
cat-users - Re: [[cat-users]] Unable to authenticate

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>
  • To: Alan Cox - UKRI <Alan.Cox AT ukri.org>, Matthew Slowe <Matthew.Slowe AT jisc.ac.uk>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Unable to authenticate
  • Date: Thu, 6 Aug 2020 12:39:08 +0000
  • Accept-language: en-US

Hi,

Yep, we're experiencing the same trying to log into CAT.

:-/

Stefan Paetow
Federated Roaming Technical Specialist

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp AT jabber.dev.ja.net
skype: stefan.paetow.janet




On 06/08/2020, 11:24, "cat-users-request AT lists.geant.org on behalf of Alan Cox - UKRI" <cat-users-request AT lists.geant.org on behalf of Alan.Cox AT ukri.org> wrote:

> I don't know a huge amount about the inner workings of the different algorithms

I know even less, but a look at
https://www.w3.org/TR/xmlenc-core/#sec-RSA-OAEP suggests that the same
encryption is being used in the two cases.

"#rsa-oaep-mgf1p identifier defines the mask generation function as the
fixed value of MGF1 with SHA1"

Whereas "#rsa-oaep identifier defines the mask generation function using
the optional xenc11:MGF element", and in the diffs you give, that element
gives the URI http://www.w3.org/2009/xmlenc11#mgf1sha1, which is MGF1 with
SHA1.

So, the algorithm is the same, just identified differently.

Which is not to say that this isn't the cause of the problem.

Alan.

-----Original Message-----
From: cat-users-request AT lists.geant.org
<cat-users-request AT lists.geant.org> On Behalf Of Matthew Slowe
Sent: 06 August 2020 10:47
To: cat-users AT lists.geant.org
Subject: Re: [[cat-users]] Unable to authenticate


> On 6 Aug 2020, at 10:08, Alan Cox - UKRI <Alan.Cox AT ukri.org> wrote:
>
> I've just experienced what seems to be the same error, though with a Shibboleth 3.4.6 IdP - https://nerckwshibba.nerc.ac.uk/idp/shibboleth.

Our 3.4.6 IdP is also now seeing the same thing - as is the new v4 IdP.

Comparing the assertion for CAT with a "known good" assertion (against an
SP which doesn't assert any algorithm requirements), I note these differences:

--- ref.xml2020-08-06 10:38:45.000000000 +0100
+++ cat.xml2020-08-06 10:38:56.000000000 +0100
@@ -4,8 +4,9 @@
<xenc:EncryptionMethod
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Id="id" Recipient="sp-entityid">
- <xenc:EncryptionMethod
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";>
+ <xenc:EncryptionMethod
+ xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
+ Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep";>
<ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+ <xenc11:MGF xmlns:xenc11="http://www.w3.org/2009/xmlenc11#";
+ Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha1"/>
</xenc:EncryptionMethod>
</xenc:EncryptedKey>
</ds:KeyInfo>
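Review bot: on the + lines the new identifier http://www.w3.org/2009/xmlenc11#rsa-oaep, together with the explicit xenc11:MGF of mgf1sha1 and the unchanged ds:DigestMethod of sha1, spells out exactly the parameters that the removed http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p identifier fixed implicitly, so the key-transport operation itself is unchanged and only the URI string differs. A consumer that recognises key-transport methods by exact URI rather than by resolved OAEP parameters will reject the cat.xml form while decrypting ref.xml without complaint, which fits an identifier-support gap on the SP side better than a cryptographic mismatch. Worth checking which EncryptionMethod URIs the SP's XML-security library accepts and, since the reference assertion was issued for an SP that asserts no algorithm requirements, whether the selection here is driven by what the CAT SP advertises. Separately, the header lines read ref.xml2020-08-06 and cat.xml2020-08-06: the tab between file name and timestamp was lost in transit, so the hunk will not apply as pasted.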


I don't know a huge amount about the inner workings of the different
algorithms, but I do wonder if SimpleSAMLphp doesn't support "rsa-oaep" but
does support "rsa-oaep-mgf1p" but, because the first one is listed first it's
using that?

--
Matthew Slowe
Technical Specialist - Trust & Identity, Jisc

Direct: 07442 097185
Team: 0300 300 2212, option 2
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG

To unsubscribe, send this message:
mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link:
https://lists.geant.org/sympa/sigrequest/cat-users



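The point made in the thread above (the two EncryptionMethod forms in the diff name the same OAEP operation under different identifiers) is easy to check with a small parser. What follows is an added example, not code from the thread, from SimpleSAMLphp or from the Shibboleth IdP: it resolves both identifier forms to their (digest, MGF) parameters using constructed EncryptedKey samples modelled on the diff, then contrasts a consumer that whitelists key-transport methods by exact URI (which rejects the xmlenc11 form) with one that whitelists by resolved parameters (which accepts both). The SHA-1 defaults applied when DigestMethod or MGF is absent follow the XML Encryption specifications; the function and variable names are my own.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed samples modelled on the two EncryptedKey elements in the diff
# (CipherData omitted; only the EncryptionMethod matters for this check).
REF_ENCRYPTED_KEY = f"""
<xenc:EncryptedKey xmlns:xenc="{XENC}" Id="id" Recipient="sp-entityid">
  <xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p">
    <ds:DigestMethod xmlns:ds="{DS}" Algorithm="{DS}sha1"/>
  </xenc:EncryptionMethod>
</xenc:EncryptedKey>
"""

CAT_ENCRYPTED_KEY = f"""
<xenc:EncryptedKey xmlns:xenc="{XENC}" Id="id" Recipient="sp-entityid">
  <xenc:EncryptionMethod Algorithm="{XENC11}rsa-oaep">
    <ds:DigestMethod xmlns:ds="{DS}" Algorithm="{DS}sha1"/>
    <xenc11:MGF xmlns:xenc11="{XENC11}" Algorithm="{XENC11}mgf1sha1"/>
  </xenc:EncryptionMethod>
</xenc:EncryptedKey>
"""


def oaep_parameters(encrypted_key_xml):
    """Return the (digest URI, MGF URI) pair the key-transport method resolves to,
    whichever of the two RSA-OAEP identifier forms the issuer used."""
    root = ET.fromstring(encrypted_key_xml.strip())
    method = root.find(f"{{{XENC}}}EncryptionMethod")
    if method is None:
        raise ValueError("EncryptedKey has no EncryptionMethod")
    algorithm = method.get("Algorithm")
    # Both specs default the digest to SHA-1 when DigestMethod is absent.
    digest_el = method.find(f"{{{DS}}}DigestMethod")
    digest = digest_el.get("Algorithm") if digest_el is not None else DS + "sha1"
    if algorithm == XENC + "rsa-oaep-mgf1p":
        # xmlenc 1.0 form: the MGF is fixed to MGF1 with SHA-1 by the identifier.
        mgf = XENC11 + "mgf1sha1"
    elif algorithm == XENC11 + "rsa-oaep":
        # xmlenc 1.1 form: the MGF comes from the optional xenc11:MGF element,
        # defaulting to MGF1 with SHA-1 when it is absent.
        mgf_el = method.find(f"{{{XENC11}}}MGF")
        mgf = mgf_el.get("Algorithm") if mgf_el is not None else XENC11 + "mgf1sha1"
    else:
        raise ValueError(f"not an RSA-OAEP key transport method: {algorithm}")
    return (digest, mgf)


def accepted_by_uri(encrypted_key_xml, allowed_uris):
    """Naive consumer: accept only if the Algorithm URI string is on the list."""
    root = ET.fromstring(encrypted_key_xml.strip())
    method = root.find(f"{{{XENC}}}EncryptionMethod")
    return method is not None and method.get("Algorithm") in allowed_uris


def accepted_by_parameters(encrypted_key_xml, allowed_parameters):
    """Robust consumer: accept if the resolved (digest, MGF) pair is on the list."""
    try:
        return oaep_parameters(encrypted_key_xml) in allowed_parameters
    except ValueError:
        return False


if __name__ == "__main__":
    legacy_uri_only = {XENC + "rsa-oaep-mgf1p"}
    sha1_oaep = {(DS + "sha1", XENC11 + "mgf1sha1")}
    for name, xml in (("ref.xml", REF_ENCRYPTED_KEY), ("cat.xml", CAT_ENCRYPTED_KEY)):
        print(name, oaep_parameters(xml),
              "uri-match:", accepted_by_uri(xml, legacy_uri_only),
              "parameter-match:", accepted_by_parameters(xml, sha1_oaep))
```

Running it prints identical parameter pairs for both samples; the URI-matching consumer accepts only the ref.xml form, which is the behaviour a consumer keyed on the 1.0 identifier would show against the CAT assertion.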




