Providing a password for an encrypted private key #501

Description

@kc548

Hello,

I'm trying to set up SATOSA with a key_file parameter containing an encrypted private key.

However, I get the following error:

[2026-06-01 14:30:27,003] [ERROR] [saml2.sigver.security_context] Cannot import key from /etc/satosa/certs/sp.key: Password was not given but private key is encrypted
Password was not given but private key is encrypted
[2026-06-01 14:30:27,003] [ERROR] [satosa.proxy_server.make_app] Failed to create WSGI app.
Traceback (most recent call last):
  File "/usr/local/lib/python3.13/site-packages/satosa/proxy_server.py", line 197, in make_app
    res1 = WsgiApplication(satosa_config)
  File "/usr/local/lib/python3.13/site-packages/satosa/proxy_server.py", line 119, in __init__
    super().__init__(config)
    ~~~~~~~~~~~~~~~~^^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/satosa/base.py", line 56, in __init__
    backends = load_backends(self.config, self._auth_resp_callback_func,
                             self.config["INTERNAL_ATTRIBUTES"])
  File "/usr/local/lib/python3.13/site-packages/satosa/plugin_loader.py", line 44, in load_backends
    backend_modules = _load_plugins(
        config.get("CUSTOM_PLUGIN_MODULE_PATHS"),
        config["BACKEND_MODULES"],
        backend_filter, config["BASE"],
        internal_attributes, callback)
  File "/usr/local/lib/python3.13/site-packages/satosa/plugin_loader.py", line 181, in _load_plugins
    instance = module_class(callback, internal_attributes, module_config, base_url,
                            plugin_config["name"])
  File "/usr/local/lib/python3.13/site-packages/satosa/backends/saml2.py", line 119, in __init__
    sp_config = SPConfig().load(copy.deepcopy(config[SAMLBackend.KEY_SP_CONFIG]))
  File "/usr/local/lib/python3.13/site-packages/saml2/config.py", line 338, in load
    self.load_complex(cnf)
    ~~~~~~~~~~~~~~~~~^^^^^
  File "/usr/local/lib/python3.13/site-packages/saml2/config.py", line 272, in load_complex
    self.setattr("", "metadata", self.load_metadata(cnf["metadata"]))
                                 ~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/saml2/config.py", line 385, in load_metadata
    mds = MetadataStore(
        acs,
    ...<3 lines>...
        http_client_timeout=self.http_client_timeout,
    )
  File "/usr/local/lib/python3.13/site-packages/saml2/mdstore.py", line 1024, in __init__
    self.security = security_context(config)
                    ~~~~~~~~~~~~~~~~^^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/saml2/sigver.py", line 977, in security_context
    rsa_key = import_rsa_key_from_file(_file_name)
  File "/usr/local/lib/python3.13/site-packages/saml2/sigver.py", line 460, in import_rsa_key_from_file
    key = saml2.cryptography.asymmetric.load_pem_private_key(data)
  File "/usr/local/lib/python3.13/site-packages/saml2/cryptography/asymmetric.py", line 10, in load_pem_private_key
    key = _serialization.load_pem_private_key(data, password)

How can I provide the password for my private key? I checked the SATOSA and pysaml2 documentation, but I did not find any relevant parameter to achieve this.

Thanks.
