Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Weak or unknown asymmetric padding #39442

Open
hvedati opened this issue Jan 28, 2025 · 6 comments · May be fixed by #39761
Open

Weak or unknown asymmetric padding #39442

hvedati opened this issue Jan 28, 2025 · 6 comments · May be fixed by #39761
Assignees
@pvaneck @xiangyan99
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Milestone
2025-03

Comments

@hvedati
Copy link

hvedati commented Jan 28, 2025

  • Package Name:
  • Package Version:
  • Operating System:
  • Python Version:

Describe the bug
Use of unapproved, weak, or unknown asymmetric padding algorithm or API : PKCS1V15

To Reproduce
Steps to reproduce the behavior:
The code in question is coming from here - https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/azure/identity/_internal/aadclient_certificate.py.

Expected behavior
The padding algorithm needs to be updated.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.
@hvedati hvedati changed the title weak or unknown asymmetric padding Weak or unknown asymmetric padding Jan 28, 2025
@github-actions github-actions bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jan 28, 2025
@kashifkhan
Copy link
Member

Thank you for the feedback @hvedati . Can you provide some screenshots, the error message or code that can help us see this issue.

@kashifkhan kashifkhan added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Jan 28, 2025
@github-actions github-actions bot removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Jan 28, 2025
@github-actions GitHub Actions
Copy link

Hi @hvedati. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@hvedati
Copy link
Author

hvedati commented Jan 28, 2025
edited
Loading

Thank you for the feedback @hvedati . Can you provide some screenshots, the error message or code that can help us see this issue.

@kashifkhan This is the s360 item that was assigned to our team.

Image> We consume the azure_identity sdk for python in our repo when building the stack-hci-vm cli. We want to keep the code we use in our repo in sync with the python sdk.

@github-actions github-actions bot added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-author-feedback Workflow: More information is needed from author to address the issue. labels Jan 28, 2025
@pvaneck
Copy link
Member

pvaneck commented Jan 29, 2025

@xiangyan99 Looks like this is for the async certificate credential, and it is in need of an update to use the PS256 algorithm with PSS padding based on Entra guidance. Based on MSAL's implementation, PS256 is used for most cases, however, there still might be a need to use RS256. Looks like it might still be used in cases of ADFS? Not sure if this is actually be the case, but if there's still a valid reason to keep the weak padding in, then we'd also need a way to suppress the CodeQL warnings (I think # noqa might suppress).

@kristapratico kristapratico added the Client This issue points to a problem in the data-plane of the library. label Feb 4, 2025
@pvaneck pvaneck moved this from Untriaged to Not Started in Azure Identity SDK Improvements Feb 14, 2025
@pvaneck pvaneck added this to the 2025-03 milestone Feb 14, 2025
@hvedati
Copy link
Author

hvedati commented Feb 18, 2025

Hi @pvaneck! Is there an ETA for when this padding issue will be resolved?

@pvaneck pvaneck linked a pull request Feb 19, 2025 that will close this issue
Draft
@pvaneck
Copy link
Member

pvaneck commented Feb 19, 2025

Hey, @hvedati, I have a PR out to update the logic, and I am aiming to get it out in the early March release. However, I will likely still have to keep the old padding algorithm around to maintain support for older ADFS auth scenarios. CodeQL will likely still flag the use of PKCS1v15 padding here, and it's something that'll just have to be dismissed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pvaneck pvaneck

@xiangyan99 xiangyan99

Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Projects
Azure Identity SDK Improvements
Status: Not Started
Milestone
2025-03
Development

Successfully merging a pull request may close this issue.

[Identity] Update async cert credential algorithm pvaneck/azure-sdk-for-python
5 participants
@kashifkhan @pvaneck @xiangyan99 @kristapratico @hvedati