Six feeds were tested:

Feed-A1 signed with a valid certificate CERT1 containing ds:KeyInfo with ds:X509Data / ds:X509Certificate but no ds:Modulus

Feed-A2 signed with a valid certificate CERT1 containing ds:KeyInfo with ds:KeyValue / ds:RSAKeyValue / ds:Modulus and with ds:X509Data / ds:X509Certificate

Feed-B1 signed with an expired certificate CERT2 containing ds:KeyInfo with ds:X509Data / ds:X509Certificate but no ds:Modulus

Feed-B2 signed with an expired certificate CERT2 containing ds:KeyInfo with ds:KeyValue / ds:RSAKeyValue / ds:Modulus and with ds:X509Data / ds:X509Certificate

Feed-C signed with a valid certificate CERT1 and no ds:KeyInfo

Feed-D signed with an expired certificate CERT2 and no ds:KeyInfo

CERT1 and CERT2 are based on the same key pair.

Tools tested:

Five tools (samlsign, xmlsectool.sh, pyFF, Shibboleth MD1 and SimpleSAMLphp Aggregator2) behave the same way:

  • verification of all six feeds succeeds with both CERT1 and CERT2
  • verification of all six feeds with FOREIGN_CERT fails
  • none of these tools reports an expiry problem, whether the feed was signed with the expired certificate or verified against it

The xmlsec1 results are less consistent.

Details below:

  1. verification of feeds containing ds:Modulus (Feed-A2 and Feed-B2) always succeeds, whichever certificate is supplied: CERT1, CERT2 or FOREIGN_CERT
  2. verification using FOREIGN_CERT fails for feeds without ds:Modulus (Feed-A1, Feed-B1, Feed-C and Feed-D)
  3. verification of feeds without a ds:KeyInfo block (and therefore without ds:Modulus either) passes for CERT1 and CERT2, with no expiry warning
  4. verification of feeds without ds:Modulus, case by case:
    1. verify Feed-A1 using CERT1

      xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --pubkey-cert-pem CERT1 Feed-A1

      Exit code 0, but a warning appears:

      func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=18;msg=self signed certificate
      func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=402:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate
      result:
      OK
      SignedInfo References (ok/all): 1/1
      Manifests References (ok/all): 0/0

      Adding the option --trusted-pem CERT1 removes this warning:

      xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --pubkey-cert-pem CERT1 --trusted-pem CERT1 Feed-A1
      OK
      SignedInfo References (ok/all): 1/1
      Manifests References (ok/all): 0/0
    2. verify Feed-A1 using CERT2
      xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --pubkey-cert-pem CERT2 Feed-A1

      Exit code 0 but a warning appears:

      func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=18;msg=self signed certificate
      func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=402:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate
      OK
      SignedInfo References (ok/all): 1/1
      Manifests References (ok/all): 0/0

      Adding the option --trusted-pem CERT2 does not help.

      Adding the option --trusted-pem CERT1 removes this warning.

    3. verify Feed-B1 using CERT1
      xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --pubkey-cert-pem CERT1 Feed-B1

      Exit code 0 but a warning appears:

      func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=18;msg=self signed certificate
      func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=402:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate
      OK
      SignedInfo References (ok/all): 1/1
      Manifests References (ok/all): 0/0

      Adding --trusted-pem CERT1 does not help.

      Adding --trusted-pem CERT2 removes the above warning, but a new warning (not an error) appears, reporting that the certificate has expired:

      func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=10;msg=certificate has expired
      func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=394:obj=x509-store:subj=unknown:error=76:certificate has expirred:err=10;msg=certificate has expired

      The exit code is still 0.

    4. verify Feed-B1 using CERT2
      xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --pubkey-cert-pem CERT2 Feed-B1

      Exit code 0 but a warning appears:

      func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=18;msg=self signed certificate
      func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=402:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate
      OK
      SignedInfo References (ok/all): 1/1
      Manifests References (ok/all): 0/0

      Adding --trusted-pem CERT1 does not help.

      Adding --trusted-pem CERT2 removes the above warning, but a new warning (not an error) appears, reporting that the certificate has expired:

      func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=10;msg=certificate has expired
      func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=394:obj=x509-store:subj=unknown:error=76:certificate has expirred:err=10;msg=certificate has expired

      The exit code is still 0.
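Two of the findings above deserve a check on the operator's side: item 1 (feeds carrying ds:KeyValue/ds:Modulus verify with any certificate, FOREIGN_CERT included) and item 4 (xmlsec1 exits 0 while printing certificate-store failures, including "certificate has expired"). The following Python script is an added example, not code from the report or from the xmlsec project. Its first function inspects the feed's ds:KeyInfo before verification and reports a ds:KeyValue or an embedded ds:X509Certificate that differs from the pinned certificate; its second function parses xmlsec1's output and treats any func=...:error=N line as a failure regardless of the exit code. The verify_feed wrapper runs xmlsec1 with the same options as the commands above plus openssl's x509 -checkend expiry test; the function names, the sample feeds and the fake "certificates" (random bytes, used only for fingerprint comparison) are constructed for this example.

```python
# Added example (not code from the test report): pre-flight and post-processing checks
# around "xmlsec1 --verify" for signed SAML metadata feeds.
import base64
import hashlib
import re
import subprocess
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

def sha256_b64(b64_text):
    """SHA-256 hex digest of base64-encoded DER bytes (whitespace ignored)."""
    return hashlib.sha256(base64.b64decode("".join(b64_text.split()))).hexdigest()

def pem_fingerprint(pem_text):
    """Fingerprint of the first certificate in a PEM file."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if body is None:
        raise ValueError("no PEM certificate found")
    return sha256_b64(body.group(1))

def inspect_keyinfo(feed_xml, pinned_fingerprint):
    """Findings about the feed's ds:KeyInfo. Empty list: no ds:KeyValue and every embedded
    ds:X509Certificate is the pinned one (a feed with no ds:KeyInfo also yields none)."""
    findings = []
    for keyinfo in ET.fromstring(feed_xml).iter(f"{{{DS}}}KeyInfo"):
        if keyinfo.find("ds:KeyValue", NS) is not None:
            findings.append("ds:KeyValue present: a verifier may take the key from "
                            "the feed instead of the supplied certificate")
        for cert in keyinfo.iterfind(".//ds:X509Certificate", NS):
            fp = sha256_b64(cert.text or "")
            if fp != pinned_fingerprint:
                findings.append(f"embedded ds:X509Certificate sha256:{fp[:16]}... "
                                "does not match the pinned certificate")
    return findings

ERROR_LINE = re.compile(r"^func=.*?:error=(\d+):([^:]*)")

def xmlsec_result(output):
    """Classify combined stdout/stderr of xmlsec1 --verify as (ok, reasons): ok requires
    an OK line and no func=...:error=N lines, whatever the exit code was."""
    reasons, ok_printed = [], False
    for line in output.splitlines():
        line = line.strip()
        m = ERROR_LINE.match(line)
        if m:
            msg = re.search(r"msg=(.*)$", line)
            reasons.append(f"xmlsec1 error {m.group(1)}: {m.group(2)}"
                           + (f" ({msg.group(1)})" if msg else ""))
        elif line == "OK":
            ok_printed = True
    if not ok_printed:
        reasons.append("xmlsec1 did not print OK")
    return (not reasons, reasons)

def verify_feed(feed_path, cert_path,
                id_attr="urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor"):
    """Run xmlsec1 as in the report, add openssl's expiry check, and apply both checks
    above. Needs the xmlsec1 and openssl binaries; not exercised by the tests."""
    with open(feed_path, encoding="utf-8") as fh:
        feed_xml = fh.read()
    with open(cert_path, encoding="utf-8") as fh:
        findings = inspect_keyinfo(feed_xml, pem_fingerprint(fh.read()))
    # openssl x509 -checkend 0 exits non-zero once the certificate has expired
    if subprocess.run(["openssl", "x509", "-checkend", "0", "-noout", "-in", cert_path],
                      capture_output=True, check=False).returncode != 0:
        findings.append(f"certificate {cert_path} has expired")
    proc = subprocess.run(["xmlsec1", "--verify", "--id-attr:ID", id_attr,
                           "--pubkey-cert-pem", cert_path, "--trusted-pem", cert_path,
                           feed_path], capture_output=True, text=True, check=False)
    ok, reasons = xmlsec_result(proc.stdout + proc.stderr)
    if proc.returncode != 0:
        reasons.append(f"xmlsec1 exit code {proc.returncode}")
    return (ok and proc.returncode == 0 and not findings, findings + reasons)

# Constructed sample data: fake "certificates" (not real DER, only fingerprints are
# compared) and feeds mimicking the report's Feed-A1, Feed-A2 and Feed-C layouts.
FAKE_B64 = base64.b64encode(b"constructed: not a real DER certificate").decode()
FOREIGN_B64 = base64.b64encode(b"constructed: some other certificate").decode()
PINNED_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_B64}\n-----END CERTIFICATE-----\n"

def _feed(keyinfo):
    return ('<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed"><ds:Signature>'
            f'<ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>{keyinfo}'
            '</ds:Signature></md:EntitiesDescriptor>')

def _x509(b64):
    return f"<ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data>"

FEED_A1 = _feed(f"<ds:KeyInfo>{_x509(FAKE_B64)}</ds:KeyInfo>")
FEED_A2 = _feed("<ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>AQAB</ds:Modulus>"
                f"</ds:RSAKeyValue></ds:KeyValue>{_x509(FAKE_B64)}</ds:KeyInfo>")
FEED_C = _feed("")

# xmlsec1 output exactly as quoted in the report for Feed-B1 with --trusted-pem CERT2
XMLSEC_EXPIRED = """\
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=10;msg=certificate has expired
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=394:obj=x509-store:subj=unknown:error=76:certificate has expirred:err=10;msg=certificate has expired
OK
SignedInfo References (ok/all): 1/1
"""
```

With the sample data, inspect_keyinfo reports nothing for the Feed-A1 and Feed-C layouts, flags the ds:KeyValue in the Feed-A2 layout, and flags a foreign embedded certificate; xmlsec_result turns the two "certificate has expired" lines quoted above into failure reasons even though the same output contains OK. In production the pinned certificate passed to verify_feed should be the one the feed publisher announced, not one extracted from the feed itself.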
