Six feeds were tested:
Feed-A1 signed with a valid certificate CERT1 containing ds:KeyInfo with ds:X509Data / ds:X509Certificate but no ds:Modulus
Feed-A2 signed with a valid certificate CERT1 containing ds:KeyInfo with ds:KeyValue / ds:RSAKeyValue / ds:Modulus and with ds:X509Data / ds:X509Certificate
Feed-B1 signed with an expired certificate CERT2 containing ds:KeyInfo with ds:X509Data / ds:X509Certificate but no ds:Modulus
Feed-B2 signed with an expired certificate CERT2 containing ds:KeyInfo with ds:KeyValue / ds:RSAKeyValue / ds:Modulus and with ds:X509Data / ds:X509Certificate
Feed-C signed with a valid certificate CERT1 and no ds:KeyInfo
Feed-D signed with an expired certificate CERT2 and no ds:KeyInfo
CERT1 and CERT2 are based on the same key pair.
Tools tested:
Five tools (samlsign, xmlsectool.sh, pyFF, Shibboleth MD1, SimpleSAMLphp Aggregator2) behave the same way:
The results of the xmlsec1 tool are a bit weird.
Details below:
Verify Feed-A1 using CERT1
xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --pubkey-cert-pem CERT1 Feed-A1
Exit code 0, but a warning appears:
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=18;msg=self signed certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=402:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate
result:
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Adding the option --trusted-pem CERT1 removes this warning.
xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --pubkey-cert-pem CERT1 --trusted-pem CERT1 Feed-A1
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Verify Feed-A1 using CERT2
xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --pubkey-cert-pem CERT2 Feed-A1
Exit code 0, but a warning appears:
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=18;msg=self signed certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=402:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Adding the option --trusted-pem CERT2 does not help.
Adding the option --trusted-pem CERT1 removes this warning.
Verify Feed-B1 using CERT1
xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --pubkey-cert-pem CERT1 Feed-B1
Exit code 0, but a warning appears:
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=18;msg=self signed certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=402:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Adding --trusted-pem CERT1 does not help.
Adding --trusted-pem CERT2 removes the above warning, but a new warning (not an error) appears, saying that the certificate has expired:
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=10;msg=certificate has expired
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=394:obj=x509-store:subj=unknown:error=76:certificate has expirred:err=10;msg=certificate has expired
The exit code is still 0.
Verify Feed-B1 using CERT2
xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --pubkey-cert-pem CERT2 Feed-B1
Exit code 0, but a warning appears:
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=18;msg=self signed certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=402:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Adding --trusted-pem CERT1 does not help.
Adding --trusted-pem CERT2 removes the above warning, but a new warning (not an error) appears, saying that the certificate has expired:
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=10;msg=certificate has expired
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=394:obj=x509-store:subj=unknown:error=76:certificate has expirred:err=10;msg=certificate has expired
The exit code is still 0.
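The runs above show that the xmlsec1 exit status alone cannot be relied on: the signature check needs only the public key from --pubkey-cert-pem, so an expired or untrusted certificate is reported by the OpenSSL X509 store as a warning while the tool still exits 0. The wrapper below is an added example, not part of the original tests, that turns those stderr diagnostics into a non-zero exit; it assumes xmlsec1 is on PATH, that the message text matches the output quoted above (it is version dependent), and uses placeholder FEED and CERT arguments.

```shell
#!/bin/sh
# Added wrapper (not from the original tests): xmlsec1 exits 0 even when the
# OpenSSL X509 store reports an expired certificate or a chain that is not
# anchored in --trusted-pem. Here those diagnostics become hard failures.
# Assumptions: xmlsec1 on PATH; message text as in the runs above (version
# dependent); FEED and CERT are placeholders for the real files.

ID_ATTR='--id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor'

# Stderr samples copied from the xmlsec1 runs above, used to exercise the classifier.
SAMPLE_EXPIRED='func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=10;msg=certificate has expired
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=394:obj=x509-store:subj=unknown:error=76:certificate has expirred:err=10;msg=certificate has expired'
SAMPLE_UNTRUSTED='func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=18;msg=self signed certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=402:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate'

# classify_xmlsec_stderr: read xmlsec1 stderr from stdin and return
#   0 = no x509-store complaint, 2 = certificate has expired,
#   3 = any other x509-store failure (e.g. self signed / not in --trusted-pem)
classify_xmlsec_stderr() {
    _err=$(cat)
    if printf '%s\n' "$_err" | grep -q 'msg=certificate has expired'; then
        return 2
    fi
    if printf '%s\n' "$_err" | grep -q 'obj=x509-store'; then
        return 3
    fi
    return 0
}

# verify_feed FEED CERT: verify the signature with CERT as the key and as the
# sole trust anchor, then fail on anything the X509 store complained about.
verify_feed() {
    _feed=$1; _cert=$2
    _tmp=$(mktemp) || return 1
    _rc=0; _cls=0
    # shellcheck disable=SC2086  # ID_ATTR intentionally expands to two words
    xmlsec1 --verify $ID_ATTR --pubkey-cert-pem "$_cert" --trusted-pem "$_cert" \
        "$_feed" 2>"$_tmp" || _rc=$?
    cat "$_tmp" >&2                       # keep the diagnostics visible
    classify_xmlsec_stderr <"$_tmp" || _cls=$?
    rm -f "$_tmp"
    [ "$_rc" -ne 0 ] && return "$_rc"     # a real signature failure wins
    return "$_cls"
}
```

Run as `verify_feed Feed-B1 CERT2`; with the output shown above it returns 2 instead of 0.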