Credential failed name check error upon updating SP certificate

Mak, Steven makst at upenn.edu
Thu Apr 7 14:09:17 UTC 2022


Based on my experience with vendors saying one thing and doing another, it's likely it's just using the old pub cert still. The name check failure is likely unrelated. It is also an INFO line.

From my experience the CN of the cert doesn't tend to matter. If you're not sure, you could simply add both pub certs to the SP metadata in parallel until the vendor assures you that they removed the old one.

But vendors often don't understand SAML well enough to do this well.

- Steve

From: users <users-bounces at shibboleth.net> on behalf of Mark Cairney via users <users at shibboleth.net>
Date: Thursday, April 7, 2022 at 9:37 AM
To: users at shibboleth.net <users at shibboleth.net>
Cc: Mark Cairney <Mark.Cairney at ed.ac.uk>
Subject: Credential failed name check error upon updating SP certificate

Hi,

We've recently been working with a vendor who are upgrading the
certificate in their metadata from an old SHA1 cert to a SHA256 cert.

However we got the following error when logging in using the new cert:

2022-04-06 17:57:55,973 - INFO [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:297] - [129.215.16.48]|Credential failed name check: [subjectName='CN=careerhub.ed']
2022-04-06 17:57:55,974 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:197] - [129.215.16.48]|Profile Action WebFlowMessageHandlerAdaptor: Exception handling message
org.opensaml.messaging.handler.MessageHandlerException: Validation of protocol message signature failed
        at org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityHandler.java:147)

We reverted back to the old certificate and the SP started working again
however we're a bit confused as to why the IdP doesn't like the new
certificate.

The details of the new cert are:


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1d:15:be:5e:b3:f5:0f:94:46:f8:27:a7:86:30:59:76
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = careerhub-ed
        Validity
            Not Before: Oct 11 14:31:16 2021 GMT
            Not After : Oct 11 14:41:16 2041 GMT
        Subject: CN = careerhub-ed
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:careerhub-ed
            X509v3 Subject Key Identifier:
                95:98:29:82:36:42:53:C6:E3:28:15:94:1B:EF:01:7E:D9:0E:EA:96
    Signature Algorithm: sha256WithRSAEncryption


The only thing we could think of is that the IdP is being picky about
the CN being a FQDN and having a matching Subject AltName in place
having had a quick look at the OpenSAML
"BasicX509CredentialNameEvaluator" class but it would be good to know
what triggers a failure in this and if there are differing requirements
in place for signing and encryption keys. We've got this working on Dev
now using a fully-qualified domain name as the CN and DNS
SubjectAltName. We did try a new cert with the same Subject as the old
one i.e. "CN= careerhub-ed" but this also failed.
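The "both certificates in parallel" approach suggested in the reply, shown as an added SP metadata fragment that is not from the original thread or from the vendor; the entityID, the endpoint and the certificate contents are placeholders:

```xml
<!-- SP metadata during a certificate rollover (added example; entityID,
     endpoint and certificate values are placeholders, not real ones). -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
                      AuthnRequestsSigned="true">

    <!-- New SHA-256 certificate, published for signing first. With two
         signing keys listed, the IdP accepts a request signed by either,
         so the SP can switch keys on its own schedule. If the IdP still
         reports "Validation of protocol message signature failed", the
         SP is signing with a key that is in neither descriptor. -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIC...NEW-SHA256-CERT-BASE64...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <!-- Old SHA-1 certificate, kept only until the vendor confirms the SP no
         longer signs with it. Deleting this block completes the signing
         rollover. -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIC...OLD-SHA1-CERT-BASE64...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <!-- Encryption is different: list only the certificate whose private key
         the SP has installed right now, and swap it for the new one only
         after the SP confirms the new private key is in place. -->
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIC...OLD-SHA1-CERT-BASE64...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"
                                 index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

Keeping the `use` attributes explicit makes it clear which of the parallel keys the IdP may verify against and which single key it must encrypt to.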
