Using AES instead of DES-192 for Encryption #821

Open
JHoelting opened this issue Aug 23, 2021 · 6 comments · May be fixed by #924
Labels
next-release should become part of the next release

Comments

@JHoelting

When encrypting the SAML message, the configuration passed to xmlsec seems to use DES-192.
This is the command that's run:

/usr/local/bin/xmlsec1 --encrypt --pubkey-cert-pem /var/folders/pg/cghxqls97rdb6dltkcy3v_2h0000gn/T/tmpwihgq3id --session-key des-192 --xml-data /var/folders/pg/cghxqls97rdb6dltkcy3v_2h0000gn/T/tmpvs7obw71 --node-xpath /*[local-name()='Response']/*[local-name()='EncryptedAssertion']/*[local-name()='Assertion'] --output /var/folders/pg/cghxqls97rdb6dltkcy3v_2h0000gn/T/tmp8epggsyb.xml /var/folders/pg/cghxqls97rdb6dltkcy3v_2h0000gn/T/tmp6oe7y7_2

Is it possible to use AES instead of DES-192? It seems like DES is hardcoded into the code, and I can't find where to change it from the requirements.

Code Version

pysaml2==7.0.1

Expected Behavior

Have some way of configuring which algorithm is used for encryption

@peppelinux
Member

It's a default parameter in the code, here:

I think that we could use an option in the general configuration to handle this behaviour.

Consider also the enc template:
https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/data/templates/template_enc.xml
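To make the session-key choice configurable in a wrapper around xmlsec1 and to verify, from the XML that xmlsec1 actually produced, which algorithm was used (the `--session-key` name must also agree with the EncryptionMethod in the enc template), here is an added example. It is not pysaml2's own code; the argv builder, the allow-list and the sample EncryptedAssertion are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# xmlsec1 --session-key names and the XML Encryption URI each one produces
# in <xenc:EncryptionMethod>. des-192 is 3DES: 64-bit block, legacy cipher.
SESSION_KEYS = {
    "des-192": "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
    "aes-128": "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "aes-192": "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
    "aes-256": "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
}
WEAK_SESSION_KEYS = {"des-192"}

def session_key_ok(name, allow_weak=False):
    """True if `name` is a known xmlsec1 session key and acceptable policy-wise."""
    if name not in SESSION_KEYS:
        return False
    return allow_weak or name not in WEAK_SESSION_KEYS

def build_encrypt_argv(xmlsec_bin, cert_pem, xml_data, output, input_file,
                       session_key="aes-256", node_xpath=None, allow_weak=False):
    """Hypothetical wrapper: xmlsec1 argv with the session key taken from
    configuration instead of being fixed to des-192."""
    if not session_key_ok(session_key, allow_weak):
        raise ValueError(f"session key {session_key!r} not allowed by policy")
    argv = [xmlsec_bin, "--encrypt", "--pubkey-cert-pem", cert_pem,
            "--session-key", session_key, "--xml-data", xml_data]
    if node_xpath:
        argv += ["--node-xpath", node_xpath]
    return argv + ["--output", output, input_file]

XENC = "{http://www.w3.org/2001/04/xmlenc#}"

def encryption_algorithms(saml_xml):
    """Algorithm URIs of every EncryptionMethod in an encrypted SAML document,
    so a deployment can check what its SP/IdP really emitted."""
    root = ET.fromstring(saml_xml)
    return [m.get("Algorithm") for m in root.iter(XENC + "EncryptionMethod")]

def uses_3des(saml_xml):
    return SESSION_KEYS["des-192"] in encryption_algorithms(saml_xml)

# Constructed sample (not real output): shape of an EncryptedAssertion as
# produced with --session-key des-192; key transport and ciphertext trimmed.
SAMPLE_3DES = b"""<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
      Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedAssertion>"""
```

Running `uses_3des` over a captured response is a quick way to confirm whether the des-192 default is still in effect after changing the configuration.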

@JHoelting
Author

So does the code even support AES? Will changing key_type from des-192 to, say, AES-128 work? @peppelinux

@peppelinux
Member

Try it, go ahead and share results; we can work on a pull request for that.

@c00kiemon5ter
Member

I agree that we should review this and change it (or make it configurable).

@c00kiemon5ter c00kiemon5ter added the next-release should become part of the next release label Nov 16, 2021
@melanger

@c00kiemon5ter / @peppelinux do you have any plans considering this issue?

@peppelinux
Member

I don't have any updates. Formally, we should assign this issue to a developer, and this should produce a PR. Are there any candidates?

Hope to talk about this during the next idpy call. Thank you, melanger, for having pointed this out.

@xpavlic xpavlic linked a pull request Aug 6, 2023 that will close this issue