Skip to Content.
Sympa Menu

edugain-discuss - [eduGAIN-discuss] EntityDescriptor-embedded signature with invalid reference URI in eduGAIN metadata

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

[eduGAIN-discuss] EntityDescriptor-embedded signature with invalid reference URI in eduGAIN metadata


Chronological Thread 
    < Chronological >      < Thread >
  • From: "Zenon Mousmoulas" <zmousm AT noc.grnet.gr>
  • To: edugain-ot AT lists.geant.org
  • Cc: edugain-discuss AT lists.geant.org
  • Subject: [eduGAIN-discuss] EntityDescriptor-embedded signature with invalid reference URI in eduGAIN metadata
  • Date: Wed, 18 Sep 2019 06:09:46 +0000
Hi,

the eduGAIN aggregate feed currently (since last night) contains an
EntityDescriptor that looks like this:

<md:EntityDescriptor
entityID="https://accounts.ulbsibiu.ro/simplesaml/saml2/idp/metadata.php";>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#pfx44c17c25-60d9-23df-33f8-e68b60e775ed">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>

<ds:DigestValue>/xIcnvqd7arPwlNnZ55yxbBZEL4GYYWLy8iOZwBSZwc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<!-- [...] -->

The reference URI is invalid. This has some side effects, among which some
older version of pyFF/pyXMLSecurity gets confused by such a signature and
bails out.

I suppose this signature should have been stripped at some point.

Right?

Thanks,
Z.

Archive powered by MHonArc 2.6.19.

Top of Page