Metadata signature accepted by xmlsectool, not by SP
Ian Bobbitt
ibobbitt at grnoc.iu.edu
Mon May 9 16:31:59 EDT 2016
I'm trying to sign a set of metadata, and load it into an SP. It works if I don't check signatures, but obviously that's a bad idea.
When I run shibd in test mode, I get errors about being unable to verify the signature:
# shibd -t
2016-05-09 20:24:45 WARN OpenSAML.MetadataFilter.Signature : filtering out group at root of instance after failed signature check: Unable to verify signature with supplied key(s).
2016-05-09 20:24:45 WARN OpenSAML.MetadataProvider.XML : adjusted reload interval to 600 seconds
2016-05-09 20:24:45 WARN OpenSAML.MetadataProvider.XML : trying backup file, exception loading remote resource: SignatureMetadataFilter unable to verify signature at root of metadata instance.
2016-05-09 20:24:45 WARN OpenSAML.MetadataFilter.Signature : filtering out group at root of instance after failed signature check: Unable to verify signature with supplied key(s).
2016-05-09 20:24:45 CRIT OpenSAML.Metadata.Chaining : failure initializing MetadataProvider: SignatureMetadataFilter unable to verify signature at root of metadata instance.
overall configuration is loadable, check console for non-fatal problems
But xmlsectool is fine.
$ ./xmlsectool-1.2.0/xmlsectool.sh --verifySignature --inFile /var/www/html/metadata/grnoc.xml --certificate /var/www/html/metadata/grnoc.crt
INFO XmlSecTool - Reading XML document from file '/var/www/html/metadata/grnoc.xml'
INFO XmlSecTool - XML document parsed and is well-formed.
INFO XmlSecTool - XML document signature verified.
I have validation configured on the MetadataProvider:
<MetadataProvider type="XML"
uri="http://idp-test.grnoc.iu.edu/metadata/grnoc.xml"
backingFilePath="/etc/shibboleth/grnoc.xml"
reloadInterval="7200"
validate="true">
<SignatureMetadataFilter certificate="/etc/shibboleth/grnoc.crt" />
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200" />
</MetadataProvider>
and I know the cert (http://idp-test.grnoc.iu.edu/metadata/grnoc.crt) matches the signing key.
What am I doing wrong signing this? I'm wanting to use a short script to assemble metadata from various SPs and sign them using https://github.com/mehcode/python-xmlsec/, but I've also tried signing with xmlsectool and get the same results. The SP I'm using to try to validate it is version 2.5.6 on CentOS 6.
--
Ian