metadata x509 certificate lines terminated with &#xd;?

Baron Fujimoto baron at hawaii.edu
Thu Mar 24 00:30:39 UTC 2022


Yeah, that makes some sense, since the rest of their metadata isn't so
afflicted, it's just the certificate data. Even if we ultimately have to
accommodate their broken(?) metadata, it would be personally satisfying to
be able to tell them, "nuh uh".

On Wed, Mar 23, 2022 at 2:24 PM IAM David Bantz via users <
users at shibboleth.net> wrote:

> I wonder whether those line termination characters were added in the
> process of transmitting or intermediate storage of the data.
>
>
>
> On 23Mar2022 at 16:01:40, Baron Fujimoto <baron at hawaii.edu> wrote:
>
>> We are working with an SP who is providing metadata where the character
>> entity "&#xd;" (carriage return, I believe) has been appended to each line
>> of their x509 certificates. E.g.:
>>
>>     <ds:X509Data>
>>
>>  <ds:X509Certificate>MIIGXTCCBUWgAwIBAgIQCLgQc9Z8Mn06Q0tiGbaLyjANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQG
>> &#xd;
>>
>> EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTMwMQYDVQQDEypEaWdpQ2VydCBHbG9iYWwgRzIg
>> &#xd;
>> ...
>>
>> 3H8TzSiVX+JruLLaUdWCtTqKDYyVJBxNNKV/cVzLqcXaLIUq3LwqrSLfh1axuYW64VT1SHe2MAsM
>> &#xd;
>> U7U1sUyCVwFp2Z7D3xnz+erklZPsBxecF7mTebgi9XUUUJDiEA==</ds:X509Certificate>
>>     </ds:X509Data>
>>
>> The IdP fails to parse this. Is this actually valid SAML for the
>> metadata? I couldn't find a standards reference that answered this
>> definitively. The SP is claiming that, "Since we include the "&#xd"
>> characters to show a break in the metadata information, we will not be able
>> to remove these characters from the XML file" and advises, "If Shibboleth
>> cannot parse the metadata correctly..." we need to download and manually
>> fix the metadata ourselves. If their metadata is in fact not standards
>> compliant, I would very much appreciate any references I could provide to
>> the SP to demonstrate that.
>>
>> --
>> Baron Fujimoto <baron at hawaii.edu> :: UH Information Technology Services
>> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum


-- 
Baron Fujimoto <baron at hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
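
An added example, not part of the original thread: a standard-library Python check showing that a `&#xd;` character reference inside `ds:X509Certificate` reaches the application as a literal carriage return, and that stripping whitespace lets the base64 decode. The sample metadata and its placeholder payload are constructed, and the function name `audit_certificates` is hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: placeholder bytes stand in for DER certificate data.
PAYLOAD = bytes(range(120))
_b64 = base64.b64encode(PAYLOAD).decode("ascii")
_lines = [_b64[i:i + 64] for i in range(0, len(_b64), 64)]
SAMPLE = (
    f'<ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data><ds:X509Certificate>'
    + "&#xd;\n".join(_lines)  # each line ends with the CR character reference
    + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
)


def audit_certificates(xml_text):
    """Return one report dict per ds:X509Certificate element."""
    root = ET.fromstring(xml_text)
    reports = []
    for el in root.iter(f"{{{DS}}}X509Certificate"):
        text = el.text or ""
        # XML end-of-line normalization only touches literal line breaks;
        # a character reference is expanded afterwards, so U+000D survives.
        cr_count = text.count("\r")
        try:
            # Strict decode after removing only LF: any CR left is rejected.
            base64.b64decode(text.replace("\n", ""), validate=True)
            strict_ok = True
        except ValueError:  # binascii.Error is a ValueError subclass
            strict_ok = False
        cleaned = "".join(text.split())  # drop CR, LF, tab and space
        der = base64.b64decode(cleaned, validate=True)
        reports.append({"cr_count": cr_count, "strict_ok": strict_ok,
                        "cleaned": cleaned, "der": der})
    return reports


if __name__ == "__main__":
    for r in audit_certificates(SAMPLE):
        print(f"CRs in element text: {r['cr_count']}, "
              f"strict decode ok: {r['strict_ok']}, "
              f"bytes after cleanup: {len(r['der'])}")
```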