KeyInfoResolver code returns empty credential object.

Description

As described in the mail thread on shib-users from today:
These are the log messages after the Response was decoded:
OpenSAML.MessageDecoder.SAML2 [2]: extracting issuer from SAML 2.0 protocol message
OpenSAML.MessageDecoder.SAML2 [2]: message from (https://apps.egiz.gv.at/moa-id-stork-test/)
OpenSAML.MessageDecoder.SAML2 [2]: searching metadata for message issuer...
OpenSAML.SecurityPolicyRule.MessageFlow [2]: evaluating message flow policy (replay checking on, expiration 60)
XMLTooling.StorageService [2]: inserted record (_eb6...) in context (MessageFlow) with expiration ..
OpenSAML.SecurityPolicyRule.XMLSigning [2]: validating signature profile
XMLTooling.KeyInfoResolver.Inline [2]: resolved 0 certificate(s)
XMLTooling.KeyInfoResolver.Inline [2]: resolved 0 CRL(s)
XMLTooling.TrustEngine.ExplicitKey [2]: attempting to validate signature with the peer's credentials
XMLTooling.TrustEngine.ExplicitKey [2]: public key did not validate signature: Credential did not contain a verification key.

The zip archive contains the IdP's certificate files, metadata, response message and log files.

Environment

None

Attachments

1

Activity

Scott Cantor December 10, 2012 at 7:13 PM

Closing with release.

Scott Cantor October 6, 2012 at 12:16 AM

Avoid returning an empty Credential object when nothing is populated inside it. Also fix to the OpenSAML metadata base class to stop assuming the resolver has to return non-null, per API doc.

http://svn.shibboleth.net/view/cpp-xmltooling?rev=998&view=rev
http://svn.shibboleth.net/view/cpp-opensaml?rev=744&view=rev

Scott Cantor October 5, 2012 at 11:25 PM

Condition rule was also a syntax mistake.

This works fine:
<PolicyRule type="Ignore" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">saml2:OneTimeUse</PolicyRule>

Normally that's unneeded anyway. Using an empty rule of type="Conditions" defaults to a set of rules that checks time, audience, and ignores the OneTimeUse condition.

I've changed the bug to an improvement request to try and clean up the logging around a KeyDescriptor processed into an empty shell of a credential for verification.

Scott Cantor October 5, 2012 at 11:13 PM

The signature issue is caused by an incorrect namespace on the X509Data and X509Certificate elements in the metadata. Adding ds: to the elements fixes the issue.

I didn't expect that the code would return a Credential object from the metadata with no key inside it. I'll look at that more closely, I might be able to prevent it from returning a credential with nothing inside it at all, which would limit at least some of these cases from being so obscure.

Bug reporter also noted inability to ignore the OneTimeUse condition, checking on that also.
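Added example, not part of this issue and not code from the Shibboleth or OpenSAML projects: a standalone check for the namespace mistake identified in the comment above. It parses SAML metadata with Python's standard-library ElementTree, counts the ds:X509Certificate elements a namespace-aware KeyInfo resolver would actually see under each KeyDescriptor (the "resolved 0 certificate(s)" symptom), names any X509Data/X509Certificate elements that fell into the wrong namespace because the ds: prefix was omitted, and applies the same repair as adding the prefix by hand. The metadata fragment, entityID and certificate text are constructed placeholders, not the reporter's attachment.

```python
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# Elements a KeyInfo resolver expects in the XML Signature (ds) namespace.
KEYINFO_LOCALS = ("KeyInfo", "X509Data", "X509Certificate")

# Serialize repaired metadata with readable prefixes.
ET.register_namespace("md", NS_MD)
ET.register_namespace("ds", NS_DS)

# Constructed sample (not the reporter's metadata): X509Data and
# X509Certificate carry no ds: prefix, so they inherit the metadata default
# namespace and a namespace-aware resolver finds no certificate at all.
# The entityID and the base64 text are placeholders, not a real certificate.
BROKEN_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <X509Data>
          <X509Certificate>Q09OU1RSVUNURUQtQ0VSVC1QTEFDRUhPTERFUg==</X509Certificate>
        </X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _split_tag(tag):
    """Split an ElementTree tag of the form '{ns}local' into (ns, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def audit_key_descriptors(metadata_xml):
    """Per KeyDescriptor: how many ds:X509Certificate elements a namespace-aware
    resolver would find, and which KeyInfo-family elements sit in the wrong
    namespace (the cause of 'resolved 0 certificate(s)' and an empty credential)."""
    root = ET.fromstring(metadata_xml)
    reports = []
    for kd in root.iter("{%s}KeyDescriptor" % NS_MD):
        certs = [c.text.strip() for c in kd.iter("{%s}X509Certificate" % NS_DS)
                 if c.text and c.text.strip()]
        misplaced = []
        for el in kd.iter():
            ns, local = _split_tag(el.tag)
            if local in KEYINFO_LOCALS and ns != NS_DS:
                misplaced.append((local, ns))
        reports.append({
            "use": kd.get("use", "signing and encryption"),
            "certificates": len(certs),
            "misplaced": misplaced,
        })
    return reports


def explain(reports):
    """One diagnostic line per KeyDescriptor, naming the fix when one is needed."""
    lines = []
    for r in reports:
        msg = "KeyDescriptor use=%s: resolved %d certificate(s)" % (r["use"], r["certificates"])
        if r["misplaced"]:
            names = ", ".join("%s (in %s)" % m for m in r["misplaced"])
            msg += "; wrong namespace on %s; expected %s, add the ds: prefix" % (names, NS_DS)
        lines.append(msg)
    return lines


def fix_namespaces(metadata_xml):
    """Move misplaced KeyInfo-family elements into the ds namespace (the same
    repair as adding the ds: prefix by hand) and return the serialized result."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iter("{%s}KeyDescriptor" % NS_MD):
        for el in kd.iter():
            ns, local = _split_tag(el.tag)
            if local in KEYINFO_LOCALS and ns != NS_DS:
                el.tag = "{%s}%s" % (NS_DS, local)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for line in explain(audit_key_descriptors(BROKEN_METADATA)):
        print("before:", line)
    repaired = fix_namespaces(BROKEN_METADATA)
    for line in explain(audit_key_descriptors(repaired)):
        print("after: ", line)
```

Run against a real metadata file, the audit reports 0 certificates and lists the misnamespaced elements for the broken descriptor; after fix_namespaces the same descriptor reports one certificate and nothing misplaced, which is the condition under which the KeyInfo resolver can build a credential that actually carries a verification key.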

Fixed

Details

Created October 5, 2012 at 7:12 PM
Updated December 10, 2012 at 7:13 PM
Resolved October 6, 2012 at 12:16 AM