- JMVN-70: Stop depending on shib-shared (Rod Widdowson)
- JMVN-69: Release Enforcer-data version 1.0.17 (resolved; Philip Smart)
- JMVN-68: Remove signatures from the enforcer data (resolved)
- JMVN-67: Release Enforcer-data version 1.0.16 (resolved; Rod Widdowson)
- JMVN-66: Release a new enforcer-parent (resolved)
- JMVN-65: Release enforcer 3.3.0 (resolved; Philip Smart)
- JMVN-64: Rebase on Shibboleth Java 17 platform (resolved)
- JMVN-63: Expose the "list all keys" command-line functionality (Rod Widdowson)
- JMVN-62: Enforcer appears to not work when run from outside the home directory (Rod Widdowson)
- JMVN-61: Teach the m2 enforcer to sig check zip files (resolved)
- JMVN-60: Build and Release Enforcer 3.2.2 and enforcer-parent 1..0.5 (resolved; Rod Widdowson)
- JMVN-59: MVN-DATA should be able to check itself (resolved; Rod Widdowson)
- JMVN-58: SNAPSHOT of the DATA project broken by webflow changes (resolved)
- JMVN-57: Clean up logging & logging levels (Rod Widdowson)
- JMVN-55: Review the need for all the POM parsing and warnings (resolved; Rod Widdowson)
- JMVN-54: Release Enforcer Data V1.0.14 (resolved; Rod Widdowson)
- JMVN-53: General maintenance after latest enforcer data release (resolved; Rod Widdowson)
- JMVN-52: OpenID Provider (OP) and Relying Party (RP) enforcer-data overrides (resolved; Philip Smart)
- JMVN-51: Release maven java-mvn-enforcer-data repository 1.0.13 (resolved; Rod Widdowson)
- JMVN-50: Allow local signature from data JAR to be used before resolving (resolved)
- JMVN-56: Prune keys for Spring Web Flow when possible (resolved)
- JMVN-49: Enforcer fails with an NPE if it could not load signature for enforcer-data from maven (resolved; Rod Widdowson)
- JMVN-48: Release profile doesn't build (resolved; Rod Widdowson)
- JMVN-47: Release maven-dist-enforcer 3.2.0 (resolved; Rod Widdowson)
- JMVN-46: Release maven java-mvn-enforcer-data repository 1.0.12 (resolved; Rod Widdowson)
- JMVN-45: Investigate building a parent pom with the minimum subset of JPAR (resolved; Rod Widdowson)
- JMVN-43: Pom 'Parser' fails ungracefully if it finds an undefined property (resolved; Rod Widdowson)
- JMVN-42: Enforcer needs to learn about classifiers for the distribution signature check (resolved; Rod Widdowson)
- JMVN-41: Release maven java-mvn-enforcer-data repository 1.0.11 (resolved; Rod Widdowson)
- JMVN-40: Release maven IdP distribution enforcer data repository 1.0.10 (resolved; Philip Smart)
- JMVN-39: Document "diagnosing signature issues" (resolved; Rod Widdowson)
- JMVN-38: Detect missing keyrings, even when artifacts are SNAPSHOT (resolved; Rod Widdowson)
- JMVN-37: Remove or replace the parent projects for the enforcer and enforcer data (resolved; Rod Widdowson)
- JMVN-36: Release maven IdP distribution enforcer data repository 1.0.5 (resolved; Philip Smart)
- JMVN-35: Release maven IdP distribution enforcer data repository 1.0.4 (resolved; Rod Widdowson)
- JMVN-34: List all keys in the repository (resolved; Rod Widdowson)
- JMVN-33: Make it possible to run the M2 enforcer as a maven command line (Rod Widdowson)
- JMVN-32: Release maven IdP distribution enforcer data repository 1.0.3 (resolved; Rod Widdowson)
- JMVN-31: Move parent poms up after the 4.2 release (resolved; Rod Widdowson)
- JMVN-30: Release maven IdP distribution enforcer rule 3.1.1 (resolved; Rod Widdowson)
- JMVN-29: Release maven IdP distribution enforcer data repository 1.0.2 (resolved; Rod Widdowson)
- JMVN-28: Keying for net.shibboleth.maven.enforcer.rules does not contain all potential signatories (resolved; Rod Widdowson)
- JMVN-27: Release maven IdP distribution enforcer data repository 1.0.1 (resolved; Rod Widdowson)
- JMVN-26: Distribution signature checker cannot handle versions with dashes (resolved; Rod Widdowson)
- JMVN-25: Artifact deriver gives wrong version information for garnished jar names (resolved; Rod Widdowson)
- JMVN-23: Missing keys for checking an M2 repository (resolved; Rod Widdowson)
- JMVN-22: SNAPSHOT version checking is too strict for M2 checking (resolved; Rod Widdowson)
- JMVN-21: Release maven IdP distribution enforcer data repository 1.0.0 (resolved; Philip Smart)
- JMVN-20: Release maven IdP distribution enforcer rule 3.1.0 (resolved; Philip Smart)
- JMVN-19: Investigate getting maven coordinates from the M2 address rather than the pom (when m2 checking) (resolved; Rod Widdowson)
samlsign-ed metadata: "Signature trust establishment failed" at IdP
Environment: RHEL 5.3 with official RPMs
Activity
Scott Cantor August 31, 2009 at 2:10 PM
Bug identified in Java xmlsec library.
Scott Cantor August 31, 2009 at 2:08 PM
Linking to underlying library improvements related to Java bug.
Scott Cantor August 27, 2009 at 4:00 PM
I'm going nuts or something, but the Java log I got with xmlsec 1.4.2 shows it including the xmlns:xml attributes. If that's true, either I blew it and misunderstood the spec and broke my version, or the Java's broken now. Maybe it always was, but I can't understand where I could have found this bug at all unless the Java was doing it right.
I have a question into Sun's committer, and once I confirm I'll probably close this and open a bug against the Java library.
Scott Cantor August 27, 2009 at 2:03 PM
Ok, I thought you meant it failed in some other non-signature fashion. I probably won't need it, but it wouldn't hurt if you want to attach the breaking digest log.
peter August 27, 2009 at 1:38 PM (edited)
The more explicit version got truncated while trying to cut down the length of my reply
Works fine with the decl removed – SP, IdP, oXygen are all happy.
As for IdP messages: all that I could think that might be relevant is in the first two of my shibboleth-users messages regarding this issue:
https://mail.internet2.edu/wws/arc/shibboleth-users/2009-08/msg00378.html
https://mail.internet2.edu/wws/arc/shibboleth-users/2009-08/msg00389.html
I'm sorry if you meant something else. I can also attach the log with org.apache.xml.security.utils.DigesterOutputStream logging turned to DEBUG while running aacli (or something – tomorrow, that is, gotta go right now).
Description
SAML 2.0 metadata signed with samlsign fails to verify on the 2.1.2 IdP (with a SignatureVerification MetadataFilter configured) when including a certain EntityDescriptor (for a Shib-IdP). oXygen also fails to verify the signature ("Signature hash does not match signed content"). A 2.2[.1] SP with a signature filter validates this just fine.
Since the score is 2:1 (IdP, oXygen vs. OpenSAML C++) I arbitrarily assign this to OpenSAML.
I'll attach both the working signed metadata file, as well as the one with the offending IdP that breaks the signature validation for the IdP (and oXygen). The signing key is publicly available at https://wayf.aco.net/aconet-aai-metadata-signing.crt