Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] EntityDescriptor-embedded signature with invalid reference URI in eduGAIN metadata

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] EntityDescriptor-embedded signature with invalid reference URI in eduGAIN metadata


Chronological Thread 
  • From: Davide Vaghetti <davide.vaghetti AT garr.it>
  • To: Wolfgang Pempe <pempe AT dfn.de>, edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] EntityDescriptor-embedded signature with invalid reference URI in eduGAIN metadata
  • Date: Wed, 18 Sep 2019 11:56:47 +0200



On 18/09/19 10:45, Wolfgang Pempe wrote:
> Hi Davide,
>
> Am 18.09.19 um 10:29 schrieb Davide Vaghetti:
>> Hi Wolfgang,
>>
>> I'm trying to reproduce the issue you've found with the schema
>> validation and xmlsectool, but I can't (schema taken from
>> https://github.com/ukf/ukf-meta).
>>
>> Could you send us the command used?
>
> sorry, my/our bad. It seems to be a bug in a stylesheet we use to insert
> some entity attributes. We'll fix that.
>
> Sorry for the confusion,

Not at all, happy to know schema validation works as supposed.

Cheers,
Davide

> Wolfgang
>
>>
>> Cheers,
>> Davide
>>
>> On 18/09/19 08:28, Wolfgang Pempe wrote:
>>> Hi,
>>>
>>> Am 18.09.19 um 08:09 schrieb Zenon Mousmoulas:
>>>> Hi,
>>>>
>>>> the eduGAIN aggregate feed currently (since last night) contains an
>>>> EntityDescriptor that looks like this:
>>>>
>>>>     <md:EntityDescriptor
>>>> entityID="https://accounts.ulbsibiu.ro/simplesaml/saml2/idp/metadata.php";>
>>>>
>>>>
>>>>       <ds:Signature>
>>>>         <ds:SignedInfo>
>>>>           <ds:CanonicalizationMethod
>>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>           <ds:SignatureMethod
>>>> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>>>>           <ds:Reference URI="#pfx44c17c25-60d9-23df-33f8-e68b60e775ed">
>>>>             <ds:Transforms>
>>>>               <ds:Transform
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>>               <ds:Transform
>>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>             </ds:Transforms>
>>>>             <ds:DigestMethod
>>>> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>>>>           
>>>> <ds:DigestValue>/xIcnvqd7arPwlNnZ55yxbBZEL4GYYWLy8iOZwBSZwc=</ds:DigestValue>
>>>>
>>>>
>>>>           </ds:Reference>
>>>>         </ds:SignedInfo>
>>>> <!-- [...] -->
>>>>
>>>> The reference URI is invalid. This has some side effects, among which
>>>> some older version of pyFF/pyXMLSecurity gets confused by such a
>>>> signature and bails out.
>>>
>>> The schema validation by the xmlsectool also fails. We're currently not
>>> able to update our downstream metadata.
>>>
>>> Best regards,
>>> Wolfgang
>>>
>>>>
>>>> I suppose this signature should have been stripped at some point.
>>>>
>>>> Right?
>>>>
>>>> Thanks,
>>>> Z.
>>>>
>>>
>>
>

--
Davide Vaghetti
Consortium GARR
Tel: +390502213158
Mobile: +393357779542
Skype: daserzw

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature




Archive powered by MHonArc 2.6.19.

Top of Page