712

[rohe]

14 jan 2016 kl. 19:01 skrev Andrew Wason notifications@github.com:

dm.xmlsec.binding might be an alternative to python-xmlsec. Onelogin python-saml uses it https://github.com/onelogin/python-saml/blob/master/src/onelogin/saml2/utils.py#L712

Do you know anything about their plans to support Python 3.X ?
They only list support for 2.4, 2.6 and 2.7 now.

— Roland

[erickt]

Just to let you know, in Hue we've implemented a short term solution in our fork of pysaml2. It decrypts the certificate in memory, then passes it to xmlsec1 through a named pipe. I didn't submit it here for review because this technique only works on POSIX systems, and I'm not sure if pysaml2 supports Windows.

[rohe]

22 jan 2016 kl. 19:23 skrev Erick Tryzelaar notifications@github.com:

Just to let you know, in Hue we've implemented a short term solution in our fork of pysaml2. It decrypts the certificate in memory, then passes it to xmlsec1 through a named pipe. I didn't submit it here for review because this technique only works on POSIX systems, and I'm not sure if pysaml2 supports Windows.

I and my group are mainly concerned with *nix based systems.
I would prefer if we didn’t, well ware of the consequences, add something that would make it impossible to use pysaml2 on Windows.

If you could add certificate password support such that it would work on a POSIX system but not be available on other systems I would gladly accept such a pull request.

”Everybody should be quiet near a little stream and listen."
From ’Open House for Butterflies’ by Ruth Krauss

[erickt]

@rohe: Yeah that would be the best solution. We thought though that we wouldn't have the time to validate saml using a new xmlsec library for our next release. Long term we're hoping switching pysaml2 to a python binding of xmlsec like dm.xmlsec.binding would be the better option.

[rohe]

11 feb 2016 kl. 19:22 skrev Erick Tryzelaar notifications@github.com:

@rohe: Yeah that would be the best solution. We thought though that we wouldn't have the time to validate saml using a new xmlsec library for our next release. Long term we're hoping switching pysaml2 to a python binding of xmlsec like dm.xmlsec.binding would be the better option.

Agree !
The reason for me not to use the python bindings for xmlsec when I started this project almost a decade ago was
that the bindings was in such a poor state and I didn’t want to take on the responsibility for keeping them
maintained. That may have changed (the first reason not the second :-)).

— Roland

”Everybody should be quiet near a little stream and listen."
From ’Open House for Butterflies’ by Ruth Krauss

[pitbulk]

Hi @rohe,

I'm the developer of OneLogin's SAML toolkits.
I used your pysaml2 library when I was working at Yaco with Lorenzo Gil and saw you at Terena conferences.

At python-saml I used dm.xmlsec.binding so it only works on Python 2.X

After experience some installing problems and the request of python3 support I wanted to release a new version of the same toolkit based in a python3 compatible solution.

@bgaifullin, that currently help supporting python-xmlsec did a great job and helped me to migrate part of the code, and python3-saml appeared, based on python-xmlsec instead of dm.xmlsec.binding, working on python2 and python3.

@mehcode, the main maintainer of python-xmlsec has its own SAML library

So nowadays SAML developers have several alternatives :)

Best regards and thanks for your contributions.