Credential failed name check.

[Cantor, Scott]

On 8/20/15, 11:13 AM, "users on behalf of Johan Åkerstrøm" <users-bounces at shibboleth.net on behalf of Johan.Akerstrom at skill.no> wrote:

>The cert I have is the same as the one in the metadata.

But is that what's in the signature itself?

> So something is definitely wrong at the SP/metadata generation side. Will verify the request against the cert in the metadata to know for sure. Any good tools for that or should I just knock up a quick mock up tool?

There are tools to directly validate signatures, but none of them are terrifically easy since you have to get the message out intact without breaking the signature. We have a Java tool, xmlsectool, that can validate them. There's a tool in the SP as well, and there are various other utilities around.

But if the cert in the metadata is actually the one that is showing up in the KeyInfo of the Signature, then they aren't actually using that cert's private key to sign with. So you basically have nothing to go on here, you couldn't possibly fix it.

The PKIX part would be relevant if they *were* in fact signing with that cert's key, but if that's what's in the metadata, that's not the case. So there's nothing you could do here, it would never work no matter what you changed.

For PKIX to work, they have to send a cert with the right key in it across so we can check the raw signature and then the PKIX step will happen. But in that scenario, you'd just slam that cert into the metadata and be done. So if that's not possible, neither is PKIX.

-- Scott