Credential failed name check error upon updating SP certificate
Mark Cairney
Mark.Cairney at ed.ac.uk
Thu Apr 7 14:38:15 UTC 2022
Hi,
I was downloading a fresh copy of the metadata from their application
after certificate rollover, but I suppose it's possible that the
application wasn't being fully restarted and was presenting the "old"
key from memory rather than the one in our updated local copy of the
metadata. However, this normally results in a different error?
As this is our Live IdP we weren't logging at DEBUG level unfortunately.
The mystery continues I guess!
On 07/04/2022 15:09, Mak, Steven wrote:
> Based on my experience with vendors saying one thing and doing
> another, it's likely it's just using the old pub cert still. The name
> check failure is likely unrelated. It is also an INFO line.
>
> From my experience the CN of the cert doesn't tend to matter. If
> you're not sure, you could simply add both pub certs to the SP
> metadata in parallel until the vendor assures you that they removed
> the old one.
>
> But vendors often don't understand SAML well enough to do this well.
>
> - Steve
>
> *From: *users <users-bounces at shibboleth.net> on behalf of Mark Cairney
> via users <users at shibboleth.net>
> *Date: *Thursday, April 7, 2022 at 9:37 AM
> *To: *users at shibboleth.net <users at shibboleth.net>
> *Cc: *Mark Cairney <Mark.Cairney at ed.ac.uk>
> *Subject: *Credential failed name check error upon updating SP certificate
>
> Hi,
>
> We've recently been working with a vendor who are upgrading the
> certificate in their metadata from an old SHA1 cert to a SHA256 cert.
>
> However we got the following error when logging in using the new cert:
>
> 2022-04-06 17:57:55,973 - INFO [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:297] - [129.215.16.48]|Credential failed name check: [subjectName='CN=careerhub.ed']
> 2022-04-06 17:57:55,974 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:197] - [129.215.16.48]|Profile Action WebFlowMessageHandlerAdaptor: Exception handling message
> org.opensaml.messaging.handler.MessageHandlerException: Validation of protocol message signature failed
> at org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityHandler.java:147)
>
> We reverted back to the old certificate and the SP started working again
> however we're a bit confused as to why the IdP doesn't like the new
> certificate.
>
> The details of the new cert are:
>
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             1d:15:be:5e:b3:f5:0f:94:46:f8:27:a7:86:30:59:76
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: CN = careerhub-ed
>         Validity
>             Not Before: Oct 11 14:31:16 2021 GMT
>             Not After : Oct 11 14:41:16 2041 GMT
>         Subject: CN = careerhub-ed
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 RSA Public-Key: (2048 bit)
>                 Modulus:
>                     00:ab:38:08:1a:06:f6:c5:da:b5:46:17:9e:c1:85:
>                     4f:e5:80:99:6e:f8:79:c1:ae:83:29:09:d0:b8:4c:
>                     a6:65:a9:f1:cc:54:2e:ab:66:88:43:a3:8f:11:23:
>                     6e:ab:68:90:2a:2e:48:24:f7:eb:9e:67:7f:cc:c7:
>                     d9:1c:f1:49:83:0e:bc:88:6f:69:41:1e:e2:95:ec:
>                     8a:68:86:3e:60:d9:67:ba:73:5c:af:f3:a8:de:f6:
>                     76:2a:70:48:3a:bf:b1:3d:4c:c2:35:84:f1:57:f8:
>                     92:29:22:47:20:09:a1:a6:52:b4:d1:41:31:a1:1a:
>                     0b:61:f0:2d:b7:cc:cc:a5:60:54:48:38:20:83:91:
>                     e0:88:2c:91:a5:e3:ef:5e:cf:7d:e8:05:f1:ff:26:
>                     35:e9:2f:be:9f:23:89:03:97:e4:b5:6c:84:07:d0:
>                     d6:a5:04:ef:cc:f9:68:0f:69:f1:13:87:9d:09:ae:
>                     8c:42:24:75:7d:fb:51:98:7e:fa:34:56:47:38:d9:
>                     41:34:7b:48:9f:c5:65:56:e4:55:05:e4:dc:6d:2c:
>                     e1:5a:3c:1a:d2:d8:03:60:53:58:d4:17:c9:a5:84:
>                     dc:15:3f:f7:d9:17:25:46:75:50:ac:67:cd:d2:13:
>                     c6:32:22:f8:39:13:73:f5:88:fb:62:02:fc:ef:c8:
>                     f7:15
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment
>             X509v3 Extended Key Usage:
>                 TLS Web Client Authentication, TLS Web Server Authentication
>             X509v3 Subject Alternative Name:
>                 DNS:careerhub-ed
>             X509v3 Subject Key Identifier:
>                 95:98:29:82:36:42:53:C6:E3:28:15:94:1B:EF:01:7E:D9:0E:EA:96
>     Signature Algorithm: sha256WithRSAEncryption
>          78:ad:a1:13:1f:80:4e:23:cb:79:77:78:c5:4e:be:07:0f:1b:
>          bf:b5:2e:e7:da:38:37:9f:3c:45:15:31:8a:37:4e:77:ee:ea:
>          34:7d:0e:a1:26:7e:b0:27:43:dc:bf:cc:9b:2d:ae:fc:6c:86:
>          f9:af:85:ac:97:a7:f4:27:92:ea:ec:aa:20:9d:6d:73:12:9f:
>          de:aa:46:a4:52:7c:ed:93:50:1c:32:c0:62:af:43:55:dc:93:
>          7a:57:66:d0:6d:8f:ae:31:a6:3b:85:2f:f9:60:95:f0:fb:06:
>          a6:c0:37:3c:d7:a7:ff:ad:a0:ff:51:82:32:ef:97:02:97:60:
>          b6:b0:47:f7:e4:a3:47:1a:6e:dd:b8:66:53:11:bd:fd:0b:98:
>          06:1b:2c:46:e9:e1:bc:b7:76:40:0b:4a:a3:3f:67:65:11:fa:
>          15:7f:48:f6:df:29:c3:e4:95:1b:57:09:6e:ac:53:a2:86:5a:
>          0a:c4:66:a9:45:2c:fe:e2:19:c0:41:24:58:d5:6f:a4:9a:8d:
>          27:59:54:e3:d4:92:18:fe:67:50:9e:d0:89:ce:2f:8f:5b:e8:
>          78:7c:c9:24:07:a3:a4:90:24:48:32:64:02:29:31:b4:7a:77:
>          ef:01:a3:0a:0c:d6:2b:b1:28:5a:f0:74:07:66:37:25:d8:60:
>          57:e9:7a:9c
>
>
> The only thing we could think of is that the IdP is being picky about
> the CN being a FQDN and having a matching Subject AltName in place
> having had a quick look at the OpenSAML
> "BasicX509CredentialNameEvaluator" class but it would be good to know
> what triggers a failure in this and if there are differing requirements
> in place for signing and encryption keys. We've got this working on Dev
> now using a fully-qualified domain name as the CN and DNS
> SubjectAltName. We did try a new cert with the same Subject as the old
> one i.e. "CN= careerhub-ed" but this also failed.
>
>
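The two hypotheses in the thread (the vendor still signing with the old key, and Steve's suggestion of carrying both certificates in the SP metadata in parallel until the old one is retired) can be checked mechanically rather than by reverting certificates and retrying logins. The script below is an added example, not code from this thread, from Shibboleth or from OpenSAML. It uses only the Python standard library, parses a constructed piece of SP metadata (the entityID is hypothetical and the certificate bodies are placeholder bytes rather than real DER, so only their fingerprints matter), and reports whether the certificate an SP actually signed with appears in the metadata copy the IdP holds and with a `use` that permits signing.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML metadata and XML-DSig namespaces used in EntityDescriptor documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample certificates: placeholder bytes standing in for DER,
# NOT real X.509 certificates. In real use these are the base64 bodies of
# ds:X509Certificate elements.
OLD_CERT_B64 = base64.b64encode(b"placeholder: old SHA1-era signing cert DER").decode()
NEW_CERT_B64 = base64.b64encode(b"placeholder: new SHA256 signing cert DER").decode()
ENC_CERT_B64 = base64.b64encode(b"placeholder: encryption-only cert DER").decode()
UNKNOWN_CERT_B64 = base64.b64encode(b"placeholder: cert never published in metadata").decode()

# Constructed SP metadata (hypothetical entityID) in the rollover shape the
# thread recommends: old and new signing certs listed side by side. The
# KeyDescriptor without a use attribute is valid for both signing and encryption.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {NEW_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENC_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint (colon-separated hex) of the DER bytes inside a
    ds:X509Certificate element. Whitespace is stripped first because metadata
    commonly wraps the base64 body across lines."""
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def metadata_keys(metadata_xml: str) -> dict:
    """Map every certificate fingerprint found in KeyDescriptor elements to its
    declared use: 'signing', 'encryption', or 'both' when no use attribute is set."""
    root = ET.fromstring(metadata_xml)
    keys = {}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use", "both")
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            keys[fingerprint(cert.text)] = use
    return keys


def check_presented_cert(metadata_xml: str, presented_cert_b64: str) -> str:
    """Classify why a signature made with `presented_cert_b64` would or would
    not validate against this metadata:
      'ok'              - listed with use="signing" or with no use attribute
      'encryption-only' - listed, but only for encryption, so signatures fail
      'missing'         - not in the metadata at all: the SP is signing with a
                          key the IdP has never been told about (stale key on
                          the vendor side, or a stale local metadata copy)"""
    use = metadata_keys(metadata_xml).get(fingerprint(presented_cert_b64))
    if use is None:
        return "missing"
    if use == "encryption":
        return "encryption-only"
    return "ok"


if __name__ == "__main__":
    for label, cert in [("old", OLD_CERT_B64), ("new", NEW_CERT_B64),
                        ("enc", ENC_CERT_B64), ("unknown", UNKNOWN_CERT_B64)]:
        print(f"{label:8s} {fingerprint(cert)[:23]}...  {check_presented_cert(SP_METADATA, cert)}")
```

In practice the metadata argument is the IdP's local copy of the SP's metadata and the presented certificate is the base64 body from the KeyInfo of the signed request (or from the vendor's freshly downloaded metadata, to compare the two copies). A "missing" verdict is the situation Steve describes, the application still presenting the old key, and matches the WARN "Validation of protocol message signature failed" line; the INFO name-check line from BasicX509CredentialNameEvaluator is a separate evaluation and, as Steve notes, does not by itself explain a signature failure.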