what is the trust store used for in the TOTP plugin?

Rod Widdowson rdw at steadingsoftware.com
Tue Jun 27 09:59:28 UTC 2023

> However I doubt what the trust store is actually used for during the installation process?
It is.

>  I see a folder credentials\net.shibboleth.idp.plugin.authn.totp is created 
> and an aes file and an empty backup file in this folder after installation. 

This is true for all plugins, not just TOTP.

TL;DR: The installer is making it easier for you to do the right thing about trust.  The details are documented here [1], but I believe that it is worthwhile to be explicit as well.

By way of background, it is very important to the Shibboleth team that our users do not download or install malevolent packages.  For example, we go to significant lengths to validate any jars that we ship as part of the IdP.

When installing a plugin you are in effect downloading a random bit of software of unknown background.  There is a priori no reason to trust this software, which could then go on to perform any amount of damage to your systems and your users' identities.

Whilst it is you that has to make the decision as to whether you are prepared to take that risk, the plugin installer provides some support and only allows plugins to be installed if they have passed a (GPG) signature check. Thus you will see that a plugin package consists of the contents (usually .tar.gz file) and a signature over that file (.asc).  

Before the plugin is installed the signature is checked.  This is the stage:

> Accept this key: 
> Signature:      0x378B845402277962 
> FingerPrint:    DCAA15007BED9DE690CD9523378B845402277962 
> Username:       Scott Cantor <cantor.2 at osu.edu> 
>  [yN] 

At this stage you are expected to check that the signing certificate matches one that you are prepared to trust.  This stage is critical.

In order that you do not have to go through this stage every time, the installer also keeps track of those certificates that have already been accepted (it is in fact a GPG keyring).  This is per plugin; having accepted Scott's signature for the TOTP plugin means that you will not be prompted on an update if that update was signed by the same certificate.  If this certificate was used to sign a different plugin you would be prompted again: the fact that you trust Scott to ship TOTP plugins should not mean that you trust him to sign an OIDC plugin.

So we keep a GPG keyring on a per plugin basis and use this to determine whether you trust a signature or whether you need to go through due diligence on it.  This is the file you are seeing in the credentials folder.  If you have a centrally maintained keyring of trusted signatures you can use that (--truststore).

I hope this helps.

[1] https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1294074003/PluginInstallation#GPG-Trust
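The flow Rod describes (detached GPG signature over the package, a keyring kept per plugin, a fingerprint check before a key is accepted) can be modelled in a few shell functions around gpg. The script below is an added example and is not the Shibboleth plugin installer's own code: the directory layout under credentials/, the keyring file name trust.gpg, the return codes, and the second plugin id some.other.plugin are all assumptions, and the signing key, package and .asc are constructed throwaway fixtures generated at run time so the whole thing works offline.

```sh
#!/bin/sh
# Added example, not the Shibboleth installer's code: a shell model of the
# per-plugin GPG trust store.  credentials/<plugin>/trust.gpg is an assumed layout.
set -e

WORK=$(mktemp -d)
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/signer-home"   # throwaway home holding the signer's key pair
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
CREDS="$WORK/credentials"              # stands in for the IdP's credentials/ directory

# Per-plugin keyring: trusting a key for one plugin id says nothing about another.
ring_for() {
  mkdir -p "$CREDS/$1"
  [ -f "$CREDS/$1/trust.gpg" ] || : > "$CREDS/$1/trust.gpg"   # empty file = empty keyring
  printf '%s' "$CREDS/$1/trust.gpg"
}

# verify_plugin PLUGIN_ID PACKAGE SIGNATURE  (return codes are this example's convention)
#   0 -> good signature from a key already trusted for this plugin
#   2 -> signature by a key not in this plugin's keyring: operator must be prompted
#   1 -> bad signature (e.g. tampered package) or any other failure
verify_plugin() {
  ring=$(ring_for "$1")
  status=$(gpg --batch --no-default-keyring --keyring "$ring" --status-fd 1 \
               --verify "$3" "$2" 2>/dev/null || true)
  case "$status" in
    *"[GNUPG:] VALIDSIG "*)  return 0 ;;
    *"[GNUPG:] NO_PUBKEY "*) return 2 ;;
    *)                       return 1 ;;
  esac
}

# key_fingerprint KEYFILE: fingerprint of an armored public key, without trusting it
key_fingerprint() {
  tmp="$WORK/candidate.$$.gpg"
  gpg --batch --no-default-keyring --keyring "$tmp" --import "$1" 2>/dev/null
  gpg --batch --no-default-keyring --keyring "$tmp" --with-colons --fingerprint \
      --list-keys 2>/dev/null | awk -F: '/^fpr/ { print $10; exit }'
  rm -f "$tmp" "$tmp~"
}

# accept_key PLUGIN_ID KEYFILE EXPECTED_FINGERPRINT
# The "[yN]" step from the post: the key only goes into this plugin's keyring if its
# fingerprint matches the one the operator verified out of band.
accept_key() {
  actual=$(key_fingerprint "$2")
  [ "$actual" = "$3" ] || { echo "fingerprint mismatch: $actual" >&2; return 1; }
  gpg --batch --no-default-keyring --keyring "$(ring_for "$1")" --import "$2" 2>/dev/null
}

# --- constructed fixtures: throwaway signing key, stand-in package, detached .asc ---
gpg --batch --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Plugin Signer <signer@example.invalid>' default default never 2>/dev/null
FPR=$(gpg --batch --with-colons --fingerprint --list-keys 2>/dev/null \
      | awk -F: '/^fpr/ { print $10; exit }')
PKG="$WORK/plugin.tar.gz"
printf 'not a real tarball, just the bytes that get signed\n' > "$PKG"
SIG="$PKG.asc"
gpg --batch --pinentry-mode loopback --passphrase '' --armor --detach-sign \
    --output "$SIG" "$PKG" 2>/dev/null
KEYFILE="$WORK/signer.asc"
gpg --batch --armor --export signer@example.invalid > "$KEYFILE" 2>/dev/null

TOTP=net.shibboleth.idp.plugin.authn.totp   # plugin id from the question above
OTHER=some.other.plugin                     # hypothetical second plugin id

# Walk through the installer's decisions for the TOTP plugin.
rc=0; verify_plugin "$TOTP" "$PKG" "$SIG" || rc=$?
echo "unknown key, operator must be prompted: rc=$rc"
accept_key "$TOTP" "$KEYFILE" "$FPR"            # operator checked the fingerprint: accept
rc=0; verify_plugin "$TOTP" "$PKG" "$SIG" || rc=$?
echo "same key on a later TOTP update: rc=$rc"
rc=0; verify_plugin "$OTHER" "$PKG" "$SIG" || rc=$?
echo "same key, different plugin, prompted again: rc=$rc"
```

The per-plugin behaviour comes entirely from passing a different --keyring to gpg for each plugin id; a centrally maintained keyring, as with the installer's --truststore option, would simply make ring_for return one fixed path for every plugin. Parsing the --status-fd lines rather than gpg's exit code is what lets the script distinguish "valid signature, key not yet trusted" (prompt) from "bad signature" (refuse).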
