...
It has the following behavior, implications, and problems.
| Table of Contents |
|---|
Attributes
Name | Type | Default | Description |
|---|
type type | string | Required | Plugin type name. |
Child Elements
Name | Cardinality | Description | |
|---|---|---|---|
<KeyInfoResolver> <KeyInfoResolver> | 0 or 1 | Advanced plugin interface for | |
mapping <ds: |
KeyInfo> elements into keying material. Mostly for future use. |
Validating Signatures
Each <md:KeyDescriptor> is resolved into a key. If the signature can be verified with one of the keys, then the engine returns success.
The following <ds:KeyInfo> children can be resolved into keys without additional plugin support:
<ds:KeyValue>/<ds:RSAKeyValue><ds:KeyValue>/<ds:DSAKeyValue><ds:X509Data>/<ds:X509Certificate>
Note that under no circumstances is an X.509 certificate evaluated on any level when resolving a key. If it is a correctly encoded certificate, the signed key will be resolved. Valid or expired certificates issued by any signer with any sort of extensions are acceptable.
...
The following <ds:KeyInfo> children can be resolved into keys without additional plugin support:
<ds:KeyValue>/<ds:RSAKeyValue><ds:KeyValue>/<ds:DSAKeyValue><ds:X509Data>/<ds:X509Certificate>
Note that under no circumstances is an X.509 certificate evaluated on any level by Shibboleth during the operation. Valid or expired certificates issued by any signer with any sort of extensions are acceptable as long as they contain the same key that is presented.
...