Credential failed name check error upon updating SP certificate

Mark Cairney Mark.Cairney at ed.ac.uk
Thu Apr 7 14:08:34 UTC 2022


Hi Nate,

Well spotted and well worth pointing out. The original SHA-1 certificate 
had a subject of "CN=careerhub.ed", while the initial new SHA-256 
certificate had a subject of "CN=careerhub-ed". We then tried adjusting 
this with another newly-generated cert with a subject of "CN=careerhub.ed", 
but this exhibited the same issue, and at this point we decided to roll 
back the change.

Kind regards,

Mark


On 07/04/2022 14:59, Nate Klingenstein wrote:
> Mark,
>
> This may be an artifact and irrelevant, but I see the IdP logging a CN 
> of careerhub.ed and the certificate with issuer and subject 
> careerhub-ed.  Any thoughts on that?
>
> Just an observation,
> Nate
>
> On Thu, Apr 7, 2022, 7:37 AM Mark Cairney via users 
> <users at shibboleth.net> wrote:
>
>     Hi,
>
>     We've recently been working with a vendor who are upgrading the
>     certificate in their metadata from an old SHA1 cert to a SHA256 cert.
>
>     However we got the following error when logging in using the new cert:
>
>     2022-04-06 17:57:55,973 - INFO [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:297] - [129.215.16.48]|Credential failed name check: [subjectName='CN=careerhub.ed']
>     2022-04-06 17:57:55,974 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:197] - [129.215.16.48]|Profile Action WebFlowMessageHandlerAdaptor: Exception handling message
>     org.opensaml.messaging.handler.MessageHandlerException: Validation of protocol message signature failed
>     at org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityHandler.java:147)
>
>     We reverted back to the old certificate and the SP started working
>     again; however, we're a bit confused as to why the IdP doesn't like
>     the new certificate.
>
>     The details of the new cert are:
>
>
>     Certificate:
>     Data:
>     Version: 3 (0x2)
>     Serial Number:
>     1d:15:be:5e:b3:f5:0f:94:46:f8:27:a7:86:30:59:76
>     Signature Algorithm: sha256WithRSAEncryption
>     Issuer: CN = careerhub-ed
>     Validity
>     Not Before: Oct 11 14:31:16 2021 GMT
>     Not After : Oct 11 14:41:16 2041 GMT
>     Subject: CN = careerhub-ed
>     Subject Public Key Info:
>     Public Key Algorithm: rsaEncryption
>     RSA Public-Key: (2048 bit)
>     Modulus:
>     00:ab:38:08:1a:06:f6:c5:da:b5:46:17:9e:c1:85:
>     4f:e5:80:99:6e:f8:79:c1:ae:83:29:09:d0:b8:4c:
>     a6:65:a9:f1:cc:54:2e:ab:66:88:43:a3:8f:11:23:
>     6e:ab:68:90:2a:2e:48:24:f7:eb:9e:67:7f:cc:c7:
>     d9:1c:f1:49:83:0e:bc:88:6f:69:41:1e:e2:95:ec:
>     8a:68:86:3e:60:d9:67:ba:73:5c:af:f3:a8:de:f6:
>     76:2a:70:48:3a:bf:b1:3d:4c:c2:35:84:f1:57:f8:
>     92:29:22:47:20:09:a1:a6:52:b4:d1:41:31:a1:1a:
>     0b:61:f0:2d:b7:cc:cc:a5:60:54:48:38:20:83:91:
>     e0:88:2c:91:a5:e3:ef:5e:cf:7d:e8:05:f1:ff:26:
>     35:e9:2f:be:9f:23:89:03:97:e4:b5:6c:84:07:d0:
>     d6:a5:04:ef:cc:f9:68:0f:69:f1:13:87:9d:09:ae:
>     8c:42:24:75:7d:fb:51:98:7e:fa:34:56:47:38:d9:
>     41:34:7b:48:9f:c5:65:56:e4:55:05:e4:dc:6d:2c:
>     e1:5a:3c:1a:d2:d8:03:60:53:58:d4:17:c9:a5:84:
>     dc:15:3f:f7:d9:17:25:46:75:50:ac:67:cd:d2:13:
>     c6:32:22:f8:39:13:73:f5:88:fb:62:02:fc:ef:c8:
>     f7:15
>     Exponent: 65537 (0x10001)
>     X509v3 extensions:
>     X509v3 Key Usage: critical
>     Digital Signature, Key Encipherment
>     X509v3 Extended Key Usage:
>     TLS Web Client Authentication, TLS Web Server Authentication
>     X509v3 Subject Alternative Name:
>     DNS:careerhub-ed
>     X509v3 Subject Key Identifier:
>     95:98:29:82:36:42:53:C6:E3:28:15:94:1B:EF:01:7E:D9:0E:EA:96
>     Signature Algorithm: sha256WithRSAEncryption
>     78:ad:a1:13:1f:80:4e:23:cb:79:77:78:c5:4e:be:07:0f:1b:
>     bf:b5:2e:e7:da:38:37:9f:3c:45:15:31:8a:37:4e:77:ee:ea:
>     34:7d:0e:a1:26:7e:b0:27:43:dc:bf:cc:9b:2d:ae:fc:6c:86:
>     f9:af:85:ac:97:a7:f4:27:92:ea:ec:aa:20:9d:6d:73:12:9f:
>     de:aa:46:a4:52:7c:ed:93:50:1c:32:c0:62:af:43:55:dc:93:
>     7a:57:66:d0:6d:8f:ae:31:a6:3b:85:2f:f9:60:95:f0:fb:06:
>     a6:c0:37:3c:d7:a7:ff:ad:a0:ff:51:82:32:ef:97:02:97:60:
>     b6:b0:47:f7:e4:a3:47:1a:6e:dd:b8:66:53:11:bd:fd:0b:98:
>     06:1b:2c:46:e9:e1:bc:b7:76:40:0b:4a:a3:3f:67:65:11:fa:
>     15:7f:48:f6:df:29:c3:e4:95:1b:57:09:6e:ac:53:a2:86:5a:
>     0a:c4:66:a9:45:2c:fe:e2:19:c0:41:24:58:d5:6f:a4:9a:8d:
>     27:59:54:e3:d4:92:18:fe:67:50:9e:d0:89:ce:2f:8f:5b:e8:
>     78:7c:c9:24:07:a3:a4:90:24:48:32:64:02:29:31:b4:7a:77:
>     ef:01:a3:0a:0c:d6:2b:b1:28:5a:f0:74:07:66:37:25:d8:60:
>     57:e9:7a:9c
>
>
>     The only thing we could think of is that the IdP is being picky about
>     the CN being a FQDN and having a matching Subject AltName in place
>     (having had a quick look at the OpenSAML
>     "BasicX509CredentialNameEvaluator" class), but it would be good to know
>     what triggers a failure in this and if there are differing requirements
>     in place for signing and encryption keys. We've got this working on Dev
>     now using a fully-qualified domain name as the CN and DNS
>     SubjectAltName. We did try a new cert with the same Subject as the old
>     one, i.e. "CN= careerhub-ed", but this also failed.
>
>
>
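The thread turns on a one-character difference between the subject name the IdP logs ("careerhub.ed") and the subject the new certificate actually carries ("careerhub-ed"). The script below is an added example, not code from this thread or from Shibboleth/OpenSAML: it parses the name-relevant fields out of an `openssl x509 -text` dump (the sample is the certificate dump from the original post with the modulus and signature bytes left out) and runs a simplified version of the subject/SAN name check behind the "Credential failed name check" log line. The matching rule is an assumption: a credential passes if its Subject CN or one of its DNS subjectAltNames equals, case-insensitively, one of the names the IdP trusts for the SP. On failure it reports near-misses so a dot-versus-hyphen discrepancy is visible at once, and a separate check flags a SHA-1 signature or a short RSA key, which is what a SHA-1 to SHA-256 certificate rollover is meant to fix.

```python
"""Added example: simplified X.509 subject/SAN name check over an
`openssl x509 -text` dump.  The matching rules are an assumption made for
this example and are not OpenSAML's BasicX509CredentialNameEvaluator code."""
import difflib
import re

# Constructed sample: the name-relevant lines of the certificate dump from
# the thread (modulus and signature bytes omitted).
SAMPLE_DUMP = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = careerhub-ed
        Validity
            Not Before: Oct 11 14:31:16 2021 GMT
            Not After : Oct 11 14:41:16 2041 GMT
        Subject: CN = careerhub-ed
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:careerhub-ed
            X509v3 Subject Key Identifier:
                95:98:29:82:36:42:53:C6:E3:28:15:94:1B:EF:01:7E:D9:0E:EA:96
"""


def parse_cert_text(text):
    """Pull Subject CN, SAN DNS names, signature algorithm and RSA key size
    out of openssl's text rendering of a certificate."""
    info = {"subject_cn": None, "san_dns": [], "sig_alg": None, "key_bits": None}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Subject:"):
            m = re.search(r"\bCN\s*=\s*([^,/]+)", s)
            if m:
                info["subject_cn"] = m.group(1).strip()
        elif s.startswith("Signature Algorithm:") and info["sig_alg"] is None:
            info["sig_alg"] = s.split(":", 1)[1].strip()
        elif s.startswith("X509v3 Subject Alternative Name"):
            # SAN entries sit on the indented line(s) that follow, comma-separated.
            j = i + 1
            while j < len(lines) and lines[j].strip() and not lines[j].strip().startswith("X509v3"):
                for entry in lines[j].split(","):
                    entry = entry.strip()
                    if entry.startswith("DNS:"):
                        info["san_dns"].append(entry[len("DNS:"):].strip())
                j += 1
        m = re.search(r"Public-Key: \((\d+) bit\)", s)
        if m:
            info["key_bits"] = int(m.group(1))
    return info


def credential_names(info):
    """Names the (assumed) evaluator compares against the trusted set."""
    names = set()
    if info["subject_cn"]:
        names.add(info["subject_cn"].lower())
    names.update(n.lower() for n in info["san_dns"])
    return names


def name_check(info, trusted_names):
    """Return (passed, report).  On failure the report lists near-misses so a
    one-character difference such as 'careerhub.ed' vs 'careerhub-ed' is
    obvious instead of hidden behind a generic 'failed name check' line."""
    present = credential_names(info)
    trusted = {t.lower() for t in trusted_names}
    matched = sorted(present & trusted)
    if matched:
        return True, f"name check passed on {matched}"
    hints = []
    for t in sorted(trusted):
        for close in difflib.get_close_matches(t, sorted(present), n=1, cutoff=0.8):
            hints.append(f"trusted name '{t}' nearly matches certificate name '{close}'")
    report = (f"Credential failed name check: certificate names {sorted(present)} "
              f"do not include any trusted name {sorted(trusted)}")
    if hints:
        report += "; " + "; ".join(hints)
    return False, report


def hygiene_findings(info):
    """Independent of the name check: flag a SHA-1 signature or a short RSA key."""
    findings = []
    if info["sig_alg"] and "sha1" in info["sig_alg"].lower():
        findings.append(f"signature algorithm {info['sig_alg']} uses SHA-1")
    if info["key_bits"] is not None and info["key_bits"] < 2048:
        findings.append(f"RSA key is only {info['key_bits']} bits")
    return findings


if __name__ == "__main__":
    cert = parse_cert_text(SAMPLE_DUMP)
    print(cert)
    for trusted in (["careerhub-ed"], ["careerhub.ed"]):
        print(name_check(cert, trusted))
    print(hygiene_findings(cert) or "no hygiene findings")
```

To run it against a real SP certificate, feed `parse_cert_text` the output of `openssl x509 -in sp.crt -noout -text` and pass the names the IdP is configured to trust for that SP as `trusted_names`; the near-miss hint is what would have pointed straight at the dot/hyphen mismatch discussed above.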


More information about the users mailing list