Versions Compared

...

The first approach involves splitting the metadata source document into two distinct documents: 1) one containing the KeyAuthority elements and any entities which rely on the PKIX model; 2) one containing no KeyAuthority elements and only entities which rely solely on the explicit key model. A new metadata source provider is then defined which consumes the new PKIX-only metadata source document.


Code Block (language: xml; title: Original source: Non-PKIX entities)
<!-- KeyAuthority elements removed, and only entities using the explicit key model. -->
<md:EntitiesDescriptor name="nonPKIXEntities">

  <!-- This entity has a key specified by an X509Data element for use with the explicit key model.
       It also has a KeyName.  It is not vulnerable to this issue. -->
  <md:EntityDescriptor entityID="https://www.example2.org/sp">
    <md:SPSSODescriptor>
      <md:KeyDescriptor>
        <ds:KeyInfo>
          <ds:KeyName>www.example2.org</ds:KeyName>
          <ds:X509Data> ... </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>

  <!-- This entity has a key specified by an X509Data element for use with the explicit key model.
       It does not have a KeyName but is no longer vulnerable to this issue. -->
  <md:EntityDescriptor entityID="https://www.example3.org/sp">
    <md:SPSSODescriptor>
      <md:KeyDescriptor>
        <ds:KeyInfo>
          <ds:X509Data> ... </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>

</md:EntitiesDescriptor>
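The split described above can be mechanised rather than done by hand. The following is an added example (not code from this page or from the Shibboleth project) that takes one aggregate and produces the two documents with Python's standard xml.etree. It assumes that an entity relies only on the explicit key model when every one of its KeyDescriptor elements carries a ds:X509Data element, that a KeyDescriptor holding just a ds:KeyName must be resolved through a KeyAuthority and therefore belongs in the PKIX document, and that KeyAuthority appears in the shibmd namespace inside md:Extensions. The sample aggregate, its certificate placeholders, the entity example1 and the document name pkixEntities are constructed for the example; nonPKIXEntities is the name used on the page.

```python
"""Split a SAML metadata aggregate into a PKIX-dependent document and an
explicit-key-only document (added example, not Shibboleth project code)."""
import copy
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",   # namespace of shibmd:KeyAuthority
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def uses_explicit_key_only(entity):
    """Assumption used for the split: an entity is 'explicit key only' when every
    KeyDescriptor carries ds:X509Data.  A KeyDescriptor holding just a KeyName can
    only be resolved through a KeyAuthority, so that entity stays with PKIX."""
    descriptors = entity.findall(".//md:KeyDescriptor", NS)
    if not descriptors:
        return False   # no key material at all: leave it in the PKIX document
    return all(kd.find("ds:KeyInfo/ds:X509Data", NS) is not None for kd in descriptors)


def classify(xml_text):
    """Map each top-level entityID to True when it relies only on explicit keys."""
    root = ET.fromstring(xml_text)
    return {e.get("entityID"): uses_explicit_key_only(e)
            for e in root.findall("md:EntityDescriptor", NS)}


def split_metadata(xml_text, pkix_name="pkixEntities", nonpkix_name="nonPKIXEntities"):
    """Return (pkix_document, nonpkix_document) as XML strings.

    Only EntityDescriptor children directly under the top-level EntitiesDescriptor
    are considered; nested EntitiesDescriptor groups are not descended into."""
    root = ET.fromstring(xml_text)
    pkix = copy.deepcopy(root)
    nonpkix = copy.deepcopy(root)

    # PKIX document: keep KeyAuthority, drop entities that need no PKIX resolution.
    for ent in list(pkix.findall("md:EntityDescriptor", NS)):
        if uses_explicit_key_only(ent):
            pkix.remove(ent)
    pkix.set("name", pkix_name)

    # Non-PKIX document: drop PKIX-reliant entities and every KeyAuthority element,
    # so no trust anchor is left for a PKIX engine to fall back on.
    for ent in list(nonpkix.findall("md:EntityDescriptor", NS)):
        if not uses_explicit_key_only(ent):
            nonpkix.remove(ent)
    for ext in list(nonpkix.findall("md:Extensions", NS)):
        for ka in ext.findall("shibmd:KeyAuthority", NS):
            ext.remove(ka)
        if len(ext) == 0:          # an emptied Extensions element serves no purpose
            nonpkix.remove(ext)
    nonpkix.set("name", nonpkix_name)

    return (ET.tostring(pkix, encoding="unicode"),
            ET.tostring(nonpkix, encoding="unicode"))


def entity_ids(xml_text):
    """List the top-level entityIDs in a serialized document."""
    root = ET.fromstring(xml_text)
    return [e.get("entityID") for e in root.findall("md:EntityDescriptor", NS)]


# Constructed sample aggregate: example1 has only a KeyName (needs PKIX),
# example2 has KeyName plus X509Data, example3 has X509Data only.
SAMPLE_METADATA = """<md:EntitiesDescriptor name="allEntities"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:Extensions>
    <shibmd:KeyAuthority VerifyDepth="5">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CONSTRUCTED-CA-CERT-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </shibmd:KeyAuthority>
  </md:Extensions>
  <md:EntityDescriptor entityID="https://www.example1.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo>
        <ds:KeyName>www.example1.org</ds:KeyName>
      </ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://www.example2.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo>
        <ds:KeyName>www.example2.org</ds:KeyName>
        <ds:X509Data><ds:X509Certificate>CONSTRUCTED-SP2-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://www.example3.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo>
        <ds:X509Data><ds:X509Certificate>CONSTRUCTED-SP3-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    pkix_doc, nonpkix_doc = split_metadata(SAMPLE_METADATA)
    print("PKIX document entities:", entity_ids(pkix_doc))
    print("non-PKIX document entities:", entity_ids(nonpkix_doc))
```

Running it on the sample leaves example1 alone in the PKIX document together with the KeyAuthority, while example2 and example3 end up in the non-PKIX document with no KeyAuthority at all. The classification rule is deliberately conservative: an entity with no key material, or with any KeyDescriptor lacking X509Data, is kept on the PKIX side, so nothing silently loses the trust anchor it still depends on.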

...