Package: libxmltooling1 Version: 1.0-2+lenny1 Severity: grave Hi,
(elevated severity because of unrelated breakage in a security update) libxmltooling 1.0-2+lenny1 security upgrade breaks Shibboleth SPs for IdPs which have use="signing" in their IDPSSODescriptor's KeyDescriptor. I've verified that with Shibboleth 1.3 and Shibboleth 2.1.3 IdPs, both with PKIX and Inline keys. All the tests are being done in the Greek Research and Technology Network (GRNET)'s federation[1]. You can see the metadata here[2]. 1: http://aai.grnet.gr/ 2: http://aai.grnet.gr/metadata.xml Downgrading the package to 1.0-2 and restarting shibd fixes the problem. Removing use="signing" from the KeyDescriptor also fixes it, but replacing it with use="encryption" isn't (and shouldn't?). AttributeAuthorityDescriptor's KeyDescriptor seems to be irrelevant. I think the problem is in the following change: * SECURITY: Correctly honor the "use" attribute of <KeyDescriptor> SAML metadata to honor restrictions to signing or encryption. This is a partial fix; the complete fix also requires a new version of the OpenSAML library. (i.e. the getCredentialContext -> getCredentalContext) This is backported from upstream's latest version but I haven't tested a squeeze SP installation (and it's hard to). I can, however, temporarily add you in a federation along with IdPs that present the problem and also provide you demo credentials for them. The debug log in both cases is: bad: ---- XMLTooling.TrustEngine.ExplicitKey [1]: unable to validate signature, no credentials available from peer XMLTooling.TrustEngine.PKIX [1]: validating signature using certificate from within the signature XMLTooling.TrustEngine.PKIX [1]: signature verified with key inside signature, attempting certificate validation... XMLTooling.TrustEngine.PKIX [1]: checking that the certificate name is acceptable XMLTooling.TrustEngine.PKIX [1]: certificate subject: CN=a.host.name,O=Greek Research and Technology Network,C=GR XMLTooling.TrustEngine.PKIX [1]: unable to match DN, trying TLS subjectAltName match XMLTooling.TrustEngine.PKIX [1]: unable to match subjectAltName, trying TLS CN match XMLTooling.TrustEngine.PKIX [1]: certificate name was not acceptable good: ----- OpenSAML.SecurityPolicyRule.XMLSigning [3]: validating signature profile XMLTooling.KeyInfoResolver.Inline [3]: resolved 0 certificate(s) XMLTooling.TrustEngine.ExplicitKey [3]: attempting to validate signature with the peer's credentials XMLTooling.TrustEngine.ExplicitKey [3]: public key did not validate signature: Credential did not contain a verification key. XMLTooling.TrustEngine.ExplicitKey [3]: no peer credentials validated the signature XMLTooling.TrustEngine.PKIX [3]: validating signature using certificate from within the signature XMLTooling.TrustEngine.PKIX [3]: signature verified with key inside signature, attempting certificate validation... XMLTooling.TrustEngine.PKIX [3]: checking that the certificate name is acceptable XMLTooling.TrustEngine.PKIX [3]: certificate subject: CN=a.host.name,O=Greek Research and Technology Network,C=GR XMLTooling.TrustEngine.PKIX [3]: unable to match DN, trying TLS subjectAltName match XMLTooling.TrustEngine.PKIX [3]: matched DNS/URI subjectAltName to a key name (a.host.name) XMLTooling.TrustEngine.PKIX [3]: performing certificate path validation... Thanks, Faidon -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
