An open discussion list for topics related to the eduGAIN interfederation service.

[Wolfgang Pempe <pempe AT dfn.de>]

Hi Davide,

Am 18.09.19 um 10:29 schrieb Davide Vaghetti:
> Hi Wolfgang,
>
> I'm trying to reproduce the issue you've found with the schema
> validation and xmlsectool, but I can't (schema taken from
> https://github.com/ukf/ukf-meta).
>
> Could you send us the command used?

sorry, my/our bad. It seems to be a bug in a stylesheet we use to insert 
some entity attributes. We'll fix that.

Sorry for the confusion,
Wolfgang

> Cheers,
> Davide
>
> On 18/09/19 08:28, Wolfgang Pempe wrote:
> > Hi,
> >
> > Am 18.09.19 um 08:09 schrieb Zenon Mousmoulas:
> > > Hi,
> > >
> > > the eduGAIN aggregate feed currently (since last night) contains an
> > > EntityDescriptor that looks like this:
> > >
> > >     <md:EntityDescriptor
> > > entityID="https://accounts.ulbsibiu.ro/simplesaml/saml2/idp/metadata.php";>
> > >
> > >       <ds:Signature>
> > >         <ds:SignedInfo>
> > >           <ds:CanonicalizationMethod
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> > >           <ds:SignatureMethod
> > > Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> > >           <ds:Reference URI="#pfx44c17c25-60d9-23df-33f8-e68b60e775ed">
> > >             <ds:Transforms>
> > >               <ds:Transform
> > > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> > >               <ds:Transform
> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> > >             </ds:Transforms>
> > >             <ds:DigestMethod
> > > Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> > >            
> > > <ds:DigestValue>/xIcnvqd7arPwlNnZ55yxbBZEL4GYYWLy8iOZwBSZwc=</ds:DigestValue>
> > >
> > >           </ds:Reference>
> > >         </ds:SignedInfo>
> > > <!-- [...] -->
> > >
> > > The reference URI is invalid. This has some side effects, among which
> > > some older version of pyFF/pyXMLSecurity gets confused by such a
> > > signature and bails out.
> >
> > The schema validation by the xmlsectool also fails. We're currently not
> > able to update our downstream metadata.
> >
> > Best regards,
> > Wolfgang
> >
> > > I suppose this signature should have been stripped at some point.
> > >
> > > Right?
> > >
> > > Thanks,
> > > Z.

--
---------------------------------------------------------------------
Wolfgang Pempe                         Phone  : +49 30 884299-308
DFN-Verein                             Fax    : +49 30 884299-370
Alexanderplatz 1                       E-Mail : pempe AT dfn.de
D-10178 Berlin                         WWW    : https://www.dfn.de
---------------------------------------------------------------------
--------------------- Deutsches Forschungsnetz ----------------------
--------- Germany's National Research and Education Network ---------
---------------------------------------------------------------------

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature