pysaml2 incompatible with xmlsec1 version 1.3.0 #906

@chludwig-haufe

Description

On April 12, 2023, xmlsec version 1.3.0 was released; this is also the version you now get by default via, e.g., Homebrew on macOS. The new version brings some breaking changes. I have encountered two changes so far that break pysaml2:

  1. pysaml2 seems to rely on “lax” key binding. For commands that operate on such keys, xmlsec 1.3.0 requires the new command line option --lax-key-search.

    (API breaking change) Changed the key search to strict mode: only keys referenced by KeyInfo are used. To restore the old "lax" mode, set XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH flag on xmlSecKeyInfoCtx or use '--lax-key-search' option for XMLSec command line utility.

  2. The status output of xmlsec adds text before (but on the same line as) the tokens OK or FAIL. This breaks (at least) saml2.sigver.parse_xmlsec_output, which expects these tokens without any prefix or suffix on their respective output lines.

Code Version

pysaml2 7.4.1

Expected Behavior

Successful authentications, no matter whether xmlsec has been updated to the latest (minor) version or not.

Current Behavior

For instance the signing of SAML2 requests and responses fails with an error that says the key was not found.

Possible Solution

I worked around this issue by putting an xmlsec wrapper script into our project that:

  1. inserts the command line option --lax-key-search in the case of the xmlsec1 commands --encrypt, --decrypt, --sign, and --verify;
  2. ensures the tokens OK and FAIL in the xmlsec output are placed on lines of their own.

I consider this wrapper script a stop-gap solution only, though; it might break again anytime there's a new release of xmlsec or pysaml2. An implementation of #886 would be a better fix, IMHO.

Steps to Reproduce

  1. Install xmlsec version 1.3.0.
  2. Configure a pysaml2-based application to use the xmlsec 1.3.0 binary.
  3. Create a signed authentication request.
  4. The signing fails with a "key not found" error.
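
A wrapper of the kind described under "Possible Solution", written out as an added example; it is neither the reporter's script nor part of pysaml2. It assumes the real xmlsec 1.3 binary is at the path given by the environment variable XMLSEC1_REAL (default /usr/bin/xmlsec1; both the variable name and the default are this example's choice) and that pysaml2's xmlsec_binary setting is pointed at this script. The status lines used in the comments and checks are constructed illustrations of the "prefix on the same line" behaviour the report describes, not copied from xmlsec; the script also maps a spelled-out FAILED to FAIL as a defensive broadening the report does not mention. Both stdout and stderr are normalized, so it does not matter which stream carries the status.

```shell
#!/bin/sh
# xmlsec1 wrapper: restore the pre-1.3 behaviour that pysaml2 7.4.1 expects.
# Example code, not pysaml2's. XMLSEC1_REAL (assumed name) must point at the
# real xmlsec 1.3 binary, e.g. /opt/homebrew/bin/xmlsec1 on a Homebrew install.
XMLSEC1_REAL="${XMLSEC1_REAL:-/usr/bin/xmlsec1}"

# The xmlsec1 commands that consult KeyInfo and therefore need lax key search.
needs_lax_key_search() {
    case "$1" in
        --encrypt|--decrypt|--sign|--verify) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the caller already passed --lax-key-search (avoid inserting it twice).
has_lax_key_search() {
    for arg in "$@"; do
        [ "$arg" = "--lax-key-search" ] && return 0
    done
    return 1
}

# Given the full argument list, print the flag to insert after the command
# (or nothing). Kept as a function that prints, so it can be checked on its own.
lax_flag_for() {
    cmd=$1; shift
    if needs_lax_key_search "$cmd" && ! has_lax_key_search "$@"; then
        printf '%s' --lax-key-search
    fi
}

# Collapse a status line such as "Some prefix: OK" (constructed sample) to a
# bare "OK" / "FAIL" on its own line; lines that are already bare are unchanged.
# "FAILED" is folded to "FAIL" as a precaution beyond what the report describes.
normalize_status() {
    sed -E 's/^.*[[:space:]](OK|FAIL)(ED)?[[:space:]]*$/\1/'
}

# Run the real binary with the adjusted argument list, normalize both output
# streams, and preserve its exit status (pysaml2 checks the return code).
run_wrapper() {
    flag=$(lax_flag_for "$@")
    cmd=$1; shift
    set -- "$cmd" ${flag:+"$flag"} "$@"
    out=$(mktemp) || exit 1
    err=$(mktemp) || exit 1
    "$XMLSEC1_REAL" "$@" >"$out" 2>"$err"
    status=$?
    normalize_status <"$out"
    normalize_status <"$err" >&2
    rm -f "$out" "$err"
    exit "$status"
}

# Act as the wrapper only when installed under one of these names; when the
# file is sourced under another name, only the functions above are defined.
case "${0##*/}" in
    xmlsec1|xmlsec1-wrapper) run_wrapper "$@" ;;
esac
```

Install it as, for example, /usr/local/bin/xmlsec1-wrapper, export XMLSEC1_REAL if the real binary is not at the default path, and set `"xmlsec_binary": "/usr/local/bin/xmlsec1-wrapper"` in the pysaml2 configuration. Because the exit status of the real binary is returned unchanged, a genuine signing or verification failure still surfaces as an error in pysaml2.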
