janus-ssp / janus

Fully featured metadata registration administration module built on top of simpleSAMLphp.

Certificate import fails on given metadata #570

Closed surfnet-niels closed 9 years ago

surfnet-niels commented 9 years ago

When trying to import metadata from the URL below (either via URL or copy-pasting into XML textfield) the metadata certificate does not get imported, while the other metadata fields do get imported. Manually adding the cert after the entity is created does work. Why does importing the cert fail?

https://crebain2.ics.muni.cz/Shibboleth.sso/Metadata

pmeulen commented 9 years ago

The metadata in question:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_e850518fa055b9e166bb83d572a0771def0569d1" entityID="https://crebain2.ics.muni.cz/shibboleth">

  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
    <md:Extensions>
      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://crebain2.ics.muni.cz/Shibboleth.sso/Login"/>
      <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://crebain2.ics.muni.cz/Shibboleth.sso/Login" index="1"/>
    </md:Extensions>
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>crebain2.ics.muni.cz</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=crebain2.ics.muni.cz,OU=Domain Control Validated,DC=tcs,DC=terena,DC=org</ds:X509SubjectName>
          <ds:X509Certificate>MIIFDTCCA/WgAwIBAgIRAJV88F7G/5OsGI/IoU42siQwDQYJKoZIhvcNAQELBQAw...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://crebain2.ics.muni.cz/Shibboleth.sso/Artifact/SOAP" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://crebain2.ics.muni.cz/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://crebain2.ics.muni.cz/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://crebain2.ics.muni.cz/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://crebain2.ics.muni.cz/Shibboleth.sso/SLO/Artifact"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://crebain2.ics.muni.cz/Shibboleth.sso/SAML2/POST" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://crebain2.ics.muni.cz/Shibboleth.sso/SAML2/POST-SimpleSign" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://crebain2.ics.muni.cz/Shibboleth.sso/SAML2/Artifact" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://crebain2.ics.muni.cz/Shibboleth.sso/SAML2/ECP" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://crebain2.ics.muni.cz/Shibboleth.sso/SAML/POST" index="4"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://crebain2.ics.muni.cz/Shibboleth.sso/SAML/Artifact" index="5"/>
  </md:SPSSODescriptor>

</md:EntityDescriptor>
thijskh commented 9 years ago

This is caused by use="signing" which is missing from KeyDescriptor, so the key is both for encryption and signing, leading Janus to erroneously conclude that this is an encryption key which it will skip if encryption is not enabled. The pull request should fix this.
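Added example, not Janus project code and not part of the thread: a small Python parser that extracts X509 certificates from SAML 2.0 metadata and classifies them by role, showing why a KeyDescriptor with no `use` attribute must be treated as valid for both signing and encryption. The `treat_missing_use_as_encryption` flag reproduces the faulty classification described above (key without `use` read as encryption-only, then skipped when encryption is disabled) beside the correct behaviour. The sample metadata and the certificate strings are constructed placeholders that mirror the structure of the EntityDescriptor quoted in the issue; the function and parameter names are this example's own.

```python
"""Added example (not Janus code): classify certificates in SAML 2.0 metadata.

Per the SAML 2.0 metadata specification, the `use` attribute on
md:KeyDescriptor is optional; when it is absent the key may be used for both
signing and encryption.  Reading an absent `use` as "encryption" loses the
SP's signing certificate as soon as encryption keys are skipped.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata (placeholder entity and certificate bodies,
# not real keys); structure mirrors the issue's EntityDescriptor.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>PLACEHOLDER-CERT-NO-USE-ATTRIBUTE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>PLACEHOLDER-CERT-ENCRYPTION-ONLY</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def key_descriptor_uses(kd: ET.Element) -> set[str]:
    """Return the roles a KeyDescriptor declares (spec-conformant reading)."""
    use = kd.get("use")
    if use is None:
        # No `use` attribute: the key serves both purposes.
        return {"signing", "encryption"}
    if use not in ("signing", "encryption"):
        raise ValueError(f"invalid KeyDescriptor use: {use!r}")
    return {use}


def extract_certificates(metadata_xml: str, *, encryption_enabled: bool,
                         treat_missing_use_as_encryption: bool = False) -> dict[str, list[str]]:
    """Collect base64 certificate bodies from the metadata, keyed by role.

    treat_missing_use_as_encryption=True reproduces the faulty behaviour from
    the issue: a KeyDescriptor without `use` is classified as encryption-only
    and therefore dropped entirely when encryption is disabled.
    """
    root = ET.fromstring(metadata_xml)
    result: dict[str, list[str]] = {"signing": [], "encryption": []}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if treat_missing_use_as_encryption and kd.get("use") is None:
            uses = {"encryption"}
        else:
            uses = key_descriptor_uses(kd)
        if not encryption_enabled:
            uses.discard("encryption")
        certs = [
            "".join(cert.text.split())  # drop whitespace/newlines inside base64
            for cert in kd.iterfind(".//ds:X509Certificate", NS)
            if cert.text
        ]
        for role in uses:
            result[role].extend(certs)
    return result


if __name__ == "__main__":
    buggy = extract_certificates(SAMPLE_METADATA, encryption_enabled=False,
                                 treat_missing_use_as_encryption=True)
    fixed = extract_certificates(SAMPLE_METADATA, encryption_enabled=False)
    print("faulty reading  :", buggy)  # signing list is empty: cert silently dropped
    print("correct reading :", fixed)  # signing list holds the use-less certificate
```

With encryption disabled, the faulty reading imports no certificate at all, which matches the symptom reported at the top of the thread; the correct reading keeps the `use`-less certificate as a signing key and only skips the descriptor explicitly marked `use="encryption"`.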