CRL in Signature of Metadata is not processed when using PKIX path validation
Activity
Scott Cantor June 23, 2009 at 12:46 PM
Closing after releases.
Scott Cantor September 23, 2008 at 9:51 AM
http://svn.middleware.georgetown.edu/view/cpp-xmltooling?view=rev&revision=525
Fix is to xmltooling, will be picked up by new version of opensaml.
Scott Cantor September 23, 2008 at 9:42 AM
Thanks. My latest code fails with a "certificate revoked" message from OpenSSL.
It also seems to matter where in the chain you find a revocation. If you tell it to require a CRL for every cert in the chain, it still reports that error because it found the revocation at the lowest level, and never notices the missing CRL above that level. Just noting it for the record.
So, I'm going to close this bug specifically, since the core issue is fixed (CRLs are now checked), and I created separate linked issues for the remaining changes.

Patrik Schnellmann September 23, 2008 at 9:16 AM (edited)
In <MetadataProvider type="XML" uri="https://bugs.internet2.edu/jira/secure/attachment/10172/metadata.test.xml"> the full PKIX validation of the signature is supposed to fail as the signing certificate is revoked in the included CRL. (The previous attachment wouldn't fail because the wrong cert serial was in the CRL.)

Patrik Schnellmann September 23, 2008 at 8:31 AM (edited)
A sample metadata file with CRL expiring Oct 13. Serial 49621308769A88C7AD69D6AD6928A09DEAF6D34F revoked (Subject: "C=CH, O=Switch - Teleinformatikdienste fuer Lehre und Forschung, CN=SWITCHaai Metadata Signer").
If the signature on the metadata contains CRLs, they are not evaluated in the PKIX path validation. They should be processed as they are part of the signature validation.
The MD Filter is configured as follows:
<MetadataFilter type="Signature" verifyName="false">
    <TrustEngine type="StaticPKIX" verifyDepth="3">
        <CredentialResolver type="File">
            <Certificate format="DER">
                <Path>SWITCHaaiRootCA.crt</Path>
            </Certificate>
        </CredentialResolver>
    </TrustEngine>
</MetadataFilter>
And some log information:
2008-08-27 11:29:12 INFO OpenSAML.Metadata [5]: applying metadata filter (Signature)
2008-08-27 11:29:12 DEBUG XMLTooling.TrustEngine.PKIX [5]: validating signature using certificate from within the signature
2008-08-27 11:29:12 DEBUG XMLTooling.TrustEngine.PKIX [5]: signature verified with key inside signature, attempting certificate validation...
2008-08-27 11:29:12 DEBUG XMLTooling.TrustEngine.PKIX [5]: performing certificate path validation...
2008-08-27 11:29:12 DEBUG XMLTooling.TrustEngine [5]: building CA list from PKIX Validation information
2008-08-27 11:29:12 DEBUG XMLTooling.TrustEngine [5]: successfully validated certificate chain
2008-08-27 11:29:12 INFO Shibboleth.Application [5]: building TrustEngine of type Chaining...
2008-08-27 11:29:12 INFO XMLTooling.TrustEngine.Chaining [5]: building TrustEngine of type ExplicitKey
2008-08-27 11:29:12 INFO XMLTooling.TrustEngine.Chaining [5]: building TrustEngine of type PKIX
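The following shell script is an added illustration of the failure mode above at the OpenSSL command-line level; it is not code from xmltooling, OpenSAML or the reporter. It builds a throwaway CA, issues a signer certificate, revokes that certificate in a CRL, and then runs path validation twice. When the CRL is not handed to the validator the chain comes back "OK", which is the "successfully validated certificate chain" line in the log even though the signer is revoked; when the CRL is loaded and revocation checking is switched on, OpenSSL reports "certificate revoked", the result described in the follow-up comment. All names (Demo Metadata CA, Demo Metadata Signer, the temporary directory layout) are made up for the example, and it assumes the openssl CLI (1.1.1 or later) is on PATH.

```shell
#!/bin/sh
# Added example, not code from xmltooling or OpenSAML. Builds a throwaway PKI
# (all names are made up), revokes the signer in a CRL, and runs OpenSSL path
# validation with and without that CRL. Requires the openssl CLI (1.1.1+).

setup_demo_pki() {
    work=$(mktemp -d) || return 1
    # Minimal 'openssl ca' database; only needed to revoke a cert and emit a CRL.
    cat > "$work/ca.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = demo_policy

[ demo_policy ]
commonName = supplied
EOF
    : > "$work/index.txt"
    echo 01 > "$work/serial"
    echo 01 > "$work/crlnumber"
    (
        cd "$work" &&
        # Self-signed trust anchor, playing the role of SWITCHaaiRootCA.crt in the filter config.
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
            -subj "/CN=Demo Metadata CA" -keyout ca.key -out ca.crt >/dev/null 2>&1 &&
        # Metadata signer certificate issued by that CA.
        openssl req -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=Demo Metadata Signer" -keyout signer.key -out signer.csr >/dev/null 2>&1 &&
        openssl x509 -req -days 30 -sha256 -in signer.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out signer.crt >/dev/null 2>&1 &&
        # Revoke the signer and issue a CRL listing it, as the reporter's test metadata does.
        openssl ca -config ca.cnf -batch -revoke signer.crt >/dev/null 2>&1 &&
        openssl ca -config ca.cnf -batch -gencrl -crldays 30 -out ca.crl >/dev/null 2>&1
    ) || return 1
    echo "$work"
}

# Path validation without the CRL: the chain builds to the CA and OpenSSL
# reports OK, although a CRL naming this very certificate exists.
verify_without_crl() {
    if openssl verify -CAfile "$1/ca.crt" "$1/signer.crt" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Same chain, but the CRL is handed to the validator and -crl_check is set
# (X509_V_FLAG_CRL_CHECK in libcrypto): the revoked serial is found and
# validation fails.
verify_with_crl() {
    if openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" -crl_check \
            "$1/signer.crt" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Extracts the reason OpenSSL gives when the CRL is checked.
crl_failure_reason() {
    out=$(openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" -crl_check \
            "$1/signer.crt" 2>&1) || true
    case "$out" in
        *"certificate revoked"*) echo "certificate revoked" ;;
        *) echo "unexpected result: $out" ;;
    esac
}

demo() {
    pki=$(setup_demo_pki) || { echo "PKI setup failed (is openssl on PATH?)" >&2; return 1; }
    if verify_without_crl "$pki"; then
        echo "CRL ignored:  chain accepted (the 'successfully validated certificate chain' case)"
    fi
    if ! verify_with_crl "$pki"; then
        echo "CRL checked:  chain rejected, $(crl_failure_reason "$pki")"
    fi
    rm -rf "$pki"
}

demo
```

In an XML signature the CRL travels inside ds:KeyInfo/ds:X509Data as a ds:X509CRL element, so the trust engine has to extract it and add it to the X509_STORE before calling X509_verify_cert, exactly as the -CRLfile option does here; a CRL that is merely present but never loaded changes nothing. OpenSSL's -crl_check_all (X509_V_FLAG_CRL_CHECK_ALL) extends the check to every certificate in the chain, which is the "require a CRL for every cert in the chain" mode mentioned in the comments.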