edugain-discuss - Re: [eduGAIN-discuss] EntityDescriptor-embedded signature with invalid reference URI in eduGAIN metadata

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Valeriu Vraciu <valeriu AT roedu.net>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] EntityDescriptor-embedded signature with invalid reference URI in eduGAIN metadata
  • Date: Wed, 18 Sep 2019 11:23:00 +0300

Hi,

It was a signature from the IdP, so now it is removed from the metadata
aggregate. If there are any other issues related to RoEduNetID, please
contact us; for sure there are some (the same IdP has an expired
certificate, and we are working with ULBSIBIU to solve this. Should we
remove the IdP information from the aggregate, although the validation
tool gives just a warning?).

Best wishes,
Valeriu.

On 18/09/2019 09:28, Wolfgang Pempe wrote:
> Hi,
>
> On 18.09.19 at 08:09, Zenon Mousmoulas wrote:
>> Hi,
>>
>> the eduGAIN aggregate feed currently (since last night) contains an
>> EntityDescriptor that looks like this:
>>
>>    <md:EntityDescriptor entityID="https://accounts.ulbsibiu.ro/simplesaml/saml2/idp/metadata.php">
>>      <ds:Signature>
>>        <ds:SignedInfo>
>>          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>>          <ds:Reference URI="#pfx44c17c25-60d9-23df-33f8-e68b60e775ed">
>>            <ds:Transforms>
>>              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>            </ds:Transforms>
>>            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>>            <ds:DigestValue>/xIcnvqd7arPwlNnZ55yxbBZEL4GYYWLy8iOZwBSZwc=</ds:DigestValue>
>>          </ds:Reference>
>>        </ds:SignedInfo>
>> <!-- [...] -->
>>
>> The reference URI is invalid. This has some side effects, among which
>> some older version of pyFF/pyXMLSecurity gets confused by such a
>> signature and bails out.
>
> The schema validation by the xmlsectool also fails. We're currently not
> able to update our downstream metadata.
>
> Best regards,
> Wolfgang
>
>>
>> I suppose this signature should have been stripped at some point.
>>
>> Right?
>>
>> Thanks,
>> Z.
>>
>

--
Valeriu Vraciu
RoEduNet

Attachment: signature.asc
Description: OpenPGP digital signature
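
A check a federation operator could run on an aggregate before publishing it, finding and stripping the kind of embedded signature discussed in this thread (an added example, not code from the list participants, pyFF or xmlsectool). It assumes a reference counts as resolvable only when its URI is `#` plus the `ID` attribute of the enclosing EntityDescriptor; the entityIDs and ID values in the sample are constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample aggregate: the first entity mirrors the thread (embedded
# signature, but no ID attribute for the reference to match); the second has
# a reference that resolves to its own ID.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}">
  <md:EntityDescriptor entityID="https://idp.example.org/dangling">
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#pfx-constructed-1"/>
    </ds:SignedInfo></ds:Signature>
  </md:EntityDescriptor>
  <md:EntityDescriptor ID="_e2" entityID="https://idp.example.org/ok">
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#_e2"/>
    </ds:SignedInfo></ds:Signature>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def reference_resolves(entity, signature):
    """True if every ds:Reference is '#' + the enclosing element's ID."""
    own_id = entity.get("ID")
    refs = signature.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if not refs or own_id is None:
        return False
    return all(ref.get("URI") == "#" + own_id for ref in refs)


def strip_dangling_signatures(root):
    """Remove embedded signatures whose reference does not resolve.

    Returns the entityIDs that had a signature removed."""
    stripped = []
    # list() so the tree is not modified while it is being walked
    for entity in list(root.iter(f"{{{MD}}}EntityDescriptor")):
        for sig in entity.findall(f"{{{DS}}}Signature"):
            if not reference_resolves(entity, sig):
                entity.remove(sig)
                stripped.append(entity.get("entityID"))
    return stripped


def audit(xml_text):
    """Parse an aggregate; return (stripped entityIDs, signatures left)."""
    root = ET.fromstring(xml_text)
    stripped = strip_dangling_signatures(root)
    return stripped, len(root.findall(f".//{{{DS}}}Signature"))
```

The check only tests whether the reference resolves; it does not verify the signature value or the digest.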



