Skip to Content.
Sympa Menu

cat-users - RE: [[cat-users]] Unable to authenticate

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

RE: [[cat-users]] Unable to authenticate


Chronological Thread 
  • From: Alan Cox - UKRI <Alan.Cox AT ukri.org>
  • To: Matthew Slowe <Matthew.Slowe AT jisc.ac.uk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] Unable to authenticate
  • Date: Thu, 6 Aug 2020 10:23:50 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ukri.org; dmarc=pass action=none header.from=ukri.org; dkim=pass header.d=ukri.org; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=u/V7FY+Avd/paFiUoJeyqEyw11cCxVmMgDB0cY5YcHA=; b=N+onf5NhCOzjV9gJ4Qpo+J+jam7NTC4iFBuodI6A9KSkyrt1dY8V3/gblW81I8aD5qHrPM5fBu5b1/rv/kJXdFe013U9JmiKxY7FqtirdQWt9if9UfONBzClVzV4NjcfPwz22bMBKJSizv927gET61D8ReB+yfxfzDrZj+ve8XI9Vvu4+za04aqP0SgAMynWq17wRxGVbp9R+NtxtpqnvMTBwaclNKXFFngjms9NN3uS1TXKvEjutLV/fnZLJ3EerSBQ9RdT/fgEJO3e3ijkkxd3CKwP0Folg97Zt0sYKUFoJI+iYfZOBWyaBnykGSaKow079xhp9tIwLciAgnPwRg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=boR8A+xpfrR2bqesq4fbTVpfCseLKDeWMMKmJlpKvYIxAU+CqGajYRcVaSLa+DPOkHPGSee7kPF1GZgR8e858X89TBju9Dimt+mDQOosHHtg9O6BFo9CJ5lb1c6FKLSxtEzg188ta+1q8KYq7CBzoPxmmbhdWb2JIj1K83NMmUFBPKtf0Ffg/srF+UkEYHLK9L7Jt/qSGzmUYOVnuSP8cC6XuOnICZBQpyFI7xYThK3WT2H+CgF5EZ0F3hyZZSus4QCVZ+9cfAF1CNzSWhrGBXOhM4TBXMt2XzofMXx4dM9CdDQHjGi54vqs2fzU5f3H5dRAgQYyuggkT7SM+9ZQVg==
  • Authentication-results: jisc.ac.uk; dkim=none (message not signed) header.d=none;jisc.ac.uk; dmarc=none action=none header.from=ukri.org;

> I don't know a huge amount about the inner workings of the different
> algorithms

I know even less, but a look at
https://www.w3.org/TR/xmlenc-core/#sec-RSA-OAEP suggests that the same
encryption is being used in the two cases.

"#rsa-oaep-mgf1p identifier defines the mask generation function as the fixed
value of MGF1 with SHA1"

Whereas "#rsa-oaep identifier defines the mask generation function using the
optional xenc11:MGF element", and in the diffs you give, that element gives
the URI http://www.w3.org/2009/xmlenc11#mgf1sha1, which is MGF1 with SHA1.

So, the algorithm is the same, just identified differently.

Which is not to say that this isn't the cause of the problem.

Alan.

-----Original Message-----
From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org>
On Behalf Of Matthew Slowe
Sent: 06 August 2020 10:47
To: cat-users AT lists.geant.org
Subject: Re: [[cat-users]] Unable to authenticate


> On 6 Aug 2020, at 10:08, Alan Cox - UKRI <Alan.Cox AT ukri.org> wrote:
>
> I've just experienced what seems to be the same error, though with a
> Shibboleth 3.4.6 IdP - https://nerckwshibba.nerc.ac.uk/idp/shibboleth.

Our 3.4.6 IdP is also now seeing the same thing - as is the new v4 IdP.

Comparing the assertion for CAT with a "known good" assertion (against an SP
which doesn't assert any algorithm requirements), I note these differences:

--- ref.xml2020-08-06 10:38:45.000000000 +0100
+++ cat.xml2020-08-06 10:38:56.000000000 +0100
@@ -4,8 +4,9 @@
<xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Id="id" Recipient="sp-entityid">
- <xenc:EncryptionMethod
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";>
+ <xenc:EncryptionMethod
+ xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
+ Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep";>
<ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+ <xenc11:MGF xmlns:xenc11="http://www.w3.org/2009/xmlenc11#";
+ Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha1"/>
</xenc:EncryptionMethod>
</xenc:EncryptedKey>
</ds:KeyInfo>


I don't know a huge amount about the inner workings of the different
algorithms, but I do wonder if SimpleSAMLphp doesn't support "rsa-oaep" but
does support "rsa-oaep-mgf1p" but, because the first one is listed first it's
using that?

--
Matthew Slowe
Technical Specialist - Trust & Identity, Jisc

Direct: 07442 097185
Team: 0300 300 2212, option 2
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG To unsubscribe,
send this message:
mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users


This email and any attachments are intended solely for the use of the named
recipients. If you are not the intended recipient you must not use, disclose,
copy or distribute this email or any of its attachments and should notify the
sender immediately and delete this email from your system. UK Research and
Innovation (UKRI) has taken every reasonable precaution to minimise risk of
this email or any attachments containing viruses or malware but the recipient
should carry out its own virus and malware checks before opening the
attachments. UKRI does not accept any liability for any losses or damages
which the recipient may sustain due to presence of any viruses. Opinions,
conclusions or other information in this message and attachments that are not
related directly to UKRI business are solely those of the author and do not
represent the views of UKRI.




Archive powered by MHonArc 2.6.19.

Top of Page