Error creating SP metadata when adding X509 certificate for encryption

Lipscomb, Gary glipscomb at csu.edu.au
Mon Feb 26 18:33:56 EST 2018


Hi list,

I'm trying to update a vendor-supplied SP metadata file [2] with their public key certificate to encrypt assertions.

Shibboleth IdP 3.3.2 is throwing this error [1].

The vendor states:
"We tested on our end signing, using this public key and was able to successfully decrypt the assertions as well. The public key is using an RSA 1_5 algo and is as specified here (https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-1_5)."

Their metadata generation doesn't add in the certificate.
It all works if I remove the KeyDescriptor section.
Any ideas? Have I left any section out of the metadata?

Regards

Gary


[1] error message in idp-process.log

2018-02-27 10:10:38,718 - ERROR [org.springframework.webflow.execution.ActionExecutionException:76] -
org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters at a1be63e in state 'OutboundContextsAndSecurityParameters' of flow 'SAML2/Unsolicited/SSO' -- action execution attributes were 'map[[empty]]'
        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60)
Caused by: org.cryptacular.StreamException: IO error
        at org.cryptacular.util.CertUtil.readCertificate(CertUtil.java:256)
Caused by: java.io.IOException: Short read of DER length
        at sun.security.util.DerInputStream.getLength(DerInputStream.java:582)


[2] Metadata

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2019-02-15T21:28:33Z" cacheDuration="PT1519162113S" entityID="https://csu.thrive123.com.au/">

  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

    <md:Extensions>
      <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
        <mdui:DisplayName xml:lang="en">Thrive - QA</mdui:DisplayName>
      </mdui:UIInfo>
    </md:Extensions>

    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
            <ds:X509Certificate>MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    </md:KeyDescriptor>

    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://csu.thrive123.com.au/Authentication/EndLogin?idp=129974" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

|   ALBURY-WODONGA   |   BATHURST   |   CANBERRA   |   DUBBO   |   GOULBURN   |   MELBOURNE   |   ORANGE   |   PORT MACQUARIE   |   SYDNEY   |   WAGGA WAGGA   |

LEGAL NOTICE
This email (and any attachment) is confidential and is intended for the use of the addressee(s) only. If you are not the intended recipient of this email, you must not copy, distribute, take any action in reliance on it or disclose it to anyone. Any confidentiality is not waived or lost by reason of mistaken delivery. Email should be checked for viruses and defects before opening. Charles Sturt University (CSU) does not accept liability for viruses or any consequence which arise as a result of this email transmission. Email communications with CSU may be subject to automated email filtering, which could result in the delay or deletion of a legitimate email before it is read at CSU. The views expressed in this email are not necessarily those of CSU.
Charles Sturt University in Australia The Grange Chancellery, Panorama Avenue, Bathurst NSW Australia 2795 (ABN: 83 878 708 551; CRICOS Provider Number: 00005F (National)). TEQSA Provider Number: PV12018
Consider the environment before printing this email.
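The check below is an added example, not code from the original post or from the Shibboleth project. It decodes the base64 inside each ds:X509Certificate of a metadata file and walks only the outer DER headers to report whether the blob is an X.509 Certificate or a SubjectPublicKeyInfo. The first 40 base64 characters quoted in the metadata above decode to 30 82 02 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 02 0f 00 30 82 02 0a 02 82, which is SEQUENCE { SEQUENCE { OID 1.2.840.113549.1.1.1 (rsaEncryption), NULL }, BIT STRING { SEQUENCE { INTEGER ... } } }: the DER layout of a SubjectPublicKeyInfo (the body of a "BEGIN PUBLIC KEY" PEM block). A certificate's inner tbsCertificate SEQUENCE instead begins with a [0] version tag (a0) or a serialNumber INTEGER (02), and that is what Shibboleth's CertUtil.readCertificate expects to parse. The entityID, the constructed certificate header bytes and the minimal metadata wrapper in the script are placeholders for this example, not data from the post.

```python
"""Classify what a SAML metadata <ds:X509Certificate> element actually carries.

Added example (not from the original post or Shibboleth). Only the DER
tag/length headers are inspected, so a truncated prefix such as the one
quoted in the post is enough to tell a certificate from a bare public key.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def read_tlv(buf: bytes, pos: int):
    """Parse one DER tag/length header at pos; return (tag, length, value_start).

    Raises ValueError when the header itself is cut off, which is the
    condition a 'Short read of DER length' error reports."""
    if pos + 2 > len(buf):
        raise ValueError("short read of DER tag/length")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        return tag, first, pos
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized DER length")
    if pos + n > len(buf):
        raise ValueError("short read of DER length")
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n


def classify_der(der: bytes) -> str:
    """Distinguish an X.509 Certificate from a SubjectPublicKeyInfo by its first tags.

    Certificate          ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version | INTEGER serial ... } ... }
    SubjectPublicKeyInfo ::= SEQUENCE { algorithm SEQUENCE { OBJECT IDENTIFIER ... }, BIT STRING }
    """
    tag, _, pos = read_tlv(der, 0)
    if tag != 0x30:
        return "not a DER SEQUENCE"
    inner_tag, _, pos = read_tlv(der, pos)
    if inner_tag != 0x30 or pos >= len(der):
        return "unknown"
    first = der[pos]
    if first in (0xA0, 0x02):              # [0] EXPLICIT version, or serialNumber
        return "certificate"
    if first == 0x06:                      # AlgorithmIdentifier.algorithm OID
        _, oid_len, oid_pos = read_tlv(der, pos)
        oid = der[oid_pos:oid_pos + oid_len]
        alg = "rsaEncryption" if oid == RSA_ENCRYPTION_OID else oid.hex()
        return f"subject public key info ({alg})"
    return "unknown"


def classify_b64(b64: str) -> str:
    """Classify a base64 blob as found inside ds:X509Certificate (whitespace ignored)."""
    return classify_der(base64.b64decode(re.sub(r"\s+", "", b64)))


def check_metadata(xml_text: str):
    """Return [(use, classification)] for every X509Certificate in every KeyDescriptor."""
    root = ET.fromstring(xml_text)
    results = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        use = kd.get("use", "signing and encryption")
        for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            results.append((use, classify_b64(cert.text or "")))
    return results


# The first 40 base64 characters quoted in the post (the remainder was elided there).
POSTED_PREFIX = "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC"

# Constructed for this example, not a real certificate: the leading bytes of a
# typical v3 certificate, SEQUENCE { SEQUENCE { [0] { INTEGER 2 } INTEGER serial ... } ... }.
CERT_PREFIX_B64 = base64.b64encode(bytes.fromhex("30820310308201f8a003020102020900")).decode()

# Minimal metadata wrapper constructed for this example; the entityID is a placeholder.
METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://sp.example.test/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
        <ds:X509Certificate>{POSTED_PREFIX}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for use, kind in check_metadata(METADATA):
        print(f"KeyDescriptor use={use}: {kind}")
    print("constructed certificate header:", classify_b64(CERT_PREFIX_B64))
```

Run as a script it prints the classification for each KeyDescriptor; point check_metadata at the vendor's full metadata to test the complete blob. The "BEGIN PUBLIC KEY" PEM body and a "BEGIN CERTIFICATE" body are both base64 DER, so the only way to tell them apart in metadata is to decode and look at the structure, which is what this does. A ValueError from read_tlv reproduces the cut-off-header case, for instance a blob truncated to a handful of characters.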

