Bug#549936: breaks Shibboleth SPs: IdPs with KeyDescriptor use="signing" are broken

Faidon Liambotis paravoid at debian.org
Tue Oct 6 13:59:06 UTC 2009


Package: libxmltooling1
Version: 1.0-2+lenny1
Severity: grave

Hi,

(elevated severity because of unrelated breakage in a security update)

libxmltooling 1.0-2+lenny1 security upgrade breaks Shibboleth SPs for IdPs
which have use="signing" in their IDPSSODescriptor's KeyDescriptor.

I've verified that with Shibboleth 1.3 and Shibboleth 2.1.3 IdPs, both with
PKIX and Inline keys. All the tests are being done in the Greek Research and
Technology Network (GRNET)'s federation[1]. You can see the metadata here[2].

1: http://aai.grnet.gr/
2: http://aai.grnet.gr/metadata.xml

Downgrading the package to 1.0-2 and restarting shibd fixes the problem.
Removing use="signing" from the KeyDescriptor also fixes it, but replacing it
with use="encryption" doesn't (and shouldn't?). AttributeAuthorityDescriptor's
KeyDescriptor seems to be irrelevant.

I think the problem is in the following change:
   * SECURITY: Correctly honor the "use" attribute of <KeyDescriptor> SAML
     metadata to honor restrictions to signing or encryption.  This is a
     partial fix; the complete fix also requires a new version of the
     OpenSAML library.
(i.e. the getCredentialContext -> getCredentalContext)

This is backported from upstream's latest version but I haven't tested a
squeeze SP installation (and it's hard to).

I can, however, temporarily add you in a federation along with IdPs that
present the problem and also provide you demo credentials for them.

The debug log in both cases is:

bad:
----
XMLTooling.TrustEngine.ExplicitKey [1]: unable to validate signature, no credentials available from peer
XMLTooling.TrustEngine.PKIX [1]: validating signature using certificate from within the signature
XMLTooling.TrustEngine.PKIX [1]: signature verified with key inside signature, attempting certificate validation...
XMLTooling.TrustEngine.PKIX [1]: checking that the certificate name is acceptable
XMLTooling.TrustEngine.PKIX [1]: certificate subject: CN=a.host.name,O=Greek Research and Technology Network,C=GR
XMLTooling.TrustEngine.PKIX [1]: unable to match DN, trying TLS subjectAltName match
XMLTooling.TrustEngine.PKIX [1]: unable to match subjectAltName, trying TLS CN match
XMLTooling.TrustEngine.PKIX [1]: certificate name was not acceptable

good:
-----
OpenSAML.SecurityPolicyRule.XMLSigning [3]: validating signature profile
XMLTooling.KeyInfoResolver.Inline [3]: resolved 0 certificate(s)
XMLTooling.TrustEngine.ExplicitKey [3]: attempting to validate signature with the peer's credentials
XMLTooling.TrustEngine.ExplicitKey [3]: public key did not validate signature: Credential did not contain a verification key.
XMLTooling.TrustEngine.ExplicitKey [3]: no peer credentials validated the signature
XMLTooling.TrustEngine.PKIX [3]: validating signature using certificate from within the signature
XMLTooling.TrustEngine.PKIX [3]: signature verified with key inside signature, attempting certificate validation...
XMLTooling.TrustEngine.PKIX [3]: checking that the certificate name is acceptable
XMLTooling.TrustEngine.PKIX [3]: certificate subject: CN=a.host.name,O=Greek Research and Technology Network,C=GR
XMLTooling.TrustEngine.PKIX [3]: unable to match DN, trying TLS subjectAltName match
XMLTooling.TrustEngine.PKIX [3]: matched DNS/URI subjectAltName to a key name (a.host.name)
XMLTooling.TrustEngine.PKIX [3]: performing certificate path validation...

Thanks,
Faidon
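As an added example (not from this report or from xmltooling), the filter below shows the behaviour the report expects of an SP when it resolves an IdP's KeyDescriptors for signature verification: a KeyDescriptor with use="signing" or with no use attribute is eligible, use="encryption" is not, and KeyDescriptors under AttributeAuthorityDescriptor are ignored when checking SSO signatures. The metadata document, entity ID and KeyName values are constructed; the namespaces are the standard SAML 2.0 metadata and XML-DSig ones.

```python
# Added example: select KeyName values from SAML metadata for one usage,
# honoring the KeyDescriptor "use" attribute the way the report expects.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: three KeyDescriptors on the IdP's SSO role, plus one on
# an AttributeAuthorityDescriptor that must not affect SSO signature checks.
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:KeyName>idp-sign.example.org</ds:KeyName></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:KeyName>idp-enc.example.org</ds:KeyName></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor>
        <ds:KeyInfo><ds:KeyName>idp-both.example.org</ds:KeyName></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
    <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:KeyName>aa.example.org</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    </md:AttributeAuthorityDescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def usable_for(key_descriptor, usage):
    """No use= means the key serves both purposes; otherwise it must match."""
    use = key_descriptor.get("use")
    return use is None or use == usage


def key_names(metadata_xml, entity_id, role, usage="signing"):
    """Return KeyName values an SP may use for `usage` from the `role`
    descriptor (e.g. IDPSSODescriptor) of `entity_id`. A PKIX trust engine
    matches such names against the signing certificate's subjectAltName."""
    root = ET.fromstring(metadata_xml)
    names = []
    for entity in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if entity.get("entityID") != entity_id:
            continue
        for kd in entity.findall(f"md:{role}/md:KeyDescriptor", NS):
            if usable_for(kd, usage):
                names.extend(kn.text for kn in kd.findall("ds:KeyInfo/ds:KeyName", NS))
    return names
```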
