Signature trust establishment failed for metadata entry
Jehan Procaccia
jehan.procaccia at tem-tsp.eu
Mon Jun 29 13:32:12 UTC 2020
On 29/06/2020 at 13:22, Peter Schober wrote:
> * Jehan Procaccia <jehan.procaccia at tem-tsp.eu> [2020-06-29 08:26]:
>> - EntityDescriptor 'recruitee' failed signature verification, removing from
>> metadata provider
>>
>> Is there something I can work around on my side, or did the service provider mess
>> something up in their metadata?
> If the signature is incorrect then SP would have to fix the signature
> (or you'd have to remove the signature validation filter, throwing any
> security out the window).
>
> You can verify the signature outside of the IDP codebase using
> e.g. XmlSecTool or xmlsec1 or samlsign, cf.
> https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataCorrectness#MetadataCorrectness-SignatureVerification
>
> -peter
>
Checking the signature with XmlSecTool does show a problem:

# /root/xmlsectool-1.1.5/xmlsectool.sh --verifySignature --certificate /var/www/html/federation/metadata/fede-imt-cert.pem --inFile /var/www/html/federation/metadata/fede-imt-ext-recruitee-signed.xml
INFO  XmlSecTool - Reading XML document from file '/var/www/html/federation/metadata/fede-imt-ext-recruitee-signed.xml'
INFO  XmlSecTool - XML document parsed and is well-formed.
ERROR XmlSecTool - Unknown error
java.lang.StringIndexOutOfBoundsException: String index out of range: -1
        at java.lang.String.substring(String.java:1949) ~[na:1.6.0_41]
        at java.lang.String.substring(String.java:1916) ~[na:1.6.0_41]
        at edu.internet2.middleware.security.XmlSecTool.validateSignatureReferenceUri(XmlSecTool.java:623) ~[xmlsectool-1.1.5.jar:na]
        at edu.internet2.middleware.security.XmlSecTool.validateSignatureReference(XmlSecTool.java:602) ~[xmlsectool-1.1.5.jar:na]
        at edu.internet2.middleware.security.XmlSecTool.verifySignature(XmlSecTool.java:554) ~[xmlsectool-1.1.5.jar:na]
        at edu.internet2.middleware.security.XmlSecTool.main(XmlSecTool.java:156) ~[xmlsectool-1.1.5.jar:na]
This fede-imt-ext-recruitee-signed.xml is just an aggregate done with aggregator-cli-0.7.0:

<?xml version="1.0" encoding="UTF-8"?><md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="607e2258-9ccd-4b45-85aa-d1846432bcec" cacheDuration="P1DT0H0M0.000S" validUntil="2020-12-23T12:40:49.155Z"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
[...]
<md:EntityDescriptor xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id159317657424081159320976712" entityID="recruitee" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
[...]
</md:EntityDescriptor>
</md:EntitiesDescriptor>
but for the purpose of debugging my problem it contains only one SP, the problematic one.
"Checking" (--validateSchema) that SP metadata (MD) alone doesn't show any problems, though:
# ./xmlsectool.sh --validateSchema --schemaDirectory schemaDirectory/samlschemas/ --inFile /root/xml/fede-imt-metadata-svn/fede-imt-ext-recruitee-metadata/sp.institutminestelecom-recruitee.xml
INFO  XmlSecTool - Reading XML document from file '/root/xml/fede-imt-metadata-svn/fede-imt-ext-recruitee-metadata/sp.institutminestelecom-recruitee.xml'
INFO  XmlSecTool - XML document parsed and is well-formed.
INFO  XmlSecTool - XML document is schema valid
Is the trust in the signature failing because of the "Federation" aggregation signing (which I doubt, because when I remove that specific SP, the other aggregated ones don't complain) or because of that specific SP's embedded certificate/signing keys?
How can I check that SP MD's embedded signature/certificate (which I paste below)?
Thanks.
PS: I read from
https://wiki.shibboleth.net/confluence/display/SHIB/ShibbolethTrustEngine
that there must be a match between the certificate Subject and the entityID; could that be the problem here?
<md:EntityDescriptor xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id159317657424081159320976712" entityID="recruitee" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#id159317657424081159320976712">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>pd4TVQMyNzW1kXQUj5FpvgAAWEfo3+FrPtPAsLhhZyw=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Cu8YFTDn2VXtN4Sx+Tu/LX/KPNggYrbpShEfXptZdCj+h8fuwI95GXTTr3AfjChf1NDi3qfxHRK0nVtxv5KyiBP4PZH22oTPi/zRT60JAt/aPxaXviOxGBQoVIXOGBJkKLkbGQrMNTSyCwJ+YrIBLHCCgoGiAgRsUs0iOQwvVuO5EdHt/xVORy0EVfrIG30mIigB94WIy//OgBBcIamQqOkI1isYzq5QDufhb6il02P9omoY6hrxahy77PKlj0p9zIBqtSlxEAgb1nhrE5TIX5uS9K5YQ9pYunXFxjrHNGioQ02SttX+o0SL2K2XSaPBQUxFRFPN2RT+BxJgCT/oDHBk+WDk/OD1kl7Y0PiRaF99BQfHuz1+DTCOcCHzAgOpUIGlbuRsPaJlrf0Q6tX2q7OzpiORsHTrSysQGV+nUWHc5LQwsYcGv/scVo3jkvD3Xhu2Pt3fyF0zj1ofzxQjuKIJHKAXYiMkp+FAtpewTx7wAcsU8N95F/6PnqL7Czn6PVgOQVoKeEwscBO1cBsVOliUZ7zQZ2jv+sLDk5V9+5ic9rXU5Pss3/Jakf7UixkOrYfhV6Zi5xkStBN/x/z1kkg/JNQLqXEdh5DykkdLxBvlUi3opSdL0p1oEob+Ch3vz7m8Whorayw2gO7leojcLEU+D19T+EfFZa3Uwo+oODA=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>[X509 certificate omitted]</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <dsig:KeyInfo>
        <dsig:X509Data>
          <dsig:X509Certificate>[X509 certificate omitted]</dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <dsig:KeyInfo>
        <dsig:X509Data>
          <dsig:X509Certificate>MIIFzjCCA7YCCQDxXP/Xc4ZwNzANBgkqhkiG9w0BAQsFADCBqDELMAkGA1UEBhMCTkwxFjAUBgNVBAgMDU5vcnRoIEhvbGxhbmQxEjAQBgNVBAcMCUFtc3RlcmRhbTExMC8GA1UECgwoUmVjcnVpdGVlIEIuVi4gKENvbXBhbnkgbnVtYmVyIDYzODgxODI5KTEWMBQGA1UECwwNcmVjcnVpdGVlLmNvbTEiMCAGA1UEAwwZU1NPIHNpZ25hdHVyZSBjZXJ0aWZpY2F0ZTAeFw0xOTAzMDgxNDQ1NDZaFw0yOTAzMDUxNDQ1NDZaMIGoMQswCQYDVQQGEwJOTDEWMBQGA1UECAwNTm9ydGggSG9sbGFuZDESMBAGA1UEBwwJQW1zdGVyZGFtMTEwLwYDVQQKDChSZWNydWl0ZWUgQi5WLiAoQ29tcGFueSBudW1iZXIgNjM4ODE4MjkpMRYwFAYDVQQLDA1yZWNydWl0ZWUuY29tMSIwIAYDVQQDDBlTU08gc2lnbmF0dXJlIGNlcnRpZmljYXRlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwpFSMWM3/uTOlJ6ghrLlfx8ng1mZ/3kO0YHr+lyswE47hEhgAaiW42CdaGZUlhzPtMYRtHbZ73bCQRRRmqf2PrsxS79fcHxgyS0fElshClnozXLIelM5m+PIJkXH3wh+7O1iyb1ZVh7pyI4Jq8NurogLXe3Jh8PQC/l8tLfCOjuh8chRGDtn88fwntVSPK4es52JC8C2BY121U8y1eda7vRvf5agso97KhjMGdTQ3W5XNNBQKOjoJPFa+e39OWCER5BgpzDvSJkXtl4lA2CVizzjCGldaMAB2m9nWKNGCspWFUNWvd2ozPO2iUUiBfMoPBXzfYoDUoonqznGN7nyY0bGjXJydmi3w5srApET5uvW0q4ygBuzUhfDX3M4hmPxiKdMFeyF7W+DiTKg6NGXByrdUTs9djd0dNuMFZXtM96V9KnH0E+acYKN+RkZMieDwM+KAVXO1Ye7+hfoXl86f12O1OBWAY9RIrqotyFJGR6/wFACaOVT/9hs9x2M0lQd1T7iMNlWweXtA/ZgerG+q3/IjPNXLoHUBW7SU+uhH3bXBkGYJ2+r3pLODBxtY+xwXPWukChVV0j7+6bc13DBxEbtmDIVBihtu0zxrlOOg+FNEosBVf8cB9bU/IJmDZDIBQQYQhVJh75Gx0FhqcOdsesQv6J+hQ6FeE2j/ZoAZPUCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAOAu4XVSJtTtCdHSyBxSu1cXOIQK6CQAmN8ximibI3/C7zxJ92//6QmzYFiDASF46KYeeDRaOg7aVGCnxOMDr6qFDY62mnA/cI8zCWpFB89cSDj9sd4Nxpv1taQi9jADDutHLk0OdqUPS0GeULpQczdJ9ilqwrZlPkRMIamzUq7UXH/CnG7V2yv1BqDU1Pu5Z+LPmEXR8DVbmGJCUwepUbvJsfU3UTjCM/4MLpolbtoPbVJprsm4gWXRSEC2MKYOSy5+Oer3cZ3g/RMCqX1DdnOn8uykuKEF7ve0z65F1bGHAkS4dK3t10QrUzsUk+hBGMDO3mVKH1jI/4GM9iIT57+Ubue+ih6nn9KrQk8JY+D52C70zhqC0bqI6oyBfMC3oXSLBeZrF74cKP9bUZs0OXaHdsNHGxg3TR2rU4ThzbJd3tu/jLL3UPnNdSUQJDJuVh6A8WkKFIoZ+448qCKdyid6lkHP6MqHLCNcWj0x/y+5BP1iN8o8BIjQjXKa2ls9KzVZZj9CI+rGJ0vicORvgD+CEdEAKgXqEj/SxIL/jBs7bHclxVUz1Lz5GLNtAdh7jbxZS2hB2anGKzc7sb29jw2ZooVvJ5wSuz95QRYFlpqufvvWtuwbD87c64yM6yqof7V7uLkltx2g6VlTxUnx2XZB5YHsLt+p2FYOuTVyYpcU=</dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://auth.recruitee.com/sso/sp/logout/institutminestelecom"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://auth.recruitee.com/sso/sp/logout/institutminestelecom"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://auth.recruitee.com/sso/sp/consume/institutminestelecom" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://auth.recruitee.com/sso/sp/consume/institutminestelecom" index="1"/>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Recruitee</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Recruitee</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://recruitee.com</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:SurName>Recruitee Support</md:SurName>
    <md:EmailAddress>support at recruitee.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
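As an added example (not from this thread, the poster, or XmlSecTool), a Python 3 standard-library script that walks every ds:Signature in a metadata file the way the IdP's signature validation filter meets them: it reports the element each signature is enveloped in, checks the Reference URI against that element's ID, and compares the SHA-256 fingerprint of the KeyInfo certificate with the fingerprints the IdP is configured to trust. It does not verify the signature cryptographically (that is what xmlsec1 or XmlSecTool are for); the aggregate and the certificates inside it are constructed for the demonstration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": DS}

def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 over the DER bytes (what 'openssl x509 -sha256 -fingerprint' prints, without colons)."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()

def inspect_signatures(xml_text: str, trusted: set) -> list:
    """One record per ds:Signature: the element it envelopes, Reference/ID consistency, key trust."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    report = []
    for sig in root.iter("{%s}Signature" % DS):
        signed = parent_of.get(sig, root)  # enveloped signature: the parent is the signed element
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        uri = None if ref is None else ref.get("URI", "")
        if uri is None:
            state = "no-reference"
        elif uri == "":
            state = "whole-document"  # legal same-document reference with no ID; do not strip a '#' from it
        else:
            state = "match" if uri == "#" + (signed.get("ID") or "") else "mismatch"
        cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        fp = cert_fingerprint(cert.text) if cert is not None and cert.text else None
        report.append({"signed": signed.tag.split("}")[-1], "entityID": signed.get("entityID"),
                       "reference": state, "fingerprint": fp, "trusted": fp in trusted})
    return report

# Constructed sample (hypothetical certificate bytes, not real DER): a federation aggregate signed
# with the federation key, wrapping one EntityDescriptor that carries its own signature under the SP's key.
FED_CERT = base64.b64encode(b"constructed-federation-signing-cert").decode()
SP_CERT = base64.b64encode(b"constructed-sp-self-signed-cert").decode()
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{DS}" ID="agg1">
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#agg1"/></ds:SignedInfo>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FED_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </ds:Signature>
 <md:EntityDescriptor ID="sp1" entityID="recruitee">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#sp1"/></ds:SignedInfo>
   <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SP_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def demo() -> list:
    # The IdP's filter trusts only the federation certificate, so the SP-signed entity comes out untrusted.
    return inspect_signatures(SAMPLE, {cert_fingerprint(FED_CERT)})
```

Run `demo()` against your own aggregate by replacing SAMPLE with the file contents and the trusted set with the fingerprint of fede-imt-cert.pem; an entity whose own signature reports trusted=False is one the filter will reject unless its key is among the trust anchors.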