SP metadata that supports both sha1 and sha2?

Cantor, Scott cantor.2 at osu.edu
Wed Jun 25 12:01:12 EDT 2014


On 6/25/14, 11:56 AM, "Liam Hoekenga" <liamr at umich.edu> wrote:
>
>The SP in question is Gartner.  Their current metadata has sha1
>SignatureMethod and DigestMethod algorithms, and certificate "A".
>
>To support sha256, they're issuing new metadata that has sha256
>SignatureMethod and DigestMethod algorithms, and a new certificate
>(certificate "B").

In that case, they're still confused. The certificate doesn't need to be (and
should not be) updated to support a different RSA signing algorithm.

But if they're insistent on changing the cert and/or key, then as you were
implying, they need to put them both in the metadata, but they need to
identify which one, if any, is used for encryption only. Standard key
rollover.

>They want to make sure that we're able to support both their sha1/cert A
>and sha256/cert B certificates at the same time, so our stuff won't break
>when they update their configuration.  Both sets of metadata use the same
>entityId.

Which is invalid, since you can't load both entities, thus your question.
They aren't doing it right. Please tell them that.

>I was able to put two Signature elements in the metadata (sha1 and sha2),
>and it seems to work correctly (based on the configuration in
>internal.xml).  Is this valid?  Is it correct?

No. And you can't put signature elements in the metadata; the metadata
signer does. One or both will simply be invalid signatures, and there's
nowhere to put a second signature element anyway (at a given level). It
would be schema invalid.

-- Scott
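As an added illustration of the "standard key rollover" Scott describes (not code from the thread, Shibboleth, or the SP in question), the following Python checker parses SP metadata and flags the two things that break a rollover: fewer than two signing certificates published together, or more than one certificate advertised for encryption. The entityID and certificate bodies in the embedded sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample, not the SP's real metadata: one entityID, old cert A and
# new cert B both advertised for signing, only cert B for encryption.  The
# certificate bodies are placeholders rather than base64 DER.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT-A-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT-B-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT-B-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def keys_by_use(metadata_xml):
    """Map entityID -> {"signing": set(certs), "encryption": set(certs)}.
    A KeyDescriptor with no use attribute is valid for both uses."""
    result = {}
    for ent in ET.fromstring(metadata_xml).iter(MD + "EntityDescriptor"):
        uses = result.setdefault(ent.get("entityID"), {"signing": set(), "encryption": set()})
        for kd in ent.iter(MD + "KeyDescriptor"):
            certs = {(c.text or "").strip() for c in kd.iter(DS + "X509Certificate")}
            for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
                uses[use] |= certs
    return result


def rollover_problems(metadata_xml):
    """List what would break a standard key rollover for each entity."""
    problems = []
    for eid, uses in keys_by_use(metadata_xml).items():
        if len(uses["signing"]) < 2:
            problems.append(f"{eid}: publish old and new signing certs together during rollover")
        if len(uses["encryption"]) > 1:
            problems.append(f"{eid}: more than one encryption cert; give the retiring one use=\"signing\"")
    return problems
```

The signature algorithm (sha1 versus sha256 SignatureMethod) never enters this check, because it is a property of each signature, not of the certificate.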
