samlsign-ed metadata: "Signature trust establishment failed" at IdP

Description

SAML2.0 metadata signed with samlsign fails to verify on the 2.1.2 IdP (with a SignatureVerification MetadataFilter configured) when including a certain EntityDescriptor (for a Shib-IdP). oXygen also fails to verify the signature ("Signature hash does not match signed content"). A 2.2[.1] SP with a signature filter validates this just fine.

Since the score is 2:1 (IdP, oXygen vs. OpenSAML C++) I arbitrarily assign this to OpenSAML.

I'll attach both the working signed metadata file, as well as the one with the offending IdP that breaks the signature validation for the IdP (and oXygen). The signing key is publicly available at https://wayf.aco.net/aconet-aai-metadata-signing.crt

Environment

RHEL 5.3 with official RPMs

Attachments

2

Activity

Scott Cantor 
August 31, 2009 at 2:10 PM

Bug identified in Java xmlsec library.

https://issues.apache.org/bugzilla/show_bug.cgi?id=47761

Scott Cantor 
August 31, 2009 at 2:08 PM

Linking to underlying library improvements related to Java bug.

Scott Cantor 
August 27, 2009 at 4:00 PM

I'm going nuts or something, but the Java log I got with xmlsec 1.4.2 shows it including the xmlns:xml attributes. If that's true, either I blew it and misunderstood the spec and broke my version, or the Java's broken now. Maybe it always was, but I can't understand where I could have found this bug at all unless the Java was doing it right.

I have a question into Sun's committer, and once I confirm I'll probably close this and open a bug against the Java library.

Scott Cantor 
August 27, 2009 at 2:03 PM

Ok, I thought you meant it failed in some other non-signature fashion. I probably won't need it, but it wouldn't hurt if you want to attach the breaking digest log.

peter 
August 27, 2009 at 1:38 PM
(edited)

The more explicit version got truncated while trying to cut down the length of my reply.
Works fine with the decl removed – SP, IdP, oXygen are all happy.

As for IdP messages: all that I could think that might be relevant is in the first two of my shibboleth-users messages regarding this issue:
https://mail.internet2.edu/wws/arc/shibboleth-users/2009-08/msg00378.html
https://mail.internet2.edu/wws/arc/shibboleth-users/2009-08/msg00389.html
I'm sorry if you meant something else. I can also attach the log with org.apache.xml.security.utils.DigesterOutputStream logging turned to DEBUG while running aacli (or something – tomorrow, that is, gotta go right now).
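The thread narrows the failure down to a single stray `xmlns:xml` declaration on one EntityDescriptor, which different canonicalizers treat differently and which therefore produces different digests on either side. The following is an added example, not code from the issue, OpenSAML or Shibboleth: a pre-signing check that finds such declarations in metadata text, refuses to touch an `xml` prefix bound to the wrong URI (an error under Namespaces in XML), strips the redundant ones, and shows the digest change. The EntityDescriptor sample, its entityID and URLs are constructed placeholders; it is a text-level normalizer, not a canonicalizer, and only inspects the serialized bytes.

```python
"""Pre-flight check for SAML metadata about to be signed (added example)."""
import hashlib
import re

XML_NAMESPACE = "http://www.w3.org/XML/1998/namespace"

# Matches any xmlns:xml="..." declaration, capturing the bound URI so that a
# wrong binding can be reported instead of silently removed.
_XMLNS_XML = re.compile(r'\s+xmlns:xml\s*=\s*(["\'])(.*?)\1')


def find_xmlns_xml_declarations(xml_text):
    """Return a list of (offset, uri) for every xmlns:xml declaration found."""
    return [(m.start(), m.group(2)) for m in _XMLNS_XML.finditer(xml_text)]


def strip_xmlns_xml_declarations(xml_text):
    """Remove redundant xmlns:xml declarations; refuse to touch a wrong one."""
    for offset, uri in find_xmlns_xml_declarations(xml_text):
        if uri != XML_NAMESPACE:
            raise ValueError(
                f"xmlns:xml bound to {uri!r} at offset {offset}; "
                "the xml prefix may only be bound to the XML namespace")
    return _XMLNS_XML.sub("", xml_text)


def sha1_hex(text):
    """Digest of the serialized bytes, SHA-1 as the 2009-era tooling used."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed sample: the same EntityDescriptor once without and once with the
# stray declaration the thread identified as the trigger.
CLEAN = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="https://idp.example.org/idp/shibboleth">'
    '<IDPSSODescriptor protocolSupportEnumeration='
    '"urn:oasis:names:tc:SAML:2.0:protocol">'
    '<SingleSignOnService '
    'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
    'Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>'
    '</IDPSSODescriptor></EntityDescriptor>'
)
WITH_DECL = CLEAN.replace(
    '<EntityDescriptor ',
    '<EntityDescriptor xmlns:xml="http://www.w3.org/XML/1998/namespace" ', 1)


def check(xml_text):
    """Report whether the text needs normalizing before it is signed."""
    decls = find_xmlns_xml_declarations(xml_text)
    normalized = strip_xmlns_xml_declarations(xml_text)
    return {
        "declarations": len(decls),
        "digest_before": sha1_hex(xml_text),
        "digest_after": sha1_hex(normalized),
        "normalized": normalized,
    }


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("with xmlns:xml", WITH_DECL)):
        r = check(doc)
        print(f"{label}: {r['declarations']} declaration(s), "
              f"digest {r['digest_before'][:12]} -> {r['digest_after'][:12]}")
```

Run it over the aggregate file before signing rather than after: once the signature exists, the only safe fix is to re-sign, because any change to the signed bytes invalidates it for every consumer, not only the ones that disagreed about the declaration.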

Resolution

Invalid

Details

Created August 27, 2009 at 11:54 AM
Updated June 22, 2021 at 8:48 PM
Resolved August 31, 2009 at 2:10 PM