Credential failed name check error upon updating SP certificate

Mark Cairney Mark.Cairney at ed.ac.uk
Thu Apr 7 13:37:29 UTC 2022


Hi,

We've recently been working with a vendor who are upgrading the
certificate in their metadata from an old SHA1 cert to a SHA256 cert.

However, we got the following error when logging in using the new cert:

2022-04-06 17:57:55,973 - INFO [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:297] - [129.215.16.48]|Credential failed name check: [subjectName='CN=careerhub.ed']
2022-04-06 17:57:55,974 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:197] - [129.215.16.48]|Profile Action WebFlowMessageHandlerAdaptor: Exception handling message
org.opensaml.messaging.handler.MessageHandlerException: Validation of protocol message signature failed
        at org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityHandler.java:147)

We reverted to the old certificate and the SP started working again;
however, we're a bit confused as to why the IdP doesn't like the new
certificate.

The details of the new cert are:


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1d:15:be:5e:b3:f5:0f:94:46:f8:27:a7:86:30:59:76
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = careerhub-ed
        Validity
            Not Before: Oct 11 14:31:16 2021 GMT
            Not After : Oct 11 14:41:16 2041 GMT
        Subject: CN = careerhub-ed
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ab:38:08:1a:06:f6:c5:da:b5:46:17:9e:c1:85:
                    4f:e5:80:99:6e:f8:79:c1:ae:83:29:09:d0:b8:4c:
                    a6:65:a9:f1:cc:54:2e:ab:66:88:43:a3:8f:11:23:
                    6e:ab:68:90:2a:2e:48:24:f7:eb:9e:67:7f:cc:c7:
                    d9:1c:f1:49:83:0e:bc:88:6f:69:41:1e:e2:95:ec:
                    8a:68:86:3e:60:d9:67:ba:73:5c:af:f3:a8:de:f6:
                    76:2a:70:48:3a:bf:b1:3d:4c:c2:35:84:f1:57:f8:
                    92:29:22:47:20:09:a1:a6:52:b4:d1:41:31:a1:1a:
                    0b:61:f0:2d:b7:cc:cc:a5:60:54:48:38:20:83:91:
                    e0:88:2c:91:a5:e3:ef:5e:cf:7d:e8:05:f1:ff:26:
                    35:e9:2f:be:9f:23:89:03:97:e4:b5:6c:84:07:d0:
                    d6:a5:04:ef:cc:f9:68:0f:69:f1:13:87:9d:09:ae:
                    8c:42:24:75:7d:fb:51:98:7e:fa:34:56:47:38:d9:
                    41:34:7b:48:9f:c5:65:56:e4:55:05:e4:dc:6d:2c:
                    e1:5a:3c:1a:d2:d8:03:60:53:58:d4:17:c9:a5:84:
                    dc:15:3f:f7:d9:17:25:46:75:50:ac:67:cd:d2:13:
                    c6:32:22:f8:39:13:73:f5:88:fb:62:02:fc:ef:c8:
                    f7:15
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:careerhub-ed
            X509v3 Subject Key Identifier:
                95:98:29:82:36:42:53:C6:E3:28:15:94:1B:EF:01:7E:D9:0E:EA:96
    Signature Algorithm: sha256WithRSAEncryption
         78:ad:a1:13:1f:80:4e:23:cb:79:77:78:c5:4e:be:07:0f:1b:
         bf:b5:2e:e7:da:38:37:9f:3c:45:15:31:8a:37:4e:77:ee:ea:
         34:7d:0e:a1:26:7e:b0:27:43:dc:bf:cc:9b:2d:ae:fc:6c:86:
         f9:af:85:ac:97:a7:f4:27:92:ea:ec:aa:20:9d:6d:73:12:9f:
         de:aa:46:a4:52:7c:ed:93:50:1c:32:c0:62:af:43:55:dc:93:
         7a:57:66:d0:6d:8f:ae:31:a6:3b:85:2f:f9:60:95:f0:fb:06:
         a6:c0:37:3c:d7:a7:ff:ad:a0:ff:51:82:32:ef:97:02:97:60:
         b6:b0:47:f7:e4:a3:47:1a:6e:dd:b8:66:53:11:bd:fd:0b:98:
         06:1b:2c:46:e9:e1:bc:b7:76:40:0b:4a:a3:3f:67:65:11:fa:
         15:7f:48:f6:df:29:c3:e4:95:1b:57:09:6e:ac:53:a2:86:5a:
         0a:c4:66:a9:45:2c:fe:e2:19:c0:41:24:58:d5:6f:a4:9a:8d:
         27:59:54:e3:d4:92:18:fe:67:50:9e:d0:89:ce:2f:8f:5b:e8:
         78:7c:c9:24:07:a3:a4:90:24:48:32:64:02:29:31:b4:7a:77:
         ef:01:a3:0a:0c:d6:2b:b1:28:5a:f0:74:07:66:37:25:d8:60:
         57:e9:7a:9c


The only thing we could think of, having had a quick look at the OpenSAML
"BasicX509CredentialNameEvaluator" class, is that the IdP is being picky
about the CN being an FQDN and having a matching Subject AltName in place,
but it would be good to know what triggers a failure in this and whether
there are differing requirements in place for signing and encryption keys.
We've got this working on Dev now using a fully-qualified domain name as
the CN and DNS SubjectAltName. We did try a new cert with the same Subject
as the old one, i.e. "CN=careerhub-ed", but this also failed.

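As an added illustration of the name check behind the "Credential failed name check" line above (this is not the poster's code and not OpenSAML's), the following Python models what BasicX509CredentialNameEvaluator compares: the DNS and URI subject alternative names, the subject CN, and the full subject DN of the credential's certificate, each against the set of trusted names the PKIX trust engine collected from metadata (the SP's entityID and any ds:KeyName values in the relevant KeyDescriptor). The certificate fields for NEW_CERT are taken from the dump in the post; DEV_CERT, the hostname sp.example.ac.uk, the entityID and the KeyName are constructed placeholders, and the case-insensitive matching is an approximation of the real comparison rules rather than a claim about them.

```python
"""Approximation of the OpenSAML X.509 credential name check (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class CertNames:
    """Names carried by an end-entity certificate, already extracted from it.

    The signature digest (SHA-1 vs SHA-256) is deliberately absent: the name
    evaluator never looks at it, so a SHA-1 to SHA-256 rollover cannot by
    itself change the outcome of this check.
    """
    subject_dn: str                                   # e.g. "CN=careerhub-ed"
    common_name: Optional[str] = None                 # subject CN, if present
    san_dns: List[str] = field(default_factory=list)  # SAN dNSName entries
    san_uri: List[str] = field(default_factory=list)  # SAN URI entries


def candidate_names(cert: CertNames, *, check_san: bool = True,
                    check_cn: bool = True, check_dn: bool = True) -> Set[str]:
    """Collect every name the evaluator would try against the trusted set.

    Three sources, mirroring the evaluator's three configurable checks, all on
    by default: SAN entries (DNS and URI types), the subject CN, the subject DN.
    """
    names: Set[str] = set()
    if check_san:
        names.update(cert.san_dns)
        names.update(cert.san_uri)
    if check_cn and cert.common_name:
        names.add(cert.common_name)
    if check_dn:
        names.add(cert.subject_dn)
    return names


def name_check(cert: CertNames, trusted_names: Set[str],
               *, require_trusted_names: bool = False) -> Tuple[bool, str]:
    """Return (passed, reason) for one credential against the trusted names.

    trusted_names is what the PKIX trust engine gathers from SP metadata:
    the entityID plus any <ds:KeyName> values (assumption about the caller's
    metadata). With no trusted names the check is skipped unless the engine
    is configured to require them.
    """
    if not trusted_names:
        return (not require_trusted_names, "no trusted names supplied")
    trusted_lc = {t.lower() for t in trusted_names}   # approximation: case-insensitive
    hits = sorted(n for n in candidate_names(cert) if n.lower() in trusted_lc)
    if hits:
        return True, "matched trusted name(s): %s" % ", ".join(hits)
    return False, "Credential failed name check: [subjectName='%s']" % cert.subject_dn


# Constructed from the certificate dump in the post.
NEW_CERT = CertNames(subject_dn="CN=careerhub-ed",
                     common_name="careerhub-ed",
                     san_dns=["careerhub-ed"])

# Constructed to mirror the Dev fix (FQDN as CN plus matching DNS SAN);
# the hostname is a placeholder, not the SP's real name.
DEV_CERT = CertNames(subject_dn="CN=sp.example.ac.uk",
                     common_name="sp.example.ac.uk",
                     san_dns=["sp.example.ac.uk"])

# Hypothetical trusted-name set: an entityID and a KeyName carrying the FQDN.
TRUSTED = {"https://sp.example.ac.uk/shibboleth", "sp.example.ac.uk"}


if __name__ == "__main__":
    for label, cert in (("new cert", NEW_CERT), ("dev cert", DEV_CERT)):
        ok, why = name_check(cert, TRUSTED)
        print("%s: %s (%s)" % (label, "PASS" if ok else "FAIL", why))
```

The practical reading: an FQDN in the CN and SAN only helps when that FQDN is also one of the trusted names derived from the metadata, and a short name like careerhub-ed will never match an entityID of the usual https://.../shibboleth form. To see which names a real certificate actually carries before comparing them, `openssl x509 -in cert.pem -noout -subject -ext subjectAltName` prints exactly the fields this model consumes.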