Successfully cached metadata documents containing ` ` subsequently fail signature validation
Description
Environment
$> cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
$> yum info shibboleth
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Installed Packages
Name : shibboleth
Arch : x86_64
Version : 2.5.6
Release : 3.1
Size : 4.9 M
Repo : installed
From repo : security_shibboleth
Summary : Open source system for attribute-based Web SSO
URL : http://shibboleth.net/
License : Apache 2.0
Description : Shibboleth is a Web Single Sign-On implementations based on OpenSAML
: that supports multiple protocols, federated identity, and the extensible
: exchange of rich attributes subject to privacy controls.
:
: This package contains the Shibboleth Service Provider runtime libraries,
: daemon, default plugins, and Apache module(s).
Activity
Rod Widdowson June 19, 2016 at 1:10 PM
I've not been able to get the saved metadata to pass signing under any circumstances. I suspect it has been damaged somewhere in its life.
I am happy that the code works correctly and will fix the diagnosed issue. If I have time before the fast approaching 2.6 release date I'll try to hand craft some broken metadata and sign it and test. But for now I am resolving (but not closing) this case.
trscavo@ncsa.illinois.edu June 17, 2016 at 2:53 PM
I have a copy of that file but I can't upload it since it's ~23MB, which is more than jira will allow. Do you want me to send via FileSender?
Rod Widdowson June 17, 2016 at 2:46 PM
That link has gone away. I don't suppose anyone has a test file I can poke at?
NP if not, but it would be nice to make sure that the failure is fixed.
Rod Widdowson June 16, 2016 at 4:03 PM
93e8237 fixes this
Rod Widdowson June 16, 2016 at 3:36 PM
There's evidence that this change is leaving dropping behind with
<URLInputSourceStatus xmlns="http://www.opensaml.org/xmltooling">304</URLInputSourceStatus>
in it
I think this is because we need to catch the 304 (or any other event) during the load and delete the backing file.
Discussion of this issue is available at http://marc.info/?l=shibboleth-users&m=145853734225037
Metadata documents which contain ` ` are loaded and verified by shibd without problem on initial request from upstream.
If shibd subsequently attempts to read the locally cached metadata document it cannot verify the signature and the service begins to fail.
The current theory is that unexpected normalization is occurring when shibd is writing out the cached metadata document, hence the subsequent invalid signature state occurring.
We've seen this happen within the AAF and it has also happened recently with an entity that was entered via eduGAIN. This seems to impact 'free text' descriptive fields in particular with my thought being the cause is copy/paste from Word documents (or similar on Windows) for these fields.
As a workaround the AAF is now filtering out all instances of ` ` from metadata documents prior to signing. This has no impact on our metadata XML and ensures shibd continues to function.
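An added illustration (not code from the Shibboleth project or from anyone on this issue) of why a non-breaking space can pass signature validation on the initial load and fail on the cached copy: the reference digest is computed over the canonical form, which keeps U+00A0 exactly as-is, so a cache writer that normalizes that character to an ordinary space changes the signed bytes, whereas an entity-escaped re-serialization does not. The lossy writer is modelled here with Unicode NFKC as an assumed stand-in for whatever normalization shibd actually applied; the metadata fragment is constructed and unsigned, and the filter mirrors the AAF workaround by replacing the character with a plain space (an assumption about what "filtering out" means).

```python
import hashlib
import unicodedata
import xml.etree.ElementTree as ET

NBSP = "\u00a0"

# Constructed, unsigned metadata stand-in; the display name holds a pasted NBSP.
SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"\n'
    '    entityID="https://sp.example.org/shibboleth">\n'
    '  <Organization>\n'
    f'    <OrganizationDisplayName>Example{NBSP}University</OrganizationDisplayName>\n'
    '  </Organization>\n'
    '</EntityDescriptor>\n'
)

def c14n_digest(xml_text: str) -> str:
    """SHA-256 over Canonical XML 1.0 (what an XML-DSig reference digest
    covers); C14N keeps U+00A0 as-is, so the document as fetched verifies."""
    canonical = ET.canonicalize(xml_data=xml_text, strip_text=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def rewrite_entity_escaped(xml_text: str) -> str:
    """Harmless rewrite: NBSP becomes &#160;, which parses back unchanged."""
    return xml_text.encode("ascii", "xmlcharrefreplace").decode("ascii")

def rewrite_normalized(xml_text: str) -> str:
    """Hypothetical lossy cache writer (assumed model, not shibd's code):
    NFKC maps U+00A0 to U+0020, so the canonical bytes and digest change."""
    return unicodedata.normalize("NFKC", xml_text)

def find_nbsp(xml_text: str) -> list:
    """(line, column) of every U+00A0, to locate the fields that need cleaning."""
    hits = []
    for ln, line in enumerate(xml_text.splitlines(), start=1):
        hits += [(ln, col) for col, ch in enumerate(line, start=1) if ch == NBSP]
    return hits

def filter_nbsp(xml_text: str) -> str:
    """Pre-signing workaround like the AAF's: NBSP -> plain space (assumed)."""
    return xml_text.replace(NBSP, " ")

def digest_survives(xml_text: str, rewrite) -> bool:
    """True if the reference digest is unchanged after the given rewrite."""
    return c14n_digest(xml_text) == c14n_digest(rewrite(xml_text))

if __name__ == "__main__":
    print("NBSP at:", find_nbsp(SAMPLE_METADATA))
    print("lossy rewrite keeps digest:", digest_survives(SAMPLE_METADATA, rewrite_normalized))
    print("after filtering:", digest_survives(filter_nbsp(SAMPLE_METADATA), rewrite_normalized))
```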