Certificate Load Issue within Java / Shibboleth 3.2.1

Brent Putman putmanb at georgetown.edu
Tue Jul 25 03:48:01 EDT 2017

On 7/25/17 3:32 AM, Brent Putman wrote:
>> 2017-07-25 13:53:16,725 - WARN [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:291] - Message Handler:  Error evaluating the request's simple signature using the trust engine
>> org.opensaml.security.SecurityException: Error resolving trusted credentials
>>         at org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine.doValidate(ExplicitKeySignatureTrustEngine.java:147)
>> Caused by: net.shibboleth.utilities.java.support.resolver.ResolverException: Error processing KeyInfo child element
>>         at org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver.processKeyInfoChild(BasicProviderKeyInfoCredentialResolver.java:322)
>> Caused by: org.opensaml.security.SecurityException: Error extracting certificates from X509Data
>>         at org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider.extractCertificates(InlineX509DataProvider.java:192)
> Is this from a signed SAML request?  That's what it looks like to
> me... except it can't be Redirect b/c that doesn't convey a KeyInfo. 
> So it would have to be POST SimpleSign, which is also unusual. 
> Although I guess since it appears to be a Shibboleth SP, then it's
> supported, and maybe there's some way this has been (mis)configured.

Oh, never mind.  I misread the trace.  I think the actual cert error is
coming from the metadata credential resolver used by the trust engine,
processing the entity's metadata's KeyDescriptor/KeyInfo.  So it
probably is just a plain old signed Redirect binding request.

After you removed the EC cert from the metadata, is the request then
processed successfully?  If so, then they're signing with one of the
other 2 certs (RSA), and that's probably an acceptable workaround, if
you are willing to live with having to modify the metadata on your side
like that.  You still might want to politely suggest that they
re-consider that EC cert and re-generate it with a named curve.

If not (or if they *do* start signing to you with that EC cert in the
future), then you have to do one of my other suggestions.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20170725/4572d995/attachment.html>

More information about the users mailing list