Six feeds were tested:
Feed-A1 signed with a valid certificate CERT1 containing ds:KeyInfo with ds:X509Data / ds:X509Certificate but no ds:Modulus
Feed-A2 signed with a valid certificate CERT1 containing ds:KeyInfo with ds:KeyValue / ds:RSAKeyValue / ds:Modulus and with ds:X509Data / ds:X509Certificate
Feed-B1 signed with an expired certificate CERT2 containing ds:KeyInfo with ds:X509Data / ds:X509Certificate but no ds:Modulus
Feed-B2 signed with an expired certificate CERT2 containing ds:KeyInfo with ds:KeyValue / ds:RSAKeyValue / ds:Modulus and with ds:X509Data / ds:X509Certificate
Feed-C signed with a valid certificate CERT1 and no ds:KeyInfo
Feed-D signed with an expired certificate CERT2 and no ds:KeyInfo
CERT1 and CERT2 are based on the same key pair.
Tools tested:
- samlsign (version 3.0.0)
- xmlsectool.sh (version 2.0.0)
- pyFF (0.10.0dev)
- Shibboleth MA1 (aggregator-cli-0.9.2)
- SimpleSAMLphp Aggregator2 (https://github.com/simplesamlphp/simplesamlphp-module-aggregator2)
- xmlsec1 (version 1.2.20 using libxml2-2.9.1)
Five tools (samlsign, xmlsectool.sh, pyFF, Shibboleth MA1 and SimpleSAMLphp Aggregator2) behave the same way:
- verification of all six feeds using CERT1 and CERT2 certificates is successful
- verification of all six feeds using FOREIGN_CERT certificate fails
- none of these tools reports an expiry problem for feeds signed with an expired certificate or verified using an expired certificate
The xmlsec1 results are less consistent. Details below:
- verification of feeds containing ds:Modulus (Feed-A2 and Feed-B2) always succeeds, whichever certificate is used: CERT1, CERT2 or FOREIGN_CERT
- verification using the FOREIGN_CERT certificate fails for feeds without ds:Modulus (Feed-A1, Feed-B1, Feed-C and Feed-D)
- verification of feeds without a ds:KeyInfo block (and therefore without ds:Modulus either) passes for CERT1 and CERT2, with no expiry information
Verification of feeds without ds:Modulus, case by case:
- verify Feed-A1 using CERT1
xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --pubkey-cert-pem CERT1 Feed-A1
Exit code 0, but a warning appears:
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=18;msg=self signed certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=402:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate
result:
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Adding the option --trusted-pem CERT1 removes this warning:
xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --pubkey-cert-pem CERT1 --trusted-pem CERT1 Feed-A1
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
- verify Feed-A1 using CERT2
xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --pubkey-cert-pem CERT2 Feed-A1
Exit code 0 but a warning appears:
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=18;msg=self signed certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=402:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Adding the option --trusted-pem CERT2 does not help.
Adding the option --trusted-pem CERT1 removes this warning.
- verify Feed-B1 using CERT1
xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --pubkey-cert-pem CERT1 Feed-B1
Exit code 0 but a warning appears:
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=18;msg=self signed certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=402:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Adding --trusted-pem CERT1 does not help.
Adding --trusted-pem CERT2 removes the above warning but a new warning (not error) appears (certificate has expired):
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=10;msg=certificate has expired
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=394:obj=x509-store:subj=unknown:error=76:certificate has expirred:err=10;msg=certificate has expired
The exit code is still 0.
- verify Feed-B1 using CERT2
xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --pubkey-cert-pem CERT2 Feed-B1
Exit code 0 but a warning appears:
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=18;msg=self signed certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=402:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Adding --trusted-pem CERT1 does not help.
Adding --trusted-pem CERT2 removes the above warning but a new warning (not error) appears (certificate has expired):
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=354:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=PL/O=PIONIER/CN=eduGAIN Metadata Signer;err=10;msg=certificate has expired
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=394:obj=x509-store:subj=unknown:error=76:certificate has expirred:err=10;msg=certificate has expired
The exit code is still 0.
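The two gaps the tests above expose, that xmlsec1 verifies against a key carried in the feed's own ds:KeyValue and that none of the tools flags an expired signer, can be caught by a consumer before the feed is handed to the verifier. The Python below is an added illustration, not code from any of the tools listed: it pins the embedded ds:X509Certificate to an expected SHA-256 fingerprint, reports a ds:KeyValue, and reads notAfter with a minimal DER walk; the feed and the certificate skeleton it runs on are constructed for the example (the skeleton is a placeholder, not CERT1 or CERT2).

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
DS = "{http://www.w3.org/2000/09/xmldsig#}"
def _tlv(buf, pos):                                  # one DER TLV header -> (tag, value_start, value_end)
    tag, ln, hdr = buf[pos], buf[pos + 1], 2
    if ln & 0x80:                                    # long-form length
        hdr = 2 + (ln & 0x7F)
        ln = int.from_bytes(buf[pos + 2:pos + hdr], "big")
    return tag, pos + hdr, pos + hdr + ln

def cert_not_after(der):                             # Certificate -> tbsCertificate -> validity.notAfter (UTC)
    _, p, _ = _tlv(der, 0)                           # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                           # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    p = end if tag == 0xA0 else p                    # skip the optional explicit [0] version
    for _ in range(3):                               # skip serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)                           # validity SEQUENCE
    _, _, p = _tlv(der, p)                           # skip notBefore
    tag, vs, ve = _tlv(der, p)                       # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[vs:ve].decode(), fmt).replace(tzinfo=timezone.utc)

def check_feed(feed_xml, pinned_sha256, now):        # policy findings; an empty list means the feed is clean
    sig = ET.fromstring(feed_xml).find(f".//{DS}Signature")
    if sig is None:
        return ["no ds:Signature"]
    keyinfo, findings = sig.find(f"{DS}KeyInfo"), []
    if keyinfo is None:                              # Feed-C/Feed-D case: only the verifier's own key is used
        return findings
    if keyinfo.find(f".//{DS}KeyValue") is not None:
        findings.append("ds:KeyValue present: xmlsec1 will verify against the feed's own key")
    for cert in keyinfo.iter(f"{DS}X509Certificate"):
        der = base64.b64decode("".join(cert.text.split()))
        if hashlib.sha256(der).hexdigest() != pinned_sha256:
            findings.append("embedded certificate is not the pinned signer")
        if cert_not_after(der) < now:
            findings.append("embedded certificate has expired")
    return findings
def _der(tag, body): return bytes([tag, len(body)]) + body   # short-form DER, enough for the sample
# Constructed stand-in for the expired CERT2: a minimal tbsCertificate skeleton, not a real certificate.
SAMPLE_DER = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
    + _der(0x30, b"") + _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"210101000000Z"))))
PINNED_SHA256 = hashlib.sha256(SAMPLE_DER).hexdigest()  # fingerprint an operator would pin for the signer
CHECK_TIME = datetime(2022, 1, 1, tzinfo=timezone.utc)   # constructed "now", later than the sample's notAfter
SAMPLE_FEED = f"""<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="x"><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/><ds:SignatureValue/><ds:KeyInfo><ds:KeyValue>
<ds:RSAKeyValue><ds:Modulus>AQAB</ds:Modulus></ds:RSAKeyValue></ds:KeyValue><ds:X509Data><ds:X509Certificate>
{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></EntitiesDescriptor>"""
```

Only run xmlsec1 with --trusted-pem against the pinned certificate when check_feed returns an empty list; the DER walk is deliberately minimal and assumes a well-formed certificate.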