sp specific algorithms not being used
Code Version
7.4
Expected Behavior
https://pysaml2.readthedocs.io/en/latest/howto/config.html#signing-algorithm should be used as demonstrated.
Current Behavior
The default algorithm is used. This is sha1. Sha1 in FIPS mode (openssl) is not permitted. xmlsec1 will crash or error out. I'll put error messages in a comment.
Possible Solution
In Entity constructor, when getting the algorithms from the config, include the context which is self.entity_type.
Or, alter config getattr such that if context is specified, look there first. If the attribute is not there, then look it up (inherit) from one level up.
And/Or, drop the {context}{attr}, and stick with nested dictionaries.
Or, set the default algorithm to be anything but sha1 which is considered insecure.
Steps to Reproduce
Use PySAML2 with OpenSSL in FIPS mode. Otherwise pretty generic config. Set authn_requests_signed to true.
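As an added illustration of the lookup rule proposed under Possible Solution (entity section first, then inherit from one level up, then a default), not pysaml2's own code: the config layout mirrors pysaml2's "service" -> "sp" nesting, the algorithm URIs are the standard XML-DSig identifiers, and the fips_permitted helper and the sample config are constructed for the example.

```python
# Constructed example of the context-first lookup described above; not
# pysaml2's own code. The config layout mirrors pysaml2's nesting
# ("service" -> "sp"/"idp"); the algorithm URIs are the standard XML-DSig ones.
SHA1_SIGN = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA256_SIGN = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"

# The reported behaviour: the fallback is SHA-1. The issue's last suggestion
# is to make the fallback anything but SHA-1, e.g. the SAFE_DEFAULTS below.
LEGACY_DEFAULTS = {"signing_algorithm": SHA1_SIGN, "digest_algorithm": SHA1_DIGEST}
SAFE_DEFAULTS = {"signing_algorithm": SHA256_SIGN, "digest_algorithm": SHA256_DIGEST}

def lookup(config, attr, context=None, defaults=LEGACY_DEFAULTS):
    """Resolve `attr` for an entity: its own section first (if a context such
    as "sp" is given), then one level up (top-level config), then the default."""
    if context is not None:
        section = config.get("service", {}).get(context, {})
        if attr in section:
            return section[attr]
    if attr in config:
        return config[attr]
    return defaults[attr]

def fips_permitted(algorithm_uri):
    """Constructed check standing in for what a FIPS-mode OpenSSL enforces:
    any SHA-1 based algorithm is refused."""
    return not algorithm_uri.lower().endswith("sha1")

# Constructed config: the operator set SHA-256 algorithms only in the SP
# section, as the linked howto demonstrates, and left no top-level value.
CONFIG = {
    "entityid": "https://sp.example.invalid/metadata",  # placeholder
    "service": {
        "sp": {
            "authn_requests_signed": True,
            "signing_algorithm": SHA256_SIGN,
            "digest_algorithm": SHA256_DIGEST,
        }
    },
}

if __name__ == "__main__":
    # Without the context the SP setting is invisible and SHA-1 comes back.
    bug = lookup(CONFIG, "signing_algorithm")
    fix = lookup(CONFIG, "signing_algorithm", context="sp")
    print("no context :", bug, "FIPS ok" if fips_permitted(bug) else "FIPS rejected")
    print("context=sp :", fix, "FIPS ok" if fips_permitted(fix) else "FIPS rejected")
```

Passing `defaults=SAFE_DEFAULTS` shows the effect of the issue's alternative fix: an entity with no explicit setting then inherits SHA-256 instead of SHA-1.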