MDA Removing Signatures

Dan McLaughlin dmclaughlin at tech-consortium.com
Wed Oct 5 13:37:48 UTC 2022 

I could have sworn there used to be an API in the MDA to remove
signatures from metadata.  I was planning on just leaving all the
signatures, but in the latest release of the SP, the SignatureFilter
fails to validate any signatures other than the root.  Since I already
validated all the signatures before aggregating and signing the
metadata, I figured just removing all the signatures before signing
the aggregated metadata would be faster than trying to figure out why
the SP is filtering them out.

>From what I can tell, the SP seems to validate the root and any child
entity descriptors with signatures.

I use the MDA to fetch IDP metadata from multiple sources, including
several from the InCommon MDQ. I use the MDA to download, validate
signatures, aggregate, sign the aggregated metadata, then validate the
signature and schema.  Everything passes validation in the MDA, and if
I use xmlsectool directly to validate the signature, it also passes
validation.  But the SP filters out all child entities with signatures
because it says it can't verify the signature with the supplied keys.

2022-10-04 16:18:49 INFO Shibboleth.Application : building
MetadataProvider of type XML...
2022-10-04 16:18:49 INFO OpenSAML.MetadataProvider : building
MetadataFilter of type Signature
2022-10-04 16:18:49 INFO XMLTooling.CredentialResolver.Chaining :
building CredentialResolver of type File
2022-10-04 16:18:49 INFO XMLTooling.SecurityHelper : loading
certificate(s) from file
(C:/shib-sp/etc/shibboleth/my-fed-signing-cert-2015.pem)
2022-10-04 16:18:49 INFO XMLTooling.CredentialResolver.File : no
private key resolved, usable for verification/trust only
2022-10-04 16:18:49 INFO XMLTooling.CredentialResolver.Chaining :
building CredentialResolver of type File
2022-10-04 16:18:49 INFO XMLTooling.SecurityHelper : loading
certificate(s) from file
(C:/shib-sp/etc/shibboleth/my-fed-signing-cert-2022.pem)
2022-10-04 16:18:49 INFO XMLTooling.CredentialResolver.File : no
private key resolved, usable for verification/trust only
2022-10-04 16:18:49 INFO XMLTooling.CredentialResolver.Chaining :
building CredentialResolver of type File
2022-10-04 16:18:49 INFO XMLTooling.SecurityHelper : loading
certificate(s) from file
(C:/shib-sp/etc/shibboleth/inc-md-cert-mdq.pem)
2022-10-04 16:18:49 INFO XMLTooling.CredentialResolver.File : no
private key resolved, usable for verification/trust only
2022-10-04 16:18:49 DEBUG OpenSAML.MetadataProvider.XML : using local
resource (C:/shib-sp/var/run/shibboleth/my-federation-idp-devmetadata2.xml),
will monitor for changes
2022-10-04 16:18:49 DEBUG OpenSAML.MetadataProvider.XML : loading
configuration from external resource...
2022-10-04 16:18:49 INFO OpenSAML.MetadataProvider.XML : loaded XML
resource (C:/shib-sp/var/run/shibboleth/my-federation-idp-devmetadata2.xml)
2022-10-04 16:18:49 DEBUG XMLTooling.Signature : unmarshalling ds:Signature
2022-10-04 16:18:49 DEBUG XMLTooling.Signature : unmarshalling ds:Signature
2022-10-04 16:18:49 DEBUG XMLTooling.Signature : unmarshalling ds:Signature
2022-10-04 16:18:49 DEBUG XMLTooling.Signature : unmarshalling ds:Signature
2022-10-04 16:18:49 INFO OpenSAML.MetadataProvider : applying metadata
filter (Signature)
2022-10-04 16:18:49 WARN OpenSAML.MetadataFilter.Signature : filtering
out entity (https://idp.foo.edu/idp/shibboleth) after failed signature
check: Unable to verify signature with supplied key(s).
2022-10-04 16:18:49 WARN OpenSAML.MetadataFilter.Signature : filtering
out entity (https://idp.bar.edu/idp/shibboleth) after failed signature
check: Unable to verify signature with supplied key(s).
2022-10-04 16:18:49 WARN OpenSAML.MetadataFilter.Signature : filtering
out entity (https://idp.test.edu/idp/shibboleth) after failed
signature check: Unable to verify signature with supplied key(s).


Here is what Metadata Provider looks like...

<MetadataProvider type="XML" validate="true"
path="C:/shib-sp/var/run/shibboleth/my-federation-idp-devmetadata2.xml">
<MetadataFilter type="Signature">
<CredentialResolver type="Chaining">
<CredentialResolver type="File"
certificate="C:/shib-sp/etc/shibboleth/my-fed-signing-cert-2015.pem"/>
<CredentialResolver type="File"
certificate="C:/shib-sp/etc/shibboleth/my-fed-signing-cert-2022.pem"/>
<CredentialResolver type="File"
certificate="C:/shib-sp/etc/shibboleth/inc-md-cert-mdq.pem"/>
</CredentialResolver>
</MetadataFilter>
</MetadataProvider>

--

Thanks,

Dan McLaughlin
Technology Consortium, LLC
dmclaughlin at tech-consortium.com
mobile: 512.633.8086
http://www.tech-consortium.com

NOTICE: This e-mail message and all attachments transmitted with it
are for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure, or distribution is strictly prohibited. The contents of
this e-mail are personal and may be subject to work product
privileges. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy all copies of the original message.

More information about the users mailing list