Signature trust establishment failed for metadata entry
Jehan Procaccia
jehan.procaccia at tem-tsp.eu
Mon Jun 29 21:36:03 UTC 2020
On 29/06/2020 at 16:03, Peter Schober wrote:
> * Jehan Procaccia <jehan.procaccia at tem-tsp.eu> [2020-06-29 15:33]:
>
>> is the trust in signature failing because of the "Federation"
>> aggregation signing (which I doubt because when I remove that
>> specific SP, others aggregated don't complain) or because of that
>> specific SP embedded certificate/sign-keys?
> Not "because of that specific SP embedded certificate/sign-keys", but
> "because of that specific SP's embedded Signature element", AFAIU.
>
> I.e., if you're adding individually signed entities to your local
> aggregate I'd remove the signatures from all entities (possibly after
> first validating it, if that makes sense, e.g. if you received a
> trustworthy copy of the verification certificate out of bounds) except
> for the enclosing EntitiesDescriptor one.
> (All metadata consumers should be able to verify all included
> Signatures on any entities. If that cannot be ensured you should
> remove those signatures.)
>
> -peter
OK, I removed the Signature element:
<ds:Signature xmlns:ds="http://www.w3.org ...
<ds:SignatureValue>Cu8YF...ODA=</ds:SignatureValue> </ds:KeyInfo>
</ds:Signature>
from that specific SP's metadata, and kept signing the aggregate myself (in
this case for that only one SP):
./xmlsectool.sh --sign --inFile fede-imt-ext-recruitee-unsigned.xml
--outFile Downloads/fede-imt-ext-recruitee-signed.xml --certificate
../ssl/fede-cert.pem --key ../ssl/fede-key.pem
and now it does load ;-)
2020-06-29 23:24:23,221 - INFO
[org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:465]
- Metadata Resolver FileBackedHTTPMetadataResolver fedeIMTextRecruitee:
New metadata successfully loaded for
'https://federation.mydomain.eu/metadata/fede-imt-ext-recruitee-signed.xml'
Thanks a lot for the help.
Is there a security issue by removing that SP's own/embedded signature
(provided by the partner), as long as I re-sign it on my side with my
"federation-aggregate"?
regards.
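The step Peter describes, removing the partners' embedded ds:Signature elements while leaving the aggregate to be signed as a whole, can be scripted instead of edited by hand. This is an added example, not code from this thread or from xmlsectool; the metadata it processes is constructed, and the output is meant to be fed to xmlsectool --sign as the unsigned inFile.

```python
import xml.etree.ElementTree as ET
from typing import Tuple

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_TAG = f"{{{DS_NS}}}Signature"
for prefix, uri in (("md", MD_NS), ("ds", DS_NS)):
    ET.register_namespace(prefix, uri)  # keep md:/ds: prefixes on output

# Constructed sample: an unsigned aggregate holding two SPs, one of which
# still carries the signature its operator put on the entity itself.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" Name="urn:example:fede">
  <md:EntityDescriptor entityID="https://sp1.partner.example/shibboleth">
    <ds:Signature><ds:SignatureValue>Cu8YF...ODA=</ds:SignatureValue></ds:Signature>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.partner.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def strip_embedded_signatures(xml_text: str) -> Tuple[str, int]:
    """Remove every ds:Signature that is not a direct child of the root
    EntitiesDescriptor. ds:KeyInfo inside KeyDescriptor is not a Signature
    and is left alone, so the SP's certificates survive. Returns the
    re-serialised XML and the number of signatures removed."""
    root = ET.fromstring(xml_text)
    # Collect first, then remove: mutating the tree while iterating it is unsafe.
    doomed = [(parent, sig) for parent in root.iter() if parent is not root
              for sig in parent.findall(SIG_TAG)]
    for parent, sig in doomed:
        parent.remove(sig)
    return ET.tostring(root, encoding="unicode"), len(doomed)


def embedded_signature_count(xml_text: str) -> int:
    """Pre-publish check: how many Signatures are still nested below the root?"""
    root = ET.fromstring(xml_text)
    return sum(len(el.findall(SIG_TAG)) for el in root.iter() if el is not root)


if __name__ == "__main__":
    cleaned, removed = strip_embedded_signatures(SAMPLE)
    print(f"removed {removed} embedded signature(s); "
          f"{embedded_signature_count(cleaned)} remain below the root")
    print(cleaned)
```

Re-serialising may change whitespace and namespace prefixes, which is harmless here only because the aggregate is signed afterwards as a whole; never re-serialise metadata whose existing signature you intend to keep.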