
zxid 0.53 metadata parsing issues



Hi,

   I'm currently evaluating a zxid 0.53 upgrade.  I've been using 0.32.  I'm
using the Net::SAML library.

I'm getting new metadata parsing issues with 0.53:
1. Bad metadata errors, like: "EntityDescriptor could not be found or was
corrupt. MD(
) 0 chars parsed."
I don't see what's wrong with the affected metadata files.  Perhaps there's
a new metadata parsing issue in 0.53?

2. Shibboleth 2 IdP metadata now works (never parsed in 0.32), but contains
two EntityDescriptor wrapped in an EntityDescriptors parent tag.  zxid uses
the last one when identifying the list of available IdPs by sha1 hash
(Net::SAML::load_cot_cache).  I need the first one.  Do I need to manually
separate these descriptors into separate files for zxid?

My COT looks like:
[www@localhost cot]$ ls -al /opt/saml/var/zxid/cot
total 40
-rw-r--r--    1 www      www         17924 Feb 22 11:47 0D5XlTNF5XoaggdNLUd8nKON-XY
-rw-r--r--    1 www      www          2166 Apr 20 03:46 OKCy5mMaXMJUnKQ1wVJCcT00AA8
-rw-r--r--    1 www      www          6264 Aug 22  2009 rQalJ8S4WSBIb3HWgs1cDSuHhrQ
-rw-rw-r--    1 www      www          5329 Sep 13  2009 s36Te-rgbzReSjVc8vDDGy89tT8

I've attached the four metadata files for reference.
   1. OK:  0D5XlTNF5XoaggdNLUd8nKON-XY is for TestShib 2 (https://idp.testshib.org/idp/shibboleth).
   2. ERR: OKCy5mMaXMJUnKQ1wVJCcT00AA8 is a demo SP that was included in the 0.32 distribution (http://auth-int.orange.fr).
   3. ERR: rQalJ8S4WSBIb3HWgs1cDSuHhrQ is a local test instance of PingFederate 6.0 (https://tstfapcn100).
   4. OK:  s36Te-rgbzReSjVc8vDDGy89tT8 is for SSOCircle (http://idp.ssocircle.com).


Here is my test script:
#!/usr/bin/perl
use strict;
use warnings;
use Net::SAML;
use Data::Dumper;

my $qs = 'o=E';
# zxid configuration as one query string (joined here; it must not contain line breaks)
my $cf_url = 'PATH=/opt/saml/var/zxid/&URL=http://localhost/saml.pl'
    . '&AFTER_SLOP=3660&AUTO_CERT=0&BARE_URL_ENTITYID=0&BEFORE_SLOP=86400&CDC_URL='
    . '&DI_ALLOW_CREATE=0&DUP_A7N_FATAL=0&DUP_MSG_FATAL=0&MD_FETCH=0&MD_POPULATE_CACHE=0'
    . '&NAMEID_ENC=0&NOSIG_FATAL=0&REDIR_TO_CONTENT=0&SES_ARCH_DIR=/opt/saml/var/zxid/oldses/'
    . '&SES_COOKIE_NAME=ssid&SES_COOKIE_UNIQ=1&SHOW_CONF=0&SIG_FATAL=0&TIMEOUT_FATAL=0&USER_LOCAL=0';
my $cf = Net::SAML::new_conf_to_cf($cf_url);
Net::SAML::set_opt($cf, 1, 1);    # enable debugging info
my $simple_cf_flags = $Net::SAML::AUTO_SOAPH | $Net::SAML::AUTO_METAH
    | $Net::SAML::AUTO_LOGINC | $Net::SAML::AUTO_MGMTC | $Net::SAML::AUTO_FORMT;
my $res = Net::SAML::simple_cf($cf, -1, $qs, undef, $simple_cf_flags);
print Dumper(get_cot_eid_sha1($cf));

# Walk the linked list of entities loaded from the COT directory and map entityID -> sha1 file name
sub get_cot_eid_sha1 {
    my $cf = shift;
    my %cot;
    my $idp = Net::SAML::load_cot_cache($cf);
    while ($idp) {
        my $eid = $idp->swig_eid_get();
        $cot{$eid} = $idp->swig_sha1_name_get() if $eid;
        $idp = $idp->swig_n_get();    # advance first; a bare 'next' on an empty eid would loop forever
    }
    return \%cot;
}

Output:
t zxidsimp.c:1466 zxid_simple_cf_ses zx d QUERY_STRING(o=E) 0.53
t  zxidecp.c:137 zxid_lecp_check   zx d Neither ECP nor LECP request 0
t zxidsimp.c:1262 zxid_simple_no_ses_cf zx d LECP check: ss(?)
t zxidsimp.c:1273 zxid_simple_no_ses_cf zx d NOT CDC 0
t zxidsimp.c:748 zxid_simple_show_idp_sel zx d cf=0x829fc10 cgi=0xbffff700
t zxidmeta.c:837 zxid_my_entity_id zx d my_entity_id url(http://localhost/saml.pl)
t zxidsimp.c:460 zxid_idp_select_zxstr_cf_cgi zx d HERE 0x812dc80 e() m() d()
t zxidmeta.c:250 zxid_get_ent_from_file zx d GOT META sha1_name(OKCy5mMaXMJUnKQ1wVJCcT00AA8) eid(http://auth-int.orange.fr)
t zxidmeta.c:157 zxid_parse_meta   zx E Bad metadata. EntityDescriptor could not be found or was corrupt. MD(
) 0 chars parsed.
t    zxlog.c:423 zxlog             zx d LOG(20100420-082716.174 19700101-000000.501 -:- - - - - zx N B BADMD - chars_parsed(0))
t zxidmeta.c:243 zxid_get_ent_from_file zx E ***** Parsing metadata failed for sha1_name(OKCy5mMaXMJUnKQ1wVJCcT00AA8)
t    zxlog.c:423 zxlog             zx d LOG(20100420-082716.175 19700101-000000.501 -:- - - - - zx N B NOMD - sha1_name(OKCy5mMaXMJUnKQ1wVJCcT00AA8))
t zxidmeta.c:250 zxid_get_ent_from_file zx d GOT META sha1_name(s36Te-rgbzReSjVc8vDDGy89tT8) eid(http://idp.ssocircle.com)
t zxidmeta.c:86  zxid_process_keys zx d KeyDescriptor is missing use attribute. Assume this certificate can be used for both signing and encryption. 0
t zxidmeta.c:250 zxid_get_ent_from_file zx d GOT META sha1_name(yFx-OsV0bEOOcHmPlxAuInI63zk) eid(https://sp.testshib.org/shibboleth-sp)
t zxidmeta.c:250 zxid_get_ent_from_file zx d GOT META sha1_name(rQalJ8S4WSBIb3HWgs1cDSuHhrQ) eid(https://tstfapcn100)
t zxidmeta.c:157 zxid_parse_meta   zx E Bad metadata. EntityDescriptor could not be found or was corrupt. MD(
) 0 chars parsed.
t    zxlog.c:423 zxlog             zx d LOG(20100420-082716.177 19700101-000000.501 -:- - - - - zx N B BADMD - chars_parsed(0))
t zxidmeta.c:243 zxid_get_ent_from_file zx E ***** Parsing metadata failed for sha1_name(rQalJ8S4WSBIb3HWgs1cDSuHhrQ)
t    zxlog.c:423 zxlog             zx d LOG(20100420-082716.178 19700101-000000.501 -:- - - - - zx N B NOMD - sha1_name(rQalJ8S4WSBIb3HWgs1cDSuHhrQ))
t zxidsimp.c:359 zxid_idp_list_cf_cgi zx d Starting IdP processing... 0x81aead0
t zxidsimp.c:419 zxid_idp_list_cf_cgi zx d IdP list(<select name=d>
<option value="https://tstfapcn100">  (https://tstfapcn100)
<option value="http://idp.ssocircle.com">  (http://idp.ssocircle.com)
<option value="http://auth-int.orange.fr">  (http://auth-int.orange.fr)
</select><input type=submit name="l0" value=" Login "><br>
)
t    zxlog.c:423 zxlog             zx d LOG(20100420-082716.178 19700101-000000.501 -:- - - - - zx N W IDPSEL - -)
t zxidsimp.c:697 zxid_simple_show_page zx d No headers 968
$VAR1 = {
          'https://tstfapcn100' => 'rQalJ8S4WSBIb3HWgs1cDSuHhrQ',
          'http://idp.ssocircle.com' => 's36Te-rgbzReSjVc8vDDGy89tT8',
          'https://sp.testshib.org/shibboleth-sp' => 'yFx-OsV0bEOOcHmPlxAuInI63zk',
          'http://auth-int.orange.fr' => 'OKCy5mMaXMJUnKQ1wVJCcT00AA8'
        };


Thanks,
Eric

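As an added example (not Eric's script, and not code from zxid or Net::SAML), the helper below addresses the second question in the post: it checks that a metadata file's root element is an md:EntityDescriptor or md:EntitiesDescriptor (anything else is the "could not be found" case) and splits an aggregate into one file per entity. It assumes that zxid names COT files by the SHA-1 of the entityID in URL-safe base64 without padding, which matches the 27-character names in the listing above but should be checked against an existing cot/ entry; the aggregate it parses is constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from pathlib import Path

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENT_TAG = f"{{{MD_NS}}}EntityDescriptor"
ENTS_TAG = f"{{{MD_NS}}}EntitiesDescriptor"
ET.register_namespace("md", MD_NS)

# Constructed sample: a Shibboleth-style aggregate, two entities under one EntitiesDescriptor.
SAMPLE_AGGREGATE = b"""<?xml version="1.0"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="constructed-sample">
  <EntityDescriptor entityID="https://idp.example.test/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.test/shibboleth-sp">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
"""

def sha1_name(entity_id: str) -> str:
    # COT file name: SHA-1 of the entityID, URL-safe base64, no '=' padding (27 chars).
    # Assumed to match zxid's convention; compare with an existing cot/ entry before relying on it.
    digest = hashlib.sha1(entity_id.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")

def split_metadata(xml_bytes: bytes) -> dict:
    # Map sha1_name -> serialized <md:EntityDescriptor>. Accepts a lone EntityDescriptor or an
    # EntitiesDescriptor (nested ones included); anything else is the 'Bad metadata' case.
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag not in (ENT_TAG, ENTS_TAG):
        raise ValueError(f"root element is {root.tag}, expected md:EntityDescriptor")
    out = {}
    for ent in root.iter(ENT_TAG):  # iter() yields root itself when root is an EntityDescriptor
        eid = ent.get("entityID")
        if not eid:
            raise ValueError("EntityDescriptor without an entityID attribute")
        out[sha1_name(eid)] = ET.tostring(ent, encoding="unicode")
    return out

def write_cot(xml_bytes: bytes, cot_dir: str) -> list:
    # One file per entity in cot_dir (e.g. /opt/saml/var/zxid/cot); returns the names written.
    entries = split_metadata(xml_bytes)
    for name, xml_text in entries.items():
        (Path(cot_dir) / name).write_text(xml_text, encoding="utf-8")
    return sorted(entries)
```

Running split_metadata over a file that zxid rejects tells you immediately whether the problem is malformed XML or an unexpected root element, which the "0 chars parsed" message does not distinguish.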