
Re: zxid 0.53 metadata parsing issues

Sorry for slow reply. I was travelling and got stuck by the ash problem.

Eric Rybski wrote:
> Hi,
>
>    I'm currently evaluating a zxid 0.53 upgrade.  I've been using 0.32.  I'm
> using the Net::SAML library.
>
> I'm getting new metadata parsing issues with 0.53:
> 1. Bad metadata errors, like: "EntityDescriptor could not be found or was
> corrupt. MD(
> ) 0 chars parsed."
> I don't see what's wrong with the affected metadata files.  Perhaps there's
> a new metadata parsing issue in 0.53?

Possible, since I messed with it. 0 chars parsed could be due to an
input reading problem or it could indicate that the file has some
garbage, probably near the beginning. Perhaps a BOM or unwarranted XML
processing instructions?

To triangulate better, can you run

zxcot /opt/saml/var/zxid/cot/

That should parse every metadata file there and list some info
about them. This is a good test for my metadata parsing code.
If that reproduces your problems, then the bug is likely to be
in my parser. Otherwise the bug is likely to be in I/O.

> 2. Shibboleth 2 IdP metadata now works (never parsed in 0.32), but contains
> two EntityDescriptor wrapped in an EntityDescriptors parent tag.  zxid uses
> the last one when identifying list of available IdPs by sha1 hash
> (Net::SAML::load_cot_cache).  I need the first one.  Do I need to manually
> separate these descriptors into separate files for zxid?

When ZXID processes the EntitiesDescriptor, it writes a file for
each EntityDescriptor found. Your confusion may come from the fact
that although zxid_load_cot_cache() processes all descriptors, it returns
the last one processed. Instead of relying on the return value of
zxid_load_cot_cache(), you probably should be calling zxid_get_ent().

> My COT looks like:
> [www@localhost cot]$ ls -al /opt/saml/var/zxid/cot
> total 40
> -rw-r--r--    1 www      www         17924 Feb 22 11:47
> 0D5XlTNF5XoaggdNLUd8nKON-XY
> -rw-r--r--    1 www      www          2166 Apr 20 03:46
> OKCy5mMaXMJUnKQ1wVJCcT00AA8
> -rw-r--r--    1 www      www          6264 Aug 22  2009
> rQalJ8S4WSBIb3HWgs1cDSuHhrQ
> -rw-rw-r--    1 www      www          5329 Sep 13  2009
> s36Te-rgbzReSjVc8vDDGy89tT8
>
> I've attached the four metadata files for reference.
>    1. OK:  0D5XlTNF5XoaggdNLUd8nKON-XY is for TestShib 2
> (https://idp.testshib.org/idp/shibboleth).
>    2. ERR: OKCy5mMaXMJUnKQ1wVJCcT00AA8 is a demo SP that was included in the
> 0.32 distribution (http://auth-int.orange.fr).

I tried that file and had success.

>    3. ERR: rQalJ8S4WSBIb3HWgs1cDSuHhrQ is a local test instance of
> PingFederate 6.0 (https://tstfapcn100).

I see you had attempted to attach some files that got stripped for
some reason. Please include contents of rQalJ8S4WSBIb3HWgs1cDSuHhrQ
inline in the mail so I can analyze it.

>    4. OK: s36Te-rgbzReSjVc8vDDGy89tT8 is for SSOCircle
> (http://idp.ssocircle.com)
>
>
> Here is my test script:
> #!/usr/bin/perl
> use Net::SAML;
> use Data::Dumper;
> my $qs = 'o=E';
> # configuration string (mail-wrapped in the original; one line here)
> my $cf_url = 'PATH=/opt/saml/var/zxid/&URL=http://localhost/saml.pl&AFTER_SLOP=3660&AUTO_CERT=0&BARE_URL_ENTITYID=0&BEFORE_SLOP=86400&CDC_URL=&DI_ALLOW_CREATE=0&DUP_A7N_FATAL=0&DUP_MSG_FATAL=0&MD_FETCH=0&MD_POPULATE_CACHE=0&NAMEID_ENC=0&NOSIG_FATAL=0&REDIR_TO_CONTENT=0&SES_ARCH_DIR=/opt/saml/var/zxid/oldses/&SES_COOKIE_NAME=ssid&SES_COOKIE_UNIQ=1&SHOW_CONF=0&SIG_FATAL=0&TIMEOUT_FATAL=0&USER_LOCAL=0';
> my $cf = Net::SAML::new_conf_to_cf($cf_url);
> Net::SAML::set_opt($cf, 1, 1); # enable debugging info
> my $simple_cf_flags = $Net::SAML::AUTO_SOAPH | $Net::SAML::AUTO_METAH |
> $Net::SAML::AUTO_LOGINC | $Net::SAML::AUTO_MGMTC | $Net::SAML::AUTO_FORMT;
> my $res = Net::SAML::simple_cf($cf, -1, $qs, undef, $simple_cf_flags);

I presume the call to zxid_simple_cf() is irrelevant for the metadata
debugging exercise.

> print Dumper(get_cot_eid_sha1($cf));
> sub get_cot_eid_sha1 {
>     my $cf = shift;
>     my %cot;
>     if (my $idp = Net::SAML::load_cot_cache($cf)) {
>         while ($idp) {
>             my $eid  = $idp->swig_eid_get();
>             next unless $eid;
>             my $sha1 = $idp->swig_sha1_name_get();
>             $cot{$eid} = $sha1;
>             $idp = $idp->swig_n_get();
>         }
>     }
>     return \%cot;
> }
>
> Output:
> t zxidsimp.c:1466 zxid_simple_cf_ses zx d QUERY_STRING(o=E) 0.53
> t  zxidecp.c:137 zxid_lecp_check   zx d Neither ECP nor LECP request 0
> t zxidsimp.c:1262 zxid_simple_no_ses_cf zx d LECP check: ss(?)
> t zxidsimp.c:1273 zxid_simple_no_ses_cf zx d NOT CDC 0
> t zxidsimp.c:748 zxid_simple_show_idp_sel zx d cf=0x829fc10 cgi=0xbffff700
> t zxidmeta.c:837 zxid_my_entity_id zx d my_entity_id url(
> http://localhost/saml.pl)


> t zxidsimp.c:460 zxid_idp_select_zxstr_cf_cgi zx d HERE 0x812dc80 e() m()
> d()
> t zxidmeta.c:250 zxid_get_ent_from_file zx d GOT META
> sha1_name(OKCy5mMaXMJUnKQ1wVJCcT00AA8) eid(http://auth-int.orange.fr)
> t zxidmeta.c:157 zxid_parse_meta   zx E Bad metadata. EntityDescriptor
> could
> not be found or was corrupt. MD(
> ) 0 chars parsed.

Seems like an I/O problem to me.

> t    zxlog.c:423 zxlog             zx d LOG(20100420-082716.174
> 19700101-000000.501 -:- - - - - zx N B BADMD - chars_parsed(0))
> t zxidmeta.c:243 zxid_get_ent_from_file zx E ***** Parsing metadata failed
> for sha1_name(OKCy5mMaXMJUnKQ1wVJCcT00AA8)
> t    zxlog.c:423 zxlog             zx d LOG(20100420-082716.175
> 19700101-000000.501 -:- - - - - zx N B NOMD -
> sha1_name(OKCy5mMaXMJUnKQ1wVJCcT00AA8))


> t zxidmeta.c:250 zxid_get_ent_from_file zx d GOT META
> sha1_name(s36Te-rgbzReSjVc8vDDGy89tT8) eid(http://idp.ssocircle.com)
> t zxidmeta.c:86  zxid_process_keys zx d KeyDescriptor is missing use
> attribute. Assume this certificate can be used for both signing and
> encryption. 0

> t zxidmeta.c:250 zxid_get_ent_from_file zx d GOT META
> sha1_name(yFx-OsV0bEOOcHmPlxAuInI63zk) eid(
> https://sp.testshib.org/shibboleth-sp)

> t zxidmeta.c:250 zxid_get_ent_from_file zx d GOT META
> sha1_name(rQalJ8S4WSBIb3HWgs1cDSuHhrQ) eid(https://tstfapcn100)
> t zxidmeta.c:157 zxid_parse_meta   zx E Bad metadata. EntityDescriptor
> could
> not be found or was corrupt. MD(
> ) 0 chars parsed.
> t    zxlog.c:423 zxlog             zx d LOG(20100420-082716.177
> 19700101-000000.501 -:- - - - - zx N B BADMD - chars_parsed(0))
> t zxidmeta.c:243 zxid_get_ent_from_file zx E ***** Parsing metadata failed
> for sha1_name(rQalJ8S4WSBIb3HWgs1cDSuHhrQ)
> t    zxlog.c:423 zxlog             zx d LOG(20100420-082716.178
> 19700101-000000.501 -:- - - - - zx N B NOMD -
> sha1_name(rQalJ8S4WSBIb3HWgs1cDSuHhrQ))


> t zxidsimp.c:359 zxid_idp_list_cf_cgi zx d Starting IdP processing...
> 0x81aead0
> t zxidsimp.c:419 zxid_idp_list_cf_cgi zx d IdP list(<select name=d>
> <option value="https://tstfapcn100";>  (https://tstfapcn100)
> <option value="http://idp.ssocircle.com";>  (http://idp.ssocircle.com)
> <option value="http://auth-int.orange.fr";>  (http://auth-int.orange.fr)
> </select><input type=submit name="l0" value=" Login "><br>
> )
> t    zxlog.c:423 zxlog             zx d LOG(20100420-082716.178
> 19700101-000000.501 -:- - - - - zx N W IDPSEL - -)
> t zxidsimp.c:697 zxid_simple_show_page zx d No headers 968
> $VAR1 = {
>           'https://tstfapcn100' => 'rQalJ8S4WSBIb3HWgs1cDSuHhrQ',
>           'http://idp.ssocircle.com' => 's36Te-rgbzReSjVc8vDDGy89tT8',
>           'https://sp.testshib.org/shibboleth-sp' =>
> 'yFx-OsV0bEOOcHmPlxAuInI63zk',
>           'http://auth-int.orange.fr' => 'OKCy5mMaXMJUnKQ1wVJCcT00AA8'
>         };

The dump of $VAR1 seems good to me.

Cheers,
--Sampo

> Thanks,
> Eric
>
> [demime 1.01d removed an attachment of type application/octet-stream which
> had a name of 0D5XlTNF5XoaggdNLUd8nKON-XY]

Perhaps the attachments should have MIME type text/xml? Or just text/plain?

> [demime 1.01d removed an attachment of type application/octet-stream which
> had a name of OKCy5mMaXMJUnKQ1wVJCcT00AA8]
>
> [demime 1.01d removed an attachment of type application/octet-stream which
> had a name of rQalJ8S4WSBIb3HWgs1cDSuHhrQ]
>
> [demime 1.01d removed an attachment of type application/octet-stream which
> had a name of s36Te-rgbzReSjVc8vDDGy89tT8]
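To triage the "0 chars parsed" errors discussed above (a BOM or stray processing instruction before the root element, or a wrapper that yields several descriptors from one file), here is an added inspection script; it is not part of the thread or of zxid, and the sample files it writes are constructed stand-ins for the sha1-named entries in /opt/saml/var/zxid/cot/.

```python
import os
import re
import tempfile

# Constructed sample files standing in for the sha1-named entries in
# /opt/saml/var/zxid/cot/; the contents are invented, not the real metadata.
SAMPLES = {
    "clean_sp": b'<EntityDescriptor entityID="http://sp.example.invalid"/>',
    "two_idps": (b'<?xml version="1.0"?>\n<EntitiesDescriptor>'
                 b'<EntityDescriptor entityID="https://idp1.example.invalid"/>'
                 b'<EntityDescriptor entityID="https://idp2.example.invalid"/>'
                 b'</EntitiesDescriptor>'),
    "bom_idp": b'\xef\xbb\xbf<EntityDescriptor entityID="https://bom.example.invalid"/>',
    "pi_idp": (b'<?xml-stylesheet href="x.xsl"?>'
               b'<EntityDescriptor entityID="https://pi.example.invalid"/>'),
    "empty": b'',
}

ROOT_RE = re.compile(rb'<((?:md:)?Entit(?:y|ies)Descriptor)\b')
EID_RE = re.compile(rb'<(?:md:)?EntityDescriptor\b[^>]*\bentityID="([^"]*)"')

def inspect_metadata(data):
    """Describe what sits before the root element and which entityIDs the
    file carries. No root, a BOM or a non-xml processing instruction marks a
    candidate for the "0 chars parsed" error; an EntitiesDescriptor root
    explains why one file yields several COT entries."""
    m = ROOT_RE.search(data)
    prefix = data[:m.start()] if m else data
    return {
        "root": m.group(1).decode() if m else None,
        "bom": prefix.startswith(b'\xef\xbb\xbf'),
        "has_xml_decl": b'<?xml ' in prefix,
        "has_other_pi": re.search(rb'<\?(?!xml\s)', prefix) is not None,
        "prefix_len": len(prefix),
        "entity_ids": [e.decode() for e in EID_RE.findall(data)],
    }

def inspect_cot_dir(path):
    """Inspect every file in a COT directory, keyed by file name."""
    out = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name), 'rb') as fh:
            out[name] = inspect_metadata(fh.read())
    return out

def demo():
    """Write the constructed samples to a temp dir and inspect them."""
    d = tempfile.mkdtemp()
    for name, body in SAMPLES.items():
        with open(os.path.join(d, name), 'wb') as fh:
            fh.write(body)
    return inspect_cot_dir(d)
```

Point inspect_cot_dir() at the real COT directory to list, per file, whether anything precedes the root element and how many entityIDs it holds.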